
Work Procedures:

Question : How should I handle an alert/procedure/monitor failed ticket?

Answer :

1. Select and open the customer device that triggered the alert.

2. Go to Logs and open the relevant logs, depending on the event that triggered the alert
(monitor/script/patching), then open the details to see what is causing the failure.

3. Investigate the issue and, if you find a solution, close the ticket by entering the resolution.
If, however, you can't find a solution, leave the ticket open and consult with colleagues.

Attachments :

Categories :

Last updated : 25-02-2019 8:37 pm

Listing Type : (Internal)

Question : How should I handle a Malware detected ticket?

Answer :

After a Malware detected ticket is raised, open the ticket to check the malware info
(Malware detected: C:\Users\xx\Downloads\DriverSupport.exe,
ApplicUnwnt@#3a59mgh5ba3as, Detect).

Go to Applications --> Endpoint Manager --> Security Sub-Systems --> Antivirus and open
Quarantined Files tab, find and open the malware info.

Copy the malware hash value.

Open https://valkyrie.comodo.com/login and log in with your C1 user name/password.

Click on Analyze New File and paste the malware hash value into the dedicated field. Run Search.

If the Valkyrie search result is:

Clean - In Applications --> Endpoint Manager --> Security Sub-Systems --> Antivirus, open the
Quarantined Files tab, click on Restore File(s) on Devices to restore the file on the client's
device, rate the file using Rate as Trusted, and close the ticket with an appropriate comment
about the performed actions and the Valkyrie report results.

PUA (Potentially Unwanted Application) - In Applications --> Endpoint Manager --> Security
Sub-Systems --> Antivirus, open the Quarantined Files tab, click on Delete File(s) from Device to
delete the file from the client's device, rate the file using Rate as Unrecognized, and close the
ticket with an appropriate comment about the performed actions and the Valkyrie report results.
The decision for certain PUA applications can be changed based on client complaints.

Malware - In Applications --> Endpoint Manager --> Security Sub-Systems --> Antivirus, open the
Quarantined Files tab, click on Delete File(s) from Device to delete the file from the client's
device, and rate the file using Rate as Malicious. Open the Device List tab, find and open the
client's device and run Scan --> Antivirus Quick Scan. Close the ticket with an appropriate
comment about the performed actions and the Valkyrie report results.
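
The verdict handling above, written out as a small triage helper. This is an added example, not part of the original knowledge base or of any Comodo tool. The function names, the lowercase verdict keys and the assumed alert layout (path, signature, action) are illustrative, and the second sample alert is constructed.

```python
# Added example: triage helper for the malware-ticket procedure (not Comodo code).
# Verdict -> (quarantine action, file rating, follow-up), as listed in the procedure.
RUNBOOK = {
    "clean": ("Restore File(s) on Devices", "Rate as Trusted", None),
    "pua": ("Delete File(s) from Device", "Rate as Unrecognized", None),
    "malware": ("Delete File(s) from Device", "Rate as Malicious",
                "Scan --> Antivirus Quick Scan"),
}
PREFIX = "Malware detected:"

# Alert text from the ticket shown in the procedure (wrapped over two lines).
SAMPLE = ("Malware detected: C:\\Users\\xx\\Downloads\\DriverSupport.exe,\n"
          "ApplicUnwnt@#3a59mgh5ba3as, Detect")
# Constructed sample: a path that itself contains a comma.
COMMA_PATH = ("Malware detected: C:\\Users\\xx\\Downloads\\setup, v2.exe, "
              "ApplicUnwnt@#3a59mgh5ba3as, Detect")


def parse_alert(text):
    """Split 'Malware detected: <path>, <signature>, <action>' into fields."""
    # Re-join wrapped lines and drop surrounding parentheses or a final period.
    flat = " ".join(line.strip() for line in text.splitlines()).strip("(). ")
    if not flat.startswith(PREFIX):
        raise ValueError("not a malware-detected alert")
    # Assumed layout: the last two commas separate signature and action, so
    # splitting from the right keeps commas inside the path intact.
    parts = flat[len(PREFIX):].rsplit(",", 2)
    if len(parts) != 3:
        raise ValueError("expected path, signature and action")
    path, signature, action = (p.strip() for p in parts)
    return {"path": path, "signature": signature, "action": action}


def triage(alert_text, verdict):
    """Return (console steps in order, ticket comment) for a Valkyrie verdict."""
    alert = parse_alert(alert_text)
    key = verdict.strip().lower()
    if key not in RUNBOOK:
        # The procedure covers three verdicts only; anything else needs a human.
        raise ValueError(f"verdict {verdict!r} is not covered by the procedure")
    steps = [step for step in RUNBOOK[key] if step]
    comment = (f"{alert['path']} ({alert['signature']}): Valkyrie verdict "
               f"{verdict.strip()}; performed: " + "; ".join(steps))
    return steps, comment


if __name__ == "__main__":
    for v in ("Clean", "PUA", "Malware"):
        print(triage(SAMPLE, v)[1])
```

A verdict outside the three the procedure covers raises an error instead of defaulting to an action, so the ticket stays open for an analyst.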

Attachments :

Categories :

Last updated : 25-02-2019 8:38 pm

Listing Type : (Internal)

Question : How should I handle a Performance Monitor ticket?

Answer :

1. Select and open the customer device that triggered the alert.

2. Go to Logs-->Monitoring Logs, open Details on the relevant Cybercillin Performance Monitor log
(usually the last one) and confirm that this is the log you are looking for.

3. Go to Logs-->Script Logs and find Cybercillin - 5 top CPU/RAM consuming processes with
launch type Auto Remediation that ran at the same time as the previous monitor log. Open
Details and look at the top 5 processes that are consuming CPU/RAM on the customer's device.

4. If necessary, run the procedure one more time by selecting Run Procedure on the device and
entering the procedure's name (Cybercillin - 5 top CPU/RAM consuming processes). After the
procedure finishes, look at the details again.

5. Look for unknown processes and search for information about them on the internet. Use
https://valkyrie.comodo.com, https://www.virustotal.com/en/ and other available resources.

6. There can be different solutions for such an issue. These are some of them:

The customer may have another anti-virus software installed on their device that conflicts with
Comodo Client Security and causes these performance issues. If so, contact the customer's
preferred contact via the Cybercillin SOC official email and advise them to uninstall the existing
non-Comodo anti-virus software from the device. Close the ticket and enter the resolution
activities you have performed.

The customer's device may have been infected with malware that is not recognized by the Comodo
Client Security engine. Treat the process as possible malware and follow the procedure for
malware detection.

Attachments :

Categories :

Last updated : 25-02-2019 8:37 pm

Question : How should I enroll a customer's devices when Customer is selected as the preferred
contact in the request?

Answer :

When you receive an email request for customer provisioning in the Service Desk app in which
Customer is selected as the preferred contact, do the following:

1. Create a Service Desk user for the customer. Go to Applications-->Service Desk-->Users-->Users
directory and click on +Add New User. In the Email Address: field enter the customer's email, and
in the Full Name and Your First Name fields enter the customer's POC name and first name. Click on
Add User to finish this task.

2. Open Applications-->Endpoint Manager and go to Devices-->Device List. Find the
Franchise/Partner group (e.g. Cybercillin St.George), click on the plus sign (Add group) next to
the group's name and create a new group by entering the customer's name (e.g. Transact Group).

3. Create an Endpoint Manager user for the new customer. Go to Applications-->Endpoint
Manager-->User-->User List and click on the Create User button. In the User name field enter the
customer's company name, in the Email field enter your email address, and in the Customer field
find the Partner/Franchise name (e.g. Cybercillin St. George). Be sure to assign the role Users to
the created user!

4. After the user is created, check the user and click on the Enroll Device button to create the
enrollment email. The Please choose the device owner(s) field should show Customer name
(Partner/Franchise name) (e.g. Transact Group (Cybercillin St George)); if it does not, check
whether the user you selected is the correct one. Finally, click on the Email enrollment
instructions button, after which you will receive an email with enrollment instructions. Copy the
link Click this link to enroll your device. You will have to paste it in the ticket reply.

6. Go to Applications-->Service Desk-->Tickets and click on New Ticket. In the Search User field
enter the first letters of the customer's email and select the correct email. Go to the Ticket
Information & Options section and in the Ticket Source field choose Email, under Category choose
Enrollment of Devices, in the Ticket Details section enter Enrollment of devices as the Issue
summary and the same in the description box, and click to open the ticket.

7. Open the created ticket in Applications-->Service Desk-->Tickets-->Open, in the Response
drop-down field choose Enrollment of customer devices where customer is preferred contact, paste
the copied link from the enrollment email by replacing the [Enter link here] text in the response,
check Select Reply as Resolution and send the reply by clicking on Post Reply.

Attachments :

Categories :

Last updated : 25-02-2019 8:36 pm

Question : What should I do when a CRITICAL ERROR report from Datto Backup arrives?

Answer :

1. Open the Datto portal and click on the DEVICE WEB icon to remotely connect to the local
storage device.

2. Go to the PROTECT tab and click on Show Backup Logs to see the logs that contain information
about the error that occurred.

3. Search for an explanation of the error by clicking on GET MORE INFO on the red Backup Error bar.

4. If you can't find the solution, raise a ticket to Datto support by clicking on Support-->Support
ticket on the Datto portal. A new page, Datto Knowledge Base, will open.

5. Click on SUBMIT A REQUEST and fill out the requested info. Choose Datto Technical Support,
enter the soc@cybercillin.com email address in the CC field, write the subject and a description
of the situation and choose email as the preferred method of contact. You will find the device
serial number on the Datto Portal's Backup status tab under the device name.

6. After you resolve the issue, write the solution in the Shift report so it can be entered in the
C1 knowledge base.
