On the Dashboard, one "Infected". Now what?

[JoesCat]

On the cloud console dashboard, Infected: 1 . Now what?  Where to go to see what's still showing as "infected"?  The only place I found, which would be highly inconvenient as the deployment grows, is under the "Detections" left pane item, scrolling through ALL of the entries.  Under Action Taken, some were "quarantined", some "blocked", and only one was "Found", just a registry value, "PUM.Optional.DisableShowMyComputer" , "HKU\S-1-5-21-2342763795-823332892-3551160719-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|START_SHOWMYCOMPUTER".  I'm pretty sure it is benign.  Yet there's nothing to click on to allow it for all endpoints like the old Enterprise for Business product.

[JoesCat]

Added info:  I added a new endpoint (that was getting a lot of detections and quarantines in the old product), and submitted a scan+quarantine.  Now in the dashboard I have 2 "Infected".  Four items were found and quarantined on this new endpoint.  Nothing else occurred in the scan apparently - no "Found" or "Blocked". 

So if all four items the scan found were quarantined, why does the "Infected" count in the dashboard increment up?

[djacobson]

That is a Group Policy Object modification to force Windows 10 machines to open "This PC" instead of "Quick Access", add it to your exclusions like this...

HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|START_SHOWMYCOMPUTER

[djacobson]

Found means a detection was found but no action took place - this happens when you use scan and report on-demand scan, and for scheduled scans if you do not have the quarantine threats automatically option turned on in the schedule entry.

Quarantined means a detection was found by the realtime or the scanner and the object was quarantined.

Blocked means the web blocker blocked a connection attempt to a known malicious IP.