Jump to content

How to close incident for multiple endpoints at once

Go to solution Solved by AdvancedSetup,

Recommended Posts

I have EDR on a 50-workstation client.   An update to the Citrix Sharefile Outlook plugin tripped the 'Suspicious Activity' flag and was blocked on all endpoints.   I examined the first one, realized it was a false positive and closed the incident, creating a global exclusion for the MD5 Hash on that file.  I also created a 'File by path' exclusion using the system variable %localappdata% for good measure.  Ok, problem solved.    Except 49 other workstations still have open incidents for this very same file.   I cannot find a way to close those incidents without individually opening each one.  What am I missing?

Link to post
Share on other sites

  • Staff

*** This is an automated reply ***


Thanks for posting in the Malwarebytes Business section of the forum

For self-help articles, please see the following link

If you're unable to locate an answer from the articles in that link or here on the forums, you're more than welcome to post a new question.

Please note that if you do need direct support, please create a support ticket from the following link.

Business Support


Thanks in advance for your patience.

-The Malwarebytes Forum Team



Link to post
Share on other sites

  • Root Admin
  • Solution

Good day, @HCHTech

Please review the following KB and see if this helps.

Perform actions to Suspicious Activity events in Malwarebytes Endpoint Detection and Response

At the bottom of the article it mentions: Perform bulk action to suspicious activity


Link to post
Share on other sites

Thank you - that was the place.    This is one of those things about the platform that seems disjointed.   When I log into the main dashboard (not an individual site), and I see an icon that says, "Scan Needed" on 8 workstations spread over 6 sites, I want to be able to click on that icon right there and queue those scans.   It's more work than necessary (IMO) to accomplish the thing you are telling me needs done.  I have to click on that icons, which identifies the individual sites, then I have to open each site in turn to actually  queue the scans.  I understand why this behavior would be desired for detections, but for overdue scans, it should be easier than it is to just queue those scans to run.

In fact, I'm not sure the overdue scan warning really has any value.  In my experience this results from a workstation just being off since all of the sites have schedules for scans to run.  It's not my job (IMO) to chase clients and ask them to turn on a machine just so a scan can run.   If it's been off, then it hasn't been at risk, so there shouldn't be a need for a new scan until that computer is on again, at which point, the scheduled scan should take over and make it happen without my intervention.   Maybe I'm missing the point...

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.