Policy Protect Level

The Agent mitigates threats automatically if its policy is set to Protect. When you analyze Active threats, you see the mitigation actions that the Agent applied automatically and whether there are recommended actions.

These features require Advanced Mode to be enabled:

Kill & Quarantine

  • Kill - Stops processes. Active content in documents, executables, and sub-processes are stopped. The Agent enables Kill for processes that act against normal endpoint behavior or do not fit the actions of the application the process is hiding in.
  • Quarantine - Stops processes, encrypts the executable, and moves it to a confined path. If a threat is known, the Agent automatically kills the threat before it can execute. The only mitigation action for you to apply is Quarantine.


Remediate

  • Stops processes, quarantines binaries, removes linked libraries, deletes seed files, and restores configuration of the OS, application, and user settings to the state before the attack began.

Rollback (Windows only)

  • Restores the endpoint to a saved VSS snapshot, undoing the changes made by the process and its associated assets. This option is best for ransomware mitigation and disaster recovery. 
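
Rollback can only restore from a VSS snapshot that exists, so it is worth confirming snapshot coverage on an endpoint before relying on it. The PowerShell check below is an added example, not part of the product or the original page; it assumes the snapshots used for Rollback are visible as standard Windows shadow copies, and `$MaxAgeHours` is an illustrative threshold, not a product setting.

```powershell
# Added example: report VSS snapshot coverage per fixed volume (run elevated).
# $MaxAgeHours is an illustrative threshold, not a product setting.
param([int]$MaxAgeHours = 24)

# Snapshots cannot be created if the Volume Shadow Copy service is disabled.
$vss = Get-Service -Name VSS -ErrorAction Stop
if ($vss.StartType -eq 'Disabled') {
    Write-Warning 'Volume Shadow Copy service is disabled; no snapshots can be created.'
}

# Index existing shadow copies by source volume: count and newest creation time.
$latest = @{}
Get-CimInstance -ClassName Win32_ShadowCopy |
    Group-Object -Property VolumeName |
    ForEach-Object {
        $newest = $_.Group | Sort-Object -Property InstallDate -Descending |
            Select-Object -First 1
        $latest[$_.Name] = [pscustomobject]@{
            Count  = $_.Count
            Newest = $newest.InstallDate
        }
    }

$cutoff = (Get-Date).AddHours(-$MaxAgeHours)

# DriveType 3 = local fixed disk. Win32_Volume.DeviceID uses the same
# \\?\Volume{GUID}\ form as Win32_ShadowCopy.VolumeName.
Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3' | ForEach-Object {
    $info = $latest[$_.DeviceID]
    $status = if (-not $info) { 'NO_SNAPSHOT' } elseif ($info.Newest -lt $cutoff) { 'STALE' } else { 'OK' }

    [pscustomobject]@{
        Volume    = if ($_.DriveLetter) { $_.DriveLetter } else { $_.DeviceID }
        Snapshots = if ($info) { $info.Count } else { 0 }
        Newest    = if ($info) { $info.Newest } else { $null }
        Status    = $status
    }
}
```

A volume reported as `NO_SNAPSHOT` or `STALE` has no recent restore point at the time of the check.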


Limitations of Windows

Some platforms do not support all mitigation features:

  • Windows XP, Server 2003, Server 2008 and POSReady 2009 do not support Quarantine, Remediate, Rollback and Disconnect from Network.

By default, when you set a policy to Protect, the Agents run Kill and Quarantine automatically. In Advanced Mode, you can change automatic mitigation to include Remediate or Remediate and Rollback. This option only shows if Threats or Suspicious are set to Protect.