Responding to an Incident
When an investigation confirms a genuine threat, you need to act quickly to contain the damage, remove the threat, and restore normal operations. Bamboozle EDR provides built-in response actions you can execute directly from the console.
Response actions available
The following actions can be taken on an affected device directly from the alert or device view:
| Action | What it does | When to use |
|---|---|---|
| Isolate device | Cuts the device off from the network while keeping the management connection active | Active threat spreading across the network |
| Stop process | Terminates a specific malicious process | Malware actively running |
| Quarantine file | Moves a malicious file to a secure quarantine folder | Confirmed malicious file identified |
| Roll back changes | Reverts changes made by malware using backup data | Ransomware or destructive malware |
| Run full scan | Triggers an immediate full antimalware scan | After initial containment |
Step 1: Isolate the affected device
If a threat is active and there is a risk it is spreading to other devices on the network, isolate the device immediately.
- In the alert detail view, click Actions.
- Select Isolate device.
- Confirm the isolation.
[SCREENSHOT: Isolate device confirmation dialog]
The device will be cut off from all network communication except the Bamboozle management channel, which allows you to continue managing it remotely. Users on the device will see a notification that the device has been isolated.
Isolating a device will disrupt all network-dependent applications and services running on it. Only isolate a device when you have confirmed an active threat that justifies this disruption.
Step 2: Stop malicious processes
If the investigation identified a specific malicious process still running:
- In the alert detail view or process tree, find the malicious process.
- Click Stop process.
- Confirm the action.
[SCREENSHOT: Stop process option in the process tree view]
Step 3: Quarantine malicious files
If a malicious file has been identified:
- In the alert detail view, find the file under Affected files.
- Click Quarantine.
- The file is moved to a secure quarantine location where it cannot execute but can be retrieved if needed.
[SCREENSHOT: Quarantine file option in the alert detail view]
To review quarantined files:
- Go to Devices and select the affected device.
- Click Quarantine in the device details tabs.
- You can restore a file from quarantine if it was quarantined in error, or permanently delete it.
[SCREENSHOT: Quarantine file list on a device]
Step 4: Roll back malware changes
If malware has modified or encrypted files, you can roll back its changes using your backup data:
- In the alert detail view, click Actions then Roll back.
- The system will identify which files were changed after the malware activity began.
- Review the list of files to be restored and confirm.
[SCREENSHOT: Roll back changes confirmation with file list]
Roll back uses your most recent backup as the source. This is why having an up-to-date backup plan is essential — it makes recovery from ransomware or destructive malware fast and reliable.
Step 5: Run a full scan
After containing the threat, run a full antimalware scan to confirm no other malicious files remain:
- Go to Devices and select the affected device.
- Click Actions then Run full scan.
- Monitor the scan progress under Monitoring then Activities.
[SCREENSHOT: Run full scan option and scan progress]
Step 6: Re-enable the device
Once you are confident the threat has been fully removed:
- Go to Devices and select the isolated device.
- Click Actions then Cancel isolation.
- Confirm the action.
The device will reconnect to the network.
[SCREENSHOT: Cancel isolation option in device actions]
Step 7: Document and review
After resolving an incident:
- Return to the alert and click Resolve.
- Add a comment summarizing what was found, what actions were taken, and the outcome.
- Review how the threat entered the environment and consider what changes could prevent a recurrence, such as applying missing patches, tightening firewall rules, or providing additional user awareness training.
[SCREENSHOT: Resolve alert with comment field]
When to contact Bamboozle Support
Contact Bamboozle Support immediately if:
- You suspect a large-scale ransomware attack affecting multiple devices
- You are unsure whether a threat has been fully removed
- You need help understanding what happened or what action to take
- You need assistance with a complex recovery
Our support team can escalate to security specialists for serious incidents.