GetSusp is a free tool that helps you find and log undetected malware, and automatically submit samples to the Trellix Advanced Research Center. To find suspicious files, GetSusp uses heuristics and compares samples against the Trellix Global Threat Intelligence (GTI) database of known clean files. When you analyze a suspect computer, use GetSusp first.
IMPORTANT: Download the ePO-deployable version of GetSusp and the ePO extension reports package from the GetSusp landing page.
To deploy GetSusp with ePO:
- Log on to the ePO console.
- Check in the GetSusp package and the GetSusp extension:
  - Check in the GetSusp package:
    - Click Menu, Software, Main Repository.
    - Click Actions, Check In Package.
    - Click Browse, locate the GetSusp package, and click Next.
    - Click Save.
  - Check in the GetSusp extension:
    - Click Menu, Software, Extensions.
    - Click Install Extension.
    - Click Browse, locate the GetSusp extension package, and click OK.
    - Click OK.
  - Verify that GetSusp was checked in successfully.
- Create a Product Deployment task:
  - Click Menu, Client Tasks Catalog in the Client Tasks section.
  - Select Trellix Agent, and click Product Deployment.
  - Select Duplicate. This action duplicates the x64 or the x86 GetSusp Task template.
  - Provide a name for the new GetSusp Scan Task, and select it.
  - In the Command-line field, specify the parameters you want GetSusp to run with. The available parameters are listed at the end of this article.
    Example:
    --emailid=myemail@example.com --zippath=C:\
    NOTE: Make sure that the path where GetSusp is placed has read and write access.
    Additional information:
    - The --SILENT option is built into the package, so you don’t have to provide it.
    - If you don’t provide any additional parameters, the program exits with GetSusp running.
  - Click Save.
- Run the Product Deployment task:
  - Click System Tree.
  - Select the system where you want to deploy GetSusp.
  - Click the Actions menu, and select Agent, Run Client Task Now.
  - Click Trellix Agent, Product Deployment, and select the newly created GetSusp deployment task.
  - Click Run Client Task Now.
- Review GetSusp scan results:
  - Wait for the GetSusp deployment task to complete.
  - Click Queries & Reports, and select Trellix Groups and GetSusp.
  - Run the Last 7 days scan results query.
  - Click the scan result of the completed GetSusp deployment task.
  - Click Go to related Threat Event Log.
  - Review the files detected in the GetSusp detection list.
Parameters that you can use in the Command-line field within the GetSusp Deployment Task
- --offline
No automatic submission of GetSusp results.
- --emailid=myemail@example.com
GetSusp submissions that include an email address receive an acknowledgment from Trellix with an item ID for tracking purposes. You can quote this item ID when following up with the support team.
- --zippath=C:\GetSusp_Results
Location where GetSusp creates the ZIP with the results of the GetSusp scan.
- --comment=
Adds a comment that is traceable in GetSusp reports, for example a Service Request (SR) number or an internal incident number.
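As an added worked example (not code from this article, from GetSusp, or from Trellix), the Python helper below assembles the Command-line field from the parameters listed above, refuses values that would not make sense in the task, probes a directory for read and write access (the NOTE above asks for this on the GetSusp path; the same check is useful for the --zippath directory), and lists the results ZIP afterwards. Only the parameter names are taken from the article; the email shape check, the no-whitespace rule for --comment, and the contents of the sample archive are assumptions of the example, not GetSusp behaviour.

```python
"""Assemble and sanity-check the Command-line field for a GetSusp deployment task.

Added example; not part of the article or of GetSusp. It assumes the parameter
names documented in the article (--offline, --emailid, --zippath, --comment)
and invents nothing about how GetSusp parses them beyond that.
"""
import os
import re
import tempfile
import zipfile

# Loose email shape check (assumption of this example): one '@', no whitespace,
# a dot somewhere in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_cmdline(emailid=None, zippath=None, comment=None, offline=False):
    """Return the string to paste into the task's Command-line field.

    --silent is already built into the ePO package, so it is never added here.
    Raises ValueError for values that would not make sense in the task.
    """
    parts = []
    if offline:
        # --offline suppresses submission, so an acknowledgment with an item ID
        # cannot be expected even if --emailid is also given.
        parts.append("--offline")
    if emailid:
        if not EMAIL_RE.match(emailid):
            raise ValueError(f"not an email address: {emailid!r}")
        parts.append(f"--emailid={emailid}")
    if zippath:
        if not os.path.isabs(zippath):
            raise ValueError("--zippath must be an absolute path")
        parts.append(f"--zippath={zippath}")
    if comment:
        # Assumption: keep the comment free of whitespace so the single
        # Command-line field needs no quoting (e.g. SR-4-1234567890).
        if any(ch.isspace() for ch in comment):
            raise ValueError("--comment must not contain whitespace")
        parts.append(f"--comment={comment}")
    return " ".join(parts)


def rejects(**kwargs):
    """True if build_cmdline refuses these arguments."""
    try:
        build_cmdline(**kwargs)
    except ValueError:
        return True
    return False


def check_zippath_writable(zippath):
    """Confirm the directory exists and can actually be read and written."""
    if not os.path.isdir(zippath):
        return False
    try:
        # Create and immediately delete a probe file in the target directory.
        with tempfile.NamedTemporaryFile(dir=zippath, prefix="getsusp_probe_"):
            pass
    except OSError:
        return False
    return os.access(zippath, os.R_OK)


def find_result_zips(zippath):
    """List ZIP archives in zippath as (path, entry names), newest first."""
    found = []
    for name in os.listdir(zippath):
        full = os.path.join(zippath, name)
        if name.lower().endswith(".zip") and zipfile.is_zipfile(full):
            with zipfile.ZipFile(full) as zf:
                found.append((full, zf.namelist()))
    found.sort(key=lambda item: os.path.getmtime(item[0]), reverse=True)
    return found


def demo():
    """Run the helpers against a constructed results directory (no real GetSusp output)."""
    workdir = tempfile.mkdtemp(prefix="getsusp_demo_")
    cmd = build_cmdline(emailid="analyst@example.com", zippath=workdir,
                        comment="SR-4-1234567890")
    writable = check_zippath_writable(workdir)
    # Constructed stand-in for the archive GetSusp writes; real entry names differ.
    sample = os.path.join(workdir, "GetSusp_results.zip")
    with zipfile.ZipFile(sample, "w") as zf:
        zf.writestr("GetSusp.log", "constructed sample log line\n")
    zips = [(os.path.basename(p), names) for p, names in find_result_zips(workdir)]
    return cmd, writable, zips


if __name__ == "__main__":
    print(demo())
```

Paste the string returned by build_cmdline into the Command-line field of the duplicated task; run check_zippath_writable on the target system under the account the agent uses, since a directory the console user can write is not necessarily one the deployed task can.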