Self Service Stuck Threats

Topic

This article explains how to resolve stuck threats and determine whether a threat is a non-issue, reducing the need for escalation.

Environment

  • NinjaOne Integrations
  • Bitdefender GravityZone
  • SentinelOne
  • CrowdStrike

Description

Stuck threats are a persistent issue affecting multiple antivirus integrations. The antivirus detects and reports the threat, but fails to clear it from NinjaOne after remediation. This often required users to intervene and escalate the issue to NinjaOne Support for resolution.

Main Causes for Stuck Threats

There may be various issues causing a stuck threat, and these issues could be limited to your choice of antivirus. The following table provides a few reasons why a threat may become stuck.

| Cause | Antivirus Vendor | Details |
|---|---|---|
| Incorrect product code | Bitdefender GravityZone | The product code does not match the database, and this prevents threat removal queries from working properly. This often occurs during migration from Bitdefender SDK to GravityZone. |
| Timing issues | Bitdefender GravityZone | When GravityZone reports a threat after a full scan starts but before the scan completes, the threat remains stuck. The cleanup query only searches for records created before the scan start time. |
| API communication problems | SentinelOne | (1) The API poller gets stuck during SentinelOne's scheduled maintenance window, preventing SentinelOne from retrieving the threat status update. The API poller may also get stuck if you experience a 404 error when validating site mappings. (2) API tokens fail to sync between SentinelOne and NinjaOne. |
| API credential problems | CrowdStrike | The required Alerts - Read scope is missing for threat retrieval. |
| Missing status updates | CrowdStrike | NinjaOne did not receive updates from the CrowdStrike API when detections were set to a Closed status. |

Stuck Threat Access Permission

System administrators must grant an end user access to the self-service feature. When the permission is activated, the end user can install or update assigned software tiles through the end user portal.

To grant access, perform the following steps:

  1. In the end user account or end user role, select Self service.
  2. Click the toggle so it shows the Enabled tag.
  3. Select Allowed from the Self service access drop-down menu.
Figure 1: Add permission for self service access
  4. Click Save changes.

Mute Active, Blocked, and Quarantined Threats

System administrators can mute threats from the system and organization dashboards. To do so, perform the following steps.

  1. Expand the Devices tab. Select Threats and then click Active/Blocked or Quarantined.
Figure 2: View active, blocked, or quarantined threats
  2. Select one or more threats and then click Mute threat.
Figure 3: Mute threats in NinjaOne
  3. Once you have muted the threat, you can view or unmute it at Devices > Threats > Muted.
Figure 4: View muted threats

View Muted Threat Activity

When you mute or unmute a threat, NinjaOne records it as an activity. To view these activities, perform the following steps.

  1. On the system or organization dashboard, select Activities > All.
  2. Select Devices > Antivirus for the Activity type.
  3. Optionally, you can further filter the list by selecting a status.
Figure 5: View muted threat activity

Additional Resources

Refer to Integrations and Third-Party Apps: Resource Catalog to find more help with NinjaOne Integrations.
