About TDR Baselines
TDR primarily uses the File, Process, and Registry Events that the Host Sensor generates in real time to detect malware as it occurs on the end host. To account for changes that occur while mobile devices are offline, TDR also uses baselines to detect and alert on changes made to the system. After a baseline is created, the Host Sensor maintains persistent file baselines, and only changes to the baseline data are sent to TDR to update the database. This reduces the amount of data the Host Sensor regularly sends to TDR. A baseline runs automatically when a Host Sensor is installed. Subsequent baselines run on the schedule specified in the Host Sensor Settings.
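To make the "only changes are sent" idea concrete, the following is an added Python example, not WatchGuard's code (the real Host Sensor's baseline format and transport are not described on this page). It hashes every file under a directory into a baseline, takes a second baseline after some constructed changes, and reports only the added, removed and modified paths, which is the information a sensor needs to forward after a host has been offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (as a relative POSIX path) to its hash."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = hash_file(entry)
    return baseline


def baseline_delta(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Return only what differs between two baselines; unchanged files are omitted."""
    return {
        "added": sorted(path for path in new if path not in old),
        "removed": sorted(path for path in old if path not in new),
        "modified": sorted(path for path in new if path in old and new[path] != old[path]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a temp directory, change it, compute the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"original binary")
        (root / "config.ini").write_text("debug=0\n")
        (root / "readme.txt").write_text("hello\n")
        first = build_baseline(root)

        # Simulated changes made while the host was "offline".
        (root / "bin" / "app.exe").write_bytes(b"changed binary")
        (root / "readme.txt").unlink()
        (root / "bin" / "newtool.dll").write_bytes(b"new file")
        second = build_baseline(root)

        return baseline_delta(first, second)


if __name__ == "__main__":
    print(demo())
```

Only the three changed paths are reported; `config.ini`, which did not change, produces no traffic at all, which is the saving the paragraph above describes.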
Baselines can also be performed on demand from the TDR Web UI. This is useful when significant changes are made to a system and you need a baseline before the next scheduled baseline.
- Log in to the TDR Web UI as an Administrator or Analyst.
- Select Devices > Hosts.
- Select the check box next to one or more active hosts in the list.
- Select Actions > Request Baseline.
The Confirm Action - Request Baseline dialog box appears.
- Click Execute Action.
The amount of time it takes for the baseline to run will depend on the number of files on the system. To check on the status of the baseline, see the Host Sensor Status in the Web UI. The status will progress through these stages:
- Baseline Request by <user name> acknowledged
- Process Baseline Received
- File Baseline Received
When the baseline is in progress on a Windows system, the user is notified in the System Tray. For more information about System Tray notifications, see TDR Host Sensor System Tray Icon.
Manage Baseline Schedules
You can create an optimal period for the baseline to run to meet your business needs. Specify how often you want a baseline to run in days and create an optimal window for performing the baseline in minutes. Baselines can be scheduled to run every day or periodically with a maximum time period of 30 days. The default schedule is to run every 7 days. You can specify a minimum and maximum delay window in minutes for starting a baseline. This prevents a potential performance issue on Monday mornings when everyone restarts their computers. The baselines will be staggered within the window.
- Log in to the TDR Web UI as an Analyst.
- Select Settings > Host Sensor.
The Host Sensor Settings page appears.
- To create your baseline window:
- Baselines Minimum Delay Minutes - Type the minimum number of minutes to wait before a baseline starts. This value can be 0 to 240 minutes. This allows time for the client to start up before the baseline begins.
- Baseline Maximum Delay Minutes - Type the maximum number of minutes before a baseline starts. When used with the Minimum Delay, this creates a window to run the baseline. This value can be 0 to 240 minutes.
- Baseline Frequency (Days) - Type the number of days to wait between baselines. After the specified number of days, the baseline will automatically run within the window created with the Minimum and Maximum Delay values.
- Click Save.
Postpone a Baseline
A user can postpone a baseline once after it starts. When the notification that the baseline has started appears, the user has the option to postpone it for 2 hours; this can be done only one time per baseline.
- When notification that a baseline has started appears, right-click on the TDR icon in the system tray and select Threat Detection and Response.
- Select Postpone Baseline by 2 hours.
A notification that the Baseline has been postponed for 2 hours appears.
For information about Host Sensor Actions, see: