ZeroExfil Security Portal

Monitor

Home Activity Dashboard

Investigation & Response

Alerts Quarantine Hunting File Intelligence

Assets

Devices Device Management

Configure

Detections Settings

File	Hash	Device	Size	Quarantined	Status	Action
Loading quarantined files...

Alert Details

Loading alert details...

Asset Details

Loading asset details...

Download started

ZeroExfilInstaller.msi is downloading. Run it as Administrator on each target device, or use one of the deployment methods below.

Manual install (cmd.exe)

Open an elevated command prompt and run:

msiexec /i ZeroExfilInstaller.msi TENANT=<loading...> /qn

Mass deployment

For Intune or Group Policy rollout, see the Deployment Methods section on this page.

Rule Details

Loading rule details...

Create Automated Response Rule

Rule Name

Description

Enabled

Trigger on Severity

Critical High Medium Low

Actions to Execute

Isolate Device Run Security Scan Collect Logs

Create Whitelist Entry

Note: Events matching ALL specified fields will be suppressed. Leave fields empty to match any value.

Process Name

Process Path

Process Signature

Process Hash (SHA256)

File Path

Account Name

Device ID

Reason *

Enabled

Setup Two-Factor Authentication

⚠️

Confirm Action

Are you sure you want to proceed?

Organization Risk Overview

Device Health

Active Alerts

Threat Intelligence

Detections

Alerts

Hunting

KQL Reference

Devices

Device Deployment

Quarantined Files

Settings

Confirm Action

Activity Dashboard

File Event Timeline Writes Deletes Reads Renames Bursts

Top Processes by Data Volume

Device Outlier Map hover a dot for details

User Activity click a bar to drill down

File Intelligence

Bulk Action Context this file was touched as part of a larger per-PID burst — context shows peers and scale

Event Timeline chronological — click Hunt to pivot into the Hunting editor

Write Volume bytes written per event — colors indicate distinct processes

Device Spread where this file lives across your fleet

Move / Rename Chain click Follow to re-search using the new path

Accessors processes that touched this file — unsigned accessors are flagged

Raw Events