Malware
Security
Last synthesized: 2026-02-13 02:51 | Model: gpt-5-mini
Table of Contents
1. Browser push-notification / fake antivirus pop-ups (adware/notification phishing)
2. Endpoint antivirus detections and quarantines (Defender detections like Epibrowser)
3. ISP home-network malware alerts (Aisuru and consumer router/IoT concerns)
4. False-positive malware detections in SharePoint-stored PDF files
5. macOS startup warnings for managed scripts (/Library/Management/Scripts) reported as 'This file damages your computer'
6. Third-party meeting app repeatedly appearing in Microsoft Teams (suspected malware)
7. Long-running or apparently stuck Microsoft Defender Security & Threat scan
8. Automatic redirect to explicit/external website after clicking a domain
1. Browser push-notification / fake antivirus pop-ups (adware/notification phishing)
Solution
Incidents were resolved by removing or blocking the browser-originated notification source and applying browser-based content filtering, and where applicable by running endpoint scans and rebooting. Support removed the offending sites from the browser notification allow list in Chrome and Edge (Site Settings → Notifications), installed uBlock Origin where it was used, and cleared cookies for the affected sites. Support also performed full endpoint scans during remote sessions (Trellix disk scans, Windows Defender, or third-party AV such as McAfee) and rebooted the systems; in several cases the scans reported no resident malware and a reboot returned the system to normal. This is the expected outcome for this class of incident: the pop-ups are delivered by a website the user has granted notification permission to, not by software installed on the endpoint, so a clean scan does not contradict the user's report. Once notification permissions were revoked or filtering was applied, the push notifications and fake-antivirus pop-ups stopped, and no further infection was found in the investigated cases.
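The Site Settings step above is done by hand in the browser; during a remote session it is often faster to read the profile's permission store directly. The script below is an added example (not from the ticket corpus or from any vendor) and assumes the Chromium "Preferences" JSON layout that Chrome and Edge share (profile → content_settings → exceptions → notifications, with setting 1 = allow, 2 = block). The profile data it parses is constructed inline, and the fake-antivirus keyword list is a triage heuristic of this example, not a detection rule from the corpus.

```python
"""Triage Chromium notification permissions from a Preferences file.

Added example, not from the ticket corpus. Assumes the Chromium
"Preferences" JSON layout (profile -> content_settings -> exceptions ->
notifications). Typical file locations (Windows):
  Chrome: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences
  Edge:   %LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Preferences
"""
import json
import re
from typing import Dict, List

# Chromium content-setting values for a notification exception.
SETTING_ALLOW = 1
SETTING_BLOCK = 2

# Hostname keywords common in fake-AV notification sources. This is a
# heuristic assumed by this example, not a corpus rule; review hits by hand.
SUSPICIOUS_KEYWORDS = ("virus", "antivirus", "alert", "warning", "security", "scan")

# Constructed sample profile: three exceptions, two allowed, one blocked.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://news.example.com:443,*": {
                        "last_modified": "13350000000000000", "setting": SETTING_ALLOW},
                    "https://pc-virus-alert.example:443,*": {
                        "last_modified": "13355000000000000", "setting": SETTING_ALLOW},
                    "https://mail.example.com:443,*": {
                        "last_modified": "13340000000000000", "setting": SETTING_BLOCK},
                }
            }
        }
    }
})


def notification_exceptions(prefs_json: str) -> Dict[str, int]:
    """Return {origin: setting} for every notification exception in the profile."""
    prefs = json.loads(prefs_json)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    result: Dict[str, int] = {}
    for pattern, entry in exceptions.items():
        # Keys are "<primary pattern>,<secondary pattern>"; the origin is the first part.
        origin = pattern.split(",", 1)[0]
        result[origin] = int(entry.get("setting", 0))
    return result


def allowed_origins(prefs_json: str) -> List[str]:
    """Origins currently permitted to push notifications, sorted."""
    return sorted(o for o, s in notification_exceptions(prefs_json).items()
                  if s == SETTING_ALLOW)


def suspicious_origins(prefs_json: str) -> List[str]:
    """Allowed origins whose hostname matches a fake-AV keyword (heuristic)."""
    hits = []
    for origin in allowed_origins(prefs_json):
        host = re.sub(r"^[a-z]+://", "", origin).split(":")[0].lower()
        if any(keyword in host for keyword in SUSPICIOUS_KEYWORDS):
            hits.append(origin)
    return hits


def revoke(prefs_json: str, origins: List[str]) -> str:
    """Return new Preferences JSON with the given origins switched to BLOCK.

    Chromium rewrites Preferences on exit, so only write the result back to
    disk while the browser is fully closed.
    """
    prefs = json.loads(prefs_json)
    exceptions = prefs["profile"]["content_settings"]["exceptions"]["notifications"]
    for pattern, entry in exceptions.items():
        if pattern.split(",", 1)[0] in origins:
            entry["setting"] = SETTING_BLOCK
    return json.dumps(prefs)


if __name__ == "__main__":
    print("allowed:   ", allowed_origins(SAMPLE_PREFERENCES))
    print("suspicious:", suspicious_origins(SAMPLE_PREFERENCES))
    cleaned = revoke(SAMPLE_PREFERENCES, suspicious_origins(SAMPLE_PREFERENCES))
    print("after revoke:", allowed_origins(cleaned))
```

For a fleet-wide fix rather than a per-session one, the same origins can be pushed through the Chrome/Edge `NotificationsBlockedForUrls` policy so that users cannot re-grant permission to the same site.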
2. Endpoint antivirus detections and quarantines (Defender detections like Epibrowser)
Solution
Antivirus products (Microsoft Defender in the documented Epibrowser cases and Trellix in others) quarantined the identified malicious binaries (for example epibrowser_proxy.exe and related files) and stopped them from running. Support confirmed the quarantines and ran full workstation scans; in single-detection cases the scans returned clean, no persistent OS-resident malware was found, and any remaining browser push-notification artifacts were determined to be browser-level rather than a resident infection. When multiple malware families or stronger infection indicators were present, the affected endpoints were proactively isolated from the network and the cybersecurity team led the investigation; remediation in those incidents required a device wipe/reimage or a replacement device. Support contacted the users (Teams remained available in the documented cases) to coordinate the replacement or reset.
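The escalation rule above (single quarantined detection with a clean follow-up scan is closed; several families or a failed remediation means isolate and escalate) is easy to apply by eye to one ticket and easy to get wrong across a batch. The script below is an added example, not corpus or vendor code: it groups detection records per device, derives the family from the `Type:Platform/Family.Variant[!Suffix]` form that Microsoft uses for threat names, and returns the action the tickets describe. The records are constructed and the threat names are hypothetical placeholders, not Defender's real names for any family.

```python
"""Group endpoint AV detections per device and apply the escalation rule.

Added example, not from the ticket corpus. Sample records are constructed;
threat names are hypothetical, not real Defender detection names.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Microsoft naming convention: Type:Platform/Family.Variant[!Suffix].
# The family is the text between "/" and the first "." or "!".
THREAT_NAME_RE = re.compile(r"^(?P<type>[^:]+):(?P<platform>[^/]+)/(?P<family>[^.!]+)")

ACTION_CLOSE = "full_scan_then_close_if_clean"
ACTION_ISOLATE = "isolate_and_escalate"

# Constructed detections (fields mirror what an AV console exports).
SAMPLE_DETECTIONS: List[Dict] = [
    # One quarantined detection on a host: the common single-detection case.
    {"device": "WS-0101", "threat": "Trojan:Win32/SampleFamilyA.B", "action_success": True,
     "path": r"C:\Users\alice\AppData\Local\Temp\epibrowser_proxy.exe"},
    # Two different families on one host, and one remediation that failed.
    {"device": "WS-0202", "threat": "Trojan:Win32/SampleFamilyA.B", "action_success": True,
     "path": r"C:\Users\bob\AppData\Local\Temp\epibrowser_proxy.exe"},
    {"device": "WS-0202", "threat": "Backdoor:Win32/SampleFamilyC!ml", "action_success": False,
     "path": r"C:\ProgramData\svc\updater.exe"},
    # Two detections of the same family: still one family, still quarantined.
    {"device": "WS-0303", "threat": "Trojan:Win32/SampleFamilyA.B", "action_success": True,
     "path": r"C:\Users\carol\Downloads\setup.exe"},
    {"device": "WS-0303", "threat": "Trojan:Win32/SampleFamilyA.C", "action_success": True,
     "path": r"C:\Users\carol\AppData\Local\Temp\setup_helper.exe"},
]


def threat_family(threat_name: str) -> str:
    """Family component of a Type:Platform/Family.Variant name (or the whole name)."""
    match = THREAT_NAME_RE.match(threat_name)
    return match.group("family") if match else threat_name


def triage(detections: List[Dict]) -> Dict[str, Dict]:
    """Per device: distinct families, detection count, failed-action flag, action."""
    families = defaultdict(set)
    counts = defaultdict(int)
    failed = defaultdict(bool)
    for record in detections:
        device = record["device"]
        families[device].add(threat_family(record["threat"]))
        counts[device] += 1
        if not record.get("action_success", False):
            failed[device] = True

    result: Dict[str, Dict] = {}
    for device in families:
        # Stronger indicators: more than one family, or a quarantine that did not succeed.
        escalate = len(families[device]) >= 2 or failed[device]
        result[device] = {
            "families": sorted(families[device]),
            "detections": counts[device],
            "quarantine_failed": failed[device],
            "action": ACTION_ISOLATE if escalate else ACTION_CLOSE,
        }
    return result


if __name__ == "__main__":
    for device, verdict in triage(SAMPLE_DETECTIONS).items():
        print(device, verdict)
```

On a Defender host the equivalent raw data comes from the `Get-MpThreatDetection` and `Get-MpThreat` cmdlets (the former carries the per-event action result and resource path, the latter the threat name); feed their output into `triage` with the same field names to get the same verdicts.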
3. ISP home-network malware alerts (Aisuru and consumer router/IoT concerns)
Solution
The tickets recorded ISP-originated alerts and user concern but did not document a confirmed remediation for the ISP detections. Investigations in the corpus found no definitive confirmation of a corporate endpoint compromise tied to the ISP alerts; the cases noted that non-corporate home devices (IoT or personal devices) were the likely source and referenced typical home-network mitigations (router firmware updates, changed router credentials, device isolation), but no ticketed closure specific to the Aisuru alert was recorded.
4. False-positive malware detections in SharePoint-stored PDF files
Solution
Support scanned and inspected the flagged PDFs and found that PDF Creator had embedded a link to its own software in the files, which caused Microsoft Defender to flag them (a false positive) and in turn caused the backup process to fail on those files. After confirming that the scanned PDFs contained no malicious content, support marked the files/users as authorized so the backup process allowed them; the backup failures then ceased.
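The decisive step in that case was looking at what the PDF actually links to before granting an exception. The script below is an added example (not corpus or vendor code) that pulls `/URI` link targets out of a PDF's raw bytes and reports which hosts are on an agreed vendor allow list; the PDF it parses is constructed inline and the vendor host `pdf-tool.example` is a hypothetical stand-in for the real PDF Creator download site, which the tickets do not name.

```python
"""Extract /URI link targets from a PDF and check them against an allow list.

Added example, not from the ticket corpus. The PDF bytes are constructed and
the allow-listed host is hypothetical. Works on uncompressed annotation
objects; PDFs whose objects live in compressed object streams need a real
parser (e.g. pypdf) to inflate them first.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# PDF literal string after /URI: "( ... )" with \( \) \\ escapes allowed inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Hypothetical vendor host standing in for the PDF Creator download site.
ALLOWED_HOSTS = {"pdf-tool.example"}

# Constructed minimal PDF with two link annotations.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 200 70]
   /A << /S /URI /URI (https://pdf-tool.example/download) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [50 80 200 100]
   /A << /S /URI /URI (https://intranet.example.com/docs/q1\\(final\\).pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _unescape(raw: bytes) -> str:
    """Undo backslash escapes in a PDF literal string (octal escapes not handled)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> List[str]:
    """All /URI targets found in uncompressed objects, in file order."""
    return [_unescape(match.group(1)) for match in URI_RE.finditer(pdf)]


def classify_uris(uris: List[str], allowed_hosts=ALLOWED_HOSTS) -> Dict[str, str]:
    """Map each URI to 'allow_listed' (known vendor host) or 'review'."""
    verdicts: Dict[str, str] = {}
    for uri in uris:
        host = (urlsplit(uri).hostname or "").lower()
        verdicts[uri] = "allow_listed" if host in allowed_hosts else "review"
    return verdicts


def needs_review(pdf: bytes, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True if any embedded link points outside the allow list."""
    return any(v == "review" for v in classify_uris(extract_uris(pdf), allowed_hosts).values())


if __name__ == "__main__":
    for uri, verdict in classify_uris(extract_uris(SAMPLE_PDF)).items():
        print(f"{verdict:12} {uri}")
    print("needs review:", needs_review(SAMPLE_PDF))
```

A file whose only links are allow-listed vendor URLs is the pattern the tickets describe and is a candidate for an exception; any other target should be reviewed before the file is authorized, since an exclusion applied at the user or file level will also cover a later, genuinely malicious version of the same document.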
5. macOS startup warnings for managed scripts (/Library/Management/Scripts) reported as 'This file damages your computer'
Solution
Multiple incidents of macOS Gatekeeper/launch-time warnings naming management scripts were investigated and traced to Jamf-managed or vendor-supplied scripts (located in /Library/Management/Scripts or visible in Finder) with historical execution logs. In the ticket corpus the recurring warnings were resolved by delivering updated packages or vendor-signed replacements through the management system; the packages were applied when the devices received them (commonly after a reboot) or after a Self Service inventory update, and the Gatekeeper warnings stopped once the updated or cryptographically signed script versions were installed. A small subset of cases involved vendor-supplied tooling, where the warning cleared after the supplier delivered a signed update and pending macOS/software updates completed. The tickets also recorded that the files could not be removed without administrator credentials, and that support escalated to specialists when package delivery did not immediately clear the pop-up.
6. Third-party meeting app repeatedly appearing in Microsoft Teams (suspected malware)
Solution
The issue was resolved when the user removed the account associated with the app; after the account deletion the app no longer appeared in Teams meetings and the behavior stopped.
7. Long-running or apparently stuck Microsoft Defender Security & Threat scan
Solution
The Defender scan was allowed to continue running until it completed. The next day the user confirmed the scan had finished successfully and Defender did not report any issues. No system restart was required and no malware was found during the completed scan.
8. Automatic redirect to explicit/external website after clicking a domain
Solution
Security reviewed the reported URL and found no indicators of compromise or malware; no security detections were reported. IT documented the event and suggested informing the named colleague about the domain; no further remediation was recorded, and the ticket was closed after a period with no further user response.