Create a Recurring Virus and Malware Scan Policy

While the real time monitoring policy is used to protect users from malware whenever they open or execute files, you should also create a recurring virus and malware scan policy and this policy is used to scan for malware on a scheduled basis to remove any dormant malware from the endpoint.

Scan Frequency

The recurring scan can be executed daily or weekly as shown below. In general, customers will opt to conduct weekly or fortnightly recurring scans. As real-time monitoring provides immediate protection when files are accessed, there may be limited benefit from conducting more frequent recurring scans to remove dormant malware.

Scan Options

The scan options available are very similar to the “Scan Now – Virus and Malware Scan” (see Discover section). Particular attention should be paid to the CPU utilization setting and archive scan settings.

CPU Utilization

The CPU utilization setting can be adjusted to determine how much CPU gets consumed when the scan is being performed. If the scan is being performed out of hours, select the high CPU utilization setting which will cause the scan to use as much CPU as possible so that the scan completes more quickly. However, if the scan is being performed during business hours, you should select a medium or low CPU utilization level. This will cause the scan to take longer but the scan will have less of an impact on the user.

Scan Archives

While it makes sense to scan archives on a one-time scan using the Scan Now – Virus and Malware scan option, it may not be necessary to scan archives during a recurring scan as any malware lying dormant in these files will get detected by the real-time monitoring policy if the associated file is extracted from the archive. Scanning archives could result in the scan taking a lot longer so the default setting is to not scan archives. It is possible to set up an infrequent recurring scan (e.g. weekly scan which runs every 8 weeks scheduled to run at the weekend) which includes an archive scanning option.

Logging

The log level for real-time monitoring is set to “Normal” which means that log events are created in the event that malware is detected. It is possible to change this level to “Detailed” whereby a log entry is created for every file that is scanned. This logging level would only be used for diagnostic purposes (e.g. to analyze an application conflict or performance issue) so is not available as a policy option because it would create large log files and could cause performance issues. However, if you need to do some troubleshooting and require a detailed logging level, please contact Ivanti Support to get this enabled temporarily.