Introduction

The Ivanti Endpoint Security AntiVirus module protects endpoints against known malware using signature-based detection, and against unknown malware using behavioral analysis, including Sandbox technology.

This document provides a best practice workflow to act as a guide for administrators when implementing AntiVirus. Following the workflow outlined in this document should help to ensure a successful deployment and ongoing virus and malware protection.

In addition to following this workflow, you should develop a recovery plan for use if a widespread infection occurs. If one does not already exist, you should also develop a support escalation plan so that users can report malware infections or false positives on their endpoints. Finally, you will need to train your IT Help Desk team to handle such escalations.

What Does AntiVirus Do?

AntiVirus blocks known malware and provides protection against unknown malware without impacting productivity. AntiVirus examines executable files and employs the following capabilities to provide a multi-layered defense against existing and new malware:

  • Full signature matching, also known as blacklisting, to recognize, block and remove known malware. Signature updates are made available twice daily to ensure that protection against the latest known malware is always available.
  • DNA matching or partial signature matching to recognize, block and remove unknown malware and new variants of known malware based on inherited or re-used malware code fragments.
  • Exploit detection to recognize, block and remove malware hidden or embedded in seemingly innocent files.
  • Behavioral detection using Sandbox technology, which executes the code in an emulated environment and blocks and removes it if it exhibits malicious behavior.
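
The difference between full signature matching and DNA (partial signature) matching described above is easiest to see in code. The following is an illustrative model added to this guide, not Ivanti's engine or its signature format: a full signature is a hash of the whole file and only matches an identical copy, while a fragment signature matches a family by the code fragments its variants re-use, with a minimum hit count to avoid false positives on fragments that also appear in clean files. The sample byte strings, signature names and threshold are constructed for the example.

```python
"""Illustrative model of full-signature versus fragment (partial-signature)
matching.  Example code added to this guide, not Ivanti's engine; every
sample, signature and threshold below is constructed for the demonstration."""

import hashlib

# Constructed samples: a known malicious file body, a variant that keeps the
# re-used code fragments but differs in a few bytes (e.g. a rebuilt payload),
# and a clean file that shares only a non-distinctive run of zero bytes.
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"PAYLOAD-A" + b"\x00" * 8
                + b"GET http://c2/" + b"\x00" * 4 + b"REGDROP")
VARIANT_SAMPLE = (b"MZ\x90\x00" + b"PAYLOAD-B" + b"\x00" * 8
                  + b"GET http://c2/" + b"\x00" * 4 + b"REGDROP")
CLEAN_SAMPLE = b"MZ\x90\x00" + b"hello world" + b"\x00" * 8

# Full signature ("blacklist"): SHA-256 of the entire known sample.
# It matches an identical copy and nothing else.
FULL_SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Example.A",
}

# Fragment signature: distinctive code fragments shared across a family.
# min_hits guards against a single weak fragment flagging clean files.
FRAGMENT_SIGNATURES = {
    "Trojan.Example": {
        "fragments": [b"GET http://c2/", b"REGDROP", b"\x00" * 8],
        "min_hits": 2,
    },
}


def full_match(data: bytes):
    """Return the signature name for an exact hash match, or None."""
    return FULL_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def fragment_match(data: bytes):
    """Return the family name if enough of its fragments are present, or None."""
    for family, sig in FRAGMENT_SIGNATURES.items():
        hits = sum(1 for frag in sig["fragments"] if frag in data)
        if hits >= sig["min_hits"]:
            return family
    return None


def classify(data: bytes):
    """Layered verdict: exact signature first, then fragment matching.

    Returns ("known", name), ("variant", family) or ("clean", None)."""
    name = full_match(data)
    if name is not None:
        return ("known", name)
    family = fragment_match(data)
    if family is not None:
        return ("variant", family)
    return ("clean", None)


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE),
                          ("variant", VARIANT_SAMPLE),
                          ("clean", CLEAN_SAMPLE)]:
        print(label, "->", classify(sample))
```

Running the block shows the variant evading the full signature (a single changed byte changes the hash) but still being caught by the fragment signature, while the clean file, which shares only the run of zero bytes, stays below the hit threshold. Real engines use far more discriminating fragments and scoring than this toy, but the trade-off is the same: the looser the match, the more care is needed to keep false positives down.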

Policies defined on the Endpoint Security console determine the actions taken by the AntiVirus engine on the endpoint. The following policy types are available:

  • Real-Time Monitoring: This policy defines the actions taken by the engine when files are opened, moved, or copied.
  • Recurring Scan: This policy defines the frequency at which full or partial disk scans are conducted to remove any dormant malware from the endpoints.
  • Scan Now: This is a one-time scan, typically performed when AntiVirus is first introduced, when an outbreak is suspected, or prior to going into lock-down when deploying Ivanti Application Control.

If malware is detected on the endpoint, the AntiVirus engine first attempts to clean the file. If it cannot, it will either quarantine or delete the file, depending on the policy settings. The endpoint also sends an alert to the server so that the administrator is aware of the incident and can take action if necessary.

If the AntiVirus engine has been unable to clean the malware, the administrator can submit the file to Ivanti support for further analysis.