About Antivirus Policies

Antivirus policies define a set of actions that are carried out automatically to protect the network and its endpoints from viruses and other malware.

In practice, antivirus policies provide the main form of protection to the network because they perform malware scanning automatically and consistently. A good set of antivirus policies can provide comprehensive protection to the network without significantly affecting its performance.

Ivanti AntiVirus provides two types of antivirus policy, the Recurring Virus and Malware Scan and the Real-time Monitoring Policy. You can create as many of each policy type as you want; the effect of assigning multiple Real-time Monitoring Policies to a group or endpoint is a resultant policy.

Ivanti Endpoint Security allows you to organize endpoints and groups in a hierarchical fashion, and antivirus policies can be assigned and inherited accordingly.

Antivirus Policy Types

Two types of complementary antivirus policies can be created to automatically inspect files for malware: Recurring Virus and Malware Scan and Real-time Monitoring Policy.

Real-time Monitoring Policy: Scans files for malware when they are read, executed or written on an endpoint (also known as on-access or background scanning).

Recurring Virus and Malware Scan: Scans all files on an endpoint for malware on a regular, scheduled basis (daily or weekly). A scan typically takes a long time because of the large number of files targeted, but the duration can be noticeably reduced through various configuration options (for example, the careful exclusion of specific files and folders). Every excluded file or folder is a file the scan never looks at, so keep the exclusion list short and review it.

About Recurring Virus and Malware Scan Policies

A recurring virus and malware scan policy runs a scan on selected endpoints or groups at regularly scheduled times.

The frequency of a recurring scan can range from daily to weekly. When configuring a recurring scan, you should make it thorough enough to provide comprehensive protection to the network.

A recurring virus and malware scan policy is defined by the following settings:

Scheduling: Specifies the frequency of the scan.

  • Daily
  • Weekly

Virus detection actions: Specifies the action taken when malware is detected.

  • Perform no action
  • Attempt to clean then quarantine (default)
  • Attempt to clean then delete
  • Attempt to clean then quarantine then delete

Scan boot sectors: Scans boot sectors in addition to program and data files.

Scan archives: Scans archive files such as .zip and .cab files. Infected .rar files can be quarantined and deleted, but can't be cleaned.

Scan memory: Scans memory in addition to local storage (hard drive).

Logging level: Determines the level of detail that is recorded in log files. Detailed includes a results summary plus the name, time and status of each scanned file, while Normal includes only a results summary.

Exclude path/filename: Excludes the specified paths or files from the scan.

Optional drives: Scans locally attached storage media such as external hard drives and USB devices.

You create a recurring scan policy with the Recurring Virus and Malware Scan Policy Wizard. The wizard provides detailed configuration options that enable you to specify a high level of protection, without impacting network performance. See Creating a Recurring Virus and Malware Scan Policy for more information on policy settings and how to use this wizard.

About Real-time Monitoring Policies

Real-time monitoring is an ongoing scanning process that monitors file activities on an endpoint. With a real-time monitoring policy you can set the scanning options, determine excluded files or paths, and assign it to endpoints and groups.

A real-time monitoring policy is defined by the following settings:

Virus detection actions: Specifies the action taken when malware is detected.

  • Perform no action
  • Attempt to clean then quarantine (default)
  • Attempt to clean then delete
  • Attempt to clean then quarantine then delete

Local user: Applies when the endpoint is being used as a workstation.

  • Scan on read/execute
  • Scan on both read/execute and write

Services and remote users: Applies when the endpoint is being used as a server.

  • Scan on write
  • Scan on both read/execute and write

Exclude path/filename: Excludes the specified paths or files from the scan. An excluded path is never inspected on access, so it should be reviewed as carefully as a firewall exception.

Optional drives: Scans locally attached storage media such as external hard drives and USB devices.

You create a real-time monitoring policy with the Real-time Monitoring Policy Wizard. The wizard provides detailed configuration options that enable you to specify a high level of protection for the endpoint without affecting its performance unduly. See Creating a Real-time Monitoring Policy for more information on policy settings and how to use this wizard.

Real-time Monitoring Resultant Policies

If two or more Real-time Monitoring Policies are assigned to, or inherited by, an endpoint or group, their settings are combined to create a resultant policy.

When combining policies to produce a resultant policy, the system chooses, for each setting, the value that gives the endpoint the most protection: the stronger detection action, the scan trigger that covers more file operations, and scanning of optional drives if any policy enables it. Excluded paths and filenames are combined, so a path excluded in any one of the policies is excluded in the resultant policy; when auditing an endpoint, check the exclusions of every policy that can reach it, not just the one assigned directly. The result is shown in the AntiVirus Real-time Monitoring Resultant Policy section of the Information tab (endpoints) or Information view (groups).

Example: two Real-time Monitoring Policies with different settings are assigned to an endpoint. For each setting the table lists the value in Policy 1, the value in Policy 2, and the value in the resultant policy.

When a virus is detected
  Policy 1: Attempt to clean then quarantine
  Policy 2: Attempt to clean then quarantine then delete
  Resultant: Attempt to clean then quarantine then delete

Local user
  Policy 1: Scan on both read/execute and write
  Policy 2: Scan on both read/execute and write
  Resultant: Scan on both read/execute and write

Services and remote users
  Policy 1: Scan on write
  Policy 2: Scan on write
  Resultant: Scan on write

Activation
  Policy 1: Enable - Start policy on Finish (only if assigned to a group/endpoint)
  Policy 2: Enable - Start policy on Finish (only if assigned to a group/endpoint)
  Resultant: Enable - Start policy on Finish (only if assigned to a group/endpoint)

Exclude path/filename
  Policy 1: c:\temp\
  Policy 2: (none)
  Resultant: c:\temp\

Optional drives
  Policy 1: Do not scan locally attached storage media such as external hard drives and USB devices.
  Policy 2: Scan locally attached storage media such as external hard drives and USB devices.
  Resultant: Scan locally attached storage media such as external hard drives and USB devices.

Assigned and Inherited Policies

Antivirus policies may be assigned to a group or an endpoint, or inherited from a group.

In Ivanti AntiVirus a group may contain endpoints or other groups. There is a parent-child relationship between a group and what it contains. When an antivirus policy is assigned to a group, it is inherited by that group's children, whether they are endpoints or other groups.

You can view an endpoint's antivirus policies on the Antivirus Policies tab of the Details page. Assigned policies can be selected and their Source property is set to Assigned. Inherited policies are grayed out (not selectable) and their Source property is set to Inherited.

Similarly, a group's antivirus policies are displayed on the Antivirus Policies view of the Groups page. Assigned policies can be selected and their Source property is set to Assigned. Inherited policies are grayed out (not selectable) and their Source property is set to Inherited.
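The following Python is an added example, not Ivanti code and not taken from this page. It models the two mechanisms described above together: policies inherited down the group hierarchy (reported as Assigned or Inherited, as on the Antivirus Policies tab), and the resultant Real-time Monitoring Policy built from everything that reaches an endpoint using the strongest-setting rule from the example table. Policies 1 and 2 reproduce that table; the group names, the third hypothetical policy assigned directly to the endpoint, the class and function names, the ranking of "Attempt to clean then delete" below "Attempt to clean then quarantine then delete", and the exclusion-matching check are all assumptions.

```python
"""Effective Real-time Monitoring settings for an endpoint (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Detection actions ranked weakest to strongest. The page's example only shows
# that "quarantine then delete" beats "quarantine"; placing "clean then delete"
# below it is an assumption.
ACTIONS = [
    "Perform no action",
    "Attempt to clean then quarantine",
    "Attempt to clean then delete",
    "Attempt to clean then quarantine then delete",
]
SCAN_ALL = "Scan on both read/execute and write"


@dataclass(frozen=True)
class RtmPolicy:
    name: str
    action: str
    local_user: str           # "Scan on read/execute" or SCAN_ALL
    services_remote: str      # "Scan on write" or SCAN_ALL
    exclusions: frozenset     # paths; a trailing backslash marks a folder
    scan_optional_drives: bool


@dataclass
class Node:
    """A group or an endpoint in the hierarchy (assumed data model)."""
    name: str
    parent: Optional["Node"] = None
    assigned: list = field(default_factory=list)


def effective_policies(node):
    """[(policy, source)]: 'Assigned' for the node's own policies,
    'Inherited' for those of every ancestor group."""
    out = [(p, "Assigned") for p in node.assigned]
    anc = node.parent
    while anc is not None:
        out.extend((p, "Inherited") for p in anc.assigned)
        anc = anc.parent
    return out


def resultant(policies):
    """Combine policies as the page's example table does: the setting that
    scans more or reacts harder wins; exclusions are the union."""
    if not policies:
        raise ValueError("no Real-time Monitoring Policy applies")
    return {
        "action": max((p.action for p in policies), key=ACTIONS.index),
        "local_user": SCAN_ALL if any(p.local_user == SCAN_ALL for p in policies)
        else "Scan on read/execute",
        "services_remote": SCAN_ALL if any(p.services_remote == SCAN_ALL for p in policies)
        else "Scan on write",
        "exclusions": frozenset().union(*(p.exclusions for p in policies)),
        "scan_optional_drives": any(p.scan_optional_drives for p in policies),
    }


def _norm(path):
    return path.replace("/", "\\").lower()


def is_excluded(path, exclusions):
    """Assumed matching rule: a folder exclusion (trailing backslash) covers
    everything beneath it, a file exclusion must match exactly; Windows paths
    compare case-insensitively."""
    p = _norm(path)
    for ex in map(_norm, exclusions):
        if ex.endswith("\\") and p.startswith(ex):
            return True
        if not ex.endswith("\\") and p == ex:
            return True
    return False


# Constructed hierarchy: All Endpoints > Workstations > WS-01.
ALL = Node("All Endpoints", assigned=[RtmPolicy(
    "Real-time Monitoring Policy 1", ACTIONS[1], SCAN_ALL, "Scan on write",
    frozenset({"c:\\temp\\"}), False)])
WORKSTATIONS = Node("Workstations", ALL, [RtmPolicy(
    "Real-time Monitoring Policy 2", ACTIONS[3], SCAN_ALL, "Scan on write",
    frozenset(), True)])
# Hypothetical weak policy assigned directly to the endpoint: it cannot loosen
# the result, but its exclusion does widen the unscanned area.
WS01 = Node("WS-01", WORKSTATIONS, [RtmPolicy(
    "Local lab policy (hypothetical)", ACTIONS[0], "Scan on read/execute",
    "Scan on write", frozenset({"c:\\lab\\build.exe"}), False)])


def ws01_report():
    pols = effective_policies(WS01)
    return {p.name: src for p, src in pols}, resultant([p for p, _ in pols])


if __name__ == "__main__":
    sources, eff = ws01_report()
    for name, src in sources.items():
        print(f"{src:9} {name}")
    for key, val in eff.items():
        print(f"{key}: {sorted(val) if isinstance(val, frozenset) else val}")
    print("c:\\Temp\\dropper.exe skipped:",
          is_excluded("c:\\Temp\\dropper.exe", eff["exclusions"]))
```

Running the script lists all three policies with their source and prints the resultant settings; the last line shows the practical consequence of the union rule, namely that a file dropped under c:\temp\ is skipped on WS-01 even though the exclusion was set two levels up in the hierarchy.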

Archive Types Supported for Scanning

Ivanti AntiVirus can scan the contents of the following archive and container types when the Scan Archives option is set during scan configuration. Without that option, files inside these containers are not inspected by the scan.

  • 7-ZIP
  • ACE
  • ALZ
  • ARJ
  • debug scripts
  • BZIP2
  • CAB
  • CHM files
  • cpio
  • Doc files
  • SIS
  • gzip
  • IMP
  • INNO installer
  • Instyler
  • ISO disk images
  • LHA
  • MSO
  • NSIS installer
  • objects
  • Windows/Mac OS X process scanner
  • Batch file compiler
  • RAR
  • Windows Registry
  • rpm
  • SFX installers
  • SWF flash
  • Tar
  • TeleDisk image
  • TNEF
  • Universal Image Format
  • UUDecoder
  • VISE installer
  • WISE installer
  • IE cookies extractor
  • InstallShield
  • ZIP
  • Z