About Antivirus Policies
Antivirus policies define a set of actions that are carried out automatically to protect the network and its endpoints from viruses and other malware.
In practice, antivirus policies provide the main form of protection to the network because they perform malware scanning automatically and consistently. A good set of antivirus policies can provide comprehensive protection to the network without significantly affecting its performance.
Ivanti AntiVirus provides two types of antivirus policy: the Recurring Virus and Malware Scan and the Real-time Monitoring Policy. You can create as many of each policy type as you want; when multiple Real-time Monitoring Policies are assigned to a group or endpoint, their settings are combined into a single resultant policy.
Ivanti Endpoint Security allows you to organize endpoints and groups in a hierarchical fashion, and antivirus policies can be assigned and inherited accordingly.
Antivirus Policy Types
Two types of complementary antivirus policies can be created to automatically inspect files for malware: Recurring Virus and Malware Scan and Real-time Monitoring Policy.
Real-time Monitoring Policy: Scans files for malware when read, executed or written by an endpoint (also known as on-access or background scanning).
Recurring Virus and Malware Scan: Scans all files on an endpoint for malware on a regular, scheduled basis (daily or weekly). Duration is typically long because of the large number of files targeted, but it can be noticeably reduced through various configuration options (for example, the careful exclusion of specific files and folders).
About Recurring Virus and Malware Scan Policies
A recurring virus and malware scan policy runs a scan on selected endpoints or groups at regularly scheduled times.
The frequency of a recurring scan can range from daily to weekly. When configuring a recurring scan, you should make it thorough enough to provide comprehensive protection to the network.
A recurring virus and malware scan policy is defined by the following settings:
| Setting | Description |
|---|---|
| Scheduling | Specifies the frequency of the scan: daily or weekly. |
| Virus detection actions | Specifies the action taken when malware is detected (for example, attempt to clean, then quarantine, then delete). |
| Scan boot sectors | Scans boot sectors in addition to program and data files. |
| Scan archives | Scans archive files such as .zip and .cab files. Infected .rar files can be quarantined and deleted, but can't be cleaned. |
| Scan memory | Scans memory in addition to local storage (hard drive). |
| Logging level | Determines the level of detail that is recorded in log files. Detailed includes a results summary plus the name, time and status of each scanned file, while Normal includes only a results summary. |
| Exclude path/filename | Excludes specified paths or files from the scan. |
| Optional drives | Scans locally attached storage media such as external hard drives and USB devices. |
You create a recurring scan policy with the Recurring Virus and Malware Scan Policy Wizard. The wizard provides detailed configuration options that enable you to specify a high level of protection, without impacting network performance. See Creating a Recurring Virus and Malware Scan Policy for more information on policy settings and how to use this wizard.
About Real-time Monitoring Policies
Real-time monitoring is an ongoing scanning process that monitors file activities on an endpoint. With a real-time monitoring policy you can set the scanning options, determine excluded files or paths, and assign it to endpoints and groups.
A real-time monitoring policy is defined by the following settings:
| Setting | Description |
|---|---|
| Virus detection actions | Specifies the action taken when malware is detected (for example, attempt to clean, then quarantine, then delete). |
| Local user | Applies when the endpoint is being used as a workstation. |
| Services and remote users | Applies when the endpoint is being used as a server. |
| Exclude path/filename | Excludes specified paths or files from the scan. |
| Optional drives | Scans locally attached storage media such as external hard drives and USB devices. |
You create a real-time monitoring policy with the Real-time Monitoring Policy Wizard. The wizard provides detailed configuration options that enable you to specify a high level of protection for the endpoint without affecting its performance unduly. See Creating a Real-time Monitoring Policy for more information on policy settings and how to use this wizard.
Real-time Monitoring Resultant Policies
If two or more Real-time Monitoring Policies are assigned to an endpoint or group, their settings are combined to create a resultant policy.
When combining policies to produce a resultant policy, the system will choose settings that optimize the endpoint's security. Results are described in the AntiVirus Real-time Monitoring Resultant Policy section of the Information tab (endpoints) or Information view (groups).
Example:
Two Real-time Monitoring Policies with different settings are assigned to an endpoint:
| Settings | Real-time Monitoring Policy 1 | Real-time Monitoring Policy 2 | Resultant Policy |
|---|---|---|---|
| When a virus is detected | Attempt to clean then quarantine | Attempt to clean then quarantine then delete | Attempt to clean then quarantine then delete |
| Local user | Scan on both read/execute and write | Scan on both read/execute and write | Scan on both read/execute and write |
| Services and remote users | Scan on write | Scan on write | Scan on write |
| Activation | Enable - Start policy on Finish (only if assigned to a group/endpoint) | Enable - Start policy on Finish (only if assigned to a group/endpoint) | Enable - Start policy on Finish (only if assigned to a group/endpoint) |
| Exclude path/filename | c:\temp\ | (none) | c:\temp\ |
| Optional drives | Do not scan locally attached storage media such as external hard drives and USB devices. | Scan locally attached storage media such as external hard drives and USB devices. | Scan locally attached storage media such as external hard drives and USB devices. |
Assigned and Inherited Policies
Antivirus policies may be assigned to a group or an endpoint, or inherited from a group.
In Ivanti AntiVirus a group may contain endpoints or other groups. There is a parent-child relationship between a group and what it contains. When an antivirus policy is assigned to a group, it is inherited by that group's children, whether they are endpoints or other groups.
You can view an endpoint's antivirus policies on the Antivirus Policies tab of the Details page. Assigned policies can be selected and their Source property is set to Assigned. Inherited policies are grayed-out (not selectable) and their Source property is set to Inherited.
Similarly, a group's antivirus policies are displayed on the Antivirus Policies view of the Groups page. Assigned policies can be selected and their Source property is set to Assigned. Inherited policies are grayed-out (not selectable) and their Source property is set to Inherited.
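The two sections above, Real-time Monitoring Resultant Policies and Assigned and Inherited Policies, together describe one resolution process: collect the policies an endpoint has assigned plus those inherited from its ancestor groups, then combine them setting by setting in favour of the more protective value. The following Python is an added illustration of that process; it is not Ivanti's code and does not model the product's internals. The class and function names, the ordering of detection actions from least to most aggressive, and the sample hierarchy (a group "Workstations" containing endpoint "WS-001") are assumptions made for the example. It generalizes the page's two-policy table to any number of policies and to sets of scan triggers.

```python
# Added illustration, not Ivanti's code: models how Real-time Monitoring
# Policies assigned to an endpoint or inherited from its parent groups are
# combined into a resultant policy that favours the more protective setting.
# Names, the detection-action ranking and the sample hierarchy are assumptions.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# "When a virus is detected" options, ordered least to most aggressive
# (assumed ordering: each later entry does everything the earlier ones do).
DETECTION_ACTIONS = [
    "Attempt to clean",
    "Attempt to clean then quarantine",
    "Attempt to clean then quarantine then delete",
]


@dataclass(frozen=True)
class RealtimePolicy:
    name: str
    detection_action: str
    local_user_scan: FrozenSet[str]   # subset of {"read/execute", "write"}
    services_scan: FrozenSet[str]     # same, for services and remote users
    exclusions: FrozenSet[str]        # excluded paths/filenames
    scan_optional_drives: bool        # scan external drives and USB devices


def resultant_policy(policies: List[RealtimePolicy]) -> RealtimePolicy:
    """Combine policies as the page describes: each setting resolves to the
    value that keeps the endpoint best protected."""
    if not policies:
        raise ValueError("at least one policy is required")

    def union(attr: str) -> FrozenSet[str]:
        return frozenset().union(*(getattr(p, attr) for p in policies))

    return RealtimePolicy(
        name="Resultant",
        # the most aggressive detection action wins
        detection_action=max((p.detection_action for p in policies),
                             key=DETECTION_ACTIONS.index),
        # scan triggers accumulate: scan on write if any policy does, and so on
        local_user_scan=union("local_user_scan"),
        services_scan=union("services_scan"),
        # the page's example keeps c:\temp\ when the other policy has no
        # exclusion, i.e. exclusions accumulate too (see the note below)
        exclusions=union("exclusions"),
        # optional drives are scanned if any policy scans them
        scan_optional_drives=any(p.scan_optional_drives for p in policies),
    )


@dataclass
class Node:
    """A group or endpoint in the hierarchy; a group's children point to it."""
    name: str
    assigned: List[RealtimePolicy] = field(default_factory=list)
    parent: Optional["Node"] = None


def effective_policies(node: Node) -> List[Tuple[RealtimePolicy, str]]:
    """Policies applying to a node with their Source: Assigned for the node's
    own policies, Inherited for those assigned to any ancestor group."""
    applicable = [(p, "Assigned") for p in node.assigned]
    ancestor = node.parent
    while ancestor is not None:
        applicable.extend((p, "Inherited") for p in ancestor.assigned)
        ancestor = ancestor.parent
    return applicable


# Constructed sample reproducing the page's two-policy example, placed in a
# small hierarchy: policy 1 on the parent group, policy 2 on the endpoint.
POLICY_1 = RealtimePolicy(
    name="Real-time Monitoring Policy 1",
    detection_action="Attempt to clean then quarantine",
    local_user_scan=frozenset({"read/execute", "write"}),
    services_scan=frozenset({"write"}),
    exclusions=frozenset({"c:\\temp\\"}),
    scan_optional_drives=False,
)
POLICY_2 = RealtimePolicy(
    name="Real-time Monitoring Policy 2",
    detection_action="Attempt to clean then quarantine then delete",
    local_user_scan=frozenset({"read/execute", "write"}),
    services_scan=frozenset({"write"}),
    exclusions=frozenset(),
    scan_optional_drives=True,
)


def build_sample() -> Node:
    workstations = Node("Workstations", assigned=[POLICY_1])
    return Node("WS-001", assigned=[POLICY_2], parent=workstations)


def endpoint_resultant(endpoint: Node) -> RealtimePolicy:
    return resultant_policy([p for p, _ in effective_policies(endpoint)])


if __name__ == "__main__":
    ep = build_sample()
    for policy, source in effective_policies(ep):
        print(f"{policy.name}: {source}")
    print(endpoint_resultant(ep))
```

Because exclusions accumulate in the page's example rather than being dropped, a broad exclusion assigned high in the group tree removes those paths from real-time scanning on every descendant endpoint. When auditing an endpoint's coverage, check the inherited (grayed-out) policies on its Antivirus Policies tab as well as the assigned ones.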
Archive Types Supported for Scanning
Ivanti AntiVirus can scan the contents of many archive types when the Scan Archives option is set during scan configuration.
- 7-ZIP
- ACE
- ALZ
- ARJ
- debug scripts
- BZIP2
- CAB
- CHM files
- cpio
- Doc files
- SIS
- gzip
- IMP
- INNO installer
- Instyler
- ISO disk images
- LHA
- MSO
- NSIS installer
- objects
- Windows/MAC OS X process scanner
- Batch file compiler
- RAR
- Windows Registry
- rpm
- SFX installers
- SWF flash
- Tar
- TeleDisk image
- TNEF
- Universal Image Format
- UUDecoder
- VISE installer
- WISE installer
- IE cookies extractor
- InstallShield
- ZIP
- Z