Creating Antivirus Policies

Ivanti AntiVirus provides two wizards for creating antivirus policies, the Recurring Virus and Malware Scan Wizard and the Real-time Monitoring Policy Wizard.

You can launch either of these wizards using the Create control on the following pages:

  • The Antivirus Policies page.
  • The Antivirus Policies tab of an endpoint's Details page.
  • The Antivirus Policies view of a group's page.

The process of using each wizard follows a general pattern:

  1. Name the policy
  2. Configure basic scanning options
  3. Configure additional scanning options
  4. Configure exclusions or inclusions
  5. Assign to endpoints or groups

Only the first two steps are required to create a basic antivirus policy. After it has been created you can edit the policy to configure additional options and exclusions/inclusions, and assign it to endpoints or groups.

Creating a Recurring Virus and Malware Scan Policy

The Recurring Virus and Malware Scan Policy Wizard enables you to schedule a recurring scan, set scanning options, and build a list of target endpoints.

A recurring scan runs on a regular, scheduled basis. It typically scans all the files on an endpoint (apart from those that are specifically excluded from the scan). A recurring scan can take an appreciable amount of time to run if there are a large number of files to be scanned.

  1. Select Manage > Antivirus Policies.
    The Antivirus Policies page opens.
  2. From the Manage > AntiVirus Policies toolbar, select Create > Recurring Virus and Malware Scan.
    The Recurring Virus and Malware Scan Policy Wizard opens at the Name and Schedule Policy page.
  3. Type a new name in the Recurring virus and malware scan name field. Make the name descriptive, conveying the role of this recurring policy.
  4. The name must be unique, otherwise a warning will be displayed.

  5. Select and configure a Scheduling option:
  6. Important: If an endpoint's internal clock changes (for example, due to Daylight Savings Time or time-zone differences while traveling) a recurring scan scheduled to take place during the time skipped will not occur.
    Ensure you or the endpoint user run a Scan Now immediately after a time change to maintain continuous protection.

    Method

    Steps

    Daily

    1. Select the Daily option.
    2. Type the start date in the Start date field. You can also select the start date by clicking the Calender icon.
    3. Type the start time in the Start time field using a hh:mm format followed by AM or PM. This field supports both 12- and 24-hour time. Alternatively, you can select the start time by clicking the Clock icon.
    4. Type a value in the Run every x days field.

    Weekly

    1. Select the Weekly option.
    2. Type the start date in the Start date field. You can also select the start date by clicking the Calender icon.
    3. Type the start time in the Start time field using a hh:mm format followed by AM or PM. This field supports both 12- and 24-hour time. Alternatively, you can select the start time by clicking the Clock icon.
    4. Type a value in the Run every x weeks on: field.
    5. Leave the value at 1 if you want the scan to run at least once a week.

    6. Select one or more of the daily check boxes to run the scan on those days.

  7. Select an Activation option.
  8. Setting

    Result

    Enable - Start policy on Finish (only if assigned to a group/endpoint)

    The policy is created and activated when you click Finish and the wizard closes.

    The policy must be assigned to at least one endpoint or group.

    Disable

    The policy is created but not activated when you click Finish and the wizard closes. You may activate it at a later time.

  9. Click Next to set the scanning options.
    The Scan Options page opens.
  10. If you click Finish at this point, a basic policy is created, but is not assigned to any endpoints. You can configure the policy further and assign it to endpoints later.

  11. From the drop-down list, select the action that occurs when a virus is detected.
  12. Setting

    Result

    Perform no action

    Does nothing with the infected file, but sends an alert to the server.

    Attempt to clean then quarantine
    [default setting]

    Attempts to clean the infected file. If this is not possible, the file is quarantined. An alert is sent to the server.

    Attempt to clean then delete

    Attempts to clean the infected file. If this is not possible, the file is deleted. An alert is sent to the server.

    Attempt to clean then quarantine then delete

    Attempts to clean the infected file. If this is not possible, the file is quarantined. If it is not possible to quarantine it, it is deleted. An alert is sent to the server.

    Note:

    • To clean an infected file means to completely remove the malicious code so that the file is safe to use. It is not always possible to remove the malicious code, however. When this happens, you can either delete the file or quarantine it. To quarantine means to move it to a safe place on the endpoint where it can be kept for further examination.
      In certain cases (such as when the malware is a Trojan) the entire file is malicious. Such a file cannot be cleaned, so the only options are to quarantine or delete it.
    • Virus detection actions are not used for memory scans.
  13. From the drop-down list, select the action to be taken when a potentially unwanted application (PUA) is detected:
  14. Setting

    Result

    Perform no action
    [default setting]

    The system ignores the potentially unwanted application.

    Send alert only

    An alert is sent to the server only.

    Alert and action (treat as malware)

    An alert is sent to the server and the file is cleaned, quarantined, or deleted, according to the action you selected in the When a virus is detected drop down.

  15. Set the Scanning options:
  16. Setting

    Result

    Scan boot sectors

    The virus scan will be more thorough if you scan boot sectors in addition to program and data files.

    If malware is detected in a boot sector, the action taken depends on the virus detection option selected:

    • Perform no action - the boot sector is left as it is and an alert is sent to the Virus and Malware Event Alerts page.
    • Clean/Delete/Quarantine - the boot sector is automatically repaired.

    Scan archives

    The virus scan will be more thorough if you scan archive files such as .zip and .cab files.

    • Scanning archives will result in longer scan durations.
    • Infected .rar files can be quarantined and deleted, but can't be cleaned.

    See Archive Types Supported for Scanning.

    Scan memory

    Viruses and other malware can reside in memory as well as on the disk(s). The virus scan will be more thorough if you scan memory for such viruses and malware.

    Virus detection actions and exclusions are not applied to memory scans.

    Rootkit detection

    A rootkit, similar to a hack tool, enables attackers to gain administrator access to a system. They hide the attacker's presence and give them full control of a server or client endpoint without being noticed.

  17. Set the CPU utilization % threshold to control the level of impact the scan is to have on endpoint performance:
  18. Setting

    Result

    High

    Quicker scanning but may noticeably impact endpoint performance.

    Medium

    Balances scan speed with endpoint performance impact (default option).

    Low

    Slower scanning but has the lowest impact on endpoint performance.

  19. Set the logging options:
  20. As logging information is kept on the endpoint, the option you choose will not affect the loggings sent to the server.

    Setting

    Result

    Do not log scanning results

    No scan log is generated.

    Normal logging level (includes results summary)

    A standard scan log is generated.

    Detailed logging level (includes results summary, name, time and status for each scanned file)

    A detailed scan log is generated.

    Caution: Logging detailed virus scan results typically generates large amounts of data, especially when recurring scans run frequently.

  21. Click Next.
  22. If you click Finish at this point, the policy will be created, but not assigned to any endpoints. You can assign it to endpoints at a later time.

    The Exclude Files and Folders page opens.

    This page enables you to exclude specified files and paths from the scan. You may want to do this because:

    • You have some applications whose manufacturers recommend be excluded from virus scans.
    • You have folders containing large amounts of data that you consider relatively safe, such as graphics files. Excluding them from the scan saves time.
    • You have files that cause known "false positives" during a scan.
    • Caution: Excluding files or paths from the scan always involves some degree of risk.

  23. Exclude files and folders, using one of the following methods:
  24. Masks and system variables can be used in exclusions. See Exclusion Rules.

    More information on excluding files and folders from Ivanti AntiVirus malware scans, including recommended exclusions, can be found in the Ivanti Community Article Excluding files, folders and processes from scans.

    Method

    Steps

    Manually exclude specific files and folders from the scan.

    1. Click Add.
      A blank entry is added to the exclusions list.
    2. Select an exclusion type from the Type field.
      The types are File and Folder.
    3. Enter the path to the item you want to exclude in the Path field.
    4. Click to add the exclusion to the list.
      Repeat this procedure for all files and folders you want to exclude from the scan.
    5. Click Remove () to remove items from the exclusion list.

    Import an XML file containing a formatted list of file and folder exclusions.

    See Importing File, Folder and Process Exclusions.

  25. Configure the Optional drives settings:
  26. Setting

    Result

    Scan locally-attached media

    All storage media (including external hard drives, USB devices, and DVD/CD media) are included in the scan.

  27. Click Next.
  28. If you click Finish at this point, the policy will be created, but not assigned to any endpoints. You can assign it to endpoints at a later time.

    The Assign virus and malware scan policy to groups and/or endpoints page opens.

  29. Build a list of targets (endpoints), using either or both of the following methods:

    Important: Recurring scans will not run on an endpoint that is shutdown or hibernating at the scheduled scan time.

    Method

    Steps

    To define targets using groups:

    1. If the Groups section is not open, click its up arrow to open it.
    2. Select one or more endpoint groups by selecting their check boxes.
    3. Click Add.
      This adds the group(s) to the Assigned list.

    To define targets using endpoints:

    1. If the Endpoints section is not open, click its up arrow to open it.
    2. In the search field, do one of the following:
      • Type an endpoint name (to search for a specific endpoint)
      • Type part of an endpoint name (to search for similarly named endpoints)
      • Leave it blank (to search for all available endpoints)
    3. Click the Search icon.
      Depending on what you typed, one or more endpoints will appear in the Name column, with their respective IP addresses.
    4. Select the check box for each endpoint you want to assign.
    5. Click Add.
      This adds the endpoint(s) to the Assigned list.

    You can remove targets from the Assigned list by selecting the applicable check boxes and clicking Remove.

  30. Click Finish.
    The Virus and Malware Scan Policy Wizard closes. The newly created policy is displayed in the Antivirus Policies page.

You have created a recurring Recurring Virus and Malware Scan Policy.

Creating a Real-time Monitoring Policy

The Real-time Monitoring Policy Wizard enables you to set real-time scanning options, include or exclude files or paths, and build a list of target endpoints.

A Real-time scan runs when an endpoint accesses a file to perform an action, such as a read or write. This scan type runs continuously in the background to catch malware before it can infect systems.

  1. Select Manage > Antivirus Policies.
    The Antivirus Policies page opens.
  2. Click Create > Real-time Monitoring Policy.
    The Real-time Monitoring Policy Wizard opens.
  3. Type a new name in the Real-time monitoring policy name field. Make the name descriptive, conveying the role of this real-time monitoring policy.
  4. The name must be unique. If it is not, a warning will be displayed.

  5. From the drop-down list, select the action that occurs when a virus is detected.
  6. Setting

    Result

    Perform no action

    Does nothing with the infected file, but sends an alert to the server.

    Attempt to clean then quarantine[default setting]

    Attempts to clean the infected file. If this is not possible, the file is quarantined. An alert is sent to the server.

    Attempt to clean then delete

    Attempts to clean the infected file. If this is not possible, the file is deleted. An alert is sent to the server.

    Attempt to clean then quarantine then delete

    Attempts to clean the infected file. If this is not possible, the file is quarantined. If it is not possible to quarantine it, it is deleted. An alert is sent to the server.

    Note:

    • To clean an infected file means to completely remove the malicious code so that the file is safe to use. It is not always possible to remove the malicious code, however. When this happens, you can either delete the file or quarantine it. To quarantine means to move it to a safe place on the endpoint where it can be kept for further examination.

      In certain cases (such as when the malware is a Trojan) the entire file is malicious. Such a file cannot be cleaned, so the only options are to quarantine or delete it.
    • Virus detection actions are not used for memory scans.
  7. From the drop-down list, select the action to be taken when a potentially unwanted application (PUA) is detected:
  8. Setting

    Result

    Perform no action
    [default setting]

    The system ignores the potentially unwanted application.

    Send alert only

    An alert is sent to the server only.

    Alert and action (treat as malware)

    An alert is sent to the server and the file is cleaned, quarantined, or deleted, according to the action you selected in the When a virus is detected drop down.

  9. [Optional] Select the Scan archives check box to scan compressed files like: .zip, .rar, and .cab
  10. Note:

    • Scanning the contents of archive files will impact endpoint performance.
    • Infected .rar files can be quarantined or deleted, but can't be cleaned.

    See Archive Types Supported for Scanning.

  11. Configure the Local users setting. This applies when the endpoint is being used as a workstation, with a logged-on user.
  12. Setting

    Result

    Scan on read/execute

    Scans files before they are used.

    Scan on both read/execute and write

    Scans files that are opened for write. New or changed files are scanned on close.

    With Scan on read/execute selected, it is possible that an infected file can be downloaded from the Internet and saved to disk. With Scan on both read/execute and write selected, the scanner will detect and (if possible) remove the malware before writing the file to disk.

  13. Configure the Services and remote users setting. This applies when the endpoint is being used as a server. If someone physically logs on to the server, the Local users setting applies.
  14. Setting

    Result

    Scan on write

    Scans files that are saved to disk.

    Scan on both read/execute and write

    Scans files that are being read or executed, as well as those being saved to disk.

    This is not the default option, as it increases scanning time. But if the server becomes infected, this is the option to select.

  15. Select an Activation option.
  16. Setting

    Result

    Enable - Start policy on Finish (only if assigned to a group/endpoint)

    The policy is created and activated when you click Finish and the wizard closes.

    The policy must be assigned to at least one endpoint or group.

    Disable

    The policy is created but not activated when you click Finish and the wizard closes. You may activate it at a later time.

  17. Click Next.
  18. If you click Finish at this point, a basic policy is created, but is not assigned to any endpoints. You can configure the policy further and assign it to endpoints later.

    The Exclude Files, Folders and Processes page opens.

    This page enables you to exclude specified files and paths from the scan. You may want to do this because:

    • You have some applications whose manufacturers recommend be excluded from virus scans.
    • You have folders containing large amounts of data that you consider relatively safe, such as graphics files. Excluding them from the scan saves time.
    • You have files that cause known "false positives" during a scan.

    Caution: Excluding files or paths from the scan always involves some degree of risk.

  19. Exclude files, folders or processes, using one of the following methods:
  20. Masks and system variables can be used in exclusions. See Exclusion Rules.

    More information on excluding files and folders from Ivanti AntiVirus malware scans, including recommended exclusions, can be found in the Ivanti Community Article Excluding files, folders and processes from scans.

    Method

    Steps

    Manually exclude specific files, folders and processes.

    1. Click Add.
      A blank entry is added to the exclusions list.
    2. Select an exclusion type from the Type field. File, Folder, or Process.
    3. Enter the path to the item you want to exclude in the Path field.
    4. Click to add the exclusion to the list.
      Repeat this procedure for all files, folders and processes you want to exclude from the scan.

    Click Remove () to remove items from the exclusion list.

    Import an XML file containing a formatted list of file, folder and process exclusions.

    See Importing File, Folder and Process Exclusions.

  21. Configure the Optional drives settings:
  22. Setting

    Result

    Scan locally-attached media

    All storage media (including external hard drives, USB devices, and DVD/CD media) are included in the scan.

  23. Click Next.
  24. If you click Finish at this point, the policy will be created, but not assigned to any endpoints. You can assign it to endpoints at a later time.

    The Assign real-time monitoring policy to groups and/or endpoints page opens.

  25. Build a list of targets (endpoints), using either or both of the following methods:
  26. Important: Recurring scans will not run on an endpoint that is shutdown or hibernating at the scheduled scan time.

    Method

    Steps

    To define targets using groups:

    1. If the Groups section is not open, click its up arrow to open it.
    2. Select one or more endpoint groups by selecting their check boxes.
    3. Click Add.
      This adds the group(s) to the Assigned list.

    To define targets using endpoints:

    1. If the Endpoints section is not open, click its up arrow to open it.
    2. In the search field, do one of the following:
      • Type an endpoint name (to search for a specific endpoint)
      • Type part of an endpoint name (to search for similarly named endpoints)
      • Leave it blank (to search for all available endpoints)
    3. Click the Search icon.
      Depending on what you typed, one or more endpoints will appear in the Namecolumn, with their respective IP addresses.
    4. Select the check box for each endpoint you want to assign.
    5. Click Add.
      This adds the endpoint(s) to the Assigned list.

    You can remove targets from the Assigned list by selecting the applicable check boxes and clicking Remove.

  27. Click Finish.
    The Real-time Monitoring Policy Wizard closes. The newly created policy is displayed in the Antivirus Policies page.

Importing File, Folder and Process Exclusions

You can facilitate the exclusion of a large number of files, folders, and processes (Real-time Monitoring Policy only) from an antivirus scan through the import of a formatted XML file.

Prerequisites:

  • You must be in the process of configuring a Real-time Monitoring Policy, Recurring Virus and Malware Scan Policy or Scan Now.
  • You must have created an import XML file. See <install_dir>/AntiVirus/Controls/Components/ExcludeFileImport/NonDomainExcludes.xml for an example.

Scan performance can be improved and false positives prevented by skipping certain files and paths during scans. The Exclude Files and Paths page on the policy and Scan Now wizards enables you to exclude specific files and paths, according to the Exclusion Rules.

More information on excluding files and folders from Ivanti AntiVirus malware scans, including recommended exclusions, can be found in the Ivanti Community Article Excluding files, folders and processes from scans.

As an alternative to manually entering exclusions, you can import an XML file containing a list in a specific format:

<?xml version="1.0"?>

<excludes>

<exclude path=""/>

<pexclude path=""/>

</excludes>

Where:

<exclude path=""/> - file and folder exclusion paths.

<pexclude path=""/> - process exclusion paths (Real-time Monitoring Policies only)

Scan durations can be reduced by avoiding exclusions for software not installed on endpoints.

Keep the exclusion file up to date, especially if you install new software in your environment.

Caution: Do not exclude files or folders unless their contents are known to be threat-free.

Exclusions are not applied to memory scans (when the Scan Memory option is selected during scan configuration).

  1. From the Exclude Files or Paths wizard page, click the Import button.
    The Import Exclusion list from File dialog opens.
  2. Click Browse, select the file, and click OK.
    The XML file imports and you will be made aware of any file and path duplicates detected.

You have added a list of exclusions to an antivirus policy or Scan Now configuration.

After Completing This Task:

Continue configuring a Real-time Monitoring Policy, Recurring Virus and Malware Scan Policy or Scan Now.

Exclusion Rules

Use wildcards (masks) and system variables to precisely choose files and paths to exclude from antivirus policies and a Scan Now.

Caution: Do not exclude files or folders unless their contents are known to be threat-free.

Important: Wildcard character * is not accepted in filenames (test00*.log) but can be used for:

  • Drives (*\temp )
  • Paths (c:\temp\*\) but only once in a single exclusion
  • Drive and path wildcards can also be used together in a single exclusion (*\temp\*\test\). DOS 8.3 short names (ALONGF~1.TXT) are not accepted.

Exclusions are not applied to memory scans (when the Scan Memory option is selected during scan configuration).

Files without paths

Rule Resulting Exclusion

*.exe

All files with extension EXE.

file.*

All files named file with any extension.

file

All files named file with no extension.

file.exe

All text.exe files.

Absolute file paths

Folder paths must end with a path separator (\).

Rule Resulting Exclusion

c:\temp\

All files in the c:\temp folder recursively.

*\temp\

All files in the temp folder on all drives recursively.

c:\temp\*.* or c:\temp\*

All files in the c:\temp folder but not recursively.

c:\temp

The file named temp with no extension on c:\.

c:\temp\test

The file named test in the c:\temp folder.

c:\temp\*.exe

All files with the extension EXE in the c:\temp folder.

c:\temp\test.doc

The test.doc file in the c:\temp folder.

Environment variable directories

Rule Resulting Exclusion

%WINDIR%\ or %WINDIR%/ or %WINDIR%

All files in the Windows folder recursively.

%WINDIR%\*

All files in the Windows folder but not recursively.

%WINDIR%\*\temp\

All files in a subfolder named temp recursively within any folder in the Windows folder.

System account environment variables with multiple values are not supported. For example:
path%

Wildcard Usage

Exclusions can contain the “*” single asterisk wildcard (mask) character in specific combinations, with a maximum of two per exclusion.

Caution: Improper wildcard usage can exclude incorrect files and directories.

Full directory

Restriction:

  • Cannot be used with a file exclusion (c:\directory1\*\file.exe is invalid)
  • Cannot be used in an exclusion that uses a filename wildcard (*\directory1\*.exe and c:\directory1\*\*.exe are invalid)
  • Use of multiple directory wildcards in a single exclusion is not permitted (c:\*\*\directory3\ is invalid)
  • For exclusions without a specific file or filename with wildcard, a trailing backslash must be present or the exclusion will be treated as a file exclusion.

Valid

Invalid

c:\*\directory1\directory2\

c:\directory1\directory*\

c:\directory1\*\directory3\

c:\directory1\*\directory3\*\directory5\

%system_variable%\*\directory1\

c:\*\*\directory3\

Full filename and extension

Restriction: Cannot be used in conjunction with full directory wildcards (c:\directory1\*\*.exe is invalid).

Valid

Invalid

*.exe

*file.exe

abc.*

file*.exe

c:\directory1\*.exe

c:\directory1\*file.exe

c:\directory1\file.*

c:\directory1\file*.exe

%system_variable%\directory1\*.exe

c:\*\file.exe

 

%system_variable%\directory1\*\*.exe

Drives and System Variables

Restriction: Cannot be used with a file exclusion (*\directory1\file.exe is invalid)

Valid

Invalid

*\directory1\directory2\

*\directory1\*.exe

*\*\directory2\

*\directory1\file.*

*\%system_variable%\directory1\*\

*\directory1\file.exe