The Virus and Malware Scan Wizard

A convenient wizard guides you through the process of configuring an antivirus scan.

You can access this wizard from the Discover menu or the Virus and Malware Event Alerts page. Using this wizard, you can:

  • Schedule the scan
  • Select the targets (endpoints or groups)
  • Set the scan options
  • Set exclusions from the scan

The request is then treated as an antivirus task. If the scan detects any malware, the results are displayed in the Virus and Malware Event Alerts page.

You can also access the Virus and Malware Scan Wizard after you have selected target endpoints or groups on the respective Endpoints or Groups pages. In this case, the wizard provides similar functionality except that it does not provide a Targets page because target selection has already been made.

Using the Virus and Malware Scan Wizard

When invoked from the Discover menu or the Virus and Malware Event Alerts page, the Virus and Malware Scan Wizard enables you to schedule an antivirus scan, build a list of targets, and set scan and exclusion options.

Prerequisites:

Ensure you have the latest version of the AntiVirus Engine and the Definition file. Use a Scan Now - Virus and Malware Scan in the following situations:

  • Unusual behavior is observed on endpoints.
  • A virus outbreak is under way in the network.
  • A long time has passed since the last scheduled Virus and Malware scan.

To use the Virus and Malware Scan Wizard:

  1. Select Discover > Scan Now – Virus and Malware Scan. If you are on the Virus and Malware Event Alerts page, click Scan Now.
    The Virus and Malware Scan Wizard opens to the Scan Name and Scheduling page.
  2. [Optional] Type a new name in the Scan Name field.
    By default, a new virus scan is named New Virus and Malware Scan, followed by the server's date and time formatted according to your browser's locale setting.
  3. Schedule the scan using one of the following methods:

    To run the scan immediately:

    Select the Run scan immediately option.

    To run the scan later:

    1. Select the Run scan at option.
    2. Type the start date in the Start date field, or select it by clicking the Calendar icon.
    3. Type the start time in the Start time field as hh:mm followed by AM or PM; the field also accepts 24-hour time. Alternatively, select the start time by clicking the Clock icon.

    A deferred scan lets you run the scan at a time when it will not adversely affect network or endpoint performance.

  4. Click Next.
    The Targets page opens.
  5. Build a list of targets (endpoints) for the virus scan, using either or both of the following methods:

    To define targets using individual endpoints:

    1. From the Target type list, select Endpoints.
    2. In the search field, type an endpoint name as endpointname or domain\endpointname, or type an IP address. A partial name or IP address finds every endpoint that matches it, so you can search for a range of endpoints at once.
    3. Click the Search icon. The matching endpoints are displayed in the area under the search field.
    4. Select the check box for each endpoint you want to scan.
    5. Click Add to Target List.

    To define targets using endpoint groups:

    1. From the Target type list, select Endpoint Groups.
    2. In the tree control, select one or more endpoint groups.
    3. Click Add to Target List.

      To exclude an endpoint or subgroup from a group that is to be scanned, select the endpoint or subgroup in the tree control and click Exclude from Target List.

    You must add at least one endpoint or group before Next becomes available. To remove something you have added to the target list, select its check box and click Remove.

    One or more endpoints are now assigned to the scan.

  6. Click Next.
    The Scan Options page opens.
  7. Select the scan policy option:

    Use the endpoint's virus and malware scan policy
      The scanning, performance, and logging options of the endpoint's own policy are used. You can click Finish to start the scan.

    Override the endpoint virus and malware scan policy with the following:
      Enables the Scanning, CPU utilization %, and Logging level controls.

    Important: Make sure you understand the scan options before overriding the endpoint's policy settings.

  8. From the drop-down list, select the action to take when a virus is detected:

    Perform no action
      Leaves the infected file as it is, but sends an alert to the server.

    Attempt to clean then quarantine [default setting]
      Attempts to clean the infected file. If that is not possible, the file is quarantined. An alert is sent to the server.

    Attempt to clean then delete
      Attempts to clean the infected file. If that is not possible, the file is deleted. An alert is sent to the server.

    Attempt to clean then quarantine then delete
      Attempts to clean the infected file. If that is not possible, the file is quarantined. If it cannot be quarantined either, it is deleted. An alert is sent to the server.

    Note:

    • To clean an infected file means to remove the malicious code completely so that the file is safe to use. This is not always possible; when it is not, the file can be quarantined or deleted. To quarantine a file means to move it to an isolated location on the endpoint where it is kept for further examination.

      In some cases (for example, when the malware is a Trojan) the entire file is malicious. Such a file cannot be cleaned, so the only options are to quarantine or delete it.
    • Virus detection actions are not applied to memory scans.

  9. Set the Scanning options:

    Scan boot sectors
      Scanning boot sectors in addition to program and data files makes the scan more thorough.

      Note: If malware is detected in a boot sector, the action taken depends on the virus detection option selected:

      • Perform no action: the boot sector is left as it is and an alert is sent to the Virus and Malware Event Alerts page.
      • Clean/Delete/Quarantine: the boot sector is repaired automatically.

    Scan archives
      Scanning archive files such as .zip and .cab files makes the scan more thorough.

      Infected .rar files can be quarantined and deleted, but cannot be cleaned.

      See Archive Types Supported for Scanning.

    Scan memory
      Scanning memory in addition to the disk(s) makes the scan more thorough.

      Note:

      • If the scan detects a virus or malware in memory, it reports the event. It does not clean, delete, or quarantine the virus or malware.
      • Exclusions are not applied to memory scans.

    Rootkit detection
      Enables detection of rootkits. A rootkit, like a hack tool, enables attackers to gain administrator access to a system; it hides the attacker's presence and gives them full control of a server or client endpoint without being noticed.

  10. Set the CPU utilization % threshold to control how much the scan affects endpoint performance:

    High
      Faster scanning, but may noticeably affect endpoint performance.

    Medium
      Balances scan speed against endpoint performance impact (default option).

    Low
      Slower scanning, but has the lowest impact on endpoint performance.

  11. Set the logging options:

    Logging information is kept on the endpoint, so the level you choose does not affect the events sent to the server.

    Do not log scanning results
      No scan log is generated.

    Normal logging level (includes results summary)
      A standard scan log is generated.

    Detailed logging level (includes results summary, name, time and status for each scanned file)
      A detailed scan log is generated.

    Caution: Logging detailed virus scan results typically generates large amounts of data, especially when recurring scans run frequently.

  12. Click Next to exclude files and folders.
    The Exclude Files and Folders page opens. This page lets you exclude specified files and folders from the scan. You may want to do this because:

    • Some application vendors recommend that their products be excluded from virus scans.
    • Some folders contain large amounts of data you consider relatively safe, such as graphics files, and excluding them saves scan time.
    • Some files cause known false positives during a scan.

    Caution: Excluding files or paths from the scan always involves some degree of risk, because malware placed in an excluded location is never inspected. Keep exclusions as specific as possible.

  13. Exclude files and folders using one of the following methods. Masks and system variables can be used in exclusion paths; see Exclusion Rules.

    To manually exclude specific files and folders from the scan:

    1. Click Add.
      A blank entry is added to the exclusions list.
    2. Select an exclusion type from the Type field. The types are File and Folder.
    3. Enter the path to the item you want to exclude in the Path field.
    4. Click the add icon to add the exclusion to the list.
      Repeat this procedure for all files and folders you want to exclude from the scan.
    5. To remove items from the exclusion list, select them and click Remove.

    To import an XML file containing a formatted list of file and folder exclusions:

    See Importing File, Folder and Process Exclusions.

  14. Configure the Optional drives settings:

    Scan locally-attached media
      All storage media, including external hard drives, USB devices, and DVD/CD media, are included in the scan.

  15. Click Finish.
    The Virus and Malware Scan Wizard closes. The scan begins, either immediately or at the scheduled time. After the scan completes, the Virus and Malware Scan Results page displays details of any malware that was detected.
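The Caution on the Exclude Files and Folders page deserves a concrete check. The following Python script is an added example (not code from the product or from this page) that audits a list of Type/Path exclusions of the kind the wizard accepts, before they are typed in or imported, and flags the entries that leave the scan blind: folders that cover a whole drive, masks that exclude every executable, entries at or below user-writable locations, duplicates, and system variables that will not resolve. The %NAME% variable and * mask syntax, the sample environment values, the list of user-writable locations and the sample entries are all assumptions constructed for the example; the product's own syntax is defined in its Exclusion Rules topic.

```python
"""Audit a scan exclusion list before it is added or imported.

Added example, not part of the product or this page: it checks entries of the
form the wizard's Exclude Files and Folders page accepts (Type = File or
Folder, plus a Path) for exclusions that leave the scan blind. The '*' masks
and %NAME% system variables are assumptions about the syntax; the product's
actual rules are in its Exclusion Rules topic.
"""
import ntpath
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed system-variable values on a 64-bit endpoint as seen by the scanning
# service, which runs as SYSTEM (so %TEMP% is the machine-wide temp folder).
SAMPLE_ENV = {
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
    "PROGRAMDATA": r"C:\ProgramData",
    "TEMP": r"C:\Windows\Temp",
}

# Locations an unprivileged user, and so malware running as that user, can
# normally write to. An exclusion at or below any of these is a blind spot.
USER_WRITABLE = (r"C:\Users\*", r"C:\ProgramData", r"C:\Windows\Temp")

EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".ps1", ".bat", ".cmd",
                  ".vbs", ".js", ".msi", ".hta"}

_VAR = re.compile(r"%([A-Za-z0-9_]+)%")


@dataclass
class Finding:
    severity: str   # critical, high, medium or info
    entry: str      # the exclusion as typed, e.g. "Folder: %TEMP%"
    reason: str


def expand_variables(path, env):
    """Replace each %NAME% with its value; names missing from env stay as-is."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def _normalize(path):
    return ntpath.normpath(path).rstrip("\\").lower()


def _under(path, prefix):
    """True if path equals prefix or lies below it; prefix may contain masks."""
    prefix = prefix.lower()
    return fnmatchcase(path, prefix) or fnmatchcase(path, prefix + "\\*")


def audit_exclusions(entries, env=SAMPLE_ENV):
    """Return one Finding per problem found in the (type, path) pairs."""
    findings, seen = [], set()
    for kind, raw in entries:
        kind = kind.strip().lower()
        label = f"{kind.capitalize()}: {raw}"
        expanded = expand_variables(raw, env)
        if _VAR.search(expanded):
            findings.append(Finding("medium", label,
                "unresolved system variable; the entry may never match on the endpoint"))
            continue
        norm = _normalize(expanded)
        if (kind, norm) in seen:
            findings.append(Finding("info", label, "duplicate of an earlier entry"))
            continue
        seen.add((kind, norm))
        rest = ntpath.splitdrive(norm)[1]
        if kind == "folder" and rest in ("", "\\", "\\*", "*"):
            findings.append(Finding("critical", label,
                "excludes an entire drive; nothing on it would be scanned"))
            continue
        if kind == "file":
            stem, ext = ntpath.splitext(ntpath.basename(norm))
            if stem == "*" and ext in EXECUTABLE_EXT:
                if ntpath.dirname(norm):
                    findings.append(Finding("high", label,
                        f"every {ext} file under that folder is excluded"))
                else:
                    findings.append(Finding("critical", label,
                        f"every {ext} file anywhere on the endpoint is excluded"))
        if any(_under(norm, p) for p in USER_WRITABLE):
            findings.append(Finding("high", label,
                "user-writable location; malware dropped here is never scanned"))
    return findings


# Constructed sample list mixing sensible and dangerous entries.
SAMPLE_ENTRIES = [
    ("Folder", r"C:\Program Files\Microsoft SQL Server\MSSQL\DATA"),
    ("File", r"%PROGRAMFILES%\Vendor\agent.exe"),
    ("Folder", "C:\\"),
    ("File", "*.exe"),
    ("Folder", r"C:\Users\*\AppData\Local\Temp"),
    ("Folder", "%TEMP%"),
    ("Folder", r"C:\Windows\Temp"),
    ("Folder", r"%APPDATA%\Vendor\cache"),
]

if __name__ == "__main__":
    for f in audit_exclusions(SAMPLE_ENTRIES):
        print(f"[{f.severity:8}] {f.entry}: {f.reason}")
```

Run it against the list you intend to enter or import: anything rated critical or high should be backed by a vendor recommendation and narrowed to a specific path rather than a mask or a whole folder tree. The check works on the list alone and does not inspect the endpoint. Note also that, as the Scan memory option describes, exclusions are not applied to memory scans, so an excluded file that is already running is still reported if Scan memory is selected.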

After Completing This Task:

On completion of scanning, you can:

  • View the Scan Now log file on endpoints in <INSTALL_DIR>\LMAgent\logs\AV.
  • Manage detected threats in quarantine.
  • Report threats as false positives to Ivanti.