Management and Security powered by Landesk

Agent settings: Endpoint Security Essentials

Use this dialog box (Tools > Configuration > Agent Settings > Endpoint Security Essentials) to create and edit Endpoint Security Essentials settings. Many of the options in this agent setting can be configured in other agent settings, but this agent setting gathers important options in one place and helps you configure Endpoint Security by following Ivanti's recommended best practices.

This dialog box contains the following pages.

About the Endpoint Security Essentials: General settings page

Use this page to configure general Endpoint Security settings.

  • Name: Identifies the settings with a unique name.
  • Administrator: Specifies administrator password and options.
    • Use a password for Administrator: Specifies the password required on devices configured with this Endpoint Security settings in order to perform certain actions on the protected device.
    • Collect accessed IP/URL: Stores accessed IP and web addresses. Disabled by default.
    • Collect CPU and memory information: When enabled, the agent collects average CPU and memory usage for each process as well as all inbound and outbound connections. This allows for further analysis in case malware is found on an endpoint. View the data collected by this feature in the application information view (right-click a device in the Network view and click Security and Patch > Application information). This view helps you detect malicious behavior on an endpoint. Disabled by default.
  • Client interface: Specifies how the Endpoint Security client displays on managed devices.
    • Show icon in the taskbar notification area: Displays the notification area icon in the client interface.
  • Save: Saves your changes and closes the dialog.
  • Add, Edit, and Delete: Use these to manage vendor names in the vendor lists.

About the Endpoint Security Essentials: Protection page

Use this page to configure endpoint ransomware and malware protection settings. All options on this page are disabled by default.

  • Restrict access to physical drives (protect against MBR encryption ransomwares): When enabled, Endpoint Security will block access to the master boot record (MBR). Some ransomwares are known to encrypt the MBR, and enabling this feature prevents MBR encryption. Note that when enabled, no process will be able to change the MBR, including legitimate processes. If a legitimate process needs to change the MBR, add it as an exclusion to the Monitored folders list on the Monitoring page.
  • Block and blacklist ransomware: When enabled, Endpoint Security will look for processes trying to encrypt files. Once detected, EPS will kill the encryption process and add it to the application blacklist. This blacklist will be sent to the core on the next sync, and when other endpoints sync to the core after this they will get the updated blacklist. This will effectively block the execution of the same ransomware process by other devices, since this ransomware process will be blocked in the application file list.
  • Protect Word, PowerPoint and Excel files from being encrypted by a ransomware: When enabled, Endpoint Security will only allow Word, PowerPoint and Excel processes to modify Word, PowerPoint and Excel files (users will still be able to copy/paste those files). If a ransomware runs on the endpoint, it won't be able to encrypt these file types. In case of a ransomware attack, an administrator will be able to remote control the infected device and copy the untouched documents somewhere safe, ensuring a quicker recovery, because the end user will get the latest version of their files without the need to recover those files from an old backup copy.
  • Prevent Word and Excel macros from running scripts (prevent file-less attacks): A common method to infect an endpoint is to convince the end user to run a macro inside a Word or Excel document. In most cases the macro will run a PowerShell or other script that downloads malware to the device. Once this feature is enabled, Endpoint Security will prevent macros from launching PowerShell, Visual Basic, and other scripts. As a result, if an end user runs a macro that launches a script, the script won't run, blocking the malware from running. The macro itself will continue to work.

About the Endpoint Security Essentials: Monitoring page

Use this dialog box to specify folder paths on managed devices that should be monitored. All files and child folders contained in a monitored folder are monitored. Use the Security activity tool's Application control section (Tools > Security and Compliance > Security activity) to view notifications on monitored folders. If any endpoint security actions need your attention, you'll also see a notification when you log in to the Endpoint Manager console.

Click Add and specify a folder path, the file patterns, exclusions, and file activities to be monitored.

About the Endpoint Security Essentials: Intermediate Patching page

Use this page to configure how Endpoint Security handles web browsers that don't have the latest patches.

In some cases, certain browser patches cause important business web applications running inside the browser to stop working as expected. When this happens, some administrators choose to roll back the patch, allowing the business web application to continue working.

Use the intermediate patching feature to prevent unpatched browsers from accessing untrusted sites on the internet. Unpatched browsers are a prime target for malware infection. Once this feature is enabled, Endpoint Security will automatically detect browsers that aren't fully patched and will block any access to websites that aren't configured as trusted in the Trusted sites list. This will ensure that end users can only use the unpatched browser to visit trusted sites.

  • Applications monitored for missing patches: Select the browser applications you want to monitor for missing patches.
  • Trusted sites: Add sites to this list that you will allow browsers to access, even if those browsers are missing patches. You can add items by IP address, IP range, subnet address, or hostname. Monitored unpatched browsers will only be able to access sites in this list.

About the Endpoint Security Essentials: Auto Remediation page

The pages in this section configure malware and ransomware auto-remediation. Auto-remediation is disabled by default. You need to click Enable on the Auto remediation page if you want to enable auto-remediation and configure the Triggers and Actions pages.

About the Endpoint Security Essentials Auto Remediation: Triggers page

Endpoint Security monitors the real-time log files created by major antivirus software products. When these products detect malware, they will write entries to their log file. However, different vendors identify malware with different names. Because of this, you need to identify how your antivirus vendor logs the malware you care about. Refer to the following vendors' links for keywords.

• Kaspersky - A Malware Classification

• Symantec - Malicious code classifications and threat types

• McAfee - Threat Library Search Results

• Trend Micro - Virus/Malware

• Sophos - Advanced Targeted Malware Security | Sophos ATP for Corporate Networks and Network Threats

You can then enter a comma-separated list of keywords on the Triggers page. When one of these keywords is detected in the antivirus log, auto-remediation is triggered and the Actions you've configured are carried out.

At this time the following antivirus products are supported:

  • Ivanti Antivirus 2017.3 (Kaspersky Endpoint Security for Windows 10.0 SP1)
  • Symantec Endpoint Protection 14
  • McAfee VirusScan Enterprise 8.8
  • Trend Micro OfficeScan Client 5.0
  • Sophos Anti-Virus 5.8

When triggered, auto remediation automatically sends

  • Triggered by malware: Select this option if you want antivirus log keywords to trigger auto-remediation.
  • Keywords (comma separated): Specify the keywords your antivirus product uses.
  • Triggered by ransomware: Select this option for ransomware to trigger auto-remediation.
  • Triggered by API: Refer to this document on the community for more information.

About the Endpoint Security Essentials Auto Remediation: Actions page

The actions on this page happen when the criteria you specified on the Triggers page are met.

  • Isolate the device from the network but allow remote management: Uses the Ivanti firewall to isolate the device from all traffic except for management traffic from the Ivanti management console. Remote control, software distribution, and so on will still work.
  • Shutdown or restart: Forces a shutdown or restart. You can provide a message that The user will see while this is happening but they won't be able to defer or interrupt the shutdown or restart.
  • Run security scan: Runs a security scan based on the Distribution and patch settings you specify.
  • Deploy a package: Deploys a package you specify. This could be a secondary remediation tool, such as a Malwarebytes product.

Was this article useful?    

The topic was:

Inaccurate

Incomplete

Not what I expected

Other