Endpoint Security help

Use this dialog box (Tools > Configuration > Agent Settings > Endpoint Security) to create and edit Endpoint Security settings.

This dialog box contains the following pages.

About the Endpoint Security: General settings page

Use this page to configure location awareness (trusted network) and other access settings.

  • Name: Identifies the settings with a unique name.
  • Administrator: Specifies administrator password and options.
    • Use a password for Administrator: Specifies the password required on devices configured with these Endpoint Security settings in order to perform certain actions on the protected device.
    • Allow Windows Service Control Manager to stop the Endpoint Security service: Lets the end user stop the Endpoint Security service on the client.
  • Client interface: Specifies how the Endpoint Security client displays on managed devices.
    • Show icon in the taskbar notification area: Displays the notification area icon in the client interface.
    • Show violation balloon tips: Displays a message on the end-user device if a blocked operation occurs.
    • Show Start menu shortcut in Ivanti Management group: Displays a program icon for the Endpoint Security client in the Start menu (click Start > Programs > Ivanti Management).
  • Save: Saves your changes and closes the dialog.

About the Endpoint Security: Digital signatures page

Use this page to view and manage trusted digitally-signed applications and vendors.

  • Do not trust digitally signed applications: Don't automatically trust digitally-signed applications. Disables the rest of the dialog-box options.
  • Trust all digitally signed applications: Automatically trust digitally-signed applications. Be careful when using this. While being digitally signed does imply some degree of credibility, it doesn't guarantee that an application should be allowed in your environment.
  • Trust digitally signed applications from these vendors: Only trust digitally-signed applications from the vendors you specify. A basic list of reputable vendors is in the Trusted vendors list by default. You can use the buttons below that list to modify it.
  • Discovered vendors: Vendors found by the inventory software scanner on managed devices.
  • Trusted vendors: Vendor names to trust. Use wildcards to make sure the vendor name matches variations in the name that appears on their digitally-signed applications.
  • Add, Edit, and Delete: Use these to manage vendor names in the vendor lists.

About the Endpoint Security: Default policy

Use this page to configure the security components you want enabled and the setting you want to use for each component. Some options on this page won't be available unless you enable certain components first, such as Application control.

Components: Select the components you want to deploy and the agent setting you want to use for each component.

About the Endpoint Security: Monitored folders page

Use this dialog box to specify folder paths on managed devices that should be monitored. All files and child folders contained in a monitored folder are monitored. Use the Security activity tool's Application control section (Tools > Security and Compliance > Security activity) to view notifications on monitored folders. If any endpoint security actions need your attention, you'll also see a notification when you log in to the Endpoint Manager console.

Click Add and specify a folder path, the file patterns, exclusions, and file activities to be monitored.

About the Endpoint Security: Intermediate Patching page

Use this page to configure how Endpoint Security handles web browsers that don't have the latest patches.

In some cases, certain browser patches cause important business web applications running inside the browser to stop working as expected. When this happens, some administrators choose to roll back the patch, allowing the business web application to continue working.

Use the intermediate patching feature to prevent unpatched browsers from accessing untrusted sites on the internet. Unpatched browsers are a prime target for malware infection. Once this feature is enabled, Endpoint Security will automatically detect browsers that aren't fully patched and will block any access to websites that aren't configured as trusted in the Trusted sites list. This will ensure that end users can only use the unpatched browser to visit trusted sites.

  • Applications monitored for missing patches: Select the browser applications you want to monitor for missing patches.
  • Trusted sites: Add sites to this list that you will allow browsers to access, even if those browsers are missing patches. You can add items by IP address, IP range, subnet address, or hostname. Monitored unpatched browsers will only be able to access sites in this list.

About the Endpoint Security Auto Remediation page

Starting with Ivanti Endpoint Management 2017.3, Ivanti Software is offering a new Endpoint Security feature called "Auto Remediation". This action can be triggered by malware, ransomware, and through the API.

The pages in this section configure malware and ransomware auto-remediation. Auto-remediation is disabled by default. You need to click Enable on the Auto remediation page if you want to enable auto-remediation and configure the Triggers and Actions pages.

Note that for additional ransomware protection, the application control agent settings under Security > Endpoint security > Application control provide the Restrict access to physical drives and Auto detect and blacklist crypto-ransomware options.

About the Endpoint Security Auto Remediation: Triggers page

Endpoint Security monitors the real-time log files created by major antivirus software products. When these products detect malware, they will write entries to their log file. However, different vendors identify malware with different names. Because of this, you need to identify how your antivirus vendor logs the malware you care about. Refer to the following vendors' links for keywords.

  • Kaspersky - A Malware Classification
  • Symantec - Malicious code classifications and threat types
  • McAfee - Threat Library Search Results
  • Trend Micro - Virus/Malware
  • Sophos - Advanced Targeted Malware Security | Sophos ATP for Corporate Networks and Network Threats

You can then enter a comma-separated list of keywords on the Triggers page. When one of these keywords is detected in the antivirus log, auto-remediation is triggered and the Actions you've configured are carried out.

At this time the following antivirus products are supported:

  • Ivanti Antivirus 2017.3 (Kaspersky Endpoint Security for Windows 10.0 SP1)
  • Symantec Endpoint Protection 14
  • McAfee VirusScan Enterprise 8.8
  • Trend Micro OfficeScan Client 5.0
  • Sophos Anti-Virus 5.8

When triggered, auto remediation automatically sends

  • Triggered by malware: Select this option if you want antivirus log keywords to trigger auto-remediation.
  • Keywords (comma separated): Specify the keywords your antivirus product uses.
  • Triggered by ransomware: Select this option for ransomware to trigger auto-remediation.
  • Triggered by API: Refer to this document on the Ivanti community for more information.
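
Because a matching keyword starts the configured Actions, it helps to dry-run a candidate keyword list against exported antivirus log lines before saving it. The following is an added example, not Ivanti code: it assumes keywords match as case-insensitive substrings (the page does not document the matching rules), and the log lines are constructed samples rather than any vendor's real format.

```python
# Added example: dry-run a comma-separated keyword list against AV log lines.
# Assumption: keywords match as case-insensitive substrings; the product's
# actual matching rules are not documented on this page.

def parse_keywords(field):
    """Split the Keywords field, dropping blanks and case-insensitive duplicates."""
    seen, out = set(), []
    for raw in field.split(","):
        kw = raw.strip()
        if kw and kw.lower() not in seen:
            seen.add(kw.lower())
            out.append(kw)
    return out

def dry_run(field, log_lines):
    """Return {keyword: [1-based line numbers that would trigger]}."""
    hits = {kw: [] for kw in parse_keywords(field)}
    for n, line in enumerate(log_lines, start=1):
        low = line.lower()
        for kw in hits:
            if kw.lower() in low:
                hits[kw].append(n)
    return hits

def review(field, log_lines, expected_lines):
    """Find keywords that never fire and keywords that fire on lines
    the reviewer did not mark as real detections (expected_lines)."""
    hits = dry_run(field, log_lines)
    dead = [kw for kw, lines in hits.items() if not lines]
    noisy = {kw: [n for n in lines if n not in expected_lines]
             for kw, lines in hits.items()}
    noisy = {kw: ns for kw, ns in noisy.items() if ns}
    return dead, noisy

# Constructed sample lines; not the real log format of any vendor.
SAMPLE_LOG = [
    "2017-11-02 09:14:01 Detected Trojan.Generic in C:\\Users\\a\\inv.exe",
    "2017-11-02 09:15:40 Update task finished, ransomware definitions loaded",
    "2017-11-02 09:20:12 Detected Ransom.Cryptor in C:\\Temp\\x.dll",
    "2017-11-02 09:30:00 Scan completed, no threats found",
]
KEYWORDS = "Trojan, ransom, ,Worm, trojan"

if __name__ == "__main__":
    dead, noisy = review(KEYWORDS, SAMPLE_LOG, expected_lines={1, 3})
    print("never fired:", dead)
    print("fired on non-detection lines:", noisy)
```

A keyword reported as firing on a non-detection line would, under the stated assumption, start isolation or a forced restart on routine log activity, so tighten it to the vendor's full classification string.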

About the Endpoint Security Auto Remediation: Actions page

The actions on this page happen when the criteria you specified on the Triggers page are met.

  • Isolate the device from the network but allow remote management: Uses the Ivanti firewall to isolate the device from all traffic except for management traffic from the Ivanti console. Remote control, software distribution, and so on will still work.
  • Shutdown or restart: Forces a shutdown or restart. You can provide a message that the user will see while this is happening, but they won't be able to defer or interrupt the shutdown or restart.
  • Run security scan: Runs a security scan based on the Distribution and patch settings you specify.
  • Deploy a package: Deploys a package you specify. This could be a secondary remediation tool, such as a Malwarebytes product.

About the Endpoint Security Advanced page

Use this dialog box to configure advanced security options.

  • Allow to generate security authorization codes: Create an authorization code that will allow an end user to perform a blocked operation for a brief period of time. For more information, see Generate security authorization codes.
  • Allow Windows Service Control Manager to stop Ivanti Endpoint Security service: Normally users can't use the Windows Service Control Manager to stop the Ivanti Endpoint Security service. Select this option if you want to allow users to stop the service.
  • Enforce Ivanti Endpoint Security protection while in Safe Mode: Normally Windows Safe Mode disables Endpoint Security. Select this option if you want Endpoint Security active in Safe Mode.
  • Global hotkeys: Specifies hotkey shortcuts used for particular Endpoint Security features.
    • Device Control bypass hotkey: Enables you to define a hotkey sequence that allows temporary access to a blocked device. The default hotkey is Ctrl+Shift+F1. To enter the desired hotkey sequence, place the cursor in the text box, and then press (and hold) the keys in the order you want.
  • Provide more notifications to end user
  • Protect Ivanti files from being changed

About the Endpoint Security: Trusted folders page

Use this dialog box to specify folder paths on managed devices that should be considered trusted.

Click Add and specify a folder path and the rights you want to give that folder and all its child folders.

About the Endpoint Security Advanced: Digital signatures page

Use this page to view and manage trusted digitally-signed applications and vendors.

  • Do not trust digitally signed applications: Don't automatically trust digitally-signed applications. Disables the rest of the dialog-box options.
  • Trust all digitally signed applications: Automatically trust digitally-signed applications. Be careful when using this. While being digitally signed does imply some degree of credibility, it doesn't guarantee that an application should be allowed in your environment.
  • Trust digitally signed applications from these vendors: Only trust digitally-signed applications from the vendors you specify. A basic list of reputable vendors is in the Trusted vendors list by default. You can use the buttons below that list to modify it.
  • Discovered vendors: Vendors found by the inventory software scanner on managed devices.
  • Trusted vendors: This list appears to the right of the Discovered vendors list, and shows the vendor signatures you can manage and whether they are trusted or not. Use wildcards to make sure the vendor name matches variations in the name that appears on their digitally-signed applications.
  • Add, Edit, and Delete: Use these to manage vendor names in the vendor lists.
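
Wildcards in the Trusted vendors list, on this page and on the earlier Digital signatures page, can match more signer names than intended or miss a variation. The following added example (not Ivanti code) audits a pattern list against discovered vendor names. It assumes shell-style `*` and `?` wildcards with case-insensitive matching, which the page does not specify, and all vendor names are constructed.

```python
from fnmatch import fnmatchcase

# Assumption: "*" and "?" behave as shell-style wildcards and matching is
# case-insensitive; the page does not define the product's wildcard syntax.

def matches(pattern, vendor):
    return fnmatchcase(vendor.lower(), pattern.lower())

def audit(trusted_patterns, discovered_vendors, intended):
    """Compare what each trusted pattern matches with what it was meant to cover.

    intended maps pattern -> set of vendor names the admin meant to trust.
    Returns {pattern: {"unintended": [...], "missed": [...]}} for problem patterns.
    """
    report = {}
    for pat in trusted_patterns:
        matched = {v for v in discovered_vendors if matches(pat, v)}
        want = intended.get(pat, set())
        unintended = sorted(matched - want)   # trusted by accident
        missed = sorted(want - matched)       # name variation not covered
        if unintended or missed:
            report[pat] = {"unintended": unintended, "missed": missed}
    return report

# Constructed vendor names standing in for the Discovered vendors list.
DISCOVERED = [
    "Example Software, Inc.",
    "Example Software Inc",
    "Example Softworks Ltd",
    "Contoso Corporation",
    "Contoso Corp.",
]
TRUSTED = ["Example Soft*", "Contoso Corporation", "Example Software*Inc*"]
INTENDED = {
    "Example Soft*": {"Example Software, Inc.", "Example Software Inc"},
    "Contoso Corporation": {"Contoso Corporation", "Contoso Corp."},
    "Example Software*Inc*": {"Example Software, Inc.", "Example Software Inc"},
}

if __name__ == "__main__":
    for pat, issues in audit(TRUSTED, DISCOVERED, INTENDED).items():
        print(pat, issues)
```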

About the Endpoint Security Advanced: Application file lists page

You can edit this list if you've selected the Application Control or Ivanti Firewall components. The application file list helps ensure that the files on a device's file system aren't malware and that no one has tampered with them. For more information, see Using file reputation to restrict applications.

  • Application file lists: Use the Add and Edit buttons to configure the trusted file lists you want to use.
  • Learning list: When a component is set to learning mode, learned file information is added to this list.
  • Add learning activity only into the learning list: Only updates the learning list you specified.
  • Add learning activity into each list where the same file already exists: Updates all trusted file lists that already have an entry for the learned file.
  • Automatically add files trusted by Digital Signatures to the application file list: Application Control queries each file execution to detect the presence of a digital certificate. If the file has a valid digital certificate, the file is allowed to run. Note that all processes digitally signed by LANDesk and Ivanti are trusted by default independently of this setting. Disabled by default.
  • Enable local application file list: Enables a local application file list on computers that isn't manageable from the core server or additional consoles. Some customers may find this feature useful, but editing this list requires physical or remote control access to the computer. When viewing a file list in Endpoint Security, the Scope column shows whether the scope is Global or Local. Disabled by default.