What happens on a device during an antivirus scan

This section describes what the Antivirus client looks like on end user devices where it is installed, and what happens when a device is scanned for viruses, either by an antivirus scan or through real-time virus protection. It also lists the options available to end users and the actions they can take when a scan discovers an infected object.

Antivirus client interface and end user actions

If the Show Ivanti Antivirus icon in the system tray option is selected in the device's antivirus settings, the Antivirus client is visible and shows the following elements:

System tray icon

  • Real-time protection is enabled (system tray icon is yellow) or disabled (system tray icon is gray)

Antivirus window

  • Real-time protection is enabled or disabled (if the option is enabled in the antivirus settings, the end user can disable real-time protection for the period of time you specify)
  • Email scanning is enabled or disabled
  • Latest scan (date and time)
  • Scheduled scan (date and time)
  • Scan engine version number
  • Virus definitions (the last time pattern files were updated)
  • Quarantine (shows the number of objects that have been quarantined. End users can click View details to open the Quarantined objects dialog. If the option is enabled, the end user can also restore files. If the password requirement option is enabled, the end user must enter that password.)
  • Backup (shows the number of objects that have been backed up)
  • Trusted items (shows the items the end user has added to their trusted items list that won't be scanned for viruses or risky software)

End user actions

If Antivirus is installed on their computer and their antivirus settings (default or task-specific) allow it, end users can perform the following tasks:

  • Scan my computer (end users can view the scan status, and pause or cancel the scan)
  • Right-click files and folders in Windows Explorer to run an antivirus scan on them (if the option is enabled in the antivirus settings)
  • View local scheduled antivirus scan tasks
  • Create local scheduled antivirus scans on their own machine (if the option is enabled by the antivirus setting)
  • Update virus definition files
  • Temporarily disable real-time protection (if the option is enabled by the agent configuration, and limited to a specified period of time)
  • View quarantined objects
  • View backup objects
  • View trusted items
  • Restore suspicious objects (if the option is enabled by the antivirus setting)
  • Restore infected objects and risky software (if the option is enabled by the antivirus setting)
  • Add files and folders (including subfolders) to their trusted items list, and remove them from it

Note that end users can't configure antivirus scan settings or disable email scanning.

When an infected object is detected

This process applies to both infected files and email messages.

  1. The infected object is automatically backed up. (The backup file is saved in the \LDClient\Antivirus\ folder with a *.bak extension.)
  2. An attempt is made to clean the infected object.
  3. If the infected object can be cleaned, it is restored to its original location.
  4. If the infected object can't be cleaned, it is quarantined. (The virus string is removed and the file is encrypted so it can't be run. The quarantined file is saved in the \LDClient\Antivirus\ folder with a *.qar extension.)

If the corresponding option is enabled in their antivirus settings (default or task-specific), end users can restore, delete, and rescan quarantined objects.

Automatic scanning of quarantined files

When an on-demand antivirus scan is executed, or when the virus definition files are updated, the antivirus scanner automatically scans objects in the quarantine folder to see if any infected files can be cleaned with the current virus definition files.

If a quarantined file can be cleaned, it is automatically restored and the user is notified.
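The following model, added here as an example and not Ivanti's own code, walks through steps 1 to 4 above and the automatic quarantine rescan after a definition update. The file naming inside \LDClient\Antivirus\, the XOR stand-in for the product's undocumented file encryption, and the signature-to-cleanable "definitions" table are all assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

AV_DIR = r"\LDClient\Antivirus"   # backup/quarantine folder named on the page
KEY = 0x5A                         # stand-in for the product's undocumented encryption
# Constructed "definitions": signature bytes -> whether a cleaning routine exists for it.
Definitions = Dict[bytes, bool]


@dataclass
class Device:
    files: Dict[str, bytes] = field(default_factory=dict)       # path -> content
    backups: Dict[str, bytes] = field(default_factory=dict)     # *.bak -> content
    quarantine: Dict[str, tuple] = field(default_factory=dict)  # *.qar -> (encrypted, origin, sig)


def xor(data: bytes) -> bytes:
    """Symmetric stand-in for the quarantine encryption (assumption, not the real scheme)."""
    return bytes(b ^ KEY for b in data)


def detect(data: bytes, defs: Definitions) -> Optional[bytes]:
    """Return the first known signature found in the data, or None if it is clean."""
    return next((sig for sig in defs if sig in data), None)


def handle_detection(dev: Device, path: str, defs: Definitions) -> str:
    """Steps 1-4: back up first, try to clean, then restore or quarantine."""
    sig = detect(dev.files[path], defs)
    if sig is None:
        return "clean"
    data = dev.files.pop(path)
    name = path.rsplit("\\", 1)[-1]
    dev.backups[f"{AV_DIR}\\{name}.bak"] = data           # step 1: backup always happens
    if defs[sig]:                                         # steps 2-3: cleanable -> restore
        dev.files[path] = data.replace(sig, b"")
        return "restored"
    neutralised = xor(data.replace(sig, b""))             # step 4: strip string, encrypt
    dev.quarantine[f"{AV_DIR}\\{name}.qar"] = (neutralised, path, sig)
    return "quarantined"


def rescan_quarantine(dev: Device, defs: Definitions) -> list:
    """Automatic rescan after a definition update: restore whatever can now be cleaned."""
    restored = []
    for qar, (blob, origin, sig) in list(dev.quarantine.items()):
        if defs.get(sig):
            dev.files[origin] = xor(blob)   # decrypt; the virus string is already gone
            del dev.quarantine[qar]
            restored.append(origin)
    return restored
```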

End users can open a backup file to see a header that records the file's original location and the reason it was backed up.

Note that only the original user (the user who was logged in when the infected file was discovered) is allowed to delete or modify backup files.