Configure antivirus scan options with antivirus settings

Antivirus gives you complete control over how antivirus scans run on targeted devices, and which options are available to end users. For example, depending on the purpose or scheduled time of an antivirus scan, you may want to show the Antivirus client on end user devices, allow the end user to perform antivirus scans, view and restore quarantined objects, download virus definition file updates on their own, and so on. You can do this by creating and applying antivirus settings to a scan task.

With antivirus settings, you can configure the following options:

  • Whether the Antivirus icon appears in device system trays (providing end user access to antivirus scanning, quarantine and backup viewing, and file handling tasks)
  • Real-time email scanning
  • End user right-click scans
  • CPU usage
  • Owner (to restrict access)
  • Scheduled antivirus scans
  • Quarantine/backup folder size
  • Restoring infected and suspicious objects
  • Specifying which files, folders, and file types to scan
  • Scan exclusions
  • Whether to use heuristic analysis for detecting suspicious files
  • Whether to scan for riskware
  • Real-time file protection (including which files to scan, heuristics, and exclusions)
  • Downloading virus definition file updates (pilot test versions, scheduled downloads, end user download permission, and direct downloads from the security content server)

All of the antivirus settings you create are stored in the Ivanti Antivirus group in the Agent settings tool (Tools > Configuration > Agent settings).

Using Antivirus settings

Create and apply antivirus settings (a saved set of configured options) to antivirus scan tasks. You can create as many antivirus settings as you like. Antivirus settings can be designed for a specific purpose, time, or set of target devices.

To create antivirus settings
  1. Click Tools > Configuration > Agent settings. In the Agent settings tool, right-click the Security > Ivanti Antivirus object, and then click New.
  2. Enter a name for the antivirus settings.
  3. Specify the settings on the pages as desired for the particular task. For more information about an option, click Help.

Once configured, you can apply antivirus settings to antivirus tasks (or to a change settings task).

Changing device default antivirus settings

A device's default antivirus settings are deployed as part of the initial agent configuration. When a specific task has a different antivirus setting associated or assigned to it, the default settings are overridden. You can also choose to use the device's default setting by selecting it when you create a task.

At some point you may want to change these default antivirus settings on certain devices. Patch and Compliance provides a way to do this without having to redeploy an entirely new and complete agent configuration. To do this, use the Change settings task located in the drop-down list of the Create a task toolbar button. The dialog box that appears allows you to enter a unique name for the task, specify whether it is a scheduled task or policy, and either select existing antivirus settings as the default or use the Edit button to create new antivirus settings as the default for target devices.

Viewing device antivirus settings in the Inventory

You can discover or verify a device's antivirus settings in its Inventory view.

To do this, right-click the selected device, and then click Inventory > Ivanti Management > AV Settings.

Configuring which files to scan (infectable files only, exclusions, heuristics, riskware)

You can specify which files (items) you want to scan and which files you don't want to scan with both antivirus scans and real-time antivirus file protection.

See the following sections for information on customizing what to scan.

All files or infectable files only

You can scan all files or infectable files only on the Virus scan and Real-time protection pages of antivirus settings.

  • Scan all file types: Specifies that files of all types on the target device are scanned by an antivirus scan. This may take a long time, so it is a good idea to scan all file types with an on-demand scan rather than real-time protection.
  • Scan infectable files only: Specifies that infectable files only are scanned. Infectable files are those types of files known to be vulnerable to virus infections. Scanning only infectable files is more efficient than scanning all files because some viruses affect only certain file types. However, you should make a habit of regularly scanning all the files with an on-demand scan in order to ensure devices are clean.

Infectable file types

Infectable file types are identified by their format identifier in the file header rather than by their file extension, ensuring that renamed files are scanned.

Infectable files include document files such as Word and Excel files; template files that are associated with document files; and program files such as dynamic link libraries (.DLLs), communication files (.COM), executable files (.EXEs), and other program files. See below for a list of infectable file types by the file format's standard or original file extension.

  • ACM
  • ACV
  • ADT
  • AX
  • BAT
  • BIN
  • BTM
  • CLA
  • COM
  • CPL
  • CSC
  • CSH
  • DLL
  • DOC
  • DOT
  • DRV
  • EXE
  • HLP
  • HTA
  • HTM
  • HTML
  • HTT
  • INF
  • INI
  • JS
  • JSE
  • JTD
  • MDB
  • MSO
  • OBD
  • OBT
  • OCX
  • PIF
  • PL
  • PM
  • POT
  • PPS
  • PPT
  • RTF
  • SCR
  • SH
  • SHB
  • SHS
  • SMM
  • SYS
  • VBE
  • VBS
  • VSD
  • VSS
  • VST
  • VXD
  • WSF
  • WSH
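
The following added example, which is not Ivanti's code or its detection logic, shows why identifying files by header rather than by extension means renamed files are still scanned. The signature table, the sample files, and the function names are constructed for the illustration.

```python
import pathlib
import tempfile

# Constructed signature table for illustration; a real engine covers far more formats.
SIGNATURES = [
    (b"MZ", "DOS/PE program"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document"),
    (b"{\\rtf", "RTF document"),
    (b"#!", "script with interpreter line"),
]
INFECTABLE_EXTS = {"exe", "dll", "doc", "rtf", "sh"}  # subset of the page's list

def identify_by_header(path):
    """Return the format whose magic bytes start the file, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((name for magic, name in SIGNATURES if head.startswith(magic)), None)

def is_pe(path):
    """Confirm a PE image: 'MZ' stub plus 'PE\\0\\0' at the offset stored at 0x3C."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        fh.seek(int.from_bytes(head[0x3C:0x40], "little"))
        return fh.read(4) == b"PE\0\0"

def scan_decision(path):
    """Compare an extension-only filter with header-based identification."""
    ext = pathlib.Path(path).suffix.lstrip(".").lower()
    fmt = identify_by_header(path)
    return {"by_extension": ext in INFECTABLE_EXTS, "format": fmt, "pe": is_pe(path)}

def demo():
    """Write constructed sample files to a temp dir and return each decision."""
    stub = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0"
    samples = {
        "setup.exe": stub,
        "holiday.jpg": stub,                      # program renamed to look like an image
        "report.txt": b"{\\rtf1\\ansi renamed}",  # RTF renamed to .txt
        "notes.txt": b"plain text, no known signature\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            pathlib.Path(d, name).write_bytes(content)
        return {name: scan_decision(pathlib.Path(d, name)) for name in samples}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12} {decision}")
```

An extension-only filter skips `holiday.jpg` and `report.txt`, while the header check still classifies both as infectable formats.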

Excluding items from antivirus scans and real-time protection

You can also specify what not to scan with both antivirus scans and real-time file protection. Configure antivirus scan exclusions by adding files, folders, and file types to the exclusion list on the Virus scan and Real-time protection pages of antivirus settings.

NOTE: Trusted items list on managed devices
You can also enable an option that allows end users to specify files and folders they don't want to be scanned by Ivanti Antivirus. This feature is called the trusted items list, and is configured on the General page of antivirus settings.

Using heuristic analysis to scan for suspicious objects

You can enable heuristic analysis to check for suspicious (possibly infected) files with both antivirus scans and real-time file protection.

Enable heuristic scanning on the Virus scan and Real-time protection pages of antivirus settings.

Heuristic analysis attempts to detect files suspected of being infected by an unknown virus (one not defined in the virus signature database) by looking for suspicious behavior. Suspicious behavior can include a program that is self-modifying, that immediately tries to find other executables, or that is modified after terminating. The heuristic analyzer emulates program execution, records the suspicious activity it observes, and uses those records to identify possible virus infections. In almost all cases, this mechanism is effective and reliable, and rarely leads to false positives.

Antivirus utilizes a heuristic analyzer to verify files that have already been scanned by an antivirus scan based on known virus definitions.

Note that heuristic scanning may negatively affect performance on managed devices.

Scanning for riskware (extended database)

Antivirus lets you enable scanning for risky software, also known as riskware, on target devices. Risky software is essentially client software whose installation presents a possible but not definite risk for the end user.

Examples of riskware include adware, proxy-programs, pornware, remote admin utilities, IRC, dialers, activity monitors, password utilities, and Internet tools such as FTP, Web, Proxy and Telnet.

When you choose to scan managed devices for risky software, Antivirus loads an extended database that contains definition files used to perform the scan. The extended database scan requires more time than the standard antivirus scan.

Additional notes about scanning files

  • System restore point scanning: Antivirus will scan the files in any system restore point folders that may exist on the managed device.