Management and Security powered by Landesk

Endpoint Security help

Use this dialog box (Tools > Configuration > Agent Settings > Endpoint Security) to create and edit Endpoint Security settings.

This dialog box contains the following pages.

About the Endpoint Security: General settings page

Use this page to configure location awareness (trusted network) and other access settings.

  • Name: Identifies the settings with a unique name.
  • Administrator: Specifies administrator password and options.
    • Use a password for Administrator: Specifies the password required on devices configured with these Endpoint Security settings in order to perform certain actions on the protected device.
    • Allow Windows Service Control Manager to stop the Endpoint Security service: Lets the end user stop the Endpoint Security service on the client.
  • Client interface: Specifies how the Endpoint Security client displays on managed devices.
    • Show icon in the taskbar notification area: Displays the notification area icon in the client interface.
    • Show violation balloon tips: Displays a message on the end-user device if a blocked operation occurs.
    • Show Start menu shortcut in Ivanti Management group: Displays a program icon for the Endpoint Security client in the Start menu (click Start > Programs > Ivanti Management).
  • Global hotkeys: Specifies hotkey shortcuts used for particular Endpoint Security features.
    • Device Control bypass hotkey: Enables you to define a hotkey sequence that allows temporary access to a blocked device. The default hotkey is Ctrl+Shift+F1. To enter the desired hotkey sequence, place the cursor in the text box, and then press (and hold) the keys in the order you want.
  • Save: Saves your changes and closes the dialog.

About the Endpoint Security: Digital signatures page

Use this page to view and manage trusted digitally-signed applications and vendors.

  • Do not trust digitally signed applications: Don't automatically trust digitally-signed applications. Disables the rest of the dialog-box options.
  • Trust all digitally signed applications: Automatically trust digitally-signed applications. Be careful when using this. While being digitally signed does imply some degree of credibility, it doesn't guarantee that an application should be allowed in your environment.
  • Trust digitally signed applications from these vendors: Only trust digitally-signed applications from the vendors you specify. A basic list of reputable vendors is in the Trusted vendors list by default. You can use the buttons below that list to modify it.
  • Discovered vendors: Vendors found by the inventory software scanner on managed devices.
  • Trusted vendors: Vendor names to trust. Use wildcards to make sure the vendor name matches variations in the name that appears on their digitally-signed applications.
  • Add, Edit, and Delete: Use these to manage vendor names in the vendor lists.
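The effect of wildcards in the Trusted vendors list can be checked before a pattern is saved. The following is an added example, not code from the product: it assumes `*` and `?` wildcards matched case-insensitively (the page does not document the exact wildcard syntax), and the vendor names are constructed.

```python
from fnmatch import fnmatchcase

def audit_patterns(trusted_patterns, discovered_vendors):
    """For each trusted-vendor pattern, list the discovered vendors it would trust."""
    report = {}
    for pattern in trusted_patterns:
        # ASSUMPTION: shell-style wildcards, case-insensitive comparison.
        report[pattern] = [
            vendor for vendor in discovered_vendors
            if fnmatchcase(vendor.lower(), pattern.lower())
        ]
    return report

def unmatched_patterns(report):
    """Patterns that trust nothing, usually because the signed name varies slightly."""
    return [pattern for pattern, vendors in report.items() if not vendors]

# Constructed vendor names, standing in for the Discovered vendors list.
DISCOVERED = [
    "Example Software, Inc.",
    "Example Software Inc",
    "Example Softworks Ltd",
    "Contoso Ltd.",
    "Unrelated Example Tools",
]

# Constructed candidate entries for the Trusted vendors list.
PATTERNS = ["Example Software*", "Example Soft*", "*Example*", "Contoso Ltd"]

if __name__ == "__main__":
    report = audit_patterns(PATTERNS, DISCOVERED)
    for pattern, vendors in report.items():
        print(f"{pattern!r} trusts {len(vendors)} vendor(s): {vendors}")
    print("Patterns that match nothing:", unmatched_patterns(report))
```

A pattern that matches more vendors than intended extends trust to all of them, while an exact name without a wildcard can miss the vendor's own variations.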

About the Endpoint Security: Default policy

Use this page to configure the security component agent settings and trusted file list settings. Some options on this page won't be available unless you enable certain components first, such as Application control.

Components: Select the agent setting you want to use for each component.

  • Trusted file lists: Use the Add and Edit buttons to configure the trusted file lists you want to use.
  • Learning list: When a component is set to learning mode, learned file information is added to this list.
  • Add learning activity only into the learning list: Only updates the learning list you specified.
  • Add learning activity into each list where the same file already exists: Updates all trusted file lists that already have an entry for the learned file.
  • Automatically add files trusted by Digital Signatures to the application file list: Application Control queries each file execution to detect the presence of a digital certificate. If the file has a valid digital certificate, the file is allowed to run. Note that all processes digitally signed by LANDesk and Ivanti are trusted by default independently of this setting. Disabled by default.
  • Enable local application file list: Enables a local application file list on computers that isn't manageable from the core server or additional consoles. Some customers may find this feature useful, but editing this list requires physical or remote control access to the computer. When viewing a file list in Endpoint Security, the Scope column shows whether the scope is Global or Local. Disabled by default.

About the Endpoint Security: Trusted folders page

Use this dialog box to specify folder paths on managed devices that should be considered trusted.

Click Add and specify a folder path and the rights you want to give that folder and all its child folders.

About the Endpoint Security: Monitored folders page

Use this dialog box to specify folder paths on managed devices that should be monitored. All files and child folders contained in a monitored folder are monitored. Use the Security activity tool's Application control section (Tools > Security and Compliance > Security activity) to view notifications on monitored folders. If any endpoint security actions need your attention, you'll also see a notification when you log in to the Endpoint Manager console.

Click Add and specify a folder path, the file patterns, exclusions, and file activities to be monitored.

About the Endpoint Security Auto Remediation page

Starting with Ivanti Endpoint Management 2017.3, Ivanti Software is offering a new Endpoint Security feature called "Auto Remediation". This action can be triggered by malware, ransomware, and through the API.

The pages in this section configure malware and ransomware auto-remediation. Auto-remediation is disabled by default. You need to click Enable on the Auto remediation page if you want to enable auto-remediation and configure the Triggers and Actions pages.

Note that for additional ransomware protection, the application control agent settings under Security > Endpoint security > Application control can Restrict access to physical drives and Auto detect and blacklist crypto-ransomware.

About the Endpoint Security Auto Remediation: Triggers page

Endpoint Security monitors the real-time log files created by major antivirus software products. When these products detect malware, they will write entries to their log file. However, different vendors identify malware with different names. Because of this, you need to identify how your antivirus vendor logs the malware you care about. Refer to the following vendors' links for keywords.

• Kaspersky - A Malware Classification

• Symantec - Malicious code classifications and threat types

• McAfee - Threat Library Search Results

• Trend Micro - Virus/Malware

• Sophos - Advanced Targeted Malware Security | Sophos ATP for Corporate Networks and Network Threats

You can then enter a comma-separated list of keywords on the Triggers page. When one of these keywords is detected in the antivirus log, auto-remediation is triggered and the Actions you've configured are carried out.

At this time the following antivirus products are supported:

  • Ivanti Antivirus 2017.3 (Kaspersky Endpoint Security for Windows 10.0 SP1)
  • Symantec Endpoint Protection 14
  • McAfee VirusScan Enterprise 8.8
  • Trend Micro OfficeScan Client 5.0
  • Sophos Anti-Virus 5.8

When triggered, auto remediation automatically sends

  • Triggered by malware: Select this option if you want antivirus log keywords to trigger auto-remediation.
  • Keywords (comma separated): Specify the keywords your antivirus product uses.
  • Triggered by ransomware: Select this option for ransomware to trigger auto-remediation.
  • Triggered by API: Refer to this document on the community for more information.
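Because a keyword match leads directly to the configured Actions, it helps to dry-run a keyword list against exported antivirus log lines first. The following is an added example, not code from the product: it assumes case-insensitive substring matching (the page does not document the matching rules), and the log lines and detection names are constructed.

```python
def parse_keywords(field):
    """Split the comma-separated Keywords field, dropping blanks and duplicates."""
    seen, keywords = set(), []
    for raw in field.split(","):
        kw = raw.strip()
        if kw and kw.lower() not in seen:
            seen.add(kw.lower())
            keywords.append(kw)
    return keywords

def dry_run(field, log_lines):
    """Map each keyword to the 1-based numbers of the log lines it matches."""
    hits = {kw: [] for kw in parse_keywords(field)}
    for number, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        for kw in hits:
            # ASSUMPTION: case-insensitive substring match.
            if kw.lower() in lowered:
                hits[kw].append(number)
    return hits

def triggering_lines(hits):
    """Sorted line numbers on which at least one keyword matched."""
    return sorted({n for numbers in hits.values() for n in numbers})

# Constructed sample log; not a real vendor format.
SAMPLE_LOG = [
    "2017-11-02 09:14:01 INFO  Anti-virus databases updated successfully",
    "2017-11-02 09:20:37 WARN  Detected: Trojan-Ransom.Win32.Example.a in C:\\Users\\u1\\Downloads\\invoice.exe",
    "2017-11-02 09:20:38 INFO  Object quarantined: invoice.exe",
    "2017-11-02 10:02:11 WARN  Detected: not-a-virus:AdWare.Win32.Example.b in C:\\Temp\\setup.exe",
    "2017-11-02 10:30:00 INFO  Scheduled scan finished, 0 threats",
]

BROAD = "Trojan, virus, Ransom, , Backdoor"   # short, generic keywords
NARROW = "Trojan-Ransom, Backdoor"            # vendor-style classification names

if __name__ == "__main__":
    for label, field in (("broad", BROAD), ("narrow", NARROW)):
        hits = dry_run(field, SAMPLE_LOG)
        print(label, "list triggers on lines", triggering_lines(hits))
        for kw, numbers in hits.items():
            print(f"  {kw!r}: {numbers or 'never matched'}")
```

In this sample the generic keyword `virus` matches a routine database-update line and a low-risk adware entry, either of which would start the configured Actions, while the narrower list matches only the ransomware detection.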

About the Endpoint Security Auto Remediation: Actions page

The actions on this page happen when the criteria you specified on the Triggers page are met.

  • Isolate the device from the network but allow remote management: Uses the Ivanti firewall to isolate the device from all traffic except for management traffic from the Ivanti console. Remote control, software distribution, and so on will still work.
  • Shutdown or restart: Forces a shutdown or restart. You can provide a message that the user will see while this is happening, but they won't be able to defer or interrupt the shutdown or restart.
  • Run security scan: Runs a security scan based on the Distribution and patch settings you specify.
  • Deploy a package: Deploys a package you specify. This could be a secondary remediation tool, such as a Malwarebytes product.
