Agent settings: Ivanti Antivirus 2017
Ivanti Endpoint Security for Endpoint Manager 2017.3 SU2 introduces a new antivirus option that you can use on managed Windows and Apple Mac devices. It's not installed by default, so visit this page on the Ivanti community for installation and deployment instructions.
Ivanti Antivirus 2017 features are accessed from the Agent Settings tool window (Tools > Security and Compliance > Agent Settings). Then in the Agent settings window under the Security folder, right-click Ivanti Antivirus 2017 or Ivanti Antivirus 2017 - Mac and click New....
This topic describes the Ivanti Antivirus 2017 agent settings dialog box and other dialog boxes related to Ivanti Antivirus 2017.
Use these options to configure what antivirus protections are active and what antivirus elements users see on their devices.
Maintenance password: Password that will have to be entered on managed devices before any local changes to the antivirus software are allowed.
Notifications: These options determine what users see on their managed devices.
- Show icon in notification area
- Display alert popups
- Display notification popups
Use this page to configure the real-time protection scanning options. This page was added in the Endpoint Manager 2019.1 SU2 release.
File location
- Scan all local files: Enabled by default. Scans files on local storage.
- Scan all network files: Enabled by default. Scans files accessed over the network.
- Maximum size (MB): Disabled by default. Limits scans to files that are smaller than the specified number of megabytes.
Scan
- Boot sectors: Enabled by default. Scans the device's boot sector for viruses.
- For keyloggers: Enabled by default. Scans for keylogging software.
- For potentially unwanted applications (PUA): Enabled by default. Scans for unwanted software that may be part of another application you installed, such as adware or ad-supported software. These types of software can display unwanted popups or toolbars and slow down system performance.
Archives
- Archive maximum size (MB): Disabled by default. Archives over this size won't be scanned. When enabled, you can also specify Archive maximum depth (levels): if an archive contains other archives, this controls how many levels deep to scan. The maximum is 16 levels. Fewer levels increase performance.
- Deferred scanning: Delays scans until file operations are done. This can help reduce performance hits when doing things like copying large files.
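To make the interaction of the archive size and depth limits concrete, here is an added Python example (not Ivanti's code): a recursive archive walker that applies a size cap and a depth cap the way the two settings above describe. The limit values, the nested test archives and the "signature" marker are all constructed for this example.

```python
import io
import zipfile

# Constructed limits mirroring the Archives page (the product allows up to 16 levels).
ARCHIVE_MAX_SIZE_MB = 1
ARCHIVE_MAX_DEPTH = 2
MARKER = b"TEST-PATTERN"  # constructed stand-in for a signature match


def build_nested_zip(levels: int, payload: bytes = MARKER) -> bytes:
    """Constructed input: an archive nested `levels` deep with the payload at the bottom."""
    data, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


def scan_archive(blob: bytes, depth: int = 1, path: str = "outer.zip") -> dict:
    """Scan archive members recursively, honoring the size and depth limits.

    depth 1 is the outer archive. Returns the members scanned, the archives
    skipped (with the reason) and the members that matched MARKER, so the
    effect of each limit is visible."""
    result = {"scanned": [], "skipped": [], "detected": []}
    if len(blob) > ARCHIVE_MAX_SIZE_MB * 1024 * 1024:
        result["skipped"].append(f"{path} (over size limit)")
        return result
    if depth > ARCHIVE_MAX_DEPTH:
        result["skipped"].append(f"{path} (over depth limit)")
        return result
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                sub = scan_archive(data, depth + 1, member)
                for key in result:
                    result[key].extend(sub[key])
            else:
                result["scanned"].append(member)
                if MARKER in data:
                    result["detected"].append(member)
    return result


if __name__ == "__main__":
    print(scan_archive(build_nested_zip(2)))  # payload two levels down: detected
    print(scan_archive(build_nested_zip(3)))  # third level exceeds the depth cap: skipped
```

Raising the depth cap makes the third-level archive visible again; a member that hides behind a skipped archive or an over-size archive is never inspected, which is the performance-versus-coverage trade-off the two settings express.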
Scan actions
There are two types of detected files, suspected and infected. If the antivirus heuristic analysis finds that the file has suspicious characteristics but the file doesn't match a virus signature, it is considered suspected. Since there's no virus match, suspected files can't be disinfected.
If a scan finds an infected or suspected file, these actions can be taken:
- Deny: Access to the file will be denied
- Disinfect: Antivirus will try to repair the infected file. This is the default action for infected files. This option isn't available for suspected files.
- Delete: Antivirus will delete the infected file without warning. In most cases, it may be better to Move to quarantine instead, so you can evaluate the file yourself before deciding if it should be deleted.
- Move to quarantine: Antivirus will move the infected file to the local quarantine folder, where it can't be executed or opened. Manage files in quarantine from Security and Compliance > Security Activity > Quarantined infections (by computer or virus).
The Default action for infected files is Disinfect, and the default Alternative action is Move to quarantine.
The Default action for suspected files is Deny, and the default Alternative action is Move to quarantine.
- File scan (Real-time protection): Enables file scanning so that files on managed devices are periodically scanned for viruses and malware. The default is enabled.
- Application behavior monitoring (Windows only): Enables real-time behavioral scanning, which monitors application behavior for suspicious activity. The default is enabled.
- Allow user to scan CD/DVD/USB media (Windows only): Allows users to scan these media types. The default is enabled.
- Exclusions: You can exclude files, folders, and file extensions from real-time scans and on-demand virus scans. Select the tab for the scan type you want to modify, and click Add, Edit, or Delete, depending on the action you want. Click Insert variable if you want to use a system path variable in the object's path.
Traffic scan: These options control the monitored network protocols.
- Enable Web (HTTP) scanning: Enables unencrypted HTTP traffic scans. If you want to scan both HTTP and HTTPS traffic, also enable the Scan SSL option on the Network scan page.
- Enable SMTP scanning: Enables anti-malware protection for SMTP mail protocol traffic.
- Enable POP3 scanning: Enables anti-malware protection for POP3 mail protocol traffic.
- HTTP traffic scan exclusions: You can exclude remote IP addresses, URLs and applications from HTTP traffic scans. Click Add, select the item type you want to exclude, and specify the item's details.
Network scan: These options control encrypted traffic scanning and browser behavior.
- Scan SSL: Controls encrypted SSL traffic scanning. Select this to enable it.
- Show browser toolbar: Shows a small antivirus browser tool at the top of every page. Clicking it shows a toolbar indicating the page safety rating. The toolbar supports recent versions of Internet Explorer, Edge, Firefox, Chrome, Safari, and Opera.
- Browser search advisor: Places a safety rating icon next to search engine results, helping users avoid suspicious pages. Most search engines encrypt traffic with SSL, so you'll need to enable the Scan SSL option for the search advisor to work correctly. The search advisor filters results from Google, Bing, and Yahoo. It also filters links from Facebook and Twitter.
The Full scan and Critical areas scan pages have the same options. One affects full antivirus scans and the other affects critical area antivirus scans. Available actions on detected items are:
- Ignore: Antivirus takes no action on the file, but an entry will appear in the scan log.
- Disinfect: Antivirus will try to repair the infected file. This is the default action for infected files.
- Delete: Antivirus will delete the infected file without warning. In most cases, it may be better to Move to quarantine instead, so you can evaluate the file yourself before deciding if it should be deleted.
- Move to quarantine: Antivirus will move the infected file to the local quarantine folder, where it can't be executed or opened. Manage files in quarantine from Security and Compliance > Security Activity > Quarantined infections (by computer or virus).
Available options:
- Action to take for infected files: Action to be taken for an infected file.
- Action to take for suspicious files: Action to be taken for a suspicious file.
- Action to take for rootkits: Action to be taken for rootkits.
- Enable smart scanning (faster file scan): Stores file scan data and file checksums in a local database. If a file isn't in the database or if its checksum changes, the file will be scanned. This option speeds up scans since only new or changed files are scanned.
- Lower the priority of scanning threads: Lowers the scanner thread priority so that it is less likely to affect other tasks. This may make scans take longer.
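The smart scanning option above describes a checksum database that lets the scanner skip files it has already seen. The following added Python example (not Ivanti's code) implements that logic: files are scanned only when their path is missing from the cache or their checksum differs. The file contents are constructed, and the cache invalidation on a signature-database update is an assumption added here to show why a checksum cache alone would miss unchanged files that newer signatures could catch; the page does not describe how the product handles that.

```python
import hashlib

# Constructed file contents standing in for files on a managed device.
FILES = {
    "C:/app/a.dll": b"unchanged library",
    "C:/app/b.exe": b"original binary",
    "C:/app/new.exe": b"just dropped",
}

SIG_VERSION_KEY = "_sig_version"  # hypothetical cache entry, not a product detail


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def smart_scan(files: dict, cache: dict, sig_version: str, scan_fn) -> list:
    """Scan only files that are new or whose checksum changed since the last scan.

    `cache` maps path -> checksum of the content last scanned and is updated in
    place. Assumption (not from the page): when the signature database version
    changes, the cache is cleared so every file is re-examined once."""
    if cache.get(SIG_VERSION_KEY) != sig_version:
        cache.clear()
        cache[SIG_VERSION_KEY] = sig_version
    scanned = []
    for path, data in files.items():
        digest = checksum(data)
        if cache.get(path) == digest:
            continue                  # known content: skip, this is the speed-up
        scan_fn(path, data)           # full scan happens only here
        cache[path] = digest
        scanned.append(path)
    return scanned


if __name__ == "__main__":
    cache = {}
    log = lambda path, data: print("scanning", path)
    smart_scan(FILES, cache, "sig-1", log)   # first pass: every file is scanned
    smart_scan(FILES, cache, "sig-1", log)   # second pass: nothing is scanned
    changed = dict(FILES, **{"C:/app/b.exe": b"patched binary"})
    smart_scan(changed, cache, "sig-1", log)  # only the changed file is rescanned
```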
User rights:
- Allow user to pause a scan: Users can pause antivirus scans.
- Allow user to postpone a scan: Users can postpone scans.
- Allow stop a scan: Users can stop an active scan.
Use this page to configure where managed devices will download antivirus updates from. By default, two locations are included: directly from the antivirus vendor (av-update.ivanti.com) and your core server. The vendor server will always have the latest updates. The core server updates its antivirus pattern files at the interval you specify, as described in the next section. The default is 24 hours.
Managed devices will contact servers in the order they appear in the list. If the first server fails, the device will proceed to the next server in the list, and so on. When a device downloads pattern files from the core server, it will always go directly to the core server.
Use the Up and Down buttons to change the preferred order. The Default URL and Core URL buttons insert the default values for those items. If you want scan engine updates along with signature updates, select Update product in addition to the signatures. This is enabled by default.
In the Patch and Compliance tool's Download updates dialog box (accessed by clicking the Download updates toolbar button), there are two pages to be aware of: The Ivanti Antivirus 2017 page and the Proxy settings page.
The Ivanti Antivirus 2017 page has a single option, Update frequency. This controls how often antivirus pattern file updates are downloaded from the cloud repository to the core for the new antivirus. The configurable range is 1-240 hours and the default is 24 hours.
Ivanti Antivirus 2017 updates use the proxy configuration you've specified on the Proxy settings page. When a proxy is set, the update process that runs on the core will use the proxy settings when connecting to the antivirus cloud server to download the updated pattern files.