Network, device, and app threats available in Local Actions

To select all the actions, select the check box next to the Name field. This is a one-time action and does not persist after the policy is saved.

Local Actions Network threats

The following Network threats are available in Mobile@Work Local Actions:

Table 17.  Available Network threat policies
Threat | Mitigation when the following events occur

ARP Scan

A reconnaissance scan using the ARP protocol. It is often an indicator of an attacker searching for devices vulnerable to a network attack such as man-in-the-middle (MITM).

Captive Portal

The device has connected to a Wi-Fi network that uses a captive portal.

Danger Zone Connected

Danger Zone Connected provides device users with information on nearby Wi-Fi networks and their potential risk. If an iOS or Android device user connects to a malicious Wi-Fi access point, the device user is notified: "This device has connected to a Wi-Fi network where malicious attacks have been observed. It is recommended to disconnect immediately and use an alternative network."

To enable Danger Zone Connected, the Enable the Danger Zone feature in zIPS check box must be selected (management console > Manage > General tab).

For Android 9.0 and newer supported versions, if the app developer does not add the ACCESS_COARSE_LOCATION permission, the following MTD console functionality is not enabled:

  • Network name and BSSID fields are not available for threat forensics information.
  • Network threats are not mitigated.

If the MTD console cannot get the BSSID from the device, the Danger Zone Connected threat does not work.

IP Scan

A reconnaissance scan using the IP protocol. It is often an indicator of an attacker searching for devices vulnerable to a network attack such as MITM.

Internal Network Access

An application on the device connected to private, internal servers. It is uncommon for public applications to connect to internal servers; such behavior is considered suspicious and should be investigated immediately for possible malware on the device and the risk of data leakage.

MITM

Man-in-the-Middle attack where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM-ARP

Man-in-the-Middle attack using ARP table poisoning where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM-Fake SSL certificate

Man-in-the-Middle attack using fake certificate where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM-ICMP Redirect

Man-in-the-Middle attack using ICMP protocol where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM-SSL Strip

Man-in-the-Middle attack using SSL stripping, which downgrades HTTPS connections to plain HTTP so that an attacker can hijack traffic and steal credentials or deliver malware to the device.

Network Handoff

A network handoff alters the device's routing on the network, potentially allowing a man-in-the-middle attack.

Rogue Access Point

A rogue access point masquerades as one of the device's preferred/known Wi-Fi networks so that the device connects to it as if it were the previously known network.

Rogue Access Point: Nearby

A rogue access point masquerades as a nearby Wi-Fi network so that the device connects to it as if it were a previously known network.

SSL/TLS Downgrade

An SSL/TLS downgrade forces apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information.

TCP Scan

A reconnaissance scan using the TCP protocol. It is often an indicator of an attacker searching for devices vulnerable to a network attack such as MITM.

UDP Scan

A reconnaissance scan using the UDP protocol. It is often an indicator of an attacker searching for devices vulnerable to a network attack such as MITM.

Unsecured WiFi Network

An unsecured Wi-Fi network is vulnerable to network attacks.
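The ARP Scan, MITM-ARP, TCP Scan and UDP Scan entries above describe what the sensor looks for but not how such events are recognized. The following is an added example (not MTD or Zimperium code) of the detection logic behind those four threats, run over a constructed packet log. The record layout, the thresholds and the sample addresses are assumptions chosen for illustration.

```python
"""Detection logic for ARP Scan, MITM-ARP and TCP/UDP Scan over a constructed packet log.

Added example, not product code. Each record is a dict with the keys
ts, proto, src_mac, src_ip, dst_ip, dst_port, arp_op (assumed layout).
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"           # assumed LAN gateway for the sample
GATEWAY_MAC = "aa:aa:aa:aa:aa:01"    # MAC seen in the first, legitimate ARP reply


def arp(ts, src_mac, src_ip, dst_ip, op):
    return {"ts": ts, "proto": "arp", "src_mac": src_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": None, "arp_op": op}


def pkt(ts, proto, src_ip, dst_ip, dst_port):
    return {"ts": ts, "proto": proto, "src_mac": None, "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": dst_port, "arp_op": None}


# Constructed sample (not a real capture): a legitimate gateway reply, an ARP sweep of
# the /24 by .50, a poisoned reply claiming the gateway IP from a second MAC, and a
# TCP port sweep from .77 against .10.
SAMPLE = (
    [arp(0.0, GATEWAY_MAC, GATEWAY_IP, "192.168.1.10", "reply")]
    + [arp(1.0 + i * 0.01, "aa:aa:aa:aa:aa:50", "192.168.1.50", f"192.168.1.{i}", "request")
       for i in range(1, 60)]
    + [arp(5.0, "de:ad:be:ef:00:01", GATEWAY_IP, "192.168.1.10", "reply")]
    + [pkt(6.0 + i * 0.01, "tcp", "192.168.1.77", "192.168.1.10", port)
       for i, port in enumerate(range(20, 60))]
)


def _max_distinct_in_window(events, window):
    """events: list of (ts, key). Largest number of distinct keys within any `window` seconds."""
    events = sorted(events)
    best, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, len({k for _, k in events[lo:hi + 1]}))
    return best


def detect_arp_scan(records, min_targets=20, window=10.0):
    """ARP Scan: one MAC sends who-has requests for many distinct IPs in a short window."""
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] == "arp" and r["arp_op"] == "request":
            per_src[r["src_mac"]].append((r["ts"], r["dst_ip"]))
    hits = []
    for mac, reqs in per_src.items():
        n = _max_distinct_in_window(reqs, window)
        if n >= min_targets:
            hits.append({"threat": "ARP Scan", "src_mac": mac, "targets": n})
    return hits


def detect_arp_poisoning(records):
    """MITM-ARP: the same IP (typically the gateway) is claimed by more than one MAC in replies."""
    claims = defaultdict(set)
    for r in records:
        if r["proto"] == "arp" and r["arp_op"] == "reply":
            claims[r["src_ip"]].add(r["src_mac"])
    return [{"threat": "MITM-ARP", "ip": ip, "macs": sorted(macs)}
            for ip, macs in claims.items() if len(macs) > 1]


def detect_port_scan(records, proto, min_ports=15, window=10.0):
    """TCP/UDP Scan: one source probes many distinct ports on one host in a short window."""
    per_pair = defaultdict(list)
    for r in records:
        if r["proto"] == proto and r["dst_port"] is not None:
            per_pair[(r["src_ip"], r["dst_ip"])].append((r["ts"], r["dst_port"]))
    hits = []
    for (src, dst), probes in per_pair.items():
        n = _max_distinct_in_window(probes, window)
        if n >= min_ports:
            hits.append({"threat": f"{proto.upper()} Scan", "src_ip": src, "dst_ip": dst, "ports": n})
    return hits


def detect_all(records):
    return (detect_arp_scan(records) + detect_arp_poisoning(records)
            + detect_port_scan(records, "tcp") + detect_port_scan(records, "udp"))


if __name__ == "__main__":
    for hit in detect_all(SAMPLE):
        print(hit)
```

The ARP poisoning check deliberately keys on "one IP, several MACs" rather than on gratuitous replies alone, because a poisoner usually answers a real request. The flip side is that a legitimate gateway replacement also trips it, so a sensor needs a way to reset the learned mapping, and the sweep thresholds must be tuned per network so that discovery traffic from printers or management tools does not generate ARP Scan alerts.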

Local Actions Device threats

The following Device threats are available in Mobile@Work Local Actions:

Table 18.  Available Device threat policies
Threat | Mitigation when the following events occur

Abnormal Process Activity

Abnormal process activity was detected. The device is being monitored for attacks.

App Tampering

Existing app libraries may have been modified, or a foreign library may have been injected into the app.

BlueBorne Vulnerability

Ivanti Mobile Threat Defense has detected this device is vulnerable to BlueBorne, an attack leveraging Bluetooth connections to penetrate and take control of targeted devices. To avoid any sort of risk from BlueBorne, it is highly recommended that the user turn off Bluetooth permanently until an update is available from the device manufacturer or wireless carrier. For those users that still require the use of Bluetooth, it is recommended that Bluetooth is turned off until it is needed and only in a trusted and secure area.

DNS Change

DNS configuration change on the mobile device. If the DNS change happened on your own network and points to an unknown DNS server, it is likely a MITM attempt.

Daemon Anomaly

Daemon Anomaly indicates abnormal system process activities which could indicate that the device has been exploited.

Developer Options

Developer Options are advanced configuration settings intended for development purposes only. When enabled, the user can change advanced settings, compromising the integrity of the device configuration.

Device Encryption

Device Encryption notifies an administrator when a device is not set up to use encryption to protect device content.

Device Pin

Device Pin notifies the administrator when a device is not set up to use a PIN code or password to control access to the device.

Device jailbreaking/rooting

Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may have not been readily apparent, or undermine the device's built-in security measures.

EOP

A malicious process that results in the elevation of privileges on the mobile device, which allows the attacker to take full control of the device.

File system changed

A file system change that is not in itself an indicator of compromise; this event is informational.

Gateway Change

Gateway configuration change on the mobile device that can be indicative of sending traffic to a non-intended destination.

Proxy Change

Proxy configuration change on the mobile device that can be indicative of sending traffic to a non-intended destination.

SELinux Disabled

Security-Enhanced Linux (SELinux) is a security feature of the operating system that helps maintain the integrity of the operating system. If SELinux has been disabled, the integrity of the operating system may be compromised and the device should be investigated immediately.

Sideloaded App(s)

Sideloaded apps are installed independently of an official app store and can present a security risk.

Stagefright Vulnerability

Stagefright vulnerability indicates the device is on an OS patch version susceptible to compromise.

System Tampering

System Tampering is a process of removing security limitations put in by the device manufacturer and indicates that the device is fully compromised and can no longer be trusted.

USB Debugging Mode

USB Debugging is an advanced configuration option intended for development purposes only. By enabling USB Debugging, the user device can accept commands from a computer when plugged into a USB connection.

Unknown sources download config change

The user has allowed installation of apps from sources other than the Google Play store.

Vulnerable Android Version

MTD has detected that the Android version installed on the device is not up to date. The outdated operating system exposes the device to known vulnerabilities and to exploitation by malicious actors. It is advised to update the device's operating system immediately.

Vulnerable iOS Version

MTD has detected that the iOS version installed on the device is not up to date. The outdated operating system exposes the device to known vulnerabilities and to exploitation by malicious actors. It is advised to update the device's operating system immediately.

Vulnerable, non-upgradeable Android Version

MTD detected a device running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time.

Vulnerable, non-upgradeable iOS Version

Ivanti Mobile Threat Defense detected a device running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time.
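Several of the device threats above (Developer Options, USB Debugging Mode, Unknown sources, SELinux Disabled, Device Encryption) are plain configuration checks, and three more (DNS Change, Gateway Change, Proxy Change) only become meaningful when compared against what the device's current network should look like. The block below is an added example, not MTD code, of both kinds of check. The adb command output and the per-BSSID baseline are constructed values; the command names are the real Android `settings`/`getprop`/`getenforce` commands, but the layout of the `adb` dict and the `snapshot` dict is an assumption of this example.

```python
"""Device posture and network-config drift checks over constructed inputs.

Added example, not product code. `adb` maps each adb shell command (assumed to have
been run already) to its raw output; `snapshot` is the device's live network config.
"""

# Constructed adb output (not from a real device): developer options on, USB debugging on,
# SELinux permissive, storage encrypted, Android 9.
SAMPLE_ADB = {
    "settings get global development_settings_enabled": "1",
    "settings get global adb_enabled": "1",
    "settings get secure install_non_market_apps": "null",
    "getenforce": "Permissive",
    "getprop ro.crypto.state": "encrypted",
    "getprop ro.build.version.release": "9",
}

# Constructed per-network baseline keyed by BSSID. The console needs the BSSID (see the
# Danger Zone note above); without it there is nothing to compare a DNS change against.
BASELINE = {
    "aa:bb:cc:dd:ee:01": {"gateway": "10.0.0.1", "dns": {"10.0.0.53"}, "proxy": None},
}

# Constructed live snapshot: same network, an extra unknown resolver and a proxy appeared.
SAMPLE_SNAPSHOT = {
    "bssid": "aa:bb:cc:dd:ee:01",
    "gateway": "10.0.0.1",
    "dns": ["10.0.0.53", "198.51.100.9"],
    "proxy": "10.0.0.99:8080",
}


def _flag(value):
    # `settings get` prints "null" for a key that was never written; that is the default (off).
    return value.strip() == "1"


def _major_version(release):
    head = release.strip().split(".")[0]
    return int(head) if head.isdigit() else 0


def check_android_posture(adb):
    """Return the threat names (as used in the table above) that the settings trigger."""
    findings = []
    if _flag(adb.get("settings get global development_settings_enabled", "null")):
        findings.append("Developer Options")
    if _flag(adb.get("settings get global adb_enabled", "null")):
        findings.append("USB Debugging Mode")
    # Android 8+ replaced the global install_non_market_apps switch with a per-app
    # REQUEST_INSTALL_PACKAGES permission, so the global key is only trusted on older releases.
    if _major_version(adb.get("getprop ro.build.version.release", "0")) < 8 and \
            _flag(adb.get("settings get secure install_non_market_apps", "null")):
        findings.append("Unknown sources download config change")
    # Anything other than Enforcing (Permissive or Disabled) means SELinux is not protecting the system.
    if adb.get("getenforce", "").strip() != "Enforcing":
        findings.append("SELinux Disabled")
    if adb.get("getprop ro.crypto.state", "").strip() != "encrypted":
        findings.append("Device Encryption")
    return findings


def check_network_config(baseline, snapshot):
    """DNS/Gateway/Proxy Change: compare the live config against the baseline for this BSSID."""
    bssid = snapshot.get("bssid")
    if not bssid or bssid not in baseline:
        return []  # unknown or unidentifiable network: no baseline, so no drift can be claimed
    expected = baseline[bssid]
    findings = []
    if snapshot.get("gateway") != expected["gateway"]:
        findings.append("Gateway Change")
    if not set(snapshot.get("dns", [])) <= expected["dns"]:
        findings.append("DNS Change")
    if snapshot.get("proxy") != expected["proxy"]:
        findings.append("Proxy Change")
    return findings


if __name__ == "__main__":
    print(check_android_posture(SAMPLE_ADB))
    print(check_network_config(BASELINE, SAMPLE_SNAPSHOT))
```

The network check returns nothing for a BSSID it has no baseline for, which is the same limitation the table states for Danger Zone Connected: without the BSSID (and the location permission that gates it on Android 9+) a DNS or gateway change on an unfamiliar network cannot be distinguished from simply joining a different network.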

Local Actions App threats

The following App threats are available in Mobile@Work Local Actions:

Table 19.  Available App threat policies
Threat | Mitigation when the following events occur

Suspicious Android App

A known risky app that attempts to take control of the user device in some manner (for example, privilege elevation or spyware).

Suspicious Profile

A suspicious profile is a new profile introduced to the environment and is not explicitly trusted or untrusted. It is recommended that the Administrator review the Profile and mark the profile as trusted or untrusted.

Suspicious iOS App

A known risky app that attempts to take control of the device in some manner (for example, privilege elevation or spyware).

Untrusted Profile

An untrusted profile is a new profile installed on one or more devices that is deemed unsafe to have installed on user devices. An untrusted profile installed on devices could be used to control devices remotely, monitor and manipulate user activities, and/or hijack a user's traffic.