Local Actions against network, device, and app threats

The following network, device, and app threats and compliance actions are available on MTD-enabled client devices.

Available compliance actions by device type

Regardless of the threat type, each iOS, Android, or Samsung Knox Android device offers a different limited set of available compliance behaviors. The following tables describe these available compliance behaviors.

Table 2.  Compliance actions available on iOS devices
Local Compliance Action Definition

None

No action will be taken on the device.

Block Email Access and AppConnect Apps

  • Disables email access.
  • Disables AppConnect-enabled applications and blocks the transfer of AppConnect data between Client and Ivanti Neurons for MDM.

Network Sinkhole

Isolates the device from the network.

Ivanti recommends selecting the Network Sinkhole action ONLY for network-related threats. Use of Network Sinkhole action for device and application threats can result in disabling network connectivity to the device without the ability to restore network connectivity.

Table 3.  Compliance actions available on Android Devices
Local Compliance Action Definition

None

No action will be taken on the device.

Wipe the device

Retires the device.

Quarantine - Remove all configurations

Removes configurations that provide access to corporate resources, such as certificates. Configurations that secure the device are not removed.

Quarantine - Do not remove Wi-Fi settings for Wi-Fi only devices

Removes configurations that provide access to corporate resources, such as certificates, with the exception of the Wi-Fi settings on Wi-Fi only devices. Configurations that secure the device are not removed.

Quarantine - Do not remove Wi-Fi settings for all devices

Removes configurations that provide access to corporate resources, such as certificates, with the exception of Wi-Fi settings on all devices. Configurations that secure the device are not removed.

Quarantine - Remove managed apps and block new downloads

Removes access to the company App Catalog and/or work apps.

Disable Bluetooth

Disables Bluetooth to the company App Catalog and/or work apps.

Disconnect from Wi-Fi

Disables Wi-Fi to the company App Catalog and/or work apps.

Table 4.  Compliance actions available on Android Knox devices
Knox local action Description

Block app

Blocks the risky app from future installation and also uninstall the app. This action can be reverted once the device is back in compliance.

Uninstall app

Uninstalls the risky app from the device. This action cannot be reverted once the device is back in compliance.

Disable app

The app is no longer visible in the app tray but it is not uninstalled. If a disabled app is re-installed, it will be re-enabled. This action can be reverted once the device is back in compliance.

Isolate app from network

The risky app cannot access anything on the network. This action can be reverted once the device is back in compliance.

Locally-initiated threats by threat type

The following sections describe the available threats for each supported threat type:

Local network threat actions

The following network threats can be monitored and actions taken to mitigate them in Go Local Actions:

Table 5.  Available local network threats
Threat Mitigation trigger

ARP Scan

A reconnaissance scan using the ARP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as man-in-the-middle (MITM).

Captive Portal

Detected that the device connected to a captive portal network.

Danger Zone Connected

Danger Zone Connected provides device users with information on nearby Wi-Fi networks and their potential risk. If an iOS or Android device user does connect to a malicious Wi-Fi access point, the device user will be notified: "This device has connected to a Wi-Fi network where malicious attacks have been observed. It is recommended to disconnect immediately and use an alternative network."

Procedure

To enable Danger Zone Connected:

  1. Log into the MTD console, and navigate to the Manage > General page.

  2. Click Enable the Danger Zone feature in zIPS.

    For Android release 9.0 and higher supported releases, if the app developer does not add the Access_Coarse_Location permission, then the following MTD console functionality is not enabled:

    • Network name and BSSID fields are not available for threat forensics information.
    • Network threats are not mitigated.

    If MTD console cannot get the BSSID from the device, then the Danger Zone Connection threat will not work.

IP Scan

A reconnaissance scan using the IP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as MITM.

Internal Network Access

Detected application connecting to private, internal servers. It is uncommon for public applications to connect to internal servers. Public applications connecting to internal servers is considered suspicious behavior and should be investigated immediately for the possible threat of malware installed on the device and the risk of data leakage.

MITM

Man-in-the-Middle attack where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM-ARP

Man-in-the-Middle attack using ARP table poisoning where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM-Fake SSL certificate

Man-in-the-Middle attack using fake certificate where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM-ICMP Redirect

Man-in-the-Middle attack using ICMP protocol where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM-SSL Strip

Man-in-the-Middle attack using SSL stripping that allows a hacker to change HTTPS traffic to HTTP so they can hijack traffic and steal credentials or deliver malware to the device.

Network Handoff

Network handoff allows a device to alter routing on a network, potentially allowing for a man-in-the-middle attack.

Rogue Access Point

Rogue Access Point exploits a device vulnerability to connect to a previously known Wi-Fi network by masking preferred/known networks.

Rogue Access Point: Nearby

Rogue Access Point exploits a device vulnerability to connect to a previously known Wi-fi network by masking a nearby network.

SSL/TLS Downgrade

SSL/TLS Downgrade force apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information.

TCP Scan

A reconnaissance scan using the TCP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as MITM.

UDP Scan

A reconnaissance scan using the UDP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as MITM.

Unsecured WiFi Network

A unsecured Wi-Fi network is vulnerable for a network attack.

Local device threat actions

The following device threats can be monitored and actions taken to mitigate them in Go Local Actions:

Table 6.  Available local device threats
Threat Mitigation when the following events occur

Abnormal Process Activity

Detected abnormal activity. User device is being monitored for any attacks.

App Tampering

Existing app libraries may have been modified, or a foreign library may have been injected into the app.

BlueBorne Vulnerability

Ivanti Mobile Threat Defense has detected this device is vulnerable to BlueBorne, an attack leveraging Bluetooth connections to penetrate and take control of targeted devices. To avoid any sort of risk from BlueBorne, it is highly recommended that the user turn off Bluetooth permanently until an update is available from the device manufacturer or wireless carrier. For those users that still require the use of Bluetooth, it is recommended that Bluetooth is turned off until it is needed and only in a trusted and secure area.

DNS Change

DNS Configuration change on the mobile device. If the DNS change happened in your own network to an unknown DNS server - it is likely to a MITM attempt.

Daemon Anomaly

Daemon Anomaly indicates abnormal system process activities which could indicate that the device has been exploited.

Developer Options

Developer Options is an advanced configuration options intended for development purposes only. When enabled, the user has the option to change advanced settings, compromising the integrity of the device settings.

Device Encryption

Device Encryption notifies an administrator when a device is not setup to use encryption to protect device content.

Device Pin

Device Pin notifies the administrator when a device is not setup to use a PIN code or password to control access to the device.

Device jailbreaking/rooting

Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may have not been readily apparent, or undermine the device's built-in security measures.

EOP

A malicious process that results in the elevation of privileges on the mobile device, which allows the attacker to take full control of the device.

File system changed

A normal file system change.

Gateway Change

Gateway configuration change on the mobile device that can be indicative of sending traffic to a non-intended destination.

Proxy Change

Proxy configuration change on the mobile device that can be indicative of sending traffic to a non-intended destination.

SELinux Disabled

Security-enhanced Linux (SELinux) is a security feature in the operating feature in the operating system that helps maintain the integrity of operating system. If SELinux has been disabled, the integrity of the operating system may be compromised and should be investigated immediately.

Sideloaded App(s)

Sideloaded apps are installed independently of an official app store and can present a security risk.

Stagefright Vulnerability

Stagefright vulnerability indicates the device is on an OS patch version susceptible to compromise.

Suspicious Profile

Suspicious profiles identifies profiles that are untrusted or not explicitly trusted. Ivanti recommends that you review the profile and mark it as trusted or untrusted.

System Tampering

System Tampering is a process of removing security limitations put in by the device manufacturer and indicates that the device is fully compromised and can no longer be trusted.

USB Debugging Mode

USB Debugging is an advanced configuration option intended for development purposes only. By enabling USB Debugging, the user device can accept commands from a computer when plugged into a USB connection.

Unknown sources download config change

Allows user to download an app not in Google Play store.

Untrusted Profile

An untrusted profile is considered unsafe to install on your devices. An untrusted profile could be used to control devices remotely, monitor and manipulate user activities, and /or hijack traffic.

Vulnerable Android Version

Ivanti Mobile Threat Defense has detected that the Android version installed on your device is not up-to-date. The outdated operaing system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the device's operating system immediately.

Vulnerable iOS Version

Ivanti Mobile Threat Defense has detected that the iOS version installed on your device is not up-to-date. The outdated operaing system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the device's operating system immediately.

Vulnerable, non-upgradeable Android Version

Ivanti Mobile Threat Defense detected a device running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time.

Vulnerable, non-upgradeable iOS Version

Ivanti Mobile Threat Defense detected a device running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time.

Local app threat actions

The following app threats can be monitored and actions taken to mitigate them in Go Local Actions:

Table 7.  Available App threat policies
Threat Mitigation when the following events occur

Out of Compliance App

An app that is considered to be out of compliance with your corporate policy. When apps designated as "out of compliance" are detected on an MTD-enabled client device, the device user sees a threat warning and a request to remove the app from the device.

Suspicious Android App

A known risky app that attempts to take control of the user device in some manner (e.g. elevate privileges, spyware, etc.)

Suspicious iOS App

A known and risky app that attempts to take control of the device in some manner (e.g. elevate privileges, spyware, etc.)