Local Actions against network, device, and app threats
The following network, device, and app threats and compliance actions are available on MTD-enabled client devices.
Available compliance actions by device type
Regardless of the threat type, each iOS, Android, or Samsung Knox Android device offers a different limited set of available compliance behaviors. The following tables describe these available compliance behaviors.
| Local Compliance Action | Definition |
|
None |
No action will be taken on the device. |
|
Block Email Access and AppConnect Apps |
|
|
Network Sinkhole |
Isolates the device from the network. Ivanti recommends selecting the Network Sinkhole action ONLY for network-related threats. Use of Network Sinkhole action for device and application threats can result in disabling network connectivity to the device without the ability to restore network connectivity. |
| Local Compliance Action | Definition |
|
None |
No action will be taken on the device. |
|
Wipe the device |
Retires the device. |
|
Quarantine - Remove all configurations |
Removes configurations that provide access to corporate resources, such as certificates. Configurations that secure the device are not removed. |
|
Quarantine - Do not remove Wi-Fi settings for Wi-Fi only devices |
Removes configurations that provide access to corporate resources, such as certificates, with the exception of the Wi-Fi settings on Wi-Fi only devices. Configurations that secure the device are not removed. |
|
Quarantine - Do not remove Wi-Fi settings for all devices |
Removes configurations that provide access to corporate resources, such as certificates, with the exception of Wi-Fi settings on all devices. Configurations that secure the device are not removed. |
|
Quarantine - Remove managed apps and block new downloads |
Removes access to the company App Catalog and/or work apps. |
|
Disable Bluetooth |
Disables Bluetooth to the company App Catalog and/or work apps. |
|
Disconnect from Wi-Fi |
Disables Wi-Fi to the company App Catalog and/or work apps. |
| Knox local action | Description |
|---|---|
|
Block app |
Blocks the risky app from future installation and also uninstall the app. This action can be reverted once the device is back in compliance. |
|
Uninstall app |
Uninstalls the risky app from the device. This action cannot be reverted once the device is back in compliance. |
|
Disable app |
The app is no longer visible in the app tray but it is not uninstalled. If a disabled app is re-installed, it will be re-enabled. This action can be reverted once the device is back in compliance. |
|
Isolate app from network |
The risky app cannot access anything on the network. This action can be reverted once the device is back in compliance. |
Locally-initiated threats by threat type
The following sections describe the available threats for each supported threat type:
Local network threat actions
The following network threats can be monitored and actions taken to mitigate them in Ivanti Go Local Actions:
| Threat | Mitigation trigger |
|
ARP Scan |
A reconnaissance scan using the ARP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as man-in-the-middle (MITM). |
|
Captive Portal |
Detected that the device connected to a captive portal network. |
|
Danger Zone Connected |
Danger Zone Connected provides device users with information on nearby Wi-Fi networks and their potential risk. If an iOS or Android device user does connect to a malicious Wi-Fi access point, the device user will be notified: "This device has connected to a Wi-Fi network where malicious attacks have been observed. It is recommended to disconnect immediately and use an alternative network." Procedure To enable Danger Zone Connected:
|
|
IP Scan |
A reconnaissance scan using the IP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as MITM. |
|
Internal Network Access |
Detected application connecting to private, internal servers. It is uncommon for public applications to connect to internal servers. Public applications connecting to internal servers is considered suspicious behavior and should be investigated immediately for the possible threat of malware installed on the device and the risk of data leakage. |
|
MITM |
Man-in-the-Middle attack where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
|
MITM-ARP |
Man-in-the-Middle attack using ARP table poisoning where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
|
MITM-Fake SSL certificate |
Man-in-the-Middle attack using fake certificate where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
|
MITM-ICMP Redirect |
Man-in-the-Middle attack using ICMP protocol where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
|
MITM-SSL Strip |
Man-in-the-Middle attack using SSL stripping that allows a hacker to change HTTPS traffic to HTTP so they can hijack traffic and steal credentials or deliver malware to the device. |
|
Network Handoff |
Network handoff allows a device to alter routing on a network, potentially allowing for a man-in-the-middle attack. |
|
Rogue Access Point |
Rogue Access Point exploits a device vulnerability to connect to a previously known Wi-Fi network by masking preferred/known networks. |
|
Rogue Access Point: Nearby |
Rogue Access Point exploits a device vulnerability to connect to a previously known Wi-fi network by masking a nearby network. |
|
SSL/TLS Downgrade |
SSL/TLS Downgrade force apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information. |
|
TCP Scan |
A reconnaissance scan using the TCP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as MITM. |
|
UDP Scan |
A reconnaissance scan using the UDP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as MITM. |
|
Unsecured WiFi Network |
A unsecured Wi-Fi network is vulnerable for a network attack. |
Local device threat actions
The following device threats can be monitored and actions taken to mitigate them in Ivanti Go Local Actions:
| Threat | Mitigation when the following events occur |
|
Abnormal Process Activity |
Detected abnormal activity. User device is being monitored for any attacks. |
|
App Tampering |
Existing app libraries may have been modified, or a foreign library may have been injected into the app. |
|
BlueBorne Vulnerability |
Ivanti Mobile Threat Defense has detected this device is vulnerable to BlueBorne, an attack leveraging Bluetooth connections to penetrate and take control of targeted devices. To avoid any sort of risk from BlueBorne, it is highly recommended that the user turn off Bluetooth permanently until an update is available from the device manufacturer or wireless carrier. For those users that still require the use of Bluetooth, it is recommended that Bluetooth is turned off until it is needed and only in a trusted and secure area. |
|
DNS Change |
DNS Configuration change on the mobile device. If the DNS change happened in your own network to an unknown DNS server - it is likely to a MITM attempt. |
|
Daemon Anomaly |
Daemon Anomaly indicates abnormal system process activities which could indicate that the device has been exploited. |
|
Developer Options |
Developer Options is an advanced configuration options intended for development purposes only. When enabled, the user has the option to change advanced settings, compromising the integrity of the device settings. |
|
Device Encryption |
Device Encryption notifies an administrator when a device is not setup to use encryption to protect device content. |
|
Device Pin |
Device Pin notifies the administrator when a device is not setup to use a PIN code or password to control access to the device. |
|
Device jailbreaking/rooting |
Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may have not been readily apparent, or undermine the device's built-in security measures. |
|
EOP |
A malicious process that results in the elevation of privileges on the mobile device, which allows the attacker to take full control of the device. |
|
File system changed |
A normal file system change. |
|
Gateway Change |
Gateway configuration change on the mobile device that can be indicative of sending traffic to a non-intended destination. |
|
Proxy Change |
Proxy configuration change on the mobile device that can be indicative of sending traffic to a non-intended destination. |
|
SELinux Disabled |
Security-enhanced Linux (SELinux) is a security feature in the operating feature in the operating system that helps maintain the integrity of operating system. If SELinux has been disabled, the integrity of the operating system may be compromised and should be investigated immediately. |
|
Sideloaded App(s) |
Sideloaded apps are installed independently of an official app store and can present a security risk. |
|
Stagefright Vulnerability |
Stagefright vulnerability indicates the device is on an OS patch version susceptible to compromise. |
|
Suspicious Profile |
Suspicious profiles identifies profiles that are untrusted or not explicitly trusted. Ivanti recommends that you review the profile and mark it as trusted or untrusted. |
|
System Tampering |
System Tampering is a process of removing security limitations put in by the device manufacturer and indicates that the device is fully compromised and can no longer be trusted. |
|
USB Debugging Mode |
USB Debugging is an advanced configuration option intended for development purposes only. By enabling USB Debugging, the user device can accept commands from a computer when plugged into a USB connection. |
|
Unknown sources download config change |
Allows user to download an app not in Google Play store. |
|
Untrusted Profile |
An untrusted profile is considered unsafe to install on your devices. An untrusted profile could be used to control devices remotely, monitor and manipulate user activities, and /or hijack traffic. |
|
Vulnerable Android Version |
Ivanti Mobile Threat Defense has detected that the Android version installed on your device is not up-to-date. The outdated operaing system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the device's operating system immediately. |
|
Vulnerable iOS Version |
Ivanti Mobile Threat Defense has detected that the iOS version installed on your device is not up-to-date. The outdated operaing system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the device's operating system immediately. |
|
Vulnerable, non-upgradeable Android Version |
Ivanti Mobile Threat Defense detected a device running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time. |
|
Vulnerable, non-upgradeable iOS Version |
Ivanti Mobile Threat Defense detected a device running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time. |
Local app threat actions
The following app threats can be monitored and actions taken to mitigate them in Ivanti Go Local Actions:
| Threat | Mitigation when the following events occur |
|
Out of Compliance App |
An app that is considered to be out of compliance with your corporate policy. When apps designated as "out of compliance" are detected on an MTD-enabled client device, the device user sees a threat warning and a request to remove the app from the device. |
|
Suspicious Android App |
A known risky app that attempts to take control of the user device in some manner (e.g. elevate privileges, spyware, etc.) |
|
Suspicious iOS App |
A known and risky app that attempts to take control of the device in some manner (e.g. elevate privileges, spyware, etc.) |