Network, device, and app threats available in Local Actions
To select all the actions, select the check box next to the Name field. This is a one-time action and does not persist after the policy is saved.
Local Actions Network threats
The following Network threats are available in Go Local Actions:
Threat | Mitigation when the following events occur
--- | ---
ARP Scan | A reconnaissance scan using the ARP protocol that is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as man-in-the-middle (MITM).
Captive Portal | Detected that the device connected to a captive portal network.
Danger Zone Connected | Danger Zone Connected provides device users with information on nearby Wi-Fi networks and their potential risk. If an iOS or Android device user does connect to a malicious Wi-Fi access point, the device user will be notified: "This device has connected to a Wi-Fi network where malicious attacks have been observed. It is recommended to disconnect immediately and use an alternative network." Procedure: To enable Danger Zone Connected:
IP Scan | A reconnaissance scan using the IP protocol that is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM.
Internal Network Access | Detected an application connecting to private, internal servers. It is uncommon for public applications to connect to internal servers. A public application connecting to internal servers is considered suspicious behavior and should be investigated immediately for the possible threat of malware installed on the device and the risk of data leakage.
MITM | Man-in-the-Middle attack where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.
MITM-ARP | Man-in-the-Middle attack using ARP table poisoning where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.
MITM-Fake SSL certificate | Man-in-the-Middle attack using a fake certificate where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.
MITM-ICMP Redirect | Man-in-the-Middle attack using the ICMP protocol where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.
MITM-SSL Strip | Man-in-the-Middle attack using SSL stripping, which allows an attacker to change HTTPS traffic to HTTP so they can hijack traffic and steal credentials or deliver malware to the device.
Network Handoff | Network handoff allows a device to alter routing on a network, potentially allowing for a man-in-the-middle attack.
Rogue Access Point | A rogue access point exploits a device vulnerability to connect to a previously known Wi-Fi network by masquerading as a preferred/known network.
Rogue Access Point: Nearby | A rogue access point exploits a device vulnerability to connect to a previously known Wi-Fi network by masquerading as a nearby network.
SSL/TLS Downgrade | An SSL/TLS downgrade forces apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information.
TCP Scan | A reconnaissance scan using the TCP protocol that is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM.
UDP Scan | A reconnaissance scan using the UDP protocol that is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM.
Unsecured WiFi Network | An unsecured Wi-Fi network is vulnerable to a network attack.
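The MITM-ARP row above describes ARP table poisoning, and the ARP Scan row describes the reconnaissance that usually precedes it. The following is an added example (not Ivanti code, and not how the Go client itself detects the threat) of the two host-side indicators a defender can check from a neighbour-table snapshot: the gateway's MAC address changing between snapshots, and one MAC address answering for several IP addresses. The input format mirrors Linux `ip neigh` output; the addresses and MACs are constructed sample values.

```python
"""Detect ARP-poisoning indicators from two neighbour-table snapshots.

Added example, not part of the Ivanti product. Input lines follow the
Linux `ip neigh` format; every address below is a constructed sample.
"""
import re
from collections import defaultdict

# One `ip neigh` entry: "<ip> dev <iface> lladdr <mac> <state>".
# FAILED / INCOMPLETE entries carry no lladdr and therefore do not match.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)$",
    re.IGNORECASE,
)

# Constructed snapshots: the second one shows 192.168.1.30 now also
# claiming the gateway's IP, the classic ARP-poisoning picture.
BASELINE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr 02:00:00:00:00:20 STALE
192.168.1.30 dev wlan0 lladdr 02:00:00:00:00:30 REACHABLE
192.168.1.40 dev wlan0 FAILED
"""

POISONED_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:30 REACHABLE
192.168.1.20 dev wlan0 lladdr 02:00:00:00:00:20 STALE
192.168.1.30 dev wlan0 lladdr 02:00:00:00:00:30 REACHABLE
"""

GATEWAY_IP = "192.168.1.1"  # assumed default gateway for the sample network


def parse_neigh(text):
    """Return {ip: mac} for resolved entries; unresolved entries are skipped."""
    table = {}
    for line in text.splitlines():
        match = NEIGH_RE.match(line.strip())
        if match:
            table[match["ip"]] = match["mac"].lower()
    return table


def detect_arp_anomalies(baseline, current, gateway_ip):
    """Return a list of (indicator, ...) tuples found in `current`.

    Indicator 1: the gateway's MAC differs from the baseline snapshot.
    Indicator 2: a single MAC is mapped to more than one IP, which is what
    a poisoner produces when it claims the gateway's IP as well as its own.
    """
    findings = []

    old_gw, new_gw = baseline.get(gateway_ip), current.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        findings.append(("gateway_mac_changed", gateway_ip, old_gw, new_gw))

    ips_by_mac = defaultdict(set)
    for ip, mac in current.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac_claims_multiple_ips", mac, tuple(sorted(ips))))

    return findings


def analyse_samples():
    """Run the detector over the constructed snapshots."""
    return detect_arp_anomalies(
        parse_neigh(BASELINE_NEIGH), parse_neigh(POISONED_NEIGH), GATEWAY_IP
    )


if __name__ == "__main__":
    for finding in analyse_samples():
        print(finding)
```

A baseline taken right after joining a network is only as trustworthy as that first snapshot, so in practice the gateway MAC is better pinned from a known-good source (a managed network's inventory) than learned on the spot; the second indicator does not depend on a baseline at all and is the more robust of the two.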
Local Actions Device threats
The following Device threats are available in Go Local Actions:
Threat | Mitigation when the following events occur
--- | ---
Abnormal Process Activity | Detected abnormal activity. The user device is being monitored for any attacks.
App Tampering | Existing app libraries may have been modified, or a foreign library may have been injected into the app.
BlueBorne Vulnerability | Ivanti has detected that this device is vulnerable to BlueBorne, an attack leveraging Bluetooth connections to penetrate and take control of targeted devices. To avoid any sort of risk from BlueBorne, it is highly recommended that the user turn off Bluetooth permanently until an update is available from the device manufacturer or wireless carrier. For those users that still require the use of Bluetooth, it is recommended that Bluetooth is turned off until it is needed and used only in a trusted and secure area.
DNS Change | DNS configuration change on the mobile device. If the DNS change happened in your own network to an unknown DNS server, it is likely a MITM attempt.
Daemon Anomaly | Daemon Anomaly indicates abnormal system process activities which could indicate that the device has been exploited.
Developer Options | Developer Options is an advanced configuration option intended for development purposes only. When enabled, the user has the option to change advanced settings, compromising the integrity of the device settings.
Device Encryption | Device Encryption notifies an administrator when a device is not set up to use encryption to protect device content.
Device Pin | Device Pin notifies the administrator when a device is not set up to use a PIN code or password to control access to the device.
Device jailbreaking/rooting | Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may not have been readily apparent, or undermine the device's built-in security measures.
EOP | A malicious process that results in the elevation of privileges on the mobile device, which allows the attacker to take full control of the device.
File system changed | A normal file system change.
Gateway Change | Gateway configuration change on the mobile device that can be indicative of sending traffic to a non-intended destination.
Proxy Change | Proxy configuration change on the mobile device that can be indicative of sending traffic to a non-intended destination.
SELinux Disabled | Security-Enhanced Linux (SELinux) is a security feature in the operating system that helps maintain the integrity of the operating system. If SELinux has been disabled, the integrity of the operating system may be compromised and should be investigated immediately.
Sideloaded App(s) | Sideloaded apps are installed independently of an official app store and can present a security risk.
Stagefright Vulnerability | Stagefright vulnerability indicates the device is on an OS patch version susceptible to compromise.
Suspicious Profile | Suspicious Profile identifies profiles that are untrusted or not explicitly trusted. Ivanti recommends that you review the profile and mark it as trusted or untrusted.
System Tampering | System Tampering is a process of removing security limitations put in by the device manufacturer and indicates that the device is fully compromised and can no longer be trusted.
USB Debugging Mode | USB Debugging is an advanced configuration option intended for development purposes only. By enabling USB Debugging, the user device can accept commands from a computer when plugged into a USB connection.
Unknown sources download config change | Allows the user to download an app that is not in the Google Play store.
Untrusted Profile | An untrusted profile is considered unsafe to install on your devices. An untrusted profile could be used to control devices remotely, monitor and manipulate user activities, and/or hijack traffic.
Vulnerable Android Version | Ivanti has detected that the Android version installed on your device is not up to date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the device's operating system immediately.
Vulnerable iOS Version | Ivanti has detected that the iOS version installed on your device is not up to date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the device's operating system immediately.
Vulnerable, non-upgradeable Android Version | Ivanti detected a device running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time.
Vulnerable, non-upgradeable iOS Version | Ivanti detected a device running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time.
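The DNS Change, Gateway Change and Proxy Change rows above all describe the same kind of signal: a device's network configuration drifting from what it was when it was trusted. The DNS row adds a triage rule of its own, that a change to an unknown resolver inside your own network is the MITM-like case. The following is an added example (not Ivanti code) that encodes those three checks as a baseline-versus-current comparison: gateway and proxy changes are reported as-is, and each newly added DNS server is rated by whether it is a known corporate resolver, an unknown host inside the corporate address space, or an outside address. The resolver list, address ranges and snapshots are constructed sample values.

```python
"""Rate network-configuration drift on a mobile device against a baseline.

Added example, not part of the Ivanti product. Snapshots, resolver list
and address ranges are constructed; the DNS severity rule follows the
page's own statement that an unknown resolver inside your own network
is likely a MITM attempt.
"""
import ipaddress

# Constructed: corporate address space and the resolvers devices should use.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]
KNOWN_DNS = {"10.0.0.53", "10.0.1.53"}

# Constructed snapshots of the device's effective network settings.
BASELINE_CONFIG = {"gateway": "10.0.0.1", "proxy": None, "dns": ["10.0.0.53"]}
CURRENT_CONFIG = {
    "gateway": "10.0.0.1",
    "proxy": "10.0.0.99:8080",           # a proxy appeared that was not there before
    "dns": ["10.0.0.77", "203.0.113.53"],  # unknown internal resolver + outside address
}


def rate_dns_server(server, corp_networks, known_dns):
    """Map a newly configured resolver to a severity label.

    known corporate resolver -> "info"
    unknown host inside corporate space -> "high" (the page's likely-MITM case)
    anything outside corporate space -> "medium"
    """
    if server in known_dns:
        return "info"
    addr = ipaddress.ip_address(server)
    if any(addr in net for net in corp_networks):
        return "high"
    return "medium"


def evaluate_config_change(baseline, current, corp_networks, known_dns):
    """Return findings as tuples; an empty list means no drift from baseline."""
    findings = []

    # Gateway or proxy changes route traffic somewhere the baseline did not.
    for key in ("gateway", "proxy"):
        if baseline.get(key) != current.get(key):
            findings.append((f"{key}_changed", baseline.get(key), current.get(key)))

    # Only resolvers that were not in the baseline are rated.
    added_dns = set(current.get("dns", [])) - set(baseline.get("dns", []))
    for server in sorted(added_dns):
        findings.append(("dns_added", server, rate_dns_server(server, corp_networks, known_dns)))

    return findings


def evaluate_samples():
    """Run the comparison over the constructed snapshots."""
    return evaluate_config_change(BASELINE_CONFIG, CURRENT_CONFIG, CORP_NETWORKS, KNOWN_DNS)


if __name__ == "__main__":
    for finding in evaluate_samples():
        print(finding)
```

The "high" rating for an unknown in-network resolver is deliberate: an outside resolver is more often a user choice or a captive portal, whereas a resolver that appears inside your own address space without being one of yours is exactly the case the DNS Change row singles out.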
Local Actions App threats
The following App threats are available in Go Local Actions:
Threat | Mitigation when the following events occur
--- | ---
Out of Compliance App | An app that is considered to be out of compliance with your corporate policy. When apps designated as "out of compliance" are detected on an MTD-enabled client device, the device user sees a threat warning and a request to remove the app from the device.
Suspicious Android App | A known risky app that attempts to take control of the user device in some manner (e.g. elevate privileges, spyware, etc.).
Suspicious iOS App | A known risky app that attempts to take control of the device in some manner (e.g. elevate privileges, spyware, etc.).