5.2 Antimalware Page

If you have the Antimalware Database configured, this page provides a snapshot of the malware threat status, the scan schedule, and quarantined file information for the selected computer. You can also take specific actions on files, kick off scans, and update the Antimalware Agent and Malware Signature versions on the computer. For more detailed information, see the topics for each section on the page.

5.2.1 Device Status

The Device Status section enables you to quickly do the following for the selected device:

View malware threat status

The charts display data for three different time periods based on the last time the device reported its status. If the device last reported 12 hours ago, the 24 hour status is for the 24 hours prior to that report and so forth for 7 and 30 days.

The status indicators relate to the overall status of threats on the device by status level. For example, for a given time period, you could have a status of Unresolved Threats with 3 threats detected. However, only one of those threats would need to be unresolved to display that status.

A different color is associated with each status level:

  • Unresolved Threats = Red

  • Resolved Threats = Blue

  • No Threats = Green

If the device has not reported within the last 3 days, the status is reported as Unknown by default. You can change the Unknown threshold using the Security Dashboard setting. For more information, see Security Dashboard Configuration.
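The status rules above (windows anchored at the device's last report rather than at the current time, one unresolved threat outranking any number of resolved ones, and the 3-day Unknown threshold) are small enough to state in code. The following is an added example, not part of this documentation or of the ZENworks product; the `ThreatEvent` record shape, the sample events and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Status levels shown on the Device Status panel, in display priority:
# a single unresolved threat in a window outranks any number of resolved ones.
UNRESOLVED = "Unresolved Threats"   # red
RESOLVED = "Resolved Threats"       # blue
NO_THREATS = "No Threats"           # green
UNKNOWN = "Unknown"                 # device has not reported within the threshold

# Default Unknown threshold from the page; the Security Dashboard setting can change it.
DEFAULT_UNKNOWN_AFTER = timedelta(days=3)

WINDOWS = {
    "24 hours": timedelta(hours=24),
    "7 days": timedelta(days=7),
    "30 days": timedelta(days=30),
}


@dataclass
class ThreatEvent:
    """One detected threat on the device (constructed record shape, not the product's)."""
    name: str
    detected_at: datetime
    resolved: bool


def status_for_window(events, last_report, window, now, unknown_after=DEFAULT_UNKNOWN_AFTER):
    """Status label for one reporting window.

    The window ends at the device's last report, not at `now`: if the device
    last reported 12 hours ago, the 24-hour window covers the 24 hours before
    that report. If the last report is older than the Unknown threshold, the
    status is Unknown regardless of any events.
    """
    if now - last_report > unknown_after:
        return UNKNOWN
    start = last_report - window
    in_window = [e for e in events if start <= e.detected_at <= last_report]
    if not in_window:
        return NO_THREATS
    if any(not e.resolved for e in in_window):
        return UNRESOLVED
    return RESOLVED


def device_status(events, last_report, now, unknown_after=DEFAULT_UNKNOWN_AFTER):
    """Status for all three windows, keyed by window name."""
    return {
        name: status_for_window(events, last_report, window, now, unknown_after)
        for name, window in WINDOWS.items()
    }


# Constructed sample: the device last reported 12 hours before NOW.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LAST_REPORT = NOW - timedelta(hours=12)
SAMPLE_EVENTS = [
    # Inside the 24-hour window and already resolved.
    ThreatEvent("Constructed.Resolved.A", LAST_REPORT - timedelta(hours=6), resolved=True),
    # Three days before the report: outside 24 hours, inside 7 and 30 days, still open.
    ThreatEvent("Constructed.Open.B", LAST_REPORT - timedelta(days=3), resolved=False),
    # Detected after the last status report, so no window counts it yet.
    ThreatEvent("Constructed.Late.C", LAST_REPORT + timedelta(hours=1), resolved=False),
]
# A later point in time at which the default 3-day threshold has passed.
STALE_NOW = LAST_REPORT + timedelta(days=4)


def example():
    return device_status(SAMPLE_EVENTS, LAST_REPORT, NOW)


if __name__ == "__main__":
    for window, status in example().items():
        print(f"{window:>8}: {status}")
    print("after 4 days without a report:", device_status(SAMPLE_EVENTS, LAST_REPORT, STALE_NOW))
```

With the sample data the 24-hour window shows Resolved Threats (only the resolved event falls inside it), while the 7-day and 30-day windows show Unresolved Threats because the open event three days before the report is inside both; once the device has been silent for longer than the threshold, every window reports Unknown.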

View and update the Antimalware Agent or Malware Signature

Under Antimalware Agent and Malware Signature, respectively, you can view the version information and the last time either item was updated. You can also check for an update for either item by clicking Update Now under its respective heading. Each option opens the Quick Task Status window where you can start the task.

View quarantine file count and delete or restore them in bulk

The Quarantine section displays the total count of files placed in quarantine during the last 30 days. The Delete All and Restore All options act on all quarantined files in bulk using a quick task. To delete or restore quarantined files by individual file selection, go to the Files panel on the Antimalware page. For information about the Files panel, see Files.

5.2.2 Scan Schedule

Lists the device's scan schedule for Full and Quick scans from the assigned Enforcement policy, and for all custom and network scans from the assigned Custom Scan and Network Scan policies. The Schedule link takes you directly to where the schedule for the device is set: the zone, the device folder, or the device itself.

NOTE: The time zone for Next Scan entries is the time zone of the browser used to log in to the ZENworks Control Center. The device itself may be in a different time zone, depending on its location. To see whether the two differ, hover over the time displayed for Last Contact on the Summary page of the selected device; a popup displays the time zone for both.

You can kick off any of the scans shown for the device at any time by selecting the scan in the Scan Type column and clicking Run Scan. This opens a quick task dialog box for the scan.

5.2.3 Malware Threats

The Malware Threats section enables you to view the status of malware events. You can filter the malware events by threat name or click on a specific threat in the Threat Name column to see details about the threat.

For information about threat details when you click a specific threat in the table, see Malware Threat Details.

5.2.4 Files

Shows the status (Disinfected, Quarantined, Deleted, Denied Access, Ignored) of both infected and suspicious files associated with the detected malware threats. Quarantined files can be restored or deleted if necessary, using a quick task. You can filter the list by either file name or threat name.

NOTE: If you remove the Antimalware Enforcement Policy from the device, the files shown in this list persist for 30 days, after which the history data is cleaned up. During this 30-day period there may also be a discrepancy between the Files count shown in the Malware Threats pane and the number of files in the list.

Restore Files from Quarantine

To restore a file from quarantine:

  1. Select the file in the Files list.

  2. Click Restore File from Quarantine at the top of the table.

  3. If you want to restore the file to a location different from the one shown in the table, select New Location, and enter the location using one of the formats below:

    • Local directory:

      C:\Windows

      %WINDIR%\system32

    • Network directory:

      \\hostName\shareName\filePath

      \\IPaddress\shareName\filePath

  4. Select the desired option boxes as defined below:

    • Exclude restored file from future On-Access or On-demand scans

      You might select either or both of these options if you continue to get the same file displaying as “suspicious” in the quarantine list.

    • Overwrite if file exists in restore location

  5. Click OK to advance to the Quick Task Status window, and then click Start to execute the operation. You can leave the Quick Task Status open until the process completes, or click Hide and monitor the status from the Quick Tasks section under the ZENworks Control Center navigation panel.
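The two restore-location formats in step 3 (a local directory, optionally starting with an environment variable such as %WINDIR%, or a UNC network directory by host name or IP address) are easy to get subtly wrong, and a restore that lands in an unintended directory is itself a risk. The following is an added example of how an operator-side tool could validate a typed location before it is submitted; it is not part of this documentation or of ZENworks. The `SAMPLE_ENV` mapping, the host and share names and the helper names are constructed for illustration.

```python
import re

# %NAME% environment-variable references, as in %WINDIR%\system32.
_ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# Local directory: drive letter, colon, backslash, e.g. C:\Windows.
_LOCAL_DIR = re.compile(r"^[A-Za-z]:\\")
# Network directory: \\hostName\shareName\filePath or \\IPaddress\shareName\filePath.
_UNC_DIR = re.compile(r"^\\\\([^\\/]+)\\([^\\/]+)(?:\\.*)?$")

# Constructed environment mapping so the example runs on any OS; a real
# deployment resolves variables on the managed device, not in the console.
SAMPLE_ENV = {"WINDIR": r"C:\Windows", "TEMP": r"C:\Users\admin\AppData\Local\Temp"}


def expand_env(path, env):
    """Replace every %NAME% with its value. An unknown name is an error rather
    than being passed through, so a typo cannot silently become a relative path."""
    def replace(match):
        name = match.group(1).upper()
        if name not in env:
            raise ValueError(f"unknown environment variable %{match.group(1)}%")
        return env[name]
    return _ENV_REF.sub(replace, path)


def classify_restore_location(path, env=None):
    """Return ("local" | "network", expanded_path) or raise ValueError.

    Accepts exactly the two formats the restore dialog documents. Parent-
    directory segments are rejected so a restore cannot escape the directory
    the operator typed.
    """
    env = {k.upper(): v for k, v in (env or {}).items()}
    if not path or not path.strip():
        raise ValueError("restore location is empty")
    expanded = expand_env(path.strip(), env)
    if ".." in expanded.split("\\"):
        raise ValueError("parent-directory references are not allowed")
    if _UNC_DIR.match(expanded):
        return "network", expanded
    if _LOCAL_DIR.match(expanded):
        return "local", expanded
    raise ValueError(
        f"{path!r} is neither a local directory (C:\\...) nor a network directory (\\\\host\\share\\...)"
    )


def is_valid_restore_location(path, env=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        classify_restore_location(path, env)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in [r"C:\Windows", r"%WINDIR%\system32",
                      r"\\fileserver01\quarantine\restored", r"\\192.0.2.10\share\path",
                      r"restored\file.txt", r"C:\Windows\..\Temp", r"%NOSUCHVAR%\x"]:
        try:
            print(candidate, "->", classify_restore_location(candidate, SAMPLE_ENV))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

Relative paths, `..` segments and unresolved variables are rejected outright rather than normalised, which keeps the accepted set identical to what the dialog documents.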

Delete Files from Quarantine

To delete one or more files from quarantine:

  1. Select the file or files in the Files list for deletion.

  2. Click Delete File from Quarantine at the top of the table.

  3. Click Start to execute the operation in the Quick Task Status window.

About Scanned Archive Files

When you have the Scan archives option enabled in the Scan Behavior settings for any of the policies that run scans, Antimalware scans all types of archives (including email file formats). If the Antimalware Agent unzips the archive and finds an infected or suspicious file, it performs the policy-configured remediation actions on that file, such as disinfecting or quarantining it, and then rezips the archive.

If the agent cannot perform the configured remediation actions, it takes whatever action it can to safeguard against the malware threat. This can include denying access to the entire archive.

If the agent cannot unzip the archive, it ignores it.
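The three archive rules above (remediate the member and rezip, deny access to the whole archive when remediation fails, ignore an archive that cannot be opened) form a small decision procedure. The following is an added example that applies those rules to an in-memory ZIP using only the Python standard library; it is not the Antimalware Agent's code or part of this documentation. The byte marker standing in for a signature, the sample archive contents and the quarantine callback interface are constructed for illustration.

```python
import io
import zipfile

# Constructed detection rule: a byte marker that stands in for a real malware
# signature so the example runs offline.
SUSPICIOUS_MARKER = b"CONSTRUCTED-SUSPICIOUS-MARKER"


def build_zip(files):
    """Build an in-memory ZIP from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in files.items():
            archive.writestr(name, content)
    return buf.getvalue()


def archive_names(data):
    """Member names of an in-memory ZIP, in archive order."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return archive.namelist()


def scan_archive(data, quarantine_store):
    """Apply the archive rules described above to a ZIP held in memory.

    quarantine_store(name, content) is called for each flagged member and may
    raise OSError if the quarantine cannot accept the file.

    Returns (action, archive_bytes):
      "ignored"     - the archive could not be opened; left untouched
      "clean"       - nothing flagged; left untouched
      "quarantined" - flagged members moved to quarantine and the archive rebuilt
      "denied"      - a member was flagged but could not be remediated, so access
                      to the entire archive is denied (archive_bytes is None)
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as src:
            members = [(info.filename, src.read(info.filename))
                       for info in src.infolist() if not info.is_dir()]
    except (zipfile.BadZipFile, RuntimeError):
        # Not a readable archive (corrupt, unsupported, or encrypted members).
        return "ignored", data

    flagged = [name for name, content in members if SUSPICIOUS_MARKER in content]
    if not flagged:
        return "clean", data

    try:
        for name, content in members:
            if name in flagged:
                quarantine_store(name, content)
    except OSError:
        # Remediation failed: fall back to denying access to the whole archive.
        return "denied", None

    # Rebuild ("rezip") the archive without the quarantined members.
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, content in members:
            if name not in flagged:
                dst.writestr(name, content)
    return "quarantined", out.getvalue()


def failing_store(name, content):
    """Quarantine backend that is unavailable (constructed failure case)."""
    raise OSError("quarantine volume not writable")


# Constructed sample archive: one benign member, one that matches the marker.
SAMPLE_ARCHIVE = build_zip({
    "docs/readme.txt": b"release notes, nothing to see",
    "bin/payload.bin": b"\x00\x01" + SUSPICIOUS_MARKER + b"\x02",
})


if __name__ == "__main__":
    quarantine = {}
    action, rebuilt = scan_archive(SAMPLE_ARCHIVE, quarantine.__setitem__)
    print(action, "quarantined:", sorted(quarantine), "remaining:", archive_names(rebuilt))
    print(scan_archive(SAMPLE_ARCHIVE, failing_store)[0])
    print(scan_archive(b"this is not an archive", quarantine.__setitem__)[0])
```

The "denied" branch returns no archive bytes at all: when a flagged member cannot be moved out, nothing from the container is handed back, which is the in-memory equivalent of denying access to the entire archive.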

The list below is not exhaustive, but it covers the most common supported archive formats:

7z; ace; alz; ar; arc; arj; boo; bz; bz2; bzip2; cab; chm; cpio; dbx; deb (with gzip, bzip2, xz); dmg (with HFS); docfile; eml; esh; exe; ezs; fky; frs; fxp; gadget; gif; grv; gx2; gz; gzip; hap; hlp; hms; hqx; hta; htm; html; htt; iaf; icd; ico; img; inf; ini; inno; instyler; inx; ipf; iso; installshield; isu; jar; jfif; jpe; jpeg; jpg; js; jse; jsx; kix; laccdb; lha; lzh; lnk; maf; mam; maq; mar; mat; mbx; mcr; mda; mdb; mde; mdt; mdw; mem; mhtml; mid; mime; mmf; mov; mp3; mpd; mpeg; mpg; mpp; mpt; mpx; ms; mscompress; msg; msi; mso; msp; mst; msu; nsis; nws; oab; obd; obi; obs; obt; ocx; odt; oft; ogg; ole; one; onepkg; osci; ost; ovl; pa; paf; pak; pat; pci; pcx; pdf; pex; pfd; pgm; php; pif; pip; png; pot; potm; potx; ppa; ppam; pps; ppsm; ppsx; ppt; pptm; pptx; ppz; prc; prf; prg; ps1; psd; psp; pst; pub; puz; pvd; pwc; pwz; py; pyc; pyo; qpx; qt; qxd; ra; ram; rar; rbx; rgb; rgs; rm; rox; rpj; rpm (with cpio, gzip, bzip2, xz); rtf; scar; scr; script; sct; sdr; sfx; sh3; shb; shs; shw; sis; sit; sldm; sldx; smm; snp; snt; spr; src; svd; swf; sym; sys; tar; tar.z; tb2; tbb; tbz2; td0; tgz; thebat; thmx; tif; tiff; tlb; tms; tsp; tt6; u3p; udf; ufa; url; uuencode; vb; vbe; vbs; vbscript; vise; vwp; vxd; wav; wbk; wbt; wcm; wdm; wise; wiz; wks; wll; wmf; wml; wpc; wpf; wpg; wpk; wpl; ws; ws2; wsc; wsf; wsh; xar; xl; xla; xlam; xlb; xlc; xll; xlm; xls; xlsb; xlsm; xlsx; xlt; xltm; xltx; xlw; xml; xqt; xsf; xsn; xtp; xz; z; zip; zl?; zoo