3.5 Antimalware Enforcement Policy

This section provides information about the settings you can view and modify in the Details page of a selected Antimalware Enforcement Policy. If you want to update settings on devices that already have the selected policy assigned, you need to republish the policy after making modifications, and then execute a refresh on those devices.

To open the Details page of the policy in ZENworks Control Center, navigate to Policies, select the policy in the Policies page or folder, click the policy name link, and select the Details tab.

3.5.1 On-Access Scan

On-access scans protect the device by preventing new malware threats from entering the system. This option scans local and network files when they are accessed (opened, moved, copied, or executed).

Scan Locations

You can configure which type of files get scanned when they are accessed from the device. You can choose one of the three options below for each scan location, local or network, and set a limit on the size of files to be scanned. See the descriptions below to better understand what each option does:

  • All files: Scans all files on the device or network except files excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement and Scan Exclusions Policy settings.

  • Applications only: Scans only application files on the device except applications excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement Policy settings.

    For more information about the type of application files that get scanned or how to customize that list, see Application Only File Scans.

  • Defined file extensions only: Scans only files whose extension is listed in the Defined file extensions field, for local or network files as applicable.

    Enter one or more file extensions to be scanned, separated by a semicolon “;”. You can enter extensions with or without the preceding dot. For example: txt or .txt

  • Skip files larger than (MB): Only scans files that are equal to or smaller than the size specified here (in MB). This option gives you some control over the system performance cost of scans. Since malware can also affect larger files, use this option with caution.

Scan Behavior

These settings provide some flexibility for configuring the behavior details of files to be scanned. Enable or disable as applicable to your desired protection in relation to system performance.

  • Scan only new or changed files: This setting gives you an option that may improve system responsiveness with a minimum trade-off of security.

  • Scan boot sectors: Boot sectors contain the required code to start the boot process. An infection could disable the drive and prevent the system from starting.

  • Scan for keyloggers: Keyloggers record the input from the device’s keyboard and can disclose sensitive information to hackers, including account numbers and passwords.

  • Scan for Potentially Unwanted Applications (PUA): PUAs typically include undesirable programs that get installed on the device when bundled and downloaded with free software, often without the user’s consent.

  • Scan archives: Infected archive files are not an immediate threat and scanning them can be resource-intensive. Infected archive files are only a threat to the system if they are extracted from the archive and executed without having on-access scanning enabled.

    • Skip files larger than (MB): Only scans archive files that are equal to or smaller than the size specified here.

    • Maximum depth (levels): Defines the directory level depth that will be scanned, in increments of two.

    For information specific to scanning archived files, see About Scanned Archive Files.

  • Use deferred scanning: Deferred scanning is selected by default. It improves system performance by postponing scans, or the copying of files for scanning, until system load permits.

Remediate Actions

Configure the default remediation action for infected files and suspect files. For each file type the action is layered: a default action, and a secondary action that is applied if the default action fails. The configuration options are shown below:

File type      | Default action                                                | If default action fails
---------------|---------------------------------------------------------------|------------------------------------------------------
Infected Files | Deny Access, Disinfect, Delete, Move to Quarantine, or Ignore | Deny Access, Disinfect, Delete, or Move to Quarantine
Suspect Files  | Deny Access, Delete, Move to Quarantine, or Ignore            | Deny Access, Delete, or Move to Quarantine

NOTE: For information about remediation of scanned archive files, see About Scanned Archive Files.

3.5.2 Full Scan

The Full Scan option is enabled by default. It is an on-demand scan that runs according to the schedule defined in the Antimalware Agent Schedules configuration. Full scans protect scan targets by checking for all types of malware threatening their security, such as viruses, spyware, adware, rootkits, and others.

Use this page to configure the types of files to scan, scan targets, scan behavior, and remediate actions, as defined below. You can also disable the feature entirely which might be needed temporarily when performing large scale operations such as migrations or software updates that use more resources.

User Rights

This setting enables you to configure rights for end users to initiate their own scans and pause, postpone, or cancel those scans as well as do the same for administrator-initiated scans, if so enabled.

The right for a user to cancel an administrator-initiated scan is disabled by default. The administrator can initiate a scan via a policy, quick task, or zac command.

NOTE: If the user pauses a scan and reboots the device before restarting the scan, the scan will resume on restart, but will no longer be visible to the user in the Agent Status Console.

Files to Scan

You can configure which type of files get scanned when the scheduled scan runs. See the descriptions below to better understand what each option does:

  • All files: Scans all files on the device except files excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement and Scan Exclusions Policy settings.

  • Applications only: Scans only application files on the device except applications excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement Policy settings.

    For more information about the type of application files that get scanned or how to customize that list, see Application Only File Scans.

  • Defined file extensions only: Scans only files whose extension is listed in the Defined file extensions field for local files, as applicable.

    Enter one or more file extensions to be scanned, separated by a semicolon “;”. You can enter extensions with or without the preceding dot. For example: txt or .txt

Scan Targets

The default scan targets for Full Scan are All Local Drives and All Removable Drives, but you can delete these entries if not needed. Once you modify the configuration, only the items listed in the Scan Targets configuration, including any targets you have added, are scanned. When adding targets, you can specify either a drive path or an environment variable, for example:

  • D:\

  • %WINDIR%\system32

Scan Behavior

These settings provide flexibility for configuring the behavior details of files to be scanned. Enable or disable as applicable to your desired protection in relation to system performance.

  • Scan only new or changed files: This setting gives you an option that may improve system responsiveness with a minimum trade-off of security.

  • Scan boot sectors: Boot sectors contain the required code to start the boot process. An infection could disable the drive and prevent the system from starting.

  • Scan registry: This option scans the Windows Registry database that stores settings for operating system components.

  • Scan memory: This option scans programs that run in the system’s memory.

  • Scan for keyloggers: Keyloggers record the input from the device’s keyboard and can disclose sensitive information to hackers, including account numbers and passwords.

  • Scan for rootkits: Rootkits enable administrator-level access to the device with a primary function of hiding processes, files, logins, and logs. When combined with malware, they can be used to conceal the presence of intruders.

  • Scan cookies: This option scans cookies stored by browsers installed on the device.

  • Scan for Potentially Unwanted Applications (PUA): PUAs typically include undesirable programs that get installed on the device when bundled and downloaded with free software, often without the user’s consent.

  • Scan archives: Infected archive files are not an immediate threat and scanning them can be resource-intensive. Infected archive files are only a threat to the system if they are extracted from the archive and executed without having on-access scanning enabled.

    • Skip files larger than (MB): Only scans archive files that are equal to or smaller than the size specified here.

    • Maximum depth (levels): Defines the directory level depth that will be scanned, in increments of two.

  • Scan email archives: This option scans email files and databases, including the file formats of .eml, .msg, .pst, .dbx, .mbx, .tbb, and others.

    IMPORTANT: This scanning option is resource-intensive.

Remediate Actions

Configure the default remediation action for infected files, suspect files, and rootkits. For each file type except rootkits the action is layered: a default action, and a secondary action that is applied if the default action fails. The configuration options are shown below:

File type      | Default action                                   | If default action fails
---------------|--------------------------------------------------|-------------------------------------------------
Infected Files | Disinfect, Delete, Move to Quarantine, or Ignore | Disinfect, Delete, Move to Quarantine, or Ignore
Suspect Files  | Delete, Move to Quarantine, or Ignore            | Delete, Move to Quarantine, or Ignore
Rootkits       | Disinfect or Ignore                              | (not applicable)

NOTE: For information about remediation of scanned archive files, see About Scanned Archive Files.

3.5.3 Quick Scan

The Quick Scan option is enabled by default. It is a reduced-scope on-demand scan that runs according to the schedule defined in the Antimalware Agent Schedules configuration. A quick scan typically runs in less than a minute and uses a fraction of the resources needed to run a full scan.

Quick scans protect scan targets by scanning new and changed files on local and removable drives, including checks for rootkits and PUAs. They also check boot sectors and memory. Files detected with malware that cannot be disinfected are quarantined.

Use this page to configure the types of files to scan, scan targets, scan behavior, and remediate actions, as defined below. You can also disable the feature entirely.

User Rights

This setting enables you to configure rights for end users to initiate their own scans and pause, postpone, or cancel those scans as well as do the same for administrator-initiated scans, if so enabled.

The right for a user to cancel an administrator-initiated scan is disabled by default. The administrator can initiate a scan via a policy, quick task, or zac command.

NOTE: If the user pauses a scan and reboots the device before restarting the scan, the scan will resume on restart, but will no longer be visible to the user in the Agent Status Console.

Files to Scan

You can configure which type of files get scanned when the scheduled scan runs. See the descriptions below to better understand what each option does:

  • All files: Scans all files on the device except files excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement and Scan Exclusions Policy settings.

  • Applications only: Scans only application files on the device except applications excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement Policy settings.

    For more information about the type of application files that get scanned or how to customize that list, see Application Only File Scans.

  • Defined file extensions only: Scans only files whose extension is listed in the Defined file extensions field for local files, as applicable.

    Enter one or more file extensions to be scanned, separated by a semicolon “;”. You can enter extensions with or without the preceding dot. For example: txt or .txt

Scan Targets

The default scan targets for Quick Scan are %WINDIR%\system32 and %temp%. Once you modify the configuration, only the items listed in the Scan Targets configuration, including any targets you have added, are scanned. When adding targets, you can specify either a drive path or an environment variable, for example:

  • D:\

  • C:\%USERPROFILE%\

Scan Behavior

These settings provide flexibility for configuring the behavior details of files to be scanned. Enable or disable as applicable to your desired protection in relation to system performance.

  • Scan only new or changed files: This setting gives you an option that may improve system responsiveness with a minimum trade-off of security.

  • Scan boot sectors: Boot sectors contain the required code to start the boot process. An infection could disable the drive and prevent the system from starting.

  • Scan registry: This option scans the Windows Registry database that stores settings for operating system components.

  • Scan memory: This option scans programs that run in the system’s memory.

  • Scan for keyloggers: Keyloggers record the input from the device’s keyboard and can disclose sensitive information to hackers, including account numbers and passwords.

  • Scan for rootkits: Rootkits enable administrator-level access to the device with a primary function of hiding processes, files, logins, and logs. When combined with malware, they can be used to conceal the presence of intruders.

  • Scan cookies: This option scans cookies stored by browsers installed on the device.

  • Scan for Potentially Unwanted Applications (PUA): PUAs typically include undesirable programs that get installed on the device when bundled and downloaded with free software, often without the user’s consent.

  • Scan archives: Infected archive files are not an immediate threat and scanning them can be resource-intensive. Infected archive files are only a threat to the system if they are extracted from the archive and executed without having on-access scanning enabled.

    • Skip files larger than (MB): Only scans archive files that are equal to or smaller than the size specified here.

    • Maximum depth (levels): Defines the directory level depth that will be scanned, in increments of two.

  • Scan email archives: This option scans email files and databases, including the file formats of .eml, .msg, .pst, .dbx, .mbx, .tbb, and others.

    IMPORTANT: This scanning option is resource-intensive.

Remediate Actions

Configure the default remediation action for infected files, suspect files, and rootkits. For each file type except rootkits the action is layered: a default action, and a secondary action that is applied if the default action fails. The configuration options are shown below:

File type      | Default action                                   | If default action fails
---------------|--------------------------------------------------|-------------------------------------------------
Infected Files | Disinfect, Delete, Move to Quarantine, or Ignore | Disinfect, Delete, Move to Quarantine, or Ignore
Suspect Files  | Delete, Move to Quarantine, or Ignore            | Delete, Move to Quarantine, or Ignore
Rootkits       | Disinfect or Ignore                              | (not applicable)

NOTE: For information about remediation of scanned archive files, see About Scanned Archive Files.

3.5.4 External Device Scan

External device scans are enabled by default. When enabled, they automatically detect and scan removable storage devices and media when they are connected to the system, unless the Display Security Alerts option is enabled in the Antimalware Agent Notifications settings, in which case users are prompted to scan the external drive. If an infected file is detected, a disinfection routine will run on the file. Files that cannot be disinfected are placed in quarantine.

Devices to Scan

Devices and media that are detected as external include:

  • CDs and DVDs

  • USB storage devices, including flash drives and external hard drives

  • Devices with more storage than specified when connected

NOTE: You can configure Antimalware Agent notifications, alerts, and other options for endpoint users in the Antimalware Agent Notifications configuration. For more information, see Antimalware Agent Notifications.

Files to Scan

You can configure which type of files get scanned when the scheduled scan runs. See the descriptions below to better understand what each option does:

  • All files: Scans all files on the device except files excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement and Scan Exclusions Policy settings.

  • Applications only: Scans only application files on the device except applications excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement Policy settings.

    For more information about the type of application files that get scanned or how to customize that list, see Application Only File Scans.

  • Defined file extensions only: Scans only files whose extension is listed in the Defined file extensions field for local files, as applicable.

    Enter one or more file extensions to be scanned, separated by a semicolon “;”. You can enter extensions with or without the preceding dot. For example: txt or .txt

Scan Behavior

These settings provide flexibility for configuring the behavior details of files to be scanned. Enable or disable as applicable to your desired protection in relation to system performance.

  • Scan only new or changed files: This setting gives you an option that may improve system responsiveness with a minimum trade-off of security.

  • Scan boot sectors: Boot sectors contain the required code to start the boot process. An infection could disable the drive and prevent the system from starting.

  • Scan registry: This option scans the Windows Registry database that stores settings for operating system components.

  • Scan memory: This option scans programs that run in the system’s memory.

  • Scan for keyloggers: Keyloggers record the input from the device’s keyboard and can disclose sensitive information to hackers, including account numbers and passwords.

  • Scan for rootkits: Rootkits enable administrator-level access to the device with a primary function of hiding processes, files, logins, and logs. When combined with malware, they can be used to conceal the presence of intruders.

  • Scan cookies: This option scans cookies stored by browsers installed on the device.

  • Scan for Potentially Unwanted Applications (PUA): PUAs typically include undesirable programs that get installed on the device when bundled and downloaded with free software, often without the user’s consent.

  • Scan archives: Infected archive files are not an immediate threat and scanning them can be resource-intensive. Infected archive files are only a threat to the system if they are extracted from the archive and executed without having on-access scanning enabled.

    • Skip files larger than (MB): Only scans archive files that are equal to or smaller than the size specified here.

    • Maximum depth (levels): Defines the directory level depth that will be scanned, in increments of two.

  • Scan email archives: This option scans email files and databases, including the file formats of .eml, .msg, .pst, .dbx, .mbx, .tbb, and others.

    IMPORTANT: This scanning option is resource-intensive.

Remediate Actions

Configure the default remediation action for infected files, suspect files, and rootkits. For each file type except rootkits the action is layered: a default action, and a secondary action that is applied if the default action fails. The configuration options are shown below:

File type      | Default action                                   | If default action fails
---------------|--------------------------------------------------|-------------------------------------------------
Infected Files | Disinfect, Delete, Move to Quarantine, or Ignore | Disinfect, Delete, Move to Quarantine, or Ignore
Suspect Files  | Delete, Move to Quarantine, or Ignore            | Delete, Move to Quarantine, or Ignore
Rootkits       | Disinfect or Ignore                              | (not applicable)

NOTE: For information about remediation of scanned archive files, see About Scanned Archive Files.

3.5.5 Contextual Scan

The Contextual Scan option is always enabled in the policy. However, Antimalware Agent Notifications must be enabled with the Show icon in notification area setting also enabled. With these options enabled, endpoint users can run scans on folders in File Explorer via the right-click menu. If either option is disabled, the option is not present in the right-click menu.

For more information about these notification settings, see Agent Notifications and End User Options.

Scan Behavior

These settings provide flexibility for configuring the behavior details of files to be scanned. Enable or disable as applicable to your desired protection in relation to system performance.

  • Scan only new or changed files: This setting gives you an option that may improve system responsiveness with a minimum trade-off of security.

  • Scan boot sectors: Boot sectors contain the required code to start the boot process. An infection could disable the drive and prevent the system from starting.

  • Scan registry: This option scans the Windows Registry database that stores settings for operating system components.

  • Scan memory: This option scans programs that run in the system’s memory.

  • Scan for keyloggers: Keyloggers record the input from the device’s keyboard and can disclose sensitive information to hackers, including account numbers and passwords.

  • Scan for rootkits: Rootkits enable administrator-level access to the device with a primary function of hiding processes, files, logins, and logs. When combined with malware, they can be used to conceal the presence of intruders.

  • Scan cookies: This option scans cookies stored by browsers installed on the device.

  • Scan for Potentially Unwanted Applications (PUA): PUAs typically include undesirable programs that get installed on the device when bundled and downloaded with free software, often without the user’s consent.

  • Scan archives: Infected archive files are not an immediate threat and scanning them can be resource-intensive. Infected archive files are only a threat to the system if they are extracted from the archive and executed without having on-access scanning enabled.

    • Skip files larger than (MB): Only scans archive files that are equal to or smaller than the size specified here.

    • Maximum depth (levels): Defines the directory level depth that will be scanned, in increments of two.

  • Scan email archives: This option scans email files and databases, including the file formats of .eml, .msg, .pst, .dbx, .mbx, .tbb, and others.

    IMPORTANT: This scanning option is resource-intensive.

Remediate Actions

Configure the default remediation action for infected files, suspect files, and rootkits. For each file type except rootkits the action is layered: a default action, and a secondary action that is applied if the default action fails. The configuration options are shown below:

File type      | Default action                                   | If default action fails
---------------|--------------------------------------------------|-------------------------------------------------
Infected Files | Disinfect, Delete, Move to Quarantine, or Ignore | Disinfect, Delete, Move to Quarantine, or Ignore
Suspect Files  | Delete, Move to Quarantine, or Ignore            | Delete, Move to Quarantine, or Ignore
Rootkits       | Disinfect or Ignore                              | (not applicable)

NOTE: For information about remediation of scanned archive files, see About Scanned Archive Files.

3.5.6 Quarantine

Each device has a local quarantine. The quarantine is an encrypted folder that contains malware-infected or malware-suspected files that have been detected by a scan. Quarantined files cannot do any harm because they cannot be executed or read.

Files are moved to quarantine based upon the scan remediation actions defined in the policies assigned to a device.

Quarantined files are sent to the Malware Research Lab on a regular basis for analysis and the creation of disinfection routines. If new signatures are created that can disinfect these types of files, those signatures are included in the malware signature update, whereupon the quarantined file is disinfected and removed from quarantine.

All configurable options are enabled by default. For information about each option, see below:

  • Delete quarantined files older than (days): This setting deletes files that have stayed in quarantine for an extended period because malware signature updates have not provided a routine to disinfect them. It cannot be disabled. The default is 30 days. The configurable range is 1 to 180 days, in increments of one day.

  • Submit quarantined files and critical threat data to Malware Research Lab every (hours): You may want to configure this setting based on the volume of quarantined files you see, while also considering resource usage. Disabling this setting is not recommended. The default is every hour. The configurable range is every 1 to 24 hours, in increments of one hour.

  • Rescan quarantine after malware signature updates: This option is provided to disinfect quarantined files that could not be disinfected previously after a fix is included in a content update. Disabling this setting is not recommended. However, if your dashboard consistently shows low volume of quarantined files or the quarantined files are not essential to your daily operations, the flexibility is provided to disable the feature.

  • Copy files to quarantine before applying the disinfect action: This option is provided to prevent data loss in case of false positives. You can restore legitimate files from quarantine from the Antimalware page on a selected device.

  • Allow users to take action on local quarantine: Enables endpoint users to restore or delete files quarantined on their devices via Endpoint Security Agent Actions in the ZENworks Agent.

3.5.7 Exclusions

Scan exclusions can include both built-in file exclusions and custom exclusions. Built-in exclusions include Windows directories recommended for exclusion by Microsoft and some ZENworks directories. However, ZENworks built-in exclusions are not controlled by this setting. These built-in items will not be scanned for the scan types you configure in the policy. Scan types include On-Access, Full, Quick, and Contextual scans.

For information about Microsoft recommended exclusions for Windows, see Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows.

Custom exclusions can include file exclusions added directly in the Custom Exclusions panel, exclusions implemented by assigned Antimalware Exclusion policies, or a combination of both. Scan types include On-Access, Full, Quick, External Device, and Contextual scans. Scan exclusion types are designated as File, Folder, Extension, or Process.

  • Built-in Exclusions: Select the types of scans for which the built-in exclusions apply.

  • Custom Exclusions: Select whether to apply Antimalware Exclusion policies assigned to the device, custom exclusions, or both.

    To add custom exclusions, click New after enabling custom exclusions, then complete and save the configuration items in the New Exclusion dialog box for each exclusion that you add. The criteria required for the Exclusion field of each exclusion type are provided below:

    • File, Folder, and Process:

      • Enter a path. For example:

        - Explicit: Used for exclusions in the on-demand scan types, Full, Quick, External Device, and Contextual, which are only applicable to local drives (fixed and removable), not on network mapped drives.

        • Folder: C:\temp

        • File: E:\temp\Myfile.txt

        - UNC path: Used for exclusions in the On-Access and Network scan types only. These path types are ignored if used for on-demand scans. To ensure the path works in all environments, it is recommended that you enter the path using both formats.

        • \\hostName\shareName\filePath

        • \\IPaddress\shareName\filePath

        NOTE: An exclusion path for an On-Access Scan can include any file path the end user has rights to access.

      • Enter an environment variable. For example: %ProgramFiles%

      • Enter a wildcard. Use an asterisk (*) or double asterisk (**) to substitute for zero or more characters. Use a question mark (?) to substitute for exactly one character. Use several question marks to define any combination of a specific number of characters; for example, ??? substitutes for any combination of exactly three characters. Examples:

        • File exclusion in a location: C:\Test\* or C:\Test\*.png

          (excludes all files from the Test folder)

        • File exclusion in any location: **\example.txt

          (excludes any file named example.txt regardless of its location on the device)

        • Folder exclusion: C:\Test\*

          (excludes all folders from the Test folder)

        • Process exclusion:

          C:\Program Files\WindowsApps\Microsoft.Not??.exe

          (excludes the Microsoft Notes processes)

      NOTE: Process type exclusions require the name of the executable file, which can also include file names with wildcard characters.

    • Extension: Enter one or more file extensions to be excluded from scanning, separated by a semicolon “;”. You can enter extensions with or without the preceding dot. For example:

      txt or .txt
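Because an over-broad exclusion silently removes files from every scan type it applies to, it is worth checking candidate exclusions against real paths before republishing the policy. The following Python script is an added example, not ZENworks code and not the agent's actual matching implementation: it models the File, Folder, Process, and Extension exclusion types described above, the semicolon-separated extension format, and the rule that UNC paths are ignored by on-demand scans. It assumes wildcard semantics the page only implies (an asterisk or question mark never crosses a path separator, a double asterisk does, and matching is case-insensitive), expands %VAR% tokens from a constructed environment dictionary, and uses a constructed exclusion set built from the page's own examples.

```python
"""Model of antimalware scan-exclusion matching (added example, not ZENworks code)."""
import re

# On-demand scan types per the Exclusions section; UNC exclusions are ignored for these.
ON_DEMAND_SCANS = {"Full", "Quick", "External Device", "Contextual"}

# Constructed environment used to expand %VAR% tokens offline (assumption).
SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files", "WINDIR": r"C:\Windows"}


def expand_env(path, env=SAMPLE_ENV):
    """Replace %NAME% tokens from env; unknown names are left untouched."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%\\]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def parse_extensions(field):
    """'txt; .LOG;;' -> {'txt', 'log'}: semicolon-separated, dot optional, case ignored."""
    return {e.strip().lstrip(".").lower() for e in field.split(";") if e.strip(" .")}


def pattern_to_regex(pattern):
    """Translate the wildcard syntax (*, **, ?) into an anchored, case-insensitive regex."""
    pattern = expand_env(pattern).replace("/", "\\")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(r".*")        # assumption: '**' may span directory boundaries
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append(r"[^\\]*")    # assumption: '*' stays inside one path component
        elif c == "?":
            out.append(r"[^\\]")     # '?' is exactly one character
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def applies_to(exclusion, scan_type):
    """An exclusion applies only to its selected scan types; UNC paths never apply to on-demand scans."""
    if scan_type not in exclusion["scans"]:
        return False
    if exclusion["value"].startswith("\\\\") and scan_type in ON_DEMAND_SCANS:
        return False
    return True


def _prefixes(path):
    """Yield every ancestor of a path, from the drive down to the path itself."""
    parts = path.split("\\")
    for n in range(1, len(parts) + 1):
        yield "\\".join(parts[:n])


def is_excluded(path, exclusions, scan_type, process=None):
    """True if any applicable exclusion covers the file, or the process accessing it."""
    path = path.replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for ex in exclusions:
        if not applies_to(ex, scan_type):
            continue
        kind, value = ex["type"], ex["value"]
        if kind == "Extension" and ext in parse_extensions(value):
            return True
        if kind == "File" and pattern_to_regex(value).match(path):
            return True
        if kind == "Folder":
            rx = pattern_to_regex(value.rstrip("\\"))
            if any(rx.match(p) for p in _prefixes(path)):  # folder and everything beneath it
                return True
        if kind == "Process" and process and pattern_to_regex(value).match(process):
            return True
    return False


# Constructed exclusion set built from the examples in the Exclusions section.
EXCLUSIONS = [
    {"type": "Folder", "value": r"C:\temp", "scans": {"Full", "On-Access"}},
    {"type": "File", "value": r"**\example.txt", "scans": {"Full", "On-Access"}},
    {"type": "File", "value": r"C:\Test\*.png", "scans": {"Full"}},
    {"type": "Folder", "value": r"%ProgramFiles%", "scans": {"Full"}},
    {"type": "Process", "value": r"C:\Program Files\WindowsApps\Microsoft.Not??.exe",
     "scans": {"On-Access"}},
    {"type": "Extension", "value": "txt; .LOG", "scans": {"Quick"}},
    {"type": "File", "value": r"\\fileserver\share\build\*.dll", "scans": {"Full", "On-Access"}},
]

if __name__ == "__main__":
    # Constructed sample paths: shows that '*' does not reach into subfolders but '**' does.
    for path, scan in [(r"C:\Test\pic.png", "Full"), (r"C:\Test\sub\pic.png", "Full"),
                       (r"D:\Users\alice\example.txt", "On-Access"),
                       (r"\\fileserver\share\build\core.dll", "Full")]:
        verdict = "excluded" if is_excluded(path, EXCLUSIONS, scan) else "scanned"
        print(f"{scan:10} {path}: {verdict}")
```

Run the script to see how the same exclusion list behaves differently per scan type: the UNC entry excludes the share's DLLs from On-Access scanning but, following the rule above, is ignored by the Full scan, and C:\Test\*.png leaves files in subfolders of Test scanned. Reviewing a proposed exclusion list this way, against the paths it is meant to cover and a few it is not, is a quick check that the policy excludes no more than intended.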