The Antimalware Enforcement Policy enables you to configure and deploy the Antimalware Agent to Windows managed devices (servers and clients) to protect against malware threats in your zone. This policy is the primary enforcer of the ZENworks Endpoint Security Antimalware capability, which protects managed devices from malware threats by performing on-access and on-demand scans on those devices. This policy is required to use an Antimalware Scan Exclusions, Custom Scan, or Network Scan policy. Policy defaults are automatically set in the policy during policy creation.
You can initiate creation and deployment of the Antimalware Enforcement Policy from the Policies page or from the Protecting Against Malware page in Security > Getting Started. Only one Antimalware Enforcement policy is enforced on a device. If multiple policies are assigned, the standard policy resolution methods are used to determine which policy is "closest" to the device and is therefore applied. Several of the more granular settings when creating a new policy are preset based on the higher-level settings you choose in the Policy wizard. To see or customize the granular settings, open the policy from the Policies page after policy creation and click the Details tab.
NOTE:Before you assign and publish the Antimalware Enforcement Policy to devices, ensure that all pre-existing antimalware or antivirus software is removed from those devices. This includes completing any required reboots from software removal. For more information about prerequisites to installing the Antimalware Agent, see Agent Installation Requirements.
For information about modifying or customizing the policy after policy creation, see Antimalware Enforcement Policy.
The following instructions assume that you are on the Configure On-Access Scanning page in the Create New Antimalware Enforcement Policy wizard. For information about creating policies in general or the common steps in policy creation, see Creating Security Policies
in the ZENworks Endpoint Security Policies Reference.
You can retain the most balanced approach between security and system performance by retaining the default setting of Normal or configure on-access scans with greater security or with greater performance by choosing Aggressive or Permissive, respectively. Once the policy is created, you will have the option to make more specific configuration changes through the Details tab on the selected policy. Although not recommended, you can also disable on-accessing scanning altogether.
The descriptions below are the same shown for each scan level when selected in the page. They are also provided here in aggregate for comparison.
Aggressive: Provides advanced security with moderate use of resources. Scans all files accessed from local and network drives including archived and lower risk files.
Normal: Provides best balance between security and performance. Scans all files accessed from local drives and application files accessed from network drives. Does not scan archived and lower risk files.
Permissive: Provides basic security with reduced use of resources. Scans application files accessed from local drives and incoming emails. Does not scan lower risk files, spyware, and less dangerous types of malware. This option is recommended only for use on devices with resource limitations.
All on-demand scanning options are enabled by default. Familiarize yourself with the descriptions for the different options in the policy wizard page to make informed decisions on how to tailor on-demand scans to your enterprise needs. After the policy is created, you can customize the settings for these scans as needed, including disabling or enabling the different scan options provided in the page.
To configure how often Full and Quick scans run, navigate to Configuration > Security > Antimalware Agent Schedules. The default options are as follows:
Full Scan: New installation set to run a full scan once weekly.
Quick Scan: New installation set to run a quick daily scan, 6 out of 7 days of the week.
For information about configuring the schedules, see Antimalware Agent Schedules.
Each device has a local quarantine. The quarantine is an encrypted folder that contains malware-infected or malware-suspected files that have been detected by a scan. Quarantined files cannot do any harm because they cannot be executed or read.
Files are moved to quarantine based upon the scan remediation actions defined in the policies assigned to a device.
Quarantined files are sent to the Malware Research Lab on a regular basis to analyze and create routines for disinfection. If new signatures are created that can disinfect these types of files, those signatures will be included in the malware signature update, whereupon, the quarantined file will get disinfected and removed from quarantine.
All configurable options are enabled by default. For information about each option, see below:
Delete quarantined files older than (days): This setting is provided to delete files that stay in quarantine for an extended period of time because the malware signatures updates have not provided a routine to disinfect the quarantined files. It cannot be disabled. The default setting to delete files is 30 days. The range for configuration is in increments from 1 to 180 days.
Submit quarantined files and critical threat data to Malware Research Lab every (hours): You may want to configure this setting based on the amount of activity you get for quarantined files, while also considering conserving resources. Disabling this setting is not recommended. The default setting is every hour. The range for configuration is incremental from 1 to every 24 hours.
Rescan quarantine after malware signature updates: This option is provided to disinfect quarantined files that could not be disinfected previously after a fix is included in a content update. Disabling this setting is not recommended. However, if your dashboard consistently shows low volume of quarantined files or the quarantined files are not essential to your daily operations, the flexibility is provided to disable the feature.
Copy files to quarantine before applying the disinfect action: This option is provided to prevent data loss in case of false positives. You can restore legitimate files from quarantine from the Antimalware page on a selected device.
Allow users to take action on local quarantine: Enables endpoint users to restore or delete files quarantined on their devices via Endpoint Security Agent Actions in the ZENworks Agent.
Scan exclusions can include both built-in file exclusions and custom exclusions. Built-in exclusions include Windows directories recommended for exclusion by Microsoft and some ZENworks directories. However, ZENworks built-in exclusions are not controlled by this setting. These built-in items will not be scanned for the scan types you configure in the policy. Scan types include, On-Access, Full, Quick, and Contextual scans.
For information about Microsoft recommended exclusions for Windows, see Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows.
Custom exclusions can include file exclusions added directly in the Custom Exclusions panel, exclusions implemented by assigned Antimalware Exclusion policies, or a combination of both. Scan types include, On-Access, Full, Quick, External Device, and Contextual scans. Scan Exclusion types are designated as File, Folder, Extension, or Process.
For more detailed information about configuring exclusions in this policy after you create the policy, see Exclusions.
You can only assign Antimalware policies to devices. They cannot be assigned to users. For information about assigning and publishing Endpoint Security policies, see the topics below in the ZENworks Endpoint Security Policies Reference: