3.13 Antimalware

ZENworks Endpoint Security Antimalware is a capability available in the ZENworks Endpoint Security Management product. The following sections provide information you should understand and consider as you design your Antimalware implementation:

3.13.1 Antimalware Agent

The Antimalware Agent, or scan engine, detects malware threats on a device and remediates those threats. There are decisions you need to make related to the installation, update, re-registration, and uninstall workflows.

Incompatibility with other Security Software

The Antimalware Agent is not compatible with other antimalware or antivirus security software. Running the ZENworks Antimalware Agent simultaneously with other security software on an endpoint device may affect their operation and cause problems with the system.

Best practice would be to ensure that no other antimalware/antivirus solution is on the endpoint before installing the Antimalware Agent. To assist with this, the Antimalware Agent does the following during installation:

  • On Windows 10, checks to see if another antimalware/antivirus solution is registered with Windows Security for virus and threat protection. If so, the installation fails and an error is returned to ZENworks Control Center.

  • On Windows Server (all supported versions), no check is made. With servers, the expectation is that you have complete control over what is running and can ensure that no other antimalware/antivirus solution is installed.

  • On all endpoints, Windows Defender is disabled during installation.

Installation

The Antimalware Agent installation package is approximately 750 MB. By default, the agent is downloaded and installed on a device during enforcement of the Antimalware Enforcement policy. Download and installation is done at enforcement time to make it easy to set up Antimalware in a small ZENworks zone or a test zone environment.

In a production zone with a large number of devices, you should not download and install the agent during policy enforcement, because doing so can overload the ZENworks server and consume excessive network bandwidth. Instead, schedule the installation using one of the following best practices:

  • Antimalware Agent Installation Schedule: You can modify the agent installation schedule for device folders or individual devices to randomize the download and installation time. The agent installation schedule allows for both daily and monthly schedules with start and end times that provide randomization within the installation window. For example, you could choose to install the agent on a specific day between set start and end times, such as Tuesday between 9:00 am and 6:00 pm. By using a start and end time, the agent installation is randomized across the target devices during the designated installation period. For instructions, see Security Settings in the ZENworks Management Zone Settings Reference.

  • Staged Policy Rollout: Rather than assign the Antimalware Enforcement policy to all devices at one time, assign the policy to smaller, targeted device groups to stage the rollout of the Antimalware Agent. For example, rather than assign the policy to the Windows 10 Workstations dynamic group that includes all Windows 10 workstations, create smaller device groups based on logical groupings such as organizations or departments and stage the rollout to those groups. Or use existing device folder structures to accomplish the same purpose.

ZENworks servers are configured to use one-third (1/3) of their Tomcat thread count for content download. The default thread count is 1000, which means that approximately 350 devices could successfully download the agent from one server at one time. This is an approximation and could vary depending on server hardware and network performance. For information about tuning the maximum number of Tomcat threads used, see Maximum HTTPS Tomcat Threads.
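The following is an added example, not part of the ZENworks documentation, that turns the sizing guidance above into a rollout check: it takes the page's figures (a roughly 750 MB package, one-third of the Tomcat threads reserved for content download, 1000 threads by default) and estimates whether a randomized installation window keeps a staged group within both the thread budget and the server uplink. The per-device download rate, uplink capacity, window length and device counts are constructed assumptions.

```python
"""Capacity check for a randomized Antimalware Agent installation window (added example).
Page figures: ~750 MB package, 1/3 of Tomcat threads for content download, 1000 threads
by default. Download rate, uplink, window length and device counts are assumptions."""
import math
from dataclasses import dataclass

PACKAGE_MB = 750              # approximate Antimalware Agent package size (from the page)
CONTENT_THREAD_SHARE = 1 / 3  # share of Tomcat threads used for content download (from the page)

def content_download_capacity(tomcat_threads: int = 1000, servers: int = 1) -> int:
    """Concurrent downloads the zone can serve (the page rounds 333 to ~350 per server)."""
    return servers * int(tomcat_threads * CONTENT_THREAD_SHARE)

def download_seconds(per_device_mbps: float) -> float:
    """Seconds one device needs to pull the package at the given rate (Mbit/s)."""
    return PACKAGE_MB * 8 / per_device_mbps

def expected_concurrent(devices: int, window_hours: float, per_device_mbps: float) -> float:
    """Mean simultaneous downloads when start times are spread uniformly over the window
    (Little's law: arrival rate x download time); actual peaks run somewhat higher."""
    return devices * download_seconds(per_device_mbps) / (window_hours * 3600)

@dataclass
class RolloutPlan:
    capacity: int          # concurrent downloads the servers' thread budget allows
    expected_peak: float   # mean concurrent downloads for this window
    thread_bound: bool     # True if the thread budget is exceeded
    bandwidth_bound: bool  # True if the server uplink is saturated
    groups_needed: int     # staged device groups so that each fits both limits

def plan_rollout(devices: int, window_hours: float, per_device_mbps: float,
                 uplink_mbps: float, tomcat_threads: int = 1000, servers: int = 1) -> RolloutPlan:
    cap = content_download_capacity(tomcat_threads, servers)
    peak = expected_concurrent(devices, window_hours, per_device_mbps)
    # Downloads the uplink can sustain at once; the tighter of the two limits wins.
    effective_cap = min(cap, uplink_mbps / per_device_mbps)
    per_window = int(effective_cap * window_hours * 3600 / download_seconds(per_device_mbps))
    return RolloutPlan(capacity=cap, expected_peak=peak, thread_bound=peak > cap,
                       bandwidth_bound=peak * per_device_mbps > uplink_mbps,
                       groups_needed=max(1, math.ceil(devices / per_window)))

if __name__ == "__main__":
    # Constructed scenario: 5000 workstations, Tuesday 9:00-18:00 window, 20 Mbit/s per device.
    print(plan_rollout(5000, 9, 20, uplink_mbps=1000))
```

When `groups_needed` is greater than one, split the assignment into that many device groups (or folders), each with its own window, as the staged rollout practice above describes.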

Update

The Antimalware Agent performs two types of updates:

  • Agent Updates: This updates the scan engine and related Antimalware Agent files. The default schedule causes the Antimalware Agent to check for agent updates every four hours. This ensures that the agent receives an update shortly after it is released. Increasing the schedule interval can reduce network traffic, but Micro Focus recommends that you not increase the interval beyond a week.

    Be aware that increasing the agent update intervals does affect how quickly the Antimalware Agent is updated after initial installation. If you want to increase the schedule but have the Antimalware Agent still update after installation, you can use the Update Antimalware Agent quick task in ZENworks Control Center to force updates after the agent installation is complete.

    For instructions about how to change the agent update schedule, see Antimalware Agent Schedules in the ZENworks Endpoint Security Antimalware Reference.

  • Malware Signature Updates: This updates the Antimalware Agent’s database of known malware signatures. The default schedule causes the agent to check for signature updates every hour. Because signature updates can occur multiple times per day, Micro Focus recommends that you not increase this interval beyond a daily check (i.e., every 24 hours).

    Because malware signature updates are more critical than agent updates, a signature update is performed immediately after the agent installation is complete.

    For instructions about how to change the malware signature update schedule, see Antimalware Agent Schedules in the ZENworks Endpoint Security Antimalware Reference.

Uninstall

The Antimalware Agent is automatically uninstalled when the following occurs:

  • ZENworks Agent Uninstalled: When the ZENworks Agent is removed from a device, the Antimalware Agent is also removed.

  • Antimalware Enforcement Policy Unassigned: When the Antimalware Enforcement policy is unassigned from a device and the device receives the assignment change during the next ZENworks Agent refresh, the Antimalware Agent is uninstalled from the device. The uninstall is delayed 10 minutes to ensure that the assignment removal was intentional.

    You can use the ZAV.UninstallWindow system variable in ZENworks Control Center to increase the uninstall delay at the zone level for all devices (Configuration > Management Zone Settings > Device Management > System Variables), for a device folder (folder > Settings > Device Management > System Variables), or for an individual device (device > Settings > Device Management > System Variables). The value is in minutes; for example, ZAV.UninstallWindow with a value of 60 increases the delay to one hour.

The zac malware-remove-agent (mr) command can also be used on a device to uninstall the Antimalware Agent. The command requires ZENworks administrator credentials. In addition, if the Antimalware Enforcement policy has not also been removed from the device, the Antimalware Agent will be reinstalled at the next refresh to comply with the policy.

Unregistration/Reregistration

The Antimalware Agent remains installed when a device is unregistered from its ZENworks management zone.

If the device is registered to a new zone or reregistered with its old zone, one of the following occurs:

  • If the device has an Antimalware Enforcement policy assignment in the zone, the Antimalware Agent remains installed.

  • If the device does not have an Antimalware Enforcement policy assignment, the Antimalware Agent is removed after the 10-minute delay.

If a device is unregistered and will not be reregistered, the zac malware-remove-agent (mr) command can be used to uninstall the Antimalware Agent. The command requires ZENworks administrator credentials.

3.13.2 Ondemand Content System

For more information, see Ondemand Content System.

3.13.3 Antimalware Database

ZENworks Endpoint Security Antimalware requires its own database, separate from the ZENworks database, ZENworks Audit database, or optional Vertica database. The database stores Antimalware-related data such as detected malware threats and current malware status for devices.

Unlike the ZENworks database and the ZENworks Audit database, the Antimalware database is not created during system installation. It is created as part of the setup process when you decide to use Antimalware.

Database Requirements

The Antimalware database must be the same database type (PostgreSQL, MSSQL, or Oracle) as your ZENworks database.

For information about the database’s disk space and memory requirements, see ZENworks Antimalware Database Sizing.

Database Synchronization

The Antimalware database requires data (such as devices, policies, assignments, and configuration settings) to be synced to it from the ZENworks database. This data is required in order to correctly associate malware data with devices and display the data in ZENworks Control Center.

The data synchronization is implemented through a Change Data Capture (CDC) mechanism that uses Apache Kafka to stream data between the two databases. Apache Kafka is supported on Linux platforms only, which means that you must have a Linux Primary Server to use Antimalware.

If you do not already have a Primary Server on Linux, Micro Focus recommends that you use the ZENworks Virtual Appliance. The Appliance is built on a customized SUSE Linux Enterprise Server (SLES) distribution and comes pre-installed with ZENworks. The Appliance can be deployed on VMware ESXi, Microsoft Hyper-V Server, XEN on SLES, and Citrix XenServer. For detailed requirements and installation instructions, see the ZENworks Appliance Deployment and Administration Reference.

The CDC requires no special consideration during the Antimalware design process. However, there are settings you can use to tune its performance. See Tuning Antimalware Database Synchronization for details.

3.13.4 Antimalware Event Processing

Whenever a malware threat is detected or a malware scan is run, the Antimalware Agent reports the event to the ZENworks server so that the malware threat and device status can be monitored in ZENworks Control Center.

Antimalware event files are rolled up via the Collection system. Every 5 minutes, the ZENworks Agent transfers any generated Antimalware events to its designated Collection Server, as determined by its closest Collection Server list. If this is a Primary Server, the server’s Antimalware Service processes the event files and adds the events to the Antimalware database. If the Collection Server is a Satellite, it rolls the event files up to its parent Primary Server according to its Collection Roll-Up Schedule, which is every 2 hours by default. The Primary Server then adds the events to the Antimalware database.

Satellite Collection Roll-Up Schedule Recommendation

Micro Focus recommends that you keep your Satellite’s Collection Roll-Up Schedules to no more than every 2 hours. Longer intervals will result in delays reporting detected malware threats and device status to ZENworks Control Center.

Antimalware Service

As mentioned previously, the Antimalware service runs on Primary Servers and is responsible for processing Antimalware event files into the Antimalware database. On Linux Primary Servers, the service is a dockerized microservice. On Windows Primary Servers, it is an application microservice.

The Antimalware service listens on port 61100 (web server) and port 61195 (JMX).

In general, there are no design considerations for the Antimalware service. The service is configured (including opening the required ports) and started when you perform the Antimalware setup. For performance tuning details, see Tuning the Antimalware Service.