3.13 Antimalware

ZENworks Endpoint Security Antimalware is a capability available in the ZENworks Endpoint Security Management product. The following sections provide information you should understand and consider as you design your Antimalware implementation:

3.13.1 Antimalware Agent

The Antimalware Agent, or scan engine, detects malware threats on a device and remediates those threats. There are decisions you need to make related to the installation, update, re-registration, and uninstall workflows.

Incompatibility with other Security Software

The Antimalware Agent is not compatible with other antimalware or antivirus security software. Running the ZENworks Antimalware Agent simultaneously with other security software on an endpoint device may affect their operation and cause problems with the system.

Best practice is to ensure that no other antimalware/antivirus solution is on the endpoint before installing the Antimalware Agent. To assist with this, the Antimalware Agent does the following during installation:

  • On Windows 10, checks to see if another antimalware/antivirus solution is registered with Windows Security for virus and threat protection. If so, the installation fails and an error is returned to ZENworks Control Center.

  • On Windows Server (all supported versions), no check is made. With servers, the expectation is that you have complete control over what is running and can ensure that no other antimalware/antivirus solution is installed.

  • On all endpoints, Windows Defender is disabled during installation.

Installation

The Antimalware Agent installation package is approximately 750 MB. By default, the agent is downloaded and installed on a device during enforcement of the Antimalware Enforcement policy. Download and installation are done at enforcement time to make it easy to set up Antimalware in a small ZENworks zone or a test zone environment.

In a production zone with a large number of devices, you should not download and install the agent during policy enforcement. Doing so can cause issues with both ZENworks server load and network bandwidth consumption. Instead, use a scheduled installation following one of these best practices:

  • Antimalware Agent Installation Schedule: You can modify the agent installation schedule for device folders or individual devices to randomize the download and installation time. The agent installation schedule allows for both daily and monthly schedules with start and end times that provide randomization within the installation window. For example, you could choose to install the agent on a specific day between set start and end times (for example, Tuesday between 9:00 am and 6:00 pm). By using a start and end time, the agent installation is randomized across the target devices during the designated installation period. For instructions, see Security Settings in the ZENworks Management Zone Settings Reference.

  • Staged Policy Rollout: Rather than assign the Antimalware Enforcement policy to all devices at one time, assign the policy to smaller, targeted device groups to stage the rollout of the Antimalware Agent. For example, rather than assign the policy to the Windows 10 Workstations dynamic group that includes all Windows 10 workstations, create smaller device groups based on logical groupings such as organizations or departments and stage the rollout to those groups. Or use existing device folder structures to accomplish the same purpose.

ZENworks servers are configured to use one-third (1/3) of their Tomcat thread count for content download. The default thread count is 1000, which means that roughly 330 devices could successfully download the agent from one server at one time. This is an approximation and could vary depending on server hardware and network performance. For information about tuning the maximum number of Tomcat threads used, see Maximum HTTP / HTTPS Tomcat Threads.

Update

The Antimalware Agent performs two types of updates:

  • Agent Updates: This updates the scan engine and related Antimalware Agent files. The default schedule causes the Antimalware Agent to check for agent updates every four hours. This ensures that the agent receives an update shortly after it is released. Increasing the schedule interval can reduce network traffic, but Micro Focus recommends that you not increase the interval beyond a week.

    Be aware that increasing the agent update intervals does affect how quickly the Antimalware Agent is updated after initial installation. If you want to increase the schedule but have the Antimalware Agent still update after installation, you can use the Update Antimalware Agent quick task in ZENworks Control Center to force updates after the agent installation is complete.

    For instructions about how to change the agent update schedule, see Antimalware Agent Schedules in the ZENworks Endpoint Security Antimalware Reference.

  • Malware Signature Updates: This updates the Antimalware Agent’s database of known malware signatures. The default schedule causes the agent to check for signature updates every hour. Because signature updates can occur multiple times per day, Micro Focus recommends that you not increase this interval beyond a daily check (i.e., every 24 hours).

    Because malware signature updates are more critical than agent updates, a signature update is performed immediately after the agent installation is complete.

    For instructions about how to change the malware signature update schedule, see Antimalware Agent Schedules in the ZENworks Endpoint Security Antimalware Reference.

Uninstall

The Antimalware Agent is automatically uninstalled when the following occurs:

  • ZENworks Agent Uninstalled: When the ZENworks Agent is removed from a device, the Antimalware Agent is also removed.

  • Antimalware Enforcement Policy Unassigned: When the Antimalware Enforcement policy is unassigned from a device and the device receives the assignment change during the next ZENworks Agent refresh, the Antimalware Agent is uninstalled from the device. The uninstall is delayed 10 minutes to ensure that the assignment removal was intentional.

    You can use the ZAV.UninstallWindow system variable in ZENworks Control Center to increase the uninstall delay at the zone level for all devices (Configuration > Management Zone Settings > Device Management > System Variables), at the device folder level (folder > Settings > Device Management > System Variables), or at the device level (device > Settings > Device Management > System Variables). The value is in minutes; for example, ZAV.UninstallWindow with a value of 60 increases the delay to one hour.

The zac malware-remove-agent (mr) command can also be used on a device to uninstall the Antimalware Agent. The command requires ZENworks administrator credentials. In addition, unless the Antimalware Enforcement policy is also unassigned from the device, the Antimalware Agent will be reinstalled at the next refresh to comply with the policy.

Unregistration/Reregistration

The Antimalware Agent remains installed when a device is unregistered from its ZENworks management zone.

If the device is registered to a new zone or reregistered with its old zone, one of the following occurs:

  • If the device has an Antimalware Enforcement policy assignment in the zone, the Antimalware Agent remains installed.

  • If the device does not have an Antimalware Enforcement policy assignment, the Antimalware Agent is removed after the 10 minute delay.

If a device is unregistered and will not be reregistered, the zac malware-remove-agent (mr) command can be used to uninstall the Antimalware Agent. The command requires ZENworks administrator credentials.

3.13.2 Ondemand Content System

Antimalware content consists of malware signature updates and Antimalware Agent updates. Unlike other ZENworks content, Antimalware content is pulled “ondemand” through the ZENworks system of Content Servers (Primaries and Satellites).

The Antimalware Agent initiates requests for content and each request moves upstream through the Content Server channels until the request can be fulfilled by a Content Server. Unfulfilled requests continue upstream until they reach a Primary Server functioning as an Ondemand Content Master. If the Ondemand Content Master does not have the requested content, it contacts the external Antimalware cloud service to request the content.

There are decisions you need to make regarding your Ondemand Content flow to ensure best performance within your network environment:

Ondemand Content Masters

Ondemand Content Masters (OCMs) are the ZENworks Primary Servers assigned to request Antimalware content from the external Antimalware cloud service. During initial Antimalware configuration, one Primary Server is designated as the Antimalware Server to perform Antimalware-related maintenance tasks for the system. By default, this Antimalware Server is also designated as an OCM.

You can have a single OCM or multiple OCMs depending on bandwidth and geographic needs. Not all Primary Servers must be OCMs. Any Primary Server that is not an OCM will contact an OCM when it does not already have the requested content.

OCM Requirements

An Ondemand Content Master must:

  • Have firewall access to the following external Antimalware cloud service URL:

    https://microfocus-2dcb60a8-26c9-4560-9cc2-34a16ea5f6e6.2d7dd.cdn.bitdefender.net

    If a proxy server is required for external access, the ODCExternalConfig.json file on the OCM must be configured with the proxy server details. For instructions, see Ondemand Content Master - Requirements in the ZENworks Ondemand Content Reference.

  • Have at least 10 GB of free disk space. By default, an OCM is configured to:

    • Use a maximum of 1000 GB of disk space

    • Not use the last 4 GB of free disk space

    • Clean up unused content after 30 days

    If the OCM has less than 4 GB of free disk space when it tries to cache requested content, it will delete older cached content to make room for the new content. If there is no cached content to delete, content requests will fail because it will not use the last 4 GB of free disk space. Therefore, Micro Focus recommends a minimum of 10 GB of free disk space. The maximum cache size, minimum disk space, and content retention period are all configurable. For configuration instructions see Ondemand Content Configuration in the ZENworks Ondemand Content Reference.

Content Server Requirements

Every Content Server (Primary Server or Satellite Content Server) can serve ondemand content. To do so, a Content Server must:

  • Have at least 10 GB of free disk space. By default, a Content Server is configured to:

    • Use a maximum of 1000 GB of disk space for ondemand content

    • Not use the last 4 GB of free disk space for ondemand content

    • Clean up unused ondemand content after 30 days

    If a Content Server has less than 4 GB of free disk space when it tries to cache requested content, it will delete older cached content to make room for the new content. If there is no cached content to delete, content requests will fail because it will not use the last 4 GB of free disk space. Therefore, Micro Focus recommends a minimum of 10 GB of free disk space. The maximum cache size, minimum disk space, and content retention period are all configurable. For configuration instructions see Ondemand Content Configuration in the ZENworks Ondemand Content Reference.

  • Use SSL. Primary Servers automatically use SSL for content. However, Satellite Content Servers do not use SSL for content by default, so SSL must be enabled on them explicitly. For instructions, see Content Role in the ZENworks Primary Server and Satellite Reference.

Ondemand Content Settings

By default, all Content Servers (Primary Servers, Satellites, and OCMs) have the following Ondemand Content settings:

  • Schedule and Throttling: Content can be downloaded from an upstream source at any time without any bandwidth restrictions.

  • Maximum Cache Size: The Content Server can use up to 1000 GB of disk space for ondemand content.

  • Minimum Free Disk Space: The Content Server will not use the last 4 remaining GB of disk space.

  • Content Retention: The Content Server cleans up unused ondemand content after 30 days.

  • Cached File Time to Live (TTL): There are two types of files with different times to live. Micro Focus recommends not modifying the settings unless you are experiencing bandwidth issues. Increasing the TTL will reduce bandwidth usage but can result in stale, outdated content.

    • Antimalware Metadata: These files represent the types of Antimalware content - malware signature updates and agent updates. The default TTL is 10 minutes, which means that when a request comes in for an update, if the metadata files are older than 10 minutes (i.e. they are stale) then the Content Server requests new update content from its upstream sources.

    • Antimalware Content: These files are the actual update content referenced by the metadata. The default TTL is 7 days.

For information about changing the Ondemand Content settings, see Ondemand Content Configuration in the ZENworks Ondemand Content Reference.
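The cache rules described in the OCM Requirements, Content Server Requirements, and Ondemand Content Settings sections above (maximum cache size, minimum free disk space, content retention, and the two TTLs) interact in ways that are easier to see in code than in prose. The following is an added model written for this page; it is not ZENworks code and does not reflect how the product implements its cache internally. It assumes least-recently-used eviction when space is needed (the text only says "older cached content" is deleted) and takes the defaults from the text: 1000 GB maximum, 4 GB minimum free, 30-day retention, 10-minute metadata TTL and 7-day content TTL. The disk sizes and file names are constructed sample values.

```python
"""Model of the Ondemand Content cache policy: max cache size, minimum free
disk space, content retention, and per-type TTL. Added example, not ZENworks
code; eviction order (least recently used) is an assumption."""
from dataclasses import dataclass, field

GB = 1024 ** 3
DAY = 86_400

# Defaults stated in the text: metadata TTL 10 minutes, content TTL 7 days.
DEFAULT_TTL = {"metadata": 10 * 60, "content": 7 * DAY}


@dataclass
class CachedFile:
    name: str
    kind: str           # "metadata" or "content"
    size: int           # bytes
    fetched_at: float   # when it was last pulled from upstream
    last_used: float    # when a downstream request last touched it


@dataclass
class OndemandCache:
    disk_total: int                       # bytes on the volume (constructed)
    used_elsewhere: int                   # bytes held by everything else
    max_cache: int = 1000 * GB            # Maximum Cache Size default
    min_free: int = 4 * GB                # Minimum Free Disk Space default
    retention: float = 30 * DAY           # Content Retention default
    ttl: dict = field(default_factory=lambda: dict(DEFAULT_TTL))
    files: dict = field(default_factory=dict)
    upstream_fetches: list = field(default_factory=list)   # log of upstream pulls

    def cache_bytes(self) -> int:
        return sum(f.size for f in self.files.values())

    def free_bytes(self) -> int:
        return self.disk_total - self.used_elsewhere - self.cache_bytes()

    def is_stale(self, name: str, now: float) -> bool:
        """Missing, or older than the TTL for its kind (10 min / 7 days)."""
        f = self.files.get(name)
        return f is None or now - f.fetched_at > self.ttl[f.kind]

    def request(self, name: str, kind: str, size: int, now: float) -> str:
        """Serve a request; returns "cache" or "upstream". Raises when the
        minimum-free-disk rule cannot be met even after evicting everything."""
        if not self.is_stale(name, now):
            self.files[name].last_used = now
            return "cache"
        self.files.pop(name, None)           # a stale copy is replaced, not kept
        if not self._make_room(size):
            raise RuntimeError(f"cannot cache {name}: would dip below "
                               f"{self.min_free // GB} GB free and nothing to evict")
        self.files[name] = CachedFile(name, kind, size, now, now)
        self.upstream_fetches.append(name)
        return "upstream"

    def _make_room(self, size: int) -> bool:
        """Evict least-recently-used files until both limits hold."""
        def fits() -> bool:
            return (self.cache_bytes() + size <= self.max_cache
                    and self.free_bytes() - size >= self.min_free)
        while not fits():
            if not self.files:
                return False                 # the failure mode the text warns about
            victim = min(self.files.values(), key=lambda f: f.last_used)
            del self.files[victim.name]
        return True

    def cleanup(self, now: float) -> list:
        """Content Retention: drop files unused for longer than `retention`."""
        expired = [n for n, f in self.files.items() if now - f.last_used > self.retention]
        for n in expired:
            del self.files[n]
        return expired


def preflight_ok(free_bytes: int, min_free: int = 4 * GB) -> bool:
    """The recommended headroom: at least 10 GB free, never below min_free."""
    return free_bytes >= max(10 * GB, min_free)
```

The first request on a server with only 5 GB free and an empty cache fails outright, because caching a 2 GB file would leave less than 4 GB and there is nothing to evict; that is why the text asks for at least 10 GB. Raising the metadata TTL in `ttl["metadata"]` reduces upstream requests, but the same model shows that a signature release published inside that window is not seen until the metadata goes stale.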

Closest Server Rules

The Ondemand Content system uses the Closest Server rules and Ondemand Content Master configuration to determine the routing of ondemand content requests:

  • Managed Devices: When a managed device’s Antimalware Agent requests a malware signature update or an agent update, its closest Content Server list is used. The agent contacts the first Content Server in the list and works down the list until it makes a successful connection. Because Ondemand Content requests require an SSL connection, any Satellite Content Server that is not enabled for SSL is ignored. Therefore, Micro Focus recommends that you either ensure that at least one Satellite in the closest Content Server list is configured for SSL or the list includes at least one Primary Server.

  • Satellite Content Server: When a Satellite Content Server receives a request that it cannot fulfill, it uses its closest Content Server list to determine its upstream source. As with managed devices, if a Satellite’s closest Content Servers list includes other Satellite Content Servers, you need to have enabled at least one of those Satellites for SSL or ensure that the list includes at least one Primary Server.

  • Primary Servers: Primary Servers require no special consideration or configuration. They are already enabled for SSL, each Primary Server knows the Ondemand Content Masters to contact if they can’t fulfill a request, and each Primary Server can contact all other Primary Servers.
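The routing rules in the three bullets above can be checked before a rollout rather than discovered when updates fail. The following is an added example written for this page, not ZENworks code: it models a zone as a set of Content Servers, validates a closest Content Server list against the SSL rule, and traces the path a request takes until a server (or the external cloud service, via an OCM) fulfils it. The server names, the `CLOUD` placeholder, and the rule that a request caches content on every server it passed through are constructed assumptions; the text states only that requests move upstream until fulfilled.

```python
"""Closest Server Rules for ondemand Antimalware content: validate a closest
Content Server list and trace request routing. Added example, not ZENworks code."""
from dataclasses import dataclass, field
from typing import Dict, List

CLOUD = "antimalware-cloud"   # placeholder for the external Antimalware cloud service


@dataclass
class ContentServer:
    name: str
    role: str                                        # "primary" | "satellite"
    ssl: bool = True                                 # Primaries always; Satellites opt in
    ocm: bool = False                                # Ondemand Content Master (Primary only)
    closest: List[str] = field(default_factory=list) # a Satellite's upstream list
    cached: set = field(default_factory=set)         # content already held locally
    reachable: bool = True

    def serves_ondemand(self) -> bool:
        """Ondemand requests require SSL, so a non-SSL Satellite is ignored."""
        return self.role == "primary" or self.ssl


def check_closest_list(names: List[str], zone: Dict[str, ContentServer]) -> List[str]:
    """Flag the misconfiguration the text warns about: no SSL Satellite and
    no Primary in the list means ondemand content can never be served."""
    problems = []
    for n in names:
        s = zone[n]
        if s.role == "satellite" and not s.ssl:
            problems.append(f"{n}: Satellite without SSL is ignored for ondemand content")
    if not any(zone[n].serves_ondemand() for n in names):
        problems.append("no usable server: enable SSL on a Satellite or add a Primary")
    return problems


def resolve(item: str, names: List[str], zone: Dict[str, ContentServer],
            depth: int = 0) -> List[str]:
    """Return the path a request for `item` travels, ending at the server (or
    CLOUD) that fulfils it, and cache the item along the way (assumption).
    Raises LookupError when nothing in the chain can serve it."""
    if depth > 8:
        raise LookupError("routing loop between Satellites")
    for n in names:
        s = zone[n]
        if not (s.serves_ondemand() and s.reachable):
            continue                                  # work down the list
        if item in s.cached:
            return [n]
        if s.role == "satellite":                     # go upstream via its own list
            path = [n] + resolve(item, s.closest, zone, depth + 1)
        elif s.ocm:                                   # an OCM pulls from the cloud
            path = [n, CLOUD]
        else:                                         # any Primary knows the OCMs
            ocms = [o for o in zone.values()
                    if o.role == "primary" and o.ocm and o.reachable]
            if not ocms:
                raise LookupError("no reachable Ondemand Content Master")
            o = ocms[0]
            path = [n, o.name] if item in o.cached else [n, o.name, CLOUD]
        for hop in path:
            if hop != CLOUD:
                zone[hop].cached.add(item)
        return path
    raise LookupError(f"no usable Content Server in {names}")


def sample_zone() -> Dict[str, ContentServer]:
    """Constructed zone: one OCM, one plain Primary, one SSL Satellite and one
    Satellite left at the non-SSL default."""
    servers = [
        ContentServer("ocm1", "primary", ocm=True),
        ContentServer("prim2", "primary"),
        ContentServer("sat-ssl", "satellite", ssl=True, closest=["prim2"]),
        ContentServer("sat-plain", "satellite", ssl=False, closest=["prim2"]),
    ]
    return {s.name: s for s in servers}
```

With a device list of `["sat-plain", "sat-ssl", "prim2"]`, the first request skips `sat-plain`, reaches `sat-ssl`, goes upstream to `prim2`, then to `ocm1`, which pulls from the cloud; the second request is answered by `sat-ssl` directly. A device whose list contains only `sat-plain` gets both warnings from `check_closest_list` and a `LookupError` from `resolve`.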

External User Support

The Antimalware Agent must be able to contact a ZENworks Content Server in order to request and receive malware signature updates and agent updates. To support users who are external to your network, you have the following options:

  • DMZ Primary Server: Place a Primary Server in the DMZ and configure devices to use it as their Content Server when they are not on your internal network. Micro Focus recommends that you make the DMZ Primary Server an Ondemand Content Master so that it can fetch content directly from the external Antimalware content source; this removes hops in the content request process and reduces traffic from the DMZ Primary Server to internal OCMs. However, this is not a requirement provided the DMZ Primary Server has access to an internal OCM. For best practices for configuring Primary Servers in a DMZ, see Section 21.0, ZENworks DMZ Server.

  • VPN: Have managed devices connect via VPN. This is only recommended if you can ensure regular VPN connections during scheduled update request times. Otherwise, updates will fail and leave devices at risk.

3.13.3 Antimalware Database

ZENworks Endpoint Security Antimalware requires its own database, separate from the ZENworks database, ZENworks Audit database, or optional Vertica database. The database stores Antimalware-related data such as detected malware threats and current malware status for devices.

Unlike the ZENworks database and the ZENworks Audit database, the Antimalware database is not created during system installation. It is created as part of the setup process when you decide to use Antimalware.

Database Requirements

The Antimalware database must be the same database type (PostgreSQL, MSSQL, or Oracle) as your ZENworks database.

For information about the database’s disk space and memory requirements, see ZENworks Antimalware Database Sizing.

Database Synchronization

The Antimalware database requires data--such as devices, policies, assignments, and configuration settings--to be synced to it from the ZENworks database. This data is required in order to correctly associate malware data with devices and display the data in ZENworks Control Center.

The data synchronization is implemented through a Change Data Capture (CDC) mechanism that uses Apache Kafka to stream data between the two databases. Apache Kafka is supported on Linux platforms only, which means that you must have a Linux Primary Server to use Antimalware.

If you do not already have a Primary Server on Linux, Micro Focus recommends that you use the ZENworks Virtual Appliance. The Appliance is built on a customized SUSE Linux Enterprise Server (SLES) distribution and comes pre-installed with ZENworks. The Appliance can be deployed on VMware ESXi, Microsoft Hyper-V Server, XEN on SLES, and Citrix XenServer. For detailed requirements and installation instructions, see the ZENworks Appliance Deployment and Administration Reference.

The CDC requires no special consideration during the Antimalware design process. However, there are settings you can use to tune its performance. See Tuning Antimalware Database Synchronization for details.

3.13.4 Antimalware Event Processing

Whenever a malware threat is detected or a malware scan is run, the Antimalware Agent reports the event to the ZENworks server so that the malware threat and device status can be monitored in ZENworks Control Center.

Antimalware event files are rolled up via the Collection system. Every 5 minutes, the ZENworks Agent transfers any generated Antimalware events to its designated Collection Server as determined by its closest Collection Server list. If this is a Primary Server, the server’s Antimalware Service processes the event files and adds the events to the Antimalware database. If the Collection Server is a Satellite, it rolls the event files up to its parent Primary Server according to its Collection Roll-Up Schedule which is every 2 hours by default. The Primary Server then adds the event files to the Antimalware database.

Satellite Collection Roll-Up Schedule Recommendation

Micro Focus recommends that you keep your Satellite’s Collection Roll-Up Schedules to no more than every 2 hours. Longer intervals will result in delays reporting detected malware threats and device status to ZENworks Control Center.

Antimalware Service

As mentioned previously, the Antimalware service runs on Primary Servers and is responsible for processing Antimalware event files into the Antimalware database. On Linux Primary Servers, the service is a dockerized microservice. On Windows Primary Servers, it is an application microservice.

The Antimalware service listens on port 61100 (web server) and port 61195 (JMX).

In general, there are no design considerations for the Antimalware service. The service is configured--including opening the required ports--and started when you perform the Antimalware setup. For performance tuning details see Tuning the Antimalware Service.