3.1 Creating a Custom Scan Policy

The Custom Scan Policy is an optional policy that lets you supplement the scans provided by the base Antimalware Enforcement policy. For example, you can target emerging threats that may not be covered by the regularly scheduled scans, or run an every-other-month scan of all archive files on a device. This policy enables you to define and schedule scans on local and removable drives, in addition to the Full and Quick scans already defined in the Antimalware Enforcement Policy.

The policy wizard configures base-level and default settings for the policy. You can see and configure more details after policy creation. For information about modifying or customizing policy details after policy creation, see Custom Scan Policy.

The following instructions assume that you are on the Select the Scan Level page in the policy wizard for the Create New Antimalware Custom Scan Policy.

For information about creating policies in general, see Creating Security Policies in the ZENworks Endpoint Security Policies Reference.

3.1.1 Select the Scan Level

You can keep the most balanced approach between security and system performance by retaining the default setting of Normal, or configure scans with greater security or greater performance by choosing Aggressive or Permissive, respectively. After the policy is created, you can make more specific configuration changes through the Details tab on the selected policy.

The descriptions below are the same as those shown for each scan level when it is selected on the page. They are provided here together for comparison.

  • Aggressive: Provides advanced security with moderate use of resources. Scans all files accessed from local drives including archived and lower risk files.

  • Normal: Provides best balance between security and performance. Scans all files accessed from local drives. Does not scan archived and lower risk files.

  • Permissive: Provides basic security with reduced use of resources. Scans application files accessed from local drives and incoming emails. Does not scan lower risk files, spyware, and less dangerous types of malware. This option is recommended only for use on devices with resource limitations.

3.1.2 Add the Scan Targets

Click New to add a scan target. Built-in options include All Local Drives and All Removable Drives, or you can add a specific target by entering either a drive path or an environment variable, for example:

  • C:\Windows

  • %WINDIR%\system32

Once you add to or update the Scan Targets list, whichever items you have listed in the configuration are the targets that will be scanned.

NOTE: Ensure that the paths or variables you enter for scan targets are valid on the devices you assign the policy to. The policy does not validate these paths. Likewise, when the scan runs on a device, the Antimalware Agent runs it regardless of whether the path is valid. Invalid targets are simply logged as no malware detected.
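Because neither the policy nor the Antimalware Agent validates scan targets, it helps to check them on a representative device before assigning the policy. The PowerShell below is an added example, not ZENworks code: the function name Test-ScanTarget and the sample target list (including the undefined variable and the Q: drive) are constructed for illustration.

```powershell
# Added example: pre-flight check of Custom Scan Policy targets on one device.
# $ScanTargets is a constructed sample; replace it with the targets in your policy.
$ScanTargets = @(
    'C:\Windows',
    '%WINDIR%\system32',
    '%NO_SUCH_VAR%\quarantine',   # constructed: variable that is not defined
    'Q:\Archive'                  # constructed: drive that is probably absent
)

function Test-ScanTarget {
    param([Parameter(Mandatory)][string]$Target)

    # Expand %VAR% references using the current process environment.
    $expanded = [Environment]::ExpandEnvironmentVariables($Target)

    # An undefined variable is not expanded and remains as literal %NAME% text.
    $unresolved = [regex]::Matches($expanded, '%[^%\\]+%') |
        ForEach-Object { $_.Value }

    if ($unresolved) {
        $status = 'UnresolvedVariable'
    } elseif (Test-Path -LiteralPath $expanded) {
        $status = 'OK'
    } else {
        $status = 'Missing'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Target   = $Target
        Expanded = $expanded
        Status   = $status
    }
}

$results = $ScanTargets | ForEach-Object { Test-ScanTarget -Target $_ }

# Warn about every target that a scan would report as clean without scanning.
$results | Where-Object Status -ne 'OK' | ForEach-Object {
    Write-Warning "$($_.Target) -> $($_.Expanded) [$($_.Status)]"
}
$results | Format-Table -AutoSize
```

Environment variables are resolved for the account that runs the script, so a per-user variable can resolve here and still be undefined in another account's context.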

3.1.3 Set the Scan Schedule

Choose one of the three options for the scan schedule and select Wake-on-LAN if your scan requires it. Information about each setting is provided below:

  • No Schedule: Select this scheduling option if you do not want the scan to run automatically. This option has no preset trigger to kick off a scan. It is designed to give you the flexibility to run scans via the Initiate Malware Scan quick task, which you can initiate on a selected device when you select the option in the quick task list or by entering a zac command in the Windows Command Prompt on the agent device. For more information about these options, see the following references:

  • Date Specific: This schedule is designed to run a scan one or more times on the specified date(s) and time. For information about configuring this schedule, see Configure a Date Specific Schedule.

  • Recurring: This schedule enables you to configure scans to run at a specified interval. For information about configuring this schedule, see Configure a Recurring Schedule.

  • Wake-on-LAN: If the device is not on at the scheduled time, this option attempts to use Wake on LAN (WoL) technology to power on the device. The device must support Wake on LAN.

    For information about Wake-on-LAN options or how it works, see Wake-on-LAN in ZENworks Control Center in the ZENworks Using Wake-on-LAN reference.

3.1.4 Configure Scan Exclusions

Scan exclusions can include both built-in file exclusions and custom exclusions, which are the folders, files, and applications that you designate for exclusion. Built-in exclusions include Windows directories recommended for exclusion by Microsoft, which can vary depending on the operating system, and some ZENworks directories. However, ZENworks built-in exclusions are not controlled by this setting. These items will not be scanned for the scan types you configure after the policy is created.

Custom exclusions can include exclusions added directly in the Exclusions tab of policy Details, exclusions implemented by selected Antimalware Scan Exclusion policies, or a combination of both. Exclusion types are designated as File, Folder, or Extension.

For information about configuring exclusions in the Custom Scan or Network Scan policies after policy creation, see Exclusions.

3.1.5 Assign and Publish the Policy

You can only assign Antimalware policies to devices. They cannot be assigned to users. For information about assigning and publishing Endpoint Security policies, see the topics below in the ZENworks Endpoint Security Policies Reference: