3.2 Creating a Network Scan Policy

The Network Scan Policy is optional, but it gives you the capability to scan network drives, which you cannot do with the Enforcement or Custom Scan policies. This policy gives you the capability to target a network drive from a specific device. For example, you could use this policy to scan a file storage disk in an array of disks.

Network Credentials

Network credentials must be configured in the policy to access network files. In order to configure this setting, you must already have credentials specified for the applicable network in the Credential Vault before you create this policy.

For information about adding credentials in the Credential Vault, see Using the Credential Vault in the ZENworks Control Center Reference.

The policy wizard configures base-level and default settings for the policy. You can see and configure more details after policy creation. For information about modifying or customizing policy details after policy creation, see Network Scan Policy. The following instructions assume that you are on the Select the Scan Level page in the policy wizard for the Create New Antimalware Network Scan Policy.

For information about creating policies in general, see Creating Security Policies in the ZENworks Endpoint Security Policies Reference.

3.2.1 Select the Scan Level

You can retain the most balanced approach between security and system performance by retaining the default setting of Normal or configure scans with greater security or with greater performance by choosing Aggressive or Permissive, respectively. Once the policy is created, you will have the option to make more specific configuration changes through the Details tab on the selected policy.

The descriptions below are the same shown for each scan level when selected in the page. They are also provided here in aggregate for comparison.

  • Aggressive: Provides advanced security with moderate use of resources. Scans all files accessed from local and network drives including archived and lower risk files.

  • Normal: Provides best balance between security and performance. Scans all files accessed from local drives and application files accessed from network drives. Does not scan archived and lower risk files.

  • Permissive: Provides basic security with reduced use of resources. Scans application files accessed from local and network drives and incoming emails. Does not scan lower risk files, spyware, and less dangerous types of malware. This option is recommended only for use on devices with resource limitations.

3.2.2 Add the Scan Targets

Click New to add a scan target. The target path must use IP address or FQDN format. As a best practice for a single network directory and file you should enter both the IP and FQDN paths. For example:

  • \\hostName\shareName\filePaths

  • \\IPaddress\shareName\filePath

Once you add to or update the Scan Targets list, whichever items you have listed in the configuration are the targets that will be scanned.

Network Scan File Credentials: To enable scans on network files, click to browse and locate the applicable credential from the Credential Vault, and add the credentials in the domain\user format. For more information, see Network Credentials.

3.2.3 Set the Scan Schedule

Choose one of the three options for the scan schedule and select Wake-on-LAN if you need that requirement for your scan. Information about each setting is provided below:

  • No Schedule: Select this scheduling option if you do not want the scan to run automatically. This option has no preset to kickoff a scan. It is designed to allow the flexibility for running scans via the Initiate Malware Scan quick task, which you can initiate on the policy when you select it in the quick task Policies list or by entering a zac command in the Windows Command Prompt on the agent device. For more information about these options, see the following references:

  • Date Specific: This schedule is designed to run a scan one or more times on the specified date(s) and time. For information about configuring this schedule, see Configure a Date Specific Schedule.

  • Recurring: This schedule enables you to configure scans to run at a specified interval. For information about configuring this schedule, see Configure a Recurring Schedule.

  • Wake-on-LAN: If the device is not on at the scheduled time, this option attempts to use Wake on LAN (WoL) technology to power on the device. The device must support Wake on LAN.

    For information about Wake-on-LAN options or how it works, see Wake-on-LAN in ZENworks Control Center in the ZENworks Using Wake-on-LAN reference.

3.2.4 Configure Scan Exclusions

Scan exclusions can include both built-in file exclusions and folders, files, and applications you designate for exclusion (custom). Built-in exclusions include Windows directories recommended for exclusion by Microsoft and some ZENworks directories, which can vary for Windows directories depending on the operating system. However, ZENworks built-in exclusions are not controlled by this setting. These items will not be scanned for the scan types you configure after the policy is created.

Custom exclusions can include exclusions added directly in the Exclusions tab of policy Details, exclusions implemented by selected Antimalware Scan Exclusion policies, or a combination of both. Exclusion types are designated as File, Folder, or Extension.

For information about configuring exclusions in the Custom Scan or Network Scan policies after policy creation, see Exclusions.

3.2.5 Assign and Publish the Policy

You can only assign Antimalware policies to devices. They cannot be assigned to users. For information about assigning and publishing Endpoint Security policies, see the topics below in the ZENworks Endpoint Security Policies Reference: