3.7 Network Scan Policy

This section provides information about the settings you can view and modify in the Details page of a selected Antimalware Network Scan Policy. If you want to update settings on devices that already have the selected policy assigned, you need to republish the policy after making modifications, and then execute a refresh on those devices.

To open the Details page of the policy in ZENworks Control Center, navigate to Policies, select the policy in the Policies page or folder, click the policy name link, and select the Details tab.

3.7.1 Scan Settings

For the most part, the Scan Settings in the Custom Scan and Network Scan policies mirror several of the settings you can configure in the Antimalware Enforcement Policy, depending on the scan type. When you deploy either of these policies, they run on the schedule you set in the Schedule tab of the policy, as opposed to the Antimalware Enforcement Policy, which runs on the zone Antimalware schedule. Reference the sections below for more information about these settings.

User Rights

This setting lets you grant end users the right to initiate their own scans and to pause, postpone, or cancel those scans, as well as to pause, postpone, or cancel administrator-initiated scans, if so enabled.

The right for a user to cancel an administrator-initiated scan is disabled by default. The administrator can initiate a scan via a policy, quick task, or zac command.

NOTE: If the user pauses a scan and reboots the device before restarting the scan, the scan will resume on restart, but will no longer be visible to the user in the Agent Status Console.

Files to Scan

You can configure which type of files get scanned when the scheduled scan runs. See the descriptions below to better understand what each option does:

  • All files: Scans all files on the specified network path except files excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement Policy settings.

  • Applications only: Scans only application files on the specified network path except applications excluded from scans by built-in and custom exclusion settings defined in the Antimalware Enforcement Policy settings.

    For more information about the type of application files that get scanned or how to customize that list, see Application Only File Scans.

  • Defined file extensions only: Scans only files that possess a file extension added in the Defined file extensions field for local files as applicable.

    Enter one or more file extensions to be scanned, separated by a semicolon “;”. You can enter extensions with or without the preceding dot. For example: txt or .txt

Scan Behavior

These settings provide flexibility for configuring the behavior details of files to be scanned. Enable or disable as applicable to your desired protection in relation to system performance.

  • Scan only new or changed files: This setting gives you an option that may improve system responsiveness with a minimal trade-off in security.

  • Scan boot sectors: Boot sectors contain the required code to start the boot process. An infection could disable the drive and prevent the system from starting.

  • Scan registry: This option scans the Windows Registry database that stores settings for operating system components.

  • Scan memory: This option scans programs that run in the system’s memory.

  • Scan for keyloggers: Keyloggers record the input from the device’s keyboard and can disclose sensitive information to hackers, including account numbers and passwords.

  • Scan for rootkits: Rootkits enable administrator-level access to the device with a primary function of hiding processes, files, logins, and logs. When combined with malware, they can be used to conceal the presence of intruders.

  • Scan cookies: This option scans cookies stored by browsers installed on the device.

  • Scan for Potentially Unwanted Applications (PUA): PUAs typically include undesirable programs that get installed on the device when bundled and downloaded with free software, often without the user’s consent.

  • Scan archives: Infected archive files are not an immediate threat and scanning them can be resource-intensive. Infected archive files are only a threat to the system if they are extracted from the archive and executed without having on-access scanning enabled.

    • Skip files larger than (MB): Only scans files that are equal to or smaller than the size specified here.

    • Maximum depth (levels): Defines the directory level depth that will be scanned, in increments of two.

  • Scan email archives: This option scans email files and databases, including the file formats of .eml, .msg, .pst, .dbx, .mbx, .tbb, and others.

    IMPORTANT: This scanning option is resource-intensive.

Remediate Actions

Configure the default remediation action for infected files, suspect files, and rootkits. Each file type, except rootkits, takes a layered configuration: a default action, and a secondary action that is applied if the default action fails. Configuration options are shown below:

| File type | Default action | If default action fails |
|---|---|---|
| Infected Files | Disinfect, Delete, Move to Quarantine, Ignore | Disinfect, Delete, Move to Quarantine, Ignore |
| Suspect Files | Delete, Move to Quarantine, Ignore | Delete, Move to Quarantine, Ignore |
| Rootkits | Disinfect, Ignore | (not applicable) |

NOTE: For information about remediation of scanned archive files, see About Scanned Archive Files.

3.7.2 Add the Scan Targets

Click New to add a scan target. The target path must use IP address or FQDN format. As a best practice, for a single network directory and file, enter both the IP and FQDN paths. For example:

  • \\hostName\shareName\filePath

  • \\IPaddress\shareName\filePath

Once you add to or update the Scan Targets list, whichever items you have listed in the configuration are the targets that will be scanned.

Network Scan File Credentials: To enable scans on network files, click to browse and locate the applicable credential from the Credential Vault, and add the credentials in the domain\user format. For more information, see Network Credentials.

3.7.3 Schedule

If you need to modify the schedule for when the scan runs, reference the configuration options below:

  • No Schedule: Select this scheduling option if you do not want the scan to run automatically. This option has no preset to kick off a scan. It is designed to allow the flexibility of running scans via the Initiate Malware Scan quick task, which you can initiate on a selected device when you select the option in the quick task list, or by entering a zac command in the Windows Command Prompt on the agent device. For more information about these options, see the following references:

  • Date Specific: This schedule is designed to run a scan one or more times on the specified date(s) and time. For information about configuring this schedule, see Configure a Date Specific Schedule.

  • Recurring: This schedule enables you to configure scans to run at a specified interval. For information about configuring this schedule, see Configure a Recurring Schedule.

  • Wake-on-LAN: If the device is not on at the scheduled time, this option attempts to use Wake on LAN (WoL) technology to power on the device. The device must support Wake on LAN.

    For information about Wake-on-LAN options or how it works, see Wake-on-LAN in ZENworks Control Center in the ZENworks Using Wake-on-LAN reference.

3.7.4 Exclusions

Scan exclusions can include both built-in file exclusions and folders, files, and applications you designate for exclusion (custom). Built-in exclusions include Windows directories recommended for exclusion by Microsoft and some ZENworks directories, which can vary for Windows directories depending on the operating system. However, ZENworks built-in exclusions are not controlled by this setting. These items will not be scanned for the scan types you configure after the policy is created.

Custom exclusions can include exclusions added directly in the Exclusions tab of policy Details, exclusions implemented by selected Antimalware Scan Exclusion policies, or a combination of both. Exclusion types are designated as File, Folder, or Extension.

  • Built-in Exclusions: This option is recommended and selected by default, but you can disable it.

  • Custom Exclusions: Select whether to apply Antimalware Scan Exclusion policies assigned to the device, custom exclusions, or both.

    To add custom exclusions, click New after enabling custom exclusions, then complete and save the configuration items in the New Exclusion dialog box for each exclusion that you add. The criteria required for the Exclusion field for each exclusion type are provided below:

    • File and Folder:

      • Enter a path. The target path must use IP address or FQDN format. For example:

        • \\hostName\shareName\filePath

        • \\IPaddress\shareName\filePath

      • Enter an environment variable. For example: %ProgramFiles%

      • Enter a wildcard. Use an asterisk (*) or double asterisk (**) to substitute for zero or more characters. Use a question mark (?) to substitute for exactly one character. Use several question marks to define any combination of a specific number of characters. For example, ??? substitutes for any combination of exactly three characters. See the examples below:

        • File exclusion in a location: \\IPaddress\shareName\Test\*.png

          (excludes all files from the Test folder)

        • File exclusion in any location: **\example.txt

          (excludes any file named example.txt regardless of its location on the device)

        • Folder exclusion: \\IPaddress\shareName\Test\*

          (excludes all folders from the Test folder)

    • Extension: Enter one or more file extensions to be excluded from scanning, separated by a semicolon “;”. You can enter extensions with or without the preceding dot. For example:

      txt or .txt
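
The wildcard and extension rules above (and the same semicolon-separated extension format used under Files to Scan) can be modeled to review which paths an exclusion list would leave unscanned before you publish the policy. This is an added example, not ZENworks code; the function names, the address 192.0.2.10, the host fs01.example.com and the sample paths are constructed, and it assumes that * and ? stay within one path component while ** can span several, which the page does not state.

```python
import re

def pattern_to_regex(pattern):
    """File/Folder exclusion pattern -> compiled regex.
    Assumption (not stated on the page): '*' and '?' stay inside one path
    component, while '**' may span several."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        out.append(r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch))
        i += 1
    # Windows paths compare case-insensitively.
    return re.compile("".join(out), re.IGNORECASE)

def parse_extensions(field):
    """'txt; .LOG' -> {'txt', 'log'}: semicolon-separated, leading dot optional."""
    return {e.strip().lstrip(".").lower() for e in field.split(";") if e.strip()}

def is_excluded(path, patterns, extensions=""):
    name = path.rsplit("\\", 1)[-1]
    _, dot, ext = name.rpartition(".")
    if dot and ext.lower() in parse_extensions(extensions):
        return True
    return any(pattern_to_regex(p).fullmatch(path) for p in patterns)

def unscanned(paths, patterns, extensions=""):
    """Return the paths a scan would skip, for review before publishing."""
    return [p for p in paths if is_excluded(p, patterns, extensions)]

# Constructed sample data (192.0.2.10 and fs01.example.com are placeholders).
PATTERNS = [r"\\192.0.2.10\share\Test\*.png", r"**\example.txt"]
EXTENSIONS = "log; .tmp"
PATHS = [
    r"\\192.0.2.10\share\Test\logo.png",         # matches the first pattern
    r"\\192.0.2.10\share\Test\sub\logo.png",     # '*' does not cross '\' here
    r"\\fs01.example.com\share\Test\logo.png",   # FQDN form, IP pattern misses it
    r"\\192.0.2.10\share\Docs\example.txt",      # '**' matches any location
    r"\\192.0.2.10\share\Docs\setup.LOG",        # extension match, any case
    r"\\192.0.2.10\share\Docs\invoice.exe",      # still scanned
]

if __name__ == "__main__":
    for p in unscanned(PATHS, PATTERNS, EXTENSIONS):
        print("excluded:", p)
```

Under this purely textual model, an exclusion written against the IP form of a share does not cover the same file reached through its FQDN, so each path form needs its own entry.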