The Anti-malware functionality in Defense.com Endpoint Protection is based on security content scanning and heuristic analysis. This helps to protect systems against all types of malware threats, including: viruses, worms, Trojans, spyware, adware, keyloggers, rootkits and other types of malicious software.
This guide covers each aspect of the Anti-malware module in detail. Your Defense.com representative can configure the functionality to meet the needs of your business.
Compatibility
The Anti-malware module is available for:
Windows for workstations
Windows for servers
Linux
macOS
Detection
Our Anti-malware scanner module uses two methods of detection:
A traditional scanning method is employed where scanned content is matched against a signature database. This scanning method is effective against confirmed threats that have been researched and documented. However, no matter how promptly the signature database is updated, there is always a vulnerability window between the time when a new threat is discovered and when a fix is released.
Against brand-new, undocumented threats, a second layer of protection is provided by our heuristic engine. Heuristic algorithms detect malware based on behavioural characteristics. This module runs suspicious files in a virtual environment to test their impact on the system and ensure they pose no threat.
The Anti-malware module behaves differently depending on how the installed endpoint is configured:
Detection and prevention mode: This operation mode sets the Anti-malware module to detect and block threats. When it detects a virus or other malware, the endpoint agent will automatically attempt to remove the malware code from the infected file and reconstruct the original file. This operation is referred to as disinfection.
Files that cannot be disinfected are moved to quarantine in order to isolate the infection. When a virus is in quarantine, it cannot do any harm because it cannot be executed or read. It is also possible to configure scan exclusions if you do not want specific files or file types to be scanned.
EDR (Report only) mode: This operation mode exclusively enables On-execute scanning, set to only report threats, and not blocking them.
This mode of operation is available for users that want to install a lightweight EDR solution in their environments, that can run alongside other prevention solutions.
Scanning
There are three types of scanning options available:
On-access: prevents new malware threats from entering the system.
On-execute: proactively protects against threats, and can automatically discover and block fileless attacks at pre-execution, depending on how the security agent installed on endpoints is set to operate.
On-demand: allows detecting and removing malware already residing in the system.
On-access scanning
On-access scanning prevents new malware threats from entering the system by scanning local and network files when they are accessed (opened, moved, copied or executed), boot sectors and potentially unwanted applications (PUA).
Note: This feature has certain limitations on Linux-based systems.
File location
Scanning preferences can be configured separately for local files (stored on the local endpoint) or network files (stored on network shares). If Anti-malware is enabled on all computers in the network, you may disable the network files scan to allow for faster network access.
You can set the security agent to scan all accessed files (regardless of their file extension), application files only or specific file extensions you consider to be dangerous. Scanning all accessed files provides the best protection, while scanning applications only can increase the system's performance.
It is possible to select only specific file extensions to be scanned. For system performance reasons, it is also possible to exclude larger files from scanning and define a file size limit.
Scan options
The following scan options are available:
Only new or changed files
By scanning only new and changed files, you may greatly improve overall system responsiveness with a minimum trade-off in security.
Boot sectors
Scans the system’s boot sector. This sector of the hard disk contains the necessary code to start the boot process. When a virus infects the boot sector, the drive may become inaccessible and you may not be able to start your system and access your data.
Process memory
Scans the memory of a process to detect in-memory malicious behaviour.
Keyloggers
Keyloggers record what you type and transmits this over the Internet to the threat actor. This makes it possible to find out sensitive information from the stolen data, such as bank account numbers and passwords, and use it to gain personal benefits.
Potentially Unwanted Applications (PUA)
A PUA is a program that may be unwanted and can sometimes be bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser or running several processes in the background and slowing down system performance.
Archives
This option is available if you want to enable on-access scanning of archived files. Scanning inside archives is a slow and resource-intensive process, therefore it is not recommended for real-time protection.
Scan actions
Depending on the type of file detected, the following actions are automatically taken:
Default action for infected files
Files are identified as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.
The Defense.com Endpoint Protection agent can normally remove the malware code from an infected file and reconstruct the original file. This operation is known as disinfection.
By default, if an infected file is detected, the Defense.com agent will automatically attempt to disinfect it.
If disinfection fails, the file is moved to quarantine to contain the infection.
Note: For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.
Default action for suspect files
Files are detected as suspicious by the heuristic analysis and other technologies.
These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.
Suspect files cannot be disinfected, because no disinfection routine is available.
When a suspect file is detected, users will be denied access to that file to prevent a potential infection.
Custom actions
Custom actions can also be configured if required. Two actions can be selected for each type of file; the second action can be taken if the first one fails.
Deny access
Deny access to detected files.
Disinfect
Remove the malware code from infected files. This is the recommended first action to take on infected files.
Delete
Delete detected files from the disk, without any warning. It is advisable to avoid using this action.
Move to quarantine
Move detected files from their current location to the quarantine folder. Quarantined files cannot be executed or opened; therefore, the risk of infection is eliminated.
Take no action
Only report the infected files.
On-execute scanning
Your Defense.com representative can configure your Anti-malware module to protect against malicious processes when they are executed. It covers the following protection layers:
Advanced Threat Control
Fileless Attack Protection
Ransomware Mitigation
Advanced Threat Control
Advanced Threat Control is a proactive detection technology which uses advanced heuristic methods to detect new potential threats in real time.
Advanced Threat Control continuously monitors applications running on the endpoint, looking for suspicious, malware-like actions. Each of these actions is scored and an overall score is computed for each process. When the overall score for a process reaches a given threshold, the process is considered to be harmful.
Once this threshold has been reached, Advanced Threat Control will automatically try to disinfect the detected file. If the disinfection routine fails, the file will be deleted.
Fileless Attack Protection
Fileless Attack Protection is set by default to detect and block fileless malware at pre-execution, including terminating PowerShell running malicious command line, blocking malicious traffic, analysing memory buffer prior to code injection, and blocking the code injection process.
Ransomware Mitigation
Ransomware Mitigation uses detection and remediation technologies to keep your data safe from ransomware attacks. Whether the ransomware is known or new, Defense.com Endpoint Protection detects abnormal encryption attempts and blocks the process. Afterwards, it recovers the files from backup copies and restores them to their original location.
For more information about how on-execute scanning options can be configured, please contact your Defense.com representative.
On-demand scanning
Your Defense.com representative can add and configure Anti-malware scan tasks that will run regularly on your target systems, according to a defined schedule. Scanning is performed silently in the background, regardless of whether the user is logged into the system or not.
Though not mandatory, it is recommended to schedule a comprehensive system scan to run weekly on all endpoints. Scanning endpoints regularly is a proactive security measure that can help detect and block malware that might evade real-time protection features.
In addition to regular scans, it is also possible to configure the automatic detection and scanning of external storage media that have been allowed using the Device Control function.
Scan tasks
Different scan tasks can be used for on-demand scanning, including:
Quick scan
This uses in-the-cloud scanning to detect malware running in the system. Running a Quick scan usually takes less than a minute and uses a fraction of the system resources needed by a regular virus scan.
When malware or rootkits are found, Defense.com automatically proceeds with disinfection. If, for any reason, the file cannot be disinfected, then it is moved to quarantine. This type of scanning ignores suspicious files.
Full scan
This scan checks the entire endpoint for all types of malware, such as viruses, spyware, adware, rootkits and others.
Defense.com automatically tries to disinfect files detected with malware. In cases where malware cannot be removed, it is contained in quarantine.
Custom scan
Your Defense.com representative can configure Custom scans to choose specific locations to be scanned, with custom scan options.
Configuring scan tasks
Scan schedule
Your Defense.com representative can help you to set up a regular endpoint scan schedule. This can be configured to run every few hours, days or weeks, starting with a specified date and time.
Endpoints must be powered-on when the schedule is due. A scheduled scan will not run when due if the machine is turned off, hibernating or in sleep mode. In such situations, the scan will be postponed until the next time it is turned on.
Note: The scheduled scan will run at the target endpoint local time. For example, if the scheduled scan is set to start at 6:00 PM and the endpoint is in a different timezone, the scanning will start at 6:00 PM (endpoint time).
You can also specify what happens when the scan task could not start at the scheduled time (for example, if the endpoint was offline or shutdown). If the scheduled run time is missed, you can choose to have the scan task run as soon as possible when the endpoint is back online, or attempt to run again at the next scheduled time.
Scan options
The following types of scans can be configured for deployment:
File types
You can set the security agent to scan all accessed files (regardless of their file extension), application files, or specific file extensions you consider to be dangerous. Scanning all accessed files provides the best protection, while scanning applications only can increase the system's performance.
Archives
Archives containing infected files are not an immediate threat to system security, however, it is recommended to use this option to detect and remove any potential threats, even if it is not an immediate concern.
Archive scanning can be configured with maximum size limits and maximum depth levels. It is also possible to enable scanning of email message files and email databases, including file formats such as .eml, .msg, .pst, .dbx, .mbx, and .tbb.
Note: email archive scanning is resource intensive and can impact system performance.
Boot sectors
Scans the system boot sector. When malware infects the boot sector, the drive may become inaccessible and you may not be able to start your system and access your data.
Registry
Scan registry keys. Windows Registry is a database that stores configuration settings and options for the Windows operating system components, as well as for installed applications.
Rootkits
Scan for rootkits and objects hidden using such software.
Keyloggers
Scan for keylogger software.
Network shares
Scan mounted network drives. This is deactivated by default for Quick scans, and is enabled by default for Full scans.
Memory
Scan programs running in the system memory.
Cookies
Scan the cookies stored by browsers on the endpoint.
Potentially Unwanted Applications (PUA)
A PUA is a program that may be unwanted and can sometimes be bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser or running several processes in the background and slowing down system performance.
Scan actions
Depending on the type of file detected, the following actions are automatically taken:
Default action for infected files
Files are identified as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.
The Defense.com Endpoint Protection agent can normally remove the malware code from an infected file and reconstruct the original file. This operation is known as disinfection.
By default, if an infected file is detected, the Defense.com agent will automatically attempt to disinfect it.
If disinfection fails, the file is moved to quarantine to contain the infection.
Note: For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.
Default action for suspect files
Files are detected as suspicious by the heuristic analysis and other technologies.
These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.
Suspect files cannot be disinfected, because no disinfection routine is available.
Scan tasks are configured by default to ignore suspect files.
If malware presence is confirmed, a signature is released to allow removing the malware.
Default action for rootkits
Rootkits represent specialized software used to hide files from the operating system.
Though not malicious in nature, rootkits are often used to hide malware or to conceal the presence of an intruder into the system.
Detected rootkits and hidden files are ignored by default.
Custom actions
Custom actions can also be configured if required. Two actions can be selected for each type of file; the second action can be taken if the first one fails. The following actions are available:
Take no action
No action will be taken on detected files. These files will only appear in the scan log.
Disinfect
Remove the malware code from infected files. This is the recommended first action for infected files.
Delete
Delete detected files from the disk, without any warning.
Move to quarantine
Move detected files from their current location to the quarantine folder, where they cannot be executed or opened.
Device scanning
Your Defense.com agent can be configured to automatically detect and scan external storage devices when they are connected to a Windows endpoint.
Detected devices fall into one of these categories:
CDs/DVDs.
USB storage devices, such as flash pens and external hard-drives.
Devices with more than a specified amount of stored data.
Device scans automatically attempt to disinfect files detected as infected or to move them to quarantine if disinfection is not possible.
Note: some devices such as CDs/DVDs are read-only. No action can be taken on infected files contained on these storage devices.
For more information about how your Anti-malware options can be configured, please contact your Defense.com representative.