Tags
Communication Client (CC) submission Communication Client tray icon script OS Patch Third Party Patch Installation Uninstallation Discovery additional package External Device Control external ITarian remote Windows device apps signed-in logged-in identify License wizard on-boarding local Comodo Client Security Mac devices Linux devices MSP customers EM profile Mac OS profile MAC OS X device user device configuration profile copy invoice enrollment Logging Settings SIEM tool external server Account Security mobile console EM device owners ownership remove MAC third party application remote uninstallation software inventory duplicate Name Master Image Golden Image Bulk Installation Package Windows Operating Systems summary information local time External IP address OS summary Devices list MDM profile iOS push certificate create APNs Apple account portal APN Apple Push Notification search bar filter options customer device group group membership managed device trust rating old duplicates removal device name MAC address MSP (Managed Service Provider) Versions Marketing & Sales Customer Relationship Management (CRM) Enroll New Device New Ticket quick actions bar release notes security status activity status profile status Sales funnel Secure Internet Gateway application launch Two factor Time zone Language Lockout time Change Password tokens device enrollment User Groups Manage Profiles User List Management customer report customer assessment customers End-User forms auto response attachments time entry address support User Directory scripts Knowledgebase canned Banlist announcements Hostname mail delivery CommandLine Power Shell PowerShell interface File Explorer Commands Interface Remote devices Remote Tools Paranoid Mode Training Mode Custom Ruleset Safe Mode The charging flow edit contracts Charging Flowchart Global Asset Rates Charging Plans Contracts charges calculated Remove role Edit a role staff interface Exclusions data loss prevention (DLP) network discoveries ITarian Remote Access Tool Tarian Remote Access Tool inactive devices Device removal settings Portal Set-up Malware File Name Security Sub-System Communication Client UI settings Communication Client Tray remove a department ticket submission configure department synchronize department submit ticket distributing Bandwidths client updates device management Bandwidth conservation malware activity virus scope autoruns Proxy servers fallback flag Inactive discovered devices SNMP Apple Device Enrollment Program set up service explorer manually deploy Comodo EDR agent parent process multiple ticket selection selected tickets security events folder transfer discoveries network management remote folder TLS TLS1.2 pci dss pci compliance ITarian Portal Endpoint Manager vdi environment vdi clone environment instant clone documentation vendor notice security dashboard events resolution remote tool partner onboard unknown file hunter TLS Encryption procedure parameters pass profiles history performance metrics real time remote endpoints download browse service URL Security Components system Global Software Inventory 2 minutes Integrate intagrate Active Directory Portable Interception SSL enable reporting Rule Threat Protection Rule Advance spam Customize archived outgoing incoming administrator validate domains add Antispam type PCI data loss Location Network information start software session extensions appoinments resource connection computers Comodo Rescue Disk infected opportunity opportunities custom relationship management quote COMODO-CRM protect mac device email notifications registry COM Quarantined point system restore msi contained applications processes security client events Release date department registration particular os section Two Factor Authentication Login interface dashboard report generate Direct Download Link One drive Google drive HIPS mode cleanup automatic suspicious suspicious certificates shellcode injection detect Elevated Access system user access default charging groups move current malware list store push IP address ip installer acronis auto-remediation server machine icon Product Logos Rebrand backup Device Control data Chromoting WebRTC ports Protocol skip offline manual time entries ticket assignee Help Guide Tour schedule Reschedule appointment unknown application protection virtual desktop Local Verdict server manage calculation cost configuration charging SD contract prepaid hours products classification inventory analyze Device list OS patches global search bar Tool bar Windows Defender Security Center file group white Citrix record SPF work billable time onsite email template template variables emails Gmail SMTP disable Add collaborators admin action Audit logs feature requests submit vote remotely Reset proxy swg secure web gateway dome error disk ticket detail page thread section tickets section internal notes Sub-help topic help topic features Application control white_list Patch Management child parent scheduled customized get to headers columns company restrict customer technician remote access list iOS devices field Reports iOS device APN Certificate MAC OS X options Linux block Comodo Client Communication (CCC) allow Comodo Client Security (CCS) network zones active component tray icon hide show packages additional install block port baseline installation package bulk implement restrict firewall endpoints security and communication global export virus import Database folders files define exclusions change staff admin rating check reassign assign permissions new role create for user of device enroll associated use how profile specific Removing Devices Uninstall windows profile Configuration templates latest version clients comodo file ratings monitoring custom All Devices Ratings Track widgets Agent valkyrie malware files Kill chain report automated establishing endpoint remote session Users prevent Android organization windows assets Mac OS billing identified threats Sort Closed inside Program executed containment service desk remote control Locally runs update scan antivirus SLA Business Hours control CCS Password access Client Auto Specific Device Response Application Third party Status View Logs intended devices alert fails Company Information Configure Verdict Patch Procedures Executable Comodo Internet Security ITSM Analysis Command Line Heuristic Filter Unrecognized Trusted File Rate Malicious Purge Calendar Device Exclusion USB Admin Panel Settings ticket Default system-wide Specific Path Details Monitor Multi Set Currency Connected Who Quick Actions Comparison Version Enterprise Managed Service Provider C1 Portal Remote management Comodo Remote Control ticket management staff panel assign tickets
More

How to configure antivirus settings in a Mac OS profile

Release Time
06/11/2018
Views
847 times
Category
profiles
Tags

  • The antivirus section of a profile lets you control how the virus scanner in CCS operates on managed Mac devices. There are two main sections:
     
    • Preferences – Configure general CCS settings, update server, password protection, and log settings.
       
    • Antivirus – Has three sub-sections:
       
      • Scanner Settings – Configure options for real-time, manual and scheduled scans. Choose files you want to exclude from scans.
         
      • Scan Profiles – Scan profiles tell CCS which items to scan. You can pick a full or quick scan, or create a custom profile to scan specific areas. Once saved, you can apply a scan profile to any scheduled scan.
         
      • Scheduled Scans - Choose when you want the scan profile to run on managed devices.
         
  • It is essential to add an antivirus section to a profile if you want virus scans on your endpoints. 

Process in detail

  • Log into ITarian
     
  • Click ‘Applications’ > ‘Endpoint Manager’.
     
  • Click 'Configuration Templates' > 'Profiles'
     
  • Open the MAC profile you want to work on.
     
    • Open the 'Antivirus' tab and click 'Edit'

      OR
       
    • Click 'Add Profile Section' > 'Antivirus' if it hasn't yet been added




There are two tabs you can configure in an AV profile:

  • Preferences - General CCS settings, updates, parental control and logs
     
  • Antivirus - Settings for all scan types. Create custom scan profiles and scheduled scans.

Preferences


General Settings


 

  • Automatically check for program updates - CCS checks for program updates every 24 hours AND every time users start their computers. If updates are found, they are automatically downloaded and installed. (Default = Enabled).
     
  • Show balloon messages – CCS can generate notifications when it is learning the activity of previously unknown components of trusted applications.  The balloon messages appear in the bottom-right hand corner of the computer screen - just above the tray icons.  (Default = Disabled).

Update Settings

  • The updates tab lets you specify an alternate host from which endpoints should download updates. By default, updates are downloaded from https://download.comodo.com



 

  • You can add the URL of a different download host if required. For example, you may want to distribute the updates from a local server to conserve bandwidth.
     
  • Click 'Add':



 

  • Enter the URL / IP address of the host from which endpoints should collect antivirus updates. This can be a local, staging server that you have designated as your distribution server.
     
  • Select the 'Enable' to activate the host
     
  • Click 'OK' to apply your changes
     
  • Repeat the process to add more hosts. Endpoints will download from the first server that has the update available. They will contact the next server in the list if the first server does not have the update, and so on.

Parental Control

  • Parental control lets you password protect the CCS settings area on your endpoints. End-users will need to provide the password before they can access CCS settings. This prevents inexperienced users from making changes which could compromise the endpoint.




     
    • Enable password protection for the settings - Activates password protection for all important CCS settings. Specify the password in the 'Password' field.
       
    • Suppress Antivirus alerts if password protection is enabled - If selected, threats on the device are automatically blocked but no alert is shown to the end-user. This avoids situations where a user might click 'Allow' just to make an alert go away.

Logging


 

By default, CCS logs all virus events that occur on an endpoint. Users can view the log at ‘Antivirus Tasks’ > 'View Antivirus Events'.

  • Write to local log database (COMODO format) - Deselect if you don't want CCS to store logs locally.

Antivirus

  • Open the ‘Antivirus’ section of a profile as explained above
     
  • Click the 'Antivirus' tab
     
  • The antivirus tab has three sections:
     
    • Scanner Settings - Configure settings that apply to real-time/manual/scheduled scans, and specify items to be excluded from virus scans.
       
    • Scan Profiles - A scan profile tells CCS which files, folders, and drives should be included in the scan. You can use a scan profile in a manual/on-demand scan, or add it to a schedule. This area lists all existing profiles and lets you create new profiles.
       
    • Scheduled Scans - Choose when you want the scan profile to run on managed devices.

Scanner Settings

The scanner settings area has four sections:

Realtime Scanning


 

  • Real time scanning
     
    • On Access - Real-time protection is enabled. The scanner constantly monitors background processes for threats, and checks files whenever they are created, opened or copied. Threats are detected before they get a chance to execute (Default)
       
    • Disabled - Real-time protection is switched off. Files are allowed to run without being checked for threats.
       
    • Do not scan files larger than (MB) - The maximum file size that the antivirus should attempt to scan. CCS will not scan files larger than the size specified here. (Default = 20 MB)
       
    • Keep an alert on the screen for (seconds) - How long threat notifications should stay on-screen if not dismissed by the end-user. (Default = 120 seconds)
       
    • Automatically quarantine threats found during scanning – Any discovered threats are moved to a secure holding area where they can cause no harm. (Default = Enabled)
       
      • You can review quarantined items and delete, ignore or restore them:

        Device details interface -  Click 'Devices' > 'Device List' > 'Device Management' > click the name of a Mac device > 'Antivirus' tab. See View items quarantined on a device if you need help with this

        Security Sub-Systems interface - Click 'Security Sub-Systems' > 'Antivirus' > 'Quarantined Files' tab. See How to manage quarantined items in Endpoint Manager to read more
         
    • Automatically update virus database - CCS will download any available updates at system start-up, and subsequently at regular intervals. (Default = Enabled).
       
    • Realtime scanning of files on network - Activate or deactivate automatic scans of files on network drives.
       
      • Enabled - CCS scans every file a user interacts with on a network drive, even if the file is not copied to the local machine.
         
      • Disabled - Files on network drives are not scanned when a user interacts with them. This can save time by eliminating needless scans on write-protected files. If an endpoint doesn’t have the rights to delete/quarantine network files anyway, then there is little reason to scan them at this point. The file will still get scanned if it is copied to the local machine.

        (Default = Enabled)

Manual Scanning

  • A manual scan is one you run 'on-demand' on specific files, folder or drives.
     
    • For example, you can launch a manual scan on your devices direct from Endpoint Manager. Go to 'Security Sub-Systems' > 'Antivirus' > 'Device List' > select a target device > Click the ‘Scan’ button.
       
    • FYI - We have an article on manual scans at https://wiki.itarian.com/frontend/web/topic/how-to-run-antivirus-scans-and-database-updates-from-endpoint-manager.

      ​​​​


       
    • Do not scan files large than (MB) - The maximum file size that the antivirus should attempt to scan. CCS will not scan files larger than the size specified here. (Default = 20 MB)
       
    • Scan archive files - CCS scans archive files such as .ZIP and .RAR files.  (Default = Enabled).
       
    • Automatically quarantine threats found during scanning - Any discovered threats are moved to a secure holding area where they can cause no harm. (Default = Enabled)
       
    • You can review quarantined items and delete, ignore or restore them:

      Device details interface -  Click 'Devices' > 'Device List' > 'Device Management' > click the name of a Mac device > 'Antivirus' tab. See View items quarantined on a device if you need help with this

      Security Sub-Systems interface - Click 'Security Sub-Systems' > 'Antivirus' > 'Quarantined Files' tab. See How to manage quarantined items in Endpoint Manager to read more.
       
    • Automatically update virus database before scanning - CCS will download any available updates at system start-up, and subsequently at regular intervals.

Scheduled Scanning



 

The preferences for scheduled scans are similar to manual scans as explained above, except:

  • Show scanning progress - End-users will see a scan progress bar when the scan is running. (Default = Enabled)

Exclusions

  • The 'Exclusions' tab lets you specify files and folders that should be ignored by the antivirus scanner.
     
  • Any item you exclude will be skipped by ALL types of scan - real-time, on-demand and scheduled.




 

  • Click 'Add'



 

  • Enter the full path of the item you want to exclude then click 'OK'.
     
  • Repeat the process to exclude more items.

Scan Profiles

  • Scan profiles tell CCS which files, folders or drives to scan on a device
     
  • CCS ships with two default profiles – 'Full Scan' and 'Quick Scan'
     
  • You can also create custom profiles which consist of specific items
     
  • Any profiles you create here can be added to a scheduled scan


 

Create a scan profile

  • Click 'Add'



 

  • Enter a label for the scan profile
     
  • Click 'Add' to specify the item you want to scan. This can be a folder, drive, file or area



 

  • Enter the path of the item you want to scan then click 'Ok'
     
  • The path will be added to the profile as follows:



 

  • Repeat the process to add more paths
     
  • Click 'Ok'

The profile will be added to the list and can be selected as part of a scheduled scan.


 

Scheduled Scans

  • The highly customizable scheduler lets you set up recurring scans on managed devices. CCS scans the items in the scan profile at the times you specify in the schedule.
     
  • You can create multiple schedules to take advantage of different scan profiles.



 

  • Click 'Add' to create a new scheduled scan



 

  • Name - Label of the schedule. Pick something that describes the frequency and target of the schedule. For example, ‘Daily scan of the apps folder’, or ‘Weekly scan of sales team laptops’.
     
  • Profile - Choose the pre-defined or custom scan profile you want to use in this scheduled scan. All profiles listed in the 'Scan Profiles' tab will be available in the drop-down.
     
  • Day of week - Select the days of the week on which the scan should run.
     
  • Time - The time the scan should start.

Click 'OK'



 

  • Repeat the process to add more scan schedules
     
  • Click 'Save' to apply the schedule to your configuration profile.

View items quarantined on a device

Click 'Devices' > 'Device List' > 'Device Management' > click the name of a Mac device > 'Antivirus' tab.

  • The 'Antivirus' tab shows all files currently quarantined on the device. Endpoint Manager periodically synchronizes with managed devices to collect and show history of all files in different times on devices.
     
  • You analyze the trustworthiness of the item and can restore files on the device or remove the files from the device. You can also set an admin rating to the files from this interface.

View and manage quarantined files

  • Click 'Devices' > 'Device List'
     
  • Click the 'Device Management' tab
     
    • Select a company or a group to view their devices

      Or
       
    • Select 'Show all' on the left to view every device enrolled to EM
       
  • Click the name of a MAC device
     
  • Click the 'Antivirus' tab > 'Quarantined Files'

  • Click ‘Request quarantined files’ on the right to manually refresh the list.

    File Name - The file that was moved to quarantine.

    File Path - The location on which the file is saved on the device

    Hash - The SHA1 hash value of the quarantined file

    Date Quarantined - Date and time at which the malware was identified and quarantined on the device.

    Comodo Rating - The file's trust level as rated by CCS.

    Admin Rating - The trust rating of the file as set by the administrator. Files can be rated as trusted, malicious or unrecognized.

    User’s last action – The response to the quarantined item by the admin.

    User’s last action status – The status of the response. The possible  statuses are:
     
    • Operation failed. Try again.
       
    • Command is queued.
       
    • Command has been sent to the device.
       
  • Select an item and click 'Delete File(s) From Device' to permanently remove the item from the device
     
  • Select an item and click 'Restore File(s) on Device' to move the item from the quarantine to its original location
     
  • Select an item and click  'Rate as unrecognized', 'Rate as Trusted' or 'Rate as Malicious' to set the corresponding rating to the file

A confirmation is shown and the changes are applied on the device.

  • Files rated as 'Malicious' stays in quarantine on the device.
     
  • Files rated as 'Unrecognized' will be restored to their original locations on the device. Future AV scans may flag them as 'malicious' again.
     
  • Files rated as 'Trusted' will be restored to their original locations in the device. These files will be white-listed and skipped by future antivirus scans.