Tags
Xcitium Client Security (XCS) what test Remote Control by ITarian RDS Server RDS EDR AEP csv access scope Comodo dialog box Windows UAC user access rights verification phone number password reset security code forgot password Android threat history generates alert lock device Android devices Mac OS devices mobile devices passcode Lock log SIEM log forwarding log storage log storage settings scan profile Parental control FLS file-lookup server internet access rights Real-time scan default profiles pre-configured profiles pre-defined profiles customize profile clone profile Clone unknown MAC profile Linux profile cloud-based service Maintenance Window maintenance analysis tool UFH check policy test policy Virtual Appliances DNS Resolver register invite graphs Dynamic IP Dome shield Integration O365 Comodo Office 365 removal tool CCS removal tool Comodo Secure Email Gateway subscriptions service Dome Antispam Valkyrie report info web Comodo SWG tutorial policy DLP PAC file iboss Bluecoat Websense Comodo Dome ICAP Dome Agent traffic URL C1 account SWG portal SSL Encrypted Traffic Dome Cloud enable widget chart endpoint dashboard file groups Rules exceptions Wi-Fi networks Wi-Fi setup security restrictions iCloud auto containment containment settings virtual file system sandbox environment client access control local configuration Comodo Client Security Rebranding Communication Client Rebranding security client re-brand Comodo Clients application rules global rules Portsets port sets Firewall ruleset rule set rulesets global proxy server global proxy antivirus settings Client Proxy remote control tool Firewall protection firewall settings configuration file export profile PowerShell VBS script Windows Standard Account Endpoint Manager Client Communication (EMCC) server security clients updates vulnerable security patches installed Client Communication Communication Client (CC) submission Communication Client tray icon script OS Patch Third Party Patch Installation Uninstallation Discovery additional package External Device Control external ITarian remote Windows device apps signed-in logged-in identify License wizard on-boarding local Comodo Client Security Mac devices Linux devices MSP customers EM profile Mac OS profile MAC OS X device user device configuration profile copy invoice enrollment Logging Settings SIEM tool external server Account Security mobile console EM device owners ownership remove MAC third party application remote uninstallation software inventory duplicate Name Master Image Golden Image Bulk Installation Package Windows Operating Systems summary information local time External IP address OS summary Devices list MDM profile iOS push certificate create APNs Apple account portal APN Apple Push Notification search bar filter options customer device group group membership managed device trust rating old duplicates removal device name MAC address MSP (Managed Service Provider) Versions Marketing & Sales Customer Relationship Management (CRM) Enroll New Device New Ticket quick actions bar release notes security status activity status profile status Sales funnel Secure Internet Gateway application launch Two factor Time zone Language Lockout time Change Password tokens device enrollment User Groups Manage Profiles User List Management customer report customer assessment customers End-User forms auto response attachments time entry address support User Directory scripts Knowledgebase canned Banlist announcements Hostname mail delivery CommandLine Power Shell PowerShell interface File Explorer Commands Interface Remote devices Remote Tools Paranoid Mode Training Mode Custom Ruleset Safe Mode The charging flow edit contracts Charging Flowchart Global Asset Rates Charging Plans Contracts charges calculated Remove role Edit a role staff interface Exclusions data loss prevention (DLP) network discoveries ITarian Remote Access Tool Tarian Remote Access Tool inactive devices Device removal settings Portal Set-up Malware File Name Security Sub-System communication client UI settings Communication Client Tray remove a department ticket submission configure department synchronize department submit ticket distributing Bandwidths client updates device management Bandwidth conservation malware activity virus scope autoruns Proxy servers fallback flag Inactive discovered devices SNMP Apple Device Enrollment Program set up service explorer manually deploy Comodo EDR agent parent process multiple ticket selection selected tickets security events folder transfer discoveries network management remote folder TLS TLS1.2 pci dss pci compliance ITarian Portal Endpoint Manager vdi environment vdi clone environment instant clone documentation vendor notice security dashboard events resolution remote tool partner onboard unknown file hunter TLS Encryption procedure parameters pass profiles history performance metrics real time remote endpoints download browse service URL Security Components system Global Software Inventory 2 minutes Integrate intagrate Active Directory Portable Interception SSL enable reporting Rule Threat Protection Rule Advance spam Customize archived outgoing incoming administrator validate domains add Antispam type PCI data loss Location Network information start software session extensions appoinments resource connection computers Comodo Rescue Disk infected opportunity opportunities custom relationship management quote COMODO-CRM protect mac device email notifications registry COM Quarantined point system restore msi contained applications processes security client events Release date department registration particular os section Two Factor Authentication Login interface dashboard report generate Direct Download Link One drive Google drive HIPS mode cleanup automatic suspicious suspicious certificates shellcode injection detect Elevated Access system user access default charging groups move current malware list store push IP address ip installer acronis auto-remediation server machine icon Product Logos rebrand backup Device Control data Chromoting WebRTC ports Protocol skip offline manual time entries ticket assignee Help Guide Tour schedule Reschedule appointment unknown application protection Virtual Desktop Local Verdict server manage calculation cost configuration charging SD contract prepaid hours products classification inventory analyze Device list OS patches global search bar Tool bar Windows Defender Security Center file group white Citrix record SPF work billable time onsite email template template variables emails Gmail SMTP disable Add collaborators admin action Audit logs feature requests submit vote remotely Reset proxy swg secure web gateway dome error disk ticket detail page thread section tickets section internal notes Sub-help topic help topic features Application control white_list Patch Management child parent scheduled customized get to headers columns company restrict customer technician remote access list iOS devices field Reports iOS device APN Certificate MAC OS X options Linux block Comodo Client Communication (CCC) allow Comodo Client Security (CCS) network zones active component tray icon hide show packages additional install block port baseline installation package bulk implement restrict firewall endpoints security and communication global export virus import Database folders files define exclusions change staff admin rating check reassign assign permissions new role create for user of device enroll associated use how profile specific Removing Devices Uninstall windows profile Configuration templates latest version clients comodo file ratings monitoring custom All Devices Ratings Track widgets Agent valkyrie malware files Kill chain report automated establishing endpoint remote session Users prevent Android organization windows assets Mac OS billing identified threats Sort Closed inside Program executed containment service desk remote control Locally runs update scan antivirus SLA Business Hours control CCS Password access Client Auto Specific Device Response Application Third party Status View Logs intended devices alert fails Company Information Configure Verdict Patch Procedures Executable Comodo Internet Security ITSM Analysis Command Line Heuristic Filter Unrecognized Trusted File Rate Malicious Purge Calendar Device Exclusion USB Admin Panel Settings ticket Default system-wide Specific Path Details Monitor Multi Set Currency Connected Who Quick Actions Comparison Version Enterprise Managed Service Provider C1 Portal Remote management Comodo Remote Control ticket management staff panel assign tickets
More

How to configure antivirus settings in a Windows Profile

Release Time
07/02/2017
Views
8266 times

Click ‘Configuration Templates’ > ‘Profiles’ > open a Windows profile > Click ‘Add Profile Section’ > ‘Antivirus’Click ‘Configuration Templates’ > ‘Profiles’ > open a Windows profile > Click ‘Add Profile Section’ > ‘Antivirus’

Background

  • The antivirus section of a profile lets you control how the virus scanner operates on managed Windows endpoints.
     
  • There are three sub-sections you can configure:
     
    • Realtime scan – Settings that apply to the ‘always-on’ virus monitor which runs in the background.
       
    • Scans – Settings that apply to ‘on-demand’ scans and scheduled scans. You can use a pre-defined scan profile, or create a custom profile with specific settings.
       
    • Exclusions - Files and folders that should be skipped on devices to which the profile is applied. Items you add here are excluded from all types of scan.
       
  • It is essential to add an antivirus section to a profile if you want virus scanning on your endpoints.

Add an AV section to a profile

  • Login to ITarian
     
  • Click 'Applications' > 'Endpoint Manager'
     
  • Click 'Configuration Templates' > 'Profiles'
     
  • Click the ‘Profiles’ tab
     
  • Open the Windows profile applied to your target devices
     
  • Click 'Add Profile Section' > 'Antivirus'
     
    • Open the 'Antivirus' tab if it has already been added to the profile

       OR
       
    • Click 'Add Profile Section' > 'Antivirus' if it hasn't yet been added:


 

  • The antivirus section requires that target endpoints are restarted on application.
     
  • Click 'Confirm' to continue.

You can use the default AV settings or import them from a predefined profile:


 

  • The default settings differ slightly from those in the various profiles. For example, ‘Show antivirus alerts’ is disabled in the security level 1 profile but is enabled in the default settings.
     
  •  In either case, you can always modify the AV settings later as required.
     
  •  Make your selection then click ‘Ok’.

The AV settings screen opens.

  • Click the following links for help to configure each tab:
     
  • Click 'Save' to apply the section to your profile.

Realtime Scan

  • The real-time scanner runs in the background on managed endpoints, constantly protecting the user against known threats.
     
  • This area lets you configure the behavior of the real-time scanner. For example, you can choose whether alerts are shown on the endpoint, the default action when malware is found, the maximum file size to scan, and more.


 

  Enable Realtime Scan     

Activate the ‘always-on’ virus monitor on endpoints.

The real-time scanner constantly protects your devices from malware. It checks every running process and inspects files whenever they are created, opened or copied.

 (Default = Enabled)

   Enable Scanning                  Optimizations 

 Various techniques to improve antivirus scan performance and reduce resource use.

 (Default = Enabled)

   Do not show auto-scan       alerts

 CCS can automatically scan external devices as soon as they get connected to an endpoint. Example devices include USB sticks, external hard drives, etc.

 This setting lets you choose whether to show a notification to end-users when such a   device is connected.

  • Disabled – CCS shows a notification when a device connects. Users can decide whether or not to scan the device from the alert.
     
  • Enabled – No notification is shown when a device connects.

    You need to choose the default action that CCS should take:
     
    • Ignore – Do not scan the device
       
    • Scan – Scan the devices for viruses

(Default = Enabled with 'Ignore' option)

  Run cache builder when   the computer is idle

The cache builder runs whenever the computer is idle to boost the speed of real-time scans.

  (Default = Disabled)

Applies only to CCS versions 8.3 or lower.

Scan computer memory after the computer starts

If enabled, CCS runs a virus scan of system memory at computer startup.

 (Default = Disabled)

  Show antivirus alerts

 Choose whether threat alerts should be shown on the endpoint when malware is found.

  • Disabled – Alerts are not shown, and CCS will automatically deal with the threat. You need to choose the action that CCS should take:
     
  • Enabled – A pop-up alert is shown when malware is detected. The alert asks the user whether they want to quarantine or allow the threat.

 Default = ‘Enabled’ (show alerts)

Decompress and scan archive files of extensions

The antivirus will open and scan archive files such as .jar, RAR, ZIP, ARJ, WinARJ, and CAB.

 If enabled, you can choose which types of archives should be decompressed and scanned. Click the 'Extensions' link to view existing extensions and add new extensions.

 (Default = Disabled)

Set new on-screen alert timeout to (secs)

 Specify how long an alert should stay on the screen at an endpoint.
  (Default = 120 seconds)

Set new maximum file size to (MB)

Specify the maximum file size that the antivirus should attempt to scan.

 CCS will not scan files larger than the size specified here. (Default = 40 MB)

Set new maximum script size limit to (MB)

 Specify the maximum size of a script that the antivirus should attempt to scan.

 CCS will not scan scripts larger than the size specified here (Default = 4 MB)

Use heuristic scanning

The heuristic scan level determines how likely the scanner is to classify an unknown file as a threat.

  • Low - Lowest sensitivity to detecting unknown threats / generates fewest false positives. This setting balances a very strong ability to detect new viruses with a low rate of false positives. Comodo recommends this setting for most users. (Default)
     
  • Medium - Detects unknown threats with greater sensitivity than the 'Low' setting, but with a corresponding rise in possible false positives.
     
  • High - Highest sensitivity to detecting unknown threats / increased possibility of false positives.

   (Default = Enabled with 'Low ' option)

What is heuristics?

Heuristics is an antivirus technology designed to identify new, previously unknown threats.

 The technology identifies code typical of a virus, rather than looking for a signature that matches a signature on the blacklist. This allows the engine to discover brand new viruses, even if they are not in the current virus database.

Block all Microsoft Office documents containing macro script Block files containing macro script except for the specified files/folders so that you can prevent the damage of harmful macros in word files.
  • You can define exclusions so the necessary files/file groups are excluded from blocking. When this setting is enabled, the portal should send configurations to CCS so that CCS can block files containing macro scripts.

(Default = Disabled)

  • Click 'Exclusion'. The 'Manage Exclusions' dialog will appear with a list of defined exclusions under two tabs:
     
    • Exclusion Paths - Enter the location of an individual item that you want to exclude. Contained files can write to the files/folders you specify here. You can add multiple files by clicking 'Add' again.
    • Click 'Add' 

  • Exclusion Groups - Allow contained apps to access apps and files in a particular group. A file group is a collection of file types that have similar attributes, scope, or functionality. For example, 'Executables', 'Metro Apps', or 'Windows System Applications. Xcitium ships with a set of pre-defined file groups. You can create custom file groups from the 'Settings' > 'Settings' > 'System Templates' > 'File Groups Variables' interface. 
     
  • Click 'Add'


 

  • Click 'OK' to save your settings.
  • You can edit or remove the exclusions using the respective buttons in the 'Action' column in the File/Folders interface.

 

On-demand / Scheduled Scans

The scans area lets you configure profiles for on-demand and scheduled scans, and to create your own custom scans.

Each scan profile is a collection of settings that tell CCS:

  • Where to scan (which files, folders or drives should be covered by the scan)
     
  • When to scan (you have the option to specify a schedule)
     
  • How to scan (specify the behaviour of the scan engine when running this profile)

Once you have created a scan profile, you can apply it to scheduled scans and on-demand scans.

  • You can launch a manual scan on your devices direct from Endpoint Manager. Go to 'Security Sub-Systems' > 'Antivirus' > 'Device List' > select a target device > Click the ‘Scan’ button.
     
  • You can also run manual scans from the CCS installed on the Windows device. Click 'Tasks' > 'General Tasks' > 'Scan'. See this wiki page if you need help to run on-demand scans on the local device.

Endpoint Manager ships with three pre-configured scan profiles:

  • Full Scan - Scans every drive, folder, and file on the target device. External devices like USB drives and hard disk drives are also scanned.
     
  • Quick Scan - Scans critical areas which are most prone to attack from malware. Scanned areas include system memory, auto-run entries, hidden services, boot sectors and other significant areas.
     
  • Quarantined Files Scan - Only scans files which are currently quarantined. CCS will obtain the file’s latest trust rating from our master online database.
     
  • Unrecognized Files Scan - Only scans files that have an ‘Unknown’ trust rating. CCS will obtain the file’s latest trust rating from our master online database.

Background - A file can have a rating of ‘Trusted’, ‘Untrusted’, or ‘Unrecognized’.

  • Quarantined files usually have an ‘Untrusted’ rating, indicating that they are malware.
     
  • ‘Unrecognized’ means that the file has neither a ‘Trusted’ nor ‘Untrusted’ rating. Unrecognized files are automatically run in the container until they acquire a definitive ‘trusted’ or ‘untrusted’ rating.

If a scan finds that a file’s rating has changed, then it is moved appropriately.

Create a custom scan

  • Open the ‘Antivirus’ section of your profile
     
  • Click the ‘Scans’ tab
     
  •  Click 'Add'
     
  • Create a name for the custom scan profile, and choose the files, folder or regions you want to scan:



 

Next, choose your scan options:

  • Click  'Options'
     


 

   Enable scan optimizations

The antivirus will employ various optimization techniques to speed-   up the scan process (Default = Enabled).

  • Applies only to CCS versions 8.3 or lower.

   Decompress and scan compressed files

The antivirus will open and scan archive files. Supported formats include RAR, WinRAR, ZIP, WinZIP ARJ, WinARJ and CAB  archives (Default = Enabled).

     Use cloud while scanning

 Augments the local scan with a real-time look-up of Comodo's online signature database. This makes virus scans more accurate because the cloud database is the most up-to-date.

 With cloud scans enabled, CCS can detect new malware even if the local database is old. (Default = Enabled).

    Automatically clean threats

 CCS will automatically deal with detected threats. This is instead of showing the results screen with a list of threats.

You can choose the action to be taken from the drop-down. The available options are:

  • Disinfect
     
  • Quarantine

 (Default = Enabled with Disinfect option)

   Show scan results window

 Displays a results screen at the end of a virus scan. The screen shows all threats identified by the scan. (Default = Disabled)

    Use heuristic scanning

The heuristic scan level determines how likely the scanner is to classify an unknown file as a threat.

  • Low - Lowest sensitivity to detecting unknown threats / generates fewest false positives. This setting balances a very strong ability to detect new viruses with a low rate of false positives. Comodo recommends this setting for most users. (Default)
     
  • Medium - Detects unknown threats with greater sensitivity than the 'Low' setting, but with a corresponding rise in possible false positives.
     
  • High - Highest sensitivity to detecting unknown threats / increased possibility of false positives.

(Default = Enabled with 'Low ' option)

What is heuristics?

Heuristics is an antivirus technology designed to identify new, previously unknown threats.

 The technology identifies code typical of a virus, rather than looking for a signature that matches a signature on the blacklist. This allows the engine to discover brand new viruses, even if they are not in the current virus database.

   Apply this action to suspicious autorun entries

 

CCS will inspect auto-run entries, Windows services, startup items and scheduled tasks during each scan.

You can apply one of the following actions to services started by unrecognized or malicious processes:

  • Quarantine and Disable: The service will be stopped and permanently disabled. The file that started the service will be quarantined on the device.
     
  • Terminate and Disable - The service will be stopped and permanently disabled. If required, the service can be enabled manually. (Default)
     
  • Terminate - The service will be stopped for the current session.
     
  • Ignore -The detection will be logged but the service allowed to run normally.

 Applies only to CCS versions 10.7 or higher.

    Limit maximum file size to

Specify the maximum file size that the antivirus should attempt to scan.(Default = 40 MB).

     Run this scan with

Set the Windows priority for the scan. Choices are high, medium, low and, run in the background. (Default = Enabled with Background option)

   Update virus database before running

Makes CCS check for database updates before each scan. Available updates will be downloaded prior to the scan.

  (Default = Enabled).

  Detect potentially unwanted applications

CCS also scans for software that

   (i) A user may be unaware of is installed on their computer.

      or

   (ii) May contain functionality that wasn’t made clear to the user.

  Example PUA's include adware and browser toolbars.

 PUA's are often installed as an additional extra when the user is installing a different piece of software. Unlike malware, PUA's are   'legitimate' software with their own EULA agreements. However, the true functionality of the software might not have been made clear at the time of installation.

 For example, a browser toolbar that tells you the weather may also contain code that tracks your online activity.

   (Default = Enabled).

 

The next step is to schedule when the custom scan should run.

  • Click 'Schedule'


 

Frequency

  • Do not schedule this task - The scan is not run automatically at a set time. The scan is saved after you click ‘Ok’ and is available for manual, on-demand scans.
     
  • Every hour(s) - Run the scan once every n hours. For example, once every 3 hours.
     
  • Every Day - Runs the scan every day at the time specified.
     
  • Every Week - Runs the scan weekly on the days and time you specify
     
  • Every Month - Runs the scan monthly on the days and time you specify.
     
  • Selected days of month - Runs the scan on specific days in selected weeks of every month, at the time you specify. Select the weeks and days from the menus and set the time.

Run only when computer is not running on battery - Runs the scan only if the computer is connected to the mains supply. This is useful if you are using a laptop or any other battery-driven device.

Run only when computer is idle - Scans only run when there is little-to-no activity on the computer. Select this if you do not want to be disturbed, or if you are running resource-intensive programs and do not want the scan to take processing power.

Turn off computer if no threats are found at the end of the scan - Powers down the endpoint if the scan finds no threats. This is useful, for example, if you have scans scheduled to run at night.

  • Click 'OK' to save the profile. It will be listed along with the other scan profiles:




 

  • The scan profiles will be applied to your target devices when you save the full configuration profile.

Exclusions

  • The 'Exclusions' tab lets you specify files and folders that should be ignored by the antivirus scanner.
     
  • Items you add here are skipped by all types of the virus scan.

Add exclusions

  • Click 'Exclusions'
     
  • The 'Exclusions' screen has three subsections that allow you to add a list of file locations, list of applications/files and 'File Groups' which should be excluded from the antivirus scan.

Add a location to be excluded

  • Click Excluded Paths




 

  • Click 'Add'




 

  • Enter the full path that should be excluded from scanning and click 'OK'.




     
    • Repeat the process to include more paths
       
    • To change the path, click the edit button , edit the parameters and click 'OK'
       
    • To remove a path from the list, select it and click 'Remove'

Add excluded applications

  • Click 'Excluded Applications'
     
  • EDR agent will add as Exclusions in Windows Default profile.




 

  • Click 'Add'




 

  • Enter the full path including the application that should be excluded from scanning and click 'OK'​​
     
    • You can use wildcard characters ('*' and '?') in the path to specify several items in a folder

          The allowed characters are:
       
      • :* -  asterix symbol – Replaces several characters before or after the given text

        Examples:
         
        • C:\Users\* - Includes all files and subfolders in the folder C:\Users
           
        • C:\Users\test* - Includes all files whose names start with 'test' in the folder
           
        • C:\Users\*test.exe – Includes all files whose filenames end with 'test.exe' in the folder
           
      • ? - question mark – Replaces one character.

        Examples:
         
        • C:\Users\test?,exe - Includes all files that have anyone character after 'text' in the file name
           
        • C:\Users\test1.exe
           
        • C:\Users\test2.exe
           
        • C:\Users\test3.exe
           
  • Repeat the process to include more applications


 

  • To change the application path, click the edit button , edit the parameters and click 'OK'
     
  • To remove an application from the list, select it and click 'Remove'

Add Excluded Groups

Filegroups make it easy to exclude an entire class of file types. EM ships with a set of predefined groups, and you can create new groups and edit groups as required. See 'File Groups' under 'Settings' > 'System Templates' > 'File Groups Variables'.

  • Click 'Excluded Groups'



 

  • Click 'Add'.




 

  • Choose the group from the 'Group' drop-down and click 'OK'.

The group will be added to the exclusions.



 

  • Repeat the process to add more filegroups
     
  • Click the 'Save' button for the antivirus settings to take effect on the devices applied with the profile.

Further reading:

How to run virus scans on devices from the security sub-systems menu

How to run on-demand antivirus scans in CCS on Windows devices

How to view antivirus scan results and quarantined files on a device in Endpoint Manager

How to manage quarantined items in Endpoint Manager

How to configure antivirus settings in a Linux profile

How to configure antivirus settings in a Mac OS Profile