View And Manage Identified Malware, Endpoint Manager, Malware Detection

View and Manage Blocked Threats

Click 'Security' > 'Blocked Threats.'

The 'Current Malware List' shows malicious items on which no action has yet been taken. This is malware that was prevented from running but has NOT been quarantined or deleted.

You can use this interface to clean (delete), ignore, or quarantine the items.

You can also assign a 'Trusted' rating to an item if you think it is a false positive. The item will not be flagged by future scans.

By default, Endpoint Manager sends an alert to admins when new malware is added to this page. You can enable/disable these alerts in 'Settings' > 'System Templates' > 'Email Notifications'.

How do files get on this list?

View the malware list

Take action on the malware

Android devices

Windows devices

Mac OS devices

Linux devices

Export malware list

Background. This box explains the conditions under which a file will appear in the current malware list.

Windows Devices:

Real-time virus monitor:

Threats are shown in the list if:

Show antivirus alerts' is disabled and 'Block Threats' is chosen as the default action in the profile active on the device

OR

Show antivirus alerts' is enabled and the user decides to click ‘Ignore’ at the alert.

Threats are NOT shown in the list if:

Show antivirus alerts' is disabled and 'Quarantine Threats' is set as the default action.

OR

Show antivirus alerts' is enabled and the user quarantines the threat at an alert.

To view the settings above:

Click 'Configuration Templates' > 'Profiles' > Click the name of any Windows profile > 'Antivirus' tab > Open the 'Realtime Scan' tab.

See Realtime Scan settings in Antivirus Settings if you need more help with this.

Scheduled and manual scans:

Threats are shown in the list only if 'Automatically clean threats' is disabled in the profile active on the device.

To view the setting above:

Click 'Configuration Templates' > 'Profiles' > Click the name of any Windows profile > 'Antivirus' tab > 'Scans' tab > Click the 'Edit' icon beside a profile > Click the 'Options' bar.

See Custom Scans in Antivirus Settings if you need more help with this.

Mac OS Devices

Threats only appear in this list if 'Auto-Quarantine' is disabled in the profile on the device.

Threats will NOT appear in this list if:

'Auto quarantine' is enabled in 'Realtime scanning', 'Manual Scanning' and 'Scheduled Scanning.'

'Auto quarantine' is disabled but the user chooses to quarantine the item from an alert.

See Configure Antivirus Settings in Antivirus Settings for Mac OS Profile under Create a Mac OS Profile for more details.

Linux Devices:

Threats only appear in this list if 'Auto-Quarantine' is disabled in the profile on the device.

Threats will NOT appear in this list if:

'Auto quarantine' is enabled in 'Realtime scanning' and 'Scheduled Scanning.'

'Auto quarantine' is disabled but the user chooses to quarantine the item from an alert

See 'Configure Scanner Settings for XCS for Linux' in Antivirus Settings for Linux Profile in Create a Linux Profile for more details.

Android Devices:

Threats are shown in the list if the threat is ignored on the device. This can be because:

‘Manual control’ is selected in Android client antivirus settings, or

‘Automatic response’ is selected with ‘Ignore’ as the response in Android client antivirus settings.

To view the settings above:

Click 'Settings' > 'Portal Set-Up' > ‘Client Settings’ > ‘Android’ > ‘Antivirus’.

Click here for more information on this setting.

View the malware list

Click 'Security Sub-Systems' > 'Antivirus.'

Click the 'Current Malware List' tab.

Click a company or a group to view malware identified on their devices.

Or

Select 'Show All' to view malware identified on every device in EM.

Current Malware List - Column Descriptions
Column Heading	Description
OS	The operating system of the device on which the malware was identified.
Device Name	The label assigned to the device on which threat is identified. If no name was assigned, then the model number of the device is used. Gray text color shows the device has been offline for the past 24 hours. Click the name of the device to open its device details interface. See Manage Windows Devices, Manage Mac OS Devices, Manage Linux Devices and Manage Android / iOS Devices for more details.
Application Name	The label of the infected file.
Package Name / File Path	Windows, Linux and Mac OS devices - Shows the location of the malware. Android devices - Shows the package name or identifier. Click the icon to copy the package name/ file path to the clipboard.
File Hash	The SHA1 hash value of the file. Click the icon to copy the hash value to the clipboard.
Signature	The malware signature. Signatures enable the scanner to identify viruses. Each malware signature represents a snippet of malicious code unique to a virus. The signatures of known malware are stored in the local antivirus database. This is also known as the 'blacklist'. If the scanner finds a file with a signature that matches one on the blacklist, then it raises a virus alert.
Detection Date	Date and time that the malware was discovered.

Control
Delete Malware	Uninstalls/removes the malware infected item from the device. Applies to items identified from devices of all operating systems.
Ignore Malware	The item will be allowed to remain on the device. Applies to items identified from Android devices only.
Quarantine Malware	Moves the selected items to quarantine on the respective devices. Applies to items identified from Windows, Mac OS and Linux devices.
Rate as Trusted	Awards 'Trusted' file rating to the selected items. Please make sure before marking a file as trusted. Use this option only for false positives and genuine items. Applies only to items identified from Windows devices.
Export	Save the list of currently displayed threats as a comma separated values (CSV) file. The exported .csv is available in 'Dashboard' > 'Reports'. See Export the List of Malware for more details.

Click any column header to sort items in ascending/descending order.

Click the funnel icon on the right to filter items by various criteria.

Start typing or select the search criteria in the search field to find a particular item and click 'Apply.'

To display all items again, clear any filters and search criteria and click 'Apply.'

EM returns 20 results per page when you perform a search. You can increase results up to a maximum of 200.

Take action on the malware.

You can uninstall/delete malicious items from the devices on which they were found.

Alternatively, if you think an item is a false positive, you have the following options:

Ignore malware - Applies to items identified on Android devices only. The item will not be uninstalled and will be skipped in the future scans.

Rate as 'Trusted' - Applies to items identified on Windows devices only. The item will be allowed to run and will be skipped in future scans.

If an item is found to be suspicious, you can choose to move it to quarantine for later analysis and removal.

The options at the top of the table let you take actions on selected items. The available actions depend on the operating system of the device(s).

Threats identified on Android Devices

Action on malware depends on the Android device type. Knox and non-Knox devices. Knox is a security technology used by Samsung for its devices.

First, select the items on which you want to take the action. Then click one of the following:

Ignore Malware - Select if the item is a false positive. The item will remain on the device and skipped in future scans.

Delete Malware - Select if you want to remove the malware from the device.

Knox devices - Applications with viruses or infected files on the devices and from the SD card are deleted without any alert on the device.

Non-Knox devices - Infected files on the SD card are deleted without any alert. The following notification is sent to the affected device for removal of malware on the device.

Touch the alert to view a list of all items which are ready to be removed:

Tap on the malware to be removed, confirm the removal in the next dialog and follow the uninstall wizard.

Threats identified on Windows Devices:

First, select the items on which you want to take the action. Then click one of the following:

Delete Malware - Will remove the malware from the device.

Quarantine Malware - The items will be moved to quarantine on the respective devices. You can delete the items from quarantine later or restore them to their original locations. See View and Manage Quarantined Items for more details.

Rate as Trusted - Trusted files are considered safe to run. Trusted items can run outside the container on devices and will be skipped in future scans. See File Ratings Explained for more details on trust ratings of files.

Threats identified on Mac OS Devices:

First, select the items on which you want to take the action. Then click one of the following:

Delete Malware - Will remove the malware from the device.

Quarantine Malware - The items will be moved to quarantine on the respective devices. You can delete the items from quarantine later or restore them to their original locations. See View and Manage Quarantined Items for more details.

Threats identified on Linux Devices:

First, select the items on which you want to take the action. Then click one of the following:

Delete Malware - Will remove the malware from the device.

Quarantine Malware - The items will be moved to quarantine on the respective devices. You can delete the items from quarantine later or restore them to their original locations. See View and Manage Quarantined Items for more details.

Endpoint Manager

Endpoint Manager Administrator Guide 7.2

English

View and Manage Blocked Threats