Running a malware scan

To prevent a threat from spreading on an infected device, you can run a malware scan in one of the following ways:

You can also configure the response action to run automatically when creating or editing a playbook.

To perform the Malware scan response action, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

It might take up to 15 minutes to launch a response action due to the synchronization interval between the managed device and the Administration Server.

To scan a device for malware:

  1. In the main menu, go to the Monitoring & reporting section, and then select the Alerts or Incidents section.

    If you want to run a malware scan from an investigation graph, select the Incidents section.

  2. Click the ID of the required alert or incident.
  3. In the window that opens, do one of the following:
    • If you want to respond through the alert or incident details, go to the Assets tab, and then select the check box next to the device to be scanned.

      You can select several devices, if necessary.

    • If you want to respond through the device details, go to the Assets tab, click the name of the required device, and then in the drop-down list, select View properties.
    • If you want to respond through an investigation graph, click the View on graph button. In the investigation graph that opens, click the device name to open the device details.
  4. In the Select response actions drop-down list, select Run virus scan.

    The Virus scan window opens on the right side of the screen.

  5. Select the type of malware scan:
    • Full scan

      You can switch the Network drives toggle button to include network devices in the scan. By default, this option is disabled.

      A full scan can slow down the device due to an increased load on its operating system.

    • Critical areas scan

      The kernel memory, running processes, and disk boot sectors are scanned if you select this type.

    • Custom scan

      In the Specify a path to the file field, specify a path to the file that you want to scan. If you want to set several paths, click the Add path button, and then specify the path.

  6. Click the Scan button.

    The selected type of malware scan starts. If the operation is completed successfully, an appropriate message is displayed on the screen, and the alert or incident is displayed in the alert table or incident table with the Success action status. Otherwise, an error message is displayed, and the alert or incident is displayed with the Error action status.

After the malware scan operation is finished, you can view the result.
