Running a malware scan

May 15, 2024

ID 262267

To stop a threat spreading from an infected device, you can run a malware scan in one of the following ways:

  • From the alert or incident details
  • From the device details
  • From an investigation graph

You can also configure the response action to run automatically when creating or editing a playbook.

To perform the Malware scan response action, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

It can take up to 15 minutes for a response action to start, because of the synchronization interval between the managed device and Administration Server.

Running a malware scan from the alert or incident details

To scan a device for malware from the alert or incident details:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device to be scanned.
    • In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the ID of the incident that includes the device to be scanned.
  2. In the window that opens, go to the Assets tab.
  3. Select the check box next to the device to be scanned.

    You can select several devices, if necessary.

  4. In the Select response actions drop-down list, select Run virus scan.

    The Virus scan window opens on the right side of the screen.

  5. Select the type of malware scan:
    • Full scan

      Switch on the Network drives toggle button to include network drives in the scan. By default, this option is disabled.

      A full scan can slow down the device because of the increased load on its operating system.

    • Critical areas scan

      If you select this type, the kernel memory, running processes, and disk boot sectors are scanned.

    • Custom scan

      In the Specify a path to the file field, specify the path to the file that you want to scan. To scan several paths, click the Add path button and specify each additional path.

  6. Click the Scan button.

The selected type of malware scan starts.

Running a malware scan from the device details

To scan a device for malware from the device details:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device to be scanned.
    • In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the ID of the incident that includes the device to be scanned.
  2. In the window that opens, go to the Assets tab.
  3. Click the name of the required device, and then in the drop-down list, select View properties.

    If necessary, click the Edit in KUMA button to edit the device parameters in the KUMA Console.

  4. In the Select response actions drop-down list, select Run virus scan.

    The Virus scan window opens on the right side of the screen.

  5. Select the type of malware scan. The types are described in step 5 of Running a malware scan from the alert or incident details.
  6. Click the Scan button.

The selected type of malware scan starts.

Running a malware scan from an investigation graph

This option is available only after the investigation graph has been built.

To scan a device for malware from an investigation graph:

  1. In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the ID of the incident that includes the device to be scanned.
  2. Click the View on graph button.
  3. In the investigation graph that opens, click the device name to open the device details.
  4. In the Select response actions drop-down list, select Run virus scan.

    The Virus scan window opens on the right side of the screen.

  5. Select the type of malware scan. The types are described in step 5 of Running a malware scan from the alert or incident details.
  6. Click the Scan button.

The selected type of malware scan starts.

If the malware scan completes successfully, a corresponding message is displayed on the screen, and the alert or incident is shown in the alert table or incident table with the Success action status. Otherwise, an error message is displayed, and the alert or incident is shown with the Error action status.

After the malware scan operation is finished, you can view the result.
