New Ivanti Endpoint Security Auto Remediation Feature
Starting with Ivanti Endpoint Management 2017.3, Ivanti Software is offering a new Endpoint Security feature called "Auto Remediation". This action can be triggered by malware, ransomware (in EPS), and through the API.
The following steps can be taken to enable and configure Auto Remediation in your environment.
- On the IEM Core Server, open the Agent Settings tool within the Configuration Tool group.
- Depending on your access level, under My Agent Settings or Public Agent Settings, open the Security group and click on the Endpoint Security tree node.
- In the right-hand pane create a New Configuration or select an existing configuration to edit.
- Move to the Auto Remediation section in the left-hand pane and select "Enable".
- By default, the options "Triggered by malware", "Triggered by ransomware" and "Triggered by API" are selected.
In addition, the option "Triggered by keywords" can be used. These keywords are matched against the log files of the vendor Antivirus software, and the configured actions are triggered when a user-configured keyword is found.
- Next, move to the Actions section of the configuration.
Within this section you can configure various options:
- Isolate the device from the network but allow remote management. This option makes the computer unreachable on the network and prevents it from communicating with anything except the IEM server or consoles.
This allows full access to run various actions such as Remote Control, Software Distribution, etc. In other words, the computer can continue to be fully managed by Ivanti Endpoint Manager in order to get it back to working order and on to the network again.
- Shutdown or restart (with delay). In addition, you can create a message that will be shown to the end user prior to the reboot.
- Run Security Scan. This allows you to select specific agent Distribution and Patch settings to configure various behaviors. See Distribution and Patch Settings for specific information about these settings.
- Deploy a package. This will show you a list of all of the packages available to you. This package will be automatically deployed if Deploy a package has a package selected in the drop-down.
At this time the following Antivirus products are supported:
- Ivanti Antivirus
- Ivanti Antivirus 2017.3 (Kaspersky Endpoint Security for Windows 10.0 SP1)
- Symantec Endpoint Protection 14
- McAfee VirusScan Enterprise 8.8
- Trend Micro
- Trend Micro OfficeScan Client 5.0
- Sophos Anti-Virus 5.8
For "Triggered by malware", Ivanti also allows the actions to be triggered with or without keywords. If keywords are entered and the "malware name includes the keyword" option is enabled, the actions are triggered only when the detected malware name contains one of these keywords. If keywords are entered and the "malware name excludes the keyword" option is enabled, the actions are not triggered when the detected malware name contains one of these keywords. For suitable keywords, refer to the vendor links below.
- Kaspersky - A Malware Classification
- Symantec - Malicious code classifications and threat types
- McAfee - Threat Library Search Results
- Trend Micro - Virus/Malware
- Sophos - Advanced Targeted Malware Security | Sophos ATP for Corporate Networks and Network Threats
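The following is an added example, not Ivanti's code, that models the two keyword behaviours described above: the "Triggered by keywords" path, which looks for configured keywords in the vendor antivirus log, and the "Triggered by malware" include/exclude rule applied to the detected malware name. The log line format, the `KeywordPolicy` class and the function names are assumptions made for illustration; the sample log lines are constructed and do not reproduce any vendor's real log format.

```python
"""Model of Auto Remediation keyword triggering (added example, not Ivanti code).

Assumptions: a generic "Detected: <name>" log format, and a KeywordPolicy
with mode "include" or "exclude" standing in for the two console options.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KeywordPolicy:
    keywords: tuple      # user-configured keywords; empty tuple = no keyword filter
    mode: str            # "include" (trigger only on match) or "exclude" (suppress on match)


def malware_trigger(detected_name: str, policy: KeywordPolicy) -> bool:
    """Decide whether the configured actions run for one malware detection.

    With no keywords configured every detection triggers. With keywords,
    "include" mode triggers only when the name contains a keyword and
    "exclude" mode triggers only when it contains none of them.
    Matching is case-insensitive, which is an assumption of this model.
    """
    if not policy.keywords:
        return True
    name = detected_name.lower()
    hit = any(k.lower() in name for k in policy.keywords)
    if policy.mode == "include":
        return hit
    if policy.mode == "exclude":
        return not hit
    raise ValueError(f"unknown keyword mode: {policy.mode!r}")


# Constructed sample antivirus log (generic format, not a real vendor's output).
SAMPLE_LOG = """\
2024-01-01 10:00:01 Detected: Trojan.Generic.12345 in C:\\Users\\demo\\a.exe
2024-01-01 10:00:05 Detected: Adware.Toolbar.Example in C:\\Users\\demo\\b.exe
2024-01-01 10:00:09 Scan completed, no further threats found
"""

DETECTION_RE = re.compile(r"Detected:\s+(?P<name>\S+)")


def detected_names(log_text: str) -> list:
    """Extract the malware names reported in the log."""
    return [m.group("name") for m in DETECTION_RE.finditer(log_text)]


def keyword_lines(log_text: str, keywords: tuple) -> list:
    """'Triggered by keywords' path: log lines containing any configured keyword."""
    lowered = [k.lower() for k in keywords]
    return [line for line in log_text.splitlines()
            if any(k in line.lower() for k in lowered)]


def remediation_decisions(log_text: str, policy: KeywordPolicy) -> list:
    """'Triggered by malware' path: (name, trigger?) for each detection in the log."""
    return [(name, malware_trigger(name, policy)) for name in detected_names(log_text)]


if __name__ == "__main__":
    include_trojans = KeywordPolicy(keywords=("trojan",), mode="include")
    ignore_adware = KeywordPolicy(keywords=("adware",), mode="exclude")
    print("include mode:", remediation_decisions(SAMPLE_LOG, include_trojans))
    print("exclude mode:", remediation_decisions(SAMPLE_LOG, ignore_adware))
    print("keyword hits:", keyword_lines(SAMPLE_LOG, ("trojan",)))
```

In include mode only the Trojan detection triggers the actions; in exclude mode with the keyword "adware" the Trojan detection still triggers while the adware detection is suppressed, which is the behaviour an administrator should expect before relying on the rule to isolate or reboot endpoints.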