About new features/changes in Endpoint Security in 2017.3

Version 8

    Verified Product Versions

    Endpoint Manager 2017.x

    New Auto Actions


    Auto Actions is a new feature in Endpoint Security in EPM 2017.3. It lets you trigger actions on managed clients. So far it supports 3 triggers and 4 actions, as listed below:







    • Triggered by malware
    • Triggered by ransomware
    • Triggered by API


    Actions when detecting a virus

    • Isolate the device from the network but allow remote management
    • Shutdown or restart device
    • Run a Security Scan
    • Deploy a package


    Triggers - Triggered by Malware

    • Triggered by malware: When the antivirus product detects malware on the managed client it will trigger the selected actions.
    • This trigger can use keywords to trigger an action. This means that Endpoint Security can trigger actions when the malware includes or excludes the keywords that the customer has entered.
    • So far it supports the following antivirus products:
      • Kaspersky Antivirus
      • Ivanti Antivirus
      • Symantec
      • McAfee
      • Trend Micro
      • Sophos
    • For details see About the new "Auto action" feature in Ivanti Endpoint Security


    Triggers - Triggered by ransomware


    To use this trigger, the following configuration must be set:


    1. Open the Agent Settings tool in the EPM console under the Configuration tool group.
    2. Scroll down to "All Agent Settings".
    3. Go to the "Application Control" sub-node under "Security".
    4. Select the desired "Application Control" setting and double-click it.
    5. Under "General Settings" ensure that the "Auto detect and blacklist crypto-ransomware" option is checked.

    Triggers - Triggered by API


    • The administrator can enable triggering by API, so that calling this API triggers the actions.
    • Call API Sample: http://(core name)/ldapi/adpi/v1/(Device ID)/EPSAutomationTrigger




    • Isolate the device from the network
      • This feature makes the computer unreachable on the network and unable to communicate with the network. It can only communicate with the EPM server or consoles. This allows full access to run various actions such as Remote Control, Software Distribution, etc. In other words, the computer can continue to be fully managed by Ivanti Endpoint Manager in order to get it back to working order and onto the network again.

      • It can work through the Cloud Services Appliance (CSA). This uses the Remote Control protocol to communicate.
    • Shutdown or restart
      • Delay X minutes: Client will shut down or restart in X minutes.
      • Shutdown message: Admin can input instructions for shutdown or restart to be displayed to the end user.
      • The countdown time and shutdown/restart message will pop up in the bottom right-hand corner of the client.
    • Run Security Scan
    • Deploy a package


    Auto Actions - UI

    • Enable: Triggers and Actions are enabled and able to be selected
    • Disable: Triggers and Actions are disabled and unable to be selected

    Triggers - UI


    Actions - UI



    Security Activity

    • New Security Activity Node called "Automation Activity".


    Within this view, you can see the actions that were taken in response to a trigger as part of the automation activities within Endpoint Protection.






    • Alerting options are now located in the Agent Settings tool rather than the Configuration tool group.


    EPS Alerting options available:



    Alerts - Send to Syslog Server


    The alert that you would configure for the automation activities is within the LDMS Default Ruleset and is called "Application Control - Automation action for malware or ransomware"


    Alerts - Send to Syslog Server


    • Send to Syslog server is a new feature in the Alerting component in EPM 2017.3.
    • It supports sending the syslog information to Loggly and Splunk. The TCP/UDP ports are configurable.

    Reporting on Isolated Devices


    Currently there is no inventory entry for isolation.  Thus there are no canned reports or queries that can be made.  An enhancement request is in the works to add this feature.


    However, the following SQL query can be used to determine isolated devices:


    SELECT Computer_Idn FROM HIPS WHERE Isolated = 'Yes'


    The Computer_Idn can be used with the 'Computer' table to get the name and IP address.
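
The join described above, as an added example (not Ivanti's code): it runs the article's HIPS query joined to the Computer table against a constructed in-memory SQLite stand-in for the EPM database. The column names DeviceName and IPAddress and all sample rows are assumptions; check them against your own database schema before using the query.

```python
import sqlite3

# Table names HIPS and Computer, and columns Computer_Idn and Isolated, come
# from the article. DeviceName and IPAddress are ASSUMED column names.
ISOLATED_DEVICES_SQL = """
SELECT h.Computer_Idn, c.DeviceName, c.IPAddress
FROM HIPS AS h
LEFT JOIN Computer AS c ON c.Computer_Idn = h.Computer_Idn
WHERE h.Isolated = 'Yes'
ORDER BY h.Computer_Idn
"""


def build_sample_db():
    """Constructed in-memory stand-in for the EPM database (sample rows only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Computer (Computer_Idn INTEGER PRIMARY KEY,
                               DeviceName TEXT, IPAddress TEXT);
        CREATE TABLE HIPS (Computer_Idn INTEGER, Isolated TEXT);
        INSERT INTO Computer VALUES (101, 'FIN-LT-01', '192.0.2.10'),
                                    (102, 'HR-WS-07',  '192.0.2.11'),
                                    (103, 'LAB-PC-03', '192.0.2.12');
        -- 999 is isolated in HIPS but has no Computer row (stale record).
        INSERT INTO HIPS VALUES (101, 'Yes'), (102, 'No'),
                                (103, 'Yes'), (999, 'Yes');
    """)
    return db


def isolated_devices(db):
    """Return (Computer_Idn, name, ip) for every isolated device.

    LEFT JOIN keeps isolated HIPS rows that have no matching Computer row,
    so they surface with name/ip set to None instead of being dropped.
    """
    return db.execute(ISOLATED_DEVICES_SQL).fetchall()


if __name__ == "__main__":
    for idn, name, ip in isolated_devices(build_sample_db()):
        print(idn, name or "<no Computer row>", ip or "-")
```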