Malware Protection

To ensure malware protection, a software agent is installed on the Managed RHEL VM. The communication between the agent installed on the Operating System and the management application takes place in the background. This includes updates of both the malware signatures and the agent application.

Functions/Configuration options

  • Scan Detection Method: The detection method used is scan on read and write (real-time scanning).
  • Full Scan: Currently, full scans are not scheduled and cannot be triggered manually.
  • Event handling: The malware protection software can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats. Which action is taken depends on the type of threat.
  • Event Logs: Event logs are stored here: /var/opt/ds_agent/diag
  • Exclusions: The customer can request that specific folders, files or processes be excluded from the real-time malware scan by issuing a Change Request.
  • Quarantine: Detected files are sent to a central quarantine and can be restored by the provider on request.
  • Restrictions: The agent used on the system may not be uninstalled or reconfigured manually.

Event Log

The following information is logged for every malware detection:

  • Time: Time the event took place on the computer.
  • Infected File(s): The location and name of the infected file.
  • Malware: The name of the malware that was found.
  • Action Taken: Displays the results of the actions specified in the malware scan configuration associated with the event.
    • Cleaned: Successfully terminated processes or deleted registries, files, cookies, or shortcuts, depending on the type of malware.
    • Clean Failed: Malware could not be cleaned for a variety of possible reasons.
    • Deleted: An infected file was deleted.
    • Delete Failed: An infected file could not be deleted for a variety of possible reasons.
    • Quarantined: An infected file was quarantined.
    • Quarantine Failed: An infected file could not be quarantined for a variety of possible reasons.
    • Access Denied: Prevented the infected file from being accessed without removing the file from the system.
    • Passed: Did not take any action but logged the detection of the malware.
  • Scan Type: The type of scan that found the malware (Real-Time, Scheduled, or Manual).
  • Event Origin: Indicates from which part of the Deep Security system the event originated.
  • Reason: The malware scan configuration that was in effect when the malware was detected.
  • Major Virus Type: The type of malware detected. Possible values are: Joke, Trojan, Virus, Test, Spyware, Packer, Generic, or Other.
  • Target(s): The file, process, or registry key (if any) that the malware was trying to affect.
  • Target Type: The type of system resource that this malware was trying to affect, such as the file system or a process.
  • File MD5: The MD5 hash of the file.

Handling of Malware Alerts

Malware alerts which could not be resolved automatically by the Anti-Malware system are logged centrally, and the alerts are analyzed by security experts to take further actions. All actions will be logged.
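
The split between detections the agent resolved itself and those that go to the central alert queue can be derived from the "Action Taken" values listed above. The following is an added example, not code from the original documentation or from the agent vendor: the field names follow the Event Log description, while the pipe-separated line format and the sample records are constructed, because the page does not document how events under /var/opt/ds_agent/diag are stored.

```python
# Added example (not from the original page): triage of agent malware events.
# Field names follow the Event Log description; the pipe-separated line format
# and the sample records are constructed, since the page does not document
# how events under /var/opt/ds_agent/diag are stored.
from dataclasses import dataclass

# "Action Taken" values from the Event Log section, split by whether the
# agent resolved the detection on its own or an analyst has to follow up.
AUTO_RESOLVED = {"Cleaned", "Deleted", "Quarantined", "Access Denied"}
NEEDS_ANALYST = {"Clean Failed", "Delete Failed", "Quarantine Failed", "Passed"}
KNOWN_ACTIONS = AUTO_RESOLVED | NEEDS_ANALYST

# Subset of the logged fields used here, in the order they appear per record.
FIELDS = ("time", "infected_file", "malware", "action_taken", "scan_type", "file_md5")

@dataclass(frozen=True)
class MalwareEvent:
    time: str
    infected_file: str
    malware: str
    action_taken: str
    scan_type: str
    file_md5: str

def parse_event(line: str) -> MalwareEvent:
    """Parse one pipe-separated record (constructed format) into an event."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    event = MalwareEvent(**dict(zip(FIELDS, parts)))
    if event.action_taken not in KNOWN_ACTIONS:
        raise ValueError(f"unknown Action Taken value: {event.action_taken!r}")
    return event

def triage(lines):
    """Return (unresolved, resolved); unresolved events go to the central alert queue."""
    unresolved, resolved = [], []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        (resolved if ev.action_taken in AUTO_RESOLVED else unresolved).append(ev)
    return unresolved, resolved

# Constructed sample records; the MD5 values are placeholders, not real indicators.
SAMPLE_LOG = """
2024-01-01T10:00:00Z | /tmp/sample.bin | Test.File | Quarantined | Real-Time | 00000000000000000000000000000001
2024-01-01T10:05:00Z | /opt/app/lib.so | Trojan.Linux.Generic | Quarantine Failed | Real-Time | 00000000000000000000000000000002
2024-01-01T10:07:00Z | /home/user/a.sh | Generic.Suspicious | Passed | Real-Time | 00000000000000000000000000000003
"""
```

Running triage(SAMPLE_LOG.splitlines()) puts the quarantined detection in the resolved list and the "Quarantine Failed" and "Passed" detections in the list handed to analysts, matching the handling described above.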

Default Policy (Linux)

The default Linux policy excludes the following items from the scans:

Paths (incl. subfolders):

  • /proc/
  • /sys/