Scan an Endpoint for Malware

In addition to blocking the execution of malware, Traps can scan your Windows endpoints and attached removable drives for dormant malware that is not actively attempting to run. If you enable Traps to quarantine malicious files, Traps can also automatically quarantine any malware it finds during the scan. Otherwise, Traps only reports the malware to Traps management service so that you can manually take additional action to remove the malware before it is triggered and attempts to harm the endpoint.
You can scan your endpoints for malware in two ways: you can enable automatic periodic scanning of endpoints as part of a malware security profile (see Add a New Malware Security Profile) and you can run an on-demand scan on one or more endpoints. If you enable scanning in a malware security profile, any new agents to which the profile applies will trigger an initial scan on the endpoint. After the initial scan, Traps will perform periodic scans per the settings you defined in the profile.
When a scan is triggered on an endpoint, Traps collects hashes of all executable files, all Office files containing macros, and all DLLs and sends them to Traps management service. Traps management service then submits the hashes to WildFire to determine whether any of the files are malware. If the hash is unknown to WildFire, Traps management service can also submit the file for in-depth analysis. Traps management service then logs a security event for each file that WildFire returns with a malware verdict.
Scanning is persistent—it resumes after reboots, process interruptions, and operating system crashes. If the endpoint was offline when the scan was scheduled, the scan will begin when the endpoint comes online. If the Traps agent loses connectivity, Traps pauses the scan until it receives a verdict from Traps management service. However, if the Traps local analysis service (tlaservice) stops or the scan state is corrupted, Traps cancels the scan.
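To make the scan flow described above concrete (enumerate the file types Traps covers, hash each one, obtain a verdict, log a security event per malware verdict and a File Scan Failed event per unreadable file), here is an added, self-contained Python example. It is not Traps code and does not use any Traps or WildFire API: the verdict source is a constructed in-memory table standing in for WildFire, SHA-256 is an assumed hash choice, and matching macro-enabled Office files by extension (`.docm`, `.xlsm`, `.pptm`) is this example's simplification rather than the agent's own detection logic. Files whose hash has no verdict are kept in an `unknown` list, mirroring the case where the hash is unknown and the file would be submitted for analysis.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# File types the page says a scan covers: executables, DLLs and Office files
# with macros. Extension matching is an assumption made for this example.
SCANNED_EXTENSIONS = {".exe", ".dll", ".docm", ".xlsm", ".pptm"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a verdict service: hash -> verdict. Any hash not
# present is "unknown" to the lookup (would be submitted for analysis).
SAMPLE_VERDICTS = {
    sha256_bytes(b"MZ-constructed-malicious-sample"): "malware",
    sha256_bytes(b"MZ-constructed-benign-sample"): "benign",
}


@dataclass
class ScanReport:
    """Per-endpoint summary, shaped like the fields in the Scanning Report."""
    total_files: int = 0
    malicious: list = field(default_factory=list)  # one security event per malware verdict
    errors: list = field(default_factory=list)     # one "File Scan Failed" event per unreadable file
    unknown: list = field(default_factory=list)    # hashes with no verdict yet


def hash_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, lookup_verdict) -> ScanReport:
    """Walk root, hash every covered file type and classify it by verdict."""
    report = ScanReport()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCANNED_EXTENSIONS:
                continue  # not a scanned file type
            path = os.path.join(dirpath, name)
            report.total_files += 1
            try:
                digest = hash_file(path)
            except OSError as exc:
                # The agent cannot access the file: logged as a scan error, not as malware.
                report.errors.append({"event": "File Scan Failed", "file": path, "reason": str(exc)})
                continue
            verdict = lookup_verdict(digest)
            if verdict == "malware":
                report.malicious.append({"event": "WildFire Malware", "file": path, "sha256": digest})
            elif verdict is None:
                report.unknown.append(digest)
    return report


def run_demo() -> ScanReport:
    """Build a constructed endpoint directory and scan it against SAMPLE_VERDICTS."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    with open(os.path.join(root, "dropper.exe"), "wb") as f:
        f.write(b"MZ-constructed-malicious-sample")          # known malware hash
    with open(os.path.join(root, "helper.dll"), "wb") as f:
        f.write(b"MZ-constructed-benign-sample")             # known benign hash
    with open(os.path.join(root, "invoice.docm"), "wb") as f:
        f.write(b"constructed macro document with no verdict yet")  # unknown hash
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not a scanned file type; skipped")
    # Dangling symlink named like an executable: opening it fails -> File Scan Failed.
    os.symlink(os.path.join(root, "does-not-exist"), os.path.join(root, "ghost.exe"))
    return scan_directory(root, SAMPLE_VERDICTS.get)


if __name__ == "__main__":
    r = run_demo()
    print(f"malicious={len(r.malicious)} total={r.total_files} errors={len(r.errors)} unknown={len(r.unknown)}")
    for ev in r.malicious + r.errors:
        print(ev)
```

Running the demo yields one WildFire Malware event (dropper.exe), one File Scan Failed event (ghost.exe), one unknown hash (invoice.docm) and a total of four scanned files; notes.txt is never hashed because it is not a covered type. The same three counters are what the per-endpoint Scanning Report summarizes.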
You can scan an unlimited number of endpoints in a single bulk action and can monitor the progress of scans from Actions Tracker. The time a scan takes to complete depends on the number of endpoints, connectivity to those endpoints, and the number of files for which Traps management service needs to obtain verdicts.
After the scan is complete, you can view the high-level Scanning Report on
The Scanning Report provides clickable results to help you quickly identify any files that require remediation.
  • Malware—Takes you to a filtered view of Security Events reported by the Traps agent for this scan. For additional details about an event, select the event name. Use the information—such as the quarantine status and file path—to determine whether you need to take additional action to remediate the file on the endpoint.
  • Errors—Takes you to a filtered view of total events categorized by the event type File Scan Failed on the specific endpoint. A file can fail to scan if the agent cannot access a file.
To run a scan on-demand:
  1. Select
  2. Select the Windows endpoints you want to scan.
    To reduce the number of results, use the endpoint name search and filters from the
    menu at the top of the page.
  3. Initiate scanning on the endpoints using the scan icon.
    You can also initiate a scan on an endpoint from the details view (Scan Now).
    Scanning is available on Windows endpoints only. Traps management service ignores any scanning requests for non-Windows endpoints. Scanning is also not available for inactive endpoints.
    If you need to abort the scan, select the endpoint, and then abort the scan using the abort icon. Or, to abort the scan of a specific endpoint, select Abort Scan from the details view of an endpoint and then confirm the action.
  4. View the scan results.
    After Traps completes a scan, it reports the results to Traps management service. Traps management service logs a security event for each malicious file that Traps detected and summarizes the scanning results per endpoint.
    To view the Scanning Report for a specific endpoint:
    1. On
      , select the name of the endpoint for which you want to view the scan results.
      Traps management service displays additional details about the endpoint.
    2. Select
    3. View the Scanning Report.
      During the scan, the scan
      displays as
      After the scan completes, Traps management service displays the number of malicious files that Traps detected, the total number of
      , and the total number of file errors that occurred during the scan.
    4. To view malware detected during the scan, select
      Traps management service jumps to the filtered list of security events detected during the scan.
      The Traps management service logs scanning events for malicious files with an
      type of
      WildFire Malware
      and the
      . To view in-depth details about the file behavior, Review WildFire Analysis Details.
    5. To view files which failed to scan, select
      The Scanning Report displays the total number of errors that occurred during the scan. When you select
      , Traps management service jumps to the filtered list of all file scanning errors logged for the endpoint during the selected time period (default is 30 days). If you ran multiple scans on an endpoint, the total number of events logged for the endpoint can be greater than the number displayed in an individual Scanning Report.
      To repeat the query without locating the Scanning Report, use the query filters at the top of the Endpoint Logs page (
      , endpoint name, and event
      For additional context on an event, review the
      field to determine the file and reason for the scan failure.