Scan an Endpoint for Malware

In addition to blocking the execution of malware, Traps can scan your Windows endpoints and attached removable drives for dormant malware that is not actively attempting to run. If you enable Traps to quarantine malicious files, Traps can also automatically quarantine any malware it finds during the scan. Otherwise, Traps only reports the malware to Traps management service so that you can manually take additional action to remove the malware before it is triggered and attempts to harm the endpoint.
You can scan your endpoints for malware in two ways: you can enable automatic periodic scanning of endpoints as part of a malware security profile (see Add a New Malware Security Profile) and you can run an on-demand scan on one or more endpoints. If you enable scanning in a malware security profile, any new agents to which the profile applies will trigger an initial scan on the endpoint. After the initial scan, Traps will perform periodic scans per the settings you defined in the profile.
When a scan is triggered on an endpoint, Traps collects hashes of all executable files, all Office files containing macros, and all DLLs and sends them to Traps management service. Traps management service then submits the hashes to WildFire to determine whether any of the files are malware. If the hash is unknown to WildFire, Traps management service can also submit the file for in-depth analysis. Traps management service then logs a security event for each file that WildFire returns with a malware verdict.
Scanning is persistent—it resumes after reboots, process interruptions, and operating system crashes. If the endpoint was offline when the scan was scheduled, the scan will begin when the endpoint comes online. If the Traps agent loses connectivity, Traps pauses the scan until it receives a verdict from Traps management service. However, if the Traps local analysis service (tlaservice) stops or the scan state is corrupted, Traps cancels the scan.
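The collect-hash-verdict flow and the resume/cancel behaviour described above, as an added example that is not Traps' own code: it selects executables and DLLs by their MZ header and Office documents by a vbaProject.bin part inside the OOXML container (both are assumed stand-ins for the agent's selection logic), looks each SHA-256 up in a dict that stands in for WildFire (unknown hashes are marked pending, as they would be submitted for analysis), checkpoints progress to a JSON file so an interrupted scan resumes where it stopped, cancels when that checkpoint cannot be parsed, records files it cannot open as File Scan Failed, and returns the three Scanning Report counts. The sample endpoint is constructed from harmless dummy files.

```python
"""Illustrative endpoint malware scan (example added to this page, not the Traps
implementation): select candidate files, hash them, look up verdicts, checkpoint
progress, and summarize the run the way a Scanning Report does."""
import hashlib
import json
import os
import tempfile
import zipfile
from pathlib import Path


class ScanCancelled(Exception):
    """Raised when the saved scan state cannot be trusted."""


def classify(path: Path):
    """'pe' for MZ-headed executables/DLLs, 'office-macro' for OOXML documents with a
    vbaProject.bin part, None for files the scan ignores (assumed selection logic).
    Raises OSError if the file cannot be read."""
    with path.open("rb") as fh:
        head = fh.read(2)
    if head == b"MZ":
        return "pe"
    if head == b"PK":
        try:
            with zipfile.ZipFile(path) as zf:
                if any(n.endswith("vbaProject.bin") for n in zf.namelist()):
                    return "office-macro"
        except zipfile.BadZipFile:
            pass
    return None


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_state(state_path: Path) -> dict:
    """A missing checkpoint starts a fresh scan; an unparsable one cancels the scan."""
    if not state_path.exists():
        return {"results": {}}
    try:
        state = json.loads(state_path.read_text())
        if not isinstance(state.get("results"), dict):
            raise ValueError("checkpoint has no results map")
    except (ValueError, OSError) as exc:
        raise ScanCancelled(f"corrupted scan state: {exc}") from exc
    return state


def scan_endpoint(root: Path, verdicts: dict, state_path: Path) -> dict:
    """Walk root, hash candidate files, attach a verdict per hash and checkpoint after
    every file. `verdicts` maps sha256 -> 'malware' | 'benign' (stand-in for WildFire);
    hashes not in the table are reported as 'pending'."""
    state = load_state(state_path)
    results = state["results"]
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        key = str(path.relative_to(root))
        if key in results:
            continue  # finished before an interruption: resume past it
        try:
            kind = classify(path)
            if kind is None:
                results[key] = {"kind": "skipped"}
            else:
                digest = sha256_of(path)
                results[key] = {"kind": kind, "sha256": digest,
                                "verdict": verdicts.get(digest, "pending")}
        except OSError as exc:  # the agent cannot access the file
            results[key] = {"kind": "error", "message": f"File Scan Failed: {exc}"}
        state_path.write_text(json.dumps(state))  # persist progress
    return {
        "files_scanned": sum(r["kind"] in ("pe", "office-macro") for r in results.values()),
        "malware": [k for k, r in results.items() if r.get("verdict") == "malware"],
        "pending": [k for k, r in results.items() if r.get("verdict") == "pending"],
        "errors": [k for k, r in results.items() if r["kind"] == "error"],
    }


def build_fixture(root: Path) -> dict:
    """Constructed sample endpoint (harmless dummies, not real malware); the 'malware'
    verdict is attached to the hash of an MZ-headed placeholder."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "bad.exe").write_bytes(b"MZ" + b"constructed-bad-binary")
    (root / "good.dll").write_bytes(b"MZ" + b"constructed-good-library")
    for name, with_macro in (("memo.docm", True), ("plain.docx", False)):
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            if with_macro:
                zf.writestr("word/vbaProject.bin", b"constructed-vba-blob")
    (root / "notes.txt").write_text("not an executable, skipped")
    locked = root / "locked.exe"
    locked.write_bytes(b"MZ" + b"unreadable")
    locked.chmod(0)  # simulates a file the agent cannot access (no effect when root)
    verdicts = {sha256_of(root / "bad.exe"): "malware",
                sha256_of(root / "good.dll"): "benign"}
    return {"verdicts": verdicts,
            "expected_errors": 0 if os.access(locked, os.R_OK) else 1}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root, state = Path(tmp) / "endpoint", Path(tmp) / "scan-state.json"
        fixture = build_fixture(root)
        print(json.dumps(scan_endpoint(root, fixture["verdicts"], state), indent=2))
```

Running it a second time against the same checkpoint file skips every file already recorded, which is the property that lets a scan survive reboots and process interruptions; deleting the checkpoint starts a fresh scan, and writing junk into it makes `load_state` raise `ScanCancelled` instead of trusting partial results.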
You can monitor the progress of a scan from Actions Tracker. The time a scan takes to complete depends on the number of endpoints, connectivity to those endpoints, and the number of files for which Traps management service needs to obtain verdicts.
After the scan is complete, you can view the high-level Scanning Report on Endpoints > <endpoint_name> > Policy.
tms-endpoints-scan-complete.png
The Scanning Report provides clickable results to help you quickly identify any files that require remediation.
  • Malware—Takes you to a filtered view of Security Events reported by the Traps agent for this scan. For additional details about an event, select the event name. Use the information—such as the quarantine status and file path—to determine whether you need to take additional action to remediate the file on the endpoint.
  • Errors—Takes you to a filtered view of total events categorized by the event type File Scan Failed on the specific endpoint. A file can fail to scan if the agent cannot access a file.
To run a scan on-demand:
  1. Select Endpoints.
  2. Select the Windows endpoints you want to scan.
    To reduce the number of results, use the endpoint name search and filters at the top of the table.
  3. Initiate scanning (scan icon) on the endpoints.
    You can also initiate a scan on an endpoint from the details view (Scan Now).
    tms-endpoints-initiate-scanning.png
    Scanning is available on Windows endpoints only. Traps management service ignores any scanning requests for non-Windows endpoints. Scanning is also not available for inactive endpoints.
    If you need to abort the scan, select the endpoint, and then abort (abort scan icon) the scan. Or, to abort the scan of a specific endpoint, select Abort Scan from the details view of an endpoint and then confirm the action.
  4. View the scan results.
    After Traps completes a scan, it reports the results to Traps management service. Traps management service logs a security event for each malicious file that Traps detected and summarizes the scanning results per endpoint.
    To view the Scanning Report for a specific endpoint:
    1. On Endpoints, select the name of the endpoint for which you want to view the scan results.
      Traps management service displays additional details about the endpoint.
    2. Select Policy.
    3. View the Scanning Report.
      During the scan, the scan STATUS displays as Pending.
      After the scan completes, Traps management service displays the number of malicious files that Traps detected, the total number of FILES SCANNED, and the total number of file errors that occurred during the scan.
    4. To view malware detected during the scan, select Malware.
      Traps management service jumps to the filtered list of security events detected during the scan.
      tms-security-events-scan-results.png
      The Traps management service logs scanning events for malicious files with an EVENT type of WildFire Malware and the ACTION of Scanned. To view in-depth details about the file behavior, Review WildFire Analysis Details.
    5. To view files which failed to scan, select Errors.
      The Scanning Report displays the total number of errors that occurred during the scan. When you select Errors, Traps management service jumps to the filtered list of all file scanning errors logged for the endpoint during the selected time period (default is 30 days). If you ran multiple scans on an endpoint, the total number of events logged for the endpoint can be greater than the number displayed in an individual Scanning Report.
      tms-logs-endpoint-scan-failed.png
      To repeat the query without locating the Scanning Report, use the query filters at the top of the Endpoint Logs page (Time, endpoint name, and event Type).
      For additional context on an event, review the Message field to determine the file and reason for the scan failure.