Scanning for anti-malware on-demand

Configure Scans

Configure anti-malware scans to run on targeted computer groups immediately or on a set schedule you define. For more information on scans, see Microsoft: Defender Scans.

  1. From the Enforce menu, select Anti-Malware and click the On Demand Scans tab.
  2. Click Create Scan. In the Details section, enter a Name for the scan and choose one of the following scan types.
    • Select Quick scan to search for malware in Windows system start-up locations such as registry keys and certain file folders.
    • Select Full scan for a more thorough scan of systems that may have been compromised. An immediate (unscheduled) scan is generally a full scan, because it is usually prompted by suspicious activity. A full scan can take over an hour to complete.

  3. In the Targeting section,
    • Choose Computer Group and select a group from the pulldown.
    • Choose Individual Computer and create a Computer Group that holds the individual computers to scan. Add computers to the group by clicking inside the edit field and selecting them.
  4. In the Schedule section,
    • Choose Run immediately.
    • Choose Run on a defined schedule and configure a Start time. Optionally, distribute the scan across the targeted endpoints over a set number of minutes, hours or days.
  5. Click Show Preview to view how many targeted clients are online for scanning. The list will not include clients targeted for scans configured to take place in the future.
  6. Click Create and Run Scan.
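The Enforce steps above drive a Defender scan on each targeted endpoint. The following PowerShell, added here as an example and not Tanium's own code, runs the same Quick or Full scan on a single endpoint with the built-in Defender module and reads back any detections, which is useful for confirming on one machine what a scan of a whole group would report. It assumes an elevated session on a Windows endpoint that ships the Defender module; how Enforce itself invokes the scan is not described on this page.

```powershell
# Added example (not Tanium's code): run the same Defender scan types that an
# Enforce on-demand scan targets, directly on one endpoint, then read back what
# Defender detected. Assumes the built-in Defender PowerShell module
# (Windows 10/11, Server 2016+) and an elevated session; how Enforce itself
# invokes the scan is not described on this page.
param(
    [ValidateSet('QuickScan', 'FullScan')]
    [string]$ScanType = 'QuickScan'
)

$started = Get-Date

# Start-MpScan blocks until the scan ends, and a FullScan can take over an hour,
# so run it as a CIM job and poll; the session stays usable for other checks.
$job = Start-MpScan -ScanType $ScanType -AsJob
Write-Host "Started $ScanType at $started (job $($job.Id))"

while ($job.State -eq 'Running') {
    Start-Sleep -Seconds 30
    $elapsed = [int](New-TimeSpan -Start $started).TotalMinutes
    Write-Host "$ScanType still running ($elapsed min elapsed)"
}
if ($job.State -ne 'Completed') {
    Write-Warning "Scan job ended in state '$($job.State)'"
}
Remove-Job $job

# Map ThreatID to a readable name; Get-MpThreatDetection only carries the ID.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

# Detections recorded since the scan began. Resources lists the affected files
# or registry locations; DomainUser/ProcessName give the context of detection.
$detections = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $started } |
    Select-Object @{n='Threat';    e={ $names[$_.ThreatID] }},
                  ThreatID, ProcessName, DomainUser, InitialDetectionTime,
                  @{n='Resources'; e={ $_.Resources -join '; ' }}

if (-not $detections) {
    Write-Host "No threats detected by this $ScanType."
} else {
    $detections | Format-Table -AutoSize -Wrap
}
```

Run it as `.\Run-DefenderScan.ps1 -ScanType FullScan` on a machine you suspect; the polling loop mirrors the caveat above that a full scan can run for more than an hour, and the detection list is the per-endpoint view of what the Enforce results grid aggregates.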

View Scan Details

See the status of a scan by clicking on the scan name. The status can be one of the following:

  • Pending - The scan action has not begun yet.
  • Open - The scan action has not expired yet.
  • Closed - The scan action has completed or expired. Note that the status can be closed even if the scan is still running on endpoints. Closed indicates the action is no longer being issued to new endpoints.
  • Stopped - The saved scan configuration has expired and been automatically deleted, or an administrator ended it.

You can also view the status of a scan from the Actions window in the Tanium Console. Scans work similarly to other Tanium scheduled actions. See Tanium Actions Overview for more information.

The Endpoints Scanned column and the Scan Results graph are not updated immediately; they may lag by up to twenty minutes before they show that a scan has completed on an endpoint.

Advanced Filtering

Filter scan results by clicking the + sign and adding parameters such as a count and a comparison operator.

The Tanium Server combines the filters with Boolean AND/OR logic. For example, if you select a computer group filter and also configure a results filter, the server applies both filters together.


View Scan Results

Drill Down

Click the scan name to view all threats detected on endpoints. If threats were found, they are listed in the results section. You can use the Drill Down capability to investigate further.

From the scan results grid,

  1. Select the check box for the scan and click the Drill Down button.
  2. In the Drill Down window, apply a question to the scan results, such as Computer Name; this lists the computer names on which the threat was detected.
  3. From there, you can click the Deploy Action button to take an action on the threat.

Live Updates

In the Results grid toolbar, the Live Updates field shows the percentage of Tanium Clients that reported results. By default, the Tanium Console updates the grid as more Tanium Clients report results.

You can click Pause to stop the grid from updating and click Play to resume updating.

Copy Results

You can copy results to the clipboard in text format.

  • To copy the complete results, click Copy Table.
  • To copy the contents of a grid cell, press the Alt key (Windows) and click in the grid cell. The Tanium Console then displays a message indicating that the clipboard has a copy of the cell contents.

Export Results

You can export results to a .CSV file.

  • To export the complete results, click Export Table.
  • Give the table a name and select a table format type.
    • Single Rows - Flattened: Display a row for each result value. For a sensor that returns five values per endpoint, such as High CPU Processes, this means five rows per endpoint: one row for each process the sensor returned.
    • Multiple Lines Per Row - Stacked: Display one row per endpoint that contains all of its results. In the same example, each row lists all five processes for that Computer Name.
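To see the difference between the two layouts on concrete data, the following PowerShell, added here as an example and not Tanium's own code, reshapes a small constructed scan-results table from the flattened layout to the stacked layout and back. The column names, the sample rows and the use of newlines to separate stacked values inside a cell are assumptions for illustration; a real Enforce export may use different headers or separators.

```powershell
# Added example (not Tanium's code): reshape an exported scan-results table
# between the two layouts described above. The column names and sample rows
# are constructed for illustration, and the stacked layout is assumed here to
# separate multiple values in one cell with newlines; Tanium's real export
# headers and separators may differ.

# Constructed "Single Rows - Flattened" export: one row per detection, so an
# endpoint with two detections occupies two rows.
$flatCsv = @'
Computer Name,Threat Name,Resource
WS-0142,Trojan:Win32/Sample.A,C:\Users\alice\Downloads\invoice.exe
WS-0142,HackTool:Win32/Sample.B,C:\Temp\m.exe
SRV-DB01,Trojan:Win32/Sample.A,D:\share\doc.js
'@

function ConvertTo-StackedRows {
    # "Multiple Lines Per Row - Stacked": one row per Computer Name, with the
    # per-detection columns joined so all of that endpoint's results sit in one row.
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows | Group-Object 'Computer Name' | ForEach-Object {
        [pscustomobject]@{
            'Computer Name' = $_.Name
            'Detections'    = $_.Count
            'Threat Name'   = ($_.Group.'Threat Name' -join "`n")
            'Resource'      = ($_.Group.'Resource' -join "`n")
        }
    }
}

function ConvertTo-FlattenedRows {
    # Inverse: split each stacked cell and pair values by position, which is
    # the shape a SIEM or a spreadsheet filter needs.
    param([Parameter(Mandatory)][object[]]$StackedRows)
    foreach ($row in $StackedRows) {
        $threats   = @($row.'Threat Name' -split "`n")
        $resources = @($row.'Resource' -split "`n")
        for ($i = 0; $i -lt $resources.Count; $i++) {
            [pscustomobject]@{
                'Computer Name' = $row.'Computer Name'
                'Threat Name'   = $threats[$i]
                'Resource'      = $resources[$i]
            }
        }
    }
}

$flat    = $flatCsv | ConvertFrom-Csv
$stacked = ConvertTo-StackedRows -Rows $flat
$stacked | Format-Table -Wrap -AutoSize       # WS-0142 shows 2 detections in one row

# Endpoints with more than one detection are the first to triage.
$stacked | Where-Object Detections -gt 1 | Select-Object 'Computer Name', Detections

# Round-trip back to the flattened layout for ingestion elsewhere.
ConvertTo-FlattenedRows -StackedRows $stacked |
    Export-Csv -NoTypeInformation -Path .\scan-results-flat.csv
```

The stacked form is easier to read per endpoint; the flattened form is what you want when feeding detections into another tool, because each row is a single fact that can be filtered or joined on its own.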

Check Health

From the Enforce menu, select Anti-Malware and click the Health tab. There you can view the current status of the anti-malware definition files, including the time the last update was downloaded.
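The same information the Health tab summarizes can be read on an individual endpoint, which is handy when one machine's definitions look out of date. The following PowerShell, added here as an example and not Tanium's own code, uses the built-in Defender module to report the definition version and last update time, refresh definitions when they are older than a threshold, and warn if Defender is not in its normal running mode. The three-day threshold is an assumption; set it to whatever your policy requires.

```powershell
# Added example (not Tanium's code): the per-endpoint check behind the Health
# tab, run directly with the Defender PowerShell module. Reports when the
# definitions were last updated and refreshes them if stale. The 3-day
# threshold is an assumption; use the value your policy requires.
param([int]$MaxSignatureAgeDays = 3)

$status = Get-MpComputerStatus

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    RunningMode          = $status.AMRunningMode            # Normal, Passive Mode, ...
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    LastQuickScanEnd     = $status.QuickScanEndTime
    LastFullScanEnd      = $status.FullScanEndTime
} | Format-List

# Stale definitions make a scan far less useful; refresh them before scanning.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-Warning "Definitions are $($status.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays); updating."
    Update-MpSignature
    $fresh = Get-MpComputerStatus
    Write-Host "Now at version $($fresh.AntivirusSignatureVersion), updated $($fresh.AntivirusSignatureLastUpdated)"
}

# In passive mode (another AV product is primary) Defender provides no
# real-time protection, so surface it before relying on Defender scan results.
if ($status.AMRunningMode -ne 'Normal') {
    Write-Warning "Defender is running in '$($status.AMRunningMode)' mode on this endpoint."
}
```

An endpoint that reports a recent signature date but a non-normal running mode is the case the Health tab's definition timestamp alone will not reveal, which is why the running mode is printed alongside it.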

Click Create Scan to configure a new scan that targets certain groups or runs at a set time. See Configure Scans.