Scanning for anti-malware on-demand
Configure anti-malware scans to run on targeted computer groups immediately or on a set schedule you define. For more information on scans, see Microsoft: Defender Scans.
- From the Enforce menu, select Anti-Malware and click the On Demand Scans tab.
- Click Create Scan. In the Details section, enter a Name for the scan and choose one of the following scan types.
- Select Quick scan to search for malware in Windows system start-up locations such as registry keys and certain file folders.
- Select Full scan for a more thorough scanning of systems that may have been compromised. An immediate scan would generally be a full scan due to possible suspicious activity. This scan type can take over an hour to complete.
- Choose Computer Group and select a group from the pulldown.
- Choose Individual Computer and create a Computer Group to which you will add individual computers for scanning. Add individual computers to the group by clicking inside the edit field and selecting them.
See the status of a scan by clicking on the scan name. The status can be one of the following:
- Pending - The scan action has not begun yet.
- Open - The scan action has not expired yet.
- Closed - The scan action has completed or expired. Note that the status can be closed even if the scan is still running on endpoints. Closed indicates the action is no longer being issued to new endpoints.
- Stopped - The saved scan configuration has expired and been automatically deleted or ended by the administrator.
You can also view the status of a scan from the Actions window in the Tanium Console. Scans work similarly to other Tanium scheduled actions. See Tanium Actions Overview for more information.
The Endpoints Scanned column and the Scan Results graph are not updated immediately and may lag by up to twenty minutes before they show that a scan has completed on an endpoint.
The Tanium Server combines the filters with Booleans AND/OR. For example, if you select a computer group filter and also configure a results filter, the server combines the logic of both filters.
Click the scan name to view all threats detected on endpoints. If threats were found, they are listed in the results section. You can use the Merge capability to combine questions and investigate the results further.
From the scan results grid,
- Select the check box for the scan and click the Merge/Edit button.
- In the Merge/Edit window, combine multiple questions, create new questions, or build advanced questions and apply them to scan results. See the Tanium Interact User Guide for information about filtering and merging question results.
Click the scan name to view all threats detected on endpoints. If threats were found, they are listed in the results section. You can use the Drill Down capability to investigate further.
From the scan results grid,
- Select the check box for the scan and click the Drill Down button.
- In the Drill Down window, apply a question to the scan results, such as Computer Name. This question would display a list of computer names where the threat was detected.
From there, you can click the Deploy Action button to take an action on the threat. See Create a remediation policy.
You can copy results to the clipboard in text format.
- From the scan results grid, click the scan name.
- Select the check box for the scan and click the Copy button.
In the Results grid toolbar, the Live Updates field shows the percentage of Tanium Clients that reported results. By default, the Tanium Console updates the grid as more Tanium Clients report results.
You can click Pause to stop the grid from updating and click Play to resume updating.
You can export results to a .CSV file.
- To export the complete results, click Export.
- Give the table a name and select a table format type.
- Single Rows - Flattened: Display a row for each result. This would mean five rows per endpoint: one row for each process that the High CPU Processes sensor returned.
- Multiple Lines Per Row - Stacked: Display one row for all the results. This would mean each row lists all the top five processes for each Computer Name.
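The two export layouts above, as an added Python example that is not Tanium's code: it builds both the flattened and the stacked form from constructed scan result rows, writes each as CSV, and converts stacked rows back to flattened rows for tools that expect one finding per line. Joining the values of a stacked cell with newlines is an assumption made here, not Tanium's documented file layout.

```python
import csv
import io

# Constructed sample of question results: each endpoint may report several
# rows (one per detection), like the "five processes per endpoint" case above.
SAMPLE_RESULTS = [
    {"Computer Name": "WKS-01", "Threat Name": "Trojan:Win32/Sample", "Path": r"C:\Users\a\x.exe"},
    {"Computer Name": "WKS-01", "Threat Name": "PUA:Win32/Sample", "Path": r"C:\Temp\y.exe"},
    {"Computer Name": "WKS-02", "Threat Name": "Trojan:Win32/Sample", "Path": r"D:\z.exe"},
]
KEY = "Computer Name"
STACK_SEP = "\n"  # assumption: values of a stacked cell are newline-joined


def flatten(results):
    """Single Rows - Flattened: one row per result, the key column repeated."""
    return [dict(r) for r in results]


def stack(results):
    """Multiple Lines Per Row - Stacked: one row per endpoint; every non-key
    column holds all of that endpoint's values joined with STACK_SEP."""
    by_key = {}
    for r in results:
        by_key.setdefault(r[KEY], []).append(r)
    stacked = []
    for key, rows in by_key.items():
        row = {KEY: key}
        for col in rows[0]:
            if col != KEY:
                row[col] = STACK_SEP.join(r[col] for r in rows)
        stacked.append(row)
    return stacked


def unstack(stacked):
    """Inverse of stack(): expand each stacked row back into flattened rows."""
    out = []
    for row in stacked:
        cols = [c for c in row if c != KEY]
        values = {c: row[c].split(STACK_SEP) for c in cols}
        n = max((len(v) for v in values.values()), default=1)
        for i in range(n):
            out.append({KEY: row[KEY], **{c: values[c][i] for c in cols}})
    return out


def to_csv(rows):
    """Write rows as CSV text; the csv module quotes multi-line stacked cells."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()
```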
From the Enforce menu, select Anti-Malware and click the Health tab. There you can view the current status of anti-malware definition files, including the time the last update was downloaded.
Click Create Scan to configure a new scan that targets certain groups or runs at a set time. See Configure scans.
Last updated: 4/14/2021 10:18 AM