Scanning for anti-malware on-demand

Configure scans

Configure anti-malware scans to run on targeted computer groups immediately or on a set schedule you define. For more information on scans, see Microsoft: Defender Scans.

  1. From the Enforce menu, click Device Actions and then click Create Scan.
  2. In the Details section, enter a name for the scan and choose one of the following scan types.
    • Select Quick scan to search for malware in Windows system start-up locations such as registry keys and certain file folders.
    • Select Full scan for a more thorough scanning of systems that may have been compromised. An immediate scan would generally be a full scan due to possible suspicious activity. This scan type can take over an hour to complete.
  3. In the Targeting section:
    • Choose Computer Group and select a group from the dropdown list.
    • Choose Individual Computer and create a Computer Group to add individual computers for scanning. Add individual computers to the group by clicking inside the edit field and then selecting them.
  4. In the Schedule section:
    • Choose Run immediately to run the scan immediately.
    • Choose Run on a defined schedule and configure a Start time. Optionally, select to distribute the scan over a set number of minutes, hours or days.
  5. Click Show Preview to view how many targeted clients are online for scanning. The list does not include clients targeted for scans that are configured to take place in the future.
  6. Click Create.

View scan details

See the status of a scan by clicking on the scan name. The status can be one of the following statuses:

  • Pending - The scan action has not begun yet.
  • Open - The scan action has not expired yet.
  • Closed - The scan action has completed or expired. Note that the status can be closed even if the scan is still running on endpoints. Closed indicates the action is no longer being issued to new endpoints.
  • Stopped - The saved scan configuration has expired and been automatically deleted or ended by the administrator.

You can also view the status of a scan from the Actions window in the Tanium Console. Scans work similar to other Tanium scheduled actions. For more information, see Tanium Console User Guide: Actions Overview.

The Endpoints Scanned column and the Scan Results graph are not updated immediately and may have a delay of up to twenty minutes before it displays that a scan has completed on an endpoint.


Filter scan results using the dropdown categories.

The Tanium Server combines the filters with Booleans AND/OR. For example, if you select a computer group filter and also configure a results filter, the server combines the logic of both filters.

View scan results


Click the scan name to view all threats detected on endpoints. If threats were found, they are listed in the results section. You can use the Merge capability to combine questions to further investigate results.

From the scan results grid:

  1. Select the checkbox for the scan and click Merge/Edit.
  2. In the Merge/Edit window, combine multiple questions, create new questions, or build advanced questions and apply them to scan results. See the Tanium Interact User Guide for information about filtering and merging question results.

Drill Down

Click the scan name to view all threats detected on endpoints. If threats were found, they are listed in the results section. You can use the Drill Down capability to investigate further.

From the scan results grid:

  1. Select the checkbox for the scan and click Drill Down.
  2. In the Drill Down window, apply a question to the scan results, such as Computer Name. This question would display a list of computer names where the threat was detected.
  3. From there, you can click Deploy Action to take an action on the threat. See Create a remediation policy.

Copy Results

You can copy results to the clipboard in text format.

  1. From the scan results grid, click the scan name.
  2. Select the checkbox for the scan and click Copy.

Live Updates

In the Results grid toolbar, the Live Updates field shows the percentage of Tanium Clients that reported results. By default, the Tanium Console updates the grid as more Tanium Clients report results.

You can click Pause to stop the grid from updating and click Resume to resume updating.

Export Results

You can export results to a .CSV file.

  • To export the complete results, click Export .
  • Give the table a name and select a table format type.
    • Single Rows - Flattened: Display a row for each result. This would mean five rows for each endpoint: one row for each process that the High CPU Processes sensor returned.
    • Multiple Lines Per Row - Stacked: Display one row for all the results. This would mean each row lists all the top five processes for each Computer Name.

Check Health

In the Anti-malware Health section of the Enforce Overview page, you can view the current status of anti-malware definition files, including the time the last update was downloaded.