Scanning for anti-malware on-demand

Configure scans

Configure anti-malware scans to run on targeted computer groups immediately or on a set schedule that you define. Defender runs the anti-malware scans, if installed. If Defender is not installed and SCEP is installed, SCEP runs the scans.

For information about different scan types, see Microsoft: Defender Scans.

  1. From the Enforce menu, click Anti-Malware, then click the Scans tab and Create Scan.
  2. In the Details section, enter a name for the scan and choose one of the following scan types.
    • Select Quick scan to search for malware in Windows system start-up locations such as registry keys and certain file folders.
    • Select Full scan for a more thorough scanning of systems that may have been compromised. An immediate scan would generally be a full scan due to possible suspicious activity. This scan type can take over an hour to complete.
  3. In the Targeting section:
    • Choose Computer Group and select a group from the list.
    • Choose Individual Computer and create a Computer Group to add individual computers for scanning. Add individual computers to the group by clicking inside the edit field and then selecting them.
  4. In the Schedule section:
    • Choose Run Now to run the scan immediately.
    • Choose Custom and configure when you want the scan to start. Optionally, select to distribute the scan over a set number of minutes, hours or days.
    When you schedule a scan, make sure the scheduled start time has not passed and that you allow enough time for the endpoint to receive the scheduling information. If the endpoint receives the scheduling information after the scheduled start time, then the scan does not run.
  5. Click Create.
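The following PowerShell block is an added example, not Tanium's code: it shows what the scan type chosen in step 2 and the engine preference described above (Defender if installed, otherwise SCEP) look like when run directly on one Windows endpoint. The two MpCmdRun.exe paths are assumptions for default installs.

```powershell
# Added example (not Tanium's code). Default install paths are assumptions.
$defenderCmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$scepCmd     = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'

function Get-AntiMalwareEngine {
    # Same rule as the page: Defender runs the scan when present, SCEP otherwise.
    if (Test-Path $defenderCmd) { return @{ Name = 'Defender'; Path = $defenderCmd } }
    if (Test-Path $scepCmd)     { return @{ Name = 'SCEP';     Path = $scepCmd } }
    throw 'Neither Defender nor SCEP is installed; no scan engine is available.'
}

function Start-OnDemandScan {
    param([ValidateSet('Quick', 'Full')][string]$ScanType = 'Quick')
    $engine = Get-AntiMalwareEngine
    # MpCmdRun -ScanType: 1 = quick (start-up locations), 2 = full (whole system).
    $code = if ($ScanType -eq 'Full') { 2 } else { 1 }
    Write-Host "Starting $ScanType scan with $($engine.Name)"
    & $engine.Path -Scan -ScanType $code
    # The exit code is reported as-is; the MpCmdRun output above states the outcome.
    Write-Host "MpCmdRun exit code: $LASTEXITCODE"
}

function Get-LastScanTimes {
    # Defender module only. The console grid can lag up to twenty minutes,
    # so the endpoint's own timestamps are the ground truth that a scan finished.
    Get-MpComputerStatus |
        Select-Object QuickScanEndTime, FullScanEndTime, AntivirusSignatureLastUpdated
}

Start-OnDemandScan -ScanType Full
Get-LastScanTimes
```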

View scan details

Required access rights

To view scans, you must have one of the following access rights:

  • The Unrestricted Management Rights permission.
  • Access to the computer groups targeted by the scan.
    You must have access to the exact computer group targeted by the scan to view the scan. Access to another computer group that includes the endpoints from the targeted computer group does not provide viewing access. For example, if you have access to the All Windows computer group, but not the All Windows 10 computer group, you cannot view scans that target only the All Windows 10 computer group.

View the scan details

To see the status of a scan, click the scan name. Scans have one of the following statuses:

  • Pending: The scan action has not begun yet.
  • Running: The scan action has not expired yet.
  • Completed: The scan action has completed or expired. Note that the status can be Completed even if the scan is still running on endpoints. Completed indicates the action is no longer being issued to new endpoints.
  • Deleted: The saved scan configuration has expired and been automatically deleted or ended by the administrator.

You can also view the status of a scan from the Actions window in the Tanium Console. Scans work similarly to other Tanium scheduled actions. For more information, see Tanium Console User Guide: Actions Overview.

The Endpoints Scanned column and the Scan Results graph are not updated immediately and may lag by up to twenty minutes before they show that a scan has completed on an endpoint.

Filtering

Filter scan results using the dropdown categories.

The Tanium Server combines the filters with Boolean AND/OR logic. For example, if you select a computer group filter and also configure a results filter, the server combines the logic of both filters.

View scan results

Required access rights

To view scans, you must have one of the following access rights:

  • The Unrestricted Management Rights permission.
  • Access to the computer groups targeted by the scan.
    You must have access to the exact computer group targeted by the scan to view the scan. Access to another computer group that includes the endpoints from the targeted computer group does not provide viewing access. For example, if you have access to the All Windows computer group, but not the All Windows 10 computer group, you cannot view scans that target only the All Windows 10 computer group.

Merge

Click the scan name to view all threats detected on endpoints. If threats were found, they are listed in the results section. You can use the Merge capability to combine questions to further investigate results.

From the scan results grid:

  1. Select the checkbox for the scan and click Merge.
  2. In the Select Merge Questions window, combine multiple questions, create new questions, or build advanced questions and apply them to scan results. See the Tanium Interact User Guide for information about filtering and merging question results.

Drill Down

Click the scan name to view all threats detected on endpoints. If threats were found, they are listed in the results section. You can use the Drill Down capability to investigate further.

From the scan results grid:

  1. Select the checkbox for the scan and click Drill Down.
  2. In the Drill Down window, apply a question to the scan results, such as Computer Name. This question would display a list of computer names where the threat was detected.
  3. From there, you can click Deploy Action to take an action on the threat. See Create a remediation policy.

Copy Results

You can copy results to the clipboard in text format.

  1. From the scan results grid, click the scan name.
  2. Select the checkbox for the scan and click Copy.

Live Updates

In the Results grid toolbar, the Live Updates field shows the percentage of Tanium Clients that reported results. By default, the Tanium Console updates the grid as more Tanium Clients report results.

You can click Pause to stop the grid from updating and click Resume to resume updating.

Export Results

You can export results to a CSV file.

  • To export the complete results, click Export.
  • Give the table a name and select a table format type.
    • Single Rows - Flattened: Display a row for each result. For example, with the High CPU Processes sensor, this means five rows for each endpoint: one row for each process that the sensor returned.
    • Multiple Lines Per Row - Stacked: Display one row for all the results. With the same sensor, this means each row lists all the top five processes for one Computer Name.

Manage quarantined files

You can view a list of threats that are detected on endpoints and then view and manage the endpoints and files that are affected by each threat. Each item in the list has one of the following statuses:

  • Quarantined: The file was quarantined by SCEP or Defender.
  • Error: There was a problem restoring the file from quarantine.

In some cases, when an error occurs, Tanium might not be able to restore a file from quarantine. When this scenario occurs, you must manually correct the issue on the endpoint.

You can schedule Defender to automatically remove files from quarantine. Create an anti-malware policy and configure the setting Windows Components > Microsoft Defender Antivirus > Configure removal of items from Quarantine folder. For instructions, see Create an Anti-malware policy.
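The following PowerShell block is an added example, not Tanium's or Microsoft's code: it shows the endpoint-side view of the quarantine purge setting named above, so you can confirm what an endpoint actually applies. The policy registry path and value name are assumptions for the Group Policy behind "Configure removal of items from Quarantine folder".

```powershell
# Added example (not Tanium's code). Policy key and value name are assumptions.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine'

function Get-QuarantinePurgeDays {
    # Report both sources: a policy value, such as one pushed by an Enforce
    # anti-malware policy, overrides the local Defender preference.
    $policy = Get-ItemProperty -Path $policyKey -Name 'PurgeItemsAfterDelay' `
                               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PreferenceDays = (Get-MpPreference).QuarantinePurgeItemsAfterDelay
        PolicyDays     = if ($policy) { $policy.PurgeItemsAfterDelay } else { $null }
    }
}

function Set-QuarantinePurgeDays {
    # Sets the local preference only; 0 keeps items until removed by hand.
    param([ValidateRange(0, 365)][int]$Days)
    Set-MpPreference -QuarantinePurgeItemsAfterDelay $Days
    $state = Get-QuarantinePurgeDays
    if ($null -ne $state.PolicyDays -and $state.PolicyDays -ne $Days) {
        Write-Warning "A policy value of $($state.PolicyDays) days overrides the local preference."
    }
    return $state
}

Set-QuarantinePurgeDays -Days 30
```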

View threats detected on endpoints

View a list of threats detected on endpoints to see the severity of each threat and the number of endpoints affected by the threat.

Because different endpoint scan methods can sometimes classify threats with different severity levels, some threats can be displayed multiple times.

  1. From the Enforce menu, click Anti-Malware and then click the Management tab.
  2. (Optional) To filter the list by severity, select a severity from the Filters list.
  3. From the list of threats, click a threat to view the affected endpoints and their statuses.

Restore all files quarantined at the same time for the same threat

When you select a file to restore, that file and all other files that were quarantined at the same time for the same threat are restored from quarantine. The version of Windows Defender on the endpoint must support selecting specific files to restore. Otherwise, you can choose to restore all quarantined files on the endpoint, or just the most recent file or group of files to be quarantined.

Note that it can take a few minutes to restore a file from quarantine. If multiple copies of the same file are quarantined, Tanium only restores the latest version of the file.

You cannot individually restore files from quarantine that have Unicode characters in the file name. To restore files that have Unicode characters in the file name, you must select Restore All Items from Quarantine.

  1. From the Enforce menu, click Anti-Malware and then click the Management tab.
  2. From the list of threats, click a threat to view the affected endpoints.
  3. From the list of endpoints with quarantined files, click the slideout icon next to the endpoint that contains the files you want to restore from quarantine.
  4. Select the files you want to restore from quarantine.
    • If the version of Defender on the endpoint supports selecting specific files to restore, select the checkbox next to the file you want to restore and click Restore from Quarantine. Remember that this restores all files quarantined at the same time as the file you selected. Click Yes to confirm.
    • If the version of Defender on the endpoint does not support selecting specific files, checkboxes are not displayed next to individual files on the slideout panel. Click Restore from this Endpoint and select All Quarantined Items to restore all quarantined files on the endpoint. Or select Most Recent Quarantined Items to restore only the last file or group of files to be quarantined on that endpoint. Click Yes to confirm.
    Most Recent Quarantined Items restores the last group of files quarantined for a specific threat on an endpoint. Before restoring files, the endpoint checks if additional files have been quarantined more recently for the same threat. If additional affected files are found, then no files are restored. Review the list of affected files before you attempt the restore operation again.
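The following PowerShell block is an added example, not Tanium's code: it inspects one endpoint's detections grouped the way the page describes (same threat, same quarantine time), and applies the same safeguard as Most Recent Quarantined Items before restoring a threat's files with MpCmdRun. It assumes the Defender PowerShell module and the default MpCmdRun.exe install path; the threat name in the commented-out call is a placeholder.

```powershell
# Added example (not Tanium's code). Default MpCmdRun.exe path is an assumption.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-QuarantineGroups {
    # One row per (threat, quarantine time) group, newest first, with the
    # status id shown so an operator can see which groups are still quarantined.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection |
        Group-Object ThreatID, RemediationTime |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                ThreatName     = $names[$first.ThreatID]
                QuarantinedAt  = $first.RemediationTime
                ThreatStatusID = $first.ThreatStatusID
                Files          = ($_.Group | ForEach-Object { $_.Resources }) -join '; '
            }
        } | Sort-Object QuarantinedAt -Descending
}

function Restore-ThreatFromQuarantine {
    param([Parameter(Mandatory)][string]$ThreatName)
    $groups = @(Get-QuarantineGroups | Where-Object ThreatName -eq $ThreatName)
    if ($groups.Count -eq 0) { throw "No detections recorded for '$ThreatName'." }
    # Same safeguard the page describes: when more than one quarantine group
    # exists for the threat, stop and let the operator review the list first.
    if ($groups.Count -gt 1) {
        throw "$($groups.Count) quarantine groups exist for '$ThreatName'; review before restoring."
    }
    # MpCmdRun restores every quarantined item recorded under that threat name.
    & $mpCmdRun -Restore -Name $ThreatName
    Write-Host "MpCmdRun exit code: $LASTEXITCODE"
}

Get-QuarantineGroups | Format-Table -AutoSize
# Restore-ThreatFromQuarantine -ThreatName 'PLACEHOLDER_THREAT_NAME'
```

Run `& $mpCmdRun -Restore -ListAll` to compare this list against the engine's own quarantine store before restoring.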

Restore all quarantined files on an endpoint

Select an endpoint and then quickly restore all files from quarantine. You might do this, for example, when all files on an endpoint are quarantined in error because of a false positive result during a scan.

Before proceeding, be certain you want to restore ALL files from quarantine on the selected endpoints. This cannot be undone.

  1. From the Enforce menu, click Anti-Malware and then click the Management tab.
  2. From the list of threats, click a threat to view the affected endpoints.
  3. From the list of endpoints with quarantined files, select the checkbox next to the endpoint on which you want to restore files and click Restore All Items from Quarantine.
  4. To confirm, click Yes. Note that it can take a few minutes to restore a file from quarantine.

Restore all quarantined files on all endpoints

Before proceeding, be certain you want to restore ALL files from quarantine on ALL endpoints. This cannot be undone.

  1. From the Enforce menu, click Anti-Malware and then click the Management tab.
  2. From the list of threats, click a threat to view the affected endpoints.
  3. Click Restore All Quarantined Items from All Endpoints. Click Yes to confirm. Note that it can take a few minutes to restore a file from quarantine.

Check Health

In the Anti-malware Health section of the Enforce Overview page, you can view the current status of anti-malware definition files, including the time the last update was downloaded.