Configure anti-malware scans to run on targeted computer groups immediately or on a set schedule you define. For more information on scans, see Microsoft: Defender Scans.
- From the Protect menu, click On Demand Scans.
- Click Create Scan. In the Details section, enter a Name for the scan and choose one of the following scan types.
- Select Quick scan to search for malware in Windows system start-up locations such as registry keys and certain file folders.
- Select Full scan for a more thorough scanning of systems that may have been compromised. An immediate scan would generally be a full scan due to possible suspicious activity. This scan type can take over an hour to complete.
- Choose Computer Group and select a group from the pulldown.
- Choose Individual Computer and create a Computer Group to which you will add individual computers for scanning. Add individual computers to the group by clicking inside the edit field and selecting them.
- Choose Run immediately
- Choose Run on a defined schedule and configure a Start time. Optionally, select to distribute the scan over a set number of minutes, hours or days.
See the status of a scan by clicking on the scan name. The status can be one of the following:
- Pending - The scan action has not begun yet.
- Open - The scan action has not expired yet.
- Closed - The scan action has completed or expired. Note that the status can be closed even if the scan is still running on endpoints. Closed indicates the action is no longer being issued to new endpoints.
- Stopped - The saved scan configuration has expired and been automatically deleted or ended by the administrator.
You can also view the status of a scan from the Actions window in the Tanium Console. Scans work similar to other Tanium scheduled actions. See Tanium Actions Overview for more information.
The Endpoints Scanned column and the Scan Results graph are not updated immediately and may have a delay of up to twenty minutes before it displays that a scan has completed on an endpoint.
Filter scan results by clicking the + sign and adding parameters such as count and operator.
The Tanium Server combines the filters with Booleans AND/OR. For example, if you select a computer group filter and also configure a results filter, the server combines the logic of both filters.
Click the scan name to view all threats detected on endpoints. If threats were found, they are listed in the results section. You can use the Drill Down capability to investigate further.
From the scan results grid,
- Select the check box for the scan and click the Drill Down button.
- In the Drill Down window, apply a question to the scan results, such as Computer Name. This question would display a list of computer names where the threat was detected.
- From there, you can click the Deploy Action button to take an action on the threat such as a Protect remediation. (See Create a remediation policy for details.)
In the Results grid toolbar, the Live Updates field shows the percentage of Tanium Clients that reported results. By default, the Tanium Console updates the grid as more Tanium Clients report results.
You can click Pause to stop the grid from updating and click Play to resume updating.
You can copy results to the clipboard in text format.
- To copy the complete results, click Copy Table
- To copy the contents of a grid cell, press the Alt key (Windows) or Option key (macOS) and click in the grid cell. The Tanium Console then displays a message indicating that the clipboard has a copy of the cell contents.
You can export results to a .CSV file.
- To export the complete results, click Export Table
- Give the table a name and select a table format type.
- Single Rows - Flattened: Display a row for each result. This would mean five rows per endpoint: one row for each process that the High CPU Processes sensor returned.
Last updated: 8/4/2020 11:34 AM | Feedback