Malware Protection

Owned by Aaron Gabriel (Deactivated)
Last updated: 15 May 2024 by Soniya Patil
9 min read

Topics Discussed

Product Overview

The Malware Protection services provide protection against malicious software ("malware"). Armor utilizes an enterprise-class malware protection application and deploys the application agent with the Armor Agent. The malware protection agent registers with an Armor management console that receives scan results and activity logs in real-time. Armor malware protection provides an extra level of detection on your hosts to identify suspicious activity and alert you to it. In addition to eradicating malware, each exploit generates community-powered insights—the collective knowledge of these insights is applied across more than 1,200 client environments.

 

malware.mp4

 

The malware protection agent registers with the Armor management portal (AMP) console, which receives scan results and activity logs in real-time. These logs are entered into the Spartan platform database, where SOC teams monitor alerts 24/7/365. If a critical detection occurs, the security information and event management platform (SIEM) will alert in near real-time. If new malware is discovered during our security operations and analytics, We work directly with the anti-virus (AV) vendor to have signatures created, and our teams create custom mitigation and/or detection techniques as threats emerge. This means an attack on one Armor customer provides protection for all others.

Frequently Asked Questions

How often are Malware scans performed?

Real-time scans continuously monitor for malware. Every time a file is received, opened, downloaded, copied, or modified, a real-time scan occurs. (In comparison, manual and scheduled scans only detect malware at specific times, when you run them.) If Deep Security detects no security risk, the file remains in its location and users can proceed to access the file. If Deep Security detects a security risk, it displays a notification message, showing the name of the infected file and the specific security risk.

Does Malware Protection help keep my environment compliant?

Yes. Armor's Malware Protection service addresses key change control processes required by PCI DSS, HIPAA, HITRUST, SAN CSC, NIST, and other frameworks.

To fully use this screen, you must add the following permission to your account:

  • Read AVAM

  • Write Trend Manual Scan

  • Read Trend Manual Scan

Enable Trend Sub-Agent

As a prerequisite to installing Malware Protection, you must install the Trend sub-agent. Use the commands below to manage the Trend sub-agent.

For cloned assets with the Trend sub-agent installed, users will still need to enable the modules and run recommendation scans as needed.

You can also manage the Trend sub-agent in the Armor Toolbox.

Install Trend Sub-Agent:

Windows: C:\.armor\opt\armor.exe trend install Linux: /opt/armor/armor trend install

Uninstall Trend Sub-Agent:

Windows: C:\.armor\opt\armor.exe trend uninstall Linux: /opt/armor/armor trend uninstall

Trend Sub-Agent Status:

Windows: C:\.armor\opt\armor.exe trend status Linux: /opt/armor/armor trend status

The following Trend commands are not relevant to the Malware service.

Turn On Recommended Scans:

Turn Off Recommended Scans:

Schedule a Recommended Scan (Runs on Next Trend Sub-Agent Heartbeat):

Set Recommendation Scan Interval:

Get Recommendation Scan Interval:

Restart Trend:


Trend Sub-Agent Help

Enable Malware Protection Service

Use the following commands to manage the Malware Protection service. Once the Trend sub-agent and the Malware service are enabled, you will be able to manages services in the Armor Toolbox.

Turn On Malware Protection:

Turn Off Malware Protection:

Malware Protection Status:

Malware Protection Help

View Malware Events

The Total Malware Events table displays detected malware events from the past 30 days. You can click the widget to filter the data in the table below the widgets.

The Malware Protection subagent detects the following malware types:

  • TROJAN (TROJ)

  • WORM

  • EICAR (VIRUS)

  • VIRTUS

  • RANSOM (RANSOMWARE)

  • SPYWARE

  • ADWARE

  • COINMINER (COIN_MINER)

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Malware Protection.

  3. Review the widgets for malware events.

  4. (Optional) Click a widget to filter the table.

View Service Health Data for Malware Protection

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Malware Protection.

  3. Navigate to the Malware Protection Service table.

  4. The status icons above the Malware Protection Service tableindicate the overall Malware Protection status for all of your instances. There are three status types:

    • OK (in green) indicates that your server's agent has communicated (hearbeated) with Armor.

    • Warning (in yellow) indicates that your server's agent appears to be reporting behind its expected timelines.

    • Needs Attention (in red) indicates that your server's agent has not properly communicated (heartbeated) with Armor.

Column

Description

Column

Description

Name

For Armor Enterprise Cloud, the name of the virtual machine you created in AMP.

For Armor Anywhere, the name of the instance that contains the installed Anywhere agent, which includes the Malware Protection subagent.

Provider

For Armor Enterprise Cloud, the entry will display Armor.

For Armor Anywhere, the name of the public cloud provider for the instance will appear.

Last Communication Date

The date and time that the Malware Protection subagent last communicated with Armor.

  • Never displays if your server's agent has not run a Malware scan.

Last Scan

The date and time of the last Malware scan.

  • Never indicates that your server's agent has not run a Malware scan.

  • Persistent indicates that your server's agent has real-time scanning enabled.

Scan

The Scan button will display if your subagent has heartbeated within the last four hours, AND a scan is not already in progress for the virtual machine or instance.

The Scan button will NOT display if an initial Malware scan has not been run, nor if your sub-agent has not heartbeated for that particular virtual machine or instance within the last four hours.

The Scan button will be disabled if there are five active scans running on your account.

The number of active scans will display in the top right corner of the table.

To learn how the overall Malware Protection status is determined, see Understand service health data for Malware Protection (below).

Understand Service Health Data for Malware Protection

In the Malware Protection screen, the Malware Protection Service table displays the various malware protection statuses of your virtual machines or instances:

  • Green indicates a virtual machine in a Secured Malware Protection status.

  • Yellow indicates a virtual machine in a Warning Malware Protection status.

  • Red indicates a virtual machine in a Critical Malware Protection status.

The Malware Protection status can change based on the following two conditions:

  • The date of your last scan (Last Scan)

  • The date that Armor last received your data (Last Communication Date)

The overall status of your virtual machine is based on the individual status of your virtual machine's subcomponents (subagents), including Malware Protection.


Condition 1. Date of last scan

If the last scan for Malware Protection took place between 7 to 13 days ago, then the Malware Protection status changes from Secured to Warning.

If the last scan for Malware Protection took place 14 days ago or more, then the Malware Protection status changes from Warning to Critical.

Date of last scan

Security status

Date of last scan

Security status

7 to 13 days ago

Warning

14 days or more

Critical

Condition 2. Date that Armor last received your data

If Armor last received data between 24 to 48 hours ago, then the Malware Protection status changes from Secured to Warning.

If Armor last received data over 48 hours ago, then the Malware Protection status changes from Warning to Critical.

Date of Armor receiving your data

Security status

Date of Armor receiving your data

Security status

24 to 48 hours ago

Warning

Over 48 hours

Critical

Armor labels the Malware Protection status based on the worst status of the two conditions. For example, if the date of your last scan was 9 days ago, but Armor last received your data 72 hours ago, then overall, the Malware Protection status is Critical.

View Detailed Malware Protection Data

The Malware Protection details screen displays the malware that has been detected in your virtual machine or instance. This screen only shows data for the last 90 days.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Malware Protection.

  3. Locate and select the desired virtual machine or instance.

Column

Description

Column

Description

Malware Name

The name of the malware detected in your virtual machine or instance.

File Name

The location of the malware detected in your virtual machine or instance.

Action Taken

The action taken against the malware:

  • Quarantine

  • Clean

  • Rename

  • Pass

  • Deny Access

Date

The date when the malware was detected.

Run a Malware Scan

In the Malware Protection screen, you can run a manual scan for your virtual machine or instance. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security. 

  2. Click Malware Protection.

  3. Within the Malware Protection Service table, locate the desired virtual machine or instance, then click Scan.

    1. The Scan column will display Scanning while the scan is running.

Users can also run a manual scan using the Armor Toolbox or using the CLI commands below:

View Malware Scan Activity

In the Malware Protection screen, on the Scan Activity tab, you can view details on current and past scans.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Malware Protection.

  3. Click Scan Activity.

COLUMN

DESCRIPTION

COLUMN

DESCRIPTION

Name

This column displays the name of the virtual machine or instance.

User

This column displays the name of the user who initiated the scan.

Time Started

This column displays the date and time that the scan was initiated.

Last Updated

This column displays the date and time of the last status check for the scan.

Status

This column displays the status of the scan:

  • Pending indicates that the scan is currently in the queue.

  • Started indicates that the scan has been initiated, but is still in-progress.

  • Completed indicates that the scan has run successfully.

  • Paused indicates that the scan has been paused.

  • Resumed indicates that the scan has resumed running (after being paused).

  • Failed indicates that the scan did not run successfully.


Export Malware Protection Data

To export the data:

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Malware Protection.

  3. (Optional) Use the filter function to customize the data displayed.

  4. Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set).

Log Search for Malware

Users can search for Anti-virus/Malware events in Log Search. For instructions on how to access and use Log Search, please see our documentation here.

An example of AV/Malware logs can be seen below:

For a full list of Log Search fields and descriptions, please visit our glossary here.