Specifying Threat Actions for a Shavlik Protect Agent Policy

If an agent detects a threat on a target machine, there are a number of different actions you can configure it to take. You use the Threat Actions tab to specify what an agent should do if it encounters a particular category of threat.

Note: The actions defined here are performed whenever an agent detects a threat defined on either the Threat Tasks tab or the Active Protection tab, so one action table governs both scheduled scans and real-time protection.

This tab enables you to define exactly what action you want an agent to perform if it detects a threat on a target machine. By default an agent will quarantine all threats that are categorized as dialers, malware, miscellaneous, viruses, or worms, and it will report on all other threats. You can, however, customize what actions to take for each threat category. You simply:

  1. Select a threat category or sub-category in the threat category box.

  2. Select the action you want to take if an agent detects the threat on a target machine.

  3. Click Apply to selected.

If you want to apply an action to all categories, select the action and then click Apply to all.


Apply action to threat(s)

For the threat currently selected in the threat category list, specify what action you want the agent to perform:

  • Allow: Allows the selected threat to remain on the target machine. No notification is provided to the user or to the console, so the console will hold no record that the threat was ever present; reserve this action for categories you have positively confirmed to be benign.

  • Report Only: Allows the selected threat to remain on the target machine, but a report will be generated and sent to the console.

  • Quarantine always: The agent will place the infected file into quarantine. It will stay in quarantine for 30 days (the number of days is configurable), after which the file will be deleted. Placing an infected file into quarantine gives you time to evaluate the file before it is permanently deleted from the target machine. If you decide to roll back a file, delete a file, or export information about a quarantined file, you can do so remotely from the console or by using the agent client program.

  • Delete by task, Quarantine by AP: If a threat task detects the threat the infected file will be immediately deleted from the target machine. If the threat is detected by Active Protection the infected file will be quarantined.

Note: Files that contain file infector viruses are legitimate files that a virus has attached itself to. Quarantining or deleting them would remove the host file as well, so they are considered unsafe to quarantine or delete; the agent disinfects these files in place instead, regardless of the action selected here.

Recommended Best Practice: You might consider initially quarantining everything. This provides the most protection while still allowing you to roll back files you deem safe. After monitoring the results for a week or two you should get a good feel for what settings make the best sense for your organization. If you see that something is routinely getting quarantined that you determine is actually safe (for example, cookies for frequently-visited websites), feel free to use a less restrictive setting for that category.

Threat categories

This box lists the different categories of threats that can be detected by Shavlik Protect Agent. You can expand each category to display sub-categories of threats. A description for each threat category is provided in the Threat Description box.

Quarantine

You can configure the following quarantine settings on each agent.

  • Delete items older than dd days: Specify how long infected files will reside in the quarantine directory before being deleted.

  • Maximum size (MB): Specify the maximum amount of disk space reserved for the quarantine directory on each agent machine. If the size limit is reached, the oldest files in the quarantine directory will be removed when new files need to be added.
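The following model is an added example written for this page; it is not Shavlik's code and does not call any Shavlik API. It combines the two behaviours described above: the per-category action table (with the page's defaults, Apply to selected, Apply to all, the task-versus-Active-Protection split of the fourth action, and the file-infector override) and the quarantine directory's retention rules (delete after dd days, evict the oldest files when the size cap is reached). The category names, the `detected_by` labels `"task"` and `"ap"`, the `file_infector` flag, and the file entries in `run_demo` are all constructed for illustration.

```python
"""Illustrative model of a Shavlik Protect Agent threat-action policy and quarantine.

Added example for this page: not Shavlik's own code. Category names, the
detected_by labels, the file_infector flag, and the sample files are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The four actions offered on the Threat Actions tab.
ALLOW = "Allow"
REPORT_ONLY = "Report Only"
QUARANTINE_ALWAYS = "Quarantine always"
DELETE_BY_TASK_QUARANTINE_BY_AP = "Delete by task, Quarantine by AP"

# Constructed category list (the real tree also has sub-categories).
CATEGORIES = ["adware", "cookie", "dialer", "malware", "miscellaneous", "virus", "worm"]
# Page default: quarantine these categories, report on every other one.
DEFAULT_QUARANTINE = {"dialer", "malware", "miscellaneous", "virus", "worm"}


class ThreatActionPolicy:
    """Per-category action table, initialised with the page's defaults."""

    def __init__(self):
        self.actions = {c: (QUARANTINE_ALWAYS if c in DEFAULT_QUARANTINE else REPORT_ONLY)
                        for c in CATEGORIES}

    def apply_to_selected(self, category, action):
        self.actions[category] = action

    def apply_to_all(self, action):
        for c in self.actions:
            self.actions[c] = action

    def resolve(self, category, detected_by, file_infector=False):
        """Concrete operation for one detection.

        detected_by is "task" (Threat Tasks tab) or "ap" (Active Protection); these
        labels are assumptions. Returns one of allow/report/quarantine/delete/disinfect.
        """
        action = self.actions[category]
        if action == ALLOW:
            op = "allow"
        elif action == REPORT_ONLY:
            op = "report"
        elif action == QUARANTINE_ALWAYS:
            op = "quarantine"
        else:  # DELETE_BY_TASK_QUARANTINE_BY_AP: the detection source decides
            op = "delete" if detected_by == "task" else "quarantine"
        # Page note: files carrying a file-infector virus are disinfected, never
        # quarantined or deleted (interpretation: only those two operations are overridden).
        if file_infector and op in ("quarantine", "delete"):
            op = "disinfect"
        return op


@dataclass
class QuarantinedFile:
    path: str
    size_mb: float
    quarantined_at: datetime


class Quarantine:
    """Quarantine directory: age-based purge plus a size cap that evicts oldest first."""

    def __init__(self, delete_older_than_days=30, max_size_mb=100.0):
        self.max_age = timedelta(days=delete_older_than_days)
        self.max_size_mb = max_size_mb
        self.items = []

    def total_size_mb(self):
        return sum(i.size_mb for i in self.items)

    def purge_expired(self, now):
        """Delete files held longer than the retention period; returns their paths."""
        expired = [i for i in self.items if now - i.quarantined_at >= self.max_age]
        self.items = [i for i in self.items if now - i.quarantined_at < self.max_age]
        return [i.path for i in expired]

    def add(self, item):
        """Add a file, evicting the oldest entries while the size cap would be exceeded."""
        if item.size_mb > self.max_size_mb:
            # Assumption: a single file larger than the whole cap cannot be stored.
            raise ValueError(f"{item.path} exceeds the quarantine size limit")
        self.items.sort(key=lambda i: i.quarantined_at)
        evicted = []
        while self.items and self.total_size_mb() + item.size_mb > self.max_size_mb:
            evicted.append(self.items.pop(0).path)
        self.items.append(item)
        return evicted


def run_demo():
    """Walk through the best-practice rollout and the quarantine retention edge cases."""
    policy = ThreatActionPolicy()
    policy.apply_to_all(QUARANTINE_ALWAYS)                       # quarantine everything first
    policy.apply_to_selected("cookie", ALLOW)                    # later relaxed for a benign category
    policy.apply_to_selected("malware", DELETE_BY_TASK_QUARANTINE_BY_AP)
    decisions = {
        "cookie/ap": policy.resolve("cookie", "ap"),
        "malware/task": policy.resolve("malware", "task"),
        "malware/ap": policy.resolve("malware", "ap"),
        "virus/task infector": policy.resolve("virus", "task", file_infector=True),
        "adware/task": policy.resolve("adware", "task"),
    }
    t0 = datetime(2024, 1, 1)
    q = Quarantine(delete_older_than_days=30, max_size_mb=10.0)
    q.add(QuarantinedFile("a.exe", 4.0, t0))
    q.add(QuarantinedFile("b.exe", 4.0, t0 + timedelta(days=1)))
    evicted = q.add(QuarantinedFile("c.exe", 3.0, t0 + timedelta(days=2)))  # 11 MB > cap: a.exe goes
    expired = q.purge_expired(t0 + timedelta(days=31))                     # b.exe is 30 days old
    return decisions, evicted, expired, [i.path for i in q.items]


if __name__ == "__main__":
    print(run_demo())
```

Two points the model makes visible: the fourth action yields a different operation for the same category depending on which tab detected the threat, and the size cap can silently discard a quarantined file well before its dd-day retention expires, so a cap that is too small for your scan volume shortens the rollback window the best-practice paragraph relies on.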

Threat description


Provides a detailed description of the threat currently selected in the threat category list.

Save and update agents

Saves all changes to the policy file and stores it on the console. Also updates any agent machines that are currently assigned this policy as follows:

  • If an agent machine is online and configured to listen for policy updates, the updated policy will be pushed out to that machine immediately.

  • If an agent machine is online but is not configured to listen for policy updates, the updated policy will be pushed out the next time the agent checks in with the console.

  • If an agent machine is not currently online, the updated policy will be pushed out the next time the agent checks in with the console.

The Agent Policy Editor will be closed.

Cancel

Indicates you want to exit the Agent Policy Editor without saving your most recent changes. A "Do you want to save your changes?" prompt will appear that gives you a second chance to save your changes. If you click Yes the policy will be saved and the associated agents updated (the same as Save and Update Agents). If you click No the Agent Policy Editor will be closed without saving your changes.