Kaspersky Next XDR Expert

Running a malware scan

To prevent a threat from spreading from an infected device, you can run a malware scan in one of the following ways:

  • From the alert or incident details
  • From the device details
  • From an investigation graph

You can also configure the response action to run automatically when creating or editing a playbook.

To perform the Malware scan response action, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

It might take up to 15 minutes to launch a response action due to the synchronization interval between the managed device and Administration Server.

Running a malware scan from the alert or incident details

To scan a device for malware from the alert or incident details:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device to be scanned.
    • In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the ID of the incident that includes the device to be scanned.
  2. In the window that opens, go to the Assets tab.
  3. Select the check box next to the device to be scanned.

    You can select several devices, if necessary.

  4. In the Select response actions drop-down list, select Run virus scan.

    The Virus scan window opens on the right side of the screen.

  5. Select the type of malware scan:
    • Full scan

      You can switch the Network drives toggle button to include network drives in the scan. By default, this option is disabled.

      A full scan can slow down the device because of the increased load on its operating system.

    • Critical areas scan

      The kernel memory, running processes, and disk boot sectors are scanned if you select this type.

    • Custom scan

      In the Specify a path to the file field, specify a path to the file that you want to scan. If you want to set several paths, click the Add path button, and then specify the path.

  6. Click the Scan button.

The selected type of malware scan starts.

Running a malware scan from the device details

To scan a device for malware from the device details:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the device to be scanned.
    • In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the ID of the incident that includes the device to be scanned.
  2. In the window that opens, go to the Assets tab.
  3. Click the name of the required device, and then in the drop-down list, select View properties.

    You can click the Edit in KUMA button to edit parameters of the device in KUMA Console, if necessary.

  4. In the Select response actions drop-down list, select Run virus scan.

    The Virus scan window opens on the right side of the screen.

  5. Select the type of malware scan. The types are described in step 5 of Running a malware scan from the alert or incident details.
  6. Click the Scan button.

The selected type of malware scan starts.

Running a malware scan from an investigation graph

This option is available if the investigation graph is built.

To scan a device for malware from an investigation graph:

  1. In the main menu, go to Monitoring & reporting → Incidents. In the ID column, click the ID of the incident that includes the device to be scanned.
  2. Click the View on graph button.
  3. In the investigation graph that opens, click the device name to open the device details.
  4. In the Select response actions drop-down list, select Run virus scan.

    The Virus scan window opens on the right side of the screen.

  5. Select the type of malware scan. The types are described in step 5 of Running a malware scan from the alert or incident details.
  6. Click the Scan button.

The selected type of malware scan starts.

If the malware scan is completed successfully, an appropriate message is displayed on the screen, and the alert or incident is displayed in the alert table or incident table with the Success action status. Otherwise, an error message is displayed, and the alert or incident is displayed with the Error action status.

After the malware scan operation is finished, you can view the result.

[Topic 262267]

Viewing the result of the malware scan

After the malware scan is finished, you can view its result in one of the following ways:

  • From the alert or incident details
  • From the response history
  • From the playbook details

To view the result of the malware scan:

  1. In the main menu, go to the Monitoring & reporting section, and then do one of the following:
    • If you want to view the result from the alert or incident details, go to the Alerts or Incidents section, and then click the ID of the alert or incident for which the malware scan was performed. In the window that opens, go to the History tab, and then select the Response history tab to display the list of events.
    • If you want to view the result from a response history, go to the Response history section.
    • If you want to view the result of the malware scan from a playbook, go to the Playbooks section, and then click the name of the playbook for which the malware scan was performed. In the window that opens, go to the History tab to display the list of events.
  2. In the Action status column, click the status of the event for which you want to view the results of the malware scan.

    In the window that opens, a table of detections is displayed. In the Administration Server field, you can select the Administration Server for which a table of detections is displayed.

    The table contains the following columns:

    • Device. Device name or ID.
    • Path. Path to the file.
    • Hash. SHA256.
    • Detection name. Name of the detection that occurred on the device.
    • Action status. Threat processing result.
    • User. Account of the user who is associated with the detection.
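The detection table above is what an analyst works from once a scan finishes. The following is an added example, not Kaspersky code and not part of this page: it assumes the analyst has copied the six columns (Device, Path, Hash, Detection name, Action status, User) out of the console into a list of records, and it checks that each record is complete, that the Hash column really holds a SHA256 value, and which detections still need follow-up. The sample rows and the Action status strings used to mark unresolved detections ("Not processed", "Error") are constructed for the example and are not values documented on this page.

```python
"""Triage helper for malware-scan detection records (added example).

Assumes the detection table shown in the XDR console has been copied into
a list of dicts keyed by its six column names. Sample data is constructed.
"""
import re
from collections import Counter

COLUMNS = ("Device", "Path", "Hash", "Detection name", "Action status", "User")

# A SHA256 digest is 64 hexadecimal characters; anything else in the Hash
# column is a copy/paste or export problem worth catching before triage.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Statuses that mean the threat was not neutralised; these strings are an
# assumption for the example, not values documented for the product.
UNRESOLVED_STATUSES = ("Not processed", "Error")

# Constructed sample rows mirroring the detection table columns.
SAMPLE_DETECTIONS = [
    {"Device": "WS-0142", "Path": r"C:\Users\a.smith\Downloads\invoice.exe",
     "Hash": "a" * 64, "Detection name": "Trojan.Generic",
     "Action status": "Deleted", "User": r"CORP\a.smith"},
    {"Device": "WS-0142", "Path": r"C:\Temp\update.dll",
     "Hash": "B" * 64, "Detection name": "HEUR:Trojan.Win32.Agent",
     "Action status": "Not processed", "User": r"CORP\a.smith"},
    {"Device": "SRV-DB01", "Path": "/opt/app/cache/x.bin",
     "Hash": "not-a-hash", "Detection name": "Exploit.Linux.Generic",
     "Action status": "Disinfected", "User": "root"},
]


def validate_record(rec):
    """Return the list of problems in one record; an empty list means it is OK."""
    problems = []
    for col in COLUMNS:
        if not rec.get(col):
            problems.append(f"missing {col}")
    if rec.get("Hash") and not SHA256_RE.match(rec["Hash"]):
        problems.append("Hash is not a 64-hex-char SHA256")
    return problems


def summarize(records, unresolved_statuses=UNRESOLVED_STATUSES):
    """Count detections per device and per status, and list rows needing work."""
    per_device = Counter(r.get("Device", "") for r in records)
    by_status = Counter(r.get("Action status", "") for r in records)
    unresolved = [r for r in records if r.get("Action status") in unresolved_statuses]
    invalid = [r for r in records if validate_record(r)]
    return {
        "per_device": dict(per_device),
        "by_status": dict(by_status),
        "unresolved": unresolved,
        "invalid": invalid,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_DETECTIONS)
    print("Detections per device:", summary["per_device"])
    print("Detections per action status:", summary["by_status"])
    for rec in summary["unresolved"]:
        print("FOLLOW UP:", rec["Device"], rec["Path"], rec["Action status"])
    for rec in summary["invalid"]:
        print("INVALID ROW:", rec["Device"], rec["Path"], validate_record(rec))
```

Run the script as-is to see the constructed rows triaged; the unresolved list is the set of detections to re-scan or handle manually, and the invalid list catches rows whose hash cannot be used for further lookups.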
[Topic 263642]