
Kaseya 2

AntiMalware

User Guide

Version 1.1

September 30, 2013

Agreement

The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya’s “Click-Accept” EULA as updated from time to time by Kaseya at http://www.kaseya.com/legal.aspx. If Customer does not agree with the Agreement, please do not install, use or purchase any Software and Services from Kaseya as continued use of the Software or Services indicates Customer’s acceptance of the Agreement.

©2013 Kaseya. All rights reserved. | www.kaseya.com

Contents

AntiMalware Overview ...... 1
AntiMalware System Requirements ...... 1
Machines ...... 2
Page Layout ...... 2
Explorer Grid ...... 3
Control Panel ...... 3
AntiMalware Columns ...... 5
Details Panel ...... 6
Dashboards ...... 7
Detections ...... 8
Profiles ...... 9
AntiMalware Statistics in the Executive Summary Report ...... 10
Anti-Malware - Anti-Malware Installation Statistics ...... 11
Index ...... 13

AntiMalware Overview

AntiMalware (KAM) provides Malwarebytes' Anti-Malware Pro endpoint security for managed machines. AntiMalware can be installed independently of Endpoint Security or Antivirus. AntiMalware is particularly adept at detecting and preventing or Rogue Antivirus that installs a virus, then attempts to bill the user to remove it. AntiMalware quickly detects, destroys, and blocks malicious software. Every process is monitored and malicious processes are stopped before they even start. Scanning and realtime protection both use advanced heuristic scanning technology to keep systems safe and secure against even the latest malware threats.

- Support for Windows 2000, XP, Vista, and 7 (32-bit and 64-bit).
- Light speed quick scanning.
- Ability to perform full scans for all drives.
- Database updates released daily protect against the newest malware in-the-wild.
- Intelligent heuristics detect even the most persistent malware while remaining light on system resources.
- Realtime protection monitors filesystem and internet traffic.
- Scheduler to keep protection up-to-date automatically.
- Quarantine to hold threats and restore them at your convenience.
- Ignore list for both the scanner and the protection module.

Note: See KAM System Requirements (page 1).

Function - Description

- Machines (page 2) - Installs and uninstalls AntiMalware software on selected machines and provides a detailed view of the AntiMalware status of any selected machine.
- Dashboards (page 7) - Displays a dashboard view of the status of all machines installed with AntiMalware.
- Detections (page 8) - Displays virus threats you can take action on.
- Profiles (page 9) - Manages AntiMalware profiles that are assigned to machine IDs.

AntiMalware System Requirements

Kaseya Server

- The AntiMalware 1.1 module requires VSA 6.0.1 to 6.3.

Requirements for Each Managed Machine

- AntiMalware can be installed on any Kaseya managed machine, excluding Apple and Linux machines.

Note: Malwarebytes officially supports the following operating systems: Microsoft® Windows 2000, XP, Vista, 7 (32-bit and 64-bit). Windows server editions are not supported; however, customers have successfully deployed Malwarebytes to machines running Windows server editions. Kaseya Anti-Malware will allow deployment to machines running Windows server editions, but it is not supported by Kaseya or Malwarebytes.

- Microsoft® Windows 2000 Service Pack 4 or higher.
- 500 MHz processor.
- 256 MB of RAM.
- 15 MB free disk space.

Note: See general System Requirements (http://help.kaseya.com/WebHelp/EN/System-Requirements.asp).

Machines

AntiMalware > Machines

The Machines page installs and uninstalls AntiMalware software on selected machines. This same page also provides a detailed view of the AntiMalware status of any selected machine.

- Page Layout (page 2)
- Explorer Grid (page 3)
- Control Panel (page 3)
- KAM Columns (page 5)
- Detail Panel (page 6)

Page Layout

The layout of the Machines (page 2) page comprises the following main panels:

[Figure: Machines page layout, labeling the Navigation Panel, Control Panel, Selected Column Set, Machine ID / Group ID filter, Explorer Grid, Page Browser, Rows Per Page, Machine Header, and Machine Anti-Malware Details.]

- Navigation Panel - Used to navigate to the AntiMalware module. There are four functions: Machines (page 2), Dashboards (page 7), Detections (page 8), and Profiles (page 9).
- Explorer Grid - Each managed machine in the VSA is listed in this panel.
  - Page Browser - If more than one page of devices displays, pages forwards and back.
  - Rows Per Page - Sets the number of devices displayed per page: 10, 30 or 100.
- Machine ID / Group ID Filter - Filters the list of machine IDs listed in the Explorer Grid.
- Control Panel - Executes tasks, either for the entire Explorer Grid or for a single selected machine.
- Details Panel - This expandable/collapsible panel displays the properties and status of a single machine. The Details Panel (page 6) has two sections.
  - Header - Identifies the selected machine in the Explorer Grid.
  - AntiMalware - Displays a summary of the AntiMalware status of a machine.

Explorer Grid

The Explorer Grid of the Machines (page 2) page lists each machine currently installed with a KAM client and included in the machine ID / group ID filter.

Note: The only exception is when the Installation column set is selected. In this case all machines included in the machine ID / group ID filter are displayed, whether or not the KAM client is installed.

- The set of columns displayed is determined by the Column Set selection in the Control Panel (page 3). The currently selected column set displays in the bar just above the Explorer Grid.

Note: See KAM Columns (page 5) for a description of each column available to display in any Explorer Grid column set.

- Page forward using the Page Browser to display multiple pages of machines.
- Machines per page sets the number of rows on each page.

Control Panel

The Control Panel at the top of the Machines (page 2) page executes tasks, either for the entire Explorer Grid (page 3) or for a single selected machine.

Actions

- Open - Display machine AntiMalware information in a new window. You can also double-click a machine in the Explorer Grid to open this same window.
- Cancel Pending Action - Cancel pending actions on selected machines.
- Open new window - Opens the AntiMalware module in a new window.
- Reboot - Reboot selected machines.

Column Sets

Selecting a column set displays a predefined set of columns.

- Modify Columns - Customize the set of columns displayed by any column set. Or, select one of the following pre-defined sets of column listings.
- Installation - Display installation columns in the Explorer Grid for all agent machines.
- Scan - Display scan columns in the Explorer Grid for all agent machines installed with a KAM client.
- Update - Display update columns in the Explorer Grid for all agent machines installed with a KAM client.
- Status - Display status columns in the Explorer Grid for all agent machines installed with a KAM client.
- Version - Display version columns in the Explorer Grid for all agent machines installed with a KAM client.
- Licensing - Display licensing columns in the Explorer Grid for all agent machines installed with a KAM client.
- Detections - Display threat detection columns in the Explorer Grid for all agent machines installed with a KAM client.
- Profile - Display profile columns in the Explorer Grid for all agent machines installed with a KAM client.

Assign

Assign an AntiMalware configuration profile (page 9) to selected machines.

Scan

Schedules an AntiMalware scan on selected machines.

- Start Date - Start date of the scan.
- Time - Start time of the scan.
- Distribution Window - Use the Immediate option to scan at the start date and time. Or reschedule the task to a randomly selected time no later than the specified number of periods from the start date and time, to spread network traffic and server loading.

There are three types of scan:

- Flash - A flash scan analyzes memory and auto-run objects.
- Quick - A quick scan uses fast scanning technology to scan systems for malicious software.
- Full - A full scan scans all files on the selected drives. A quick scan is recommended in most cases.

Update

Updates selected machines with the latest AntiMalware definitions.

- Start Date - Start date of the update.
- Time - Start time of the update.
- Distribution Window - Use the Immediate option to scan at the start date and time. Or reschedule the task to a randomly selected time no later than the specified number of periods from the start date and time, to spread network traffic and server loading.

Install

- Install - Installs the AntiMalware client on selected machines.
- Uninstall - Uninstalls the AntiMalware client on selected machines.
- Verify - Installs a KAM client when a standalone version of Malwarebytes' AntiMalware is already installed on a managed machine.

Auto Extend

Enables and disables Auto-Extend for machines installed with AntiMalware. Displays the total number of licenses purchased and expired, and the number of full and partial licenses available.

When Auto-Extend is enabled and a KAM license expires, a new, full license is pulled from your license pool automatically. This ensures the endpoint does not go without antimalware protection at any point, as long as you have available licenses. Auto-Extend always uses a full license.

In the event you uninstall KAM from an endpoint, that license goes into a partial license pool. When KAM is deployed to a new endpoint, Kaseya License Manager always checks the partial license pool first. If a partial license is available, the partial license is used on the endpoint with the new install. If no partial licenses are available, Kaseya uses a full KAM license. Licenses begin their clock ticking on the first day they are installed. If uninstalled, the clock continues to tick on that license. By deploying these partial licenses for new installations of KAM, you can get the most out of each 1-year license.
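The license rules above can be checked against a small simulation, which shows where a protection gap opens when a machine inherits a partial license or runs without Auto-Extend. This is an added example, not Kaseya code: the class and method names, the machine names, the rule for which partial license is handed out first, and the discarding of partial licenses that expire while pooled are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

LICENSE_TERM = timedelta(days=365)  # the guide describes 1-year licenses


@dataclass
class License:
    first_installed: date  # the clock starts here and keeps ticking after uninstall

    @property
    def expires(self) -> date:
        return self.first_installed + LICENSE_TERM


@dataclass
class LicensePool:
    full: int                                      # unused full licenses
    partial: list = field(default_factory=list)    # freed by uninstall, partly used
    in_use: dict = field(default_factory=dict)     # machine name -> License
    auto_extend: set = field(default_factory=set)  # machines with Auto-Extend on

    def install(self, machine: str, today: date):
        """Partial pool is checked first; a full license is the fallback."""
        # Assumption: a partial license that ran out while pooled is discarded.
        self.partial = [lic for lic in self.partial if lic.expires > today]
        if self.partial:
            # Assumption: hand out the partial license with the most time left.
            lic = max(self.partial, key=lambda l: l.expires)
            self.partial.remove(lic)
            kind = "partial"
        elif self.full > 0:
            self.full -= 1
            lic, kind = License(today), "full"
        else:
            return None  # nothing left to assign
        self.in_use[machine] = lic
        return kind

    def uninstall(self, machine: str, today: date) -> None:
        lic = self.in_use.pop(machine)
        self.auto_extend.discard(machine)
        if lic.expires > today:
            self.partial.append(lic)  # remaining time goes to the partial pool

    def expire(self, today: date) -> list:
        """Process expirations; return machines left without protection."""
        unprotected = []
        for machine, lic in list(self.in_use.items()):
            if lic.expires > today:
                continue
            if machine in self.auto_extend and self.full > 0:
                self.full -= 1  # Auto-Extend always uses a full license
                self.in_use[machine] = License(today)
            else:
                del self.in_use[machine]
                unprotected.append(machine)
        return unprotected


def run_scenario() -> dict:
    """Constructed fleet: three full licenses, three hypothetical workstations."""
    pool = LicensePool(full=3)
    out = {}
    out["ws-01"] = pool.install("ws-01", date(2013, 1, 1))  # takes a full license
    pool.uninstall("ws-01", date(2013, 7, 1))               # license -> partial pool
    out["ws-02"] = pool.install("ws-02", date(2013, 8, 1))  # takes the partial one
    out["ws-02 expires"] = pool.in_use["ws-02"].expires     # inherits ws-01's clock
    pool.auto_extend.add("ws-02")
    out["ws-03"] = pool.install("ws-03", date(2013, 8, 1))  # full, no Auto-Extend
    out["gap 2014-01-01"] = pool.expire(date(2014, 1, 1))   # ws-02 is auto-extended
    out["ws-02 renewed to"] = pool.in_use["ws-02"].expires
    out["gap 2014-08-01"] = pool.expire(date(2014, 8, 1))   # ws-03 lapses
    out["full left"] = pool.full
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the constructed run, the machine installed from the partial pool gets only five months of cover before Auto-Extend consumes a full license, and the machine without Auto-Extend drops out of protection on its expiry date.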

AntiMalware Columns

The following columns are available to select when modifying any column set in the Explorer Grid (page 3). Select Column Set in the Control Panel (page 3) to modify a column set.

Anti-Malware

- Active Detections - If Yes, detections exist that could not be automatically disinfected or deleted and require user attention.
- Agent Guid Str - The unique GUID of the Kaseya agent, in string format.
- Auto Extend - If checked, Auto Extend is enabled. Auto Extend automatically extends licensed security protection for the managed machine. If AntiMalware is uninstalled from the machine and its licensed time period partially used, its partially-used license is automatically assigned to the next machine installed with AntiMalware instead of an unused license.
- Components - Identifies the status of AntiMalware components installed on this machine.
- Database Date - The date and time of the AntiMalware definition database currently being used by this machine.
- Database Version - The version of the AntiMalware definition database currently being used by this machine.
- Date Installed - The date AntiMalware was installed.
- FileExecutionBlocking Status - Running or Stopped. The Enable protection when windows starts checkbox must be checked to Enable File Execution Blocking in the Profiles (page 9) page.
- Flags - Possible flags include: Definitions out of date
- Id - The unique GUID of the Kaseya agent, in numerical format.
- Install Phase Icon - If checked, AntiMalware is installed on the machine.
- Install Schedule Date - The date AntiMalware is scheduled to be installed.
- Install Status - Not Installed, Script Scheduled, Installed
- Installed - If checked, the AntiMalware client is installed.
- Kam Assign Completed - If Yes, a KAM profile is assigned to the machine.
- Kam Protection Enabled - If Yes, protection is enabled on this machine.
- Last Updated - The date the AntiMalware definition database was last updated.
- License Date - The date AntiMalware security is scheduled to expire.
- Log File - Click the View Log link to display the log file from the last scan.
- Login Name - The currently logged on user.
- Name - The machine ID.group ID.organization ID of the machine.
- No Action - The number of detections that were not resolved. Subsequent scans may resolve a No Action detection. Multiple scans that fail to resolve a detection increment the No Action counter for each scan. See the Detections (page 8) page for more information about No Action detections.
- Online Status - These icons indicate the agent check-in status of each managed machine. Hovering the cursor over a check-in icon displays the agent quick view window.
  - Online but waiting for first audit to complete
  - Agent online
  - Agent online and user currently logged on.
  - Agent online and user currently logged on, but user not active for 10 minutes
  - Agent is currently offline
  - Agent has never checked in
  - Agent is online but remote control has been disabled
  - The agent has been suspended
- Other - Number of detections that cannot be classified under any other category. Applies when Malwarebytes creates a new detection category that AntiMalware does not yet recognize.
- Pending Actions - Icons representing install, assign, update and scan.
- Profile - The AntiMalware profile assigned to this machine.
- Profile Assignment Status - If Yes, an AntiMalware profile is assigned to the machine.
- Program Version - The Malwarebytes version number of the AntiMalware client installed on this machine.
- Protect Service Status - If Yes, the Malwarebytes service is running.
- Protection Status - If checked, protection is enabled.
- Reboot Needed - If Yes, a reboot is required.
- Resolved - The number of detections resolved automatically by AntiMalware.
- Scan Phase - Scheduled, Running, Error, Complete, Processing Result
- Scan Scheduled Date - The date the next scan is scheduled to run.
- Service Status - The status of the AntiMalware client.
- Service Version - The version of the AntiMalware client.
- Show Tool Tip - If 1, then Show Tool Tips is enabled. If 0, Show Tool Tips is not enabled. See Agent > Edit Profile (http://help.kaseya.com/WebHelp/EN/VSA-Online-Help.asp?Topic=256.htm).
- Time Zone Offset - Displays the number of minutes. See System > Preferences (http://help.kaseya.com/WebHelp/EN/VSA-Online-Help.asp?Topic=503.htm).
- Tool Tip Notes - Displays the notes assigned to an agent. See Agent > Edit Profile (http://help.kaseya.com/WebHelp/EN/VSA-Online-Help.asp?Topic=256.htm).
- Transition Time - (obsolete - this column is being removed)
- Uninstall Schedule Date - The date/time the AntiMalware client is scheduled to be uninstalled.
- Update Phase - The status of the update.
- Update Schedule Date - The date/time the AntiMalware database definitions are scheduled to be updated.
- WebSiteBlocking Status - Running or Stopped. The Enable protection when windows starts checkbox must be checked to Enable Web Site Blocking in the Profiles (page 9) page.

Details Panel

Header

- Name - The machine ID.group ID.organization ID of the machine.
- OS - The operating system of the machine.
- Network - The subnetwork the machine is on.

AntiMalware tab

AntiMalware Summary

- Install Status - If checked, AntiMalware security is installed. Select view log to view the log for the machine.
- Last Updated - The date and time the AntiMalware client was last updated.
- Auto Extend - If checked, Auto Extend is enabled. Auto Extend automatically extends licensed security protection for the managed machine. If KAM is uninstalled from the machine and its licensed time period partially used, its partially-used license is automatically assigned to the next machine installed with KAM instead of an unused license.
- Profile - The AntiMalware configuration profile assigned to this machine.
- License Expiration - The date AntiMalware security is scheduled to expire.
- Installed On - The date the Kaseya agent was installed.

MalwareBytes Status

- Component Status - Identifies the status of AntiMalware components installed on this machine.
  - Malwarebytes service is running or stopped.
  - Protection module is running or stopped.
  - File Execution Blocking is running or stopped.
  - Malicious website blocking is running or stopped.
- Database Version - The version number of the AntiMalware definition database.
- Database Date - The date and time of the AntiMalware definition database currently being used by this machine.
- Program Version - The Kaspersky version number of the AntiMalware client installed on this machine.

Messages

- If a failure/error occurs during the installation of Malwarebytes, the message displays here.

Dashboards

AntiMalware > Dashboards

The Dashboards page provides a dashboard view of the status of machines installed with AntiMalware.

Note: You must save changes to the currently displayed dashboard before navigating away from this page, or else all changes will be lost.

Actions

- New - Creates a new dashboard.

Note: New dashboards are only visible to the user that created them.

- Save - Saves changes to the currently displayed dashboard.
- Save As - Saves a copy of the currently displayed dashboard.
- Delete - Deletes the currently displayed dashboard.

Select Dashboard

Select from a list of dashboards to display it.

Add Parts

Add or delete individual parts to create custom dashboard views.

- KAM Automatic License Extension - A bar chart displays the number of machines that have autoextend applied to their license in 30, 60, 90 or 91+ days.
- KAM License Count - A bar chart displays the number of AntiMalware licenses used and the number of machines pending an install.
- KAM License Expiration - A bar chart displays the number of machines that have expired licenses or will have expired licenses in 30, 60, 90 or 91+ days.
- KAM License Summary - A chart displays the number of machines that are Available, Expired, In Use, Partials and Pending Install.
- KAM Machines Needing Attention - A bar chart displays the number of AntiMalware managed machines needing attention, by category. Categories include No AM Installed, With Uncured Threats, Out of Date, Reboot Needed, Component Status.
- KAM Machines with Detections - A bar chart displays the number of detections.
- KAM Protection Status - A pie chart displays percentage categories of machines with AntiMalware protection. Percentage categories include Not Installed, Out of Date, Not Enabled, and Up to Date.
- KAM Top Threats - A pie chart displays percentages for each category of AntiMalware detection.

Open in Separate Window

Displays the currently selected dashboard in a separate window.

Detections

AntiMalware > Detections

The Detections page displays malware threats not automatically resolved by AntiMalware. Use the information listed on this page to investigate threats further and manually remove them. Detections may be identified as a PUP or PUM:

- PUP - A potentially unwanted program. Not necessarily malicious.
- PUM - A potentially unwanted modification. An unwanted change to your computer's settings.

Table Columns

- Machine - The machine ID.
- Name - The name of the threat.
- Time - The date and time the threat was detected.
- Status - The status of the threat.
  - Detection by Scanner
    - Failed to unload process - A reboot is probably needed to complete the removal of malware.
    - Unloaded process successfully
    - Delete on reboot - A reboot is needed to complete the removal of malware.
    - Quarantined and deleted successfully
    - Not selected for removal - The item was not selected and probably is not a threat.
  - Detection by Protection Module
    - ALLOW - User has clicked Ignore on a malware detection.
    - QUARANTINE - User has clicked Quarantine on a malware detection.
    - DENY - User has clicked Quarantine on a malware detection but the blocking was unsuccessful or detection already blocked.
- Type - The category of threat.
- Path - The location of the threat on the managed machine.

Profiles

AntiMalware > Profiles

The Profiles page manages AntiMalware profiles. Each profile represents a different set of enabled or disabled options. Changes to a profile affect all machine IDs assigned that profile. A profile is assigned to machine IDs using AntiMalware > Machines (page 2). Typically different types of machines or networks require different profiles. A sample profile is provided for you.

Actions

- New - Creates a new profile.
- Open - Opens an existing profile for editing and review.
- Delete - Deletes an existing profile.
- Save - Saves changes to the currently selected profile.

Adding / Editing Profiles

Click New to display the New Profile window, or click an existing profile, then click Open to display the Edit Profile window.

Summary

- Name - The name of the profile.
- Description - A description of the profile.

Protection Options

- Enable Protection When Windows Starts - If checked, start protection module with Windows.
- Enable File Execution Blocking - If checked, start file execution blocking when protection module starts.
- Enable Website Blocking - If checked, start malicious website blocking when protection module starts.
- Show toolTip when IP blocked - If unchecked, a tooltip balloon does not display to the user when a malicious website is blocked.

Scan Options

- Restart the computer if needed as part of threat removal - If checked, restarts the computer to complete the removal of threats, if necessary.
- Automatically remove threats - If checked, automatically removes threats.
- Wake from sleep - If checked, attempts to wake the computer from sleep to perform a scheduled scan.
- Enable Advanced Heuristics engine - If checked, adds another layer of protection to detect new and unknown malware.
- Schedule Enabled - If checked, schedules a recurring scan.
  - Frequency - Hourly, Daily, Weekly, Monthly, Once, On Reboot.
  - Starting On - Date to start recurring scans.
  - Time - Time to start recurring scans.
  - Scan Type
    - Flash - A flash scan analyzes memory and autorun objects.
    - Quick - A quick scan uses fast scanning technology to scan systems for malicious software.
    - Full - A full scan scans all files on the selected drives. A quick scan is recommended in most cases.
  - Recover if Missed by - The number of hours to attempt to run the scan again if the machine was unavailable to scan at the scheduled time.
  - Repeating every - The number of weeks to repeat Recovery if Missed by if the machine remains unavailable to scan.

Update Options

- Download and install program update if available - If checked, updates are downloaded and installed, if available.
- Use proxy server to download updates - If checked, uses a proxy server to download updates.
- Proxy server - Enter a valid proxy server name or IP address.
- Port - Enter a port number.
- Use Authentication - If checked, proxy authentication is required.
- Username - If Use Authentication is checked, enter a valid username.
- Password - If Use Authentication is checked, enter a valid password.
- Schedule Enabled - If checked, schedules a recurring update.
  - Frequency - Hourly, Daily, Weekly, Monthly, Once, On Reboot.
  - Starting On - Date to start recurring updates.
  - Time - Time to start recurring updates.
  - Recover if Missed by - The number of hours to attempt to run the update again if the machine was unavailable to update at the scheduled time.
  - Repeating every - The number of days to repeat Recovery if Missed by if the machine remains unavailable to update.
  - Wake computer from sleep to perform task - If checked, the machine will be wakened, if necessary, to perform the update.
  - Run flash scan after successful update - If checked, runs a flash scan just after the update.

AntiMalware Statistics in the Executive Summary Report

Info Center > Reporting > Reports > Executive Summary (http://help.kaseya.com/WebHelp/EN/VSA-Online-Help.asp?Topic=579.htm)

The Executive Summary report includes a section called AntiMalware for the following statistics. If no filtering is selected, statistics are for all machines in all groups in all organizations. The number of days is specified in the report definition.

- Summary Statistics
  - Machine Installation Ratio - The number of machines installed with AntiMalware compared to the total number of machines.
  - Machines with full scans last Days - The number of machines with AntiMalware installed that have performed a full scan within number of days.
  - Machines needing attention - The number of machines requiring attention. Reasons machines may require attention include AntiMalware not installed, uncured threats, out of date, reboot needed, missing component.
  - Machines with unhandled detections - The number of machines that have at least one unhandled threat displayed in the Detections page.
  - Database Version and Date - The latest date of AntiMalware definitions uploaded to the set of machines specified by this report.
- Performance Statistics Last Days
  - Total Objects Scanned - The number of files and system objects scanned.
  - Total Detections - The number of handled and unhandled threats.
  - Total New Installations - The number of new AntiMalware installations.
  - Total Flash Scans Completed - A flash scan analyzes memory and auto-run objects.
  - Total Quick Scans Completed - A quick scan includes operating system startup objects.
  - Total Full Scans Completed - A full scan includes system memory, programs loaded on startup, system backup, email databases, hard drives, removable storage media and network drives.
  - Total Updates Completed - An update updates the AntiMalware definitions on a machine.

The Network Health Score of the Executive Summary includes an AntiMalware category. The AntiMalware rating is a composite score weighted as follows for each individual machine:

- AntiMalware install percentage - 40% - Is AntiMalware installed on the machine?
- Full scans run during the period - 40% - Has at least one AntiMalware scan run during the period?
- Active threats - 20% - Have zero threats been detected during the period?

After each machine AntiMalware rating is determined, they are grouped into the following percentage buckets, which can be customized: 100%, 75%, 50%, 25%. You can adjust how heavily each category affects the total Network Health Score by adjusting the weight value for each category. Weights range from 0 to 100. Set the weight to zero to turn off that category.

Anti-Malware - Anti-Malware Installation Statistics

Info Center > Reporting > Reports > Anti-Malware

- Displays only if the AntiMalware add-on module is installed.

The Anti-Malware Installation Statistics report definition generates reports for the following types of AntiMalware data maintained by the VSA.

- Show Summary Table - Displays the number of machines installed with AntiMalware per machine group. Installation details include the install date and version installed, per machine in each machine group.
- Show Installation Month Bar Chart - Displays a count of the number of machines installed with AntiMalware, per month.

Index

A
Anti-Malware - Anti-Malware Installation Statistics • 11
AntiMalware Columns • 5
AntiMalware Overview • 1
AntiMalware Statistics in the Executive Summary Report • 10
AntiMalware System Requirements • 1

C
Control Panel • 3

D
Dashboards • 7
Details Panel • 6
Detections • 8

E
Explorer Grid • 3

M
Machines • 2

P
Page Layout • 2
Profiles • 9