What is Threat Detection on MetaAccess?

MetaAccess enables administrators to protect devices from risky portable media drives and to detect advanced threats by scheduling threat scans with multiple options, such as a Full System Scan or a Custom Scan (memory, system volume, additional volumes, a specific path), powered by MetaDefender technologies. In this way, MetaAccess helps administrators protect their organizations from cyber security threats.

To protect devices from threats, an administrator can enable Threat Detection, define the actions to perform on devices in a policy, and apply that policy to device groups.

images/download/attachments/36834588/image2019-5-15_10-18-5.png

Threat Detection Settings

Scan source

Define which MetaDefender server you would like to scan files against. OPSWAT Client supports scanning files with:

  • MetaDefender Cloud: a cloud-based threat detection and prevention platform powered by MetaDefender technologies with multiple engines. You can select which of the engines available to MetaAccess customers you trust. Only scan results from trusted engines are counted.

images/download/attachments/36834588/image2019-5-15_11-32-15.png

  • MetaDefender API server: if you have MetaDefender API servers deployed in your organization, you can configure the scan source as your own MetaDefender API server so that the agent scans files with your server. You can specify which workflow rule or agent to use to scan files on devices assigned to this policy. Follow the instructions here to add your own MetaDefender API servers.

images/download/attachments/36834588/image2019-5-15_10-35-12.png

Threat Detection Mode

You can specify how you want to perform threat detection. Available options:

  • Hash lookup ONLY (fastest): the agent only looks up scan results on the scan server using the file hash. If the file is unknown (never scanned on the scan server), the agent treats it as no threat detected. Note that this option can leave potential threats undetected.

  • Hash lookup plus file upload scan (Normal): the agent first does a hash lookup for the file. If the file is unknown, it uploads the file to the scan server for analysis. Scan time depends on the workload of the scan server, the network at the device, file size, file type, the number of files scanned, and so on.

  • Only file upload scan (Most secure): the agent always submits files to the scan server for analysis. However, it can take a long time to scan a device.

images/download/attachments/36834588/image2019-5-15_11-34-59.png
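The practical difference between the three modes is easiest to see in code. The following is an added example, not OPSWAT's agent code: it models the decision rule of each mode against a constructed in-memory scan server (`FakeScanServer`, `classify`, `THREAT_MARKER` and `demo` are all assumed names) and records when a file is uploaded and when an unknown file is simply assumed clean.

```python
"""Added example (not OPSWAT code): simulation of the three Threat Detection
modes. A constructed in-memory scan server stands in for MetaDefender."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Mode(Enum):
    HASH_ONLY = "hash lookup only"
    NORMAL = "hash lookup plus file upload"
    UPLOAD_ONLY = "file upload only"


class Verdict(Enum):
    NO_THREAT = "no threat detected"
    INFECTED = "infected"
    UNKNOWN = "unknown"          # hash never scanned by the server


# Constructed marker that the fake server "detects"; not a real signature.
THREAT_MARKER = b"CONSTRUCTED-THREAT-MARKER"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FakeScanServer:
    """Constructed stand-in for a MetaDefender Cloud / API server.

    It remembers the verdict for every hash it has ever scanned and counts
    uploads, so the cost of each mode becomes visible.
    """

    def __init__(self, known: Optional[Dict[str, Verdict]] = None):
        self.known = dict(known or {})
        self.uploads = 0

    def hash_lookup(self, digest: str) -> Verdict:
        return self.known.get(digest, Verdict.UNKNOWN)

    def upload_and_scan(self, data: bytes) -> Verdict:
        self.uploads += 1
        verdict = Verdict.INFECTED if THREAT_MARKER in data else Verdict.NO_THREAT
        self.known[sha256(data)] = verdict   # later hash lookups hit the cache
        return verdict


@dataclass
class Result:
    verdict: Verdict
    uploaded: bool
    assumed_clean: bool   # True only for an UNKNOWN file in HASH_ONLY mode


def classify(data: bytes, mode: Mode, server: FakeScanServer) -> Result:
    """Apply one mode's decision rule to a single file."""
    if mode is Mode.UPLOAD_ONLY:
        return Result(server.upload_and_scan(data), True, False)

    verdict = server.hash_lookup(sha256(data))
    if verdict is not Verdict.UNKNOWN:
        return Result(verdict, False, False)

    if mode is Mode.HASH_ONLY:
        # The documented gap: an unknown file is treated as "no threat detected".
        return Result(Verdict.NO_THREAT, False, True)

    # NORMAL mode falls back to uploading the unknown file.
    return Result(server.upload_and_scan(data), True, False)


def demo() -> Dict[str, Tuple[Dict[str, Result], int]]:
    """Run a known-clean, a known-bad and a never-seen malicious file through
    each mode; returns per-mode results and the number of uploads it cost."""
    clean = b"quarterly report"                 # constructed sample content
    known_bad = b"old sample " + THREAT_MARKER  # already in the server's cache
    new_bad = b"fresh sample " + THREAT_MARKER  # never scanned before
    seeded = {sha256(clean): Verdict.NO_THREAT, sha256(known_bad): Verdict.INFECTED}
    out = {}
    for mode in Mode:
        server = FakeScanServer(seeded)
        results = {}
        for label, blob in (("clean", clean), ("known_bad", known_bad), ("new_bad", new_bad)):
            results[label] = classify(blob, mode, server)
        out[mode.name] = (results, server.uploads)
    return out


if __name__ == "__main__":
    for mode_name, (results, uploads) in demo().items():
        print(mode_name, {k: v.verdict.name for k, v in results.items()}, "uploads:", uploads)
```

In the hash-only run the fresh sample comes back as no threat detected with `assumed_clean` set, which is exactly the blind spot the note above warns about; the normal mode pays one upload to close it, and the most secure mode pays one upload per file regardless of what the server already knows.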

Portable Media Security

Note: this feature is only available on Windows.

OPSWAT Client can auto-block a portable media drive when a user inserts it into a device, and administrators can define which actions users are allowed to perform on the drive. To do that, administrators need to enable Portable Media Security on a policy.

images/download/attachments/36834588/image2019-5-15_11-55-53.png

Whenever this setting is applied on a device, the agent auto-blocks a portable media drive when a user inserts it and shows a notification to the user. If administrators allow users to perform some actions, the agent pops up a dialog with the allowed actions, from which a user can pick an action to unblock the media drive.

images/download/attachments/36834588/image2019-5-15_12-2-54.png

  • Copy files from drive: allow users to copy allowed files(1) from the drive to a path configured in the policy. Only files with no threats detected are copied. The drive remains blocked.

  • Unblock drive: allow users to unblock the drive if no threats are found.

  • Copy files to drive: allow users to copy files from a local or network drive to the portable media drive. The agent does not scan files in this action. The drive remains blocked.

(1): allowed files are files that OPSWAT Client considers as having no threat detected, based on the Threat Detection settings configured on the policy.

A user can also bring up the action popup by clicking the media drive letter on the agent tray icon.

images/download/attachments/36834588/image2019-5-15_12-44-23.png

File Sanitization settings

images/download/attachments/36834588/image2019-5-15_13-54-16.png

Determine which files you want to copy to a local drive or upload to a MetaDefender Vault:

  • If only "Use sanitized files if available" is selected:

    • the agent copies the sanitized file to the local drive instead of the original file if the file was sanitized successfully.

    • the agent uploads sanitized files to the MetaDefender Vault destination configured for Allowed Files; original files and infected files are uploaded to the MetaDefender Vault destination configured for Blocked Files.

  • If both "Use sanitized files if available" and "Only use sanitized files, do not copy original files" are selected:

    • the agent only copies the sanitized file to the local drive if the file was sanitized successfully. If a file type is not supported for sanitization, the agent still copies the original file.

    • the agent uploads sanitized files to the MetaDefender Vault destination configured for Allowed Files; infected files are uploaded to the MetaDefender Vault destination configured for Blocked Files.

Actions when a scan fails

The agent sometimes cannot scan files with MetaDefender to determine whether they contain threats, for example because the scan server is not working or because of network issues. Administrators can define how the agent is allowed to treat files in this situation:

images/download/attachments/36834588/image2019-5-15_13-58-15.png

  • Unblock the portable media: the agent unblocks the drive if it finds no threats on the other files.

  • Copy files from drive: the agent copies files whose scan failed to a local drive.
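The File Sanitization settings and the scan-failure actions are evaluated together for every file on a blocked drive, so it helps to see them as one decision procedure. The following is an added example, not OPSWAT code: `decide_file` applies the sanitization rules above to a single file, and `may_unblock` applies the "Unblock drive" and "Unblock the portable media" rules to the whole drive. Class and field names are assumptions, and so is the Vault destination of an original file that was never sanitized and of a file whose scan failed, which this page does not state.

```python
"""Added example (not OPSWAT code): evaluating a policy against the files
on a blocked portable media drive, following the File Sanitization and
'Actions when a scan fails' rules described on this page."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Scan(Enum):
    NO_THREAT = "no threat detected"
    INFECTED = "infected"
    FAILED = "scan failed"        # scan server not working, network issue, ...


class Sanitize(Enum):
    OK = "sanitized successfully"
    UNSUPPORTED = "file type not supported for sanitization"
    NOT_RUN = "not attempted"


@dataclass
class MediaPolicy:
    use_sanitized: bool = False           # "Use sanitized files if available"
    only_sanitized: bool = False          # "Only use sanitized files, do not copy original files"
    unblock_on_scan_failed: bool = False  # scan-failure action "Unblock the portable media"
    copy_on_scan_failed: bool = False     # scan-failure action "Copy files from drive"


@dataclass
class MediaFile:
    name: str
    scan: Scan
    sanitize: Sanitize = Sanitize.NOT_RUN


@dataclass
class Decision:
    copy: Optional[str]    # "sanitized", "original", or None (nothing copied)
    vault: List[str]       # Vault destinations ("allowed" / "blocked"), one per uploaded copy


def decide_file(f: MediaFile, p: MediaPolicy) -> Decision:
    if f.scan is Scan.INFECTED:
        # Infected files are never copied; they go to the Blocked Files destination.
        return Decision(copy=None, vault=["blocked"])

    if f.scan is Scan.FAILED:
        # Only the "Copy files from drive" failure action lets an unscanned file through.
        # Assumption: a file whose scan failed is not uploaded to Vault.
        return Decision(copy="original" if p.copy_on_scan_failed else None, vault=[])

    # Scan.NO_THREAT from here on.
    if p.use_sanitized and f.sanitize is Sanitize.OK:
        if p.only_sanitized:
            return Decision(copy="sanitized", vault=["allowed"])
        # Without "only sanitized": the sanitized copy goes to the user and to
        # Allowed Files, while the original is still uploaded to Blocked Files.
        return Decision(copy="sanitized", vault=["allowed", "blocked"])

    # No sanitized version exists (feature off, unsupported type, or not attempted):
    # the original is copied even when only_sanitized is set.
    # Assumption: such an original is uploaded to the Allowed Files destination.
    return Decision(copy="original", vault=["allowed"])


def may_unblock(files: List[MediaFile], p: MediaPolicy) -> bool:
    """'Unblock drive' is only possible when no threat was found; a failed scan
    keeps the drive blocked unless the scan-failure action allows unblocking."""
    if any(f.scan is Scan.INFECTED for f in files):
        return False
    if any(f.scan is Scan.FAILED for f in files) and not p.unblock_on_scan_failed:
        return False
    return True


if __name__ == "__main__":
    # Constructed drive contents.
    drive = [
        MediaFile("report.docx", Scan.NO_THREAT, Sanitize.OK),
        MediaFile("firmware.bin", Scan.NO_THREAT, Sanitize.UNSUPPORTED),
        MediaFile("unknown.dat", Scan.FAILED),
    ]
    policy = MediaPolicy(use_sanitized=True, only_sanitized=True)
    for f in drive:
        print(f.name, decide_file(f, policy))
    print("may unblock:", may_unblock(drive, policy))
```

Note how the strictest sanitization setting still lets `firmware.bin` through as an original because its type cannot be sanitized; the only settings that keep unscanned content off the endpoint are the two scan-failure actions, which is why they deserve the same scrutiny as the detection mode itself.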

Media Manifest

If you have a MetaDefender Kiosk in your organization and users have already scanned a drive with it, you can save the time of re-scanning files by enabling this feature. The agent looks for a manifest file on the drive, which the MetaDefender Kiosk generates when it scans the drive. The agent considers a file as no threat detected if the MetaDefender Kiosk allowed it, and conversely considers a file as infected if the MetaDefender Kiosk blocked it. The administrator needs to upload the certificate used by the MetaDefender Kiosk here so that it is distributed to the agent for the manifest file authorization step.

images/download/attachments/36834588/image2019-5-15_14-7-1.png

MetaDefender Vault

This setting gives administrators the ability to monitor potential threats from risky removable media usage. When it is enabled, agents upload allowed/blocked files to a MetaDefender Vault whenever a user unblocks or copies files from a portable media drive. The administrator needs to specify the Vault API URL and token used for uploading files.

images/download/attachments/36834588/image2019-5-15_14-21-23.png

Device Scan

This setting enables administrators to detect advanced threats by scheduling a scan on devices with multiple options, such as a Full System Scan or a Custom Scan (memory, system volume, additional volumes, a specific path).

images/download/attachments/36834588/image2019-5-15_14-26-24.png

Note: If a device is running a persistent agent version earlier than 7.6.222.0 or 10.4.214.0, or an on-demand agent, the agent only performs a running-process scan every 24 hours, and only if the setting "Scan threats with a MetaDefender server" is enabled.

On-demand threat scan

Besides scheduled threat scans, an administrator can run an on-demand scan for specific devices from the Devices or Device Details view if the device is running agent version 7.6.222.0+ or 10.4.214.0+.

From Devices View

  • Navigate to the Devices page from Inventory > Devices in the left navigation

  • Select the devices on which you would like to perform an on-demand scan

  • Select the "Scan Threats" action from the Action dropdown.

images/download/attachments/36834588/image2019-5-15_14-36-6.png

  • Select what type of scan you want to perform on the devices

  • Enter your PIN to confirm the action and click the SCAN NOW button. The system sends a command to the agents on the selected devices; you can check the scan result in the Device Details view, under the Events section > Action Logs tab

From Device Details View

  • Navigate to the Devices page from Inventory > Devices in the left navigation

  • Search for the device on which you would like to perform an on-demand scan

  • Go to the Device Details view of that device

  • Select the "Scan Threats" action from the Action dropdown.

images/download/attachments/36834588/image2019-5-15_14-47-41.png

  • Select what type of scan you want to perform on the device

  • Enter your PIN to confirm the action and click the SCAN NOW button. The system sends a command to the agent on that device; you can check the scan result in the Device Details view, under the Events section > Action Logs tab

Scan Report

You can find scan reports for threat scans in the Device Details view:

  • On-demand scan: recorded under the Events section > Action Logs tab

images/download/attachments/36834588/image2019-5-15_14-54-25.png

  • Scheduled scan: the last scan result is recorded under the DETAILED DEVICE INFORMATION section > Threat Detection tab. The system only shows the first 200 threats; if a scan result has more than that, click "Get Full Report" to send a command to the agent to retrieve the last full scan report. You can then download the full scan report from Action Logs under the Events section

images/download/attachments/36834588/image2019-5-15_15-3-27.png

The status of a command in the action log can be:

  • Queued: the command is recorded and will be sent to the agent

  • In Progress: the command has been sent to the agent

  • Completed: the command completed and the agent reported data. In this case, the system shows a link to download the scan report together with a summary of the scan result.

  • Failed: the agent failed to perform the action. A detailed error is shown.

This article applies to MetaAccess product.
This article was last updated on 2019-05-15.