Configure an anti-malware profile

Anti-malware profiles allow you to configure a set of parameters to verify the presence of active anti-malware software on enterprise devices.

On the Signal Configuration page, under Anti-malware Profiles, you can find all configured anti-malware profiles. With this feature, you can collect anti-malware signals that help you to evaluate the security posture of enterprise devices. There are two types of anti-malware profiles:

  • The Any Vendor profile. This profile can be neither modified nor deleted. It checks if any anti-malware software is installed and considered active on the end user's device:
    • On macOS, this corresponds to a preset list of anti-malware software that is detected by the EAA Client.

    • On Windows, this indicates any active anti-malware software registered with Windows Security Center.

  • Custom anti-malware profiles. You can configure a custom anti-malware profile for a specific vendor per operating system to confirm if its software is installed and considered active on the device.

    The following is the list of supported vendors that you can select for each of the operating systems. You can set the same or different anti-malware vendor for macOS and Windows.

    Supported vendors by operating system:
    • Windows: Avast, AVG, Avira, Bitdefender, Carbon Black, Cisco, CrowdStrike, Cylance, ESET, FireEye, Forti Client, Kaspersky, K7, Malwarebytes, McAfee, Microsoft, Norton, Quick Heal, SentinelOne, Sophos, Symantec, Trend Micro, Webroot, Windows Defender.
    • macOS: Avast, AVG, Avira, Bitdefender, Carbon Black, CrowdStrike, ESET, Intego, Kaspersky, Malwarebytes, McAfee, Norton, SentinelOne, Sophos, Symantec, Tanium, Trend Micro, Webroot.

    You can apply the N/A (Not Applicable) value for one of the operating systems in your custom anti-malware profile if you're not interested in checking the anti-malware status of devices with that OS. N/A means that this profile will not be used to check the presence of active anti-malware software on devices with that operating system. For example, if you want to configure an anti-malware profile only for macOS devices, you can set the N/A value for the Anti-malware for Windows criterion.

Note: You can set up to four additional anti-malware profiles. When you try to create the fifth profile, you receive an error message. In this situation, you have to delete one of the existing profiles, except the Any Vendor profile that cannot be deleted. Then, you can proceed with the creation of the new anti-malware profile.

How to

  1. In the EAA Management Portal, select System > Device Posture.
    The Device Posture page appears.
  2. On the Device Posture page, click the Signal Configuration tab.
  3. Scroll down to Anti-malware Profiles.
  4. In the Any Vendor profile, verify that the Any Vendor value is set for macOS and Windows.


  5. To configure a custom anti-malware profile, click Add Anti-malware Profile (+).
    Configure the following parameters for each custom anti-malware profile:

    • Name. Enter a unique anti-malware profile name.

      You can later select this anti-malware profile by its name and apply it as a value for the Anti-malware Profile tier/tag criterion, and use it to configure application access control rules (ACLs).

    • Anti-malware for macOS and Windows. From the list of supported vendors, select the anti-malware program whose software you want to confirm is active on the device. See the list of supported vendors above.

      You can set the same or different anti-malware vendor for macOS and Windows.

      If you want to configure the custom anti-malware profile for only one of the available operating systems, you can apply the Any Vendor or N/A value for the other OS. For example, assume that you want to check the status of Carbon Black software on macOS devices:
      • With the Any Vendor parameter set for Windows, this profile will be used to check the presence of any anti-malware software on devices with that operating system.
      • With the N/A (Not Applicable) parameter set for Windows, this profile will not be used to check the presence of active anti-malware software on devices with that operating system.
  6. Click Save and, next, Create Anti-malware Profile.

Next steps

After you create an anti-malware profile, signals collected from devices that have the selected vendor’s anti-malware installed are checked against the anti-malware profile parameters.

You can now apply your anti-malware profile as part of a tier and tag configuration to evaluate the security posture of devices, and allow or deny access to applications. See Define device risk tiers.

Each device in your deployment will now be evaluated against any configured anti-malware profile and you may also use anti-malware profiles as criteria for creating inventory reports. See Create an inventory report.

The device history report provides you with the names of profiles that are met by a particular device. See Create a device history report.

From both inventory and device history reports, you can display the Device Details report where you can find the following information:

  • Anti-malware. Displays the status of the anti-malware software that is installed on the device. The status can be:

    • Active (v).

      On macOS, the active status means that Device Posture detected a specific anti-malware program as running on the device.

      On Windows, the active status means that Device Posture verified that a specific anti-malware program is installed, running and actively protecting the device.

    • Inactive (x).

      On macOS, the inactive status is not reported.

      On Windows, the inactive status means that Device Posture verified that a specific anti-malware program is installed and running but not actively protecting the device.

      Note: With versions of EAA Client earlier than 2.4.0, it is not possible to determine which of the installed anti-malware programs is active. The older versions of EAA Client can only confirm that at least one of the supported anti-malware programs installed on the device is active.

      As long as one of the program's statuses is active, Device Posture marks the Any Vendor profile as active.

    • Unknown - status cannot be determined (yellow circle).

      Refers to Windows devices running an EAA Client version earlier than 2.4.0. For those devices it is not possible to determine which of the installed anti-malware programs is active. Consequently, those devices are assigned the unknown status.

      The unknown status is not applicable to macOS devices. As mentioned above, macOS devices don't report the inactive status. Consequently, if any anti-malware software is detected on the device, it is always considered active.

  • Anti-malware Profile(s). Displays the list of configured anti-malware profiles and their statuses for the selected device.
    • Passed (v). Identifies the profiles that are met by the selected device.
    • Failed (x). Identifies the profiles that aren't met by the selected device.
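
The status and profile rules described on this page, modelled as an added example; this is not Akamai's code and not the EAA Client's actual logic. The data shapes, function names, the "not detected" value, the treatment of N/A as "not evaluated", and the Failed result for a vendor-specific profile when the status is unknown or inactive are all assumptions made for illustration.

```python
from dataclasses import dataclass

ANY_VENDOR, NOT_APPLICABLE = "Any Vendor", "N/A"
PER_PRODUCT_MIN = (2, 4, 0)  # page: earlier clients cannot tell which product is active

@dataclass
class Device:
    os: str                 # "macOS" or "Windows"
    client_version: tuple   # EAA Client version, e.g. (2, 4, 0)
    products: dict          # vendor -> True (protecting) / False (running, not protecting)

def product_status(device, vendor):
    """Status of one vendor's product, following the Device Details rules."""
    if vendor not in device.products:
        return "not detected"   # assumption: label for a vendor that is absent
    if device.os == "macOS":
        return "active"         # macOS never reports inactive: detected means active
    if device.client_version < PER_PRODUCT_MIN:
        return "unknown"        # older Windows client: per-product state unavailable
    return "active" if device.products[vendor] else "inactive"

def any_vendor_active(device):
    """Any Vendor is active as long as at least one product is active."""
    if device.os == "macOS":
        return bool(device.products)
    # Older clients can still confirm that at least one product is active.
    return any(device.products.values())

def evaluate(profile, device):
    """profile maps OS -> vendor, Any Vendor or N/A. Returns Passed, Failed or None."""
    setting = profile[device.os]
    if setting == NOT_APPLICABLE:
        return None             # assumption: profile is not evaluated for this OS
    if setting == ANY_VENDOR:
        return "Passed" if any_vendor_active(device) else "Failed"
    # Assumption: only a confirmed active status satisfies a vendor-specific profile.
    return "Passed" if product_status(device, setting) == "active" else "Failed"

if __name__ == "__main__":
    # Constructed sample profile and devices (not real inventory data).
    profile = {"macOS": "Carbon Black", "Windows": ANY_VENDOR}
    fleet = [
        Device("macOS", (2, 5, 0), {"Carbon Black": True}),
        Device("Windows", (2, 4, 0), {"Sophos": False}),
        Device("Windows", (2, 3, 9), {"Sophos": True}),
    ]
    for d in fleet:
        print(d.os, d.client_version, evaluate(profile, d))
```

The model makes the coverage gap explicit: with N/A set for an operating system, devices on that OS produce no result for the profile, so pair such a profile with another criterion if those devices must still be checked.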