Configure Anti-Malware
Configure the Anti-Malware module to define its behavior for a policy.
When designing the module's behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.
Policy objects contain two objects that you use to configure the Anti-Malware module:
- AntiMalwarePolicyExtension: Controls the module state (on or off), identifies the malware scan configurations to use, and the schedule to use for real-time scans.
- PolicySettings: Policy settings include many Anti-Malware-related settings that control the behavior of the module, such as the behavior of SmartScan, NSX security tagging, Connected Threat Defense, and scan performance. Configure Anti-Malware-related policy settings as described in Configure policy and default policy settings.
The following JSON represents the data structure of an AntiMalwarePolicyExtension object:
{
"state": "on",
"moduleStatus": {...},
"realTimeScanConfigurationID": 1,
"realTimeScanScheduleID": 4,
"manualScanConfigurationID": 2,
"scheduledScanConfigurationID": 3
}
The moduleStatus property is read-only. It provides the runtime status of
the Anti-Malware module. (See Report on Computer
Status.)
General steps
Use the following steps to configure the Anti-Malware module:
- Create an AntiMalwarePolicyExtension object and configure the properties (Python, JavaScript, Java).
- Create a PolicySettings object to configure runtime settings of the module. (See Configure policy and default policy settings.)
- Create a Policy object and add the AntiMalwarePolicyExtension and PolicySettings objects (Python, JavaScript, Java).
- Use a PoliciesApi object to add or update the policy on Deep Security Manager.
For a complete example that creates an
AntiMalwarePolicyExtension object and uses it to turn on the Anti-Malware
module, set the real-time scan configuration to use, and specify the scan schedule for
real-time scans, see: Python, JavaScript, Java
Also see the Modify a Policy operation in the API Reference. For information about authenticating API calls, see Authenticate with Deep Security Manager.
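The following is an added example, not code from the Deep Security SDK or its documentation. It audits policy JSON for the AntiMalwarePolicyExtension properties shown above and reports policies where the module is not on or a scan configuration or schedule ID is missing. The `policies` wrapper key, the `antiMalware` and `name` policy properties, and the rule that any state other than "on" is a finding are assumptions.

```python
import json

# Scan-related properties of AntiMalwarePolicyExtension, as listed in the JSON above.
REQUIRED_IDS = (
    "realTimeScanConfigurationID",
    "realTimeScanScheduleID",
    "manualScanConfigurationID",
    "scheduledScanConfigurationID",
)

def audit_extension(ext):
    """Return findings for one AntiMalwarePolicyExtension dict (None if absent)."""
    if not ext:
        return ["no Anti-Malware settings in policy"]
    findings = []
    if ext.get("state") != "on":
        findings.append("state is %r, not 'on'" % ext.get("state"))
    for prop in REQUIRED_IDS:
        value = ext.get(prop)
        # bool is a subclass of int, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            findings.append(prop + " is not set")
    return findings

def audit_policies(document):
    """Map policy name -> findings, for every policy that has at least one."""
    report = {}
    for policy in json.loads(document).get("policies", []):  # assumed wrapper key
        findings = audit_extension(policy.get("antiMalware"))  # assumed property name
        if findings:
            report[policy.get("name", "<unnamed>")] = findings
    return report

# Constructed sample, not output from a real Deep Security Manager.
SAMPLE = json.dumps({"policies": [
    {"name": "web-servers", "antiMalware": {
        "state": "on", "realTimeScanConfigurationID": 1, "realTimeScanScheduleID": 4,
        "manualScanConfigurationID": 2, "scheduledScanConfigurationID": 3}},
    {"name": "build-agents", "antiMalware": {
        "state": "off", "realTimeScanConfigurationID": 1, "realTimeScanScheduleID": 4,
        "manualScanConfigurationID": 2, "scheduledScanConfigurationID": 3}},
    {"name": "legacy", "antiMalware": {"state": "on", "manualScanConfigurationID": 2}},
]})

if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE).items():
        print(name, findings)
```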
Create and modify malware scan configurations
Malware scan configurations determine how the Anti-Malware module performs scans to detect malware. A malware scan configuration can be used with multiple policies.
When designing malware scan behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.
Use an AntiMalwareConfiguration object to configure a malware scan
configuration. Set the property values according to the scan behavior that you require, such
as the scan type, the files and directories to scan, and the actions to take when malware is
detected.
To see all of the available properties of AntiMalwareConfiguration,
expand the 200 response for the Describe an Anti-Malware Configuration operation
in the API Reference.
To create a malware scan configuration, perform the following general steps:
- Create an AntiMalwareConfiguration object.
- Set the property values of the object. (See also Create and Modify Lists and Create and Configure Schedules.)
- Use an AntiMalwareConfigurationsApi object to update Deep Security Manager.
For example, set the directories to exclude from the malware scan:
- Python:
    real_time_config = api.AntiMalwareConfiguration()
    real_time_config.excluded_directory_list_id = dir_list_id
- JavaScript:
    const realtimeConfig = new api.AntiMalwareConfiguration();
    realtimeConfig.excludedDirectoryListID = dirListID;
- Java:
    AntiMalwareConfiguration realtimeConfig = new AntiMalwareConfiguration();
    realtimeConfig.setExcludedDirectoryListID(dirListId);
For information about creating a directory exclusion list, see Create and Modify Lists.
Use an AntiMalwareConfigurationsApi object to modify or create a scan
configuration on Deep Security Manager:
- Python:
    am_configurations_api = api.AntiMalwareConfigurationsApi(api.ApiClient(configuration))
    modified_am_config = am_configurations_api.modify_anti_malware(scan_config_id, real_time_config, api_version)
- JavaScript:
    const amConfigurationsApi = new api.AntiMalwareConfigurationsApi();
    return amConfigurationsApi.modifyAntiMalware(scanConfigID, realtimeConfig, apiVersion);
- Java:
    AntiMalwareConfigurationsApi amConfigsApi = new AntiMalwareConfigurationsApi();
    AntiMalwareConfiguration modifiedRealtimeConfig = amConfigsApi.modifyAntiMalware(scanConfigID, realtimeConfig, apiVersion);
The scan_config_id (or scanConfigID) parameter of
modifyAntiMalware identifies the actual malware scan configuration on
Deep Security Manager that is to be modified. This scan configuration is modified according
to the AntiMalwareConfiguration object that is used as the
real_time_config (or realtimeConfig) parameter. Any
properties of the object that are not set remain unchanged on the actual malware scan
configuration.
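The following is an added example, not code from the Deep Security SDK. It models the modify behavior described above on plain dictionaries, so the effect of a sparse object can be reviewed before it is sent, and it singles out changes to exclusion properties because excluded locations are not scanned. Representing an unset property as `None`, matching exclusion properties by the `excluded` prefix, and the sample values are assumptions; only `excludedDirectoryListID` is taken from this page.

```python
def plan_modify(current, change):
    """Model the modify call: properties not set in `change` keep their current value.

    Returns (resulting configuration, {property: (old, new)} for values that change).
    """
    result = dict(current)
    changed = {}
    for prop, new in change.items():
        if new is None:  # unset property (assumption: modelled as None), left unchanged
            continue
        if current.get(prop) != new:
            changed[prop] = (current.get(prop), new)
        result[prop] = new
    return result, changed


def exclusion_changes(changed):
    """Subset of planned changes that alter what the scan skips."""
    return {p: v for p, v in changed.items() if p.startswith("excluded")}


# Constructed sample values, not taken from a real Deep Security Manager.
CURRENT_CONFIG = {"ID": 1, "name": "Real-time scan (constructed)"}
CHANGE = {"name": None, "excludedDirectoryListID": 12}

if __name__ == "__main__":
    result, changed = plan_modify(CURRENT_CONFIG, CHANGE)
    print("resulting configuration:", result)
    for prop, (old, new) in exclusion_changes(changed).items():
        print("review before applying: %s %r -> %r" % (prop, old, new))
```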
To create a malware scan configuration, use the createAntiMalware function
or method of AntiMalwareConfigurationsApi.
For a complete example that sets the directory exclusions for a malware scan configuration and modifies the scan configuration on Deep Security Manager, see: Python, JavaScript, Java
