Configure Anti-Malware

Configure the Anti-Malware module to define its behavior for a policy.

When designing the module’s behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.

Policy objects contain two objects that you use to configure the Anti-Malware module:

  • AntiMalwarePolicyExtension: Controls the module state (on or off), and identifies the malware scan configurations to use and the schedule for real-time scans.
  • PolicySettings: Policy settings include many Anti-Malware-related settings that control the behavior of the module, such as the behavior of SmartScan, NSX security tagging, Connected Threat Defence, and scan performance. Configure Anti-Malware-related policy settings as described in Configure policy and default policy settings.

The following JSON represents the data structure of an AntiMalwarePolicyExtension object:

{
    "state": "on",
    "moduleStatus": {...},
    "realTimeScanConfigurationID": 1,
    "realTimeScanScheduleID": 4,
    "manualScanConfigurationID": 2,
    "scheduledScanConfigurationID": 3
}

The moduleStatus property is read-only. It provides the runtime status of the Anti-Malware module. (See Report on Computer Status.)

General steps

Use the following steps to configure the Anti-Malware module:

  1. Create an AntiMalwarePolicyExtension object and configure the properties.
  2. Create a PolicySettings object to configure runtime settings of the module. (See Configure policy and default policy settings.)
  3. Create a Policy object and add the AntiMalwarePolicyExtension and PolicySettings objects.
  4. Use a PoliciesApi object to add or update the policy on Deep Security Manager.

Create an AntiMalwarePolicyExtension and set property values to configure the state, identify the malware scan configurations to use, and the schedule for real-time scans:

Python
anti_malware_policy_config = api.AntiMalwarePolicyExtension()
anti_malware_policy_config.state = "on"
anti_malware_policy_config.real_time_scan_configuration_id = real_time_scan_config_id
anti_malware_policy_config.real_time_scan_schedule_id = schedule_id
JavaScript
const antiMalwarePolicyExtension = new api.AntiMalwarePolicyExtension();
antiMalwarePolicyExtension.state = api.AntiMalwarePolicyExtension.StateEnum.on;
antiMalwarePolicyExtension.realTimeScanConfigurationID = realTimeScanConfigID;
antiMalwarePolicyExtension.realTimeScanScheduleID = scheduleID;
Java
AntiMalwarePolicyExtension antiMalwarePolicyExtension = new AntiMalwarePolicyExtension();
antiMalwarePolicyExtension.setState(AntiMalwarePolicyExtension.StateEnum.ON);
antiMalwarePolicyExtension.setRealTimeScanConfigurationID(realTimeScanConfigID);
antiMalwarePolicyExtension.setRealTimeScanScheduleID(scheduleID);

Add the AntiMalwarePolicyExtension object to a Policy object, and then use a PoliciesApi object to modify a policy on Deep Security Manager.

Python
policy = api.Policy()
policy.anti_malware = anti_malware_policy_config

policies_api = api.PoliciesApi(api.ApiClient(configuration))
return policies_api.modify_policy(policy_id, policy, api_version)
JavaScript
const policy = new api.Policy();
policy.antiMalware = antiMalwarePolicyExtension;

const policiesApi = new api.PoliciesApi();
return policiesApi
  .modifyPolicy(policyID, policy, apiVersion, { overrides: false });
Java
Policy policy = new Policy();
policy.setAntiMalware(antiMalwarePolicyExtension);

// Modify the policy on Deep Security Manager
PoliciesApi policiesApi = new PoliciesApi();
return policiesApi.modifyPolicy(policyID, policy, Boolean.FALSE, apiVersion);

The policy_id (or policyID) parameter of modify_policy (or modifyPolicy) identifies the actual policy on Deep Security Manager that is to be modified. This policy is modified according to the policy object that is used as the policy parameter. Any properties of the policy parameter that are not set remain unchanged on the actual policy.

Example

The following example creates an AntiMalwarePolicyExtension object and uses it to turn on the Anti-Malware module, set the real-time scan configuration to use, and specify the scan schedule for real-time scans.

Python

# The imports and the function wrapper are added so that this fragment runs; the page's other
# snippets assume the same `api` alias. `configuration` is an authenticated api.Configuration.
import deepsecurity as api
from deepsecurity.rest import ApiException as api_exception


def configure_anti_malware(configuration, api_version, policy_id, real_time_scan_config_id, schedule_id):
    # Create and configure the Anti-Malware policy extension
    anti_malware_policy_config = api.AntiMalwarePolicyExtension()
    anti_malware_policy_config.state = "on"
    anti_malware_policy_config.real_time_scan_configuration_id = real_time_scan_config_id
    anti_malware_policy_config.real_time_scan_schedule_id = schedule_id

    # Add the configuration to the policy
    policy = api.Policy()
    policy.anti_malware = anti_malware_policy_config

    # Modify the policy on Deep Security Manager
    try:
        policies_api = api.PoliciesApi(api.ApiClient(configuration))
        return policies_api.modify_policy(policy_id, policy, api_version)

    except api_exception as e:
        return "Exception: " + str(e)
JavaScript

// Function wrapper added so that resolve/reject are defined: `api` is the Deep Security
// JavaScript SDK module with an authenticated default ApiClient already configured.
function configureAntiMalware(policyID, realTimeScanConfigID, scheduleID, apiVersion) {
  return new Promise((resolve, reject) => {
    const policy = new api.Policy();
    const policiesApi = new api.PoliciesApi();

    // Create and configure the AntiMalwarePolicyExtension object
    const antiMalwarePolicyExtension = new api.AntiMalwarePolicyExtension();
    antiMalwarePolicyExtension.state = api.AntiMalwarePolicyExtension.StateEnum.on;
    antiMalwarePolicyExtension.realTimeScanConfigurationID = realTimeScanConfigID;
    antiMalwarePolicyExtension.realTimeScanScheduleID = scheduleID;

    // Add to the policy
    policy.antiMalware = antiMalwarePolicyExtension;

    // Send the change to Deep Security Manager
    policiesApi
      .modifyPolicy(policyID, policy, apiVersion, { overrides: false })
      .then(data => {
        resolve(data);
      })
      .catch(error => {
        reject(error);
      });
  });
}
Java

// Create and configure the AntiMalwarePolicyExtension object
AntiMalwarePolicyExtension antiMalwarePolicyExtension = new AntiMalwarePolicyExtension();
antiMalwarePolicyExtension.setState(AntiMalwarePolicyExtension.StateEnum.ON);
antiMalwarePolicyExtension.setRealTimeScanConfigurationID(realTimeScanConfigID);
antiMalwarePolicyExtension.setRealTimeScanScheduleID(scheduleID);

Policy policy = new Policy();
policy.setAntiMalware(antiMalwarePolicyExtension);

// Modify the policy on Deep Security Manager
PoliciesApi policiesApi = new PoliciesApi();
policy = policiesApi.modifyPolicy(policyID, policy, Boolean.FALSE, apiVersion);

Also see the Modify a Policy operation in the API Reference. For information about authenticating API calls, see Authenticate with Deep Security Manager.

Create and modify malware scan configurations

Malware scan configurations determine how the Anti-Malware module performs scans to detect malware. A malware scan configuration can be used with multiple policies.

When designing malware scan behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.

Use an AntiMalwareConfiguration object to configure a malware scan configuration. Set the property values according to the scan behavior that you require, such as the scan type, the files and directories to scan, and the actions to take when malware is detected.

To see all of the available properties of AntiMalwareConfiguration, expand the 200 response for the Describe an Anti-Malware Configuration operation in the API Reference.

General steps for creating malware scan configurations

To create a malware scan configuration, perform the following general steps:

  1. Create an AntiMalwareConfiguration object.
  2. Set the property values of the object. (See also Create and Modify Lists and Create and Configure Schedules.)
  3. Use an AntiMalwareConfigurationsApi object to update Deep Security Manager.

For example, set the directories to exclude from the malware scan:

Python
real_time_config = api.AntiMalwareConfiguration()
real_time_config.excluded_directory_list_id = dir_list_id
JavaScript
const realtimeConfig = new api.AntiMalwareConfiguration();
realtimeConfig.excludedDirectoryListID = dirListID;
Java
AntiMalwareConfiguration realtimeConfig = new AntiMalwareConfiguration();
realtimeConfig.setExcludedDirectoryListID(dirListId);

For information about creating a directory exclusion list, see Create and Modify Lists.

Use an AntiMalwareConfigurationsApi object to modify or create a scan configuration on Deep Security Manager:

Python
am_configurations_api = api.AntiMalwareConfigurationsApi(api.ApiClient(configuration))
modified_am_config = am_configurations_api.modify_anti_malware(scan_config_id, real_time_config, api_version)
JavaScript
const amConfigurationsApi = new api.AntiMalwareConfigurationsApi();
return amConfigurationsApi.modifyAntiMalware(scanConfigID, realtimeConfig, apiVersion);
Java
AntiMalwareConfigurationsApi amConfigsApi = new AntiMalwareConfigurationsApi();
AntiMalwareConfiguration modifiedRealtimeConfig = amConfigsApi.modifyAntiMalware(scanConfigID, realtimeConfig, apiVersion);

The scan_config_id (or scanConfigID) parameter of modify_anti_malware (or modifyAntiMalware) identifies the actual malware scan configuration on Deep Security Manager that is to be modified. This scan configuration is modified according to the AntiMalwareConfiguration object that is used as the real_time_config (or realtimeConfig) parameter. Any properties of the object that are not set remain unchanged on the actual malware scan configuration.

To create a malware scan configuration, use the createAntiMalware function or method of AntiMalwareConfigurationsApi.
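Both modify calls above (modifyPolicy and modifyAntiMalware) leave unset properties unchanged, and moduleStatus is read-only, so a script that reads an object back from the manager should send only the properties it wants to change. The following added example (not code from the Deep Security SDK or this page) builds such minimal request bodies for the antiMalware policy extension and for a scan configuration, validating the extension against the JSON structure shown earlier; the sample policy and scan configuration, and the function names, are constructed for the example.

```python
import json

# AntiMalwarePolicyExtension properties, taken from the JSON structure shown above.
AM_EXTENSION_WRITABLE = {"state", "realTimeScanConfigurationID", "realTimeScanScheduleID",
                         "manualScanConfigurationID", "scheduledScanConfigurationID"}
AM_EXTENSION_READ_ONLY = {"moduleStatus"}   # runtime status; never sent in a modify request
AM_STATES = {"on", "off"}


def minimal_modify_body(current, desired, read_only=frozenset()):
    """Keep only the properties of `desired` that differ from `current`.

    modifyPolicy and modifyAntiMalware leave unset properties unchanged, so sending
    only the differences keeps a script idempotent and never echoes read-only
    properties read from the manager back to it.
    """
    return {k: v for k, v in desired.items()
            if k not in read_only and current.get(k) != v}


def anti_malware_policy_body(current_policy, desired_extension):
    """Body for a Modify a Policy call that changes only the antiMalware extension."""
    unknown = set(desired_extension) - AM_EXTENSION_WRITABLE
    if unknown:
        raise ValueError(f"not writable on AntiMalwarePolicyExtension: {sorted(unknown)}")
    state = desired_extension.get("state")
    if state is not None and state not in AM_STATES:
        raise ValueError(f"state must be one of {sorted(AM_STATES)}, got {state!r}")
    for name, value in desired_extension.items():
        if name != "state" and (isinstance(value, bool) or not isinstance(value, int) or value <= 0):
            raise ValueError(f"{name} must be a positive integer ID, got {value!r}")
    changes = minimal_modify_body(current_policy.get("antiMalware", {}),
                                  desired_extension, AM_EXTENSION_READ_ONLY)
    return {"antiMalware": changes} if changes else {}


# Constructed sample of a policy as a describe call might return it; the IDs and the
# moduleStatus contents are placeholders, not values from a real manager.
SAMPLE_POLICY = {
    "ID": 7, "name": "Web Servers",
    "antiMalware": {"state": "off", "moduleStatus": {"status": "placeholder"},
                    "realTimeScanConfigurationID": 1, "realTimeScanScheduleID": 4},
}
# Constructed sample of an existing malware scan configuration (placeholder IDs).
SAMPLE_SCAN_CONFIG = {"ID": 2, "name": "Real-time", "excludedDirectoryListID": 5}

if __name__ == "__main__":
    desired = {"state": "on", "realTimeScanConfigurationID": 2, "realTimeScanScheduleID": 4}
    print(json.dumps(anti_malware_policy_body(SAMPLE_POLICY, desired), indent=2))
    print(json.dumps(minimal_modify_body(SAMPLE_SCAN_CONFIG, {"excludedDirectoryListID": 9}, {"ID"}), indent=2))
```

For the scan configuration call, ID is the path parameter of modifyAntiMalware, which is why it is passed as read-only and left out of the body.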

Example malware scan configuration

The following example sets the directory exclusions for a malware scan configuration and modifies the scan configuration on Deep Security Manager.

Python

# The imports and the function wrapper are added so that this fragment runs;
# `configuration` is an authenticated api.Configuration.
import deepsecurity as api
from deepsecurity.rest import ApiException as api_exception


def set_scan_exclusions(configuration, api_version, scan_config_id, dir_list_id):
    # Create an anti-malware scan configuration
    real_time_config = api.AntiMalwareConfiguration()

    # Set the exclusion
    real_time_config.excluded_directory_list_id = dir_list_id

    try:
        # Modify the anti-malware scan configuration on Deep Security Manager
        am_configurations_api = api.AntiMalwareConfigurationsApi(api.ApiClient(configuration))
        return am_configurations_api.modify_anti_malware(scan_config_id, real_time_config, api_version)

    except api_exception as e:
        return "Exception: " + str(e)
JavaScript

// Function wrapper added so that resolve/reject are defined: `api` is the Deep Security
// JavaScript SDK module with an authenticated default ApiClient already configured.
function setScanExclusions(scanConfigID, dirListID, apiVersion) {
  return new Promise((resolve, reject) => {
    // Create a malware scan configuration
    const realtimeConfig = new api.AntiMalwareConfiguration();

    // Set the exclusion
    realtimeConfig.excludedDirectoryListID = dirListID;

    // Modify the scan configuration on Deep Security Manager
    const amConfigurationsApi = new api.AntiMalwareConfigurationsApi();
    amConfigurationsApi
      .modifyAntiMalware(scanConfigID, realtimeConfig, apiVersion)
      .then(scanConfig => {
        resolve(scanConfig.ID);
      })
      .catch(error => {
        reject(error);
      });
  });
}
Java

// Create a real-time scan configuration object
AntiMalwareConfiguration realtimeConfig = new AntiMalwareConfiguration();

// Set the ID of the directory exclusion list
realtimeConfig.setExcludedDirectoryListID(dirListId);

// Update Deep Security Manager
AntiMalwareConfigurationsApi amConfigsApi = new AntiMalwareConfigurationsApi();
realtimeConfig = amConfigsApi.modifyAntiMalware(scanConfigID, realtimeConfig, apiVersion);


To use an HTTP client to interact with a malware scan configuration, use the /api/antimalwareconfigurations endpoint. (See the Anti Malware Configurations operations in the API Reference.)