Table of contents

Configure Anti-Malware

Configure the Anti-Malware module to define its behavior for a policy.

When designing the module’s behavior and implementing it using the API, use the background information and guidance that is provided in About Anti-Malware.

Policy objects contain two objects that you use to configure the Anti-Malware module:

  • AntiMalwarePolicyExtension: Controls the module state (on or off), identifies the malware scan configurations to use, and the schedule to use for real-time scans.
  • PolicySettings: Policy settings include many Anti-Malware-related settings that control the behavior of the module, such as the behavior of SmartScan, NSX security tagging, Connected Threat Defence, and scan performance. Configure Anti-Malware-related policy settings as described in Configure policy and default policy settings.

The following JSON represents the data structure of an AntiMalwarePolicyExtension object:

{
    "state": "on",
    "moduleStatus": {...},
    "realTimeScanConfigurationID": 1,
    "realTimeScanScheduleID": 4,
    "manualScanConfigurationID": 2,
    "scheduledScanConfigurationID": 3
}

The moduleStatus property is read-only. It provides the runtime status of the Anti-Malware module. (See Report on Computer Status.)

General steps

Use the following steps to configure the Anti-Malware module:

  1. Create an AntiMalwarePolicyExtension object and configure the properties.
  2. Create a PolicySettings object to configure runtime settings of the module. (See Configure policy and default policy settings.)
  3. Create a Policy object and add the AntiMalwarePolicyExtension and PolicySettings objects.
  4. Use a PoliciesApi object to add or update the policy on Workload Security.

Create an AntiMalwarePolicyExtension and set property values to configure the state, identify the malware scan configurations to use, and the schedule for real-time scans:

anti_malware_policy_config = api.AntiMalwarePolicyExtension()
anti_malware_policy_config.state = "on"
anti_malware_policy_config.real_time_scan_configuration_id = real_time_scan_config_id
anti_malware_policy_config.real_time_scan_schedule_id = schedule_id

Add the AntiMalwarePolicyExtension object to a Policy object, and then use a PoliciesApi object to modify a policy on Workload Security.

policy = api.Policy()
policy.anti_malware = anti_malware_policy_config

policies_api = api.PoliciesApi(api.ApiClient(configuration))
return policies_api.modify_policy(policy_id, policy, api_version)

The policy_id (or policyID) parameter of modifyPolicy identifies the actual policy on Workload Security that is to be modified. This policy is modified according to the policy object that is used as the policy parameter. Any properties of the policy parameter that are not set remain unchanged on the actual policy.

Example

The following example creates an AntiMalwarePolicyExtension object and uses it to turn on the Anti-Malware module, set the real-time scan configuration to use, and specify the scan schedule for real-time scans.

View source

# Create and configure the Anti-maware policy
anti_malware_policy_config = api.AntiMalwarePolicyExtension()
anti_malware_policy_config.state = "on"
anti_malware_policy_config.real_time_scan_configuration_id = real_time_scan_config_id
anti_malware_policy_config.real_time_scan_schedule_id = schedule_id

# Add the configuration to the policy
policy = api.Policy()
policy.anti_malware = anti_malware_policy_config

# Modify the policy on Workload Security
policies_api = api.PoliciesApi(api.ApiClient(configuration))
return policies_api.modify_policy(policy_id, policy, api_version)

Also see the Modify a Policy operation in the API Reference. For information about authenticating API calls, see Authenticate with Workload Security.

Create and modify malware scan configurations

Malware scan configurations determine how the Anti-Malware module performs scans to detect malware. A malware scan configuration can be used with multiple policies.

When designing malware scan behavior and implementing it using the API, use the background information and guidance that is provided in .

Use an AntiMalwareConfiguration object to configure a malware scan configuration. Set the property values according to the scan behavior that you require, such as the scan type, the files and directories to scan, and the actions to take when malware is detected.

To see all of the available properties of AntiMalwareConfiguration, expand the 200 response for the Describe an Anti-Malware Configuration operation in the API Reference.

General steps for creating malware scan configurations

To create a malware scan configuration, perform the following general steps:

  1. Create an AntiMalwareConfiguration object.
  2. Set the property values of the object. (See also Create and Modify Lists and Create and Configure Schedules.)
  3. Use an AntiMalwareConfigurationsApi object to update Workload Security.

For example, set the directories to exclude from the malware scan:

real_time_config = api.AntiMalwareConfiguration()
real_time_config.excluded_directory_list_id = dir_list_id

For information about creating a directory exclusion list, see Create and Modify Lists.

Use an AntiMalwareConfiugrationsApi object to modify or create a scan configuration on Workload Security:

am_configurations_api = api.AntiMalwareConfigurationsApi(api.ApiClient(configuration))
modified_am_config = am_configurations_api.modify_anti_malware(scan_config_id, real_time_config, api_version)

The scan_config_id (or scanConfigID) parameter of modifyAntiMalware identifies the actual malware scan configuration on Workload Security that is to be modified. This scan configuration is modified according to the AntiMalwareScanConfiguration object that is used as the real_time_config (or realtimeConfig) parameter. Any properties of the object that are not set remain unchanged on the actual malware scan configuration.

To create a malware scan configuration, use the createAntiMalware function or method of AntiMalwareConfugrationsApi.

Example malware scan configuration

The following example sets the directory exclusions for a malware scan configuration and modifies the scan configuration on Workload Security.

View source

# Create an anti-malware scan configuration
real_time_config = api.AntiMalwareConfiguration()

# Set the exclusion
real_time_config.excluded_directory_list_id = dir_list_id

# Modify the anti-malware scan configuration on Workload Security
am_configurations_api = api.AntiMalwareConfigurationsApi(api.ApiClient(configuration))
return am_configurations_api.modify_anti_malware(scan_config_id, real_time_config, api_version)

To use an HTTP client to interact with a malware scan configuration, use the /api/antimalwareconfigurations endpoint (see the Anti Malware Configurations operations in the API Reference).