Anti-virus – features and settings and how it works

This article provides information about the features and settings of the Junos Pulse MSS anti-virus and how it works.

Junos Pulse on Android has two separate scanning engines; the following provides a brief background:

When the first Android client was built, we attempted to port the legacy scanning engine over to Android. The legacy engine is the engine that just does binary comparisons of signatures against files on the device. This is how all anti-virus programs work, unless they say they are doing heuristic or behavioral analysis.

It was determined that the legacy engine could not interact with installed applications. This is because the Android security model says that one application cannot interact with or affect another application unless it does so through a system API. Basically, the Junos Pulse application runs as a regular user on the device. Other installed applications also run as a regular user on the same device.

As a regular user, you cannot touch other users. Only administrators can touch other users; so you have to ask an administrator to touch the other users. That basically meant that the only thing the legacy engine could scan was the SD card.

We left that engine in the Android client, as it is still useful for detecting malicious packages on an SD card that may be waiting to be installed, or for the case where the SD card is moved from one device to another and is auto-run to install the malicious app on the other device. We still want users to know that it is on there. However, on Android this engine can only scan the SD card.

To scan installed applications in Android, we had to ask the system to query the other applications for information that we could use to determine whether or not they are malicious. This is where the manifest.xml file comes in. When an application is first installed, it basically has to send the manifest.xml to the Android package manager. The package manager then keeps a record of everything in the manifest for each application. We can ask the package manager about the information that was sent in on a manifest.xml file.

So, we had to write an engine that allows us to identify the characteristics in the manifest that isolate a malicious application. We wrote signatures or rules around those things, and when we scan with that engine, we are not actually scanning the installed applications; we are simply querying the package manager for matches.

It is the only way to do it. But it also gives us the ability to do heuristic detection, where we can group certain manifest characteristics together to form a single rule. And that is what we have done for some spyware applications.

On all other platforms, we do not have the same restrictions and the legacy engine actually scans the file system for matches, just like a PC anti-virus.
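
The grouping of manifest characteristics into a single rule, described above, can be sketched as follows. This is an added example, not Junos Pulse code: the rule format, rule IDs and package records are constructed for illustration, and the records stand in for what the Android package manager would return for each installed application.

```python
from dataclasses import dataclass

BOOT = "android.intent.action.BOOT_COMPLETED"

def perms(*names):
    return frozenset("android.permission." + n for n in names)

@dataclass(frozen=True)
class PackageRecord:  # manifest-derived facts about one installed app
    name: str
    permissions: frozenset
    receiver_actions: frozenset = frozenset()
    has_launcher_activity: bool = True

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule format: every populated condition must hold (AND)."""
    rule_id: str
    package_names: frozenset = frozenset()     # exact-name signature
    all_permissions: frozenset = frozenset()   # every one must be requested
    any_permissions: frozenset = frozenset()   # at least one must be requested
    receiver_actions: frozenset = frozenset()  # every action must be registered
    require_hidden: bool = False               # app has no launcher icon

    def matches(self, pkg):
        if not any((self.package_names, self.all_permissions, self.any_permissions,
                    self.receiver_actions, self.require_hidden)):
            return False  # an empty rule must not flag every package
        return ((not self.package_names or pkg.name in self.package_names)
                and self.all_permissions <= pkg.permissions
                and (not self.any_permissions or bool(self.any_permissions & pkg.permissions))
                and self.receiver_actions <= pkg.receiver_actions
                and (not self.require_hidden or not pkg.has_launcher_activity))

def scan(packages, rules):  # -> {package name: [matching rule ids]}
    return {p.name: ids for p in packages
            if (ids := [r.rule_id for r in rules if r.matches(p)])}

# Constructed rules and package records; none describe a real app or vendor rule.
RULES = [
    Rule("SIG-EXAMPLE-1", package_names=frozenset({"com.example.badinstaller"})),
    Rule("HEUR-SPY-EXAMPLE-1", receiver_actions=frozenset({BOOT}), require_hidden=True,
         all_permissions=perms("READ_SMS", "ACCESS_FINE_LOCATION", "INTERNET"),
         any_permissions=perms("RECORD_AUDIO", "READ_CONTACTS")),
]
SPY = perms("READ_SMS", "ACCESS_FINE_LOCATION", "INTERNET", "READ_CONTACTS")
INSTALLED = [
    PackageRecord("com.example.messenger", SPY, frozenset({BOOT})),  # has an icon
    PackageRecord("com.example.sysservice", SPY, frozenset({BOOT}), False),
    PackageRecord("com.example.badinstaller", perms("INTERNET")),
]
```

The messenger record requests the same permissions as the flagged package but has a launcher icon, so the grouped rule does not fire on it; only the full combination of characteristics produces a match.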

The Pulse Mobile Security Suite provides the following features:

Anti-virus: Devices are protected by real-time anti-virus and malware protection with automatic updates (non-iOS devices only). You can scan files across network connections, perform on-demand scans, and provide virus and malware detection alerts. Note that users can enable the following options on Android devices:

  • Scan Memory Card on Insert: The memory card is scanned when it is first installed (if the power is on) and not when files are added.
  • Scan application on install: Applications are scanned for malware during installation. If the administrator defines any prohibited applications, scanning occurs during installation even if this feature is disabled.
  • Android malware detection: Android devices receive signatures to detect both malware and suspicious applications; you can define a list of prohibited applications. Depending on the device type, malware and prohibited applications are deleted automatically or the user is prompted periodically to perform the deletion.

Default Anti-virus Settings:

  • Active: Displays the anti-virus application on the device (non-iOS devices only). Clear the check box to hide the application.
  • Disable Handset Modifications: Prevents users from changing the anti-virus settings on the device. The commands to enable or disable file scanning are not persistent. During periodic synchronizations with the gateway, the gateway settings override the settings on the device. Clear the check box to allow the device settings to override the gateway settings during synchronization.
  • Update Schedule: Select how often the device settings on the gateway, including virus definitions, are synchronized with the settings on non-iOS devices. Select never to disable synchronization with the gateway. If users change the update schedule on the device, it is reset during the next synchronization.
  • Scan Memory Card: Enables periodic scans of the device’s secure digital (SD) memory card.
  • Scan Files: Enables periodic scans of the device’s files.
  • Android Malware Scan Interval: Enter the number of hours (1 to 72) or minutes (1 to 999) between scans for malware on Android devices. To disable malware scanning, enter zero.

About the author

Prasanna