Malware

IBM® MaaS360® Threat Management Solution protects devices by detecting and remediating malware infections on compromised devices.

Malware is malicious software that is designed to gain unauthorized access to, or misuse, a device or network. Attackers use malware for various purposes, such as stealing sensitive information, gaining access to corporate data, and taking control of devices. When users remove the device manufacturer's security restrictions by jailbreaking or rooting, the devices become more vulnerable to malware attacks. In addition, third-party apps that are installed through unauthorized app stores can introduce malware on devices.

MaaS360 monitors devices to identify jailbroken devices and malware-infected devices in your organization. When malware is detected, MaaS360 notifies users about the potential threat or blocks affected devices from accessing corporate resources.

Supported devices
  • Android
  • iOS

Deploying endpoint security policies

Policy configuration

Configure and push EPS policies to detect malware infections and to initiate remediation actions on the devices where infections are detected.

Follow these steps to configure Device Security settings.

  1. From the IBM MaaS360 Portal home page, go to Security > Policies.
  2. Open an EPS policy and click Device Security.
  3. Click Edit.
  4. Configure the following settings.
    Track devices with malware
    Description: If this setting is turned on, MaaS360 enables Device Security on devices.
    Supported OS: iOS, Android

    Remediation action for malware
    Description: Select one of the following actions:
    • Notify user sends a notification to the user about the malware.
    • Block corporate access blocks access to corporate data in the secure container until the malware is cleared from the device.
    Supported OS: Android

    Exempt System Applications
    Description: If this setting is turned on, all system apps are automatically exempted from scanning for malware detection.
    Supported OS: Android

    Exempted Applications
    Description: The list of managed apps that are exempted from scanning for malware detection.
    Supported OS: Android

Policy assignments

Assign endpoint security policies to a device, user, device group, or user group from the corresponding workflows. For more information about policy assignments, see Configuring endpoint security policies.

Configuring risk rules

When a malware infection is detected, MaaS360 creates a risk incident and then validates that risk incident against the risk rule to calculate the severity and risk score for devices and users. By default, the risk rule for malware detection is enabled in the MaaS360 portal. You can use the Risk Rule Configurator to disable the risk rule or adjust the severity.

Note: This risk rule applies to Android devices only.

Follow these steps to configure risk rules for malware detection.
  1. From the IBM MaaS360 Portal home page, go to Security > Security Management > Risk Rule Configurator.
  2. Configure the following settings.
    Risk rule: Trusteer Malware Detected
    Condition: Define the severity of the malware infections.
    Default condition: If Trusteer® Malware Detected = True, then the severity is high.
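The following Python script is an added example, not MaaS360 code, that simulates how the Device Security settings above (tracking, remediation action, system-app exemption, exempted app list) and the Trusteer Malware Detected risk rule combine for one Android device. The package names, the remediation and severity strings, and the incident structure are assumptions made for the simulation; the documented behavior is only the decision flow: exempted apps are skipped, an enabled rule turns a detection into an incident with the configured severity, and the remediation action applies only when something was detected.

```python
# Added example (not MaaS360 code): simulate the documented Device Security
# policy settings and the "Trusteer Malware Detected" risk rule to show how
# exemptions, the remediation action and the rule's severity interact.
# Package names, action/severity strings and the incident dict are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set

NOTIFY_USER = "notify_user"
BLOCK_CORPORATE_ACCESS = "block_corporate_access"


@dataclass
class DeviceSecurityPolicy:
    track_malware: bool = True                 # "Track devices with malware"
    remediation: str = NOTIFY_USER             # "Remediation action for malware"
    exempt_system_apps: bool = False           # "Exempt System Applications"
    exempted_apps: Set[str] = field(default_factory=set)  # "Exempted Applications"


@dataclass
class InstalledApp:
    package: str
    is_system: bool
    flagged: bool   # flagged as malware by the on-device scan (constructed input)


@dataclass
class RiskRule:
    name: str = "Trusteer Malware Detected"
    enabled: bool = True     # enabled by default; can be disabled in the configurator
    severity: str = "high"   # default condition: Malware Detected = True -> high


def scan_device(policy: DeviceSecurityPolicy, apps: List[InstalledApp]) -> List[str]:
    """Return the packages that count as malware detections under the policy.

    Apps on the exemption list and, when the setting is on, all system apps
    are skipped, so a broad exemption can hide a real infection from the scan."""
    if not policy.track_malware:
        return []
    hits = []
    for app in apps:
        if app.package in policy.exempted_apps:
            continue
        if policy.exempt_system_apps and app.is_system:
            continue
        if app.flagged:
            hits.append(app.package)
    return hits


def remediate(policy: DeviceSecurityPolicy, detections: List[str]) -> Optional[str]:
    """The device-side response (notify or block) applies only when malware was detected."""
    if not detections:
        return None
    return policy.remediation


def risk_incident(rule: RiskRule, detections: List[str]) -> Optional[dict]:
    """Create a risk incident only if the rule is enabled and malware was detected."""
    if not rule.enabled or not detections:
        return None
    return {"rule": rule.name, "severity": rule.severity, "apps": sorted(detections)}


# Constructed sample inventory for one Android device (hypothetical packages).
SAMPLE_APPS = [
    InstalledApp("com.android.settings", is_system=True, flagged=False),
    InstalledApp("com.example.flashlight", is_system=False, flagged=True),
    InstalledApp("com.example.preloaded", is_system=True, flagged=True),
]


def run_scenarios() -> dict:
    """Evaluate a strict policy and an over-broad exemption policy on the same device."""
    strict = DeviceSecurityPolicy(remediation=BLOCK_CORPORATE_ACCESS)
    broad = DeviceSecurityPolicy(exempt_system_apps=True,
                                 exempted_apps={"com.example.flashlight"})
    rule = RiskRule()
    results = {}
    for label, policy in (("strict", strict), ("broad_exemptions", broad)):
        hits = scan_device(policy, SAMPLE_APPS)
        results[label] = {
            "detections": hits,
            "remediation": remediate(policy, hits),
            "incident": risk_incident(rule, hits),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(label, outcome)
```

Running the script shows the point a practitioner should check before pushing a policy: the strict policy raises a high-severity incident and blocks corporate access for both flagged apps, while the policy that exempts system apps and lists the flagged app as exempted reports nothing at all, even though the same malware is present.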

What happens when malware infections are detected on the device?

When EPS policies are applied to devices, MaaS360 activates Device Security and then monitors devices for malware infections. MaaS360 supports the following detection and response capabilities for malware.
  • The security status of the device is updated in the Security app.
  • A security alert is generated for users on their devices in real time.
  • Access to corporate resources is blocked in the MaaS360 container until the user clears the malware infection from the device.

Tracking malware incidents on the Security Dashboard

Devices report all malware incidents to the MaaS360 portal in real time. If those malware incidents meet the risk rule criteria set by the administrators, MaaS360 generates a risk incident in the dashboard.

Follow these steps to track security violations and incidents on the Security Dashboard.
  1. Go to Security > Security Dashboard.
  2. In the Top risk incidents widget, click the numbered link under Affected devices.

    The affected devices are listed with their details.

  3. Click the username. The User Summary page displays all risk incidents against the affected device.
  4. Click Malware detected to view more details about that risk incident.

For more information about other common widgets on the Security Dashboard, see Tracking security events on the Security Dashboard.