Active Threat Sweep

Active Threat Sweep (ATS) will scan internal assets for malware and other threats on Windows-based systems. Additionally, it will identify assets that are in the gap (either not protected by anti-virus or using outdated anti-virus).

NOTE: You must have Active Threat Sweep service enabled on your account to use ATS. You can add Active Threat Sweep by selecting Accounts > Service Subscriptions from the navigation menu, or by contacting Fortra Technical Support.

The Threat Scanning service has two editions: Threat Scanning and Threat Scanning Lite. Threat Scanning Lite provides access to ATS scanning only, not Active View. This offering is currently part of several bundles offered by Fortra.

Configuration

There are two possible configuration methods for the utilization of ATS scans:

Select Scans > Scan Policies, and then select the policy entitled Threat Scan. The system scan is a simple process, but it requires the use of auto-add credentials.

  1. From the navigation menu, select Scan Settings > Scan Credentials and then go to Add Credential.
  2. Toggle Auto-Enabled to the ON position in the credential modal. This will automatically include these credentials in the scans using the Threat Scan system policy.

Add or modify a scan policy and enable Threat Scanning

  1. From the navigation menu, select Scans > Scan Policies. The Scan Policies page opens.
  2. To create or modify a policy, open the Credentials tab and then select Threat Scanning.

See related: Scanning

Additionally, ATS is set up to auto-submit unknown suspicious binaries for analysis by default.

To disable Threat Scanning

  1. From the navigation menu, select Scan Settings > Settings and then select the Scan Results tab.
  2. Toggle Threat Scanning Auto-Submit to OFF.

See related: Scanning

Once you select the system Threat Scan policy or modify a scan policy by enabling the Threat Scanning feature, you can run a scan.

See related: Create and Run Scans

View results

You can find Active Threat Sweep results on the following pages:

Results will indicate any active threats or missing or out-of-date anti-virus software on Windows-based systems.

FAQs

These frequently asked questions will help you with ATS scanning.

For Windows:

Generally, the easiest way for authenticated scans to run properly is to use a Windows account that is part of your domain administrators group in Active Directory (AD). This is because the account must have full administrative access to the asset being scanned. It also means full read / write access to the ADMIN$ and C$ shares. By default, members of the domain administrators group have this level of access.

We recommend you create a unique user in AD that is dedicated to only running authenticated scans. This user should then be added to the domain administrators group. We do not recommend you use an existing domain administrator account since customers may wish to track scanning activity and log in attempts. Additionally, some customers may prefer to disable the scanning account after their scans have completed and only have it enabled when scans are run.

  1. Log in to the primary domain controller that manages the domain where the assets to be scanned reside.
  2. Open the Active Directory Users and Computers MMC snap-in.
  3. Create a new user (for example, myfortrascanner) and set a password. Do not use control codes or other potential Unicode characters for the password as this may cause authentication issues.
  4. Select and then right-click the newly created user to open Properties.
  5. Under Properties, select Member Of.
  6. Select Add to add the user to the Domain Admins group, and then select OK to save the changes. Verify the new account works properly by testing whether or not you can log in to one of the assets to be scanned.

It is possible to run Windows authenticated scans without a Domain Administrator Account. To do so, a regular domain user account must be created and granted local administrator access on every Windows asset that is to be scanned. The local administrators on the asset must have permission to access the ADMIN$ and C$ shares. This approach to Windows authenticated scans is beneficial if you only have a select number of assets on which you want to run authenticated scans.

Yes, by entering the following command from a Windows machine against a target asset in PowerShell:

net use X: \\ip-address\C$ /USER:mydomain\myusername /PERSISTENT:no

Once the command has been executed successfully, you can verify the remote access to the drive by using Windows Explorer (Microsoft Edge). If the command succeeds, the credentials provided should be able to scan the asset’s IP address during a ATS scan.

You can add as many credentials as you need for each domain. When ATS launches your scan, the scanner intelligently determines which domain credentials it is required to authenticate to the asset being scanned.

If an invalid password is supplied in ATS for a valid domain account, the account ultimately will be locked out. Make sure the password is correctly entered. If you wish to confirm that your credentials are valid and working properly, you can set up and run an authenticated scan against a single asset in your domain to see if the scanner is able to authenticate successfully.

ATS incorporates a proprietary distributed GPG key pair technology that encrypts user-scanning credentials upon entry with RSA 2,048-bit public-key technology. Once encrypted, credentials can only be decrypted by the corresponding private key of the customer’s scanning appliances (ATS only stores the public key). This ensures any sensitive credential sets are limited in scope to the customer devices they apply to.

In summary, Fortra cannot see or alter your credentials, and what you enter into ATS exists only as an encrypted block of data.

ATS utilizes a proprietary dissolvable scanning agent for Windows-authenticated scans. The dissolvable agent is a small win32 PE file that is deployed to the Windows directory and launched via a service created and immediately removed. This is the standard method of remotely executing a program on a Windows asset.

The dissolvable agent allows ATS to gather asset-specific details such as installed software and other environment details. The agent communicates with the scanner via RPC over SMB to avoid having to allow any ports through the asset firewall. All collected details that are reported back to the scanner are encrypted before being transmitted. At the conclusion of the asset scan, the agent automatically removes itself (aka dissolves) from the system. Observing Windows logs relating to service creation and deletion are normal and should be expected during an authenticated scan.