A recent addition to the Patchman product portfolio, Patchman CLEAN is the name of the dynamic malware removal capabilities added on top of Patchman's standard signature-based malware removal.
On the detection end, Patchman CLEAN uses more advanced scanning that does not just match full-file signatures but also detects malware based on matched patterns, making it more effective at finding polymorphic or injected malware, even inside otherwise legitimate files.
On the remediation end, Patchman CLEAN adds new functionality capable of safely and automatically excising malicious code from legitimate files without compromising their functionality. As with all Patchman mechanisms, automated behaviour is fully configurable through policies.
How do I gain access to Patchman CLEAN?
Patchman CLEAN is part of the Patchman COVERAGE+ package, available through traditional upgrade paths. In order to enable it, you can navigate to the billing section of your Patchman Portal account, and choose the 'Change' option next to your current plan. This will show you an overview of available plans you can switch to.
If you are on a plan that supports an upgrade to Patchman COVERAGE+ (from CORE or COVERAGE respectively), you can select the plan here and upgrade.
How do I enable Patchman CLEAN?
Once you've gained access to a plan that supports the Patchman CLEAN functionality, you are able to configure the option in a number of ways. The first is determining cleaning behaviour and (optional) messaging to end-users within the policy. In order to do this, you can navigate to the policy page (https://portal.patchman.co/policies) and select the policy for which you'd like to configure CLEAN. You can then scroll down to the Patchman CLEAN section:
This shows various options, and will be familiar if you've used policies before. Essentially, after ticking 'Enable dynamic malware scanning' to activate the feature for the selected policy, you can configure when actions are scheduled (for reminders and cleans), whether they should trigger a notification to the end-user to which the detections apply, and if so, which e-mail template should be used. As with other sections, the e-mail templates are fully customisable.
The option 'Allow manual clean actions', if enabled, allows an end-user to manually trigger Patchman CLEAN actions from within their detection overview (if made available to them via End user login). When disabled, cleans are only triggered automatically.
Additional configuration options
Because the more comprehensive file scanning added with Patchman CLEAN introduces a greater performance impact (see also: What are the minimal requirements for running Patchman?), additional configuration options have been added to allow more control over scanning behaviour. These can be found in the server group settings.
Dynamic File Scanning:
This setting allows you to determine scanning behaviour. Dynamic scans, in this context, refer to Patchman CLEAN's pattern based scanning functionality. Available options include:
During every scan, scan every file dynamically
During every scan, dynamically scan files that have changed since the last dynamic scan
Only when the scan is in the configurable interval, scan every file dynamically
Scan every file dynamically when the scan is in the configurable interval, during all other scans only dynamically scan files that have changed since the last dynamic scan
Never perform dynamic scanning
If you select an option that includes the 'configurable interval', a further section appears below the drop-down that allows you to select which daily scans are part of the interval. This allows you to restrict dynamic scans to certain days, for example if you only wish to do a dynamic scan once or twice weekly:
When using the option to only scan changed files, bear in mind that this interacts poorly with new malware detection definitions being added to Patchman CLEAN over time: a file that has already been dynamically scanned will not be scanned again with the new definitions unless it changes, so malware in an unchanged file that only the newer definitions would catch stays undetected until the next full dynamic scan.
In addition to setting behaviour surrounding dynamic scanning, you can also configure throttling to ensure that the more rigorous dynamic scans are cut short if exceeding certain conditions.
Three options are provided:
These options allow you to:
Throttle dynamic scanning by reverting to dynamically scanning changed files only after scanning for X hours.
Disable dynamic malware scanning and fall back to traditional scanning only after Y hours.
Abort all scans after Z hours.
This allows for control over the scanning cycles and their runtime.
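To make the interaction between the Dynamic File Scanning modes above, the 'changed files only' caveat, and the three throttle limits concrete, here is a small simulation of those semantics. This is an added illustration and not Patchman's own code: the mode names, the scan_kind() and throttled_mode() decision functions, the per-file time costs and the sample files are all assumptions chosen to mirror the documented options.

```python
"""Simulation of the documented Patchman CLEAN scan-mode and throttle semantics.
Added example, not Patchman's code: enum names, decision functions, time costs
and sample files are assumptions that mirror the options described in the text."""
from dataclasses import dataclass
from enum import Enum


class DynamicMode(Enum):
    EVERY_FILE_EVERY_SCAN = "every file, every scan"
    CHANGED_ONLY = "changed files only"
    EVERY_FILE_IN_INTERVAL = "every file, only on interval days"
    EVERY_FILE_IN_INTERVAL_ELSE_CHANGED = "every file on interval days, changed files otherwise"
    NEVER = "never"


class ScanKind(Enum):
    DYNAMIC = "dynamic (pattern based) scan"
    SIGNATURE = "traditional signature scan only"


@dataclass
class ScannedFile:
    path: str
    mtime: float              # last modification time (constructed sample value)
    last_dynamic_scan: float  # when this file was last dynamically scanned; 0.0 = never


def throttled_mode(mode, elapsed_hours, x, y, z):
    """Apply the three throttle limits in order of severity:
    after Z hours abort the scan (returns None), after Y hours fall back to
    signature scanning only, after X hours revert to changed-files-only."""
    if elapsed_hours >= z:
        return None
    if elapsed_hours >= y:
        return DynamicMode.NEVER
    if elapsed_hours >= x and mode is not DynamicMode.NEVER:
        return DynamicMode.CHANGED_ONLY
    return mode


def scan_kind(f, mode, in_interval):
    """Decide how one file is scanned under a mode; `in_interval` says whether
    today's scan is one of the days selected for the configurable interval."""
    if mode is DynamicMode.NEVER:
        return ScanKind.SIGNATURE
    if mode is DynamicMode.EVERY_FILE_EVERY_SCAN:
        return ScanKind.DYNAMIC
    # "Changed" means modified since this file's last dynamic scan. Note the caveat:
    # an unchanged file is not re-scanned even if newer definitions have arrived.
    changed = f.mtime > f.last_dynamic_scan
    if mode is DynamicMode.CHANGED_ONLY:
        return ScanKind.DYNAMIC if changed else ScanKind.SIGNATURE
    if mode is DynamicMode.EVERY_FILE_IN_INTERVAL:
        return ScanKind.DYNAMIC if in_interval else ScanKind.SIGNATURE
    # EVERY_FILE_IN_INTERVAL_ELSE_CHANGED
    return ScanKind.DYNAMIC if (in_interval or changed) else ScanKind.SIGNATURE


def run_scan(files, mode, in_interval, limits, cost=(1.0, 0.1)):
    """Simulate one scan cycle. `limits` is (X, Y, Z) in hours; `cost` is the assumed
    time in hours per dynamic and per signature scan. Returns the per-file decisions
    and whether the cycle was aborted by the Z limit."""
    x, y, z = limits
    dyn_cost, sig_cost = cost
    elapsed = 0.0
    results = []
    for f in files:
        effective = throttled_mode(mode, elapsed, x, y, z)
        if effective is None:
            return results, True
        kind = scan_kind(f, effective, in_interval)
        results.append((f.path, kind))
        elapsed += dyn_cost if kind is ScanKind.DYNAMIC else sig_cost
    return results, False


if __name__ == "__main__":
    # Constructed sample: one unchanged file, one changed, one never dynamically scanned.
    sample = [
        ScannedFile("index.php", mtime=100.0, last_dynamic_scan=200.0),
        ScannedFile("upload.php", mtime=300.0, last_dynamic_scan=200.0),
        ScannedFile("old.js", mtime=50.0, last_dynamic_scan=0.0),
    ]
    for path, kind in run_scan(sample, DynamicMode.CHANGED_ONLY, False, (2, 3, 4))[0]:
        print(f"{path}: {kind.value}")
```

Running the module shows that in 'changed files only' mode index.php gets only a signature scan because it has not changed since its last dynamic scan, which is exactly the situation the caveat about new definitions describes; run_scan() also shows a long cycle degrading step by step from full dynamic scanning to changed-only, then signature-only, and finally aborting once the Z limit is hit.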
Maximum file size
Additionally, the scanning limits offer a maximum file size setting, allowing you to determine the cut-off above which large files are not scanned: