9.11 Operation procedure of malware infection device control by Microsoft Intune linkage
If you use Microsoft Intune as your MDM system, install the Agent on managed devices, and manage those devices in both Microsoft Intune and JP1/IT Desktop Management 2 - Manager, the anti-virus product (Microsoft Defender) can disable malware when it enters the device or when it acts on the device. If a device is infected with malware, the damage may spread outside.
When the network connection blocking setting of malware-infected device control is enabled, a device on which malware is detected is automatically blocked from the network about 15 to 30 minutes after detection (the time depends on the environment), which suppresses the spread of damage outside. After the user takes measures against the malware on the blocked device and confirms that no threat remains, the administrator releases the network connection block.
Anti-virus products (Microsoft Defender) may mistakenly detect information that is not malware as malware. In this case, a device that is not infected may still be blocked from the network, which may interfere with business. For detected malware, you can also submit a sample to Microsoft for malware analysis.
If you disable the network connection blocking setting, the network connection is not blocked automatically when malware is detected incorrectly, so there is no impact on operations. However, in the event of a real malware infection the administrator must block the network connection manually, which increases the administrator's burden, and if it takes a long time to block the network connection, the malware damage may spread. The event output when malware is detected includes the malware name, severity, category, URL information, and so on. Use this information to decide whether to block the network connection.
To minimize the damage caused by the spread of malware infection, we recommend that you enable the network connection blocking setting and automatically block the network connection.
Steps for automatic network connection blocking
- Configure network connection control settings.
  For details, see 8.1 Enabling the network monitor.
- Configure event notification settings or link events with JP1/IM so that events with event numbers 1188 and 1190 are notified.
  This setting allows administrators to be notified when malware infection is detected (1188) or when a network connection is blocked (1190). When events are linked with JP1/IM, they are output to JP1/IM as JP1 events.
  For details on configuring event notifications, see 15.7.1 Specifying settings for event notification. For linking events with JP1/IM, see the explanation of building a JP1/IM linkage configuration system in the manual JP1/IT Desktop Management 2 Configuration Guide and the JP1/IM manuals.
- Install the Agent on the device. Also, make this device managed by Microsoft Intune and import the device information into JP1/IT Desktop Management 2 - Manager.
- Register the device with Microsoft Intune, and then configure the connection settings for Microsoft Intune in the MDM linkage settings window. In addition, configure the following settings in the MDM server information settings window:
  - Enable Control of Malware-Infected Devices: Checked
  - Block the network connection of the device if malware infection is detected: Checked
- When a malware-infected device is detected, the network connection of the infected device is automatically blocked.
  The user takes action against the malware and runs a virus scan to confirm that the device is safe, and then contacts the administrator.
- After receiving the contact from the user, the administrator releases the network connection block from the management window or with the network control command.
  If you also block the network connection of devices that violate the security policy, check the security judgment results before deciding whether to release the block. If you set the filter "Event number = 1190" in the event window, you can identify the devices that were automatically blocked.
Steps for manual network connection blocking
- Configure network connection control settings.
  For details, see 8.1 Enabling the network monitor.
- Configure event notification settings or link events with JP1/IM so that events with event number 1188 are notified.
  This setting allows administrators to be notified when malware infection is detected. When events are linked with JP1/IM, they are output to JP1/IM as JP1 events.
  For details on configuring event notifications, see 15.7.1 Specifying settings for event notification. For linking events with JP1/IM, see the explanation of building a JP1/IM linkage configuration system in the manual JP1/IT Desktop Management 2 Configuration Guide and the JP1/IM manuals.
- Install the Agent on the device. Also, make this device managed by Microsoft Intune and import the device information into JP1/IT Desktop Management 2 - Manager.
- Register the device with Microsoft Intune, and then configure the connection settings for Microsoft Intune in the MDM linkage settings window. In addition, configure the following settings in the MDM server information settings window:
  - Enable Control of Malware-Infected Devices: Checked
  - Block the network connection of the device if malware infection is detected: Not checked
- When a malware-infected device is detected, an event with event number 1188 is output.
  Event notification or event linkage with JP1/IM notifies the administrator of the event.
- The administrator checks the event and blocks the network connection of the target device from the management window or with the network control command.
  The user takes action against the malware and runs a virus scan to confirm that the device is safe, and then contacts the administrator.
- After receiving the contact from the user, the administrator releases the network connection block from the management window or with the network control command.
  If you also block the network connection of devices that violate the security policy, check the security judgment results before deciding whether to release the block.
Steps to recover from a malware false detection
The anti-virus product may mistakenly detect information that is not malware as malware. If automatic blocking of malware-infected devices is enabled, the network connection may be blocked automatically because of such a false detection.
If you determine that the detection is a false malware detection, use the management window or the network connection control command to release the network connection block of the affected device, and then respond to the false detection in the Microsoft Defender for Endpoint management window.
If many devices have been blocked from the network because of a false malware detection, download the network connection availability information for automatic blocking recovery from the operation menu of the network control list settings window, and then import it from the operation menu of the same window to restore the network connections. The downloaded file is compressed in ZIP format. After extraction, the network connection availability information file is named in the format "malware-ID-network-connection-blocking-date-and-time.csv". Look up event 1188 in the event window and import the CSV file whose file name carries the malware ID output in the event's detailed information.
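As an added example (not part of this manual or of the product), the following Python selects which extracted recovery files to import once the administrator has judged particular malware IDs to be false detections, and skips files whose name does not fit the expected layout. It assumes the extracted file is named "<malware-ID>-<YYYYMMDDhhmmss>.csv", that 1188 event records expose the malware ID in a field called malware_id, and it works on constructed sample events and file names.

```python
import re
from datetime import datetime

# Assumed name layout of an extracted recovery file: "<malware-ID>-<YYYYMMDDhhmmss>.csv".
RECOVERY_FILE = re.compile(r"^(?P<malware_id>.+)-(?P<blocked_at>\d{14})\.csv$")

# Constructed sample of event records; the "malware_id" field name is an assumption.
SAMPLE_EVENTS = [
    {"event_number": 1188, "device": "PC-0101", "malware_id": "MW-0001",
     "malware_name": "EICAR-Test-File", "severity": "Low"},
    {"event_number": 1188, "device": "PC-0102", "malware_id": "MW-0002",
     "malware_name": "Trojan:Win32/Sample", "severity": "Severe"},
    {"event_number": 1190, "device": "PC-0101"},  # blocking event, carries no malware ID
]

# Constructed list of extracted file names, including ones that must be ignored.
SAMPLE_FILES = [
    "MW-0001-20240501103015.csv",
    "MW-0002-20240501103120.csv",
    "notes.txt",                   # not a recovery file
    "MW-0003-2024050110.csv",      # date-time too short
    "MW-0004-20241399000000.csv",  # month 13 is not a valid date
]

def parse_recovery_file(name):
    """Return (malware_id, blocking datetime), or None if the name does not fit the layout."""
    m = RECOVERY_FILE.match(name)
    if not m:
        return None
    try:
        blocked_at = datetime.strptime(m.group("blocked_at"), "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return m.group("malware_id"), blocked_at

def malware_ids_from_events(events):
    """Malware IDs from 1188 records only; 1190 records do not identify the malware."""
    return {e["malware_id"] for e in events
            if e.get("event_number") == 1188 and "malware_id" in e}

def files_to_import(events, filenames, false_detection_ids):
    """Recovery files whose malware ID appears in a 1188 event and was judged a false detection."""
    known = malware_ids_from_events(events)
    chosen = [name for name in filenames
              if (parsed := parse_recovery_file(name))
              and parsed[0] in known and parsed[0] in false_detection_ids]
    return sorted(chosen)
```

Only files that match both a 1188 event and the administrator's false-detection list are returned, so a malformed file name or an ID that never appeared in an event is never imported by mistake.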