Configuring the Avert Library Item

By Emalee Firestein

Learn how to configure and deploy the Avert Library Item.

The Endpoint Detection & Response add-on is required to use this Library Item.

Add an Avert Library Item to your Library

  1. In the left-hand navigation bar, navigate to Library.
  2. In the upper right corner, click the "Add new" button.
  3. Scroll to Endpoint Security and select Avert.
  4. Click the Add & Configure button.
  5. Give the Avert Library Item a Title. Use the title to differentiate this Library Item from other Avert Library Items.
  6. Assign this Library Item to Blueprints containing devices you would like to target.

Configure General Settings

Configure the individual Malware and PUP posture mode preferences for your environment.

  1. Specify the desired posture setting for Malware.
  2. Specify the desired posture setting for PUP.

Detect mode will scan and report known malicious items. Protect mode will scan, report and automatically quarantine known malicious items.

User Alerts

When turned on, user alerts will notify end users when EDR has quarantined Malware or PUPs on their Mac computers. User alerts are turned on by default but can be turned off to suit certain workflows.

  1. Click the toggle switch next to Notify Users to turn user alerts on or off.

Configure Allow and Block lists

Allow and Block lists can be used to ensure that specific files or applications are always allowed or blocked in your environment regardless of whether or not a file or application is known to be malicious in Kandji Avert's threat feeds.

Block items are considered Malware and require the Malware posture to be in Protect mode to be blocked on the device.

  1. Click the "Add item" button.
  2. Give the item a Name.
  3. Specify the item type Hash or Path for the file or application.
  4. If Path was selected, enter the application or file path. If Hash was selected, enter the file hash.
  5. Select Allow to allow a file or application. Select Block to block the file or application.
  6. Click Add to add the item to the Allow and Block list. Optionally, select the "Add another item" checkbox in the lower-left corner prior to clicking the Add button to add additional items.
  7. Click the Save button to save the Avert Library Item.

Determine Hash Value

The Hash item type is only supported for files. The Path item type is supported for both files and applications.

The following command can be used in Terminal to determine the SHA256 hash value of a file.

shasum -a 256 /path/to/file

View Edit Details in the Avert Library Item

You can audit changes to the Avert Library Item in the Activity tab of the Library Item, or the Global Activity section of the Kandji Web App. This will show what configurations were changed, what the previous state was, and who made the change.

  1. Click on Activity in your Avert Library Item, or in the left navigation menu.
  2. Select the disclosure triangle next to Library Item Edited for the entry you'd like to review.

Next Steps

Please see the Endpoint Detection & Response - Testing Malware Detection support article to see EDR in action.