On-Demand Scanning
On-Demand Scanning lets you manually run antivirus scans on your assets at any time. It works alongside NGAV's real-time (on-access) protection, letting you explicitly scan a system for known malware instead of waiting for files to be accessed. If threats are detected, high-priority alerts are sent to SIEM (InsightIDR) for investigation.
Key Capabilities
With On-Demand Scan, you can:
- Run scans on all operating systems across your entire organization, or target specific prevention groups or assets.
- Decide how to handle detections: Disinfect or Detection Only.
- Track on-demand scan progress in real time and review scan statistics (such as success or failure) for up to 5 days. Alerts generated by these scans remain available in SIEM (InsightIDR) beyond that period.
- Send all detections to SIEM (InsightIDR) for investigation.
Requirements
- Rapid7 Agent version 4.0.19 or later
- Next-Generation Antivirus version:
  - Windows: NGAV 2.0 or later
  - Linux/Mac: NGAV 3.0 or later
- On-Demand Scan must be turned on in Security Settings.
- On-Access Scanning (Antivirus) must be enabled. Disabling On-Access NGAV turns off all antivirus functionality, including both real-time protection and on-demand scans. If a user attempts to run an on-demand scan while this feature is off, the scan will fail.
  - On-Access Scanning can be enabled or disabled in the group-specific settings.
  - When a Prevention Group is selected, the option is available on the Prevention Policy page under On-Access Scanning (Antivirus).
Scan Types
To help you detect and respond to threats effectively, On-Demand Scan offers two types of scans: Quick Scan and Full Scan.
- Quick Scan: This option targets the most common areas where malware is known to operate without scanning your entire system. Quick Scan is ideal for spot-checking suspicious activity or running between regular Full Scans.
- Full Scan: In addition to the areas covered by Quick Scan, this scan checks all files and drives, offering maximum visibility into hidden or dormant threats. Full Scan is more thorough but takes significantly longer than Quick Scan. Scan time varies depending on the size of your drives and number of files.
Quick Scan vs Full Scan Coverage
Here’s a side-by-side comparison to help you decide which scan type best fits your needs.
| Feature | Quick Scan | Full Scan |
|---|---|---|
| Best for | Fast check for active threats, spot-checking suspicious activity, or running between regular Full Scans. | Comprehensive assessment of your system. Best for maximum assurance that your device is free of threats. |
| Scan areas included | Running processes and programs in memory; system startup items (boot sectors and registry keys on Windows, autorun items on Linux/macOS); common hiding spots for spyware, adware, dialers, potentially unwanted applications (PUAs), packed files and malware loaders; key system directories (Linux/macOS: /etc, /lib); light rootkit detection (Linux/macOS) | Everything in Quick Scan, plus: all running processes and memory; boot sectors and system registry keys; entire system drives and directories (all drives); smart scanning to prioritize high-risk areas; detection for spyware, adware, dialers and PUAs, keyloggers and suspicious applications, cookies and packed files, and rootkits (full rootkit scan on Linux/macOS) |
| Not included | Entire drives and file systems; archived files and cookies; network drives and offline files; full rootkit scan (Linux/macOS); items identified in exclusion rules | Network drives; offline files; items identified in exclusion rules |
| Typical duration | Short (minutes) | Long (varies by drive size and number of files) |
| External drives | Not scanned | Not scanned |
| Best practice | Use for rapid checks between full scans. | Include full scans as part of your regular security routine for complete coverage. |
Manage On-Demand Scan in Security Settings
- Go to Data Connectors > Agents.
- Select the Endpoint Prevention tab and click Settings.
- In the On-Demand Scan section, click Edit.
- Use the toggle to turn the feature on or off.
Turning off On-Demand Scanning immediately stops all active scans. Turning it back on does not restart any scans that were previously stopped. If you turn On-Demand Scan off, you must wait at least 5 minutes before turning it on again.
Run a Scan
When you run an On-Demand Scan, it uses the same global exclusion list as the On-Access scanning engine. Any items covered by these exclusions are skipped. To exclude a file or folder, add it to the global exclusion list.
- Go to Data Connectors > Agents > Endpoint Prevention > On-Demand.
- Click Run Scan.
- Choose the scan scope:
  - Entire organization
  - Selected prevention groups
  - Selected assets
- Choose the scan type: Quick Scan or Full Scan.
- Choose the scan action:
  - Disinfect: Removes threats and sends alerts to SIEM (InsightIDR).
  - Detection Only: Identifies threats without taking action.
- Click Run Scan.
Note: On-Demand Scan Timeouts
An On-Demand scan begins as soon as it is initiated. The task allows a 30-minute window for all targeted online assets to start scanning. If an asset doesn't begin scanning within the 30-minute window (for example, because it went offline), the scan times out and its status shows as Failed.
After Your Scan
By default, detections generate high-priority alerts in SIEM (InsightIDR) where they can be triaged and investigated. After your scan completes, review alerts in SIEM (InsightIDR).
Alerts generated by on-demand scans:
- Are labeled as Endpoint Detection - On-Demand Scanning Detected Malware
- Cannot be reprioritized
- Include contextual metadata such as agent group and agent action
- Are categorized as Custom and Contextual (for Managed Customers)
If your review shows that safe items are being flagged, update your exclusion rules so they won’t trigger in future scans.
View Scan History
On-demand scan results are viewable for 5 days. Any alerts generated from those scans can be viewed in SIEM (InsightIDR) beyond that period.
- Go to Data Connectors > Agents > Endpoint Prevention > On-Demand.
- Review scan entries by:
  - Type and scope
  - Initiating user
  - Start time and status
  - Actions taken
Activation Modes
On-Demand scan behavior depends on your NGAV Activation Mode:
| Activation Mode | On-Demand Scan Behavior |
|---|---|
| Inactive | On-Demand Scans cannot run in this mode. |
| Detection-Only | On-Demand Scans run in detection-only mode by default. You can change the scan action to disinfect threats. |
| Active Prevention | On-Demand Scans run in both detection-only and disinfect modes. |
Scan Status
You can track the progress and results of each On-Demand scan.
| Status | Description |
|---|---|
| Not Started | A scan has been initiated, but is not yet running. |
| In Progress | The scan is currently running. |
| Completed | The scan completed successfully. |
| Cancelled | The On-Demand Scan feature was turned off mid-scan. |
| Failed | Scan could not start or complete. |