Malware Scan Configurations

Malware scan configurations are reusable saved settings that you can apply when configuring anti-malware in a policy or for a computer. A malware scan configuration specifies what types of malware scanning Deep Security will perform and which files it will scan. You can set up multiple malware scan configurations to suit your needs.

CPU usage and RAM usage varies by your anti-malware configuration. To optimize anti-malware performance on the Deep Security Agent, see Performance tips for anti-malware.

Create or edit a malware scan configuration

Go to Policies > Common Objects > Other > Malware Scan Configurations.

Deep Security comes with some pre-defined malware scan configurations. From the Malware Scan Configurations page, you can:

  • Double-click an existing scan configuration to view and edit its properties. The properties are described in the next section.
  • Select a configuration and click Duplicate to create a copy that you can edit separately.
  • Create a new configuration by clicking New and then New Real-Time Scan Configuration or New Manual/Scheduled Scan Configuration. For information on the differences between real-time, manual, and scheduled scans, see Protect servers from malware in four steps.

Malware scan configuration properties

When you create or edit a malware scan configuration, the properties that you can set for the configuration are divided into these tabs:

There are two kinds of malware scan configurations: Real-time Scan and Manual/Scheduled Scan. While most actions are available to both types of scans, some actions, like Deny Access are available to Real-time Scans only, and other options, like CPU Usage are available to Manual/Scheduled Scans only.

General

General Information

Name and description of the malware scan configuration, and whether this is a Real-Time or a Manual/Scheduled scan. For information on the differences between real-time, manual, and scheduled scans, see Protect servers from malware in four steps.

Document Exploit Protection

Select Scan documents for exploits if you want Deep Security to scan for embedded exploit code and known vulnerabilities. You can then select:

  • Scan for exploits against known critical vulnerabilities only: Only detects known critical vulnerabilities.
  • Scan for exploits against known critical vulnerabilities and aggressive detection of unknown suspicious exploits: Detects more issues but may also result in more false positives. If you want to automatically submit files to Deep Discovery Analyzer, you must select this option.

These options are part of the Connected Threat Defense feature. For more information, see Detect emerging threats using Connected Threat Defense.

Behavior Monitoring

Behavior monitoring enhances your malware and ransomware detection and clean rate. These settings enable you to go beyond malware pattern matching and identify suspicious files that could potentially contain emerging malware that hasn’t yet been added to malware patterns (known as a zero-day attack).

  • Detect suspicious activity and unauthorized changes (incl. ransomware): Enables the threat detection, anti-exploit, and ransomware detection features that are described in Enhanced anti-malware and ransomware scanning with behavior monitoring.
  • Back up and restore ransomware-encrypted files: When this option is selected, Deep Security will create backup copies of files that are being encrypted, in case they are being encrypted by a ransomware process.

Endpoint Correlation

Some malware writers use a wrapper file to deliver malware and avoid detection by conventional scanning. When the wrapper file is executed, it often creates or drops another file or process.

If you select Use endpoint correlation to identify the origin file of detected malware, Deep Security will identify and prevent these types of threats. Endpoint Correlation analyzes the “crime chain” (or infection chain) of a malware outbreak and can trigger a chain clean-up for malware accomplice files that are deemed suspicious but have not yet been put into a malware signature pattern.

Spyware and Grayware

When Enable spyware/grayware protection is selected, the spyware scan engine will scan for spyware and grayware and quarantine suspicious files.

IntelliTrap

The Enable IntelliTrap option is available only for real-time scans. Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering your network by blocking real-time compressed executable files and pairing them with other malware characteristics.

Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting or cleaning) files when you enable IntelliTrap. If users regularly exchange real-time compressed executable files, disable IntelliTrap. IntelliTrap uses the virus scan engine, IntelliTrap Pattern, and IntelliTrap Exception Pattern.

Process Memory Scan

Malware writers often use customized packers that can trick file-based anti-malware engines and bypass detection. Typical virus patterns are constructed into binary machine code and this machine code can be repacked using packing tools. Since most conventional anti-malware detection is based on virus signatures, this repacking of the virus machine code can bypass conventional detection.

If you select Scan process memory for malware, Deep Security monitors process memory in real time and once a process is determined to be suspicious, Deep Security performs additional checks with the Trend Micro Smart Protection network to determine whether the process is a known malicious process. If these checks determine that the process is malicious, Deep Security will terminate the running process.

Alert

If you want Deep Security to raise an alert whenever this malware scan configuration triggers an event, select Alert when this Malware Scan Configuration logs an event.

Inclusions

Directories to scan: Specify which directories to scan for malware. You can scan All directories or select a defined Directory List.

Files to scan: Specify which files to scan for malware. Choose between All files, File types scanned by IntelliScan, or a defined File Extension List (which will scan all files with the extensions defined in the list).

IntelliScan only scans file types that are vulnerable to infection (for example, .zip or .exe). IntelliScan does not rely on file extensions to determine file type but instead reads the header and content of a file to determine whether it should be scanned. Compared to scanning all files, using IntelliScan provides a performance boost by reducing the total number of files to scan.

Exclusions

Allows you to exclude specific directories, files, and file extensions from being scanned. For example, if you are creating a malware scan configuration for a Microsoft Exchange server, you should exclude the SMEX quarantine folder to avoid re-scanning files that have already been confirmed to be malware.

The scan exclusion directory settings accept either forward slash "/" or backslash "\" to support both Windows and Linux conventions.

Syntax for defining Directory List exclusions:

Exclusion Format Description Examples
Directory DIRECTORY\ Excludes all files in the specified directory and all files in all subdirectories. C:\Program Files\
Excludes all files in the "Program Files" directory and all subdirectories.
Directory with wildcard (*) DIRECTORY\*\ Excludes any subdirectories with any subdirectory name, but does not exclude the files in the specified directory. C:\abc\*\
Excludes all files in all subdirectories of "abc" but does not exclude the files in the "abc" directory.

C:\abc\wx*z\
Matches:
C:\abc\wxz\
C:\abc\wx123z\
Does not match:
C:\abc\wxz
C:\abc\wx123z

C:\abc\*wx\
Matches:
C:\abc\wx\
C:\abc\123wx\
Does not match:
C:\abc\wx
C:\abc\123wx
Directory with wildcard (*) DIRECTORY\* Excludes any subdirectories with a matching name, but does not exclude the files in that directory and any subdirectories. C:\abc\*\
Matches:
C:\abc\
C:\abc\1
C:\abc\123
Does not match:
C:\abc
C:\abc\123\
C:\abc\123\456
C:\abx\
C:\xyz\

C:\abc\*wx\
Matches:
C:\abc\wx
C:\abc\123wx
Does not match:
C:\abc\wx\
C:\abc\123wx\

C:\abc\wx*z\
Matches:
C:\abc\wxz
C:\abc\wx123z
Does not match:
C:\abc\wxz\
C:\abc\wx123z\

C:\abc\wx*\
Matches:
C:\abc\wx
C:\abc\wx\
C:\abc\wx12
C:\abc\wx12\345\
C:\abc\wxz\
Does not match:
C:\abc\wx123z\
Environment variable ${ENV VAR} Excludes all files and subdirectories defined by an environment variable with the format ${ENV VAR}. For a Virtual Appliance, the value pairs for the environment variable must be defined in Policy or Computer Editor > Settings > General > Environment Variable Overrides. ${windir}
If the variable resolves to "c:\windows", excludes all the files in "c:\windows" and all its subdirectories.
Comments DIRECTORY #Comment Allows you to add comments to your exclusion definitions. c:\abc #Exclude the abc directory

Syntax for defining File List exclusions:

Exclusion Format Description Example
File FILE Excludes all files with the specified file name regardless of its location or directory. abc.doc
Excludes all files named "abc.doc" in all directories. Does not exclude "abc.exe".
File path FILEPATH Excludes the specific file specified by the file path. C:\Documents\abc.doc
Excludes only the file named "abc.doc" in the "Documents" directory.
File path with wildcard (*) FILEPATH Excludes all the specific files specified by the file path. C:\Documents\abc.co* (For Windows Agent platforms only) Excludes any file that has file name of "abc" and extension beginning with ".co" in the "Documents" directory.
File with wildcard (*) FILE* Excludes all files with a matching pattern in the file name. abc*.exe
Excludes any file that has prefix of "abc" and extension of ".exe".

*.db
Matches:
123.db
abc.db
Does not match:
123db
123.abd
cbc.dba

*db
Matches:
123.db
123db
ac.db
acdb
db
Does not match:
db123

wxy*.db
Matches:
wxy.db
wxy123.db
Does not match:
wxydb
File with wildcard (*) FILE.EXT* Excludes all files with a matching pattern in the file extension. abc.v*
Excludes any file that has file name of "abc" and extension beginning with ".v".

abc.*pp
Matches:
abc.pp
abc.app
Does not match:
wxy.app

abc.a*p
Matches:
abc.ap
abc.a123p
Does not match:
abc.pp

abc.*
Matches:
abc.123
abc.xyz
Does not match:
wxy.123
File with wildcard (*) FILE*.EXT* Excludes all files with a matching pattern in the file name and in the extension. a*c.a*p
Matches:
ac.ap
a123c.ap
ac.a456p
a123c.a456p
Does not match:
ad.aa
Environment variable ${ENV VAR} Excludes files specified by an environment variable with the format ${ENV VAR}. These can be defined or overridden using Policy or Computer Editor > Settings > General > Environment Variable Overrides. ${myDBFile}
Excludes the file "myDBFile".
Comments FILEPATH #Comment Allows you to add comments to your exclusion definitions. C:\Documents\abc.doc #This is a comment

Syntax for defining File Extension List exclusions:

Exclusion Format Description Example
File Extension EXT Excludes all files with a matching file extension. doc
Excludes all files with a ".doc" extension in all directories.
Comments EXT #Comment Allows you to add comments to your exclusion definitions. doc #This a comment

Syntax for defining Process Image File List exclusions (Real-Time Scans only):

Exclusion Format Description Example
File path FILEPATH Excludes the specific Process Image file specified by the file path. C:\abc\file.exe
Excludes only the file named "file.exe" in the "abc" directory.

Advanced

Real-Time Scan

Choose between scanning files when they are opened for reading, for writing, or both.

Scan Compressed Files

If you want the malware scan to scan compressed files (such as .zip files), select Scan compressed files. You can then set these options:

  • Maximum size of individual extracted files: The maximum size of the individual files in a compressed archive that Deep Security will scan.
    Scanning large files with multiple layers of compression can affect performance.
  • Maximum levels of compression: A file or group of files can undergo more than one round of compression. This option lets you specify how many levels of compression you want Deep Security to scan through.
  • Maximum number of files to extract: The maximum number of files that Deep Security will extract and scan from a compressed archive.

Scan Embedded Microsoft Office Objects

Certain versions of Microsoft Office use Object Linking and Embedding (OLE) to insert files and other objects into Office files. These embedded objects can contain malicious code. To scan these embedded objects, select Scan Embedded Microsoft Office Objects.

You can then specify the number of OLE Layers to scan. Because embedded objects can contain other objects, there can be multiple layers of embedding within a single Office file. To reduce the impact on performance, you can select to scan only a few layers of embedded objects within each file.

Remediation Actions

In most circumstances, the recommended default remediation actions that Deep Security uses are fine. However, if you want to customize the actions that Deep Security takes when it encounters malware, select Custom. You can then specify whether Deep Security should Use action recommended by ActiveAction or Use custom actions (which you can then define).

If you select Use action determined by ActiveAction, Deep Security can automatically decide which action to perform when it detects malware. ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly.

When the agent downloads virus pattern updates from an ActiveUpdate server or relay, it may change its ActiveAction scan actions.

The following table lists the actions that ActiveAction can take:

Malware Type Real-Time Scan Manual/Scheduled Scan Notes
Virus Clean Clean Viruses are able to infect normal files by inserting malicious code. Typically, whenever an infected file is opened, the malicious code automatically runs and delivers a payload in addition to infecting other files. Some of the more common types of viruses include COM and EXE infectors, macro viruses, and boot sector viruses.
Trojan Quarantine Quarantine Trojans are non-infecting executable malware files that do not have file infection capabilities.
Packer Quarantine Quarantine Packers are compressed and encrypted executable programs. To evade detection, malware authors often pack existing malware under several layers of compression and encryption. Anti-malware checks executable files for compression patterns associated with malware.
Spyware Quarantine Quarantine Although possibly legitimate, grayware exhibit spyware-like behavior and may be unwanted.
CVE Exploit Quarantine Quarantine Related to the "Scan for exploits against known critical vulnerabilities only” setting. Because there is a high degree of confidence that this setting will detect valid vulnerabilities, the default action is to quarantine.
Aggressive Detection Rule Pass Pass Related to the "Scan for exploits against known critical vulnerabilities and aggressive detection of unknown suspicious exploits" setting. This setting detects more issues but may also result in more false positives, so the default action is to raise an event.
Cookies N/A Delete Cookies are text files stored by a web browser, transmitted back to the web server with each HTTP request. Cookies can contain authentication information, preferences, and (in the case of stored attacks from an infected server) SQL injection and XSS exploits.
Other Threats Clean Clean The Other Threats category includes joke programs, which display false notifications or manipulate screen behavior, but are generally harmless.
Possible Malware ActiveAction ActiveAction Possible malware is a file that appears suspicious but cannot be classified as a specific malware variant. When possible malware is detected, Trend Micro recommends that you contact your support provider for assistance in further analysis of the file.

Alternatively, you can select Use custom actions and manually specify the actions you want Deep Security to take upon detecting malware. There are five possible actions that Deep Security can take when it encounters an infected file:

  • Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event will still be recorded.)
  • Clean: Cleans a cleanable file before allowing full access to the file. (Not available for Possible Malware.)
  • Delete: Deletes the infected file.
  • Deny Access: This scan action can only be performed during Real-time scans. When Deep Security detects an attempt to open or execute an infected file, it immediately blocks the operation. If a malware scan configuration with the "Deny Access" option selected is applied during a Manual/Scheduled scan, a "Pass" action will be applied and an Anti-Malware Event will be recorded.
  • Quarantine: Moves the file to the quarantine directory on the computer or Virtual Appliance. (Once quarantined, you can download the file to a location of your choice. See Identified files for more information.)

Network Directory Scan

If you want to scan files and folders in network shares and mapped network drives, select Enable Network Directory Scan. This option is available only for real-time scans.

Resources accessed in "~/.gvfs" via GVFS, a virtual file system available for the GNOME desktop, will be treated as local resources, not network drives.

CPU Usage

Specifies the CPU resources allocated to scanning on the Deep Security Agent machine:

  • High: Scans files one after another without pausing
  • Medium: Pauses when overall CPU usage exceeds 50%
  • Low: Pauses when overall CPU usage exceeds 20%

Assigned To

Indicates which policies and computers are using this malware scan configuration.