Deep Security 10.1 has reached end of support.
Malware Scan Configurations
Malware scan configurations are reusable saved settings that you can apply when configuring anti-malware in a policy or for a computer. A malware scan configuration specifies what types of malware scanning Deep Security will perform and which files it will scan. You can set up multiple malware scan configurations to suit your needs.
Create or edit a malware scan configuration
Go to Policies > Common Objects > Other > Malware Scan Configurations.
Deep Security comes with some pre-defined malware scan configurations. From the Malware Scan Configurations page, you can:
- Double-click an existing scan configuration to view and edit its properties. The properties are described in the next section.
- Select a configuration and click Duplicate to create a copy that you can edit separately.
- Create a new configuration by clicking New and then New Real-Time Scan Configuration or New Manual/Scheduled Scan Configuration. For information on the differences between real-time, manual, and scheduled scans, see Protect servers from malware in four steps.
Malware scan configuration properties
When you create or edit a malware scan configuration, the properties that you can set for the configuration are divided into these tabs:
There are two kinds of malware scan configurations: Real-time Scan and Manual/Scheduled Scan. Most settings are available to both types, but some actions, such as Deny Access, are available to Real-time Scans only, and other options, such as CPU Usage, are available to Manual/Scheduled Scans only.
General
General Information
Name and description of the malware scan configuration, and whether this is a Real-Time or a Manual/Scheduled scan. For information on the differences between real-time, manual, and scheduled scans, see Protect servers from malware in four steps.
Document Exploit Protection
Select Scan documents for exploits if you want Deep Security to scan for embedded exploit code and known vulnerabilities. You can then select:
- Scan for exploits against known critical vulnerabilities only: Only detects known critical vulnerabilities.
- Scan for exploits against known critical vulnerabilities and aggressive detection of unknown suspicious exploits: Detects more issues but may also result in more false positives. If you want to automatically submit files to Deep Discovery Analyzer, you must select this option.
These options are part of the Connected Threat Defense feature. For more information, see Detect emerging threats using Connected Threat Defense.
Behavior Monitoring
Behavior monitoring enhances your malware and ransomware detection and clean rate. These settings enable you to go beyond malware pattern matching and identify suspicious files that could potentially contain emerging malware that hasn’t yet been added to malware patterns (known as a zero-day attack).
- Detect suspicious activity and unauthorized changes (incl. ransomware): Enables the threat detection, anti-exploit, and ransomware detection features that are described in Enhanced anti-malware and ransomware scanning with behavior monitoring.
- Back up and restore ransomware-encrypted files: When this option is selected, Deep Security will create backup copies of files that are being encrypted, in case they are being encrypted by a ransomware process.
Endpoint Correlation
Some malware writers use a wrapper file to deliver malware and avoid detection by conventional scanning. When the wrapper file is executed, it often creates or drops another file or process.
If you select Use endpoint correlation to identify the origin file of detected malware, Deep Security will identify and prevent these types of threats. Endpoint Correlation analyzes the “crime chain” (or infection chain) of a malware outbreak and can trigger a chain clean-up for malware accomplice files that are deemed suspicious but have not yet been put into a malware signature pattern.
Spyware and Grayware
When Enable spyware/grayware protection is selected, the spyware scan engine will scan for spyware and grayware and quarantine suspicious files.
IntelliTrap
The Enable IntelliTrap option is available only for real-time scans. Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering your network by blocking real-time compressed executable files and pairing them with other malware characteristics.
Process Memory Scan
Malware writers often use customized packers that can trick file-based anti-malware engines and bypass detection. Typical virus patterns are constructed into binary machine code and this machine code can be repacked using packing tools. Since most conventional anti-malware detection is based on virus signatures, this repacking of the virus machine code can bypass conventional detection.
If you select Scan process memory for malware, Deep Security monitors process memory in real time and once a process is determined to be suspicious, Deep Security performs additional checks with the Trend Micro Smart Protection network to determine whether the process is a known malicious process. If these checks determine that the process is malicious, Deep Security will terminate the running process.
Alert
If you want Deep Security to raise an alert whenever this malware scan configuration triggers an event, select Alert when this Malware Scan Configuration logs an event.
Inclusions
Directories to scan: Specify which directories to scan for malware. You can scan All directories or select a defined Directory List.
Files to scan: Specify which files to scan for malware. Choose between All files, File types scanned by IntelliScan, or a defined File Extension List (which will scan all files with the extensions defined in the list).
Exclusions
Allows you to exclude specific directories, files, and file extensions from being scanned. For example, if you are creating a malware scan configuration for a Microsoft Exchange server, you should exclude the SMEX quarantine folder to avoid re-scanning files that have already been confirmed to be malware.
Syntax for defining Directory List exclusions:
Exclusion | Format | Description | Examples |
Directory | DIRECTORY\ | Excludes all files in the specified directory and all files in all subdirectories. | C:\Program Files\ excludes all files in the "Program Files" directory and all subdirectories. |
Directory with wildcard (*) | DIRECTORY\*\ | Excludes any subdirectories with any subdirectory name, but does not exclude the files in the specified directory. | C:\abc\*\ excludes all files in all subdirectories of "abc" but does not exclude the files in the "abc" directory. |
Directory with wildcard (*) | DIRECTORY\* | Excludes any subdirectories with a matching name, but does not exclude the files in that directory and any subdirectories. | C:\abc\* matches C:\abc\, C:\abc\1 and C:\abc\123; does not match C:\abc, C:\abc\123\, C:\abc\123\456, C:\abx\ or C:\xyz\. |
Environment variable | ${ENV VAR} | Excludes all files and subdirectories defined by an environment variable with the format ${ENV VAR}. For a Virtual Appliance, the value pairs for the environment variable must be defined in Policy or Computer Editor > Settings > General > Environment Variable Overrides. | ${windir}: if the variable resolves to "c:\windows", excludes all the files in "c:\windows" and all its subdirectories. |
Comments | DIRECTORY #Comment | Allows you to add comments to your exclusion definitions. | c:\abc #Exclude the abc directory |
Further wildcard examples for the DIRECTORY\*\ format (trailing backslash):
- C:\abc\wx*z\ matches C:\abc\wxz\ and C:\abc\wx123z\; does not match C:\abc\wxz or C:\abc\wx123z.
- C:\abc\*wx\ matches C:\abc\wx\ and C:\abc\123wx\; does not match C:\abc\wx or C:\abc\123wx.
Further wildcard examples for the DIRECTORY\* format (no trailing backslash):
- C:\abc\*wx matches C:\abc\wx and C:\abc\123wx; does not match C:\abc\wx\ or C:\abc\123wx\.
- C:\abc\wx*z matches C:\abc\wxz and C:\abc\wx123z; does not match C:\abc\wxz\ or C:\abc\wx123z\.
- C:\abc\wx* matches C:\abc\wx, C:\abc\wx\, C:\abc\wx12, C:\abc\wx12\345\ and C:\abc\wxz\; does not match C:\abc\wx123z\.
Syntax for defining File List exclusions:
Exclusion | Format | Description | Example |
File | FILE | Excludes all files with the specified file name regardless of location or directory. | abc.doc excludes all files named "abc.doc" in all directories. Does not exclude "abc.exe". |
File path | FILEPATH | Excludes the specific file specified by the file path. | C:\Documents\abc.doc excludes only the file named "abc.doc" in the "Documents" directory. |
File path with wildcard (*) | FILEPATH | Excludes all the specific files specified by the file path. | C:\Documents\abc.co* excludes any file in the "Documents" directory with the file name "abc" and an extension beginning with ".co" (Windows Agent platforms only). |
File with wildcard (*) | FILE* | Excludes all files with a matching pattern in the file name. | abc*.exe excludes any file with the prefix "abc" and the extension ".exe". |
File with wildcard (*) | FILE.EXT* | Excludes all files with a matching pattern in the file extension. | abc.v* excludes any file with the file name "abc" and an extension beginning with ".v". |
File with wildcard (*) | FILE*.EXT* | Excludes all files with a matching pattern in the file name and in the extension. | a*c.a*p matches ac.ap, a123c.ap, ac.a456p and a123c.a456p; does not match ad.aa. |
Environment variable | ${ENV VAR} | Excludes files specified by an environment variable with the format ${ENV VAR}. These can be defined or overridden using Policy or Computer Editor > Settings > General > Environment Variable Overrides. | ${myDBFile} excludes the file "myDBFile". |
Comments | FILEPATH #Comment | Allows you to add comments to your exclusion definitions. | C:\Documents\abc.doc #This is a comment |
Further wildcard examples for the FILE* format:
- *.db matches 123.db and abc.db; does not match 123db, 123.abd or cbc.dba.
- *db matches 123.db, 123db, ac.db, acdb and db; does not match db123.
- wxy*.db matches wxy.db and wxy123.db; does not match wxydb.
Further wildcard examples for the FILE.EXT* format:
- abc.*pp matches abc.pp and abc.app; does not match wxy.app.
- abc.a*p matches abc.ap and abc.a123p; does not match abc.pp.
- abc.* matches abc.123 and abc.xyz; does not match wxy.123.
Syntax for defining File Extension List exclusions:
Exclusion | Format | Description | Example |
File Extension | EXT | Excludes all files with a matching file extension. | doc excludes all files with a ".doc" extension in all directories. |
Comments | EXT #Comment | Allows you to add comments to your exclusion definitions. | doc #This is a comment |
Syntax for defining Process Image File List exclusions (Real-Time Scans only):
Exclusion | Format | Description | Example |
File path | FILEPATH | Excludes the specific Process Image file specified by the file path. | C:\abc\file.exe excludes only the file named "file.exe" in the "abc" directory. |
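As an added example (not Deep Security code and not from this page), the following Python models the exclusion syntax from the tables above: comment stripping, ${ENV VAR} expansion from a small override dictionary, the Directory List wildcard that never crosses a backslash (so the trailing backslash is what separates the DIRECTORY\*\ and DIRECTORY\* rows), FILE versus FILEPATH matching, and extension matching. The list contents, the OVERRIDES dictionary, the assumption that matching is case-insensitive, and the assumption that an expanded variable names a directory are all constructed for this example. is_excluded treats a directory rule as covering that directory and everything beneath it, which is the behaviour of the first two Directory List rows; the DIRECTORY\* examples are checked through dir_pattern_matches directly. Pasting a proposed exclusion list into it shows which paths would never be scanned, which is the quickest way to catch an over-broad entry before it reaches a policy.

```python
import re

# Constructed exclusion lists in the syntax the page describes (not from a real deployment).
DIRECTORY_LIST = [
    "C:\\Program Files\\      #plain directory: everything below it",
    "C:\\abc\\*\\              #subdirectories of abc, but not files directly in abc",
    "${windir}                 #environment variable, resolved from OVERRIDES",
]
FILE_LIST = [
    "abc.doc                   #this name in any directory",
    "C:\\Documents\\abc.co*    #one path, wildcard in the extension",
    "wxy*.db",
]
EXTENSION_LIST = ["tmp #This is a comment", "log"]
# Assumed stand-in for Policy/Computer Editor > Settings > General > Environment Variable Overrides.
OVERRIDES = {"windir": "c:\\windows"}


def strip_comment(entry: str) -> str:
    """Drop a trailing '#comment' and surrounding whitespace (the Comments rows)."""
    return entry.split("#", 1)[0].strip()


def expand_env(entry: str, overrides: dict) -> str:
    """Resolve ${NAME} from the override table; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: overrides.get(m.group(1), m.group(0)), entry)


def _glob(pattern: str) -> re.Pattern:
    # '*' matches any run of characters except a backslash, so a wildcard never
    # crosses a directory boundary; everything else is literal. Case-insensitive
    # because the page's examples are Windows paths (assumption).
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(r"[^\\]*".join(parts), re.IGNORECASE)


def dir_pattern_matches(pattern: str, path: str) -> bool:
    """Directory List semantics: whole-path match where a trailing backslash is
    significant, which is what separates the DIRECTORY\\*\\ and DIRECTORY\\* rows."""
    return _glob(pattern).fullmatch(path) is not None


def file_pattern_matches(pattern: str, path: str) -> bool:
    """File List semantics: a pattern containing a backslash is a path (FILEPATH rows);
    a bare pattern is compared with the file name in any directory (FILE rows)."""
    target = path if "\\" in pattern else path.rsplit("\\", 1)[-1]
    return _glob(pattern).fullmatch(target) is not None


def _entries(raw, overrides):
    cleaned = (expand_env(strip_comment(e), overrides) for e in raw)
    return [e for e in cleaned if e]  # comment-only or blank lines contribute nothing


def is_excluded(file_path: str, dir_list=(), file_list=(), ext_list=(), overrides=None) -> bool:
    """Decide whether a scan would skip file_path under the three exclusion lists."""
    overrides = overrides or {}
    # A directory rule covers the matched directory and everything beneath it
    # (rows 1 and 2 of the Directory List table), so test the file's own directory
    # and each ancestor, each written with its trailing backslash.
    segments = file_path.split("\\")[:-1]
    ancestors = ["\\".join(segments[:i]) + "\\" for i in range(1, len(segments) + 1)]
    for rule in _entries(dir_list, overrides):
        if "*" not in rule and not rule.endswith("\\"):
            rule += "\\"  # assumption: an expanded ${var} such as c:\windows names a directory
        if any(dir_pattern_matches(rule, a) for a in ancestors):
            return True
    if any(file_pattern_matches(rule, file_path) for rule in _entries(file_list, overrides)):
        return True
    name = file_path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return any(ext.lower() == rule.lower() for rule in _entries(ext_list, overrides))


def check_sample() -> dict:
    """Run the constructed lists over constructed paths; True means 'would not be scanned'."""
    paths = [
        "C:\\Program Files\\app\\app.exe",        # row 1 directory rule
        "C:\\abc\\notes.txt",                     # directly in abc: not covered by C:\abc\*\
        "C:\\abc\\sub\\notes.txt",                # in a subdirectory of abc: covered
        "C:\\Windows\\System32\\drivers\\x.sys",  # ${windir} expanded to c:\windows
        "D:\\share\\abc.doc",                     # FILE rule, any directory
        "D:\\share\\abc.exe",                     # same name, other extension: scanned
        "C:\\Documents\\abc.com",                 # FILEPATH with wildcard
        "C:\\Other\\abc.com",                     # wrong directory for that rule: scanned
        "C:\\cache\\report.TMP",                  # extension rule, case-insensitive
    ]
    return {p: is_excluded(p, DIRECTORY_LIST, FILE_LIST, EXTENSION_LIST, OVERRIDES) for p in paths}


if __name__ == "__main__":
    for path, excluded in check_sample().items():
        print(f"{'EXCLUDED' if excluded else 'scanned '}  {path}")
```

The wildcard is deliberately translated to `[^\\]*` rather than `.*`: that single choice is what makes `C:\abc\*` reject `C:\abc\123\456` and `C:\abc\*\` reject files sitting directly in `abc`, exactly as the tables state.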
Advanced
Real-Time Scan
Choose between scanning files when they are opened for reading, for writing, or both.
Scan Compressed Files
If you want the malware scan to scan compressed files (such as .zip files), select Scan compressed files. You can then set these options:
- Maximum size of individual extracted files: The maximum size of the individual files in a compressed archive that Deep Security will scan.
Scanning large files with multiple layers of compression can affect performance.
- Maximum levels of compression: A file or group of files can undergo more than one round of compression. This option lets you specify how many levels of compression you want Deep Security to scan through.
- Maximum number of files to extract: The maximum number of files that Deep Security will extract and scan from a compressed archive.
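The three limits above exist because an archive can be arbitrarily deep, arbitrarily large once inflated, and arbitrarily populous, and a scanner that follows it without bounds spends its CPU on the archive's terms rather than its own. As an added example (not Deep Security code; the ScanLimits field names, the reason strings and the sample archive are constructed for this page), the following Python walks a nested ZIP while enforcing each limit and reports which members it inspected and which it skipped, with the reason.

```python
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class ScanLimits:
    """Constructed stand-ins for the three settings on the page (field names are assumptions)."""
    max_extracted_size: int = 1024  # bytes per extracted member
    max_levels: int = 2             # how many nested archives deep to look
    max_files: int = 100            # members extracted per top-level archive


@dataclass
class ScanReport:
    scanned: list = field(default_factory=list)  # members whose content was inspected
    skipped: list = field(default_factory=list)  # (member, reason) for members not inspected
    extracted: int = 0                           # running count against max_files


def _is_zip(data: bytes) -> bool:
    # Local file header signature of a ZIP member; sufficient for this demonstration.
    return data[:4] == b"PK\x03\x04"


def _inspect(name: str, content: bytes, report: ScanReport) -> None:
    # Placeholder for the real content check (pattern match, IntelliScan, and so on).
    report.scanned.append(name)


def scan_archive(data: bytes, limits: ScanLimits, level: int = 1,
                 report=None, prefix: str = "") -> ScanReport:
    """Walk a ZIP and its nested ZIPs while honouring the three limits."""
    if report is None:
        report = ScanReport()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = prefix + info.filename
            if report.extracted >= limits.max_files:
                report.skipped.append((member, "maximum number of files to extract reached"))
                continue
            # The declared size is checked before any bytes are inflated: that is the
            # point of the limit, since a small archive can expand to a very large file.
            if info.file_size > limits.max_extracted_size:
                report.skipped.append((member, "exceeds maximum size of individual extracted file"))
                continue
            content = zf.read(info)
            report.extracted += 1
            if _is_zip(content):
                if level >= limits.max_levels:
                    report.skipped.append((member, "exceeds maximum levels of compression"))
                else:
                    scan_archive(content, limits, level + 1, report, member + "/")
            else:
                _inspect(member, content, report)
    return report


def build_sample() -> bytes:
    """Constructed three-level archive for the demonstration (plain text inside, nothing malicious)."""
    def zipped(members: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, content in members.items():
                zf.writestr(name, content)
        return buf.getvalue()

    level3 = zipped({"deep.txt": b"level three"})
    level2 = zipped({"inner.txt": b"level two", "level3.zip": level3})
    # big.bin compresses to a few bytes but declares 2048 bytes, above the 1024-byte default.
    return zipped({"readme.txt": b"level one", "level2.zip": level2, "big.bin": b"\0" * 2048})


if __name__ == "__main__":
    rep = scan_archive(build_sample(), ScanLimits())
    print("scanned:", rep.scanned)
    for member, reason in rep.skipped:
        print("skipped:", member, "->", reason)
```

With the defaults the walker inspects readme.txt and level2.zip/inner.txt, stops at level3.zip because it sits two archives down, and never inflates big.bin; raising max_levels to 3 reaches deep.txt, and lowering max_files to 1 leaves only readme.txt inspected. The skipped list is the part worth logging in practice, since each entry is a file the scanner did not look at.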
Scan Embedded Microsoft Office Objects
Certain versions of Microsoft Office use Object Linking and Embedding (OLE) to insert files and other objects into Office files. These embedded objects can contain malicious code. To scan these embedded objects, select Scan Embedded Microsoft Office Objects.
You can then specify the number of OLE Layers to scan. Because embedded objects can contain other objects, there can be multiple layers of embedding within a single Office file. To reduce the impact on performance, you can choose to scan only a few layers of embedded objects within each file.
Remediation Actions
In most circumstances, the recommended default remediation actions that Deep Security uses are fine. However, if you want to customize the actions that Deep Security takes when it encounters malware, select Custom. You can then specify whether Deep Security should Use action recommended by ActiveAction or Use custom actions (which you can then define).
If you select Use action determined by ActiveAction, Deep Security can automatically decide which action to perform when it detects malware. ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly.
The following table lists the actions that ActiveAction can take:
Malware Type | Real-Time Scan | Manual/Scheduled Scan | Notes |
Virus | Clean | Clean | Viruses are able to infect normal files by inserting malicious code. Typically, whenever an infected file is opened, the malicious code automatically runs and delivers a payload in addition to infecting other files. Some of the more common types of viruses include COM and EXE infectors, macro viruses, and boot sector viruses. |
Trojan | Quarantine | Quarantine | Trojans are non-infecting executable malware files that do not have file infection capabilities. |
Packer | Quarantine | Quarantine | Packers are compressed and encrypted executable programs. To evade detection, malware authors often pack existing malware under several layers of compression and encryption. Anti-malware checks executable files for compression patterns associated with malware. |
Spyware | Quarantine | Quarantine | Although possibly legitimate, grayware exhibits spyware-like behavior and may be unwanted. |
CVE Exploit | Quarantine | Quarantine | Related to the "Scan for exploits against known critical vulnerabilities only" setting. Because there is a high degree of confidence that this setting will detect valid vulnerabilities, the default action is to quarantine. |
Aggressive Detection Rule | Pass | Pass | Related to the "Scan for exploits against known critical vulnerabilities and aggressive detection of unknown suspicious exploits" setting. This setting detects more issues but may also result in more false positives, so the default action is to raise an event. |
Cookies | N/A | Delete | Cookies are text files stored by a web browser, transmitted back to the web server with each HTTP request. Cookies can contain authentication information, preferences, and (in the case of stored attacks from an infected server) SQL injection and XSS exploits. |
Other Threats | Clean | Clean | The Other Threats category includes joke programs, which display false notifications or manipulate screen behavior, but are generally harmless. |
Possible Malware | ActiveAction | ActiveAction | Possible malware is a file that appears suspicious but cannot be classified as a specific malware variant. When possible malware is detected, Trend Micro recommends that you contact your support provider for assistance in further analysis of the file. |
Alternatively, you can select Use custom actions and manually specify the actions you want Deep Security to take upon detecting malware. There are five possible actions that Deep Security can take when it encounters an infected file:
- Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event will still be recorded.)
- Clean: Cleans a cleanable file before allowing full access to the file. (Not available for Possible Malware.)
- Delete: Deletes the infected file.
- Deny Access: This scan action can only be performed during Real-time scans. When Deep Security detects an attempt to open or execute an infected file, it immediately blocks the operation. If a malware scan configuration with the "Deny Access" option selected is applied during a Manual/Scheduled scan, a "Pass" action will be applied and an Anti-Malware Event will be recorded.
- Quarantine: Moves the file to the quarantine directory on the computer or Virtual Appliance. (Once quarantined, you can download the file to a location of your choice. See Identified files for more information.)
Network Directory Scan
If you want to scan files and folders in network shares and mapped network drives, select Enable Network Directory Scan. This option is available only for real-time scans.
CPU Usage
Specifies the CPU resources allocated to scanning on the Deep Security Agent machine:
- High: Scans files one after another without pausing
- Medium: Pauses when overall CPU usage exceeds 50%
- Low: Pauses when overall CPU usage exceeds 20%
Assigned To
Indicates which policies and computers are using this malware scan configuration.