Deep Security 10.3 has reached end of support.
Configure malware scans
Malware scan configurations are reusable saved settings that you can apply when configuring anti-malware in a policy or for a computer. A malware scan configuration specifies what types of malware scanning Deep Security performs and which files it scans. Some policy properties also affect the behavior of malware scans.
- Create or edit a malware scan configuration
- Scan for specific types of malware
- Specify the files to scan
- Specify when real-time scans occur
- Configure how to handle malware
- Identify malware files by file hash digest
- Configure notifications on the computer
The Deep Security Best Practice Guide also provides several recommendations for configuring malware scans.
Create or edit a malware scan configuration
Create or edit a malware scan configuration to control the behavior of a real-time, manual, or scheduled scan. (For more information, see Malware scan configurations.) You can create multiple malware scan configurations as required.
- After you create a malware scan configuration, you can then associate it with a scan in a policy or computer (see Select the types of scans to perform).
- When you edit a malware scan configuration that a policy or computer is using, the changes affect the scans that are associated with the configuration.
To create a malware scan configuration that is similar to an existing one, duplicate the existing configuration and then edit it.
You can create two types of malware scan configurations according to the type of scan it controls (see Types of malware scans):
- Real-time scan configuration: Controls real-time scans. Some actions, such as Deny Access, are only available to real-time scan configurations.
- Manual/scheduled scan configuration: Controls either manual or scheduled scans. Some options, such as CPU Usage, are only available to manual/scheduled scan configurations.
Deep Security provides a default malware scan configuration for each type of scan.
- Go to Policies > Common Objects > Other > Malware Scan Configurations.
- To create a scan configuration, click New and then click New Real-Time Scan Configuration or New Manual/Scheduled Scan Configuration.
  - Type a name to identify the scan configuration. You see the name in a list when configuring malware scans in a policy.
  - (Optional) Type a description that explains the use case for the configuration.
- To view and edit an existing scan configuration, select it and click Properties.
- To duplicate a scan configuration, select it and click Duplicate.
To see the policies and computers that are using a malware scan configuration, see the Assigned To tab of the properties.
Scan for specific types of malware
- Scan for spyware and grayware
- Scan for compressed executable files (real-time scans only)
- Scan process memory (real-time scans only)
- Scan compressed files
- Scan embedded Microsoft Office objects
Scan for spyware and grayware
When spyware and grayware protection is enabled, the spyware scan engine quarantines suspicious files when they are detected.
- Open the properties of the malware scan configuration.
- On the General tab, select Enable spyware/grayware protection.
- Click OK.
To identify a specific file that the spyware scan engine should ignore, see Create anti-malware exceptions.
Scan for compressed executable files (real-time scans only)
Viruses often use real-time compression algorithms to attempt to circumvent virus filtering. The IntelliTrap feature blocks real-time compressed executable files and pairs them with other malware characteristics.
- Open the properties of the malware scan configuration.
- On the General tab, select Enable IntelliTrap.
- Click OK.
Scan process memory (real-time scans only)
Monitor process memory in real time and perform additional checks with the Trend Micro Smart Protection Network to determine whether a suspicious process is known to be malicious. If the process is malicious, Deep Security terminates the process. For more information, see Smart Protection in Deep Security.
- Open the properties of the malware scan configuration.
- On the General tab, select Scan process memory for malware.
- Click OK.
Scan compressed files
Extract compressed files and scan the contents for malware. When you enable the scan, you specify the maximum size and number of files to extract (large files can affect performance). You also specify the levels of compression to inspect so that you can scan compressed files that reside inside compressed files. Level 1 compression is a single compressed file; compressed files inside that file are level 2. You can scan a maximum of 6 compression levels; however, higher levels can affect performance.
- Open the properties of the malware scan configuration.
- On the Advanced tab, select Scan compressed files.
- Specify the maximum size of content files to extract, in MB, the levels of compression to scan, and the maximum number of files to extract.
- Click OK.
Scan embedded Microsoft Office objects
Certain versions of Microsoft Office use Object Linking and Embedding (OLE) to insert files and other objects into Office files. These embedded objects can contain malicious code.
Specify the number of OLE layers to scan to detect objects that are embedded in other objects. To reduce the impact on performance, you can scan only a few layers of embedded objects within each file.
- Open the properties of the malware scan configuration.
- On the Advanced tab, select Scan Embedded Microsoft Office Objects.
- Specify the number of OLE layers to scan.
- Click OK.
Specify the files to scan
To specify the files to scan for malware, identify the files and directories to include in the scan and then, of those files and directories, identify any exclusions. You can also scan network directories:
Inclusions
Specify the directories to scan as well as the files inside the directories to scan.
To identify directories to scan, you can specify all directories or a list of directories. The directory list uses patterns with a specific syntax to identify the directories to scan. (See Syntax for directory lists.)
To identify the files to scan, use one of the following options:
- All files
- File types that are identified by IntelliScan. IntelliScan only scans file types that are vulnerable to infection, such as .zip or .exe. IntelliScan does not rely on file extensions to determine file type but instead reads the header and content of a file to determine whether it should be scanned. Compared to scanning all files, IntelliScan reduces the number of files to scan and improves performance.
- Files that have a file name extension that is included in a specified list: The file extension list uses patterns with a specific syntax. (See Syntax of file extension lists.)
- Open the properties of the malware scan configuration.
- Click the Inclusions tab.
- To specify the directories to scan, select All directories or Directory List.
- If you selected Directory List, from the drop-down menu either select an existing list or select New to create one.
- To specify the files to scan, select either All files, File types scanned by IntelliScan, or File Extension List.
- If you selected File Extension List, from the drop-down menu either select an existing list or select New to create one.
- Click OK.
Exclusions
Exclude specific directories, files, and file extensions from being scanned. For real-time scans (except when performed by Deep Security Virtual Appliance), you can also exclude specific process image files from being scanned. For example, if you are creating a malware scan configuration for a Microsoft Exchange server, you should exclude the SMEX quarantine folder to avoid re-scanning files that have already been confirmed to be malware.
To exclude directories, files, and process image files, you create a list that uses patterns to identify the item to exclude.
- Open the properties of the malware scan configuration.
- Click the Exclusions tab.
- Specify the directories to exclude:
  - Select Directory List.
  - Select a directory list or select New to create one. (See Syntax for directory lists.)
  - If you created a directory list, select it in the directory list.
- Similarly, specify the file list, file extension list, and process image file list to exclude. (See Syntax of file lists, Syntax of file extension lists, and Syntax of process image file lists (real-time scans only).)
- Click OK.
Syntax for directory lists
| Exclusion | Format | Description | Examples |
| --- | --- | --- | --- |
| Directory | DIRECTORY\ | Excludes all files in the specified directory and all files in all subdirectories. | C:\Program Files\<br>Excludes all files in the "Program Files" directory and all subdirectories. |
| Directory with wildcard (*) | DIRECTORY\*\ | Excludes all subdirectories of the specified directory, but not the specified directory itself or the files it contains. | C:\abc\*\<br>Excludes all files in all subdirectories of "abc" but does not exclude the files in the "abc" directory.<br><br>C:\abc\wx*z\<br>Matches: C:\abc\wxz\, C:\abc\wx123z\<br>Does not match: C:\abc\wxz, C:\abc\wx123z<br><br>C:\abc\*wx\<br>Matches: C:\abc\wx\, C:\abc\123wx\<br>Does not match: C:\abc\wx, C:\abc\123wx |
| Directory with wildcard (*) | DIRECTORY\* | Excludes any subdirectories with a matching name, but does not exclude the files in that directory and any subdirectories. | C:\abc\*<br>Matches: C:\abc\, C:\abc\1, C:\abc\123<br>Does not match: C:\abc, C:\abc\123\, C:\abc\123\456, C:\abx\, C:\xyz\<br><br>C:\abc\*wx<br>Matches: C:\abc\wx, C:\abc\123wx<br>Does not match: C:\abc\wx\, C:\abc\123wx\<br><br>C:\abc\wx*z<br>Matches: C:\abc\wxz, C:\abc\wx123z<br>Does not match: C:\abc\wxz\, C:\abc\wx123z\<br><br>C:\abc\wx*<br>Matches: C:\abc\wx, C:\abc\wx\, C:\abc\wx12, C:\abc\wx12\345\, C:\abc\wxz\<br>Does not match: C:\abc\wx123z\ |
| Environment variable | ${ENV VAR} | Excludes all files and subdirectories defined by an environment variable. For a Virtual Appliance, the value pairs for the environment variable must be defined in Policy or Computer Editor > Settings > General > Environment Variable Overrides. | ${windir}<br>If the variable resolves to "c:\windows", excludes all the files in "c:\windows" and all its subdirectories. |
| Comments | DIRECTORY #Comment | Adds a comment to your exclusion definitions. | c:\abc #Exclude the abc directory |
Syntax of file lists
| Exclusion | Format | Description | Example |
| --- | --- | --- | --- |
| File | FILE | Excludes all files with the specified file name, regardless of location or directory. | abc.doc<br>Excludes all files named "abc.doc" in all directories. Does not exclude "abc.exe". |
| File path | FILEPATH | Excludes the specific file specified by the file path. | C:\Documents\abc.doc<br>Excludes only the file named "abc.doc" in the "Documents" directory. |
| File path with wildcard (*) | FILEPATH | Excludes all files that match the file path pattern. | C:\Documents\abc.co* (Windows Agent platforms only)<br>Excludes any file with the file name "abc" and an extension beginning with ".co" in the "Documents" directory. |
| File with wildcard (*) | FILE* | Excludes all files with a matching pattern in the file name. | abc*.exe<br>Excludes any file with the prefix "abc" and the extension ".exe".<br><br>*.db<br>Matches: 123.db, abc.db<br>Does not match: 123db, 123.abd, cbc.dba<br><br>*db<br>Matches: 123.db, 123db, ac.db, acdb, db<br>Does not match: db123<br><br>wxy*.db<br>Matches: wxy.db, wxy123.db<br>Does not match: wxydb |
| File with wildcard (*) | FILE.EXT* | Excludes all files with a matching pattern in the file extension. | abc.v*<br>Excludes any file with the file name "abc" and an extension beginning with ".v".<br><br>abc.*pp<br>Matches: abc.pp, abc.app<br>Does not match: wxy.app<br><br>abc.a*p<br>Matches: abc.ap, abc.a123p<br>Does not match: abc.pp<br><br>abc.*<br>Matches: abc.123, abc.xyz<br>Does not match: wxy.123 |
| File with wildcard (*) | FILE*.EXT* | Excludes all files with a matching pattern in both the file name and the extension. | a*c.a*p<br>Matches: ac.ap, a123c.ap, ac.a456p, a123c.a456p<br>Does not match: ad.aa |
| Environment variable | ${ENV VAR} | Excludes files specified by an environment variable with the format ${ENV VAR}. These can be defined or overridden using Policy or Computer Editor > Settings > General > Environment Variable Overrides. | ${myDBFile}<br>Excludes the file "myDBFile". |
| Comments | FILEPATH #Comment | Adds a comment to your exclusion definitions. | C:\Documents\abc.doc #This is a comment |
Syntax of file extension lists
| Exclusion | Format | Description | Example |
| --- | --- | --- | --- |
| File Extension | EXT | Matches all files with a matching file extension. | doc<br>Matches all files with a ".doc" extension in all directories. |
| Comments | EXT #Comment | Adds a comment to your exclusion definitions. | doc #This is a comment |
Syntax of process image file lists (real-time scans only)
| Exclusion | Format | Description | Example |
| --- | --- | --- | --- |
| File path | FILEPATH | Excludes the specific process image file specified by the file path. | C:\abc\file.exe<br>Excludes only the file named "file.exe" in the "abc" directory. |
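An exclusion list is worth checking against sample paths before it is assigned to a policy, because an over-broad wildcard entry silently creates a scan blind spot. The Python below is an added example, not Trend Micro's code: it implements the rules the tables above document (a `*` stays within one path component, the entry's trailing `\` must agree with the path, `#` starts a comment, `${VAR}` is resolved from a supplied override map) and assumes case-insensitive comparison. It reproduces every "Matches / Does not match" example in the tables except the `C:\abc\wx*` row, where the agent evidently also accepts paths that descend into subdirectories.

```python
import re
from typing import Dict, Iterable, Optional

SEP = "\\"  # the lists are written with Windows-style separators


def parse_entry(entry: str, env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Strip a '#comment' and expand ${VAR} from the supplied override map
    (the page's Environment Variable Overrides). Returns None if empty."""
    pattern = entry.split("#", 1)[0].strip()
    if not pattern:
        return None

    def expand(m):
        name = m.group(1).strip()
        if env is None or name not in env:
            raise KeyError(f"no override value for ${{{name}}}")
        return env[name]

    return re.sub(r"\$\{([^}]+)\}", expand, pattern)


def _glob(pattern: str) -> re.Pattern:
    """'*' matches any run of characters inside ONE path component, so a
    wildcard never crosses a '\\'. Assumption: matching is case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(r"[^\\]*".join(parts), re.IGNORECASE)


def directory_entry_matches(entry: str, path: str, env=None) -> bool:
    """Directory-list entry vs. a path (directories carry a trailing '\\').
    Without a wildcard the entry covers the directory and its whole subtree;
    with one, the entry's trailing '\\' (or lack of it) must agree with the path."""
    pattern = parse_entry(entry, env)
    if pattern is None:
        return False
    if "*" not in pattern:
        prefix = (pattern.rstrip(SEP) + SEP).lower()
        return path.lower().startswith(prefix) or path.lower() == prefix.rstrip(SEP)
    return _glob(pattern).fullmatch(path) is not None


def file_entry_matches(entry: str, path: str, env=None) -> bool:
    """File-list entry: a bare name (no '\\') matches that name in any
    directory; a path matches only at that location. '*' works in both."""
    pattern = parse_entry(entry, env)
    if pattern is None:
        return False
    target = path if SEP in pattern else path.rsplit(SEP, 1)[-1]
    return _glob(pattern).fullmatch(target) is not None


def extension_entry_matches(entry: str, path: str, env=None) -> bool:
    """File-extension-list entry, e.g. 'doc' matches any file ending in '.doc'."""
    pattern = parse_entry(entry, env)
    name = path.rsplit(SEP, 1)[-1]
    return pattern is not None and "." in name and name.rsplit(".", 1)[1].lower() == pattern.lower()


def matching_entries(matcher, entries: Iterable[str], path: str, env=None) -> list:
    """All entries that hit `path`: audit a list against sample paths before
    assigning it to a policy, since an over-broad entry is a scan blind spot."""
    return [e for e in entries if matcher(e, path, env)]
```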
Scan a network directory (real-time scan only)
If you want to scan files and folders in network shares and mapped network drives that reside in a Network File System (NFS), Server Message Block (SMB) or Common Internet File System (CIFS), select Enable Network Directory Scan. This option is available only for real-time scans.
Specify when real-time scans occur
Choose between scanning files when they are opened for reading, when they are written to, or both.
- Open the properties of the malware scan configuration.
- On the Advanced tab, select one of the options for the Real-Time Scan property.
- Click OK.
Configure how to handle malware
Configure how Deep Security behaves when malware is detected:
Customize malware remedial actions
When Deep Security detects malware, it performs a remedial action to handle the file. There are five possible actions that Deep Security can take when it encounters malware:
- Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event will still be recorded.)
- Clean: Cleans a cleanable file before allowing full access to the file. (Not available for Possible Malware.)
- Delete: Deletes the infected file.
- Deny Access: This scan action can only be performed during Real-time scans. When Deep Security detects an attempt to open or execute an infected file, it immediately blocks the operation. If a malware scan configuration with the "Deny Access" option selected is applied during a Manual/Scheduled scan, a "Pass" action will be applied and an Anti-Malware Event will be recorded.
- Quarantine: Moves the file to the quarantine directory on the computer or Virtual Appliance. (Once quarantined, you can download the file to a location of your choice. See View and restore identified malware for more information.)
The default remediation actions in the malware scan configurations are appropriate for most circumstances. However, you can customize the actions to take when Deep Security detects malware. You can either use the action that ActiveAction determines, or specify the action for each type of vulnerability.
ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly. (See ActiveAction actions.)
- Open the properties of the malware scan configuration.
- On the Advanced tab, for Remediation Actions select Custom.
- Specify the action to take:
  - To let ActiveAction decide which action to take, select Use action recommended by ActiveAction.
  - To specify an action for each type of vulnerability, select Use custom actions, and then select the actions to use.
- Specify the action to take for Possible Malware.
- Click OK.
ActiveAction actions
The following table lists the actions that ActiveAction takes:
| Malware Type | Action |
| --- | --- |
| Virus | Clean |
| Trojans | Quarantine |
| Packer | Quarantine |
| Spyware/grayware | Quarantine |
| Cookie | Delete (Does not apply to real-time scans) |
| Other threats | Clean |
| Possible malware | ActiveAction |
Generate alerts for malware detection
When Deep Security detects malware, you can generate an alert.
- Open the properties of the malware scan configuration.
- On the General tab, for Alert select Alert when this Malware Scan Configuration logs an event.
- Click OK.
Identify malware files by file hash digest
Deep Security can calculate the hash value of a malware file and display it on the Events & Reports > Events > Anti-Malware Events page. Because a particular piece of malware can go by several different names, the hash value is useful because it uniquely identifies the malware. You can use the hash value when looking up information about the malware from other sources.
- Open the policy or computer editor that you want to configure.
- Click Anti-Malware > Advanced.
- Under File Hash Calculation, clear the Default or Inherited check box. (Default is displayed for a root policy and Inherited is displayed for child policies.) When Inherited is selected, the file hash settings are inherited from the current policy's parent policy. When Default is selected, Deep Security does not calculate any hash values.
- Select Calculate hash values of all anti-malware events.
- By default, Deep Security produces SHA-1 hash values. If you want to produce additional hash values, you can select one or both of MD5 and SHA256.
- You can also change the maximum size of malware files that will have hash values calculated. The default is to skip files that are larger than 128 MB, but you can change the value to anything between 64 and 512 MB.
Configure notifications on the computer
On Windows-based agents, you might occasionally see onscreen notification messages alerting you to Deep Security actions you must take that are related to the anti-malware and web reputation modules. For example, you might see the message "A reboot is required for Anti-Malware cleanup task". You must click OK on the dialog box to dismiss it.
If you don't want these notifications to appear:
- Go to the Computer or Policy editor. You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
- Click Settings on the left.
- Under the General tab, scroll to the Notifications section.
- Set Suppress all pop-up notifications on host to Yes. The messages still appear as alerts or events in Deep Security Manager. For more information about the notifier, see Deep Security Notifier.