About Anti-Malware

The Deep Security anti-malware module provides agent computers with both real-time and on-demand protection against file-based threats, including malware, viruses, Trojans, and spyware. To identify threats, the anti-malware module checks files on the local hard drive against a comprehensive threat database. The anti-malware module also checks files for certain characteristics, such as compression and known exploit code.

Portions of the threat database are hosted on Trend Micro servers or stored locally as patterns. Deep Security Agents periodically download anti-malware patterns and updates to ensure protection against the latest threats.

A newly installed Deep Security Agent cannot provide anti-malware protection until it has contacted an update server to download anti-malware patterns and updates. Ensure that your Deep Security Agents can communicate with a Deep Security Relay or the Trend Micro Update Server after installation.

The anti-malware module eliminates threats while minimizing the impact on system performance. The anti-malware module can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.

To turn on and configure the anti-malware module, see Enable and configure anti-malware.

Types of malware scans

The anti-malware module performs several types of scans. See also Select the types of scans to perform.

Real-time scan

Scan immediately each time a file is received, opened, downloaded, copied, or modified, Deep Security scans the file for security risks. If Deep Security detects no security risk, the file remains in its location and users can proceed to access the file. If Deep Security detects a security risk, it displays a notification message that shows the name of the infected file and the specific security risk.

Real-time scans are in effect continuously unless another time period is configured using the Schedule option.

You can configure real-time scanning to run when it will not have a large impact on performance; for example, when a file server is scheduled to back up files.

This scan can run on all platforms supported by the anti-malware module.

Manual scan

Runs a full system scan on all processes and files on a computer. The time required to complete a scan depends on the number of files to scan and the computer's hardware resources. A manual scan requires more time than a Quick Scan.

A manual scan executes when Full Scan for Malware is clicked.

This scan can be run on all platforms supported by the anti-malware module.

Scheduled scan

Runs automatically on the configured date and time. Use scheduled scan to automate routine scans and improve scan management efficiency.

A scheduled scan runs according to the date and time you specify when you create a Scan computers for Malware task using scheduled tasks (see Schedule Deep Security to perform tasks).

This scan can be run on all platforms supported by the anti-malware module.

Quick scan

Only scans a computer's critical system areas for currently active threats. A Quick Scan will look for currently active malware but it will not perform deep file scans to look for dormant or stored infected files. It is significantly faster than a Full Scan on larger drives. Quick scan is not configurable.

A Quick Scan runs when you click Quick Scan for Malware.

Quick Scan can run only on Windows computers.

Scan objects and sequence

The following table lists the objects scanned during each type of scan and the sequence in which they are scanned.

Targets Full Scan (Manual or Scheduled) Quick Scan
Drivers 1 1
Trojan 2 2
Process Image 3 3
Memory 4 4
Boot Sector 5 -
Files 6 5
Spyware 7 6

Malware scan configurations

Malware scan configurations are sets of options that control the behavior of malware scans. When you configure anti-malware using a policy or for a specific computer, you select a malware scan configuration to use. You can create several malware scan configurations and use them with different policies when different groups of computers have different scan requirements.

Real-time, manual, and scheduled scans all use malware scan configurations. Deep Security provides a default malware scan configuration for each type of scan. These scan configurations are used in the default security policies. You can use the default scan configurations as-is, modify them, or create your own.

Quick Scans are not configurable, and do not use malware scan configurations.

You can specify which files and directories are included or excluded during a scan and which actions are taken if malware is detected on a computer (for example, clean, quarantine, or delete).

For more information, see Configure malware scans and exclusions.

Malware events

When Deep Security detects malware it triggers an event that appears in the event log. From there you can see information about the event, or create an exception for the file in case of false positives. You can also restore files that are actually benign.

For details, see:


Smart Scan uses threat signatures that are stored on Trend Micro servers and provides several benefits:

  • Provides fast, cloud-based, real-time security status lookups
  • Reduces the time required to deliver protection against emerging threats
  • Reduces network bandwidth consumed during pattern updates (bulk of pattern definition updates only need to be delivered to the cloud, not to many computers)
  • Reduces cost and overhead of corporate-wide pattern deployments
  • Lowers kernel memory consumption on computers (consumption increases minimally over time)

When Smart Scan is enabled, Deep Security first scans locally for security risks. If Deep Security cannot assess the risk of the file during the scan, it will try to connect to a local Smart Scan server. If no local Smart Scan Server is detected, Deep Security will attempt to connect to the Trend Micro Global Smart Scan server. For more information on this feature, see Smart Protection in Deep Security.

Predictive Machine Learning

Deep Security provides enhanced malware protection for unknown threats and zero-day attacks through Predictive Machine Learning. Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging security risks through digital DNA fingerprinting, API mapping, and other file features.

Predictive Machine Learning is effective in protecting against security breaches that result from targeted attacks using techniques such as phishing and spear phishing. In these cases, malware that is designed specifically to target your environment can bypass traditional malware scanning techniques.

During real-time scans, when Deep Security detects an unknown or low-prevalence file, Deep Security scans the file using the Advanced Threat Scan Engine (ATSE) to extract file features. It then sends the report to the Predictive Machine Learning engine on the Trend Micro Smart Protection Network. Through the use of malware modeling, Predictive Machine Learning compares the sample to the malware model, assigns a probability score, and determines the probable malware type that the file contains.

If the file is identified as a threat, Deep Security cleans, quarantines, or deletes the file to prevent the threat from continuing to spread across your network.

For information about using Predictive Machine Learning, see Detect emerging threats using Predictive Machine Learning.

Threat Intelligence

Threat Intelligence (formerly called "Connected Threat Defense") provides enhanced malware protection for new and emerging threats by setting up a connection between Deep Security and Trend Micro’s sandboxing technology. For details, see Detect emerging threats using Threat Intelligence.

Malware types

The anti-malware module protects against many file-based threats. See also Scan for specific types of malware and Configure malware handling


Viruses infect files by inserting malicious code. Typically, when an infected file is opened the malicious code automatically runs and delivers a payload in addition to infecting other files. Below are some of the more common types of viruses:

  • COM and EXE infectors infect DOS and Windows executable files, which typically have COM and EXE extensions.
  • Macro viruses infect Microsoft Office files by inserting malicious macros.
  • Boot sector viruses infect the section of hard disk drives that contain operating system startup instructions

The anti-malware module uses different technologies to identify and clean infected files. The most traditional method is to detect the actual malicious code that is used to infect files and strip infected files of this code. Other methods include regulating changes to infectable files or backing up such files whenever suspicious modifications are applied to them.


Some malware does not spread by injecting code into other files. Instead, it has other methods or effects:

  • Trojans: Malware files that execute and infect the system when opened (like the mythological Trojan horse).
  • Backdoors: Malicious applications that open port numbers to allow unauthorized remote users to access infected systems.
  • Worms: Malware programs that use the network to propagate from system to system. Worms are known to propagate by taking advantage of social engineering through attractively packaged email messages, instant messages, or shared files. They are also known to copy themselves to accessible network shares and spread to other computers by exploiting vulnerabilities.
  • Network viruses: Worms that are memory-only or packet-only programs (not file-based). Anti-malware is unable to detect or remove network viruses.
  • Rootkits: File-based malware that manipulate calls to operating system components. Applications, including monitoring and security software, need to make such calls for very basic functions, such as listing files or identifying running processes. By manipulating these calls, rootkits are able to hide their presence or the presence of other malware.


Packers are compressed and encrypted executable programs. To evade detection, malware authors often pack existing malware under several layers of compression and encryption. Anti-malware checks executable files for compression patterns associated with malware.


Spyware and grayware comprises applications and components that collect information to be transmitted to a separate system or collected by another application. Spyware/grayware detections, although exhibiting potentially malicious behavior, may include applications used for legitimate purposes such as remote monitoring. Spyware/grayware applications that are inherently malicious, including those that are distributed through known malware channels, are typically detected as other Trojans.

Spyware and grayware applications are typically categorized as:

  • Spyware: software installed on a computer to collect and transmit personal information.
  • Dialers: malicious dialers are designed to connect through premium-rate numbers causing unexpected charges. Some dialers also transmit personal information and download malicious software.
  • Hacking tools: programs or sets of programs designed to assist unauthorized access to computer systems.
  • Adware (advertising-supported software): any software package that automatically plays, displays, or downloads advertising material.
  • Cookies: text files stored by a Web browser. Cookies contain website-related data such as authentication information and site preferences. Cookies are not executable and cannot be infected; however, they can be used as spyware. Even cookies sent from legitimate websites can be used for malicious purposes.
  • Keyloggers: software that logs user keystrokes to steal passwords and other private information. Some keyloggers transmit logs to remote systems.

What is grayware?

Although they exhibit what can be intrusive behavior, some spyware-like applications are considered legitimate. For example, some commercially available remote control and monitoring applications can track and collect system events and then send information about these events to another system. System administrators and other users may find themselves installing these legitimate applications. These applications are called "grayware".

To provide protection against the illegitimate use of grayware, the anti-malware module detects grayware but provides an option to "approve" detected applications and allow them to run.


Cookies are text files stored by a web browser, transmitted back to the web server with each HTTP request. Cookies can contain authentication information, preferences, and (in the case of stored attacks from an infected server) SQL injection and XSS exploits.

Other threats

Other threats includes malware not categorized under any of the malware types. This category includes joke programs, which display false notifications or manipulate screen behavior but are generally harmless.

Possible malware

Possible malware is a file that appears suspicious but cannot be classified as a specific malware variant. When possible malware is detected, Trend Micro recommends that you contact your support provider for assistance in further analysis of the file. By default, these detections are logged and files are sent back to Trend Micro for analysis in a protected manner.