Enhanced anti-malware and ransomware scanning with behavior monitoring

Deep Security provides security settings that you can apply to Windows and Linux machines that are protected by a Deep Security Agent to enhance your malware and ransomware detection and clean rate. These settings enable you to go beyond malware pattern matching and identify suspicious files that could potentially contain emerging malware that hasn’t yet been added to the anti-malware patterns (known as a zero-day attack).

In this article:

For an overview of the anti-malware module, see About Anti-Malware.

How does enhanced scanning protect you?

Threat detection: To avoid detection, some types of malware attempt to modify system files or files related to known installed software. These types of changes often go unnoticed because the malware takes the place of legitimate files. Deep Security can monitor system files and installed software for unauthorized changes to detect and prevent these changes from occurring.

Anti-exploit: Malware writers can use malicious code to hook in to user mode processes in order to gain privileged access to trusted processes and to hide the malicious activity. Malware writers inject code into user processes through DLL injection, which calls an API with escalated privilege. They can also trigger an attack on a software exploit by feeding a malicious payload to trigger code execution in memory. In Deep Security, the anti-exploit functionality monitors for processes that may be performing actions that are not typically performed by a given process. Using a number of mechanisms, including Data Execution Prevention (DEP), Structured Exception Handling Overwrite Protection (SEHOP), and heap spray prevention, Deep Security can determine whether a process has been compromised and then terminate the process to prevent further infection.

Extended ransomware protection: Recently, ransomware has become more sophisticated and targeted. Most organizations have a security policy that includes anti-malware protection on their endpoints, which offers a level of protection against known ransomware variants; however, it may not be sufficient to detect and prevent an outbreak for new variants. The ransomware protection offered by Deep Security can protect documents against unauthorized encryption or modification. Deep Security has also incorporated a data recovery engine that can optionally create copies of files being encrypted to offer users an added chance of recovering files that may have been encrypted by a ransomware process.

How to enable enhanced scanning

Enhanced scanning is configured as part of the anti-malware settings that are applied to a policy or individual computer. For general information on configuring anti-malware protection, see Enable and configure anti-malware.

These settings can only be applied to Windows and Linux machines that are protected by a Deep Security Agent.

Enhanced scanning may have a performance impact on agent computers running applications with heavy loads. We recommend reviewing the Performance tips for anti-malware before deploying Deep Security Agents with enhanced scanning enabled.

The first step is to enable enhanced scanning in a real-time malware scan configuration:

  1. In Deep Security Manager, go to Policies > Common Objects > Other > Malware Scan Configurations.
  2. Double-click an existing real-time scan configuration to edit it (for details on malware scan configurations, see Configure malware scans and exclusions).
  3. On the General tab, under Behavior Monitoring, select Enable Behavior Monitoring. In the Action to take list, choose the remediation action that you want Deep Security to take when it detects malware:
    • ActiveAction (recommended): Use the action that ActiveAction determines. ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly. (See ActiveAction actions.)
    • Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)
  4. Optionally, select Back up and restore ransomware-encrypted files. When this option is selected, Deep Security will create backup copies of files that are being encrypted, in case they are being encrypted by a ransomware process. This option applies only to computers running Windows.

  5. Click OK.

By default, real-time scans are set to scan all directories. If you change the scan settings to scan a directory list, the enhanced scanning may not work as expected. For example, if you set Directories to scan to scan "Folder1" and ransomware occurs in Folder1, it may not be detected if the encryption associated with the ransomware happens to files outside of Folder1.

Next, apply the malware scan configuration to a policy or an individual computer:

  1. In the Computer or Policy editorClosedYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details)., go to Anti-Malware > General.
  2. Ensure that the Anti-Malware State is On or Inherited (On).
  3. The General tab contains sections for Real-Time Scan, Manual Scan, and Scheduled Scan. In the appropriate sections, use the Malware Scan Configuration list to select the scan configuration that you created above.
  4. Click Save.

What happens when enhanced scanning finds a problem?

When Deep Security discovers activity or files that match the enhanced scan settings you have enabled, it will log an event (go to Events & Reports > Events > Anti-Malware Events to see a list of events). The event will be identified as "Suspicious activity" or "Unauthorized change" in the Major Virus Type column and details will be displayed in the Target(s) and TargetType columns.

Deep Security performs many types of checks related to the enhanced scan settings, and the actions that it takes depend on the type of check that finds an issue. Deep Security may "Deny Access", "Terminate", or "Clean" a suspicious object. These actions are determined by Deep Security and are not configurable, with the exception of the "Clean" action:

  • Deny Access: When Deep Security detects an attempt to open or execute a suspicious file, it immediately blocks the operation and records an anti-malware event.
  • Terminate: Deep Security terminates the process that performed the suspicious operation and records an anti-malware event.
  • Clean: Deep Security checks the Malware Scan Configuration and performs the action specified for Trojans on the Actions tab. One or more additional events will be generated relating to the action performed on the Trojan files.

Double-click an event to see details:

Events related to ransomware have an additional Targeted Files tab:

If you investigate and find that an identified file is not harmful, you can right-click the event and click Allow to add the file to a scan exclusion list for the computer or policy. You can check the scan exclusion list in the policy or computer editor, under Anti-Malware > Advanced > Behavior Monitoring Protection Exceptions.

What if my agents can't connect to the Internet directly?

The enhanced scanning features described in this article require Internet access to check files against the Global Census Server and Good File Reputation Service. If your Deep Security Agents cannot access the Internet directly, see Configure agents that have no internet access for workarounds.