You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
The Anti-Malware section of the Computer or Policy editor has the following tabbed sections:
Anti-malware modules in Deep Security Agent and Virtual Appliances provide both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, anti-malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as patterns that can be updated. Anti-malware also checks files for certain characteristics, such as compression and known exploit code.
To address threats, anti-malware selectively performs actions that contain and remove the threats while minimizing system impact. Anti-malware can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.
Turn anti-malware on or off. You can configure this policy or computer to inherit its anti-malware on / off state from its parent policy or you can override the setting locally.
Real-time scans continuously monitor for malware. Every time a file is received, opened, downloaded, copied, or modified, a real-time scan occurs. (In comparison, manual and scheduled scans only detect malware at specific times, when you run them.) If Deep Security detects no security risk, the file remains in its location and users can proceed to access the file. If Deep Security detects a security risk, it displays a notification message, showing the name of the infected file and the specific security risk.
Real-time scans require that you select a scan configuration and, optionally, a time period when real-time scanning will be in effect. Malware scan configurations determine which file types are scanned in which directories, what types of malware to scan for, and what to do with malware when it is detected. You can examine a Scan Configuration's properties by selecting it from the menu and then clicking Edit. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.
Manual Scan is an on-demand scan and starts immediately after a user runs the scan on the computer. The time it takes to complete scanning depends on the number of files to scan and the computer's hardware resources.
To perform manual malware scans, you must select a scan configuration. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.
Scheduled scans run automatically on the configured date and time. Use scheduled scan to automate routine scans and improve scan management efficiency.
To perform scheduled malware scans, you must select a scan configuration. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.
Malware Scan (Computer Editor only)
Displays the times and dates of the last manual and scheduled malware scans and allows you to perform or abort a quick or full malware scan.
Smart Scan shifts much of the malware and spyware scanning functionality to a Smart Protection server. Instead of downloading a complete malware pattern file to the local computer, a much smaller version of the pattern is downloaded, which can identify files as either "confirmed safe" or "possibly dangerous". "Possibly dangerous" files are compared against the larger complete pattern files stored on Trend Micro Smart Protection Network to determine with certainty whether the files pose a danger or not. This method keeps locally stored pattern files small, and reduces the size and number of updates required by Agents.
Smart Protection Server for File Reputation Service
Smart Protection Service for File Reputation supplies file reputation information required by Smart Scan. Select whether to connect directly to Trend Micro's Smart Protection Network service or whether to connect to one or more locally installed Smart Protection Servers.
Select the "When off domain, connect to global Smart Protection Service. (Windows only.)" option to use the global Smart Protection Service if the computer is off domain. The computer is considered to be off domain if it cannot connect to its domain controller. (This option is for Windows Agents only.)
Smart Protection Server Connection Warning
This option determines whether error events are generated and Alerts are raised if a computer loses its connection to the Smart Protection Server.
Maximum disk space used to store quarantined files determines the disk quota for quarantined files. It applies globally to all computers.
The Virtual Appliance is not available with Deep Security as a Service.
Quarantined files will be automatically deleted from a Virtual Appliance under the following circumstances:
- If a VM undergoes vMotion, quarantined files associated with that VM will be deleted from the Virtual Appliance.
- If a VM is deactivated from the Deep Security Manager, quarantined files associated with that VM will be deleted from the Virtual Appliance.
- If a Virtual Appliance is deactivated from the Deep Security Manager, all the quarantined files stored on that Virtual Appliance will be deleted.
- If a Virtual Appliance is deleted from the vCenter, all the quarantined files stored on that Virtual Appliance will also be deleted.
Maximum file size to scan: Files exceeding this file size will not be scanned. (Setting a value of 0 means that there is no maximum size. All files will be scanned.)
Resource Allocation for Malware Scans
Use multithreaded processing for Malware Scans (if available) enables multi-threaded processing on systems that support this capability. It only applies to manual and scheduled scans, not to real-time scanning. To apply the setting, after you have enabled it, restart the computer.
Allowed Spyware / Grayware
Allowed Spyware/Grayware is a list of applications that have been identified as spyware / grayware by Deep Security, but that you want to override and allow.
To specify a Scan Exclusion File List in a Malware Scan Configuration: in the Deep Security Manager, go to Policies > Common Objects > Malware Scan Configurations. You can specify a File List in the Scan Exclusions Area on the Exclusions tab of the Malware Scan Configuration's Properties window.
To select a Malware Scan Configuration in a Security Policy: open the Policy editor (go to the Policies page and double-click the policy that you want to edit, or select the policy and click Details) and, on the General tab, select the Malware Scan Configuration from the list in any of the Real-Time Scan, Manual Scan, or Scheduled Scan areas.
You can add software to this list in one of two ways: either add it using an anti-malware event where the application was detected, or manually enter the name of the spyware / grayware.
To add spyware/grayware to the list of allowed spyware/grayware using an Anti-Malware Event:
- Find the detection Event in the Anti-Malware Events page.
- Right-click on the Event.
- Select Allow.
If the application has already been detected by the scan engine, it may already have been quarantined or deleted, depending on what your current spyware/grayware settings are. If it has been quarantined you will have to restore or reinstall the application. See Anti-Malware > Quarantined Files for information on restoring quarantined files. Alternatively, you can run a spyware/grayware scan with Action set to "Pass" mode so that all spyware/grayware detections are recorded on the Anti-Malware Events page but "passed" over and neither quarantined nor deleted. You can then add the selected spyware/grayware to the allowed list using this method and afterwards set Action to "Quarantine" or "Delete" modes.
To manually add spyware/grayware to the list of allowed spyware/grayware:
Note the name of the application as it is displayed in the Anti-Malware Event log and add it manually to the Allowed Spyware/Grayware List.
Local Event Notification
Display local notifications when malware is detected determines whether the Deep Security Notifier (if it is installed locally on the computer) will display a pop up notification that malware has been detected.
Does not apply to Deep Security as a Service
Scan Caching is used by the Virtual Appliance to maximize the efficiency of Malware and Integrity Monitoring Scans of virtual machines. For information on Scan Cache configurations, see Virtual Appliance Scan Caching.
NSX Security Tags
Does not apply to Deep Security as a Service
Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat. NSX Security Tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. Consult your VMware NSX documentation for more information on NSX Security Tags and dynamic NSX Security Group assignment.
You can choose to only apply the NSX Security Tag if the remediation action attempted by the Anti-Malware engine fails. (The remediation action is determined by the Malware Scan Configuration that is in effect. To see which Malware Scan Configuration is in effect, go to the Computer or Policy editor > Anti-Malware > General tab and check the Real-Time Scan, Manual Scan, and Scheduled Scan areas.)
You can also choose to have the Security Tag removed if a subsequent Malware Scan does not detect any malware. You should only use this setting if all Malware Scans will be of the same kind.
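The two tag options described above, replayed in a simplified model. This is an added example, not Trend Micro code or a Deep Security API. The tag name, the directory names, and the reading of "same kind" as "same scan coverage" are assumptions made for illustration.

```python
from dataclasses import dataclass

TAG = "EXAMPLE.MalwareFound"  # placeholder tag name, not a real NSX Security Tag


@dataclass(frozen=True)
class Scan:
    kind: str                        # label only: "real-time", "manual" or "scheduled"
    covers: frozenset                # directories this scan inspects (constructed)
    remediation_works: bool = False  # does the configured action succeed?


@dataclass(frozen=True)
class TagOptions:
    only_if_remediation_fails: bool = False  # tag only when remediation fails
    remove_when_clean: bool = False          # untag after a scan that finds nothing


def run_scans(infected_dirs, scans, opts):
    """Replay scans against one VM.

    Returns (tag state after each scan, directories still infected at the end).
    """
    infected = set(infected_dirs)
    tagged = False
    history = []
    for scan in scans:
        found = infected & scan.covers
        if found:
            if scan.remediation_works:
                infected -= found
            # Tag on detection, unless tagging is limited to failed remediation
            # and this remediation succeeded.
            if not (opts.only_if_remediation_fails and scan.remediation_works):
                tagged = True
        elif opts.remove_when_clean:
            # A clean result clears the tag, whatever this scan actually covered.
            tagged = False
        history.append(tagged)
    return history, infected


# Constructed sample scans: a wide scheduled scan and a narrow manual scan.
FULL = Scan("scheduled", frozenset({"/srv", "/home", "/tmp"}))
NARROW = Scan("manual", frozenset({"/tmp"}))
```

With `remove_when_clean` enabled, replaying `[FULL, NARROW]` against a VM infected in `/srv` ends with the tag removed while `/srv` is still infected; replaying `[FULL, FULL]` keeps the tag in place.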
Allowed Objects Identified by Suspicious Activity/Unauthorized Change scan
This feature is coming soon in Deep Security 10.
File Hash Calculation
This feature is coming soon in Deep Security 10.
Quarantined Files are displayed the same way as they are in the main Deep Security Manager window except that only files that were quarantined on this computer are listed. For more information, see Quarantined files.
Anti-Malware Events are displayed the same way they are in the main Deep Security Manager window except that only events associated with this Policy or specific computer are displayed. For more information, see Anti-malware events.