Anti-malware settings

The Anti-Malware section of the Computer or Policy editor has the following tabbed sections: General, Smart Protection, Advanced, Quarantined Files, and Events. You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).

Anti-malware modules in Deep Security Agent and Virtual Appliances provide both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, anti-malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as patterns that can be updated. Anti-malware also checks files for certain characteristics, such as compression and known exploit code.

To address threats, anti-malware selectively performs actions that contain and remove the threats while minimizing system impact. Anti-malware can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.

CPU usage and RAM usage vary with your anti-malware configuration. To optimize anti-malware performance on Deep Security Agent, see Performance tips for anti-malware.

A newly installed Deep Security Agent cannot provide anti-malware protection until it has contacted an update server to download anti-malware patterns and updates. Verify that your Deep Security Agents can communicate with a Deep Security Relay or the global Trend Micro Update Servers after installation.

General

Anti-Malware State

Turn anti-malware on or off. You can configure this policy or computer to inherit its anti-malware on / off state from its parent policy or you can override the setting locally.

Real-Time Scan

Real-time scans continuously monitor for malware. Every time a file is received, opened, downloaded, copied, or modified, a real-time scan occurs. (In comparison, manual and scheduled scans only detect malware at specific times, when you run them.) If Deep Security detects no security risk, the file remains in its location and users can proceed to access the file. If Deep Security detects a security risk, it displays a notification message, showing the name of the infected file and the specific security risk.

Real-time scans require that you select a scan configuration and, optionally, a time period when real-time scanning will be in effect. Malware scan configurations determine which file types are scanned in which directories, what types of malware to scan for, and what to do with malware when it is detected. You can examine a Scan Configuration's properties by selecting it from the menu and then clicking Edit. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.

Manual Scan

Manual Scan is an on-demand scan and starts immediately after a user runs the scan on the computer. The time it takes to complete scanning depends on the number of files to scan and the computer's hardware resources.

To perform manual malware scans, you must select a scan configuration. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.

Scheduled Scan

Scheduled scans run automatically on the configured date and time. Use scheduled scan to automate routine scans and improve scan management efficiency.

To perform scheduled malware scans, you must select a scan configuration. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.

Malware Scan (Computer Editor only)

Displays the times and dates of the last manual and scheduled malware scans and allows you to perform or abort a quick or full malware scan.

Smart Protection

Smart Scan

Smart Scan shifts much of the malware and spyware scanning functionality to a Smart Protection server. Instead of downloading a complete malware pattern file to the local computer, a much smaller version of the pattern is downloaded which can identify files as either "confirmed safe", or "possibly dangerous". "Possibly dangerous" files are compared against the larger complete pattern files stored on Trend Micro Smart Protection Network to determine with certainty whether the files pose a danger or not. This method keeps locally stored pattern files small, and reduces the size and number of updates required by Agents/Appliances.

A computer that is configured to use Smart Scan does not download full anti-malware patterns to its local disk. So if your anti-malware license expires while a computer is configured to use Smart Scan, and you disable Smart Scan, the computer will not have any local patterns to use for anti-malware scans.

Smart Protection Server for File Reputation Service

Smart Protection Service for File Reputation supplies file reputation information required by Smart Scan. Select whether to connect directly to Trend Micro's Smart Protection Network service or whether to connect to one or more locally installed Smart Protection Servers.

Select the When off domain, connect to global Smart Protection Service (Windows only) option to use the global Smart Protection Service when the computer is off domain. The computer is considered to be off domain if it cannot connect to its domain controller. This option applies to Windows Agents only.

You can view and edit the list of available proxies on the Proxies tab on the Administration > System Settings screen.

Smart Protection Server Connection Warning

This option determines whether error events are generated and Alerts are raised if a computer loses its connection to the Smart Protection Server.

If you have a locally installed Smart Protection server, this option should be set to Yes on at least one computer so that you are notified if there is a problem with the Smart Protection server itself.

Advanced

Quarantined Files

Maximum disk space used to store quarantined files determines the disk quota for quarantined files. It applies globally to all computers: physical machines, virtual machines, and Virtual Appliances. The setting can be overridden at the Policy level and at the Computer level. If you are using a Virtual Appliance to provide protection to virtual machines, all quarantined files from the protected VMs will be stored on the Virtual Appliance. As a result, you should increase the amount of disk space for quarantined files on the Virtual Appliance.

The Virtual Appliance is not available with Deep Security as a Service.

Quarantined files will be automatically deleted from a Virtual Appliance under the following circumstances:

  • If a VM undergoes vMotion, quarantined files associated with that VM will be deleted from the Virtual Appliance.
  • If a VM is deactivated from the Deep Security Manager, quarantined files associated with that VM will be deleted from the Virtual Appliance.
  • If a Virtual Appliance is deactivated from the Deep Security Manager, all the quarantined files stored on that Virtual Appliance will be deleted.
  • If a Virtual Appliance is deleted from the vCenter, all the quarantined files stored on that Virtual Appliance will also be deleted.

Scan Limitation

Maximum file size to scan: Files exceeding this file size will not be scanned. (Setting a value of 0 means that there is no maximum size. All files will be scanned.)

Resource Allocation for Malware Scans

Use multithreaded processing for Malware Scans (if available) enables multi-threaded processing on systems that support this capability. It only applies to manual and scheduled scans, not to real-time scanning. To apply the setting, after you have enabled it, restart the computer.

Multi-threaded processing may reduce the number of CPU cores available at a given time to the computer's other processes.

Allowed Spyware / Grayware

Allowed Spyware/Grayware is a list of applications that have been identified as spyware / grayware by Deep Security, but that you want to override and allow.

This option is only effective on Windows computers. On Linux computers, you can achieve a similar result by using Scan Exclusion File Lists to identify specific files that should be ignored during Malware scans. Scan Exclusion objects are a property of Malware Scan Configurations, and Malware Scan Configurations are a property of Security Policies.

To specify a Scan Exclusion File List in a Malware Scan Configuration: in the Deep Security Manager, go to Policies > Common Objects > Malware Scan Configurations. You can specify a File List in the Scan Exclusions Area on the Exclusions tab of the Malware Scan Configuration's Properties window.

To select a Malware Scan Configuration in a Security Policy: open the Policy editor (go to the Policies page and double-click the policy that you want to edit, or select the policy and click Details) and, on the General tab, select the Malware Scan Configuration from the list in any of the Real-Time Scan, Manual Scan, or Scheduled Scan areas.

Applications in the Allowed Spyware/Grayware list will be ignored by the spyware/grayware scan engine. The presence of the applications will not be recorded or stored as Anti-Malware Events.

You can add software to this list in one of two ways: either add it using an anti-malware event where the application was detected, or manually enter the name of the spyware / grayware.

To add spyware/grayware to the list of allowed spyware/grayware using an Anti-Malware Event:

  1. Find the detection Event in the Anti-Malware Events page.
  2. Right-click on the Event.
  3. Select Allow.

If the application has already been detected by the scan engine, it may already have been quarantined or deleted, depending on what your current spyware/grayware settings are. If it has been quarantined you will have to restore or reinstall the application. See Anti-Malware > Quarantined Files for information on restoring quarantined files. Alternatively, you can run a spyware/grayware scan with Action set to "Pass" mode so that all spyware/grayware detections are recorded on the Anti-Malware Events page but "passed" over and neither quarantined nor deleted. You can then add the selected spyware/grayware to the allowed list using this method and afterwards set Action to "Quarantine" or "Delete" modes.

To manually add spyware/grayware to the list of allowed spyware/grayware:

Note the name of the application as it is displayed in the Anti-Malware Event log and add it manually to the Allowed Spyware/Grayware List.

Entries in this list are case-sensitive. They must appear exactly as they do in the Event log.
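The following model is an added example, not Trend Micro code, showing how three settings on this page interact for a single file: the two-tier Smart Scan lookup (and the no-local-patterns situation described under Smart Scan), the Maximum file size to scan limit with 0 meaning no maximum, and the case-sensitive Allowed Spyware/Grayware list. The pattern contents, hashes, detection names and the server lookup are constructed stand-ins, not Deep Security's pattern format or API.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the small Smart Scan pattern kept on the computer: it can
# only flag a file as "possibly dangerous"; anything not listed is "confirmed safe".
SMART_LOCAL_SUSPECT = {"b2", "c3"}
# Constructed stand-in for the complete pattern file an agent downloads when Smart
# Scan is off. Keys are file hashes, values are the detection names an event would show.
FULL_LOCAL_PATTERN = {"b2": "Trojan.Test", "c3": "Adware_Sample"}
# Constructed stand-in for the Smart Protection Network / local Smart Protection Server.
SMART_PROTECTION_SERVER = {"b2": "Trojan.Test", "c3": "Adware_Sample"}


@dataclass
class AntiMalwarePolicy:
    smart_scan: bool = True
    full_patterns_downloaded: bool = False  # False right after install, or while Smart Scan was on
    max_file_size: int = 0                   # Maximum file size to scan; 0 means no maximum
    allowed_grayware: set = field(default_factory=set)  # Allowed Spyware/Grayware names


def scan_file(policy: AntiMalwarePolicy, file_hash: str, size: int,
              server_reachable: bool = True) -> str:
    """Return 'skipped-size', 'clean', 'allowed', 'unscannable' or 'detected:<name>'."""
    # Scan Limitation: files larger than the maximum are not scanned at all.
    if policy.max_file_size and size > policy.max_file_size:
        return "skipped-size"
    if policy.smart_scan:
        # Tier 1: the small local pattern settles "confirmed safe" files on its own.
        if file_hash not in SMART_LOCAL_SUSPECT:
            return "clean"
        # Tier 2: "possibly dangerous" files are checked against the full pattern on
        # the Smart Protection server. This model gives no verdict when it is unreachable
        # (the situation the Smart Protection Server Connection Warning reports).
        if not server_reachable:
            return "unscannable"
        threat = SMART_PROTECTION_SERVER.get(file_hash)
    else:
        # Smart Scan off: only complete local patterns can be used. A computer that
        # never downloaded them has nothing to scan with.
        if not policy.full_patterns_downloaded:
            return "unscannable"
        threat = FULL_LOCAL_PATTERN.get(file_hash)
    if threat is None:
        return "clean"
    # Allowed Spyware/Grayware entries match exactly and are case-sensitive.
    if threat in policy.allowed_grayware:
        return "allowed"
    return f"detected:{threat}"
```

Note that an allowed-list entry differing only in case ("adware_sample" versus "Adware_Sample") does not suppress the detection, which is why the list must be copied exactly from the Event log.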

Local Event Notification

Display local notifications when malware is detected determines whether the Deep Security Notifier (if it is installed locally on the computer) will display a pop up notification that malware has been detected.

VM Scan Cache

Does not apply to Deep Security as a Service

Scan Caching is used by the Virtual Appliance to maximize the efficiency of Malware and Integrity Monitoring Scans of virtual machines. For information on Scan Cache configurations, see Virtual Appliance Scan Caching.

NSX Security Tags

Does not apply to Deep Security as a Service

Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat. NSX Security Tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. Consult your VMware NSX documentation for more information on NSX Security Tags and dynamic NSX Security Group assignment.

NSX Security Tags are part of the VMware vSphere NSX environment and are not to be confused with Deep Security Event Tags. For more information on Deep Security Event Tagging, see Apply tags to identify and group events.

You can choose to only apply the NSX Security Tag if the remediation action attempted by the Anti-Malware engine fails. (The remediation action is determined by the Malware Scan Configuration that is in effect. To see which Malware Scan Configuration is in effect, open the Computer or Policy editor (go to the Policies page and double-click the policy, or go to the Computers page and double-click the computer, or select it and click Details), go to Anti-Malware > General, and check the Real-Time Scan, Manual Scan, and Scheduled Scan areas.)

You can also choose to have the Security Tag removed if a subsequent Malware Scan does not detect any malware. You should only use this setting if all Malware Scans will be of the same kind.

Allowed Objects Identified by Suspicious Activity/Unauthorized Change scan

This feature is coming soon in Deep Security 10.

File Hash Calculation

This feature is coming soon in Deep Security 10.

Quarantined Files

Quarantined Files are displayed the same way as they are in the main Deep Security Manager window except that only files that were quarantined on this computer are listed. For more information, see Quarantined files.

Events

Anti-Malware Events are displayed the same way they are in the main Deep Security Manager window except that only events associated with this Policy or specific computer are displayed. For more information, see Anti-malware events.