Anti-malware settings

The Anti-Malware section of the Computer or Policy editor has the following tabbed sections. You can change these settings for a policy or for a specific computer: to change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details); to change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).

Anti-malware modules in Deep Security Agent and Virtual Appliances provide both real-time and on-demand protection against threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, anti-malware checks file signatures or monitors process behaviors against a comprehensive threat database, portions of which are hosted on servers or kept locally as patterns that can be updated. Anti-malware also checks files for certain characteristics, such as compression and known exploit code.

To address threats, anti-malware selectively performs actions that contain and remove the threats while minimizing system impact. Anti-malware can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.

CPU usage and RAM usage vary with your anti-malware configuration. To optimize anti-malware performance on Deep Security Agent, see Performance tips for anti-malware.
A newly installed Deep Security Agent cannot provide anti-malware protection until it has contacted an update server to download anti-malware patterns and updates. Verify that your Deep Security Agents can communicate with a Deep Security Relay or the global Trend Micro Update Servers after installation.

General

Anti-Malware State

Turn anti-malware on or off. You can configure this policy or computer to inherit its anti-malware on/off state from its parent policy, or you can override the setting locally.

Real-Time Scan

Real-time scans continuously monitor for malware. Every time a file is received, opened, downloaded, copied, or modified, a real-time scan occurs. (In comparison, manual and scheduled scans only detect malware at specific times, when you run them.) If Deep Security detects no security risk, the file remains in its location and users can proceed to access the file. If Deep Security detects a security risk, it displays a notification message, showing the name of the infected file and the specific security risk.

Real-time scans require that you select a scan configuration and, optionally, a time period when real-time scanning will be in effect. Malware scan configurations determine which file types are scanned in which directories, what types of malware to scan for, and what to do with malware when it is detected. You can examine a Scan Configuration's properties by selecting it from the menu and then clicking Edit. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.

Manual Scan

Manual Scan is an on-demand scan and starts immediately after a user runs the scan on the computer. The time it takes to complete scanning depends on the number of files to scan and the computer's hardware resources.

To perform manual malware scans, you must select a scan configuration. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.

Scheduled Scan

Scheduled scans run automatically on the configured date and time. Use scheduled scan to automate routine scans and improve scan management efficiency.

To perform scheduled malware scans, you must select a scan configuration. To configure malware scan configurations, go to Policies > Common Objects > Other > Malware Scan Configurations.

Malware Scan (Computer Editor only)

Displays the times and dates of the last manual and scheduled malware scans and allows you to perform or abort a quick or full malware scan.

Smart Protection

Smart Scan

Smart Scan shifts much of the malware and spyware scanning functionality to a Smart Protection server. Instead of downloading a complete malware pattern file to the local computer, a much smaller version of the pattern is downloaded which can identify files as either "confirmed safe", or "possibly dangerous". "Possibly dangerous" files are compared against the larger complete pattern files stored on Trend Micro Smart Protection Network to determine with certainty whether the files pose a danger or not. This method keeps locally stored pattern files small, and reduces the size and number of updates required by Agents/Appliances.

A computer that is configured to use Smart Scan does not download full anti-malware patterns to its local disk. So if your anti-malware license expires while a computer is configured to use Smart Scan, and you disable Smart Scan, the computer will not have any local patterns to use for anti-malware scans.

Smart Protection Server for File Reputation Service

Smart Protection Service for File Reputation supplies file reputation information required by Smart Scan. Select whether to connect directly to Trend Micro's Smart Protection Network service or whether to connect to one or more locally installed Smart Protection Servers.

Select the When off domain, connect to global Smart Protection Service (Windows only) option to use the global Smart Protection Service when the computer is off domain. The computer is considered to be off domain if it cannot connect to its domain controller. (This option applies to Windows Agents only.)

You can view and edit the list of available proxies on the Proxies tab on the Administration > System Settings screen.

Smart Protection Server Connection Warning

This option determines whether error events are generated and Alerts are raised if a computer loses its connection to the Smart Protection Server.

If you have a locally installed Smart Protection Server, set this option to Yes on at least one computer so that you are notified if there is a problem with the Smart Protection Server itself.

Connected Threat Defense

This is new in Deep Security 10.

Does not apply to Deep Security as a Service

Connected Threat Defense provides enhanced malware protection for new and emerging threats by setting up a connection between Deep Security and Trend Micro’s sandboxing technology, Deep Discovery Analyzer. For details, see Detect emerging threats using Connected Threat Defense.

Submit files identified as suspicious by Document Exploit Protection scanning to Deep Discovery Analyzer: If you want Deep Security to send suspicious files to Deep Discovery Analyzer, set this option to Yes or Inherited (Yes).

Use Control Manager’s Suspicious Object List: If you have set up a connection between Deep Security and Trend Micro Control Manager and you want to use the suspicious object list from the Control Manager to detect malicious files, set this option to Yes or Inherited (Yes).

Advanced

Identified Files

Maximum disk space used to store identified files determines the disk quota for identified files. It applies globally to all computers: physical machines, virtual machines, and Virtual Appliances. The setting can be overridden at the policy level and at the computer level. If you are using a Virtual Appliance to provide protection to virtual machines, all identified files from the protected VMs will be stored on the Virtual Appliance. As a result, you should increase the amount of disk space for identified files on the Virtual Appliance.

The Virtual Appliance is not available with Deep Security as a Service.

Identified files will be automatically deleted from a Virtual Appliance under the following circumstances:

  • If a VM undergoes vMotion, identified files associated with that VM will be deleted from the Virtual Appliance.
  • If a VM is deactivated from the Deep Security Manager, identified files associated with that VM will be deleted from the Virtual Appliance.
  • If a Virtual Appliance is deactivated from the Deep Security Manager, all the identified files stored on that Virtual Appliance will be deleted.
  • If a Virtual Appliance is deleted from the vCenter, all the identified files stored on that Virtual Appliance will also be deleted.

Scan Limitation

Maximum file size to scan: Files exceeding this file size will not be scanned. (Setting a value of 0 means that there is no maximum size. All files will be scanned.)

Resource Allocation for Malware Scans

Use multithreaded processing for Malware Scans (if available) enables multi-threaded processing on systems that support this capability. It only applies to manual and scheduled scans, not to real-time scanning. To apply the setting, after you have enabled it, restart the computer.

Multi-threaded processing may reduce the number of CPU cores available at a given time to the computer's other processes.

Allowed Spyware / Grayware

Allowed Spyware/Grayware is a list of applications that have been identified as spyware / grayware by Deep Security, but that you want to override and allow.

You can add software to this list in one of two ways: either add it using an anti-malware event where the application was detected, or manually enter the name of the spyware / grayware.

To add spyware/grayware to the list of allowed spyware/grayware using an Anti-Malware Event:

  1. Find the detection event in the Events & Reports > Events > Anti-Malware Events page.
  2. Right-click the event.
  3. Click Allow.

If the application has already been detected by the scan engine, it may already have been quarantined or deleted, depending on your current spyware/grayware settings. If it has been quarantined, you will have to restore or reinstall the application. See Restore quarantined files for information on restoring quarantined files. Alternatively, you can run a spyware/grayware scan with Action set to "Pass" mode so that all spyware/grayware detections are recorded on the Anti-Malware Events page but "passed" over and neither quarantined nor deleted. You can then add the selected spyware/grayware to the allowed list using this method and afterwards set Action back to "Quarantine" or "Delete" mode.

To manually add spyware/grayware to the list of allowed spyware/grayware:

Note the name of the application as it is displayed in the Anti-Malware Event log and add it manually to the Allowed Spyware/Grayware List.

Entries in this list are case-sensitive. They must appear exactly as they do in the Event log.

Local Event Notification

Display local notifications when malware is detected determines whether the Deep Security Notifier (if it is installed locally on the computer) will display a pop up notification that malware has been detected.

Document Exploit Protection Rule Exceptions

Document Exploit Protection Rule Exceptions is a list of Deep Security rules that have identified files as suspicious, but whose detections you want to override and allow. You can add rules to this list in one of two ways: either add one using an anti-malware event in which the rule fired, or manually enter the name of the rule.

To add rules to the list of document exploit protection rule exceptions using an Anti-Malware Event:

  1. Find the detection event in the Events & Reports > Events > Anti-Malware Events page.
  2. Right-click the event.
  3. Select Allow.

To manually add rules to the list of document exploit protection rule exceptions, note the name of the rule as it is displayed in the Anti-Malware Event log and add it manually to the Document Exploit Protection Rule Exceptions.

Entries in this list are case-sensitive. They must appear exactly as they do in the Event log.

VM Scan Cache

Does not apply to Deep Security as a Service

Scan Caching is used by the Virtual Appliance to maximize the efficiency of Malware and Integrity Monitoring Scans of virtual machines. For information on Scan Cache configurations, see Virtual Appliance Scan Caching.

NSX Security Tagging

Does not apply to Deep Security as a Service

Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat. NSX Security Tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. Consult your VMware NSX documentation for more information on NSX Security Tags and dynamic NSX Security Group assignment.

NSX Security Tags are part of the VMware vSphere NSX environment and are not to be confused with Deep Security Event Tags. For more information on Deep Security Event Tagging, see Apply tags to identify and group events.

You can choose to only apply the NSX Security Tag if the remediation action attempted by the Anti-Malware engine fails. (The remediation action is determined by the Malware Scan Configuration that is in effect. To see which Malware Scan Configuration is in effect, go to the Computer or Policy editor > Anti-Malware > General tab and check the Real-Time Scan, Manual Scan, and Scheduled Scan areas.)

You can also choose to have the Security Tag removed if a subsequent Malware Scan does not detect any malware. You should only use this setting if all Malware Scans will be of the same kind.

Behavior Monitoring Protection Exceptions

Behavior Monitoring Protection Exceptions is a list of files that have been identified as malware by Deep Security, but that you want to override and allow. You can add files to this list in one of two ways: either add one using an anti-malware event where the file was detected, or manually enter the file.

To add files to the list of behavior monitoring protection exceptions using an anti-malware event:

  1. Find the detection event in the Events & Reports > Events > Anti-Malware Events page.
  2. Right-click the event.
  3. Click Allow.

To manually add files to the list of behavior monitoring protection exceptions, note the file as it is displayed in the Anti-Malware Event log and add it manually to the Behavior Monitoring Protection Exceptions list.

Entries in this list are case-sensitive. They must appear exactly as they do in the Event log.

File Hash Calculation

Deep Security can calculate the hash value of a malware file and display it on the Events & Reports > Events > Anti-Malware Events page. Because a particular piece of malware can go by several different names, the hash value is useful because it uniquely identifies the malware. You can use the hash value when looking up information about the malware from other sources.

To change the current file hash settings for this policy:

  1. Clear the Default or Inherited checkbox. (Default is displayed for a root policy; Inherited is displayed for child policies.)

    When Inherited is selected, the file hash settings are inherited from the current policy's parent policy.

    When Default is selected, Deep Security does not calculate any hash values.

  2. Select the Calculate hash values of all anti-malware events option.
  3. By default, Deep Security produces SHA-1 hash values. If you want to produce additional hash values, you can also select MD5 and/or SHA256.
  4. You can also change the maximum size of malware files that will have hash values calculated. The default is to skip files that are larger than 128 MB, but you can change the value to anything between 64 and 512 MB.
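As an added illustration (not Deep Security's own code), the following Python models the hash-calculation rules described above: SHA-1 is always produced, MD5 and SHA256 are optional extras, the size cap defaults to 128 MB and must lie between 64 and 512 MB, and a file over the cap gets no hashes at all. It streams the file so an over-size file is abandoned as soon as the cap is crossed; the function and constant names are assumptions.

```python
import hashlib
import io

MB = 1024 * 1024
DEFAULT_MAX_MB = 128          # default cap from the setting described above
MIN_MAX_MB, MAX_MAX_MB = 64, 512
OPTIONAL_ALGORITHMS = ("md5", "sha256")


def validate_max_size_mb(max_mb):
    """Reject cap values outside the 64-512 MB range the setting accepts."""
    if not MIN_MAX_MB <= max_mb <= MAX_MAX_MB:
        raise ValueError(
            f"max size must be between {MIN_MAX_MB} and {MAX_MAX_MB} MB")
    return max_mb


def event_hashes(data, extra=(), max_mb=DEFAULT_MAX_MB, chunk=1 << 20):
    """Return {algorithm: hexdigest} for a detected file, or None when the
    file exceeds the configured cap.  `data` is either bytes (constructed
    sample content) or any object with a .read(n) method."""
    validate_max_size_mb(max_mb)
    for name in extra:
        if name not in OPTIONAL_ALGORITHMS:
            raise ValueError(f"unsupported optional hash: {name}")
    # SHA-1 is always computed; MD5/SHA256 only when selected.
    hashers = {"sha1": hashlib.sha1()}
    hashers.update({name: hashlib.new(name) for name in extra})
    stream = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    limit = max_mb * MB
    total = 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        total += len(block)
        if total > limit:
            return None      # over the cap: skip, do not report any hash
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}
```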

Identified Files

Identified Files are displayed the same way as they are in the main Deep Security Manager window except that only files that were identified on this computer are listed. For more information, see Identified files.

Events

Anti-Malware Events are displayed the same way they are in the main Deep Security Manager window except that only events associated with this Policy or specific computer are displayed. For more information, see Anti-malware events.