Malware Scan Configurations

You can configure anti-malware scans to change how Deep Security detects viruses and spyware, and how files are handled when Deep Security determines that they are infected.

CPU usage and RAM usage vary with your anti-malware configuration. To optimize anti-malware performance on Deep Security Agent, see Performance tips for anti-malware.

Configuration options include what files to scan, whether the scanning is done in real time or on a scheduled basis, and what actions to carry out if malware is detected. This page lets you define global Malware Scan Configurations. How, in what combination, and when these configurations are in effect on a computer is set at the Policy and at the computer levels. Like most settings in Deep Security, many global settings can be overridden at the Policy and computer levels. (See Policies, Inheritance and Overrides for more information.)

There are two kinds of Malware Scan Configurations: Real-time Scan and Manual/Scheduled Scan. While most actions are available to both types of scans, some actions, like Deny Access, are available to Real-time Scans only, and other options, like CPU Usage, are available to Manual/Scheduled Scans only.

From the global Malware Scan Configuration page you can:

  • Create New Real-time or Manual/Scheduled Scan configurations.
  • Import an existing Scan Configuration from an XML file (located under the New menu).
  • View the Properties of a Malware Scan Configuration.
  • Duplicate (and then modify) existing configurations.
  • Delete the highlighted configuration from the configuration list.
  • Export the displayed or selected configuration to an XML or CSV file.
  • Add or Remove Columns from the display.
  • Search for a particular configuration.

Properties

General Information

  • Name and description of the Malware Scan Configuration, and whether this is a Real-Time or a Manual/Scheduled scan type.

Scan Settings

  • Directories to scan: Specify which directories to scan for malware. You can scan All directories or select from a defined Directory List.
  • Files to scan: Specify which files to scan for malware. Choose between All files, File types scanned by IntelliScan, or choose from a defined File Extension List (which will scan all files with the extensions defined in the list).
    IntelliScan only scans file types that are vulnerable to infection (for example, .zip or .exe). IntelliScan does not rely on file extensions to determine file type but instead reads the header and/or content of a file to determine whether it should be scanned. Compared to scanning all files, using IntelliScan provides a performance boost by reducing the total number of files to scan.

Exclusions

Allows you to exclude specific directories, files, and file extensions from being scanned. For example, if you are creating a Malware Scan Configuration for a Microsoft Exchange server, you should exclude the SMEX quarantine folder to avoid re-scanning files that have already been confirmed to be malware.

The scan exclusion directory settings accept either forward slash "/" or backslash "\" to support both Windows and Linux conventions.

The following entries describe the syntax available for defining Directory List exclusions:

  • Directory (format: DIRECTORY): Excludes all files in the specified directory and all files in all subdirectories.
    Example: C:\Program Files\ excludes all files in the "Program Files" directory and all subdirectories.
  • Directory with wildcard (*) (format: DIRECTORY\*\): Excludes any subdirectories with any subdirectory name, but does not exclude the files in the specified directory.
    Examples:
    C:\abc\*\ excludes all files in all subdirectories of "abc" but does not exclude the files in the "abc" directory.
    C:\abc\wx*z\ (Windows) matches C:\abc\wxz\ and C:\abc\wx1\2\3z\.
    /abc/wx*z/ (non-Windows) matches /abc/wxz/ and /abc/wx123z/, but does not match /abc/wx1/2/3z/.
    C:\abc\*wx\ (Windows) matches C:\abc\wx\ and C:\abc\123\wx\.
    /abc/*wx/ (non-Windows) matches /abc/123wx/, but does not match /abc/123/wx/.
  • Environment variable (format: ${ENV VAR}): Excludes all files and subdirectories defined by an environment variable with the format ${ENV VAR}. For a Virtual Appliance, the value pairs for the environment variable must be defined in Policy/Computer Editor > Settings > General > Environment Variable Overrides.
    Example: ${windir}. If the variable resolves to "c:\windows", this excludes all the files in "c:\windows" and all its subdirectories.
  • Comments (format: DIRECTORY #Comment): Allows you to add comments to your exclusion definitions.
    Example: c:\abc #Exclude the abc directory

The following entries describe the syntax available for defining File List exclusions:

  • File (format: FILE): Excludes all files with the specified file name regardless of their location or directory.
    Example: abc.doc excludes all files named "abc.doc" in all directories. Does not exclude "abc.exe".
  • File path (format: FILEPATH): Excludes the specific file specified by the file path.
    Example: C:\Documents\abc.doc excludes only the file named "abc.doc" in the "Documents" directory.
  • File path with wildcard (*) (format: FILEPATH): Excludes all the specific files specified by the file path. For Windows platforms only.
    Example: C:\Documents\abc.co* excludes any file that has a file name of "abc" and an extension beginning with ".co" in the "Documents" directory.
  • File with wildcard (*) (format: FILE*): Excludes all files with a matching pattern in the file name.
    Examples:
    abc*.exe excludes any file that has a prefix of "abc" and an extension of ".exe".
    *.db matches 123.db and abc.db; does not match 123db, 123.abd, or cbc.dba.
    *db matches 123.db, 123db, ac.db, acdb, and db; does not match db123.
    wxy*.db matches wxy.db and wxy123.db; does not match wxydb.
  • File with wildcard (*) (format: FILE.EXT*): Excludes all files with a matching pattern in the file extension.
    Examples:
    abc.v* excludes any file that has a file name of "abc" and an extension beginning with ".v".
    abc.*pp matches abc.pp and abc.app; does not match wxy.app.
    abc.a*p matches abc.ap and abc.a123p; does not match abc.pp.
    abc.* matches abc.123 and abc.xyz; does not match wxy.123.
  • File with wildcard (*) (format: FILE*.EXT*): Excludes all files with a matching pattern in the file name and in the extension.
    Example: a*c.a*p matches ac.ap, a123c.ap, ac.a456p, and a123c.a456p; does not match ad.aa.
  • Environment variable (format: ${ENV VAR}): Excludes files specified by an environment variable with the format ${ENV VAR}. These can be defined or overridden using Policy/Computer Editor > Settings > General > Environment Variable Overrides.
    Example: ${myDBFile} excludes the file "myDBFile".
  • Comments (format: FILEPATH #Comment): Allows you to add comments to your exclusion definitions.
    Example: C:\Documents\abc.doc #This is a comment
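The matching rules from the Directory List and File List entries above, as an added Python example that is not Deep Security's own code: an asterisk in a directory exclusion may span path separators on Windows but not on other platforms, a bare file name applies in every directory, and trailing comments and ${ENV VAR} references are resolved before matching. Case-sensitive comparison and the dict that supplies environment-variable values are assumptions.

```python
import re

# Constructed example: a matcher for the Directory List and File List exclusion
# syntax described in the entries above. It is not Deep Security's own code.
# Assumed simplifications: case-sensitive matching, and "${ENV VAR}" values
# come from a plain dict standing in for Environment Variable Overrides.

_ENV_RE = re.compile(r"\$\{([^}]+)\}")


def _normalise(path, windows):
    # Both slashes are accepted in exclusions; fold to the platform separator.
    return path.replace("/", "\\") if windows else path.replace("\\", "/")


def _prepare(pattern, env, windows):
    # Drop a trailing " #comment", expand ${VAR} and normalise separators.
    pattern = pattern.split(" #", 1)[0].strip()
    pattern = _ENV_RE.sub(lambda m: env.get(m.group(1), m.group(0)), pattern)
    return _normalise(pattern, windows)


def dir_excludes(pattern, path, env=None, windows=True):
    """True if 'path' lies in (or below) a directory matched by 'pattern'.

    On Windows a '*' in a directory pattern may span subdirectories
    (C:\\abc\\wx*z\\ matches C:\\abc\\wx1\\2\\3z\\); on non-Windows it stays
    within a single path component, as the entries above show.
    """
    sep = "\\" if windows else "/"
    pat = _prepare(pattern, env or {}, windows)
    if not pat.endswith(sep):
        pat += sep
    star = ".*" if windows else "[^/]*"
    regex = "".join(star if c == "*" else re.escape(c) for c in pat)
    # The pattern must match a directory prefix of the path; anything may follow.
    return re.match(regex, _normalise(path, windows)) is not None


def file_excludes(pattern, path, env=None, windows=True):
    """True if 'path' matches a File List entry (FILE, FILEPATH or wildcards)."""
    sep = "\\" if windows else "/"
    pat = _prepare(pattern, env or {}, windows)
    path = _normalise(path, windows)
    if not windows and sep in pat and "*" in pat:
        return False  # the entries mark wildcard file paths as Windows only
    star = "[^\\\\]*" if windows else "[^/]*"  # '*' never crosses a separator
    regex = "".join(star if c == "*" else re.escape(c) for c in pat)
    # A bare file name (no separator) applies in every directory, so it is
    # compared against the final path component only.
    subject = path if sep in pat else path.rsplit(sep, 1)[-1]
    return re.fullmatch(regex, subject) is not None
```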

The following entries describe the syntax available for defining File Extension List exclusions:

  • File Extension (format: EXT): Excludes all files with a matching file extension.
    Example: doc excludes all files with a ".doc" extension in all directories.
  • Comments (format: EXT #Comment): Allows you to add comments to your exclusion definitions.
    Example: doc #This is a comment

The following entries describe the syntax available for defining Process Image File List exclusions (Real-Time Scans only):

  • File path (format: FILEPATH): Excludes the specific Process Image file specified by the file path.
    Example: C:\abc\file.exe excludes only the file named "file.exe" in the "abc" directory.

Upon detection

If you select Use action determined by ActiveAction, Deep Security can automatically decide which action to perform when it detects malware. ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly.

When the agent downloads virus pattern updates from an ActiveUpdate server or relay, it may change its ActiveAction scan actions.

The following entries list the actions that ActiveAction takes for each malware type (Real-Time Scan action; Manual/Scheduled Scan action):

  • Virus (Real-Time: Clean; Manual/Scheduled: Clean): Viruses are able to infect normal files by inserting malicious code. Typically, whenever an infected file is opened, the malicious code automatically runs and delivers a payload in addition to infecting other files. Some of the more common types of viruses include COM and EXE infectors, macro viruses, and boot sector viruses.
  • Trojan (Real-Time: Quarantine; Manual/Scheduled: Quarantine): Trojans are non-infecting executable malware files that do not have file infection capabilities.
  • Packer (Real-Time: Quarantine; Manual/Scheduled: Quarantine): Packers are compressed and/or encrypted executable programs. To evade detection, malware authors often pack existing malware under several layers of compression and encryption. Anti-malware checks executable files for compression patterns associated with malware.
  • Spyware (Grayware) (Real-Time: Quarantine; Manual/Scheduled: Quarantine): Although possibly legitimate, grayware exhibits spyware-like behavior and may be unwanted.
  • Possible malware (Real-Time: Pass; Manual/Scheduled: Pass): Files detected as possible malware are typically unknown malware components. By default, these detections are logged and files are anonymously sent back to Trend Micro for analysis.
  • Cookies (Real-Time: N/A; Manual/Scheduled: Delete): Cookies are text files stored by a web browser, transmitted back to the web server with each HTTP request. Cookies can contain authentication information, preferences, and (in the case of stored attacks from an infected server) SQL injection and XSS exploits.
  • Other Threats (Real-Time: Clean; Manual/Scheduled: Clean): The Other Threats category includes joke programs, which display false notifications or manipulate screen behavior, but are generally harmless.

Alternatively, you can manually specify the actions you want Deep Security to take upon detecting malware. There are five possible actions that Deep Security can take when it encounters an infected file:

  1. Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event will still be recorded.)
  2. Clean: Cleans a cleanable file before allowing full access to the file. (Not available for Possible Malware.)
  3. Delete: Deletes the infected file.
  4. Deny Access: This scan action can only be performed during Real-time scans. When Deep Security detects an attempt to open or execute an infected file, it immediately blocks the operation. If a Malware Scan Configuration with the "Deny Access" option selected is applied during a Manual or Scheduled scan, a "Pass" action will be applied and an Anti-Malware Event will be recorded.
  5. Quarantine: Moves the file to the quarantine directory on the computer or Virtual Appliance. (Once quarantined, you can download the file to a location of your choice. See Anti-Malware > Quarantined Files for more information.)

Possible malware

Select an action to take if a file is identified as possible malware. Possible malware is a file that appears suspicious but cannot be classified as a specific malware variant. If you leave this option set to "Default", the action will be what was selected in Upon Detection, above. When possible malware is detected, Trend Micro recommends that you contact your support provider for assistance in further analysis of the file.

General Options

  • Enable Spyware/Grayware Scan: The spyware scan engine scans for spyware/grayware and performs the actions specified on the Actions tab.
  • Scan Compressed Files: Specify under what conditions to scan a file and whether to scan compressed files.
    • Maximum levels of compression from which to extract files: A file or group of files can undergo more than one round of compression. This option lets you specify through how many levels of compression you want Deep Security to scan.
    • Maximum size of individual extracted files: The maximum size of the individual files in a compressed archive to scan.
      Scanning large files with multiple layers of compression can affect performance.
    • Maximum number of files to extract: The maximum number of files to extract from a compressed archive and scan.
  • Scan Embedded Microsoft Office Objects: Certain versions of Microsoft Office use Object Linking and Embedding (OLE) to insert files and other objects into Office files. These embedded objects can contain malicious code. Because embedded objects can contain other objects, there can be multiple layers of embedding within a single Office file. To reduce the impact on performance, you can select to scan only a few layers of embedded objects within each file.
    • Scan for exploit code in Microsoft Office Objects: Exploit Detection heuristically identifies malware by checking Microsoft Office files for exploit code.
    The specified number of layers is applicable to both OLE objects and Scan for exploit options.
  • Enable IntelliTrap (Real-Time scan only): Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering your network by blocking real-time compressed executable files and pairing them with other malware characteristics. (IntelliTrap only works in Real-Time mode.)
    Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting or cleaning) files when you enable IntelliTrap. If users regularly exchange real-time compressed executable files, disable IntelliTrap. IntelliTrap uses the virus scan engine, IntelliTrap Pattern, and IntelliTrap Exception Pattern.
  • Enable Network Directory Scan (Real-Time scan only): To scan files and folders in network shares and mapped network drives, enable this option.
    Resources accessed in "~/.gvfs" via GVFS, a virtual file system available for the GNOME desktop, will be treated as local resources, not network drives.
  • Scan files when (Real-Time scan only): Choose between scanning files only when they are opened for reading, or when they are opened for both reading and writing.
  • CPU Usage (Manual/Scheduled scan only): Specifies the CPU resources allocated to scanning.
    • High: Scans files one after another without pausing
    • Medium: Recommended; pauses when overall CPU usage exceeds 50%
    • Low: Pauses when overall CPU usage exceeds 20%
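The three Scan Compressed Files limits above (levels of compression, size of an individual extracted file, number of files to extract) are what keep a nested or oversized archive from exhausting the scanner. As an added example that is not Deep Security's code, the Python below walks a nested zip in memory and stops where each limit would; the limit values, function names and record format are assumptions for illustration.

```python
import io
import zipfile

# Constructed example (not Deep Security's code): walk a compressed archive the
# way the three Scan Compressed Files limits bound the work, so that a nested
# or oversized archive cannot exhaust the scanner. The limit values, names and
# record format are assumptions for illustration.

LIMIT_LEVELS = 2         # maximum levels of compression to extract
LIMIT_BYTES = 1_000_000  # maximum size of an individual extracted file
LIMIT_FILES = 20         # maximum number of files to extract

def walk_archive(data, level=1, budget=None):
    """Return the list of scan records reached within the limits.

    Each record is (name, level, reason), where reason is "scanned" or the
    limit that stopped extraction. 'budget' tracks the file count across the
    whole nested archive, not per level.
    """
    budget = budget if budget is not None else [LIMIT_FILES]
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if budget[0] <= 0:
                records.append((info.filename, level, "max files"))
                return records
            budget[0] -= 1
            # Check the declared size before extracting so a single member
            # cannot force the scanner to decompress far more than allowed.
            if info.file_size > LIMIT_BYTES:
                records.append((info.filename, level, "max size"))
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                if level >= LIMIT_LEVELS:
                    records.append((info.filename, level, "max levels"))
                    continue
                records.extend(walk_archive(member, level + 1, budget))
            else:
                records.append((info.filename, level, "scanned"))
    return records

def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```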

Alert

Select whether an Alert is raised if this Malware Scan Configuration triggers an event.

Assigned To

Indicates which Policies and computers are using this particular Malware Scan Configuration.