Virus/Malware Scan Actions

The scan action OfficeScan performs depends on the virus/malware type and the scan type that detected the virus/malware. For example, when OfficeScan detects a Trojan horse program (virus/malware type) during Manual Scan (scan type), it cleans (action) the infected file.

For information on the different virus/malware types, see Viruses and Malware.

Scan Actions

The following are the actions OfficeScan can perform against viruses/malware:

Delete

OfficeScan deletes the infected file.

Quarantine

OfficeScan renames and then moves the infected file to a temporary quarantine directory on the client computer located in <Client installation folder>\Suspect.

The OfficeScan client then sends quarantined files to the designated quarantine directory. See Quarantine Directory for details.

The default quarantine directory is on the OfficeScan server, under <Server installation folder>\PCCSRV\Virus. OfficeScan encrypts quarantined files sent to this directory.

If you need to restore any of the quarantined files, use the VSEncrypt tool. For information on using this tool, see Server Tuner.

Clean

OfficeScan cleans the infected file before allowing full access to the file.

If the file is uncleanable, OfficeScan performs a second action, which can be one of the following actions: Quarantine, Delete, Rename, and Pass. To configure the second action, go to Networked Computers > Client Management > Settings > {Scan Type} > Action tab.

Rename

OfficeScan changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application.

The virus/malware may execute when opening the renamed infected file.

Pass

OfficeScan performs no action on the infected file but records the virus/malware detection in the logs. The file stays where it is located.

OfficeScan can only use this scan action when it detects any type of Virus (except "Probable Virus/Malware") during Manual Scan, Scheduled Scan, and Scan Now. OfficeScan cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected will allow virus/malware to execute. All the other scan actions can be used during Real-time Scan.

For the "probable virus/malware" type, OfficeScan always performs no action on detected files (regardless of the scan type) to mitigate False Positive. If further analysis confirms that probable virus/malware is indeed a security risk, a new pattern will be released to allow OfficeScan to perform the appropriate scan action. If actually harmless, probable virus/malware will no longer be detected.

For example:

OfficeScan detects "x_probable_virus" on a file named "123.exe" and performs no action at the time of detection. Trend Micro then confirms that "x_probable_virus" is a Trojan horse program and releases a new Virus Pattern version. After loading the pattern's new version, OfficeScan will detect "x_probable_virus" as a Trojan program and, if the action against such programs is "Clean", will clean "123.exe".

Deny Access

This scan action can only be performed during Real-time Scan. When OfficeScan detects an attempt to open or execute an infected file, it immediately blocks the operation.

Users can manually delete the infected file.

Scan Action Options

When configuring the scan action, select from the following options:

Use ActiveAction

ActiveAction is a set of pre-configured scan actions for specific types of viruses/malware. Use ActiveAction if you are not sure which scan action is suitable for each type of virus/malware. With ActiveAction, you do not have to spend time customizing the scan actions.

The following table illustrates how ActiveAction handles each type of virus/malware:

Trend Micro recommended scan actions against viruses/malware

Virus/
Malware Type

Real-time Scan

Manual Scan/Scheduled Scan/Scan Now

 

First Action

Second Action

First Action

Second Action

Joke program

Quarantine

N/A

Quarantine

N/A

Trojan horse program

Quarantine

N/A

Quarantine

N/A

Virus

Clean

Quarantine

Clean

Quarantine

Test virus

Deny Access

N/A

Pass

N/A

Packer

Quarantine

N/A

Quarantine

N/A

Others

Clean

Quarantine

Clean

Quarantine

Probable virus/malware

Pass

N/A

Pass

N/A

Use the same action for all virus/malware types

Select this option if you want the same action performed on all types of virus/malware, except probable virus/malware. For Probable Virus/Malware, the action is always "Pass".

Use a specific action for each virus/malware type:

Manually select a scan action for each virus/malware type. For Probable Virus/Malware, no action is configurable and the action is always "Pass".

If you choose "Clean" as the first action, select a second action that OfficeScan performs if cleaning is unsuccessful. If the first action is not "Clean", no second action is configurable.

Quarantine Directory

If the action for an infected file is "Quarantine", the OfficeScan client encrypts the file and moves it to a temporary quarantine folder located in <Server installation folder>\SUSPECT and then sends the file to the designated quarantine directory. Accept the default quarantine directory, which is located on the OfficeScan server computer, or specify a different directory by typing the location in URL, UNC path, or absolute file path format.

Refer to the following table for guidance on when to use URL, UNC path, or absolute file path:

Quarantine directory

Quarantine Directory

Accepted Format

Example

Notes

A directory on the OfficeScan server computer

URL

http://
<osceserver>

This is the default directory.

Configure settings for this directory, such as the size of the quarantine folder. For details, see Quarantine Manager.

UNC path

\\<osceserver>\
ofcscan\Virus

A directory on another OfficeScan server computer (if you have other OfficeScan servers on the network)

URL

 

http://
<osceserver2>

 

Ensure that clients can connect to this directory. If you specify an incorrect directory, the OfficeScan client keeps the quarantined files on the SUSPECT folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder".

If you use UNC path, ensure that the quarantine directory folder is shared to the group "Everyone" and that you assign read and write permission to this group.

UNC path

\\<osceserver2>\
ofcscan\Virus

Another computer on the network

UNC path

\\<computer_
name>\temp

A different directory on the client computer

Absolute path

C:\temp

Back Up Files Before Cleaning

If OfficeScan is set to clean an infected file, it can first back up the file. This allows you to restore the file in case you need it in the future. OfficeScan encrypts the backup file to prevent it from being opened, and then stores the file on the <Client installation folder>\Backup folder.

To restore encrypted backup files, see Restoring Encrypted Files.

Display a Notification Message When Virus/Malware is Detected

When OfficeScan detects virus/malware during Real-time Scan and Scheduled Scan, it can display a notification message to inform the user about the detection.

To modify the notification message, go to Notifications > Client User Notifications > Virus/Malware tab.

See also: