Virus/Malware Scan Actions

The scan action OfficeScan performs depends on the virus/malware type and the scan type that detected the virus/malware. For example, when OfficeScan detects a Trojan horse program (virus/malware type) during Manual Scan (scan type), it cleans (action) the infected file.

For information on the different virus/malware types, see Viruses and Malware.

Scan Actions

The following are the actions OfficeScan can perform against viruses/malware:

Delete

OfficeScan deletes the infected file.

Quarantine

OfficeScan renames and then moves the infected file to a temporary quarantine directory on the client computer located in <Client installation folder>\Suspect.

The OfficeScan client then sends quarantined files to the designated quarantine directory. See Quarantine Directory for details.

The default quarantine directory is on the OfficeScan server, under <Server installation folder>\PCCSRV\Virus. OfficeScan encrypts quarantined files sent to this directory.

If you need to restore any of the quarantined files, use the VSEncrypt tool. For information on using this tool, see Server Tuner.

Clean

OfficeScan cleans the infected file before allowing full access to the file.

If the file is uncleanable, OfficeScan performs a second action, which can be one of the following actions: Quarantine, Delete, Rename, and Pass. To configure the second action, go to Networked Computers > Client Management > Settings > {Scan Type} > Action tab.

Rename

OfficeScan changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application.

The virus/malware may execute when a user opens the renamed infected file.

Pass

OfficeScan performs no action on the infected file but records the virus/malware detection in the logs. The file stays where it is located.

OfficeScan can only use this scan action when it detects any type of Virus (except Probable Virus/Malware) during Manual Scan, Scheduled Scan, and Scan Now. OfficeScan cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected will allow virus/malware to execute. All the other scan actions can be used during Real-time Scan.

For the "probable virus/malware" type, OfficeScan always performs no action on detected files (regardless of the scan type) to mitigate false positives. If further analysis confirms that probable virus/malware is indeed a security risk, a new pattern will be released to allow OfficeScan to perform the appropriate scan action. If it is actually harmless, the probable virus/malware will no longer be detected.

For example:

OfficeScan detects "x_probable_virus" on a file named "123.exe" and performs no action at the time of detection. Trend Micro then confirms that "x_probable_virus" is a Trojan horse program and releases a new Virus Pattern version. After loading the pattern's new version, OfficeScan will detect "x_probable_virus" as a Trojan program and, if the action against such programs is "Clean", will clean "123.exe".

Deny Access

This scan action can only be performed during Real-time Scan. When OfficeScan detects an attempt to open or execute an infected file, it immediately blocks the operation.

Users can manually delete the infected file.

Scan Action Options

When configuring the scan action, select from the following options:

Use ActiveAction

ActiveAction is a set of pre-configured scan actions for specific types of viruses/malware. Use ActiveAction if you are not sure which scan action is suitable for each type of virus/malware. With ActiveAction, you do not have to spend time customizing the scan actions.

The following table illustrates how ActiveAction handles each type of virus/malware:

Trend Micro recommended scan actions against viruses/malware

| Virus/Malware Type | Real-time Scan: First Action | Real-time Scan: Second Action | Manual Scan/Scheduled Scan/Scan Now: First Action | Manual Scan/Scheduled Scan/Scan Now: Second Action |
|---|---|---|---|---|
| Joke program | Quarantine | Delete | Quarantine | Delete |
| Trojan horse program | Quarantine | Delete | Quarantine | Delete |
| Virus | Clean | Quarantine | Clean | Quarantine |
| Test virus | Deny Access | N/A | Pass | N/A |
| Packer | Quarantine | N/A | Quarantine | N/A |
| Others | Clean | Quarantine | Clean | Quarantine |
| Probable virus/malware | Pass | N/A | Pass | N/A |

Use the same action for all virus/malware types

Select this option if you want the same action performed on all types of virus/malware, except probable virus/malware. For Probable Virus/Malware, the action is always "Pass".

Use a specific action for each virus/malware type

Manually select a scan action for each virus/malware type. For Probable Virus/Malware, no action is configurable and the action is always "Pass".

If you choose "Clean" as the first action, select a second action that OfficeScan performs if cleaning is unsuccessful. If the first action is not "Clean", no second action is configurable.
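
The rules above for manually selected scan actions can be checked mechanically. The following Python code is an added example, not part of OfficeScan or the original page: the policy layout, function names and sample values are hypothetical, and it assumes the Real-time Scan restriction on "Pass" applies to second actions as well as first actions. ActiveAction presets are not covered by this check.

```python
# Added example; the policy layout below is hypothetical, not an OfficeScan format.
REAL_TIME = "Real-time Scan"
SECOND_ACTIONS = {"Quarantine", "Delete", "Rename", "Pass"}
ALL_ACTIONS = SECOND_ACTIONS | {"Clean", "Deny Access"}
PROBABLE = "Probable virus/malware"


def check_action(scan_type, malware_type, first, second=None):
    """Return the rule violations for one (scan type, malware type) entry."""
    if malware_type == PROBABLE:
        # Probable virus/malware is always "Pass" and is not configurable.
        ok = first == "Pass" and second is None
        return [] if ok else ["probable virus/malware must be Pass, no second action"]
    problems = []
    for slot, action in (("first", first), ("second", second)):
        if action is None:
            continue
        if action not in ALL_ACTIONS:
            problems.append(f"{slot} action {action!r} is not a scan action")
        elif action == "Pass" and scan_type == REAL_TIME:
            # Assumption: the Real-time restriction on Pass covers both slots.
            problems.append(f"{slot} action Pass is not available in Real-time Scan")
        elif action == "Deny Access" and scan_type != REAL_TIME:
            problems.append(f"{slot} action Deny Access requires Real-time Scan")
    if first != "Clean" and second is not None:
        problems.append("a second action is configurable only when the first is Clean")
    elif first == "Clean" and second not in SECOND_ACTIONS:
        problems.append("Clean needs a second action: Quarantine, Delete, Rename or Pass")
    return problems


def audit_policy(policy):
    """Check a {scan_type: {malware_type: (first, second)}} policy."""
    findings = {}
    for scan_type, per_type in policy.items():
        for malware_type, (first, second) in per_type.items():
            problems = check_action(scan_type, malware_type, first, second)
            if problems:
                findings[(scan_type, malware_type)] = problems
    return findings


# Constructed sample policy with three deliberate misconfigurations.
SAMPLE_POLICY = {
    REAL_TIME: {"Virus": ("Clean", "Pass"), PROBABLE: ("Pass", None)},
    "Manual Scan": {"Test virus": ("Deny Access", None),
                    "Trojan horse program": ("Delete", "Quarantine")},
}
```
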

Quarantine Directory

If the action for an infected file is "Quarantine", the OfficeScan client encrypts the file and moves it to a temporary quarantine folder located in <Server installation folder>\SUSPECT and then sends the file to the designated quarantine directory. Accept the default quarantine directory, which is located on the OfficeScan server computer, or specify a different directory by typing the location in URL, UNC path, or absolute file path format.

Refer to the following table for guidance on when to use URL, UNC path, or absolute file path:

Quarantine directory

| Quarantine Directory | Accepted Format | Example | Notes |
|---|---|---|---|
| A directory on the OfficeScan server computer | URL | http://<osceserver> | This is the default directory. Configure settings for this directory, such as the size of the quarantine folder. For details, see Quarantine Manager. |
| A directory on the OfficeScan server computer | UNC path | \\<osceserver>\ofcscan\Virus | |
| A directory on another OfficeScan server computer (if you have other OfficeScan servers on the network) | URL | http://<osceserver2> | Ensure that clients can connect to this directory. If you specify an incorrect directory, the OfficeScan client keeps the quarantined files on the SUSPECT folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder". If you use UNC path, ensure that the quarantine directory folder is shared to the group "Everyone" and that you assign read and write permission to this group. |
| A directory on another OfficeScan server computer (if you have other OfficeScan servers on the network) | UNC path | \\<osceserver2>\ofcscan\Virus | |
| Another computer on the network | UNC path | \\<computer_name>\temp | |
| A different directory on the client computer | Absolute path | C:\temp | |

Back Up Files Before Cleaning

If OfficeScan is set to clean an infected file, it can first back up the file. This allows you to restore the file in case you need it in the future. OfficeScan encrypts the backup file to prevent it from being opened, and then stores the file in the <Client installation folder>\Backup folder.

To restore encrypted backup files, see Restoring Encrypted Files.

Display a Notification Message When Virus/Malware is Detected

When OfficeScan detects virus/malware during Real-time Scan and Scheduled Scan, it can display a notification message to inform the user about the detection.

To modify the notification message, go to Notifications > Client User Notifications > Virus/Malware tab.
