The scan action OfficeScan performs depends on the virus/malware type and the scan type that detected the virus/malware. For example, when OfficeScan detects a Trojan horse program (virus/malware type) during Manual Scan (scan type), it cleans (action) the infected file.
For information on the different virus/malware types, see Viruses and Malware.
The following are the actions OfficeScan can perform against viruses/malware:
Action | Description
Delete | OfficeScan deletes the infected file.
Quarantine | OfficeScan renames and then moves the infected file to a temporary quarantine directory on the client computer located in <Client installation folder>\Suspect. The OfficeScan client then sends quarantined files to the designated quarantine directory. See Quarantine Directory for details. The default quarantine directory is on the OfficeScan server, under <Server installation folder>\PCCSRV\Virus. OfficeScan encrypts quarantined files sent to this directory. If you need to restore any of the quarantined files, use the VSEncrypt tool. For information on using this tool, see Server Tuner.
Clean | OfficeScan cleans the infected file before allowing full access to the file. If the file is uncleanable, OfficeScan performs a second action, which can be one of the following actions: Quarantine, Delete, Rename, and Pass. To configure the second action, go to Networked Computers > Client Management > Settings > {Scan Type} > Action tab. This action can be performed on all types of malware except probable virus/malware.
Rename | OfficeScan changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application. The virus/malware may execute when opening the renamed infected file.
Pass | OfficeScan can only use this scan action when it detects any type of Virus during Manual Scan, Scheduled Scan, and Scan Now. OfficeScan cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected will allow virus/malware to execute. All the other scan actions can be used during Real-time Scan.
Deny Access | This scan action can only be performed during Real-time Scan. When OfficeScan detects an attempt to open or execute an infected file, it immediately blocks the operation. Users can manually delete the infected file.
Different types of virus/malware require different scan actions. Customizing scan actions requires knowledge about virus/malware and can be a tedious task. OfficeScan uses ActiveAction to counter these issues.
ActiveAction is a set of pre-configured scan actions for viruses/malware. If you are not familiar with scan actions or if you are not sure which scan action is suitable for a certain type of virus/malware, Trend Micro recommends using ActiveAction.
Using ActiveAction provides the following benefits:
ActiveAction uses scan actions that are recommended by Trend Micro. You do not have to spend time configuring the scan actions.
Virus writers constantly change the way virus/malware attack computers. ActiveAction settings are updated to protect against the latest threats and the latest methods of virus/malware attacks.
ActiveAction is not available for spyware/grayware scan.
The following table illustrates how ActiveAction handles each type of virus/malware:
Trend Micro Recommended Scan Actions Against
Virus/ | Real-time Scan: First Action | Real-time Scan: Second Action | Manual Scan/Scheduled Scan/Scan Now: First Action | Manual Scan/Scheduled Scan/Scan Now: Second Action
Joke program | Quarantine | Delete | Quarantine | Delete
Trojan horse program | Quarantine | Delete | Quarantine | Delete
Virus | Clean | Quarantine | Clean | Quarantine
Test virus | Deny Access | N/A | Pass | N/A
Packer | Quarantine | N/A | Quarantine | N/A
Others | Clean | Quarantine | Clean | Quarantine
Probable virus/malware | Deny Access or user- | N/A | Pass or user- | N/A
For probable virus/malware, the default action is "Deny Access" during Real-time Scan and "Pass" during Manual Scan, Scheduled Scan, and Scan Now. If these are not your preferred actions, you can change them to Quarantine, Delete, or Rename.
Select this option if you want the same action performed on all types of virus/malware, except probable virus/malware. If you choose "Clean" as the first action, select a second action that OfficeScan performs if cleaning is unsuccessful. If the first action is not "Clean", no second action is configurable.
If you choose "Clean" as the first action, OfficeScan performs the second action when it detects probable virus/malware.
Manually select a scan action for each virus/malware type.
For all virus/malware types except probable virus/malware, all scan actions are available. If you choose "Clean" as the first action, select a second action that OfficeScan performs if cleaning is unsuccessful. If the first action is not "Clean", no second action is configurable.
For probable virus/malware, all scan actions, except "Clean", are available.
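The rules above for manually selected actions, combined with the scan-type limits on Pass and Deny Access, can be checked mechanically before a policy is entered in the console. The following Python checker is an added example, not Trend Micro code; the policy layout and function names are assumptions, and ActiveAction's own pairings (which include a second action after Quarantine) are outside its scope.

```python
# Added example, not Trend Micro code. Rules are transcribed from this page;
# the policy layout {type: (first_action, second_action)} is hypothetical.
REALTIME = "Real-time Scan"
ON_DEMAND = "Manual Scan/Scheduled Scan/Scan Now"
PROBABLE = "Probable virus/malware"
ACTIONS = {"Delete", "Quarantine", "Clean", "Rename", "Pass", "Deny Access"}
SECOND_ACTIONS = {"Quarantine", "Delete", "Rename", "Pass"}


def allowed(action, scan_type):
    """Apply the scan-type limits the page gives for Pass and Deny Access."""
    if action == "Pass":
        return scan_type == ON_DEMAND   # never during Real-time Scan
    if action == "Deny Access":
        return scan_type == REALTIME    # only during Real-time Scan
    return action in ACTIONS


def validate(policy, scan_type):
    """Return a list of rule violations for one scan type's custom actions."""
    problems = []
    for mtype, (first, second) in policy.items():
        if not allowed(first, scan_type):
            problems.append(f"{mtype}: '{first}' is not available for {scan_type}")
        if mtype == PROBABLE and first == "Clean":
            problems.append(f"{mtype}: 'Clean' is not available for this type")
        if first == "Clean":
            if second not in SECOND_ACTIONS:
                problems.append(f"{mtype}: 'Clean' needs a second action "
                                "(Quarantine, Delete, Rename or Pass)")
            elif not allowed(second, scan_type):
                # The Pass limit is applied to the second action as well.
                problems.append(f"{mtype}: '{second}' is not available for {scan_type}")
        elif second is not None:
            problems.append(f"{mtype}: a second action only applies after 'Clean'")
    return problems


# Constructed sample policy with deliberate mistakes.
SAMPLE = {
    "Virus": ("Clean", "Quarantine"),
    "Packer": ("Delete", "Quarantine"),   # second action without Clean
    "Test virus": ("Pass", None),         # Pass is invalid during Real-time Scan
    PROBABLE: ("Clean", "Quarantine"),    # Clean on probable virus/malware
}

if __name__ == "__main__":
    for line in validate(SAMPLE, REALTIME):
        print(line)
```

Run against the sample, the checker reports three problems for Real-time Scan and two for the on-demand scan types, because Pass is acceptable there.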
If the action for an infected file is "Quarantine", the OfficeScan client encrypts the file and moves it to a temporary quarantine folder located in <Server installation folder>\SUSPECT and then sends the file to the designated quarantine directory.
You can restore encrypted quarantined files in case you need to access them in the future. For details, see Restoring Encrypted Files.
Accept the default quarantine directory, which is located on the OfficeScan server computer. The directory is in URL format and contains the server’s host name or IP address.
If the server is managing both IPv4 and IPv6 clients, use the host name so that all clients can send quarantined files to the server.
If the server only has or is identified by its IPv4 address, only pure IPv4 and dual-stack clients can send quarantined files to the server.
If the server only has or is identified by its IPv6 address, only pure IPv6 and dual-stack clients can send quarantined files to the server.
You can also specify an alternative quarantine directory by typing the location in URL, UNC path, or absolute file path format. Clients should be able to connect to this alternative directory. For example, the alternative directory should have an IPv6 address if it will receive quarantined files from dual-stack and pure IPv6 clients. Trend Micro recommends designating a dual-stack alternative directory, identifying the directory by its host name, and using UNC path when typing the directory.
Refer to the following table for guidance on when to use URL, UNC path, or absolute file path:
Quarantine Directory
Quarantine Directory | Accepted Format | Example | Notes
A directory on the OfficeScan server computer | URL | http:// | This is the default directory. Configure settings for this directory, such as the size of the quarantine folder. For details, see Quarantine Manager.
A directory on the OfficeScan server computer | UNC path | \\<osceserver>\ |
A directory on another OfficeScan server computer (if you have other OfficeScan servers on the network) | URL | http:// | Ensure that clients can connect to this directory. If you specify an incorrect directory, the OfficeScan client keeps the quarantined files on the SUSPECT folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder". If you use UNC path, ensure that the quarantine directory folder is shared to the group "Everyone" and that you assign read and write permission to this group.
A directory on another OfficeScan server computer (if you have other OfficeScan servers on the network) | UNC path | \\<osceserver2>\ |
Another computer on the network | UNC path | \\<computer_ |
A different directory on the client computer | Absolute path | C:\temp |
If OfficeScan is set to clean an infected file, it can first back up the file. This allows you to restore the file in case you need it in the future. OfficeScan encrypts the backup file to prevent it from being opened, and then stores the file in the <Client installation folder>\Backup folder.
To restore encrypted backup files, see Restoring Encrypted Files.
Damage Cleanup Services cleans computers of file-based and network viruses, and virus and worm remnants (Trojans, registry entries, and viral files).
The client triggers Damage Cleanup Services before or after virus/malware scanning, depending on the scan type.
When Manual Scan, Scheduled Scan, or Scan Now runs, the client triggers Damage Cleanup Services first and then proceeds with virus/malware scanning. During virus/malware scanning, the client may trigger Damage Cleanup Services again if cleanup is required.
During Real-time Scan, the client first performs virus/malware scanning and then triggers Damage Cleanup Services if cleanup is required.
You can select the type of cleanup that Damage Cleanup Services runs:
Standard cleanup: The client performs any of the following actions during standard cleanup:
Detects and removes live Trojans
Kills processes that Trojans create
Repairs system files that Trojans modify
Deletes files and applications that Trojans drop
Advanced cleanup: In addition to the standard cleanup actions, the client stops activities by rogue security software, also known as FakeAV. The client also uses advanced cleanup rules to proactively detect and stop applications that exhibit FakeAV behavior.
While providing proactive protection, advanced cleanup also results in a high number of false positives.
Damage Cleanup Services does not run cleanup on probable virus/malware unless you select the option Run cleanup when probable virus/malware is detected. You can only select this option if the action on probable virus/malware is not Pass or Deny Access. For example, if the client detects probable virus/malware during Real-time Scan and the action is quarantine, the client first quarantines the infected file and then runs cleanup if necessary. The cleanup type (standard or advanced) depends on your selection.
When OfficeScan detects virus/malware during Real-time Scan and Scheduled Scan, it can display a notification message to inform the user about the detection.
To modify the notification message, go to Notifications > Client User Notifications > Virus/Malware tab.
When OfficeScan detects probable virus/malware during Real-time Scan and Scheduled Scan, it can display a notification message to inform the user about the detection.
To modify the notification message, go to Notifications > Client User Notifications > Virus/Malware tab.