Scan Problems

SPYWARE/GRAYWARE SCAN

Real-time Scan detects spyware/grayware already added to the approved list.

SCAN RESULTS

Scan results display in the virus/malware or spyware/grayware logs. Take the necessary steps if virus/malware scan action is unsuccessful or if spyware/grayware scan requires user action.

Virus/Malware scan results

1. Scan action is successful

• Deleted

• Quarantined

• Cleaned

• Renamed

• Passed

• Passed a potential security risk. MORE >>

  Explanation: See http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=POSSIBLE_VIRUS.

  Solution: Refer to http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=POSSIBLE%5FVIRUS&VSect=Sn.

   

• Access denied

2. Scan action is unsuccessful

• Unable to clean or quarantine/delete/rename the file. MORE >>

  Explanation: Clean is the first action, Quarantine/Delete/Rename is the second action, and both actions are unsuccessful.

  Solution: Refer to the following scan results below:

  Unable to clean the file

  Unable to quarantine/delete/rename the file

   

• Unable to send the quarantined file to the designated quarantine folder. MORE >>

  Explanation: Although OfficeScan successfully quarantined a file in the \Suspect folder of the client computer, it cannot send the file to the designated quarantine directory.

  Solution:

  To troubleshoot the problem, determine which scan type (Manual Scan, Real-time Scan, Scheduled Scan, or Scan Now) detected the virus/malware and then check the quarantine directory specified in Networked Computers > Client Management > Settings > {Scan Type} > Action tab.

   

  A. The quarantine directory is on the OfficeScan server computer.

  • Check if the client can connect to the server.

  • If you use URL as the quarantine directory format:

  • Make sure the computer name you specify after "http://" is correct.

  • Check the size of the infected file. If it exceeds the maximum file size specified in Administration > Quarantine Manager, adjust the setting to accommodate the file. You may also take other actions such as deleting the file.

  • Check the size of the quarantine directory folder and determine whether it has exceeded the folder capacity specified in Administration > Quarantine Manager. You can either adjust the folder capacity or manually delete files in the quarantine directory.

  • If you use UNC path, make sure the quarantine directory folder is shared to the group "Everyone" and that you assign read and write permission to this group. Also check if the quarantine directory folder exists and if the UNC path is correct.

   

  B. The quarantine directory is on another OfficeScan server computer.

  Perform the same actions as in item A above. However for the 4th and 5th bullet items, check the settings on the Web console of the other OfficeScan server.

   

  C. The quarantine directory is on another computer on the network.

  • Note: You can only use UNC path for this scenario.

  • Check if the client can connect to the computer.

  • Make sure the quarantine directory folder is shared to the group "Everyone" and that you assign read and write permission to this group.

  • Check if the quarantine directory folder exists.

  • Check if the UNC path is correct.

   

  D. The quarantine directory is on a different directory on the client computer.

  • Note: You can only use absolute path for this scenario.

  • Check if the quarantine directory folder exists.

   

• Unable to quarantine/delete/rename the file. MORE >>

  Explanation 1: The infected file may be locked by another application, is executing, or is in a CD. OfficeScan will quarantine/delete/rename the file after the application releases the file or after it has been executed.

  Solution: For infected files in the CD, Trend Micro recommends not using the CD as the virus may infect other computers on the network.

   

  Explanation 2: The infected file is in the Temporary Internet Files folder of the client computer. Since the computer downloads files while you are browsing the Web, the Web browser may have locked the infected file. When the Web browser releases the file, OfficeScan will quarantine/delete/rename the file.

  Solution: None

   

• Unable to clean the file. MORE >>

  Explanation 1: The infected file is in the Temporary Internet Files folder of the client computer. Since the computer downloads files while you are browsing the Web, the Web browser may have locked the infected file. When the Web browser releases the file, OfficeScan will clean the file.

  Solution: N/A

   

  Explanation 2: The Virus Scan Engine does not clean the following files:

  • Files infected with Trojans: Trojans are programs that perform unexpected or unauthorized, usually malicious, actions such as displaying messages, erasing files, or formatting disks. Trojans do not infect files, thus cleaning is not necessary.

  Solution: OfficeScan uses the Virus Cleanup Engine and Virus Cleanup Template to remove Trojans.

  • Files infected with worms: A computer worm is a self-contained program (or set of programs) able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments. Worms are uncleanable because the file is a self-contained program.

  Solution: Trend Micro recommends deleting worms.

  • Write-protected infected files

  Solution: Remove the write-protection to allow OfficeScan to clean the file.

  • Password-protected files (for example, password-protected compressed files or password-protected Microsoft Word files)

  Solution: Remove the password protection for OfficeScan to clean these files.

  • Backup files: Files with the RB0~RB9 extensions are backup copies of infected files. OfficeScan creates a backup of the infected file in case the virus/malware damaged the file during the cleaning process.

  Solution: If OfficeScan successfully cleans the infected file, you do not need to keep the backup copy. If your system functions normally, you may delete the backup file.

  • Infected files in the Recycle Bin: OfficeScan may not remove infected files in the Recycle Bin because the system is running.

  Solution: Delete infected files in the Recycle Bin. MORE >>

  For computers running Windows 2000/XP/Server 2003 with NTFS File System:

  1. Log on to the computer with Administrator privilege.

  2. Close all running applications to prevent applications from locking the file, which would make Windows unable to delete it.

  3. Open the command prompt, and type the following to delete the files:

  cd \

  cd recycled

  del *.* /S

  The last command deletes all files in your Recycle Bin.

   

  For computers running other Operating Systems (or NT platforms without NTFS):

  1. Restart the computer in MS-DOS mode.

  2. Open a command prompt, and type the following to delete the files:

  cd \

  cd recycled

  del *.* /S

  The last command deletes all files in your Recycle Bin.

  3. Restart your computer in normal mode.

   

  • Infected files in Windows Temp folder or Internet Explorer temporary folder: OfficeScan may not clean infected files in the Windows Temp folder or the Internet Explorer temporary folder because the computer uses them. The files to clean may be temporary files needed for Windows operation.

  Solution:

  Delete infected files in the Windows Temp folder. MORE >>

  For computers running Windows 2000/XP/Server 2003 with NTFS File System:

  1. Log on to the computer with Administrator privilege.

  2. Close all running applications to prevent applications from locking the file, which would make Windows unable to delete it.

  3. Open the command prompt and go to the Windows Temp folder (located at C:\\Windows\Temp for Windows XP/Server 2003 computers and at C:\\WinNT\Temp for Windows NT/2000 computers by default).  

  4. Type the following to delete the files:

  cd temp

  attrib -h

  del *.* /S

  The last command deletes all files in the Windows Temp folder.

   

  For computers running other operating systems (or those without NTFS):

  1. Restart your computer in MS-DOS mode.

  2. At the command prompt, go to the Windows Temp folder. The default Windows Temp folder in Windows XP/Server 2003 is C:\Windows\Temp. The default Windows Temp folder in Windows 2000 is C:\WinNT\Temp.

  3. Open the command prompt, and type the following to delete the files:

  cd temp

  attrib –h

  del *.* /S

  The last command deletes all files in your Windows Temp folder.

  4. Restart your computer in normal mode.

   

  Delete infected files in the Internet Explorer temporary folder. MORE >>

  For computers running Windows 2000/XP/Server 2003 with NTFS File System:

  1. Log on to the computer with Administrator privilege.

  2. Close all running applications to prevent applications from locking the file, which would make Windows unable to delete it.

  3. Open a command prompt and go to the Internet Explorer Temp folder (located in C:\\Documents and Settings\{Your user name}\Local Settings\Temporary Internet Files for Windows 2000/XP/Server 2003 computers by default).  

  4. Type the following to delete the files:

  cd tempor~1

  attrib -h

  del *.* /S

  The last command deletes all files in your Internet Explorer temporary folder.

   

  For computers running other operating systems (or those without NTFS):

  1. Restart your computer in MS-DOS mode.

  2. At the command prompt, go to the Internet Explorer temporary folder. The default Internet Explorer temporary folder in Windows 2000/XP/Server 2003 is C:\Documents and Settings\{Your user name}\Local Settings\Temporary Internet Files.

  3. Type the following commands:

  cd tempor~1

  attrib –h

  del *.* /S

  The last command deletes all files in your Internet Explorer temporary folder.

  4. Restart your computer in normal mode.

   

   

• Passed: Real-time Scan takes the "Pass" action on files infected with a boot virus even if the scan action is Clean (first action) and Quarantine (second action). MORE >>

  Explanation: One of the specifications of Real-time Scan is to pass boot viruses because attempting to clean a boot virus may damage the Master Boot Record (MBR) of the infected computer.

  Solution: Run Manual Scan so OfficeScan can clean or quarantine the file.

   

Spyware/Grayware scan results

1. Scan action is successful

The first level result is "Successful, no action required". The second level results are as follows:

• Cleaned

• Passed

• Access denied

2. Result requires user action

The first level result is "Further action required". The second level results will have at least one of the following messages:

• Spyware/Grayware unsafe to clean. MORE >>

  Explanation: This message displays if the Spyware Scan Engine attempts to clean any single folder and the following criteria are met:

  • Items to clean exceed 250MB.

  • The operating system uses the files in the folder. The folder may also be necessary for normal system operation.

  • The folder is a root directory (such as C: or F:)

  Solution: Contact your Support provider for assistance.

   

• Spyware/Grayware scan stopped manually. Please perform a complete scan.

• Spyware/Grayware cleaned, restart required. Please restart the computer.

• Spyware/Grayware scan result unidentified. Please contact Trend Micro technical support.