When you enable real-time scanning, it continuously runs in the background of your Portal. Similarly, scheduled scans occur automatically according to the configured schedule. You can disable real-time and scheduled scans without affecting your scan configuration settings. When you decide to resume real-time scanning, simply re-enable the scan.
If you disable real-time scanning, background scanning and file blocking will not occur, making your Portal vulnerable to infection. If you disable scheduled scanning, scanning and blocking of your SQL content store will not occur. Disabling scheduled scanning makes your system vulnerable to infected files being stored on your SharePoint servers.
By default, PortalProtect scans all files on your SharePoint Portal servers, which provides the maximum security. However, scanning every single file requires a lot of time and resources. Therefore, you may wish to consider limiting the number of files PortalProtect includes in its Real-time, Manual, and Scheduled scans.
You can configure PortalProtect to limit scanning to the following files:
All scannable files: scans all content passing through or being stored on the SharePoint environment.
IntelliScan: use Trend Micro IntelliScan to perform an efficient scan.
Scan specific file types: PortalProtect provides a list of file extensions and true file types, from which you can choose for scanning. You can add to this list by typing the file extension in the Specify file extensions configuration field.
Most antivirus solutions today offer you two options in determining which files to scan for potential threats. PortalProtect will either scan all files (the safest approach), or only true file types and those files with certain file extensions. However, a trend of disguising files by changing the extension makes the latter option less effective.
IntelliScan™ is a Trend Micro technology that identifies a file’s “true file type,” regardless of the file name extension. IntelliScan uses a method of identifying which files to scan that is more efficient than the standard Scan All files option.
IntelliScan examines the header of every file but, based on certain indicators, selects for virus scanning only those files that it determines are susceptible to infection.
Because IntelliScan scans only files that are vulnerable to infection, using IntelliScan brings you the following benefits:
Performance optimization. IntelliScan uses fewer system resources than the Scan All option.
Shorter scanning period. The scan time is shorter than when you Scan All files.
When PortalProtect is set to scan true file types, the scan engine examines the file header rather than the file name to ascertain the actual file type. For example, if the scan engine is set to scan all executable files and it encounters a file named family.gif, the scan engine will not assume the file is a graphic file and cease scanning. Instead, it opens the file header and examines the internally registered data type to determine whether the file is indeed a graphic file or, for example, an executable that someone renamed to avoid detection.
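The header check described above, as an added example that is not Trend Micro's implementation: a simplified sketch that decides by leading bytes, not by file name, whether a file falls under a "scan executables" policy. The signature subset, the extension mapping, the function names and the sample inputs are assumptions constructed for illustration.

```python
import os

# Well-known leading-byte signatures (a small, illustrative subset).
SIGNATURES = [
    (b"MZ", "exe"),                  # DOS/PE executable
    (b"\x7fELF", "elf"),             # ELF executable
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),          # also OOXML/JAR containers
]
# Extensions treated as consistent with each detected type (assumed policy).
EXPECTED_EXT = {
    "exe": {".exe", ".dll", ".scr"}, "elf": {"", ".so"},
    "gif": {".gif"}, "jpg": {".jpg", ".jpeg"}, "png": {".png"},
    "pdf": {".pdf"}, "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
}

def true_type(header: bytes) -> str:
    """Return the type implied by the file's first bytes, ignoring its name."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"

def classify(name: str, header: bytes, scan_types=("exe", "elf")) -> dict:
    """Decide by header whether a file falls under a 'scan these types' policy."""
    kind = true_type(header)
    ext = os.path.splitext(name)[1].lower()
    return {
        "name": name,
        "true_type": kind,
        # A recognised header under an extension of another type is a disguise signal.
        "mismatch": kind != "unknown" and ext not in EXPECTED_EXT[kind],
        # Unrecognised headers are scanned rather than skipped (fail closed).
        "scan": kind in scan_types or kind == "unknown",
    }

# Constructed sample inputs: file name plus the first bytes of its content.
SAMPLES = [
    ("family.gif", b"MZ\x90\x00\x03\x00\x00\x00"),   # executable renamed to .gif
    ("photo.gif", b"GIF89a\x10\x00\x10\x00"),         # genuine GIF
    ("notes.dat", b"\x00\x01plain data"),             # no known signature
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(classify(name, header))
```

The renamed executable is selected for scanning and flagged as a mismatch, while the genuine GIF is skipped under this policy; skipping by type is the time saving, and the residual risk, that the surrounding text describes.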
True file type scanning works in conjunction with Trend Micro IntelliScan to scan only those file types known to be of potential danger. These technologies can mean a reduction in the overall number of files that the scan engine must examine (perhaps as much as a two-thirds reduction), but it comes at the cost of potentially higher risk.
For example, .gif and .jpg files make up a large volume of all Web traffic, but they cannot harbor viruses, launch executable code, or carry out any known or theoretical exploits. Does this mean they are safe? Not entirely. It is possible for a malicious hacker to give a harmful file a “safe” file name to smuggle it past the scan engine and onto the network. This file could cause damage if someone renamed it and ran it.
For the highest level of security, Trend Micro recommends scanning all files.
When PortalProtect detects a file that matches your blocking or scanning configurations, it executes an action to protect your SharePoint environment. The type of action it executes depends on the type of scan it is performing (Real-time, Manual, or Scheduled) and the type of actions you have configured for that scan. Each time that PortalProtect executes an action, it logs an event. You can query these log events from the Logs menu.
Choose whether to set up a backup folder.
When you set up a backup folder, PortalProtect sends a copy of the file to the backup folder before it performs the configured actions.
Configure the action that PortalProtect executes when it detects viruses or malicious code. You can configure PortalProtect to use ActiveAction™ or configure a custom action. ActiveAction takes the most appropriate action based on the threat type.
You can set PortalProtect to back up a file to the Backup folder before it executes an action on it. This is a safety precaution designed to protect the original file from damage.
Backed up files should be deleted soon after you determine whether the modified file is usable and undamaged after PortalProtect executes an action on it. If the file is damaged or unusable, be sure to send it to Trend Micro for further analysis. It’s important to remember that even though PortalProtect may completely clean and remove a virus, the virus may have damaged the file code beyond repair.