The Anti-Malware module provides agent computers with both real-time and on-demand
protection against file-based threats, including malware, viruses, Trojans, and spyware.
To identify threats, the Anti-Malware module checks files on the local hard drive
against a comprehensive threat database. The Anti-Malware module also checks files
for certain characteristics, such as compression and known exploit code.
Portions of the threat database are hosted on Trend Micro servers or stored locally
as patterns. Agents periodically download anti-malware patterns and updates to ensure
protection against the latest threats.
Note: A newly installed agent cannot provide anti-malware protection until it has contacted
an update server to download anti-malware patterns and updates. Ensure that your agents
can communicate with a relay or the Trend Micro Update Server after installation.
The Anti-Malware module eliminates threats while minimizing the impact on system performance.
The Anti-Malware module can clean, delete, or quarantine malicious files. It can also
terminate processes and delete other system objects that are associated with identified
threats.
To turn on and configure the Anti-Malware module, see Enable and configure Anti-Malware.
Types of malware scans
The Anti-Malware module performs several types of scans. See also Select the types of scans to perform.
Real-time scan
Scans a file immediately each time it is received, opened, downloaded, copied, or
modified. If the agent detects no security risk, the file remains in its location and
users can proceed to access the file. If the agent detects a security risk, it displays
a notification message that shows the name of the infected file and the specific
security risk.
Real-time scans are in effect continuously unless another time period is configured
using the Schedule option.
Note: For macOS agents, real-time scanning is supported continuously, but the
Schedule option is not currently supported.
Tip: You can configure real-time scanning to run when it will not have a large impact
on performance; for example, when a file server is scheduled to back up files.
This scan can run on all platforms supported by the Anti-Malware module.
Manual scan
Runs a full system scan on all processes and files on a computer. The time required
to complete a scan depends on the number of files to scan and the computer's hardware
resources. A manual scan requires more time than a Quick Scan.
A manual scan executes when Full Scan for Malware is clicked.
This scan can be run on all platforms supported by the Anti-Malware module.
Scheduled scan
Runs automatically on the configured date and time. Use scheduled scan to automate
routine scans and improve scan management efficiency.
A scheduled scan runs according to the date and time you specify when you create a
Scan computers for Malware task using scheduled tasks (see Schedule Server & Workload
Protection to perform tasks).
This scan can be run on all platforms supported by the Anti-Malware module.
Quick scan
Only scans a computer's critical system areas for currently active threats. A Quick
Scan will look for currently active malware but it will not perform deep file scans
to look for dormant or stored infected files. It is significantly faster than a Full
Scan on larger drives. Quick Scan is not configurable.
A Quick Scan runs when you click Quick Scan for Malware.
Note: Quick Scan can run only on Windows computers.
Scan objects and sequence
The following table lists the objects scanned during each type of scan and the sequence
in which they are scanned.
| Targets       | Full Scan (Manual or Scheduled) | Quick Scan |
|---------------|---------------------------------|------------|
| Drivers       | 1                               | 1          |
| Trojan        | 2                               | 2          |
| Process Image | 3                               | 3          |
| Memory        | 4                               | 4          |
| Boot Sector   | 5                               | -          |
| Files         | 6                               | 5          |
| Spyware       | 7                               | 6          |
Malware scan configurations
Malware scan configurations are sets of options that control the behavior of malware
scans. When you configure Anti-Malware using a policy or for a specific computer,
you select a malware scan configuration to use. You can create several malware scan
configurations and use them with different policies when different groups of computers
have different scan requirements.
Real-time, manual, and scheduled scans all use malware scan configurations. Server & Workload Protection provides a default malware scan
configuration for each type of scan. These scan configurations are used in the
default security policies. You can use the default scan configurations as-is, modify
them, or create your own.
Note: Quick Scans are not configurable, and do not use malware scan configurations.
You can specify which files and directories are included or excluded during a scan
and which actions are taken if malware is detected on a computer (for example, clean,
quarantine, or delete).
For more information, see Configure malware scans.
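The following is an added example, not code from Trend Micro or the Server & Workload Protection agent. It models what a malware scan configuration controls (include and exclude rules, and the action taken per malware type), runs a hash-based scan over a constructed directory tree, applies the configured action (quarantine, delete, or log only), and returns the event records an operator would later review or restore from, as described under Malware events below. The pattern entries, sample files, threat names, and the `.quar` naming are all constructed for the demo.

```python
"""Added example (not Trend Micro's code): a file scanner driven by a
malware scan configuration with include/exclude rules and per-type actions,
producing event records like those an agent would log."""
import fnmatch
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "pattern" entries: SHA-256 of content -> (malware type, threat name).
# Real pattern files are far richer; these hashes are of the strings built here.
SAMPLE_TROJAN = b"constructed sample: pretend trojan body\n"
SAMPLE_ADWARE = b"constructed sample: pretend adware body\n"
PATTERNS = {
    _sha256(SAMPLE_TROJAN): ("Trojan", "EXAMPLE_TROJAN"),
    _sha256(SAMPLE_ADWARE): ("Spyware/grayware", "EXAMPLE_ADWARE"),
}


@dataclass
class ScanConfig:
    """Subset of what a malware scan configuration controls (assumed shape)."""
    include: list = field(default_factory=lambda: ["*"])
    exclude: list = field(default_factory=list)
    actions: dict = field(default_factory=dict)   # malware type -> action
    default_action: str = "quarantine"


@dataclass
class MalwareEvent:
    path: str
    malware_type: str
    threat_name: str
    action: str
    sha256: str


def _selected(rel: str, cfg: ScanConfig) -> bool:
    inc = any(fnmatch.fnmatch(rel, p) for p in cfg.include)
    exc = any(fnmatch.fnmatch(rel, p) for p in cfg.exclude)
    return inc and not exc


def scan_directory(root: Path, cfg: ScanConfig, quarantine: Path) -> list:
    """Walk root, match each selected file's hash against PATTERNS, and apply
    the configured action. Returns the events generated, in path order."""
    events = []
    quarantine.mkdir(parents=True, exist_ok=True)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if not _selected(rel, cfg):
            continue
        digest = _sha256(path.read_bytes())
        hit = PATTERNS.get(digest)
        if hit is None:
            continue
        mtype, name = hit
        action = cfg.actions.get(mtype, cfg.default_action)
        if action == "quarantine":
            # Keep the sample for restore/analysis, outside its original location
            dest = quarantine / f"{digest}.quar"
            shutil.move(str(path), dest)
            os.chmod(dest, 0o600)
        elif action == "delete":
            path.unlink()
        # "pass" (log only) leaves the file in place
        events.append(MalwareEvent(str(path), mtype, name, action, digest))
    return events


def restore_from_quarantine(event: MalwareEvent, quarantine: Path) -> Path:
    """Put a quarantined file back, e.g. after confirming a false positive."""
    src = quarantine / f"{event.sha256}.quar"
    dest = Path(event.path)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), dest)
    return dest


def still_present(event: MalwareEvent) -> bool:
    return Path(event.path).exists()


def demo():
    """Build a constructed tree and run one scan; returns (events, quarantine dir)."""
    root = Path(tempfile.mkdtemp(prefix="scanroot-"))
    quarantine = Path(tempfile.mkdtemp(prefix="quarantine-"))
    (root / "bin").mkdir()
    (root / "logs").mkdir()
    (root / "bin" / "update.exe").write_bytes(SAMPLE_TROJAN)
    (root / "bin" / "toolbar.dll").write_bytes(SAMPLE_ADWARE)
    (root / "logs" / "app.log").write_bytes(SAMPLE_TROJAN)  # excluded directory
    (root / "readme.txt").write_bytes(b"benign text\n")
    cfg = ScanConfig(exclude=["logs/*"],
                     actions={"Trojan": "quarantine", "Spyware/grayware": "pass"})
    return scan_directory(root, cfg, quarantine), quarantine


if __name__ == "__main__":
    for ev in demo()[0]:
        print(f"{ev.malware_type:18} {ev.threat_name:16} {ev.action:10} {ev.path}")
```

The `logs/*` exclusion keeps the copy under `logs/` out of the scan entirely, and the grayware entry is logged but left in place, which mirrors the "approve" option described later for legitimate grayware.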
Malware events
When the agent detects malware it triggers an event that appears in the event log.
From there you can see information about the event, or create an exception for the
file in case of false positives. You can also restore files that are actually benign.
For details, see:
Smart Scan
Smart Scan uses threat signatures that are stored on Trend Micro servers and provides
several benefits:
- Provides fast, cloud-based, real-time security status lookups
- Reduces the time required to deliver protection against emerging threats
- Reduces network bandwidth consumed during pattern updates (bulk of pattern definition updates only need to be delivered to the cloud, not to many computers)
- Reduces cost and overhead of corporate-wide pattern deployments
- Lowers kernel memory consumption on computers (consumption increases minimally over time)
When Smart Scan is enabled, the agent first scans locally for security risks. If the
agent cannot assess the risk of the file during the scan, it will try to connect to a
local Smart Scan server. If no local Smart Scan Server is detected, the agent attempts
to connect to the Trend Micro Global Smart Scan server. For more information on this
feature, see Smart Protection in Server & Workload Protection.
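The lookup order just described, written out as an added example (not Trend Micro's code): local patterns are consulted first, then a local Smart Scan server, then the global server, with an unreachable tier skipped rather than aborting the query, and verdicts cached so a repeat query for the same hash stays local. The tier callables, the `Unreachable` exception, the hash values, and the verdict strings are assumptions made for the demo.

```python
"""Added example (not Trend Micro's code): Smart Scan's fallback chain as a
resolver that queries local patterns, then a local server, then the global
server, skipping tiers that cannot be reached and caching answers."""
from typing import Callable, Optional

Verdict = Optional[str]          # "malicious", "clean", or None = this tier cannot say
Lookup = Callable[[str], Verdict]


class Unreachable(Exception):
    """Raised by a tier that cannot be contacted (timeout, DNS failure, ...)."""


class SmartScanResolver:
    def __init__(self, local_patterns: dict, tiers: list):
        self.local_patterns = dict(local_patterns)   # hash -> verdict
        self.tiers = tiers                           # ordered [(name, lookup)]
        self.cache = {}                              # hash -> (verdict, tier)
        self.queries = {name: 0 for name, _ in tiers}  # how often each tier was asked

    def resolve(self, file_hash: str):
        """Return (verdict, source). Verdict is None if no tier could decide."""
        if file_hash in self.cache:
            return self.cache[file_hash]
        if file_hash in self.local_patterns:
            return self.local_patterns[file_hash], "local-pattern"
        for name, lookup in self.tiers:
            self.queries[name] += 1
            try:
                verdict = lookup(file_hash)
            except Unreachable:
                continue            # fall through to the next tier
            if verdict is not None:
                self.cache[file_hash] = (verdict, name)
                return verdict, name
        return None, "undetermined"


def make_demo_resolver() -> SmartScanResolver:
    """Constructed tiers: the local server is down, the global one answers."""
    def local_server(h: str) -> Verdict:
        raise Unreachable("local smart scan server not reachable")

    global_db = {"aa" * 32: "malicious", "bb" * 32: "clean"}

    def global_server(h: str) -> Verdict:
        return global_db.get(h)

    return SmartScanResolver(
        local_patterns={"cc" * 32: "malicious"},
        tiers=[("local-server", local_server), ("global-server", global_server)],
    )


if __name__ == "__main__":
    r = make_demo_resolver()
    for h in ["cc" * 32, "aa" * 32, "aa" * 32, "dd" * 32]:
        print(h[:8], r.resolve(h))
    print("tier queries:", r.queries)
```

The query counters make the bandwidth point visible: the second request for the same hash never leaves the agent, and a local-pattern hit never reaches any server.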
Predictive Machine Learning
Server & Workload Protection provides enhanced malware protection for unknown
threats and zero-day attacks through Predictive Machine Learning. Trend Micro
Predictive Machine Learning uses advanced machine learning technology to correlate
threat information and perform in-depth file analysis to detect emerging security
risks through digital DNA fingerprinting, API mapping, and other file features.
Predictive Machine Learning is effective in protecting against security breaches that
result from targeted attacks using techniques such as phishing and spear phishing.
In these cases, malware that is designed specifically to target your environment can
bypass traditional malware scanning techniques.
During real-time scans, when the agent detects an unknown or low-prevalence file,
the agent scans the file using the Advanced Threat Scan Engine (ATSE) to extract file
features. It then sends the report to the Predictive Machine Learning engine on the
Trend Micro Smart Protection Network. Through the use of malware modeling, Predictive
Machine Learning compares the sample to the malware model, assigns a probability score,
and determines the probable malware type that the file contains.
If the file is identified as a threat, the agent cleans, quarantines, or deletes the
file to prevent the threat from continuing to spread across your network.
For information about using Predictive Machine Learning, see Detect emerging threats using Predictive Machine Learning.
Malware types
The Anti-Malware module protects against many file-based threats. See also Scan for specific types of malware and Configure how to handle malware.
Virus
Viruses infect files by inserting malicious code. Typically, when an infected file
is opened the malicious code automatically runs and delivers a payload in addition
to infecting other files. Below are some of the more common types of viruses:
- COM and EXE infectors infect DOS and Windows executable files, which typically have COM and EXE extensions.
- Macro viruses infect Microsoft Office files by inserting malicious macros.
- Boot sector viruses infect the section of hard disk drives that contains operating system startup instructions.
The Anti-Malware module uses different technologies to identify and clean infected
files. The most traditional method is to detect the actual malicious code that is
used to infect files and strip infected files of this code. Other methods include
regulating changes to infectable files or backing up such files whenever suspicious
modifications are applied to them.
Trojans
Some malware does not spread by injecting code into other files. Instead, it has other
methods or effects:
- Trojans: Malware files that execute and infect the system when opened (like the mythological Trojan horse).
- Backdoors: Malicious applications that open port numbers to allow unauthorized remote users to access infected systems.
- Worms: Malware programs that use the network to propagate from system to system. Worms are known to propagate by taking advantage of social engineering through attractively packaged email messages, instant messages, or shared files. They are also known to copy themselves to accessible network shares and spread to other computers by exploiting vulnerabilities.
- Network viruses: Worms that are memory-only or packet-only programs (not file-based). Anti-Malware is unable to detect or remove network viruses.
- Rootkits: File-based malware that manipulate calls to operating system components. Applications, including monitoring and security software, need to make such calls for very basic functions, such as listing files or identifying running processes. By manipulating these calls, rootkits are able to hide their presence or the presence of other malware.
Packer
Packers are compressed and encrypted executable programs. To evade detection, malware
authors often pack existing malware under several layers of compression and encryption.
Anti-Malware checks executable files for compression patterns associated with malware.
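One of the generic characteristics a scanner can use when checking executables for packing is byte entropy: compressed or encrypted payloads look close to random (near 8 bits per byte), while ordinary code and data sit well below that. The following added example (not Trend Micro's code, and not how the Anti-Malware engine is implemented) computes per-window Shannon entropy and flags an image when enough windows are high-entropy. The threshold, window size, and the two constructed inputs are assumptions for the demo; real detection combines such heuristics with packer signatures and unpacking, because legitimately compressed resources also score high.

```python
"""Added example (not Trend Micro's code): a Shannon-entropy heuristic for
spotting packed or encrypted executables. Thresholds are illustrative."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy per fixed-size window, so a packed payload appended to an
    otherwise normal file still stands out instead of being averaged away."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, threshold: float = 7.2, min_fraction: float = 0.5) -> bool:
    """Flag when at least min_fraction of the windows exceed the threshold
    (assumed values; tune against your own corpus of known-good binaries)."""
    windows = windowed_entropy(data)
    if not windows:
        return False
    high = sum(1 for e in windows if e > threshold)
    return high / len(windows) >= min_fraction


# Constructed inputs: a "plain" image built from a repeating code-like stub
# and a "packed" one from a seeded PRNG standing in for compressed/encrypted data.
def constructed_plain(size: int = 8192) -> bytes:
    stub = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xc0\xc3\x90"
    return (stub * (size // len(stub) + 1))[:size]


def constructed_packed(size: int = 8192, seed: int = 1) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    for label, blob in [("plain", constructed_plain()),
                        ("packed", constructed_packed()),
                        ("plain+packed", constructed_plain(4096) + constructed_packed(4096))]:
        print(f"{label:13} entropy={shannon_entropy(blob):.2f} packed={looks_packed(blob)}")
```

The windowed variant matters for the layered case the text describes: a small loader stub followed by a large compressed body averages to a middling value over the whole file but is unmistakable window by window.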
Spyware/grayware
Spyware and grayware comprises applications and components that collect information
to be transmitted to a separate system or collected by another application. Spyware/grayware
detections, although exhibiting potentially malicious behavior, may include applications
used for legitimate purposes such as remote monitoring. Spyware/grayware applications
that are inherently malicious, including those that are distributed through known
malware channels, are typically detected as other Trojans.
Spyware and grayware applications are typically categorized as:
- Spyware: software installed on a computer to collect and transmit personal information.
- Dialers: malicious dialers are designed to connect through premium-rate numbers causing unexpected charges. Some dialers also transmit personal information and download malicious software.
- Hacking tools: programs or sets of programs designed to assist unauthorized access to computer systems.
- Adware (advertising-supported software): any software package that automatically plays, displays, or downloads advertising material.
- Cookies: text files stored by a Web browser. Cookies contain website-related data such as authentication information and site preferences. Cookies are not executable and cannot be infected; however, they can be used as spyware. Even cookies sent from legitimate websites can be used for malicious purposes.
- Keyloggers: software that logs user keystrokes to steal passwords and other private information. Some keyloggers transmit logs to remote systems.
What is grayware?
Although they exhibit what can be intrusive behavior, some spyware-like applications
are considered legitimate. For example, some commercially available remote control
and monitoring applications can track and collect system events and then send information
about these events to another system. System administrators and other users may find
themselves installing these legitimate applications. These applications are called
"grayware".
To provide protection against the illegitimate use of grayware, the Anti-Malware module
detects grayware but provides an option to "approve" detected applications and allow
them to run.
Cookie
Cookies are text files stored by a web browser, transmitted back to the web server
with each HTTP request. Cookies can contain authentication information, preferences,
and (in the case of stored attacks from an infected server) SQL injection and XSS
exploits.
Other threats
Other threats include malware not categorized under any of the malware types. This
category includes joke programs, which display false notifications or manipulate screen
behavior but are generally harmless.
Possible malware
Possible malware is a file that appears suspicious but cannot be classified as a specific
malware variant. When possible malware is detected, Trend Micro recommends that you
contact your support provider for assistance in further analysis of the file. By default,
these detections are logged and files are sent back to Trend Micro for analysis in
a protected manner.