Malware scan configurations are reusable saved settings that you can apply when
configuring Anti-Malware in a policy or for a computer. A malware scan configuration
specifies what types of malware scanning Server & Workload Protection performs and which files it scans. Some policy properties also affect the
behavior of malware scans.
TipCPU usage and RAM usage varies by your Anti-Malware configuration.
To optimize Anti-Malware performance on the agent, see Performance tips for Anti-Malware.
|
Create or edit a malware scan configuration
Create or edit a malware scan configuration to control the behavior of a real-time,
manual, or scheduled scan. (For more information, see Malware
scan configurations.) You can create multiple malware scan configurations
as required.
-
After you create a malware scan configuration, you can then associate it with a scan in a policy or computer (see Select the types of scans to perform)
-
When you edit a malware scan configuration that a policy or computer is using, the changes affect the scans that are associated with the configuration.
TipTo create a malware scan configuration that is similar to an
existing one, duplicate the existing configuration and then edit it.
|
You can create two types of malware scan configurations according to the type of scan
it controls (see Types of
malware scans):
-
Real-time scan configuration: Controls real-time scans. Some actions such as Deny Access are only available to real-time scan configurations.
-
Manual/scheduled scan configuration: Controls either manual or scheduled scans. Some options such as CPU Usage are only available to manual/scheduled scan configurations.
Server & Workload Protection provides a default malware scan
configuration for each type of scan.
- Go to .
- To create a scan configuration, click New and then click New
Real-Time Scan Configuration or New Manual/Scheduled Scan
Configuration.
- Type a name to identify the scan configuration. You see the name in a list when configuring malware scans in a policy.
- (Optional) Type a description that explains the use case for the configuration.
- To view and edit an existing scan configuration, select it and click Properties.
- To duplicate a scan configuration, select it and click Duplicate.
TipTo see the policies and computers that are using a malware scan
configuration, see the AssignedTo tab of the properties.
|
Test malware scans
Before continuing with further Anti-Malware configuration steps, test real-time and
manual/scheduled scans to ensure they're working correctly.
Test real-time scans:
- Make sure the real-time scan is enabled and that a configuration is selected.
- Go to the EICAR site and download their anti-malware test file. This standardized file will test the real-time scan's anti-virus capabilities. The file should be quarantined.
- In the Server & Workload Protection console, go to to verify the record of the EICAR file detection. If the detection is recorded, the Anti-Malware real-time scans are working correctly.
Test manual/scheduled scans:
NoteBefore you begin, make sure the real-time scan is disabled before testing
manual/scheduled scans.
|
- Go to Administration.
- Click .
- Select Scan Computers for Malware from the drop-down menu and select a frequency. Complete the scan configuration with your desired specifications.
- Go to the EICAR site and download their anti-malware test file. This standardized file will test the manual/scheduled scan's anti-virus capabilities.
- Select the scheduled scan and click Run Task Now. The test file should be quarantined.
- In the Server & Workload Protection console, go to to verify the record of the EICAR file detection. If the detection is recorded, the Anti-Malware manual/scheduled scans are working correctly.
Configure malware scanning capabilities and features
- Configure Anti-Malware Monitoring Level
- Enable AMSI protection (real-time scans only)
- Scan for spyware and grayware
- Scan for compressed executable files (real-time scans only)
- Scan process memory (real-time scans only)
- Scan compressed files
- Scan embedded Microsoft Office objects
See also:
Configure Anti-Malware Monitoring Level
ImportantMonitoring Level only supports agent version 20.0.1.25770 and later. Unsupported versions
use the default level of 2 - Moderate and cannot be changed.
Support for Linux agents is limited to 64-bit (x86-64) and 32-bit (x86) systems. Agents
deployed to other Linux architectures use the default level of 2 - Moderate and cannot be changed.
|
The Anti-Malware Monitoring Level setting allows you to set the sensitivity of the anti-malware scan and the strictness
applied when responding to potential threats. Higher levels allow for more strict
monitoring to help with situations like on-going threat investigations, but might
generate a large number of nonessential logs and impact endpoint performance.
Because of the potential impact on endpoint performance and the generation of additional
detection logs, Trend Micro recommends using the default setting of 2 - Moderate. Only use the higher levels if you are investigating an on-going threat, or if instructed
by your support provider.
-
Open the properties of the malware scan configuration.
-
On the General tab, under Anti-Malware Monitoring Level, configure the settings for Detection level and Prevention level.
Important
-
The Prevention level must be the same or lower than Detection level.
-
-
Click OK.
TipIf you want Anti-Malware Scan and Behavior Monitoring to exclude certain detection
rules, you can add the rule ID to the Rule Exceptions list by going to the Create Anti-Malware exceptions.
tab of the Computer or Policy editor. You can find rule IDs by viewing events in
Events & Reports. For more information, see |
Enable Windows AMSI protection (real-time scans only)
The Windows Antimalware Scan Interface (AMSI) is an interface provided by Microsoft in Windows 10 and later. Server & Workload Protection leverages AMSI to help detect malicious scripts. By default, this option is enabled
in Server & Workload Protection malware scan configurations.
-
Open the properties of the malware scan configuration.
-
On the General tab, select Enable AMSI protection.
-
Configure the settings for Detection level and Prevention level.
Important
-
Adjusting Detection and Prevention levels only supports agent version version 20.0.1.25770 and later. Unsupported versions use the default level of 2 - Moderate and cannot be changed.
-
Higher levels provide greater sensitivity but might generate a large number of nonessential logs and impact endpoint performance. Trend Micro recommends selecting 2 - Moderate for more relevant data with minimal impact on your endpoints.
-
The Prevention level must be the same or lower than Detection level.
-
The Action to take selection might affect the prevention actions taken for the selected prevention level.
-
-
For Action to take, choose the remediation action that you want Server & Workload Protection to take when it detects malware:
-
Terminate (recommended): Stops execution or running of the detected process.
-
Pass: Server & Workload Protection records an Anti-Malware Event without taking action on the process.
-
-
Click OK.
Scan for spyware and grayware
When spyware and grayware protection is enabled, the spyware scan engine quarantines
suspicious files when they are detected.
- Open the properties of the malware scan configuration.
- On the General tab, select Enable spyware/grayware protection.
- Click OK.
To identify a file that the spyware scan engine should ignore, see Create
Anti-Malware exceptions.
Scan for compressed executable files (real-time scans only)
Viruses often use real-time compression algorithms to attempt to circumvent virus
filtering. The IntelliTrap feature blocks real-time compressed executable files and
pairing them with other malware characteristics.
NoteBecause IntelliTrap identifies such files as security risks and may incorrectly
block safe files, consider quarantining (not deleting or cleaning) files when
you enable IntelliTrap. (See Configure how to handle malware.) If users regularly exchange
real-time compressed executable files, disable IntelliTrap. IntelliTrap uses the
virus scan engine, IntelliTrap Pattern, and IntelliTrap Exception Pattern.
|
NoteFor macOS agents, IntelliTrap is not supported.
|
- Open the properties of the malware scan configuration.
- On the General tab, select Enable IntelliTrap.
- Click OK.
Scan process memory (real-time scans only)
ImportantScan process memory does not support Linux and macOS agents.
|
Monitor process memory in real time and perform additional checks with the Trend
Micro Smart Protection network to determine whether a suspicious process is known
to
be malicious. If the process is malicious, Server & Workload Protection terminates the process. For more
information, see Smart
Protection in Server & Workload Protection
-
Open the properties of the malware scan configuration.
-
On the General tab, select Scan process memory for malware.
-
Configure the settings for Detection level and Prevention level.
Important
-
Adjusting Detection and Prevention levels only supports agent version version 20.0.1.25770 and later. Unsupported versions use the default level of 2 - Moderate and cannot be changed.
-
Higher levels provide greater sensitivity but might generate a large number of nonessential logs and impact endpoint performance. Trend Micro recommends selecting 2 - Moderate for more relevant data with minimal impact on your endpoints.
-
The Prevention level must be the same or lower than Detection level.
-
The Action to take selection might affect the prevention actions taken for the selected prevention level.
-
- Click OK.
Scan compressed files
Extract compressed files and scan the contents for malware. When you enable the scan,
you specify the maximum size and number of files to extract (large files can affect
performance). You also specify the levels of compression to inspect so that you can
scan compressed files that reside inside compressed files. Level 1 compression is
a
single compressed file. Compressed files inside that file are level two. You can
scan a maximum of 6 compression levels, however higher levels can affect
performance.
- Open the properties of the malware scan configuration.
- On the Advanced tab, select Scan compressed files.
- Specify the maximum size of content files to extract, in MB, the levels of compression to scan, and the maximum number of files to extract.
- Click OK.
Scan embedded Microsoft Office objects
NoteFor macOS agents, scanning embedded Microsoft Office objects is not supported.
|
Certain versions of Microsoft Office use Object Linking and Embedding (OLE) to insert
files and other objects into Office files. These embedded objects can contain
malicious code.
Specify the number of OLE layers to scan to detect objects that are embedded in other
objects. To reduce the impact on performance, you can scan only a few layers of
embedded objects within each file.
- Open the properties of the malware scan configuration.
- On the Advanced tab, select Scan Embedded Microsoft Office Objects.
- Specify the number of OLE layers to scan.
- Click OK.
Enable a manual scan for the notifier application
Enabling a manual scan through the the Trend Micro notifier
application is supported for Deep Security Agents 20.0.0-179+ for macOS
only.
This feature enables macOS users to trigger a scan through the notifier application.
It is disabled by default.
- From the computer editor or the policy editor, click the Anti-Malware tab.
- Click the General horizontal tab.
- In the Manual Scan section, click to select the checkbox for Allow agent to trigger or cancel a manual scan from Trend Micro's notifier application.
Specify the files to scan
Identify files and directories to include in the scan and then identify any
exclusions from those files and directories. . You can also scan network
directories:
Inclusions
Specify the directories to scan as well as the files inside the directories to
scan.
To identify the files to scan, use one of the following options:
- All files
- File types that are identified by IntelliScan. IntelliScan only scans file types that are vulnerable to infection, such as .zip or .exe. IntelliScan does not rely on file extensions to determine file type but instead reads the header and content of a file to determine whether it should be scanned. Compared to scanning all files, Intelliscan reduces the number of files to scan and improves performance.
- Files that have a file name extension that is included in a specified list: The file extension list uses patterns with a specific syntax. (See Syntax of file extension lists.)
To identify directories to scan, you can specify all directories or a list of
directories. The directory list uses patterns with a specific syntax to identify the
directories to scan. (See Syntax
for directory lists.)
- Open the properties of the malware scan configuration.
- Click the Inclusions tab.
- To specify the directories to scan, select All directories or Directory List.
- If you selected Directory List, from the drop-down menu either select an existing list or select New to create one.
- To specify the files to scan, select either All files, File types scanned by IntelliScan, or File Extension List.
- If you selected File Extension List, from the drop-down menu either select an existing list or select New to create one.
- Click OK.
Exclusions
Exclude directories, files, and file extensions from being scanned. For real-time
scans, you can also exclude process image files from being scanned.
Examples of files and folders to exclude:
- If you are creating a malware scan configuration for a Microsoft Exchange server, exclude the SMEX quarantine folder to avoid re-scanning files that have already been confirmed to be malware.
- If you have large VMware images, exclude the directory containing these images if you experience performance issues.
TipYou can also exclude files from Anti-Malware scanning when they are
signed by a trusted digital certificate. This type of exclusion is defined in
policy or computer settings. (See Exclude files signed by a trusted certificate.)
|
To exclude directories, files, and process image files, create a list that uses
patterns to identify the item to exclude.
- Open the properties of the malware scan configuration.
- Click the Exclusions tab.
- Specify the directories to exclude:
- Select Directory List.
- Select a directory list or select New to create one. (See Syntax for directory lists.)
- If you created a directory list, select it in the directory list.
- Similarly, specify the file list, file extension list, and process image file list to exclude. (See Syntax of file lists, Syntax of file extension lists, and Syntax of process image file lists (real-time scans only):.)
- Click OK.
Test file exclusions
Before continuing with further Anti-Malware configuration steps, test file exclusions
to ensure they're working correctly:
NoteBefore you begin, make sure the real-time scan is enabled and a configuration
is selected.
|
- Go to .
- Click .
- Go to the Exclusions tab, and select New from the directory list.
- Name the directory list.
- Under Directory(s) specify the path of the directory you want to
exclude from the scan. For example,
c:\Test Folder\
. Click OK . - Go to the General tab, name the manual scan, and click OK.
- Go to the EICAR site and download their anti-malware test file. Save the file in the folder specified in the previous step. The file should be saved and undetected by the Anti-Malware module.
Syntax for directory lists
NoteDirectory list items accept either forward slash "/" or backslash "" to support
both Windows and Linux conventions.
|
Exclusion
|
Format
|
Description
|
Examples
|
Directory
|
DIRECTORY\
|
Excludes all files in the specified directory and all files in
all subdirectories.
|
C:\Program Files\ Excludes all files in the
"Program Files" directory and all subdirectories.
|
Directory with wildcard (*)
|
DIRECTORY\*\
|
Excludes all subdirectories except for the specified
subdirectory and the files that it contains.
|
C:\abc\*\ Excludes all files in all subdirectories
of "abc" but does not exclude the files in the "abc" directory.
C:\abc\wx*z\ Matches: C:\abc\wxz\
C:\abc\wx123z\ Does not match: C:\abc\wxz C:\abc\wx123z
C:\abc\*wx\ Matches: C:\abc\wx\ C:\abc\123wx\
Does not match: C:\abc\wx C:\abc\123wx
|
Directory with wildcard (*)
|
DIRECTORY*\
|
Excludes any subdirectories with a matching name, but does not
exclude the files in that directory and any
subdirectories.
|
C:\Program Files\SubDirName*\
Excludes any subdirectories with a folder name that begins with
“SubDirName”. Does not exclude all files under C:\Program Files\
or any other subdirectories.
|
Environment variable
|
${ENV VAR}
|
Excludes all files and subdirectories defined by an
environment variable. For a Virtual Appliance, the value pairs
for the environment variable must be defined in Policy or
Computer Editor > Settings > General > Environment
Variable Overrides.
|
${windir} If the variable resolves to "c:\windows",
excludes all the files in "c:\windows" and all its
subdirectories.
|
Comments
|
DIRECTORY #Comment
|
Adds a comment to your exclusion definitions.
|
c:\abc #Exclude the abc directory |
Syntax of file lists
Exclusion
|
Format
|
Description
|
Example
|
File
|
FILE
|
Excludes all files with the specified file name regardless of
its location or directory.
|
abc.doc Excludes all files named "abc.doc" in all
directories. Does not exclude "abc.exe".
|
File path
|
FILEPATH
|
Excludes the single file specified by the file
path.
|
C:\Documents\abc.doc Excludes only the file named
"abc.doc" in the "Documents" directory.
|
File path with wildcard (*)
|
FILEPATH
|
Excludes all the files specified by the file path.
|
C:\Documents\abc.co* (For Windows Agent platforms
only) Excludes any file that has file name of "abc" and
extension beginning with ".co" in the "Documents" directory.
|
Filename is a wildcard (*)
|
FILEPATH\*
|
Excludes all files under the path, but does not include the
files in unspecified subdirectories
|
C:\Documents\* Excludes all files under the
directory C:\Documents\ C:\Documents\SubDirName*\*
Excludes all files within subdirectories with a folder name that
begins with “SubDirName”. Does not exclude all files under
C:\Documents\ or any other subdirectories.
C:\Documents\*\* Excludes all files within all
direct subdirectories under C:\Documents. Does
not exclude files in subsequent subdirectories.
|
File with wildcard (*)
|
FILE*
|
Excludes all files with a matching pattern in the file
name.
|
abc*.exe Excludes any file that has prefix of "abc"
and extension of ".exe". *.db Matches: 123.db
abc.db Does not match: 123db 123.abd cbc.dba *db
Matches: 123.db 123db ac.db acdb db Does not match: db123
wxy*.db Matches: wxy.db wxy123.db Does not
match: wxydb
|
File with wildcard (*)
|
FILE.EXT*
|
Excludes all files with a matching pattern in the file
extension.
|
abc.v* Excludes any file that has file name of
"abc" and extension beginning with ".v". abc.*pp
Matches: abc.pp abc.app Does not match: wxy.app
abc.a*p Matches: abc.ap abc.a123p Does not
match: abc.pp abc.* Matches: abc.123 abc.xyz Does
not match: wxy.123
|
File with wildcard (*)
|
FILE*.EXT*
|
Excludes all files with a matching pattern in the file name
and in the extension.
|
a*c.a*p
Matches: ac.ap a123c.ap ac.a456p a123c.a456p Does not match: ad.aa</td> </tr> <tr> <td>Environment variable</td> <td>${ENV VAR}</td> <td>Excludes files specified by an environment variable with the format ${ENV VAR}. These can be defined or overridden using <term>Policy or Computer Editor > Settings > General > Environment Variable Overrides.</term></td> <td> <term> ${myDBFile} </term> Excludes the file "myDBFile".</td> </tr> <tr> <td>Comments</td> <td>FILEPATH #Comment</td> <td>Adds a comment to your exclusion definitions.</td> <td> <codeblock>C:\Documents\abc.doc #This is a comment </codeblock> </td> </tr> |
Syntax of file extension lists
Exclusion
|
Format
|
Description
|
Example
|
File Extension
|
EXT
|
Matches all files with a matching file extension.
|
doc Matches all files with a ".doc" extension in
all directories.
|
Comments
|
EXT #Comment
|
Adds a comment to your exclusion definitions.
|
doc #This a comment |
Syntax of process image file lists (real-time scans only)
Exclusion
|
Format
|
Description
|
Example
|
File path
|
FILEPATH
|
Excludes the Process Image file specified by the file
path.
|
C:\abc\file.exe Excludes only the file named
"file.exe" in the "abc" directory.
|
Scan a network directory (real-time scan only)
If you want to scan files and folders in network shares and mapped network drives
that reside in a Network File System (NFS), Server Message Block (SMB) or Common
Internet File System (CIFS), select Enable Network Directory Scan. This
option is available only for real-time scans.
NoteResources accessed in "~/.gvfs" via GVFS, a virtual file system
available for the GNOME desktop, will be treated as local resources, not network
drives.
|
NoteIf a virus is detected when scanning a network folder on Windows, the agent may
display some "clean failed" (delete failed) events.
|
Specify when real-time scans occur
Choose between scanning files when they are opened for reading, when they are written
to, or both.
- Open the properties of the malware scan configuration.
- On the Advanced tab, select one of the options for the Real-Time Scan property.
- Click OK.
Configure how to handle malware
Configure how Server & Workload Protection behaves when malware is
detected:
Customize malware remedial actions
When Server & Workload Protection detects malware, it performs a
remedial action to handle the file. There are five possible actions that Server & Workload Protection can take when it encounters
malware:
-
Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)
Note
The remedial action Pass should never be used for a possible virus. -
Clean: Cleans an infected file before allowing full access to it. If the file can't be cleaned, it is quarantined.
-
Delete: On Linux, the infected file is deleted without a backup.On Windows, the infected file is backed up and then deleted. Windows backup files can be viewed and restored in .
-
Deny Access: This scan action can only be performed during Real-time scans. When Server & Workload Protection detects an attempt to open or execute an infected file, it immediately blocks the operation. The infected file is left unchanged. When the Access Denied action is triggered, the infected files stay in their original location.
Note
Do not use the remedial action Deny Access when Real-Time Scan is set to During Write. When During Write is selected, files are scanned when they are written and the action Deny Access has no effect. -
Quarantine: Moves the infected file to the quarantine directory on the computer or Virtual Appliance. The quarantined file can be viewed and restored in .
Note
Malware marked as Quarantined on Linux might be marked as Deleted on Windows, despite the malware being identical on both operating systems. In either case, the file can be viewed and restored in .Note
On Windows, infected non-compressed files (for example, .txt files) are quarantined, while infected compressed files (for example, .zip files) are deleted. On Windows, both quarantined or deleted files have a backup that can be viewed and restored in . On Linux, all infected files (compressed or non-compressed) are quarantined, and can be viewed and restored in .
The default remediation actions in the malware scan configurations are appropriate
for most circumstances. However, you can customize the actions to take when Server & Workload Protection detects malware. You can either use the
action that ActiveAction determines, or specify the action for each type of
vulnerability.
ActiveAction is a predefined group of cleanup actions that are optimized for each
malware category. Trend Micro continually adjusts the actions in ActiveAction to
ensure that individual detections are handled properly. (See ActiveAction actions.)
NoteFor macOS agents, the supported custom actions are Virus, Trojans, and Spyware.
|
-
Open the properties of the malware scan configuration.
-
On the Advanced tab, for Remediation Actions select Custom.
-
Specify the action to take:
-
To let ActiveAction decide which action to take, select Use action recommended by ActiveAction.
-
To specify an action for each type of vulnerability, select Use custom actions, and then select the actions to use.
-
-
Specify the action to take for Possible Malware.
-
Click OK.
ActiveAction actions
The following table lists the actions that ActiveAction takes:
Malware Type
|
Action
|
Clean. If a
virus cannot be cleaned, it is deleted
(Windows) or quarantined (Linux or Solaris). There is an
exception to this behavior: On a Linux or Solaris agent, if a
virus of type 'Test Virus' is found, access is
denied to the infected file.
|
|
Quarantine
|
|
Quarantine
|
|
CVE Exploit
|
Quarantine
|
Aggressive Detection Rule
|
Pass(This setting detects more issues but may also result in
more false positives, so the default action is to raise an
event.)
|
Delete(Does not apply to real-time scans)
|
|
Clean
If a threat cannot be cleaned, it is handled as follows:
Also, on a Linux or Solaris agent, if a virus of type 'Joke' is
found, it is quarantined immediately. No attempt is made to
clean it.
|
|
Pass
|
For more information about CVE Exploit and Aggressive Detection Rule, see Scan documents for
exploits.
NoteWhen the agent downloads virus pattern updates from an ActiveUpdate server or
relay, it may change its ActiveAction scan actions.
|
Generate alerts for malware detection
When Server & Workload Protection detects malware, you can generate
an alert.
- Open the properties of the malware scan configuration.
- On the General tab, for Alert select Alert when this Malware Scan Configuration logs an event.
- Click OK.
Identify malware files by file hash digest
Server & Workload Protection can calculate the hash value of a
malware file and display it on the page. Because a particular piece of malware can go by several
different names, the hash value is useful because it uniquely identifies the
malware. You can use the hash value when looking up information about the malware
from other sources.
-
Open the policy or computer editor that you want to configure.
-
Click.
-
Under File Hash Calculation, clear the Default or Inherited check box. (Default is displayed for a root policy and Inherited is displayed for child policies).
Note
When Inherited is selected, the file hash settings are inherited from the current policy's parent policy.Note
When Default is selected, Server & Workload Protection does not calculate any hash values. -
Select the Calculate hash values of all anti-malware events.
-
By default, Server & Workload Protection will produce SHA-1 hash values. If you want to produce additional hash values, you can select one or both of MD5 and SHA256.
-
You can also change the maximum size of malware files that will have hash values calculated. The default is to skip files that are larger than 128MB, but you can change the value to anything between 64 and 512 MB.
Configure notifications on the computer
On Windows-based agents, you might occasionally see onscreen notification messages
alerting you of Server & Workload Protection actions you must take
that are related to the anti-malware and web reputation modules. For example, you
might see the message,
A reboot is required for Anti-Malware cleanup
task
. You must click OK on the dialog box to dismiss it.If you don't want these notifications to appear:
- Go to the Computer or Policy editor.
- Click Settings on the left.
- Set Suppress all pop-up notifications on host to Yes. The messages still appear as alerts or events in Server & Workload Protection. For more information about the notifier, see Notifier.
Run scheduled scans when Server & Workload Protection is not accessible
NoteThis feature is supported with version 20.0.3445+ agents on Windows.
|
Scheduled scans for malware are typically queued when the agent is offline. To have
a
scheduled scan run even when the agent is unable to connect to Server & Workload Protection:
-
Go to the Computer or Policy editor.
-
On the left, click Anti-Malware.
-
On the General tab, for Scheduled Scan select Enable agent to trigger scheduled scan for malware.
NoteWhen the checkbox is selected:
|
Troubleshooting
Some special cases may cause the agent not to trigger the offline scheduled scan:
- If the computer is shut down, the upcoming scheduled scan may not be triggered if it times out when the computer is restarted.
- If the computer is shut down during the scheduled scan, the interrupted scheduled scan will not continue when the computer is restarted.