Server & Workload Protection provides security settings that you can apply to Windows and Linux machines that
are protected by an agent to enhance your malware and ransomware detection and clean
rate. These settings enable you to go beyond malware pattern matching and identify
suspicious files that could potentially contain emerging malware that hasn’t yet been
added to the anti-malware patterns (known as a zero-day attack).
For an overview of the Anti-Malware module, see Protect against malware.
ImportantBehavior monitoring is not supported for macOS agents.
|
How does enhanced scanning protect you?
Threat detection: To avoid detection, some types of malware attempt to modify system files or files
related to known installed software. These types of changes often go unnoticed because
the malware takes the place of legitimate files. Server & Workload Protection can monitor system files and installed software for unauthorized changes to detect
and prevent these changes from occurring.
Anti-exploit: Malware writers can use malicious code to hook in to user mode processes in order
to gain privileged access to trusted processes and to hide the malicious activity.
Malware writers inject code into user processes through DLL injection, which calls
an API with escalated privilege. They can also trigger an attack on a software exploit
by feeding a malicious payload to trigger code execution in memory. In Server & Workload Protection, the anti-exploit functionality monitors for processes that may be performing actions
that are not typically performed by a given process. Using a number of mechanisms,
including Data Execution Prevention (DEP), Structured Exception Handling Overwrite
Protection (SEHOP), and heap spray prevention, Server & Workload Protection can determine whether a process has been compromised and then terminate the process
to prevent further infection.
Extended ransomware protection: Recently, ransomware has become more sophisticated and targeted. Most organizations
have a security policy that includes anti-malware protection on their endpoints, which
offers a level of protection against known ransomware variants; however, it may not
be sufficient to detect and prevent an outbreak for new variants. The ransomware protection
offered by Server & Workload Protection can protect documents against unauthorized encryption or modification. Server & Workload Protection has also incorporated a data recovery engine that can optionally create copies of
files being encrypted to offer users an added chance of recovering files that may
have been encrypted by a ransomware process.
How to enable enhanced scanning
Enhanced scanning is configured as part of the Anti-Malware settings that are applied
to a policy or individual computer. For general information on configuring Anti-Malware
protection, see Enable and configure Anti-Malware.
ImportantThese settings can only be applied to Windows and Linux machines that are protected
by an agent.
|
TipEnhanced scanning may have a performance impact on agent computers running applications
with heavy loads. We recommend reviewing the Performance tips for Anti-Malware before deploying agents with enhanced scanning enabled.
|
The first step is to enable enhanced scanning in a real-time malware scan configuration:
Procedure
- In the Server & Workload Protection console, go to .
- Double-click an existing real-time scan configuration to edit it (for details on malware scan configurations, see Configure malware scans).
- On the General tab, under Behavior Monitoring, select Enable Behavior Monitoring.
- Configure the settings for Detection level and Prevention level.
Important
-
Adjusting Detection and Prevention levels only supports agent version version 20.0.1.25770 and later. Unsupported versions use the default level of 2 - Moderate and cannot be changed.
-
Higher levels provide greater sensitivity but might generate a large number of nonessential logs and impact endpoint performance. Trend Micro recommends selecting 2 - Moderate for more relevant data with minimal impact on your endpoints.
-
The Prevention level must be the same or lower than Detection level.
-
The Action to take selection might affect the prevention actions taken for the selected prevention level.
-
- For Action to take, choose the remediation action that you want Server & Workload Protection to take when it detects malware:
-
ActiveAction (recommended): Use the action that ActiveAction determines. ActiveAction is a predefined group of cleanup actions optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly. (See ActiveAction actions.)
-
Pass: Server & Workload Protection records an Anti-Malware Event without taking action on the file.
-
- Optionally, select Back up and restore ransomware-encrypted files. When this option is selected, Server & Workload Protection will create backup copies of files that are being encrypted, in case they are being encrypted by a ransomware process. This option applies only to computers running Windows.
- Click OK.
Note
By default, real-time scans are set to scan all directories. If you change the scan settings to scan a directory list, the enhanced scanning may not work as expected. For example, if you set Directories to scan to scan "Folder1" and ransomware occurs in Folder1, it may not be detected if the encryption associated with the ransomware happens to files outside of Folder1. - Next, apply the malware scan configuration to a policy or an individual
computer:
- In the Computer or Policy editor, go to .
- Ensure that the Anti-Malware State is On or Inherited (On).
- The General tab contains sections for Real-Time Scan, Manual Scan, and Scheduled Scan. In the appropriate sections, use the Malware Scan Configuration list to select the scan configuration that you created above.
- Click Save.
What happens when enhanced scanning finds a problem?
When Server & Workload Protection discovers activity or files that match the enhanced scan settings you have enabled,
it will log an event (go to see a list of events). The event will be identified as "Suspicious activity" or "Unauthorized
change" in the Major Virus Type column and details will be displayed in the Target(s) and TargetType columns.
Server & Workload Protection performs many types of checks related to the enhanced scan settings, and the actions
that it takes depend on the type of check that finds an issue. Server & Workload Protection may "Deny Access", "Terminate", or "Clean" a suspicious object. These actions are
determined by Server & Workload Protection and are not configurable, with the exception of the "Clean" action:
- Deny Access: When Server & Workload Protection detects an attempt to open or execute a suspicious file, it immediately blocks the operation and records an Anti-Malware event.
- Terminate: Server & Workload Protection terminates the process that performed the suspicious operation and records an Anti-Malware event.
- Clean: Server & Workload Protection checks the Malware Scan Configuration and performs the action specified for Trojans on the Actions tab. One or more additional events will be generated relating to the action performed on the Trojan files.
Double-click an event to see details:
Events related to ransomware have an additional Targeted Files tab:
If you investigate and find that an identified file is not harmful, you can right-click
the event and click Allow to add the file to a scan exclusion list for the computer
or policy. You can check the scan exclusion list in the policy or computer editor,
under
.