Views:
Server & Workload Protection provides security settings that you can apply to Windows and Linux machines that are protected by an agent to enhance your malware and ransomware detection and clean rate. These settings enable you to go beyond malware pattern matching and identify suspicious files that could potentially contain emerging malware that hasn’t yet been added to the anti-malware patterns (known as a zero-day attack).
For an overview of the Anti-Malware module, see Protect against malware.
Note
Note
For macOS agents, behavior monitoring is not supported.

How does enhanced scanning protect you? Parent topic

Threat detection: To avoid detection, some types of malware attempt to modify system files or files related to known installed software. These types of changes often go unnoticed because the malware takes the place of legitimate files. Server & Workload Protection can monitor system files and installed software for unauthorized changes to detect and prevent these changes from occurring.
Anti-exploit: Malware writers can use malicious code to hook in to user mode processes in order to gain privileged access to trusted processes and to hide the malicious activity. Malware writers inject code into user processes through DLL injection, which calls an API with escalated privilege. They can also trigger an attack on a software exploit by feeding a malicious payload to trigger code execution in memory. In Server & Workload Protection, the anti-exploit functionality monitors for processes that may be performing actions that are not typically performed by a given process. Using a number of mechanisms, including Data Execution Prevention (DEP), Structured Exception Handling Overwrite Protection (SEHOP), and heap spray prevention, Server & Workload Protection can determine whether a process has been compromised and then terminate the process to prevent further infection.
Extended ransomware protection: Recently, ransomware has become more sophisticated and targeted. Most organizations have a security policy that includes anti-malware protection on their endpoints, which offers a level of protection against known ransomware variants; however, it may not be sufficient to detect and prevent an outbreak for new variants. The ransomware protection offered by Server & Workload Protection can protect documents against unauthorized encryption or modification. Server & Workload Protection has also incorporated a data recovery engine that can optionally create copies of files being encrypted to offer users an added chance of recovering files that may have been encrypted by a ransomware process.

How to enable enhanced scanning Parent topic

Enhanced scanning is configured as part of the Anti-Malware settings that are applied to a policy or individual computer. For general information on configuring Anti-Malware protection, see Enable and configure Anti-Malware.
Note
Note
These settings can only be applied to Windows and Linux machines that are protected by an agent.
Tip
Tip
Enhanced scanning may have a performance impact on agent computers running applications with heavy loads. We recommend reviewing the Performance tips for Anti-Malware before deploying agents with enhanced scanning enabled.
The first step is to enable enhanced scanning in a real-time malware scan configuration:

Procedure

  1. In the Server & Workload Protection console, go to Policies Common Objects Other Malware Scan Configurations.
  2. Double-click an existing real-time scan configuration to edit it (for details on malware scan configurations, see Configure malware scans).
  3. On the General tab, under Behavior Monitoring, select Enable Behavior Monitoring. In the Action to take list, choose the remediation action that you want Server & Workload Protection to take when it detects malware:
    • ActiveAction (recommended): Use the action that ActiveAction determines. ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly. (See ActiveAction actions.)
    • Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)
  4. Optionally, select Back up and restore ransomware-encrypted files. When this option is selected, Server & Workload Protection will create backup copies of files that are being encrypted, in case they are being encrypted by a ransomware process. This option applies only to computers running Windows.
  5. Click OK.
    Note
    Note
    By default, real-time scans are set to scan all directories. If you change the scan settings to scan a directory list, the enhanced scanning may not work as expected. For example, if you set Directories to scan to scan "Folder1" and ransomware occurs in Folder1, it may not be detected if the encryption associated with the ransomware happens to files outside of Folder1.
  6. Next, apply the malware scan configuration to a policy or an individual computer:
    1. In the Computer or Policy editor, go to Anti-Malware General.
    2. Ensure that the Anti-Malware State is On or Inherited (On).
    3. The General tab contains sections for Real-Time Scan, Manual Scan, and Scheduled Scan. In the appropriate sections, use the Malware Scan Configuration list to select the scan configuration that you created above.
    4. Click Save.

What happens when enhanced scanning finds a problem? Parent topic

When Server & Workload Protection discovers activity or files that match the enhanced scan settings you have enabled, it will log an event (go to Events & Reports Events Anti-Malware Events to see a list of events). The event will be identified as "Suspicious activity" or "Unauthorized change" in the Major Virus Type column and details will be displayed in the Target(s) and TargetType columns.
Server & Workload Protection performs many types of checks related to the enhanced scan settings, and the actions that it takes depend on the type of check that finds an issue. Server & Workload Protection may "Deny Access", "Terminate", or "Clean" a suspicious object. These actions are determined by Server & Workload Protection and are not configurable, with the exception of the "Clean" action:
  • Deny Access: When Server & Workload Protection detects an attempt to open or execute a suspicious file, it immediately blocks the operation and records an Anti-Malware event.
  • Terminate: Server & Workload Protection terminates the process that performed the suspicious operation and records an Anti-Malware event.
  • Clean: Server & Workload Protection checks the Malware Scan Configuration and performs the action specified for Trojans on the Actions tab. One or more additional events will be generated relating to the action performed on the Trojan files.
behavior-monitoring-events=8357b82d-b287-4c9b-a6a8-02fa38c313a3.png
Double-click an event to see details:
behavior-monitoring-event-detail=e3926908-28d7-4b34-85fe-37f51710dab4.png
Events related to ransomware have an additional Targeted Files tab:
ransomware-event-details=61c13829-c452-482c-a168-3f00869c5292.png
targeted-files=62bf5d3a-0841-4b6b-bcd2-f0a8d1173901.png
If you investigate and find that an identified file is not harmful, you can right-click the event and click Allow to add the file to a scan exclusion list for the computer or policy. You can check the scan exclusion list in the policy or computer editor, under Anti-Malware Advanced Behavior Monitoring Protection Exceptions.