Scan Targets and Actions for Security Agents | Trend Micro Service Central

Views:

Configure the following settings for each scan type (Manual Scan, Scheduled Scan, and Real-time Scan):

Target Tab

Select a method:

All scannable files: includes all scannable files. Unscannable files are password protected files, encrypted files, or files that exceed the user-defined scanning restrictions.

Note:
This option provides the maximum security possible. However, scanning every file requires a lot of time and resources and might be redundant in some situations. Therefore, you might want to limit the amount of files the agent includes in the scan.
IntelliScan uses "true file type" identification: Scans files based on true-file type. See IntelliScan.
Scan files with the following extensions: Manually specify the files to scan based on their extensions. Separate multiple entries with commas.

Select a scan trigger:

Read: Scans files whose contents are read; files are read when they are opened, executed, copied, or moved.
Write: Scans files whose contents are being written; a file’s contents are written when the file is modified, saved, downloaded, or copied from another location.
Read or write

Scan Exclusions

The following settings are configurable:

Enable or disable exclusions
Exclude Trend Micro product directories from scans
Exclude other directories from scans

All subdirectories in the directory path you specify will also be excluded
Exclude file names or file names with full path from scans
Exclude file extensions

Wildcard characters, such as “*”, are not accepted for file extensions

Note:

(Advanced only) If Microsoft Exchange Server is running on the client, Trend Micro recommends excluding all Microsoft Exchange Server folders from scanning. To exclude scanning of Microsoft Exchange server folders on a global basis, go to Administration > Global Settings > Desktop/Server {tab} > General Scan Settings, and then select Exclude Microsoft Exchange server folders when installed on Microsoft Exchange server.

Advanced Settings

Scan Type	Option
Real-time Scan	Scan POP3 messages: By default, Mail Scan can only scan new messages sent through port 110 in the Inbox and Junk Mail folders. It does not support secure POP3 (SSL-POP3). Microsoft Outlook 2007, 2010, or 2013 Mozilla Thunderbird 1.5 or higher Mail Scan cannot detect security risks in IMAP messages. Use the Messaging Security Agent (Advanced only) to detect security risks and spam in IMAP messages.
Real-time Scan	Scan floppy disks during system shutdown
Real-time Scan	Enable IntelliTrap: IntelliTrap detects malicious code, such as bots, in compressed files. See IntelliTrap.
Real-time Scan	Quarantine malware variants detected in memory: If Real-time Scan and Behavior Monitoring are enabled and this option is selected, running process memory is scanned for packed malware. Any packed malware that Behavior Monitoring detects is quarantined.
Real-time Scan, Manual Scan, Scheduled Scan	Scan compressed files up to layer __: A compressed file has one layer for each time it has been compressed. If an infected file has been compressed to several layers, it must be scanned through the specified number of layer to detect the infection. Scanning through multiple layers, however, requires more time and resources.
Real-time Scan, Manual Scan, Scheduled Scan	Modify Spyware/Grayware Approved List: This setting cannot be configured from the agent console.
Manual Scan, Scheduled Scan	CPU Usage/Scan Speed: The Security Agent can pause after scanning one file and before scanning the next file. Select from the following options: High: No pausing between scans Medium: Pause between file scans if CPU consumption is higher than 50%, and do not pause if 50% or lower Low: Pause between file scans if CPU consumption is higher than 20%, and do not pause if 20% or lower
Manual Scan, Scheduled Scan	Run advanced cleanup: The Security Agent stops activities by rogue security software, also known as FakeAV. The agent also uses advanced cleanup rules to proactively detect and stop applications that exhibit FakeAV behavior. Note: While providing proactive protection, advanced cleanup also results in a high number of false-positives.

Spyware/Grayware Approved List

Certain applications are classified by Trend Micro as spyware/grayware not because they can cause harm to the system on which they are installed, but because they potentially, expose the client or the network to malware or hacker attacks.

Worry-Free Business Security includes a list of potentially risky applications and, by default, prevents these applications from executing on clients.

If clients need to run any application that is classified by Trend Micro as spyware/grayware, you need to add the application name to the spyware/grayware approved list.

Action Tab

The following are the actions that Security Agents can perform against viruses/malware:

Table 1. Virus/Malware Scan Actions
Action	Description
Delete	Deletes the infected file.
Quarantine	Renames and then moves the infected file to a temporary quarantine directory on the client. The Security Agents then sends quarantined files to the designated quarantine directory, which is on the Security Server by default. The Security Agent encrypts quarantined files sent to this directory. If you need to restore any of the quarantined files, use the VSEncrypt tool.
Clean	Cleans the infected file before allowing full access to the file. If the file is uncleanable, the Security Agent performs a second action, which can be one of the following actions: Quarantine, Delete, Rename, and Pass This action can be performed on all types of malware except probable virus/malware. Note: Some files are uncleanable. For details, see Uncleanable Files.
Rename	Changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application. The virus/malware may execute when opening the renamed infected file.
Pass	Only performed during Manual Scan and Scheduled Scan. The Security Agent cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected will allow virus/malware to execute. All the other scan actions can be used during Real-time Scan.
Deny Access	Only performed during Real-time Scan. When the Security Agent detects an attempt to open or execute an infected file, it immediately blocks the operation. Users can manually delete the infected file.

The scan action the Security Agent performs depends on the scan type that detected the spyware/grayware. While specific actions can be configured for each virus/malware type, only one action can be configured for all types of spyware/grayware. For example, when the Security Agent detects any type of spyware/grayware during Manual Scan (scan type), it cleans (action) the affected system resources.

The following are the actions the Security Agent can perform against spyware/grayware:

Table 2. Spyware/Grayware Scan Actions
Action	Description
Clean	Terminates processes or deletes registries, files, cookies, and shortcuts.
Pass	Performs no action on detected spyware/grayware components but records the spyware/grayware detection in the logs. This action can only be performed during Manual Scan and Scheduled Scan. During Real-time Scan, the action is "Deny Access". The Security Agent will not perform any action if the detected spyware/grayware is included in the approved list.
Deny Access	Denies access (copy, open) to the detected spyware/grayware components. This action can only be performed during Real-time Scan. During Manual Scan and Scheduled Scan, the action is "Pass".

ActiveAction

Different types of virus/malware require different scan actions. Customizing scan actions requires knowledge about virus/malware and can be a tedious task. The Security Agent uses ActiveAction to counter these issues.

ActiveAction is a set of pre-configured scan actions for viruses/malware. If you are not familiar with scan actions or if you are not sure which scan action is suitable for a certain type of virus/malware, Trend Micro recommends using ActiveAction.

Using ActiveAction provides the following benefits:

ActiveAction uses scan actions that are recommended by Trend Micro. You do not have to spend time configuring the scan actions.
Virus writers constantly change the way virus/malware attack endpoints. ActiveAction settings are updated to protect against the latest threats and the latest methods of virus/malware attacks.

The following table illustrates how ActiveAction handles each type of virus/malware:

Table 3. Trend Micro Recommended Scan Actions Against Viruses and Malware
Virus/Malware Type	Real-time Scan		Manual Scan/Scheduled Scan
Virus/Malware Type	First Action	Second Action	First Action	Second Action
Joke program	Quarantine	Delete	Quarantine	Delete
Trojan horse program/Worms	Quarantine	Delete	Quarantine	Delete
Packer	Quarantine	N/A	Quarantine	N/A
Probable virus/malware	Pass	N/A	Pass or user-configured action	N/A
Virus	Clean	Quarantine	Clean	Quarantine
Test virus	Deny Access	N/A	N/A	N/A
Other malware	Clean	Quarantine	Clean	Quarantine

Note:

Some files are uncleanable. For details, see Uncleanable Files.
ActiveAction is not available for spyware/grayware scan.
The default values for these settings can change, when new pattern files become available.

Advanced Settings

Scan Type	Option
Real-time Scan, Scheduled Scan	Display an alert message on the desktop or server when a virus/spyware is detected
Real-time Scan, Scheduled Scan	Display an alert message on the desktop or server when a probable virus/spyware is detected
Manual Scan, Real-time Scan, Scheduled Scan	Run cleanup when probable virus/malware is detected: Only available if you choose ActiveAction and customized the action for probable virus/malware.