Configuring Malware or Malicious Code Criteria

The Message contains "malware or malicious code" criteria allows you to create rules that take actions on messages that contain malware, worms, or other malicious code.

Select Message contains.
Click the malware or malicious code link on the Rule > Scanning Criteria screen.
The Malware or Malicious Code screen appears.

Specify at least one of the following detection types under the Specify at least one detection type section.

Option	Description
Cleanable malware or malicious code	Apply the rule to messages or attachments that contain cleanable malware. Cleanable malware are those that can be safely removed from the contents of the infected file, resulting in an uninfected copy of the original message or attachment. Warning: Selecting Cleanable malware or malicious code as a rule criteria, and then selecting a rule action other than Delete or Clean, can result in infected messages or attachments entering your messaging environment. By default, Hosted Email Security is configured with malware rules to appropriately handle threats when it is installed.
Uncleanables with mass-mailing behavior	Apply the rule to messages that contain uncleanable malware, worms, or other threats that cannot be removed from messages or attachments, and that propagate by mass-mailing copies of themselves.
Uncleanables without mass-mailing behavior	Select the categories below as desired: Spyware Dialers Hacking tools Password cracking applications Adware Joke programs Remote access tools All others

Option

Description

Cleanable malware or malicious code

Apply the rule to messages or attachments that contain cleanable malware. Cleanable malware are those that can be safely removed from the contents of the infected file, resulting in an uninfected copy of the original message or attachment.

Warning:

Selecting Cleanable malware or malicious code as a rule criteria, and then selecting a rule action other than Delete or Clean, can result in infected messages or attachments entering your messaging environment. By default, Hosted Email Security is configured with malware rules to appropriately handle threats when it is installed.

Uncleanables with mass-mailing behavior

Apply the rule to messages that contain uncleanable malware, worms, or other threats that cannot be removed from messages or attachments, and that propagate by mass-mailing copies of themselves.

Uncleanables without mass-mailing behavior

Select the categories below as desired:

Spyware
Dialers
Hacking tools
Password cracking applications
Adware
Joke programs
Remote access tools
All others

Configure Predictive Machine Learning settings to leverage the Predictive Machine Learning engine to detect emerging unknown security risks.
1. Select Enable Predictive Machine Learning under the Specify Predictive Machine Learning settings section.
  For details, see About Predictive Machine Learning.
2. Optionally select the Allow Trend Micro to collect suspicious files to improve its detection capabilities check box.
  Note:
  By default, this option is selected.
  
  If you enable this option, Trend Micro only checks potentially risky messages and encrypts all content before transferring any information.
To perform scanning for less conventional threats, select Enable Advanced Threat Scan Engine under the Specify advanced settings section.
See About Advanced Threat Scan Engine.
- Select Enable Virtual Analyzer, and then select the security level from the drop-down list, to perform further observation and analysis for threats detected by the Advanced Threat Scan Engine.
- Select Include macro, JSE and VBE scanning to include macro threats during observation and analysis.
Note:
If Virtual Analyzer is enabled, Hosted Email Security performs observation and analysis on samples in a closed environment. It takes 3 minutes on average to analyze and identify the risk of an attachment, and the time could be as long as 30 minutes for some attachments.

Hosted Email Security logs advanced threats as follows:
- "Probable Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection but not analyzed by Virtual Analyzer
  
  Tip:
  Some detected files may be safe. Trend Micro recommends selecting the Quarantine action for suspected threats detected by the Advanced Threat Scan Engine.
- "Analyzed Advanced Threats": Suspected threats detected by the Advanced Threat Scan Engine or Social Engineering Attack Protection and detected as the high risk by Virtual Analyzer
  Note:
  The Advanced Threat Scan Engine or Social Engineering Attack Protection considers messages as suspected threats according to the security level configured for Virtual Analyzer. That is:
  - if theHighsecurity level is configured, then the action will be applied on all messages that exhibit any suspicious behavior.
  - if theMediumsecurity level is configured, then the action will be applied on messages that have moderate to high probability of being malicious.
  - if theLowsecurity level is configured, then the action will be applied only on messages that have high probability of being malicious.
Click Save.