Virus/Malware Scan Actions

The scan action OfficeScan performs depends on the virus/malware type and the scan type that detected the virus/malware. For example, when OfficeScan detects a Trojan horse program (virus/malware type) during Manual Scan (scan type), it cleans (action) the infected file.

For information on the different virus/malware types, see Viruses and Malware.

The following are the actions OfficeScan can perform against viruses/malware.

Table 1. Virus/Malware Scan Actions

Action

Description

Delete

OfficeScan deletes the infected file.

Quarantine

OfficeScan renames and then moves the infected file to a temporary quarantine directory on the agent endpoint located in <Agent installation folder>\Suspect.

The OfficeScan agent then sends quarantined files to the designated quarantine directory.

See Quarantine Directory for details.

The default quarantine directory is on the OfficeScan server, under <Server installation folder>\PCCSRV\Virus. OfficeScan encrypts quarantined files sent to this directory.

If you need to restore any of the quarantined files, use Central Quarantine Restore.

For details, see Restoring Quarantined Files.

Clean

OfficeScan cleans the infected file before allowing full access to the file.

If the file is uncleanable, OfficeScan performs a second action, which can be one of the following actions: Quarantine, Delete, Rename, and Pass.

To configure the second action, go to Agents > Agent Management. Click Settings > Scan Settings > {Scan Type} > Action tab.

This action can be performed on all types of malware except probable virus/malware.

Rename

OfficeScan changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application.

The virus/malware may execute when opening the renamed infected file.

Pass

OfficeScan can only use this scan action when it detects any type of virus during Manual Scan, Scheduled Scan, and Scan Now. OfficeScan cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected will allow virus/malware to execute. All the other scan actions can be used during Real-time Scan.

Deny Access

This scan action can only be performed during Real-time Scan. When OfficeScan detects an attempt to open or execute an infected file, it immediately blocks the operation.

Users can manually delete the infected file.