Virus/Malware Scan Results

The following scan results display in the virus/malware logs:

Table 1. Scan Results

Result

Description

Deleted

  • First action is "Delete" and the infected file was deleted.

  • First action is "Clean" but cleaning was unsuccessful. Second action is "Delete" and the infected file was deleted.

Quarantined

  • First action is "Quarantine" and the infected file was quarantined.

  • First action is "Clean" but cleaning was unsuccessful. Second action is "Quarantine" and the infected file was quarantined.

Cleaned

An infected file was cleaned.

Renamed

  • First action is "Rename" and the infected file was renamed.

  • First action is "Clean" but cleaning was unsuccessful. Second action is "Rename" and the infected file was renamed.

Access denied

  • First action is "Deny Access" and access to the infected file was denied when the user attempted to open the file.

  • First action is "Clean" but cleaning was unsuccessful. Second action is "Deny Access" and access to the infected file was denied when the user attempted to open the file.

  • Probable Virus/Malware was detected during Real-time Scan.

  • Real-time Scan may deny access to files infected with a boot virus even if the scan action is "Clean" (first action) and "Quarantine" (second action). This is because attempting to clean a boot virus may damage the Master Boot Record (MBR) of the infected endpoint. Run Manual Scan so OfficeScan can clean or quarantine the file.

Passed

  • First action is "Pass". OfficeScan did not perform any action on the infected file.

  • First action is "Clean" but cleaning was unsuccessful. Second action is "Pass" so OfficeScan did not perform any action on the infected file.

Passed a potential security risk

This scan result only displays when OfficeScan detects "probable virus/malware" during Manual Scan, Scheduled Scan, and Scan Now. Refer to the following page on the Trend Micro online Virus Encyclopedia for information about probable virus/malware and how to submit suspicious files to Trend Micro for analysis.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=POSSIBLE_VIRUS&VSect=Sn

Unable to clean or quarantine the file

"Clean" is the first action. "Quarantine" is the second action, and both actions were unsuccessful.

Solution: See Unable to quarantine the file/Unable to rename the file.

Unable to clean or delete the file

"Clean" is the first action. "Delete" is the second action, and both actions were unsuccessful.

Solution: See Unable to delete the file.

Unable to clean or rename the file

"Clean" is the first action. "Rename" is the second action, and both actions were unsuccessful.

Solution: See Unable to quarantine the file/Unable to rename the file.

Unable to quarantine the file/Unable to rename the file

Explanation 1

The infected file may be locked by another application, is executing, or is on a CD. OfficeScan will quarantine/rename the file after the application releases the file or after it has been executed.

Solution

For infected files on a CD, consider not using the CD as the virus may infect other endpoints on the network.

Explanation 2

The infected file is in the Temporary Internet Files folder of the agent endpoint. Since the endpoint downloads files while you are browsing, the web browser may have locked the infected file. When the web browser releases the file, OfficeScan will quarantine/rename the file.

Solution: None

Unable to delete the file

Explanation 1

The infected file may be contained in a compressed file and the Clean/Delete infected files within compressed files setting in Agents > Global Agent Settings on the Security Settings tab is disabled.

Solution

Enable the Clean/Delete infected files within compressed files option. When enabled, OfficeScan decompresses a compressed file, cleans/deletes infected files within the compressed file, and then re-compresses the file.

Note:

Enabling this setting may increase endpoint resource usage during scanning and scanning may take longer to complete.

Explanation 2

The infected file may be locked by another application, is executing, or is on a CD. OfficeScan will delete the file after the application releases the file or after it has been executed.

Solution

For infected files on a CD, consider not using the CD as the virus may infect other endpoints on the network.

Explanation 3

The infected file is in the Temporary Internet Files folder of the OfficeScan agent endpoint. Since the endpoint downloads files while you are browsing, the web browser may have locked the infected file. When the web browser releases the file, OfficeScan will delete the file.

Solution: None

Unable to send the quarantined file to the designated quarantine folder

Although OfficeScan successfully quarantined a file in the \Suspect folder of the OfficeScan agent endpoint, it cannot send the file to the designated quarantine directory.

Solution

Determine which scan type (Manual Scan, Real-time Scan, Scheduled Scan, or Scan Now) detected the virus/malware and then check the quarantine directory specified in Agents > Agent Management > Settings > {Scan Type} > Action tab.

If the quarantine directory is on the OfficeScan server computer or is on another OfficeScan server computer:

  1. Check if the agent can connect to the server.

  2. If you use URL as the quarantine directory format:

    1. Ensure that the endpoint name you specify after http:// is correct.

    2. Check the size of the infected file. If it exceeds the maximum file size specified in Administration > Settings > Quarantine Manager, adjust the setting to accommodate the file. You may also perform other actions such as deleting the file.

    3. Check the size of the quarantine directory folder and determine whether it has exceeded the folder capacity specified in Administration > Settings > Quarantine Manager. Adjust the folder capacity or manually delete files in the quarantine directory.

  3. If you use UNC path, ensure that the quarantine directory folder is shared to the group "Everyone" and that you assign read and write permission to this group. Also check if the quarantine directory folder exists and if the UNC path is correct.

If the quarantine directory is on another endpoint on the network (You can only use UNC path for this scenario):

  1. Check if the OfficeScan agent can connect to the endpoint.

  2. Ensure that the quarantine directory folder is shared to the group "Everyone" and that you assign read and write permission to this group.

  3. Check if the quarantine directory folder exists.

  4. Check if the UNC path is correct.

If the quarantine directory is on a different directory on the OfficeScan agent endpoint (you can only use absolute path for this scenario), check if the quarantine directory folder exists.

Unable to clean the file

Explanation 1

The infected file may be contained in a compressed file and the "Clean/Delete" infected files within compressed files setting in Agents > Global Agent Settings on the Security Settings tab is disabled.

Solution

Enable the Clean/Delete infected files within compressed files option. When enabled, OfficeScan decompresses a compressed file, cleans/deletes infected files within the compressed file, and then re-compresses the file.

Note:

Enabling this setting may increase endpoint resource usage during scanning and scanning may take longer to complete.

Explanation 2

The infected file is in the Temporary Internet Files folder of the OfficeScan agent endpoint. Since the endpoint downloads files while you are browsing, the web browser may have locked the infected file. When the web browser releases the file, OfficeScan will clean the file.

Solution: None

Explanation 3

The file may be uncleanable. For details and solutions, see Uncleanable Files.

Action required

OfficeScan is unable to complete the configured action on the infected file without user intervention. Hover over the Action required column to see the following details.

  • "Action required - Contact Support for details on how to remove this threat with the Anti-Threat Tool Kit "Clean Boot" tool found in the OfficeScan ToolBox"

  • "Action required - Contact Support for details on how to remove this threat with the Anti-Threat Tool Kit "Rescue Disk" tool found in the OfficeScan ToolBox"

  • "Action required - Contact Support for details on how to remove this threat with the Anti-Threat Tool Kit "Rootkit Buster" tool found in the OfficeScan ToolBox"

  • "Action Required - OfficeScan detected a threat on an infected agent. Restart the endpoint to finish cleaning the security threat"

  • "Action required – A full system scan is required to finish removing a detected rootkit threat from the endpoint"
Parent topic: Viewing Virus/Malware Logs