Scan Targets and Actions for Security Agents

Configure the following settings for each scan type (Manual Scan, Scheduled Scan, and Real-time Scan):

Target Tab

Select a method:

  • All scannable files: includes all scannable files. Unscannable files are password-protected files, encrypted files, or files that exceed the user-defined scanning restrictions.

    Note:

    This option provides the maximum security possible. However, scanning every file requires a lot of time and resources and might be redundant in some situations. Therefore, you might want to limit the number of files the agent includes in the scan.

  • IntelliScan uses "true file type" identification: Scans files based on true-file type. See IntelliScan.

  • Scan files with the following extensions: Manually specify the files to scan based on their extensions. Separate multiple entries with commas.

Select a scan trigger:

  • Read: Scans files whose contents are read; files are read when they are opened, executed, copied, or moved.

  • Write: Scans files whose contents are being written; a file’s contents are written when the file is modified, saved, downloaded, or copied from another location.

  • Read or write

Scan Exclusions

The following settings are configurable:

  • Enable or disable exclusions

  • Exclude Trend Micro product directories from scans

  • Exclude other directories from scans

    All subdirectories in the directory path you specify will also be excluded

  • Exclude file names or file names with full path from scans

  • Exclude file extensions

    Wildcard characters, such as “*”, are not accepted for file extensions

Note:

(Advanced only) If Microsoft Exchange Server is running on the client, Trend Micro recommends excluding all Microsoft Exchange Server folders from scanning. To exclude scanning of Microsoft Exchange server folders on a global basis, go to Administration > Global Settings > Desktop/Server {tab} > General Scan Settings, and then select Exclude Microsoft Exchange server folders when installed on Microsoft Exchange server.
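To review what an exclusion list actually removes from scanning, the following added example (not part of the Trend Micro documentation or product) checks file paths against directory, file name, and extension exclusions. The function names, the matching rules for bare file names, and the sample paths are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

def parse_extensions(entries):
    """Split extension exclusions into (accepted, rejected).

    Entries containing wildcard characters are rejected, because the
    console does not accept them for file extensions.
    """
    accepted, rejected = [], []
    for entry in entries:
        ext = entry.strip().lstrip(".").lower()
        if not ext:
            continue
        (rejected if "*" in ext or "?" in ext else accepted).append(ext)
    return accepted, rejected

def exclusion_reason(path, dirs=(), files=(), exts=()):
    """Return why `path` would be skipped, or None if it is still scanned."""
    p = PureWindowsPath(path)  # Windows paths compare case-insensitively
    for d in map(PureWindowsPath, dirs):
        # Component-wise match: C:\Data covers C:\Data\a\b, not C:\Database.
        if d in p.parents:
            return f"directory {d}"
    for f in files:
        fp = PureWindowsPath(f)
        # Assumption: a bare file name matches in any directory,
        # a file name with full path matches only that exact file.
        if fp.is_absolute():
            hit = fp == p
        else:
            hit = fp.name.lower() == p.name.lower()
        if hit:
            return f"file {f}"
    accepted, _ = parse_extensions(exts)
    ext = p.suffix.lstrip(".").lower()
    if ext in accepted:
        return f"extension {ext}"
    return None

if __name__ == "__main__":
    # Constructed sample paths: one excluded directory hides a nested executable.
    for sample in (r"C:\Data\Exports\tmp\tool.exe", r"C:\Database\tool.exe"):
        print(sample, "->", exclusion_reason(sample, dirs=[r"c:\data"]))
```

Running every path under a writable location through `exclusion_reason` shows how far a single directory exclusion reaches, since all subdirectories inherit it.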

Advanced Settings

Scan Type: Real-time Scan

Scan POP3 messages: By default, Mail Scan can only scan new messages sent through port 110 in the Inbox and Junk Mail folders. It does not support secure POP3 (SSL-POP3).

  • Microsoft Outlook 2007, 2010, or 2013

  • Mozilla Thunderbird 1.5 or higher

Mail Scan cannot detect security risks in IMAP messages. Use the Messaging Security Agent (Advanced only) to detect security risks and spam in IMAP messages.

Scan Type: Real-time Scan, Manual Scan

Scan mapped drives and shared folders on the network: Select to scan directories physically located on other computers, but mapped to the local computer.

Scan Type: Real-time Scan

Scan floppy disks during system shutdown

Scan Type: Real-time Scan

Enable IntelliTrap: IntelliTrap detects malicious code, such as bots, in compressed files. See IntelliTrap.

Scan Type: Real-time Scan

Quarantine malware variants detected in memory: If Real-time Scan and Behavior Monitoring are enabled and this option is selected, running process memory is scanned for packed malware. Any packed malware that Behavior Monitoring detects is quarantined.

Scan Type: Real-time Scan, Manual Scan, Scheduled Scan

Scan compressed files up to layer __: A compressed file has one layer for each time it has been compressed. If an infected file has been compressed to several layers, it must be scanned through the specified number of layers to detect the infection. Scanning through multiple layers, however, requires more time and resources.

Scan Type: Real-time Scan, Manual Scan, Scheduled Scan

Modify Spyware/Grayware Approved List: This setting cannot be configured from the agent console.

Scan Type: Manual Scan, Scheduled Scan

CPU Usage/Scan Speed: The Security Agent can pause after scanning one file and before scanning the next file.

Select from the following options:

  • High: No pausing between scans

  • Medium: Pause between file scans if CPU consumption is higher than 50%, and do not pause if 50% or lower

  • Low: Pause between file scans if CPU consumption is higher than 20%, and do not pause if 20% or lower

Scan Type: Manual Scan, Scheduled Scan

Run advanced cleanup: The Security Agent stops activities by rogue security software, also known as FakeAV. The agent also uses advanced cleanup rules to proactively detect and stop applications that exhibit FakeAV behavior.

Note:

While providing proactive protection, advanced cleanup also results in a high number of false positives.
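The effect of the "Scan compressed files up to layer __" setting can be seen in the following added example (not Trend Micro code), which walks nested ZIP archives and reports which members are reached and which are never opened at a given layer limit. The function names, the 10 MB size restriction, and the sample archive are assumptions constructed for illustration; the agent's own unpacking logic is not documented on this page.

```python
import io
import zipfile

MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed size restriction for this demo

def wrap(name, data):
    """Compress `data` one more time: a ZIP archive with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def walk_layers(data, max_layers, layer=1, prefix=""):
    """Return (inspected, skipped) for a ZIP archive sitting at `layer`.

    inspected: (member path, layer) pairs whose content was reached.
    skipped:   member paths never opened (too deep or too large).
    """
    inspected, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                skipped.append(path)   # declared size exceeds the restriction
                continue
            body = zf.read(info)
            if not zipfile.is_zipfile(io.BytesIO(body)):
                inspected.append((path, layer))
            elif layer + 1 > max_layers:
                skipped.append(path)   # nested archive beyond the layer limit
            else:
                got, missed = walk_layers(body, max_layers, layer + 1, path + "/")
                inspected += got
                skipped += missed
    return inspected, skipped

def build_sample():
    """Constructed sample: a harmless text file compressed three times."""
    layer3 = wrap("sample.txt", b"CONSTRUCTED-TEST-CONTENT")
    layer2 = wrap("layer3.zip", layer3)
    return wrap("layer2.zip", layer2)

if __name__ == "__main__":
    for limit in (2, 3):
        print(limit, walk_layers(build_sample(), limit))
```

With a limit of 2 the text file is never reached and the third-layer archive appears in `skipped`; with a limit of 3 it is inspected. An entry in `skipped` is content the scan did not examine and so cannot vouch for.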

Spyware/Grayware Approved List

Certain applications are classified by Trend Micro as spyware/grayware not because they can cause harm to the system on which they are installed, but because they potentially expose the client or the network to malware or hacker attacks.

Worry-Free Business Security includes a list of potentially risky applications and, by default, prevents these applications from executing on clients.

If clients need to run any application that is classified by Trend Micro as spyware/grayware, you need to add the application name to the spyware/grayware approved list.

Action Tab

The following are the actions that Security Agents can perform against viruses/malware:

Table 1. Virus/Malware Scan Actions

Action | Description
------ | -----------
Delete | Deletes the infected file.
Quarantine | Renames and then moves the infected file to a temporary quarantine directory on the client. The Security Agent then sends quarantined files to the designated quarantine directory, which is on the Security Server by default. The Security Agent encrypts quarantined files sent to this directory. If you need to restore any of the quarantined files, use the VSEncrypt tool.
Clean | Cleans the infected file before allowing full access to the file. If the file is uncleanable, the Security Agent performs a second action, which can be one of the following actions: Quarantine, Delete, Rename, and Pass. This action can be performed on all types of malware except probable virus/malware. Note: Some files are uncleanable. For details, see Uncleanable Files.
Rename | Changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application. The virus/malware may execute when opening the renamed infected file.
Pass | Only performed during Manual Scan and Scheduled Scan. The Security Agent cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected will allow virus/malware to execute. All the other scan actions can be used during Real-time Scan.
Deny Access | Only performed during Real-time Scan. When the Security Agent detects an attempt to open or execute an infected file, it immediately blocks the operation. Users can manually delete the infected file.

The scan action the Security Agent performs depends on the scan type that detected the spyware/grayware. While specific actions can be configured for each virus/malware type, only one action can be configured for all types of spyware/grayware. For example, when the Security Agent detects any type of spyware/grayware during Manual Scan (scan type), it cleans (action) the affected system resources.

The following are the actions the Security Agent can perform against spyware/grayware:

Table 2. Spyware/Grayware Scan Actions

Action | Description
------ | -----------
Clean | Terminates processes or deletes registries, files, cookies, and shortcuts.
Pass | Performs no action on detected spyware/grayware components but records the spyware/grayware detection in the logs. This action can only be performed during Manual Scan and Scheduled Scan. During Real-time Scan, the action is "Deny Access". The Security Agent will not perform any action if the detected spyware/grayware is included in the approved list.
Deny Access | Denies access (copy, open) to the detected spyware/grayware components. This action can only be performed during Real-time Scan. During Manual Scan and Scheduled Scan, the action is "Pass".

ActiveAction

Different types of virus/malware require different scan actions. Customizing scan actions requires knowledge about virus/malware and can be a tedious task. The Security Agent uses ActiveAction to counter these issues.

ActiveAction is a set of pre-configured scan actions for viruses/malware. If you are not familiar with scan actions or if you are not sure which scan action is suitable for a certain type of virus/malware, Trend Micro recommends using ActiveAction.

Using ActiveAction provides the following benefits:

  • ActiveAction uses scan actions that are recommended by Trend Micro. You do not have to spend time configuring the scan actions.

  • Virus writers constantly change the way virus/malware attack endpoints. ActiveAction settings are updated to protect against the latest threats and the latest methods of virus/malware attacks.

The following table illustrates how ActiveAction handles each type of virus/malware:

Table 3. Trend Micro Recommended Scan Actions Against Viruses and Malware

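Virus/Malware Type | Real-time Scan: First Action | Real-time Scan: Second Action | Manual Scan/Scheduled Scan: First Action | Manual Scan/Scheduled Scan: Second Action
------------------ | ---------------------------- | ----------------------------- | ---------------------------------------- | -----------------------------------------
Joke program | Quarantine | Delete | Quarantine | Delete
Trojan horse program/Worms | Quarantine | Delete | Quarantine | Delete
Packer | Quarantine | N/A | Quarantine | N/A
Probable virus/malware | Quarantine | N/A | Pass or user-configured action | N/A
Virus | Clean | Quarantine | Clean | Quarantine
Test virus | Deny Access | N/A | N/A | N/A
Other malware | Clean | Quarantine | Clean | Quarantine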

Notes and Reminders:

  • For probable virus/malware, the default action is "Deny Access" during Real-time Scan and "Pass" during Manual Scan and Scheduled Scan. If these are not your preferred actions, you can change them to "Quarantine", "Delete", or "Rename".

  • Some files are uncleanable. For details, see Uncleanable Files.

  • ActiveAction is not available for spyware/grayware scan.

  • The default values for these settings can change when new pattern files become available.

Advanced Settings

Scan Type: Real-time Scan, Scheduled Scan

Display an alert message on the desktop or server when a virus/spyware is detected

Scan Type: Real-time Scan, Scheduled Scan

Display an alert message on the desktop or server when a probable virus/spyware is detected

Scan Type: Manual Scan, Real-time Scan, Scheduled Scan

Run cleanup when probable virus/malware is detected: Only available if you choose ActiveAction and customize the action for probable virus/malware.