Scan Targets and Actions for Messaging Security Agents

Configure the following settings for each scan type (Manual Scan, Scheduled Scan, and Real-time Scan):

Target Tab

  • Scan Targets

  • Additional Threat Scan Settings

  • Scan Exclusions

Action Tab

  • Scan Actions/ActiveAction

  • Notifications

  • Advanced Settings

Scan Targets

Select scan targets:

  • All attachment files: Only encrypted or password-protected files are excluded.

    Note:

    This option provides the maximum security possible. However, scanning every file requires a lot of time and resources and might be redundant in some situations. Therefore, you might want to limit the number of files the agent includes in the scan.

  • IntelliScan: Scans files based on true-file type. See IntelliScan.

  • Specific file types: Worry-Free Business Security will scan files of the selected types and with the selected extensions. Separate multiple entries with semicolons (;).

Select other options:

  • Enable IntelliTrap: IntelliTrap detects malicious code, such as bots, in compressed files. See IntelliTrap.

  • Scan message body: Scans the body of an email message that could contain embedded threats.

Additional Threat Scan Settings

Select other threats the agent should scan. For details about these threats, see Understanding Threats.

Select additional options:

  • Backup infected file before cleaning: Worry-Free Business Security makes a backup of the threat before cleaning. The backed-up file is encrypted and stored in the following directory on the client:

    <Messaging Security Agent installation folder>\storage\backup

    You can change the directory in the Advanced Options section, Backup Setting subsection.

    To decrypt the file, see Restoring Encrypted Files.

  • Do not clean infected compressed files to optimize performance

Scan Exclusions

Under the Target tab, go to the Exclusions section and select from the following criteria that the agent will use when excluding email messages from scans:

  • Message body size exceeds: The Messaging Security Agent only scans email messages when the size of the body of the message is smaller than or equal to the specified amount.

  • Attachment size exceeds: The Messaging Security Agent only scans email messages when the size of the attachment file is smaller than or equal to the specified amount.

    Tip:

    Trend Micro recommends a 30 MB limit.

  • Decompressed file count exceeds: When the number of decompressed files within the compressed file exceeds this number, the Messaging Security Agent only scans files up to the limit set by this option.

  • Size of decompressed file exceeds: The Messaging Security Agent only scans compressed files that are smaller than or equal to this size after decompression.

  • Number of layers of compression exceeds: The Messaging Security Agent only scans compressed files that have no more than the specified number of layers of compression. For example, if you set the limit to 5 layers of compression, then the Messaging Security Agent will scan the first 5 layers of compressed files, but not scan files compressed to 6 or more layers.

  • Size of decompressed file is “x” times the size of compressed file: The Messaging Security Agent only scans compressed files when the ratio of the size of the decompressed file compared to the size of the compressed file is less than this number. This function prevents the Messaging Security Agent from scanning a compressed file that might cause a Denial of Service (DoS) attack. A DoS attack happens when a mail server's resources are overwhelmed by unnecessary tasks. Preventing the Messaging Security Agent from scanning files that decompress into very large files helps prevent this problem from happening.

    Example: For the table below, the value typed for the “x” value is 100.

    | File size (not compressed) | File size (compressed)      | Result        |
    |----------------------------|-----------------------------|---------------|
    | 500 KB                     | 10 KB (ratio is 50:1)       | Scanned       |
    | 1000 KB                    | 10 KB (ratio is 100:1)      | Scanned       |
    | 1001 KB                    | 10 KB (ratio exceeds 100:1) | Not scanned * |
    | 2000 KB                    | 10 KB (ratio is 200:1)      | Not scanned * |

    * The Messaging Security Agent takes the action you configure for excluded files.
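
The decompression limits above (decompressed size, layers of compression, and the "x" ratio) can be reasoned about with a small pre-scan check. The following Python sketch is an added example, not Trend Micro code: the `Limits` class, the function names, and the 10 MB size value are assumptions, and it follows the example table in treating a ratio of exactly x:1 as scannable.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

@dataclass
class Limits:  # hypothetical names; the agent's real settings live in its console
    max_ratio: int = 100              # the "x" value from the example table
    max_size: int = 10 * 1024 * 1024  # decompressed-size limit (assumed value)
    max_layers: int = 5               # layers-of-compression limit from the example

def ratio_ok(decompressed: int, compressed: int, x: int) -> bool:
    """Per the example table, a ratio of exactly x:1 is still scanned."""
    return decompressed <= x * max(compressed, 1)

def exclusion_reason(blob: bytes, lim: Limits, layer: int = 1) -> Optional[str]:
    """Return None if the ZIP may be scanned, else the limit that excludes it."""
    if layer > lim.max_layers:
        return "layers"
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        total = sum(i.file_size for i in infos)  # sizes declared in the headers
        if total > lim.max_size:
            return "size"
        if not ratio_ok(total, len(blob), lim.max_ratio):
            return "ratio"
        for info in infos:
            # Bounded read: inflate at most max_size + 1 bytes of any member.
            with zf.open(info) as fh:
                inner = fh.read(lim.max_size + 1)
            if len(inner) > lim.max_size:
                return "size"
            if zipfile.is_zipfile(io.BytesIO(inner)):
                reason = exclusion_reason(inner, lim, layer + 1)
                if reason:
                    return reason
    return None

def make_zip(name: str, payload: bytes) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

An archive that returns a reason here corresponds to an excluded message part, which the agent handles with the action configured under Excluded Message Parts.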

Scan Actions

Administrators can configure the Messaging Security Agent to take actions according to the type of threat presented by virus/malware, Trojans, and worms. If you use customized actions, set an action for each type of threat.

Table 1. Messaging Security Agent Customized Actions

| Action | Description |
|--------|-------------|
| Clean | Removes malicious code from infected message bodies and attachments. The remaining email message text, any uninfected files, and the cleaned files are delivered to the intended recipients. Trend Micro recommends you use the default scan action clean for virus/malware. Under some conditions, the Messaging Security Agent cannot clean a file. During a Manual Scan or Scheduled Scan, the Messaging Security Agent updates the Information Store and replaces the file with the cleaned one. |
| Replace with text/file | Deletes the infected/filtered content and replaces it with text or a file. The email message is delivered to the intended recipient, but the text replacement informs them that the original content was infected and was replaced. For Content Filtering and Data Loss Prevention, you can replace text only in the body or attachment fields (and not From, To, Cc, or Subject). |
| Quarantine entire message | (Real-time Scan only) Quarantines only the infected content to the quarantine directory and the recipient receives the message without this content. For Content Filtering, Data Loss Prevention, and Attachment Blocking, moves the entire message to the quarantine directory. |
| Quarantine message part | (Real-time Scan only) Quarantines only the infected or filtered content to the quarantine directory and the recipient receives the message without this content. |
| Delete entire message | (Real-time Scan only) Deletes the entire email message. The original recipient will not receive the message. |
| Pass | Records virus infection of malicious files in the Virus logs, but takes no action. Excluded, encrypted, or password-protected files are delivered to the recipient without updating the logs. For Content Filtering, delivers the message as-is. |
| Archive | Moves the message to the archive directory and delivers the message to the original recipient. |
| Quarantine message to server-side spam folder | Sends the entire message to the Security Server for quarantine. |
| Quarantine message to user's spam folder | Sends the entire message to the user’s spam folder for quarantine. The folder is located on the server-side of the Information Store. |
| Tag and deliver | Adds a tag to the header information of the email message that identifies it as spam and then delivers it to the intended recipient. |

In addition to these actions, you can also configure the following:

  • Enable action on Mass-mailing behavior: Select from Clean, Replace with Text/File, Delete Entire message, Pass, or Quarantine message part for mass-mailing behavior type of threats.

  • Do this when clean is unsuccessful: Set the secondary action for unsuccessful cleaning attempts. Select from Replace with Text/File, Delete Entire message, Pass, or Quarantine the message part.

ActiveAction

The following table illustrates how ActiveAction handles each type of virus/malware:

Table 2. Trend Micro Recommended Scan Actions Against Viruses and Malware

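| Virus/Malware Type | Real-time Scan: First Action | Real-time Scan: Second Action | Manual Scan/Scheduled Scan: First Action | Manual Scan/Scheduled Scan: Second Action |
|--------------------|------------------------------|-------------------------------|------------------------------------------|-------------------------------------------|
| Virus | Clean | Delete entire message | Clean | Replace with text/file |
| Trojan horse program/Worms | Replace with text/file | N/A | Replace with text/file | N/A |
| Packer | Quarantine message part | N/A | Quarantine message part | N/A |
| Other malicious code | Clean | Delete entire message | Clean | Replace with text/file |
| Additional threats | Quarantine message part | N/A | Replace with text/file | N/A |
| Mass-mailing behavior | Delete entire message | N/A | Replace with text/file | N/A |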

Scan Action Notifications

Select Notify recipients to set the Messaging Security Agent to notify the intended recipients when taking action against a specific email message. For various reasons, you may want to avoid notifying external mail recipients that a message containing sensitive information was blocked. Select Do not notify external recipients to only send notifications to internal mail recipients. Define internal addresses from Operations > Notification Settings > Internal Mail Definition.

You can also disable sending notifications to spoofing senders’ external recipients.

Advanced Settings (Scan Actions)

Settings

Details

Macros

Macro viruses are application-specific viruses that infect macro utilities that accompany applications. Advanced macro scanning uses heuristic scanning to detect macro viruses or strip all detected macro codes. Heuristic scanning is an evaluative method of detecting viruses that uses pattern recognition and rules-based technologies to search for malicious macro code. This method excels at detecting undiscovered viruses and threats that do not have a known virus signature.

The Messaging Security Agent takes action against malicious macro code depending on the action that you configure.

  • Heuristic level

    • Level 1 uses the most specific criteria, but detects the least macro codes.

    • Level 4 detects the most macro codes, but uses the least specific criteria and may falsely identify safe macro code as harboring malicious macro code.

    Tip:

    Trend Micro recommends a heuristic scan level of 2. This level provides a high detection level for unknown macro viruses, fast scanning speed, and it uses only the necessary rules to check for macro virus strings. Level 2 also has a low level of incorrectly identifying malicious code in safe macro code.

  • Delete all macros detected by advanced macro scan: Strips all of the macro code detected in scanned files.

Unscannable Message Parts

Set the action and notification condition for encrypted and/or password-protected files. For the action, select from Replace with text/file, Quarantine entire message, Delete entire message, Pass, or Quarantine message part.

Excluded Message Parts

Set the action and notification condition for parts of messages that have been excluded. For the action, select from Replace with text/file, Quarantine entire message, Delete entire message, Pass, or Quarantine message part.

Backup Setting

The location where the agent saves backups of infected files before cleaning them.

Replacement Settings

Configure the replacement text and file. If the action is Replace with text/file, Worry-Free Business Security will replace the threat with this text string and file.