Anti-Malware

The Anti-Malware module provides both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, Anti-Malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as updatable patterns. Anti-Malware also checks files for certain characteristics, such as compression and known exploit code.

To address threats, Anti-Malware selectively performs actions that contain and remove the threats while minimizing system impact. Anti-Malware can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.

A newly installed Vulnerability ProtectionDeep Security Agent cannot provide Anti-Malware protection until it has contacted an update server to download Anti-Malware patterns and updates. Ensure that your Vulnerability ProtectionDeep Security Agents can communicate with a Vulnerability ProtectionDeep Security Relay or the Trend Micro Update Server after installation.

Malware Types

Anti-Malware protects against all kinds of file-based threats, including the following.

Viruses (File Infectors)

Viruses are able to infect normal files by inserting malicious code. Typically, whenever an infected file is opened, the malicious code automatically runs and delivers a payload in addition to infecting other files. Below are some of the more common types of viruses:

COM and EXE infectors infect DOS and Windows executable files, which typically have COM and EXE extensions.
Macro viruses infect Microsoft Office files by inserting malicious macros.
Boot sector viruses infect the section of hard disk drives that contain operating system startup instructions

Anti-Malware uses different technologies to identify and clean infected files. The most traditional method is to detect the actual malicious code that is used to infect files and strip infected files of this code. Other methods include regulating changes to infectable files or backing up such files whenever suspicious modifications are applied to them.

Trojans and Other Non-Infectors

Non-infectors are malware files that do not have the ability to infect other files. This large set includes the following malware types:

Trojans: non-infecting executable malware files that do not have backdoor or worm capabilities.
Backdoors: malicious applications that allow unauthorized remote users to access infected systems. Backdoors are known to connect to communication servers through open ports.
Worms: malware programs that can propagate from system to system are generally referred to as "worms". Worms are known to propagate by taking advantage of social engineering through attractively packaged email messages, instant messages, or shared files. They are also known to copy themselves to accessible network shares and spread to other computers by exploiting vulnerabilities.
Network viruses: worms that are memory-only or packet-only programs (not file-based). Anti-Malware is unable to detect or remove network viruses.
Rootkits: file-based malware that manipulate calls to operating system components. Applications, including monitoring and security software, need to make such calls for very basic functions, such as listing files or identifying running processes. By manipulating these calls, rootkits are able to hide their presence or the presence of other malware.

Spyware/Grayware

Spyware/grayware comprises applications and components that collect information to be transmitted to a separate system or collected by another application. Spyware/grayware detections, although exhibiting potentially malicious behavior, may include applications used for legitimate purposes such as remote monitoring. Spyware/grayware applications that are inherently malicious, including those that are distributed through known malware channels, are typically detected as other Trojans.

Spyware/grayware applications are typically categorized as:

Spyware: software installed on a computer to collect and transmit personal information.
Dialers: malicious dialers are designed to connect through premium-rate numbers causing unexpected charges. Some dialers also transmit personal information and download malicious software.
Hacking tools: programs or sets of programs designed to assist unauthorized access to computer systems.
Adware (advertising-supported software): any software package that automatically plays, displays, or downloads advertising material.
Cookies: text files stored by a Web browser. Cookies contain website-related data such as authentication information and site preferences. Cookies are not executable and cannot be infected; however, they can be used as spyware. Even cookies sent from legitimate websites can be used for malicious purposes.
Keyloggers: software that logs user keystrokes to steal passwords and other private information. Some keyloggers transmit logs to remote systems.

What Is Grayware?

Although they exhibit what can be intrusive behavior, some spyware-like applications are considered legitimate. For example, some commercially available remote control and monitoring applications can track and collect system events and then send information about these events to another system. System administrators and other users may find themselves installing these legitimate applications. These applications are called "grayware".

To provide protection against the illegitimate use of grayware, Anti-Malware detects grayware but provides an option to "approve" detected applications and allow them to run.

Packers

Packers are compressed and/or encrypted executable programs. To evade detection, malware authors often pack existing malware under several layers of compression and encryption. <Malware protection> checks executable files for compression patterns associated with malware.

Probable Malware

Files detected as probable malware are typically unknown malware components. By default, these detections are logged and files are anonymously sent back to Trend Micro for analysis.

Other Threats

"Other Threats" includes malware not categorized under any of the malware types. This category includes joke programs, which display false notifications or manipulate screen behavior but are generally harmless.

Types of Malware Scans

Vulnerability ProtectionDeep Security performs three kinds of Malware Scans:

Full Scan
Quick Scan
Real-Time Scan

A Full Scan runs a full system scan on all processes and files on computer. Full Scans can be run at scheduled times by creating a Scheduled Task for the purpose, or manually (on-demand).

A Quick Scan only scans a computer's critical system areas for currently active threats. A Quick Scan will look for currently active malware but it will not perform deep file scans to look for dormant or stored infected files. On larger drives it is significantly faster than a Full Scan. Quick Scan is only available on-demand. You cannot schedule a Quick Scan as part of a Scheduled Task.

Real-Time Scanning is the ongoing monitoring of running processes and I/O events.

Basic Configuration

To enable Anti-Malware functionality on a computer:

In the Policy/Computer editor, go to Anti-Malware > General.
In the Anti-Malware section, set Configuration to On (or Inherited On) and then click Save.
In the Real-Time Scan, Manual Scan, or Scheduled Scan sections, set the Malware Scan Configuration and Schedule, or allow those settings to be inherited from the parent policy.
Click Save.

Advanced Configuration

Modifying Malware Scan Configuration

The scope of Malware Scans can be controlled by editing the Malware Scan Configuration that is in effect on a computer. The Malware Scan Configuration determines which files and directories are included or excluded during a scan and which actions are taken if malware is detected on a computer (for example, clean, quarantine, or delete). There are two types of Malware Scan Configurations:

Manual/Scheduled Scan Configurations
Real-Time Scan Configurations

Manual Scan Configurations or Scheduled Scan Configurations are for Full Scans. Real-Time Scan Configurations are for Real-Time Scanning.

Vulnerability ProtectionDeep Security comes with preconfigured default Malware Scan Configurations for each type of scan. These default Malware Scan Configurations are used in Vulnerability ProtectionDeep Security's preconfigured Security Policies.

To change Malware Scan Configurations:

In the Policies page, go to Common Objects > Other > Malware Scan Configurations.
Edit an existing Malware Scan Configuration or create a new one. For details, see "Malware Scan Configurations" in the Deep Security Manager Help.

The following table lists the objects scanned during each type of scan and the sequence in which they are scanned.

Targets	Full Scan	Quick Scan
Drivers	1	1
Trojan	2	2
Process Image	3	3
Memory	4	4
Boot Sector	5	-
Files	6	5
Spyware	7	6

Smart Scan

Smart Scan references threat signatures that are stored on Trend Micro servers. When Smart Scan is enabled, Vulnerability ProtectionDeep Security first scans for security risks locally. If Vulnerability ProtectionDeep Security cannot assess the risk of the file during the scan, try to connect to a local Smart Scan Server. If no local Smart Scan Server is detected, they will attempt to connect to the Trend Micro Global Smart Scan Server.

Smart Scan provides the following features and benefits:

Reduces the overall time it takes to deliver protection against emerging threats
Reduces network bandwidth consumed during pattern updates. The bulk of pattern definition updates only needs to be delivered to the cloud and not to many computers
Reduces the cost and overhead associated with corporate-wide pattern deployments
Lowers kernel memory consumption on computers. Consumption increases minimally over time
Provides fast, real-time security status lookup capabilities in the cloud

To turn Smart Scan on or off, go to Policy/Computer Editor > Anti-Malware > Smart Protection.

NSX Security Tags

Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat. NSX Security Tags can be used with NSX Service Composer to automate certain tasks such as quarantining infected VMs. Consult your VMware NSX documentation for more information on NSX Security Tags and dynamic NSX Security Group assignment.

NSX Security Tags are part of the VMware vSphere NSX environment and are not to be confused with Deep Security Event Tags. For more information on Deep Security Event Tagging, see Event Tagging.

The Anti-Malware and Intrusion Prevention System protection modules can be configured to apply NSX Security Tags.

To configure the Anti-Malware module to apply NSX Security Tags, go to Computer/Policy Editor > Anti-Malware > Advanced > NSX Security Tagging.

You can choose to only apply the NSX Security Tag if the remediation action attempted by the Anti-Malware engine fails. (The remediation action is determined by the Malware Scan Configuration that is in effect. To see which Malware Scan Configuration is in effect, go to the Computer/Policy Editor > Anti-Malware > General tab and check the Real-Time Scan, Manual Scan, and Scheduled Scan areas.)

You can also choose to have the Security Tag removed if a subsequent Malware Scan does not detect any malware. You should only use this setting if all Malware Scans will be of the same kind.