Malware Scan Configurations
Vulnerability ProtectionDeep Security allows you to create a variety of Malware Scan Configurations to automatically handle the way the detection of malware is processed. Configuration options include what files to scan, whether the scanning is done in real time or on a scheduled basis, and what actions to carry out if malware is detected. This page lets you define global Malware Scan Configurations. How, in what combination, and when these configurations are in effect on a computer is set at the Policy and at the computer levels. Also, as with most elements in Vulnerability ProtectionDeep Security, many global settings can be overridden at the Policy and computer levels. (See Policies, Inheritance and Overrides for more information.)
There are two kinds of Malware Scan Configurations: Real-time Scan and Manual/Scheduled Scan. While most actions are available to both types of scans, some actions, like Deny Access are available to Real-time Scans only, and other options, like CPU Usage are available to Manual/Scheduled Scans only.
From the global Malware Scan Configuration page you can:
- Create New (
) Real-time or Manual/Scheduled Scan configurations
- Import (
) an existing Scan Configuration from an XML file. (located under the New menu.) - View the Properties (
) of a Malware Scan Configuration.
- Duplicate (
) (and then modify) existing file configurations. - Delete (
) the highlighted configuration file from the configuration list. - Export (
) the displayed or selected configuration to a XML or CSV file. - Add or Remove Columns (
) from the display. - Search (
) for a particular configuration file.
Properties
General
General Information
- Name and description of the Malware Scan Configuration, and whether this is a Real-Time or a Manual/Scheduled scan type.
Scan Settings
- Directories to scan: Specify which directories to scan for malware. You can scan All directories or select from a defined Directory List.
- Files to scan: Specify which files to scan for malware. Choose between All files, File types scanned by IntelliScan, or choose from a defined File Extension List (which will scan all files with the extensions defined in the list).
IntelliScan only scans file types that are vulnerable to infection (for example, .zip or .exe). IntelliScan does not rely on file extensions to determine file type but instead reads the header and/or content of a file to determine whether it should be scanned. Compared to scanning all files, using IntelliScan provides a performance boost by reducing the total number of files to scan.
Exclusions
Allows you to exclude specific directories, files, and file extensions from being scanned. For example, if you are creating a Malware Scan Configuration for a Microsoft Exchange server, you should exclude the SMEX quarantine folder to avoid re-scanning files that have already been confirmed to be malware.
The following table describes the syntax available for defining Directory List exclusions:
| Exclusion | Format | Description | Examples |
| Directory | DIRECTORY | Excludes all files in the specified directory and all files in all subdirectories. | C:\Program Files\ Excludes all files in the "Program Files" directory and all subdirectories. |
| Directory with wildcard (*) | DIRECTORY\*\ | Excludes any subdirectories with any subdirectory name, but does not exclude the files in the specified directory. | C:\abc\*\ Excludes all files in all subdirectories of "abc" but does not exclude the files in the "abc" directory. C:\abc\wx*z\ Matches: C:\abc\wxz\ C:\abc\wx123z\ Does not match: C:\abc\wxz C:\abc\wx123z C:\abc\*wx\ Matches: C:\abc\wx\ C:\abc\123wx\ Does not match: C:\abc\wx C:\abc\123wx |
| Directory with wildcard (*) | DIRECTORY\* | Excludes any subdirectories with a matching name, but does not exclude the files in that directory and any subdirectories. | C:\abc\* Matches: C:\abc\ C:\abc\1 C:\abc\123 Does not match: C:\abc C:\abc\123\ C:\abc\123\456 C:\abx\ C:\xyz\ C:\abc\*wx Matches: C:\abc\wx C:\abc\123wx Does not match: C:\abc\wx\ C:\abc\123wx\ C:\abc\wx*z Matches: C:\abc\wxz C:\abc\wx123z Does not match: C:\abc\wxz\ C:\abc\wx123z\ C:\abc\wx* Matches: C:\abc\wx C:\abc\wx\ C:\abc\wx12 C:\abc\wx12\345\ C:\abc\wxz\ Does not match: C:\abc\wx123z\ |
| Environment variable | ${ENV VAR} | Excludes all files and subdirectories defined by an environment variable with the format ${ENV VAR}. For a Virtual Appliance, the value pairs for the environment variable must be defined in Policy/Computer Editor > Settings > Computer > Environment Variable Overrides. | ${windir} If the variable resolves to "c:\windows", excludes all the files in "c:\windows" and all its subdirectories. |
| Comments | DIRECTORY #Comment | Allows you to add comments to your exclusion definitions. | c:\abc #Exclude the abc directory |
The following table describes the syntax available for defining File List exclusions:
| Exclusion | Format | Description | Example |
| File | FILE | Excludes all files with the specified file name regardless of its location or directory. | abc.doc Excludes all files named "abc.doc" in all directories. Does not exclude "abc.exe". |
| File path | FILEPATH | Excludes the specific file specified by the file path. | C:\Documents\abc.doc Excludes only the file named "abc.doc" in the "Documents" directory. |
| File with wildcard (*) | FILE* | Excludes all files with a matching pattern in the file name. | abc*.exe Excludes any file that has prefix of "abc" and extension of ".exe". *.db Matches: 123.db abc.db Does not match: 123db 123.abd cbc.dba *db Matches: 123.db 123db ac.db acdb db Does not match: db123 wxy*.db Matches: wxy.db wxy123.db Does not match: wxydb |
| File with wildcard (*) | FILE.EXT* | Excludes all files with a matching pattern in the file extension. | abc.v* Excludes any file that has file name of "abc" and extension beginning with ".v". abc.*pp Matches: abc.pp abc.app Does not match: wxy.app abc.a*p Matches: abc.ap abc.a123p Does not match: abc.pp abc.* Matches: abc.123 abc.xyz Does not match: wxy.123 |
| File with wildcard (*) | FILE*.EXT* | Excludes all files with a matching pattern in the file name and in the extension. | a*c.a*p Matches: ac.ap a123c.ap ac.a456p a123c.a456p Does not match: ad.aa |
| Environment variable | ${ENV VAR} | Excludes files specified by an environment variable with the format ${ENV VAR}. These can be defined or overridden using System Setting > Computers Tab > Environment Variable Overrides. | ${myDBFile} Excludes the file "myDBFile". |
| Comments | FILEPATH #Comment | Allows you to add comments to your exclusion definitions. | C:\Documents\abc.doc #This a comment |
The following table describes the syntax available for defining File Extension List exclusions:
| Exclusion | Format | Description | Example |
| File Extension | EXT | Excludes all files with a matching file extension. | doc Excludes all files with a ".doc" extension in all directories. |
| Comments | EXT #Comment | Allows you to add comments to your exclusion definitions. | doc #This a comment |
The following table describes the syntax available for defining Process Image File List exclusions (Real-Time Scans only):
| Exclusion | Format | Description | Example |
| File path | FILEPATH | Excludes the specific Process Image file specified by the file path. | C:\abc\file.exe Excludes only the file named "file.exe" in the "abc" directory. |
Actions
Recognized Malware
Upon detection
You can instruct Vulnerability ProtectionDeep Security to automatically decide which actions to take upon detecting malware by selecting the Use action determined by ActiveAction option.
The following table lists the actions taken when ActiveAction is selected:
| Malware Type | Real-Time Scan | Manual/Scheduled Scan | Notes |
| Virus | Clean | Clean | Viruses are able to infect normal files by inserting malicious code. Typically, whenever an infected file is opened, the malicious code automatically runs and delivers a payload in addition to infecting other files. Some of the more common types of viruses include COM and EXE infectors, macro viruses, and boot sector viruses. |
| Trojan | Quarantine | Quarantine | Trojans are non-infecting executable malware files that do not have file infection capabilities. |
| Packer | Quarantine | Quarantine | Packers are compressed and/or encrypted executable programs. To evade detection, malware authors often pack existing malware under several layers of compression and encryption. Anti-malware checks executable files for compression patterns associated with malware. |
| Spyware (Grayware) | Quarantine | Quarantine | Although possibly legitimate, grayware exhibit spyware-like behavior and may be unwanted. |
| Possible malware | Pass | Pass | Files detected as possible malware are typically unknown malware components. By default, these detections are logged and files are anonymously sent back to Trend Micro for analysis. |
| Cookies | N/A | Delete | Cookies are text files stored by a Web browser. Cookies contain site-related data such as authentication information and site preferences. Cookies are not executable and cannot be infected; however, they can be used as spyware. Even cookies sent from legitimate websites can be used for malicious purposes. |
| Other Threats | Clean | Clean | The Other Threats category includes joke programs, which display false notifications or manipulate screen behavior, but are generally harmless. |
Alternatively, you can manually specify the actions you want Vulnerability ProtectionDeep Security to take upon detecting malware. There are five possible actions that Vulnerability ProtectionDeep Security can take when it encounters an infected file:
- Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event will still be recorded.)
- Clean: Cleans a cleanable file before allowing full access to the file. (Not available for Possible Malware.)
- Delete: Deletes the infected file.
- Deny Access: This scan action can only be performed during Real-time scans. When Vulnerability ProtectionDeep Security detects an attempt to open or execute an infected file, it immediately blocks the operation. If a Malware Scan Configuration with the "Deny Access" option selected is applied during a Manual or Scheduled scan, a "Pass" action will be applied and an Anti-Malware Event will be recorded.
- Quarantine: Moves the file to the quarantine directory on the computer or Virtual Appliance. (Once quarantined, you can download the file to a location of your choice. See Anti-Malware > Quarantined Files for more information.)
Possible malware
Select an action to take if a file is identified as possible malware. Possible malware is a file that appears suspicious but cannot be classified as a specific malware variant. If you leave this option set to "Default", the action will be what was selected in Upon Detection, above. When possible malware is detected, Trend Micro recommends that you contact your support provider for assistance in further analysis of the file.
Options
General Options
- Enable Spyware/Grayware Scan: The Spyware Scan Engine scans for Spyware/Grayware and performs the actions specified on the Actions tab.
- Scan Compressed Files: Specify under what conditions to scan a file and whether to scan compressed files.
- Maximum levels of compression from which to extract files: A file or group of files can undergo more than one round of compression. This option lets you specify through how many levels of compression you want Vulnerability ProtectionDeep Security to scan.
- Maximum size of individual extracted files: The maximum size of the individual files in a compressed archive to scan.
Scanning large files with multiple layers of compression can affect performance.
- Maximum number of files to extract: The maximum number of files to extract from a compressed archive and scan.
- Scan Embedded Microsoft Office Objects: Certain versions of Microsoft Office use Object Linking and Embedding (OLE) to insert files and other objects into Office files. These embedded objects can contain malicious code. Because embedded objects can contain other objects, there can be multiple layers of embedding within a single Office file. To reduce the impact on performance, you can select to scan only a few layers of embedded
objects within each file.
- Scan for exploit code in Microsoft Office Objects: Exploit Detection heuristically identifies malware by checking Microsoft Office files for exploit code.
The specified number of layers is applicable to both OLE objects and Scan for exploit options. - Enable IntelliTrap (Real-Time only): Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering your network by blocking real-time compressed executable files and pairing them with other malware characteristics. (IntelliTrap only works in Real-Time mode.)
Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting or cleaning) files when you enable IntelliTrap. If users regularly exchange real-time compressed executable files, disable IntelliTrap. IntelliTrap uses the following Anti-Malware components: Virus Scan Engine, IntelliTrap Pattern, IntelliTrap Exception Pattern.
- Enable Network Directory Scan (Real-Time only): To scan files and folders in network shares and mapped network drives, enable this option.
Resources accessed in "~/.gvfs" via GVFS, a virtual filesystem available for the GNOME desktop, will be treated as local resources, not network drives.
- Scan files when (Real-Time only): Choose between scanning files only when they are opened for reading, or when they are opened for both reading and writing.
- CPU Usage (Manual/Scheduled Scan only): Specifies the CPU resources allocated to scanning.
- High: Scans files one after another without pausing
- Medium: Recommended; pauses when overall CPU usage exceeds 50%
- Low: Pauses when overall CPU usage exceeds 20%
Alert
Select whether an Alert is raised if this Malware Scan Configuration triggers an event.
Assigned To
Indicates which Policy(s) and computer(s) are using this particular Malware Scan Configuration.