When Server & Workload Protection detects malware, it performs a remedial action to handle the file. There are five possible actions that Server & Workload Protection can take when it encounters malware:
  • Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)
    WARNING
    The remedial action Pass should never be used for a possible virus.
  • Clean: Cleans an infected file before allowing full access to it. If the file can't be cleaned, it is quarantined.
  • Delete: On Linux, the infected file is deleted without a backup.
    On Windows, the infected file is backed up and then deleted. Windows backup files can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files.
  • Deny Access: This scan action can only be performed during Real-time scans. When Server & Workload Protection detects an attempt to open or execute an infected file, it immediately blocks the operation. The infected file is left unchanged. When the Access Denied action is triggered, the infected files stay in their original location.
    Important
    Do not use the remedial action Deny Access when Real-Time Scan is set to During Write. When During Write is selected, files are scanned when they are written and the action Deny Access has no effect.
  • Quarantine: Moves the infected file to the quarantine directory on the computer or Virtual Appliance. The quarantined file can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files.
    Note
    Malware marked as Quarantined on Linux might be marked as Deleted on Windows, despite the malware being identical on both operating systems. In either case, the file can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files.
    Note
    On Windows, infected non-compressed files (for example, .txt files) are quarantined, while infected compressed files (for example, .zip files) are deleted. On Windows, both quarantined and deleted files have a backup that can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files. On Linux, all infected files (compressed or non-compressed) are quarantined, and can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files.
The default remediation actions in the malware scan configurations are appropriate for most circumstances. However, you can customize the actions to take when Server & Workload Protection detects malware. You can either use the action that ActiveAction determines, or specify the action for each type of vulnerability.
ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly. (See ActiveAction actions.)
Important
For macOS agents, the supported custom actions are Virus, Trojans, and Spyware.

Procedure

  1. Open the properties of the malware scan configuration.
  2. On the Advanced tab, for Remediation Actions select Custom.
  3. Specify the action to take:
    • To let ActiveAction decide which action to take, select Use action recommended by ActiveAction.
    • To specify an action for each type of vulnerability, select Use custom actions, and then select the actions to use.
  4. Specify the action to take for Possible Malware.
  5. Click OK.