Views:
Configure the following settings for each scan type (Manual Scan, Scheduled Scan, and Real-time Scan):

Target Tab

Select a method:
  • All scannable files: includes all scannable files. Unscannable files are password protected files, encrypted files, or files that exceed the user-defined scanning restrictions.
    Note
    Note
    This option provides the maximum security possible. However, scanning every file requires a lot of time and resources and might be redundant in some situations. Therefore, you might want to limit the amount of files the agent includes in the scan.
  • IntelliScan uses "true file type" identification: Scans files based on true-file type. See IntelliScan.
  • Scan files with the following extensions: Manually specify the files to scan based on their extensions. Separate multiple entries with commas.
Select a scan trigger:
  • Read: Scans files whose contents are read; files are read when they are opened, executed, copied, or moved.
  • Write: Scans files whose contents are being written; a file’s contents are written when the file is modified, saved, downloaded, or copied from another location.
  • Read or write

Scan Exclusions

The following settings are configurable:
  • Enable or disable exclusions
  • Exclude Trend Micro product directories from scans
  • Exclude other directories from scans
    All subdirectories in the directory path you specify will also be excluded
  • Exclude file names or file names with full path from scans
  • Exclude file extensions
    Wildcard characters, such as “*”, are not accepted for file extensions
Note
Note
(Advanced only) If Microsoft Exchange Server is running on the client, Trend Micro recommends excluding all Microsoft Exchange Server folders from scanning. To exclude scanning of Microsoft Exchange server folders on a global basis, go to AdministrationGlobal Settings Desktop/Server {tab}General Scan Settings, and then select Exclude Microsoft Exchange server folders when installed on Microsoft Exchange server.

Advanced Settings

Scan Type
Option
Real-time Scan
Scan POP3 messages: By default, Mail Scan can only scan new messages sent through port 110 in the Inbox and Junk Mail folders. It does not support secure POP3 (SSL-POP3).
  • Microsoft Outlook 2007, 2010, or 2013
  • Mozilla Thunderbird 1.5 or higher
Mail Scan cannot detect security risks in IMAP messages. Use the Messaging Security Agent (Advanced only) to detect security risks and spam in IMAP messages.
Real-time Scan
Scan floppy disks during system shutdown
Real-time Scan
Enable IntelliTrap: IntelliTrap detects malicious code, such as bots, in compressed files. See IntelliTrap.
Real-time Scan
Quarantine malware variants detected in memory: If Real-time Scan and Behavior Monitoring are enabled and this option is selected, running process memory is scanned for packed malware. Any packed malware that Behavior Monitoring detects is quarantined.
Real-time Scan, Manual Scan, Scheduled Scan
Scan compressed files up to layer __: A compressed file has one layer for each time it has been compressed. If an infected file has been compressed to several layers, it must be scanned through the specified number of layer to detect the infection. Scanning through multiple layers, however, requires more time and resources.
Real-time Scan, Manual Scan, Scheduled Scan
Modify Spyware/Grayware Approved List: This setting cannot be configured from the agent console.
Manual Scan, Scheduled Scan
CPU Usage/Scan Speed: The Security Agent can pause after scanning one file and before scanning the next file.
Select from the following options:
  • High: No pausing between scans
  • Medium: Pause between file scans if CPU consumption is higher than 50%, and do not pause if 50% or lower
  • Low: Pause between file scans if CPU consumption is higher than 20%, and do not pause if 20% or lower
Manual Scan, Scheduled Scan
Run advanced cleanup: The Security Agent stops activities by rogue security software, also known as FakeAV. The agent also uses advanced cleanup rules to proactively detect and stop applications that exhibit FakeAV behavior.
Note
Note
While providing proactive protection, advanced cleanup also results in a high number of false-positives.

Spyware/Grayware Approved List

Certain applications are classified by Trend Micro as spyware/grayware not because they can cause harm to the system on which they are installed, but because they potentially, expose the client or the network to malware or hacker attacks.
Worry-Free Business Security includes a list of potentially risky applications and, by default, prevents these applications from executing on clients.
If clients need to run any application that is classified by Trend Micro as spyware/grayware, you need to add the application name to the spyware/grayware approved list.

Action Tab

The following are the actions that Security Agents can perform against viruses/malware:

Virus/Malware Scan Actions

Action
Description
Delete
Deletes the infected file.
Quarantine
Renames and then moves the infected file to a temporary quarantine directory on the client.
The Security Agents then sends quarantined files to the designated quarantine directory, which is on the Security Server by default.
The Security Agent encrypts quarantined files sent to this directory.
If you need to restore any of the quarantined files, use the VSEncrypt tool.
Clean
Cleans the infected file before allowing full access to the file.
If the file is uncleanable, the Security Agent performs a second action, which can be one of the following actions: Quarantine, Delete, Rename, and Pass
This action can be performed on all types of malware except probable virus/malware.
Note
Note
Some files are uncleanable. For details, see Uncleanable Files.
Rename
Changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application.
The virus/malware may execute when opening the renamed infected file.
Pass
Only performed during Manual Scan and Scheduled Scan. The Security Agent cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected will allow virus/malware to execute. All the other scan actions can be used during Real-time Scan.
Deny Access
Only performed during Real-time Scan. When the Security Agent detects an attempt to open or execute an infected file, it immediately blocks the operation.
Users can manually delete the infected file.
The scan action the Security Agent performs depends on the scan type that detected the spyware/grayware. While specific actions can be configured for each virus/malware type, only one action can be configured for all types of spyware/grayware. For example, when the Security Agent detects any type of spyware/grayware during Manual Scan (scan type), it cleans (action) the affected system resources.
The following are the actions the Security Agent can perform against spyware/grayware:

Spyware/Grayware Scan Actions

Action
Description
Clean
Terminates processes or deletes registries, files, cookies, and shortcuts.
Pass
Performs no action on detected spyware/grayware components but records the spyware/grayware detection in the logs. This action can only be performed during Manual Scan and Scheduled Scan. During Real-time Scan, the action is "Deny Access".
The Security Agent will not perform any action if the detected spyware/grayware is included in the approved list.
Deny Access
Denies access (copy, open) to the detected spyware/grayware components. This action can only be performed during Real-time Scan. During Manual Scan and Scheduled Scan, the action is "Pass".

ActiveAction

Different types of virus/malware require different scan actions. Customizing scan actions requires knowledge about virus/malware and can be a tedious task. The Security Agent uses AntimalwareScanCore to counter these issues.
AntimalwareScanCore is a set of pre-configured scan actions for viruses/malware. If you are not familiar with scan actions or if you are not sure which scan action is suitable for a certain type of virus/malware, Trend Micro recommends using AntimalwareScanCore.
Using AntimalwareScanCore provides the following benefits:
  • AntimalwareScanCore uses scan actions that are recommended by Trend Micro. You do not have to spend time configuring the scan actions.
  • Virus writers constantly change the way virus/malware attack endpoints. AntimalwareScanCore settings are updated to protect against the latest threats and the latest methods of virus/malware attacks.
The following table illustrates how ActiveAction handles each type of virus/malware:

Trend Micro Recommended Scan Actions Against Viruses and Malware

Virus/Malware Type
Real-time Scan
Manual Scan/Scheduled Scan
First Action
Second Action
First Action
Second Action
Joke program
Quarantine
Delete
Quarantine
Delete
Trojan horse program/Worms
Quarantine
Delete
Quarantine
Delete
Packer
Quarantine
N/A
Quarantine
N/A
Probable virus/malware
Pass
N/A
Pass or user-configured action
N/A
Virus
Clean
Quarantine
Clean
Quarantine
Test virus
Deny Access
N/A
N/A
N/A
Other malware
Clean
Quarantine
Clean
Quarantine
Note
Note
  • Some files are uncleanable. For details, see Uncleanable Files.
  • AntimalwareScanCore is not available for spyware/grayware scan.
  • The default values for these settings can change, when new pattern files become available.

Advanced Settings

Scan Type
Option
Real-time Scan, Scheduled Scan
Display an alert message on the desktop or server when a virus/spyware is detected
Real-time Scan, Scheduled Scan
Display an alert message on the desktop or server when a probable virus/spyware is detected
Manual Scan, Real-time Scan, Scheduled Scan
Run cleanup when probable virus/malware is detected: Only available if you choose ActiveAction and customized the action for probable virus/malware.
Keywords: AntimalwareScanCore,actions,spyware/grayware