What to do when suspicious behavior or suspicious files are found in your system

Updated: 5 Jan 2021
Product/Version: Apex One 2019, OfficeScan 11.0, OfficeScan XG
Summary

You may be experiencing any of the following scenarios despite having a Trend Micro agent with updated components and patterns:

  • Some files are encrypted
  • Suspicious files/scripts running in your environment
  • Machine(s) connecting to unknown IPs
  • Redirection to unknown sites
  • Pop-up messages being displayed
Details

If you experience any of the listed unusual system behaviors, follow the corresponding recommendations.

  • When encountering encrypted files
    1. Collect a sample of an encrypted file and upload it to ID Ransomware. The ransom note plus one encrypted file is enough; ID Ransomware is a third-party service, so do not upload files whose contents are themselves sensitive.
    2. Once the malware family has been identified, use the Threat Encyclopedia to search for more information about the ransomware and the solution to completely remove it from your system.
    3. If you are not convinced that the malware has been completely removed, run ATTK (Anti-Threat Toolkit) on the affected machines and submit the output to Trend Micro Support.
    4. Use this guide on how to file a case with the logs collected.
  • When suspicious files / PowerShell scripts are running in the environment
    • Suspicious files:
      1. Open the Task Manager.
      2. Go to the Details tab.
      3. Find the suspicious process, right-click it and click Open File Location.
      4. Collect the file and end the suspicious process; copy the file before ending the process where possible, since some malware deletes its own binary on exit. Compress the collected file into a password-protected archive with the password "virus". The password only prevents mail and antivirus gateways from stripping the sample in transit; it is not meant to protect the contents.
      5. Use ATTK on the affected machine.
      6. Submit the ATTK log and the suspicious file to Trend Micro Support.
    • Suspicious PowerShell scripts:

      For more information about PowerShell-based malware and how to mitigate it, visit this article.

      Visit this article on how to file a case with the logs collected.
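The Task Manager walk-through above and the PowerShell bullet can be done in one pass from an elevated PowerShell prompt, which also surfaces the encoded or hidden PowerShell invocations that Task Manager does not show. The following is an added example and not part of the Trend Micro article; it assumes Windows 10 / Server 2016 or later, and the evidence folder, the 7-Zip path and the process placeholder `<PID>` are illustrative.

```powershell
# Added example (not from the Trend Micro article): triage running processes and
# PowerShell command lines before deciding what to collect and what to end.
# Run from an elevated PowerShell prompt. $Evidence and the 7-Zip path are assumptions.

$Evidence = 'C:\Temp\evidence'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Inventory: image path, Authenticode status and SHA256 for every process.
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $path   = $_.ExecutablePath
    $onDisk = $path -and (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        PID         = $_.ProcessId
        ParentPID   = $_.ParentProcessId
        Name        = $_.Name
        Path        = $path
        Signature   = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'NoPath' }
        SHA256      = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        CommandLine = $_.CommandLine
    }
}

# 2. Files worth a closer look: unsigned or tampered binaries, or binaries running
#    from user-writable folders, which is where droppers and payloads usually land.
$userWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'
$suspectFiles = $procs | Where-Object {
    $_.Path -and ($_.Signature -ne 'Valid' -or $_.Path -match $userWritable)
}

# 3. PowerShell invocations using the switches that malware loaders favour.
$psPattern = '-(e|ec|enc|encodedcommand)\s|-nop\b|-w(indowstyle)?\s+hidden|\biex\b|downloadstring|frombase64string'
$suspectPS = $procs | Where-Object {
    $_.Name -match '^(powershell|pwsh)\.exe$' -and $_.CommandLine -match $psPattern
}
# Decode -EncodedCommand payloads (base64 of UTF-16LE) so the analyst can read what ran.
foreach ($p in $suspectPS) {
    if ($p.CommandLine -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($matches[1]))
        $p | Add-Member -NotePropertyName Decoded -NotePropertyValue $decoded
    }
}

$suspectFiles | Format-Table PID, ParentPID, Name, Signature, Path -AutoSize
$suspectPS    | Format-List  PID, ParentPID, CommandLine, Decoded

# 4. Preserve first, then end: copy the sample and record its hash before
#    Stop-Process, because some malware deletes its own binary on exit.
$suspectFiles | Select-Object PID, Name, Path, SHA256, Signature |
    Export-Csv "$Evidence\process-triage.csv" -NoTypeInformation
foreach ($s in $suspectFiles) {
    Copy-Item -LiteralPath $s.Path -Destination $Evidence -ErrorAction SilentlyContinue
}
# The "virus" password only stops mail/AV gateways from stripping the sample in
# transit; it is not a secrecy control. Compress-Archive cannot set a password,
# so 7-Zip (assumed installed at its default path) is used instead.
# & 'C:\Program Files\7-Zip\7z.exe' a -pvirus "$Evidence\samples.zip" "$Evidence\*"
# Stop-Process -Id <PID> -Force     # only after the copy has succeeded
```

Review the Decoded column before acting on it: a legitimate management agent may also use `-EncodedCommand`, and the parent PID tells you whether a script was launched by an Office document, a scheduled task or an administrator's console.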

  • When machine(s) connect to unknown IP addresses
    1. Use Global Site Safety to check the reputation of the IP address.
    2. Create an Apex One / OfficeScan Firewall policy to block the connection if the IP is still rated Untested in Global Site Safety.
    3. Use ATTK to collect suspicious files from the machine and submit them to Trend Micro Support.
    4. For detailed steps on how to stop this attack, view this KB article.
    5. Visit this article on how to file a case with the logs collected.
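Before an IP can be looked up in Global Site Safety or blocked by a firewall policy, you need the list of remote addresses the machine is actually talking to and the process behind each one. The following is an added example and not part of the Trend Micro article; it assumes an elevated PowerShell session on Windows 10 / Server 2016 or later, and the address 203.0.113.10 is a documentation-range placeholder.

```powershell
# Added example (not from the Trend Micro article): list established outbound TCP
# connections to non-private IPv4 addresses together with the owning process, so
# the addresses can be checked in Global Site Safety and a block rule scoped to
# the right process. Run from an elevated PowerShell prompt.

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges, loopback and link-local; everything else is treated as external.
    return $Ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.)'
}

# Index processes by PID so each connection can be attributed without re-querying WMI.
$procById = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procById[[int]$_.ProcessId] = $_ }

# IPv6 peers are skipped here (addresses containing ':'); extend Test-PrivateIPv4 if needed.
$external = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch ':' -and -not (Test-PrivateIPv4 $_.RemoteAddress) } |
    ForEach-Object {
        $p      = $procById[[int]$_.OwningProcess]
        $parent = if ($p) { $procById[[int]$p.ParentProcessId] } else { $null }
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $_.OwningProcess
            Process       = if ($p) { $p.Name } else { '<exited>' }
            Path          = if ($p) { $p.ExecutablePath } else { $null }
            Parent        = if ($parent) { $parent.Name } else { $null }
        }
    }

$external | Sort-Object RemoteAddress | Format-Table -AutoSize
Write-Host 'Unique remote IPs to look up in Global Site Safety:'
$external.RemoteAddress | Sort-Object -Unique

# Interim host-level containment until the Apex One / OfficeScan firewall policy
# reaches the agent (assumes Windows Defender Firewall is enabled). Replace the
# placeholder address with the IP you confirmed above.
# New-NetFirewallRule -DisplayName 'IR block 203.0.113.10' -Direction Outbound `
#     -Action Block -RemoteAddress 203.0.113.10
```

A browser or updater with many external peers is normal; what stands out is an unsigned binary, a script host, or an Office process holding a connection on an unusual port, and the Parent column shows how it was launched.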
  • When being redirected to unknown/malicious sites
    1. Check the site's safety using Global Site Safety.
    2. Do not input any information on the redirected site if it is rated Untested or Dangerous.
    3. Try connecting to the original site from other machines.
    4. If the same issue occurs on every machine, the web site itself may have been compromised. If only a few machines are affected, check the hosts file located at C:\Windows\System32\drivers\etc\hosts for URL redirection entries and remove any suspicious or unknown URL/IP mappings. Back up the file before editing it so the entries remain available as evidence.
    5. Clear the DNS cache via the Command Prompt by executing this command:

      C:\>ipconfig /flushdns

    6. If the issue persists, export the detection logs from Apex One or OfficeScan and file a case with Trend Micro Support.
    7. Visit this article on how to file a case with the logs collected.
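Steps 4 and 5 above can be made repeatable: a stock Windows hosts file contains only comment lines, so every active entry deserves a look, and the resolver cache is worth saving before it is flushed because it records what each name actually resolved to. The following is an added example and not part of the Trend Micro article; it assumes an elevated PowerShell session, and the vendor domain list used to spot sinkholed update domains is illustrative, not exhaustive.

```powershell
# Added example (not from the Trend Micro article): parse the hosts file, flag the
# two patterns malware uses (redirecting a site to an attacker-controlled address,
# or sinkholing security-vendor and update domains to loopback so the agent cannot
# update), preserve evidence, and flush the DNS cache. Run elevated.

$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

function Get-HostsEntries {
    param([string]$Path)
    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()      # strip comments
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }       # address with no names: ignore
        [pscustomobject]@{
            Line    = $lineNo
            Address = $parts[0]
            Names   = $parts[1..($parts.Count - 1)]
        }
    }
}

$loopback      = '127.0.0.1', '::1', '0.0.0.0'
$vendorDomains = 'trendmicro|windowsupdate|microsoft\.com|symantec|mcafee|kaspersky|sophos|virustotal'  # illustrative

$entries   = @(Get-HostsEntries $hostsPath)
$redirects = $entries | Where-Object { $_.Address -notin $loopback }
$sinkholes = $entries | Where-Object {
    $_.Address -in $loopback -and (($_.Names -join ' ') -match $vendorDomains)
}

"Active hosts entries: $($entries.Count)"
'Entries pointing somewhere other than loopback (possible redirection):'
$redirects | Format-Table Line, Address, @{ n = 'Names'; e = { $_.Names -join ' ' } } -AutoSize
'Vendor/update domains pinned to loopback (possible update blocking):'
$sinkholes | Format-Table Line, Address, @{ n = 'Names'; e = { $_.Names -join ' ' } } -AutoSize

# Evidence: back up the file and the current resolver cache before changing anything.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -LiteralPath $hostsPath -Destination "$env:TEMP\hosts.$stamp.bak"
Get-DnsClientCache | Export-Csv "$env:TEMP\dnscache.$stamp.csv" -NoTypeInformation

# Remediation, after reviewing the flagged lines: write the file back without them
# (uncomment), then flush the cache so the browser stops using the stale answers.
# $bad   = @($redirects.Line) + @($sinkholes.Line)
# $lines = Get-Content -LiteralPath $hostsPath
# $keep  = for ($n = 1; $n -le $lines.Count; $n++) { if ($n -notin $bad) { $lines[$n - 1] } }
# Set-Content -LiteralPath $hostsPath -Value $keep -Encoding ASCII
ipconfig /flushdns
```

If the hosts file is clean but only some machines are redirected, compare the saved DNS cache export against the answers a known-good machine gets for the same name; a difference there points at the local resolver settings or the upstream DNS server rather than the hosts file.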
  • When pop-up messages are being displayed
    • For persistent Apex One / OfficeScan detections, refer to this KB article.
    • For web page pop-ups like the image below:

      1. Uninstall any suspicious/unknown programs from Control Panel > Programs and Features (Add/Remove Programs).
      2. Remove unknown add-ons and extensions from browsers such as Google Chrome, Internet Explorer and Mozilla Firefox.
      3. Use ATTK to resolve the issue. If it reoccurs, submit the ATTK logs to Trend Micro Support.

         To prevent further malware infections, make sure to apply the recommendations in this KB article.

      4. Visit this article on ATTK log collection.
      5. Visit this article on how to file a case with the logs collected.
Category:
Remove a Malware / Virus
Solution Id:
000283515