Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Best practice configuration for malware prevention in Worry-Free Business Security Services (WFBS-SVC)

    • Updated:
    • 31 Dec 2021
    • Product/Version:
    • 10.0
    • WFBS-SVC (SMB雲端防毒服務版) 6.5
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Standard 10.0
    • Worry-Free Business Security Standard 10.0
    • Worry-Free Business Security Standard 10.0
    • Worry-Free Business Security Standard 10.0
    • Worry-Free Business Security Standard 10.0
    • Worry-Free Business Security Standard 10.0
    • Platform:

Learn about the additional layers of security configuration in WFBS/WFBS-SVC to protect you from malware infections.

  1. In the Scan Settings section, select from the following under Files to scan:
    • All scannable files (Recommended): Includes all scannable files. Unscannable files are password protected files, encrypted files, or files that exceed the user-defined scanning restrictions.
      This option provides the maximum security possible. However, scanning every file requires a lot of time and resources and might be redundant in some situations. Therefore, you might want to limit the amount of files the agent includes in the scan.
    • File types scanned by IntelliScan: Scans files based on true-file type.
    • Files with specified extensions: Manually specify the files to scan based on their extensions. Separate multiple entries with commas.
      Wildcard support for file extensions in scan settings is different from scan exclusion settings. The * character replaces zero to many characters. For example, scanning can still detect the .COM extension when COM* is specified.
  2. In the Scan Settings section, select which file operations trigger scanning under User activity on files.
    • Created, modified, or retrieved (Recommended): Scans all files created, modified, or opened on the endpoint
    • Retrieved: Scans all files opened on the endpoint
    • Created or modified: Scans all files created or modified on the endpoint
  3. In the Advanced Settings section, configure the required settings.

    Module state

  4. Go to the Action tab and set it to Customized actions so that probable malware will be quarantined.

    Module state

  5. Click Save.

Behavior Monitoring protects clients from unauthorized changes to the operating system, registry entries, software, files and folders. The settings can be enabled or disabled only per group.

To configure:

  1. Go to the Configure Policy screen.
  2. Click the Windows logo.
  3. Click Behavior Monitoring.
  4. Update the following as required:
    • Enable Behavior Monitoring
    • Malware Behavior Blocking: A necessary layer of additional threat protection from programs that exhibit malicious behavior is given upon using this. It observes system events over a period of time. As programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.
      • Enable malware Behavior Blocking for known and potential threats

        Malware Behavior Monitoring provides the following threat-level scanning options:

        Block known threats: Blocks behaviors associated with known malware threats
        Block known and potential threats: Blocks behavior associated with known threats and takes action on behavior that is potentially malicious

    • Ransomware Protection
      • Enable document protection against unauthorized encryption or modification: Protects documents from unauthorized changes. Enabling this option stops processes that rename, modify and delete files, and then quarantines the programs that are running these processes.
      • Enable automatic back up and restore: Automatically backing up files before suspicious programs attempt any modification enables easier file restoration when unauthorized encryption occurs. Enabling this feature however requires an additional storage space of 100 MB.
      • Enable blocking of processes commonly associated with ransomware: Protects endpoints from ransomware attacks by blocking processes commonly associated with hijacking attempts
      • Enable program inspection to detect and block compromised executable files: Protects endpoints from ransomware attacks by increasing the overall detection ratio for compromised executable files and programs that are behaving in an unexpected manner

        Module state

    • Anti-Exploit Protection: Enables termination of programs that exhibit abnormal behavior associated with exploit attacks to protect against potentially exploited programs
    • Enable Intuit QuickBooks Protection: Protects all Intuit QuickBooks files and folders from unauthorized changes by other programs. Enabling this feature will not affect changes made from within Intuit QuickBooks programs, but will only prevent changes to the files from other unauthorized applications.

      The following products are supported:

      • QuickBooks Simple Start
      • QuickBooks Pro
      • QuickBooks Premier
      • QuickBooks Online
    • Event Monitoring: For a more generic approach to protecting against unauthorized software and malware attacks, Event Monitoring oversees system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.

      Module state

      The following table provides a list of monitored system events:

      Duplicated System FileMany malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files.
      Hosts File ModificationThe Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites.
      Suspicious BehaviorSuspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution.
      New Internet Explorer PluginSpyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects.
      Internet Explorer Setting ModificationMany virus/malware change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions.
      Security Policy ModificationModifications in Windows Security Policy can allow unwanted applications to run and change system settings.
      Program Library InjectionMany malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts.
      Shell ModificationMany malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications.
      New ServiceWindows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden.
      System File ModificationCertain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior.
      Firewall Policy ModificationThe Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves to access to the network and the Internet.
      System Process ModificationMany malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes.
      New Startup ProgramMalicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts.

      When Event Monitoring detects a monitored system event, it performs the action configured for the event.

      The following table lists possible actions that administrators can take on monitored system events.

      Always allowWorry-Free Business Security Services always allows programs associated with an event.
      Ask when necessaryWorry-Free Business Security Services prompts users to allow or deny programs associated with an event and add the programs to the exception list.
      If the user does not respond within a certain time period, Worry-Free Business Security Services automatically allows the program to run. The default time period is 30 seconds.
      This option is not supported for Program Library Injections on 64-bit systems.
      Always blockWorry-Free Business Security Services always blocks programs associated with an event and records this action in the logs.
      When a program is blocked and alerts are enabled, Worry-Free Business Security Services displays an alert on the Worry-Free Business Security Services computer.
    • Exceptions: Approved Program List and a Blocked Program List can be found under Scan Exclusions > Behavior Monitoring. Programs in the Approved Programs List can be started even if they violate a monitored change, while programs in the Blocked Program List can never be started.

      Module state

    • Security Agent Alerts: Enable Security Agent alerts for Behavior Monitoring by going to Privileges and Other Settings > Alerts then checking Behavior Monitoring under Threat Protection.

      Module state

  5. Click Save.

Trend Micro Predictive Machine Learning uses advanced machine learning technology to detect emerging unknown security risks found in low-prevalence suspicious processes or files originating from removable storage, web, or email channels.

  1. Go to the Configure Policy screen.
  2. Click on Windows
  3. Click Predictive Machine Learning.
  4. Select Enable Predictive Machine Learning.
  5. Under Detection Settings, select the type of detections and related action that Predictive Machine Learning takes.
    • Quarantine: Select to automatically quarantine files that exhibit malware-related features based on the Predictive Machine Learning analysis.
    • Log only: Select to scan unknown files and log the Predictive Machine Learning analysis for further in-house investigation of the threat
    • Terminate: Select to automatically terminate processes that exhibit malware-related behaviors based on the Predictive Machine Learning analysis.
    • Log only: Select to scan unknown processes and log the Predictive Machine Learning analysis for further in-house investigation of the threat.

    Module state

  6. Click Save.

Web Reputation enhances protection against malicious websites. Web Reputation leverages Trend Micro's extensive web security database to check the reputation of URLs that Clients are attempting to access or URLs embedded in email messages that are contacting websites.

To configure:

  1. Go to the Configure Policy screen.
  2. Click on Windows
  3. Click Web Reputation.
  4. Update the setting, Enable Web Reputation.
  5. Update Security Level:
    • High: Blocks the following pages:
      • Dangerous: Verified to be fraudulent or known sources of threats Highly suspicious: Suspected to be fraudulent or possible sources of threats Suspicious: Associated with spam or possibly compromised
    • Medium (Recommended): Blocks the following pages:
      • Dangerous: Verified to be fraudulent or known sources of threats Highly suspicious: Suspected to be fraudulent or possible sources of threats
    • Low: Blocks the following pages:
      • Dangerous: Verified to be fraudulent or known sources of threats
    • Untested URLs
      • Block websites that have not been tested by Trend Micro: While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular websites. Blocking access to untested pages can improve safety but can also prevent access to safe pages.

    To modify Approved/Blocked URLs, go to the Approved Blocked URLs screen under Exception Lists or refer to Configuring the Approved/Blocked URL Lists.

    Enable Browser Exploit Prevention> Block websites containing malicious script to protect against browser exploits containing malicious script
  6. Click Save.
  1. In the CPU Usage section, select from the following:
    • High: No pausing between scans
    • Medium: Pause between file scans if CPU consumption is higher than 50%, and do not pause if 50% or lower
    • Low: Pause between file scans if CPU consumption is higher than 20%, and do not pause if 20% or lower
  2. In the Virus/Malware section, configure the required settings.
    • Clean: Terminates all related processes and deletes associated registry values, files, cookies and shortcuts
    • Pass: Logs the detection but allows the program to execute
      1. Select the type of action that the Security Agent takes after detecting a security threat.

        Module state

      2. Select Back up files before cleaning to create an encrypted copy of the infected file on the endpoint in the \Backup folder.
  3. In the Spyware/Grayware section, select the action the Security Agent takes after detecting spyware or grayware programs.
  1. Go to the Configure Policy screen by performing one of the following:
    • Classic Mode: Go to SECURITY AGENTS and select a group. Click Configure Policy.
    • Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
  2. Click Windows.
  3. Go to Privileges and Other Settings.
  4. Click Other Settings.
  5. Configure the required settings.
    Security Agent Upgrade SettingsUpgrading or deploying hotfixes to a large number of Security Agents simultaneously can significantly increase network traffic. Consider enabling the following settings on several groups so you can stagger the deployment.
    • Postpone major version upgrade: This setting applies when the Security Agent program requires a major version upgrade. Depending on the user's environment, the actual upgrade might occur later than the specified day.
    • Do not apply non-critical hot fixes: Non-critical hotfixes contain minor updates for the Security Agent program.
    Security Agent Self-ProtectionPrevent users or other processes from modifying Trend Micro program files, registries and processes.
    The access permission settings of the Security Agent folders, files, and registry entries are inherited from the Program Files folder (for endpoints running Windows Vista/XP/Server 2003). Therefore, if the permissions settings (security settings in Windows) of the Windows file or Program Files folder are set to allow full read/write access, enabling this setting still allows endpoints full read/write access to the Security Agent folders, files, and registry entries.
  6. Click Save.
  1. Go to POLICIES > Global Security Agent Settings.
  2. Click Security Settings.
  3. Configure the required settings.
    General Scan
    • Enable deferred scanning on file operations: Administrators can configure Worry-Free Services to defer the scanning of files. Worry-Free Services allows the user to copy files and then scans the files after the copy process completes. This deferred scanning improves the performance of the copy and scan processes.
    • Exclude the Microsoft Exchange Server 2003 folders: Prevents Security Agents installed on the Microsoft Exchange server from scanning Microsoft Exchange 2003 folders.

      For information on excluding other versions of Exchange server folders, refer to the Microsoft document, Running Windows antivirus software on Exchange servers.

    • Exclude the Microsoft domain controller folders (Not applicable to Manual and Scheduled spyware/grayware scans): Prevents Agents installed on the domain controller from scanning domain controller folders. These folders store user information, user names, passwords, and other information.
    • Exclude Shadow Copy sections: Shadow Copy or Volume Snapshot Services takes manual or automatic backup copies or snapshots of a file or folder on a specific volume.
    • Resume a missed scheduled scan at the same time next day: Indicates whether a missed weekly or monthly scan should resume the next day. When this option is enabled, if an Agent is unavailable when the scan is scheduled to start, the scan will run at the same time the next day the Agent is available. However, if the Scheduled Scan has started and is canceled or aborted by the user (for example, by shutting down the computer), the Agent will not resume the Scheduled Scan.
    Virus Scan
    • Configure scan settings for large compressed files: Specify the maximum size of the extracted file and the number of files in the compressed file the Agent should scan.
    • Clean compressed files: Agents will try to clean infected files within a compressed file.
    • Scan up to {} OLE layer(s): Agents will scan the specified number of Object Linking and Embedding (OLE) layers. OLE allows users to create objects with one application and then link or embed them in a second application. For example, an .xls file embedded in a .doc file.
    • Add Manual Scan to the Windows shortcut menu on endpoints: With this, users can right-click a file or folder (on the Desktop or in Windows Explorer) and manually scan the file or folder.
    Spyware/Grayware Scan
    • Scan for cookies: Agents will scan for and remove tracking cookies downloaded to clients by visiting websites. Detected tracking cookies are added to the spyware/grayware counter on the Live Status screen.
    • Add cookie detections to the spyware/grayware log: Adds each detected spyware cookie to the spyware log.
    Behavior Monitoring
    • Enable warning messages for low-risk changes or other monitored actions: Agents warn users of low-risk changes or monitored actions.
    • Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded): After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.
    HTTPS Web Threat Protection
    • Enable HTTPS checking for Web Reputation and URL Filtering on Chrome, Firefox and Microsoft Edge: HTTPS checking does not require additional add-ons for the Chrome, Firefox, or Microsoft Edge browsers and supports the HTTP/2 protocol.
      HTTPS checking support for Internet Explorer is enabled by default in Web Reputation policies and requires an additional browser add-on.
  4. Click Save.
Configure; Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.