Controlling infections during a virus outbreak in OfficeScan

    • Updated:
    • 2 May 2019
    • Product/Version:
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Platform:
    • Windows 2003 Enterprise
    • Windows 2003 Standard Server Edition
    • Windows 2008 Enterprise
    • Windows 2008 Standard
    • Windows 2012 Enterprise
    • Windows 7 32-bit
    • Windows Vista 32-bit
    • Windows XP Professional
Summary

Know the recommended steps to control malware infections during a virus outbreak.

Details

To control the malware infection:

  1. Update the OfficeScan server and clients/agents with the latest scan engine, virus pattern and Damage Cleanup Template (DCT). To find the correct Virus Pattern, Scan Engine and other tools for controlling a particular malware, visit the Virus and Threat Help page and use the Search for Malware Information section.
  2. If you have Windows XP clients/agents, disable the System Restore option.
  3. Delete all the Temporary Internet Files.
  4. Make sure that all OfficeScan clients/agents and servers have the latest Microsoft Security Patches.
  5. Deploy the OfficeScan Outbreak Prevention Policy (OPP) to deny the creation of known dropped files by viruses. To know more about Outbreak Prevention configuration, refer to the product documentation.
  6. During an outbreak, block the following filenames, which are commonly used by malware and their dropped files:
    • desktop_.ini
    • _desktop.ini
    • autorun.inf
    • gamesetup.exe
    • new folder.exe
    • regsvr.exe
    • scvhost.exe
    • spoolsvc.exe
    • blastclnnn.exe
    • killdog.exe
    • scvshosts.exe
  7. Deploying the OPP protects your program files. You may also deny write access to the following folders:
    • C:\program files\internet explorer (Protection from - browser hijacker)
    • C:\windows\system32\drivers (Protection from - rootkits)
    • C:\windows\system32\drivers\host (Protection from - DNS poisoning / browser redirection)
    • C:\WINDOWS\Downloaded Program Files (Protection from - plug-in)

    This stops the malware from writing to these folders, while the programs in them still open and run normally because they only need read access. Test this with the applications used in your network; it works for an application as long as that application does not save its data in the same folder as its executable.

  8. Using OPP on the OfficeScan console, block the ports commonly used by Trojan programs.
  9. If blocking any of these ports hampers a legitimate application running on your systems, you may remove that port from the block list by selecting it in the list.
  10. Lock down the OfficeScan client/agent by setting Client/Agent Security to High. This prevents users without administrator privileges from writing to the OfficeScan program folder and so keeps the OfficeScan client/agent itself from getting infected.

    For OfficeScan 10.6 and below:

    1. On the OfficeScan web console, go to Client management > Privileges and Other Settings > Other Settings.
    2. Under Client Security Settings, select High and then click Apply to All Clients.

       Note: You may also set the "Client_Security" parameter to "1" in the ofcscan.ini file on the OfficeScan server.
    3. Restart the OfficeScan master service for the changes to take effect.

    For OfficeScan 11.0/XG:

    1. Go to Agents > Agent Management > Settings > Privileges and Other Settings > Other Settings.
    2. Under OfficeScan Agent Security Settings, select High and click Apply to All Agents.

       Note: You may also set the "Client_Security" parameter to "1" in the ofcscan.ini file on the OfficeScan server.
    3. Restart the OfficeScan master service for the changes to take effect.
  11. Enable the Web Reputation feature on gateway (IWSS) and desktop (OfficeScan) products to prevent access to known or suspected malicious websites.
  12. Enable URL filtering on the gateway (IWSS) to prevent users from visiting unproductive websites that can potentially host malicious files.
  13. Enable IntelliTrap on gateway (IMSS) and desktop (OfficeScan) products to detect generically the packers used by malicious files.
  14. Enable IDS through the OfficeScan firewall settings.
  15. Enable mapped drive scanning, especially during outbreaks of malware that spreads through shared or mapped folders.
  16. Enable the All scannable files option for Real-time Scan. You may select the IntelliScan option for Manual Scan and Scheduled Scan.
 
Remove Intrusion Defense Firewall (IDF) setting for OSCE XG because it does not support IDF Plug-in Service (PLS).
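As an added illustration (not Trend Micro's code and not how OPP is implemented), the following Python models steps 6 and 7 as a policy check over constructed file events: filename blocks match case-insensitively on the basename, folder write denials apply to anything below a listed folder (the most specific folder wins, and a sibling folder that merely shares the prefix is not matched), and reads are never denied, which is why the protected programs still run.

```python
import ntpath  # Windows path semantics regardless of host OS

# Filenames the article says to block during an outbreak (step 6)
BLOCKED_FILENAMES = {
    "desktop_.ini", "_desktop.ini", "autorun.inf", "gamesetup.exe",
    "new folder.exe", "regsvr.exe", "scvhost.exe", "spoolsvc.exe",
    "blastclnnn.exe", "killdog.exe", "scvshosts.exe",
}
# Folders the article suggests denying write access to (step 7) and what each guards against
WRITE_PROTECTED_DIRS = {
    r"C:\program files\internet explorer": "browser hijacker",
    r"C:\windows\system32\drivers": "rootkit",
    r"C:\windows\system32\drivers\host": "DNS poisoning / browser redirection",
    r"C:\WINDOWS\Downloaded Program Files": "plug-in",
}

def _norm(path):
    # Windows paths are case-insensitive and accept either separator; normalise both
    return ntpath.normcase(ntpath.normpath(path))

def protecting_folder(path):
    """Most specific protected folder containing path, or None; a sibling dir sharing the prefix is no match."""
    p = _norm(path)
    hits = [d for d in WRITE_PROTECTED_DIRS if p.startswith(_norm(d) + ntpath.sep)]
    return max(hits, key=len) if hits else None

def evaluate(op, path):
    """Return (allowed, reason) for one file event; op is 'read', 'write' or 'create'."""
    if op not in ("write", "create"):
        return True, "read allowed"  # reads are never denied, so protected programs still run (step 7 note)
    name = ntpath.basename(_norm(path))
    if name in BLOCKED_FILENAMES:
        return False, f"blocked filename {name}"
    folder = protecting_folder(path)
    if folder:
        return False, f"write denied under {folder} ({WRITE_PROTECTED_DIRS[folder]})"
    return True, "write allowed"

def audit(events):
    """Apply the policy to 'op<TAB>path' log lines; return the denied (path, reason) pairs."""
    results = [(p, evaluate(o.lower(), p)) for o, p in (l.rstrip("\n").split("\t", 1) for l in events)]
    return [(p, reason) for p, (ok, reason) in results if not ok]

# Constructed sample events, not taken from any real log
SAMPLE_EVENTS = [
    "write\tC:\\Program Files\\Internet Explorer\\iexplore.exe",
    "create\tE:\\New Folder.exe",
    "create\tC:\\Windows\\System32\\drivers\\host\\hosts",
    "write\tC:\\Windows\\System32\\driversbackup\\x.sys",
]
```

Running `audit(SAMPLE_EVENTS)` denies the first three events and allows the write under driversbackup, which is outside the protected drivers folder despite the shared prefix.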

For additional assistance, contact Trend Micro Technical Support.

Category:
Remove a Malware / Virus
Solution Id:
1053673