Controlling infections during a virus outbreak in OfficeScan (OSCE)

To control the malware infection:

1. Update the Officescan server and clients/agents with the latest scan engine, virus pattern and Damage Cleanup Template (DCT). To know more about the correct Virus Pattern, Scan Engine, and other tools that can be used to control a particular malware, visit the Virus and Threat Help page and use the Search for Malware Information section.
2. If you have Windows XP clients/agents, disable the System Restore option.
3. Delete all the Temporary Internet Files.
4. Make sure that all Officescan clients/agents and servers have the latest Microsoft Security Patches.
5. Deploy the OfficeScan Outbreak Prevention Policy (OPP) to deny the creation of known dropped files by viruses. To know more about Outbreak Prevention configuration, refer to the product documentation.
6. During outbreak scenarios, block the following filenames. These are commonly used by most malware and their dropped files:
   • desktop_.ini
   • _desktop.ini
   • autorun.inf
   • gamesetup.exe
   • new folder.exe
   • regsvr.exe
   • scvhost.exe
   • spoolsvc.exe
   • blastclnnn.exe
   • killdog.exe
   • scvshosts.exe
7. Deploying the OPP protects your program files. You may also deny write access to the following folders:
   • C:\program files\internet explorer (Protection from - browser hijacker)
   • C:\windows\system32\drivers (Protection from - Root kits)
   • C:\windows\system32\drivers\host (Protected from - DNS poisoning / browser redirection)
   • C:\WINDOWS\Downloaded Program Files (Protection from - plug-in)

   This will prevent the write capability of the malware but you can still open and run the programs properly since they use only read mode. Please test this with the application used in your network. This will work for your applications as long as the data is not being saved at the same folder as the application.

8. Using OPP on the OfficeScan console, block Ports commonly used by Trojan program.
9. You may choose to delete some ports to block by selecting them in this list if blocking any of them hampers any genuine application running on your systems.
10. Lock down the OfficeScan client/agent by setting Clients/Agents Security to High. This will prevent users without admin privileges from writing to the OfficeScan program folder and hence, prevent the OfficeScan client/agent from getting infected.

    For OfficeScan 10.6 and below:

    1. On the OfficeScan web console go to Client management > Privileges and Other Settings > Other Settings.
    2. Under Client Security Settings, select High and then click Apply to All Clients. Note: You may also set the "Client_Security" parameter to "1" in the ofcscan.ini file in the OfficeScan server.
    3. Restart the OfficeScan master service for the changes to take effect.

    For OfficeScan 11.0/XG:

    1. Go to Agents > Agent Management > Settings > Privileges and Other Settings > Other Settings.
    2. Under OfficeScan Agent Security Settings, select High and click Apply to All Agents.
        

       You may also set the "Client_Security" parameter to "1" in the ofcscan.ini file in the OfficeScan server.
    3. Restart the OfficeScan master service for the changes to take effect.
11. Enable the Web Reputation feature on gateways (IWSS) and desktop (OfficeScan) products to prevent access to known / suspected malicious websites.
12. Enable URL filtering on the gateway (IWSS) to prevent users from visiting unproductive websites that can potentially host malicious files.
13. Enable Intellitrap on gateway (IMSS) and desktop (OfficeScan) products to enable generic detection of packers used by malicious files.
14. Enable IDS through OfficeScan firewall settings.
15. Enable mapped drive scanning specially during outbreaks of malware that spread using shared/mapped folders.
16. Enable the All scannable files option for Real-time scan. You may select the Intelliscan option for Manual and Scheduled Scan.
17. Make sure that Enhanced GeneriClean is enabled on the OfficeScan server. Generic Clean incorporates referential cleaning for registry entries and processes which reference detected malware files. To enable this, do the following:
    1. Go to the OfficeScan server.
    2. Delete the \PCCSRV\Download\hotfixnt.txt file.
    3. Rename the tsc.ini file to "tsc.ini_old".
    4. Modify the tsc.ini file and add the following parameters at the bottom:

       DisableTaskMgr=1
       DisableRegistryTools=1
       NoRun=1
       NoCloseKey=1
       NoFind=1
       DisallowRun=1
       FirewallDisableNotify=0
       UpdatesDisableNotify=0
       AntiVirusDisableNotify=0
       FirewallOverride=0
       AntiVirusOverride=0
       NoAutoUpdate=0
       AUOptions=1
       EnableFirewall=0

    5. Save and close the file. Check the timestamp of the file. It should reflect the date today.
    6. Open the PCCSRV\Autopcc.cfg\apnt.ini file.
    7. Look for the "admin\Tsc.ini" line. If it does not exist, add it.
    8. Save and close the file.
    9. Wait for 2-3 minutes and the hotfixnt.txt will be automatically generated.
    10. The OfficeScan server will now notify the OfficeScan clients and deploy the tsc.ini file.
    11. If hotfixnt.txt was not automatically generated, restart the OfficeScan master service.
18. Set an action for malware detected using Generic Detection.
    1. On the OfficeScan installation directory, open the /PCCSRV/ofcscan.ini file using a text editor.
    2. Under the Global Setting section, add the following keys and assign the values of <x> and <y> with the scan action value you want to use:

       [Global Setting]
       1stActForGenericVirus=<x>
       2ndActForGenericVirus=<y>

       Here are the scan action values:

       1 - Rename
       2 - Move
       3 - Clean
       4 - Delete
       5 - Pass (temporary)

    3. Save and close the file.
    4. Log on to the OfficeScan management console.
    5. Go to Global Client/Agent Settings.
    6. Click Save to deploy the settings to all clients.

For additional assistance, contact Trend Micro Technical Support.