Controlling infections during a virus outbreak in OfficeScan (OSCE)

Updated: 3 Nov 2016
Product/Version: OfficeScan 10.6, OfficeScan 11.0, OfficeScan XG.All
Platform: Windows 2003 Enterprise, Windows 2003 Standard Server Edition, Windows 2008 Enterprise, Windows 2008 Standard, Windows 2012 Enterprise, Windows 7 32-bit, Windows Vista 32-bit, Windows XP Professional
Summary

Know the recommended steps to control malware infections during a virus outbreak.

Details

To control the malware infection:

  1. Update the OfficeScan server and clients/agents with the latest scan engine, virus pattern and Damage Cleanup Template (DCT). To find the correct Virus Pattern, Scan Engine and other tools for a particular malware, visit the Virus and Threat Help page and use the Search for Malware Information section.
  2. If you have Windows XP clients/agents, disable the System Restore option.
  3. Delete all the Temporary Internet Files.
  4. Make sure that all OfficeScan clients/agents and servers have the latest Microsoft Security Patches.
  5. Deploy the OfficeScan Outbreak Prevention Policy (OPP) to deny the creation of known dropped files by viruses. To know more about Outbreak Prevention configuration, refer to the product documentation.
  6. During outbreak scenarios, block the following filenames, which are commonly used by malware and their dropped files:
    • desktop_.ini
    • _desktop.ini
    • autorun.inf
    • gamesetup.exe
    • new folder.exe
    • regsvr.exe
    • scvhost.exe
    • spoolsvc.exe
    • blastclnnn.exe
    • killdog.exe
    • scvshosts.exe
  7. Deploying the OPP protects your program files. You may also deny write access to the following folders:
    • C:\program files\internet explorer (protection from browser hijackers)
    • C:\windows\system32\drivers (protection from rootkits)
    • C:\windows\system32\drivers\host (protection from DNS poisoning / browser redirection)
    • C:\WINDOWS\Downloaded Program Files (protection from malicious plug-ins)

    This removes the malware's ability to write to these folders, while the programs in them still open and run normally because they only need read access. Test this with the applications used on your network; it works as long as an application does not save its data in the same folder as the application itself.

  8. Using OPP on the OfficeScan console, block the ports commonly used by Trojan programs.
  9. If blocking any of these ports interferes with a legitimate application running on your systems, you can remove that port from the block list by selecting it in the list.
  10. Lock down the OfficeScan client/agent by setting Clients/Agents Security to High. This prevents users without admin privileges from writing to the OfficeScan program folder and therefore prevents the OfficeScan client/agent itself from getting infected.

    For OfficeScan 10.6 and below:

    1. On the OfficeScan web console go to Client management > Privileges and Other Settings > Other Settings.
    2. Under Client Security Settings, select High and then click Apply to All Clients.

       Note: You may also set the "Client_Security" parameter to "1" in the ofcscan.ini file on the OfficeScan server.
    3. Restart the OfficeScan master service for the changes to take effect.

    For OfficeScan 11.0/XG:

    1. Go to Agents > Agent Management > Settings > Privileges and Other Settings > Other Settings.
    2. Under OfficeScan Agent Security Settings, select High and click Apply to All Agents.

       Note: You may also set the "Client_Security" parameter to "1" in the ofcscan.ini file on the OfficeScan server.
    3. Restart the OfficeScan master service for the changes to take effect.
  11. Enable the Web Reputation feature on gateways (IWSS) and desktop (OfficeScan) products to prevent access to known / suspected malicious websites.
  12. Enable URL filtering on the gateway (IWSS) to prevent users from visiting unproductive websites that can potentially host malicious files.
  13. Enable IntelliTrap on gateway (IMSS) and desktop (OfficeScan) products to enable generic detection of packers used by malicious files.
  14. Enable IDS through the OfficeScan firewall settings.
  15. Enable mapped drive scanning, especially during outbreaks of malware that spreads through shared/mapped folders.
  16. Enable the All scannable files option for Real-time Scan. You may select the IntelliScan option for Manual and Scheduled Scan.
  17. Make sure that Enhanced GeneriClean is enabled on the OfficeScan server. GeneriClean incorporates referential cleaning of registry entries and processes that reference detected malware files. To enable it, do the following:
    1. Go to the OfficeScan server.
    2. Delete the \PCCSRV\Download\hotfixnt.txt file.
    3. Rename the tsc.ini file to "tsc.ini_old".
    4. Modify the tsc.ini file and add the following parameters at the bottom:

      DisableTaskMgr=1
      DisableRegistryTools=1
      NoRun=1
      NoCloseKey=1
      NoFind=1
      DisallowRun=1
      FirewallDisableNotify=0
      UpdatesDisableNotify=0
      AntiVirusDisableNotify=0
      FirewallOverride=0
      AntiVirusOverride=0
      NoAutoUpdate=0
      AUOptions=1
      EnableFirewall=0

    5. Save and close the file. Check the timestamp of the file; it should show today's date.
    6. Open the PCCSRV\Autopcc.cfg\apnt.ini file.
    7. Look for the "admin\Tsc.ini" line. If it does not exist, add it.
    8. Save and close the file.
    9. Wait 2-3 minutes; hotfixnt.txt is generated automatically.
    10. The OfficeScan server then notifies the OfficeScan clients and deploys the tsc.ini file.
    11. If hotfixnt.txt was not generated automatically, restart the OfficeScan master service.
  18. Set an action for malware detected using Generic Detection.
    1. On the OfficeScan installation directory, open the /PCCSRV/ofcscan.ini file using a text editor.
    2. Under the [Global Setting] section, add the following keys, replacing <x> and <y> with the scan action values you want to use:

      [Global Setting]
      1stActForGenericVirus=<x>
      2ndActForGenericVirus=<y>

      Here are the scan action values:

      1 - Rename
      2 - Move
      3 - Clean
      4 - Delete
      5 - Pass (temporary)

    3. Save and close the file.
    4. Log on to the OfficeScan management console.
    5. Go to Global Client/Agent Settings.
    6. Click Save to deploy the settings to all clients.
 
OfficeScan client users who have the privilege to configure scan actions must set the action to "Custom Action" rather than "ActiveAction". This ensures that the scan action you configured is deployed to the client; "ActiveAction" has a higher priority and overrides "Custom Action".
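The two ofcscan.ini edits in this article (step 10, "Client_Security=1", and step 18, the "1stActForGenericVirus"/"2ndActForGenericVirus" keys under [Global Setting] with action values 1-5) are easy to get subtly wrong, for instance by typing a value outside the documented range. The following script audits a copy of ofcscan.ini for exactly those keys and can set the step 18 keys with range checking. It is an added example for this article, not Trend Micro code: the only key names, section name and value meanings it uses are the ones the article gives; the sample ini text and its "[CONSTRUCTED_SECTION]" section are constructed, and because the article does not say which section holds "Client_Security", the script searches every section for that key instead of assuming one.

```python
"""Audit and set the ofcscan.ini keys named in steps 10 and 18 of the article.

Added example, not Trend Micro code. Key names, the [Global Setting] section and
the 1-5 action values come from the article; SAMPLE_INI is constructed.
"""
import configparser
import io

# Scan action values for the step 18 keys, as listed in the article.
SCAN_ACTIONS = {1: "Rename", 2: "Move", 3: "Clean", 4: "Delete", 5: "Pass (temporary)"}

# Constructed sample: Client_Security still at 0 and an out-of-range 2nd action.
SAMPLE_INI = """\
[CONSTRUCTED_SECTION]
Client_Security=0

[Global Setting]
1stActForGenericVirus=3
2ndActForGenericVirus=9
"""


def load_ini(text):
    """Parse ini text, keeping key case and tolerating keys without values."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cfg.optionxform = str  # do not lowercase keys such as 1stActForGenericVirus
    cfg.read_string(text)
    return cfg


def find_key(cfg, key):
    """Return (section, value) for the first section that holds key, or None.

    The article names Client_Security but not its section, so we do not assume one.
    """
    for section in cfg.sections():
        if cfg.has_option(section, key):
            return section, cfg.get(section, key)
    return None


def audit(cfg):
    """Return {key: 'ok ...' or a description of the problem} for the article's keys."""
    findings = {}
    hit = find_key(cfg, "Client_Security")
    if hit is None:
        findings["Client_Security"] = "missing (step 10 sets it to 1 for High)"
    elif (hit[1] or "").strip() == "1":
        findings["Client_Security"] = "ok (High)"
    else:
        findings["Client_Security"] = f"set to {hit[1]!r}, expected 1 (High)"
    for key in ("1stActForGenericVirus", "2ndActForGenericVirus"):
        if not cfg.has_option("Global Setting", key):
            findings[key] = "missing from [Global Setting]"
            continue
        raw = (cfg.get("Global Setting", key) or "").strip()
        if raw.isdigit() and int(raw) in SCAN_ACTIONS:
            findings[key] = f"ok ({SCAN_ACTIONS[int(raw)]})"
        else:
            findings[key] = f"invalid value {raw!r}; expected 1-5"
    return findings


def set_generic_actions(cfg, first, second):
    """Write the step 18 keys, refusing values outside the documented 1-5 range."""
    for value in (first, second):
        if value not in SCAN_ACTIONS:
            raise ValueError(f"scan action must be one of {sorted(SCAN_ACTIONS)}, got {value!r}")
    if not cfg.has_section("Global Setting"):
        cfg.add_section("Global Setting")
    cfg.set("Global Setting", "1stActForGenericVirus", str(first))
    cfg.set("Global Setting", "2ndActForGenericVirus", str(second))
    return cfg


def dump(cfg):
    """Serialise the config back to ini text in key=value form (no spaces around '=')."""
    buf = io.StringIO()
    cfg.write(buf, space_around_delimiters=False)
    return buf.getvalue()


if __name__ == "__main__":
    config = load_ini(SAMPLE_INI)
    for key, state in audit(config).items():
        print(f"{key}: {state}")
    set_generic_actions(config, 3, 4)  # Clean first, Delete if cleaning fails
    print(dump(config))
```

After writing the file back, the article's steps 3-6 of step 18 still apply: log on to the console, open Global Client/Agent Settings and click Save so the change is deployed to the agents.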
 
OfficeScan XG does not support the Intrusion Defense Firewall (IDF) Plug-in Service (PLS), so remove any IDF setting for OSCE XG.
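Steps 6 and 7 above describe two Outbreak Prevention rules: deny creation of a list of filenames and deny write access to four folders. The Outbreak Prevention Policy is enforced by the OfficeScan agent itself; the script below is an added example for this article, not Trend Micro code, that reproduces the same matching logic so an administrator can review an exported file-activity log for events the policy would have denied, and confirm that plain reads of protected folders (which the article says must keep working) are left alone. The "timestamp|host|operation|path" record format and the lines in SAMPLE_LOG are constructed; the filenames, folders and threat labels are the article's own.

```python
"""Check file-activity records against the step 6 and step 7 outbreak rules.

Added example, not Trend Micro code. The log format and SAMPLE_LOG are
constructed; the blocked names and protected folders are taken from the article.
"""
import ntpath

# Filenames from step 6. Windows filenames are case-insensitive, so compare lowercased.
BLOCKED_NAMES = {
    "desktop_.ini", "_desktop.ini", "autorun.inf", "gamesetup.exe",
    "new folder.exe", "regsvr.exe", "scvhost.exe", "spoolsvc.exe",
    "blastclnnn.exe", "killdog.exe", "scvshosts.exe",
}

# Folders from step 7, each with the threat class the article says it guards against.
PROTECTED_FOLDERS = {
    r"C:\program files\internet explorer": "browser hijacker",
    r"C:\windows\system32\drivers": "rootkit",
    r"C:\windows\system32\drivers\host": "DNS poisoning / browser redirection",
    r"C:\WINDOWS\Downloaded Program Files": "plug-in",
}

# Only modifying operations are denied; reads stay allowed so programs keep running.
MODIFY_OPS = {"create", "write", "rename", "delete"}

# Constructed sample records: timestamp|host|operation|path
SAMPLE_LOG = r"""
2016-11-03 10:22:01|HOST01|read|C:\Program Files\Internet Explorer\iexplore.exe
2016-11-03 10:22:05|HOST01|write|C:\Windows\System32\drivers\kbdclass.sys
2016-11-03 10:22:09|HOST02|create|E:\AUTORUN.INF
2016-11-03 10:22:13|HOST02|create|C:\Users\alice\Documents\New Folder.exe
2016-11-03 10:22:20|HOST03|write|C:\Windows\System32\drivers\host\hosts
2016-11-03 10:22:25|HOST03|write|C:\Users\alice\notes.txt
"""


def _norm(path):
    """Normalise a Windows path for comparison; ntpath works on any platform."""
    return ntpath.normpath(path).lower()


def classify(path, operation):
    """Return the rules an event violates; an empty list means the policy allows it."""
    hits = []
    if operation.lower() not in MODIFY_OPS:
        return hits
    name = ntpath.basename(path).lower()
    if name in BLOCKED_NAMES:
        hits.append(f"blocked filename: {name}")
    p = _norm(path)
    # Test the longest folder first so drivers\host is reported rather than its parent.
    for folder in sorted(PROTECTED_FOLDERS, key=len, reverse=True):
        f = _norm(folder)
        if p == f or p.startswith(f + "\\"):
            hits.append(f"write to protected folder {folder} ({PROTECTED_FOLDERS[folder]})")
            break
    return hits


def scan_log(text):
    """Parse 'timestamp|host|operation|path' lines and return (host, path, rule) tuples."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, host, operation, path = line.split("|", 3)
        for rule in classify(path, operation):
            findings.append((host, path, rule))
    return findings


if __name__ == "__main__":
    for host, path, rule in scan_log(SAMPLE_LOG):
        print(f"{host}: {rule}: {path}")
```

The read of iexplore.exe and the write to the user's notes file produce no finding; the driver write, the two dropped-file names and the write under drivers\host each produce one, which is the behaviour the two OPP rules are meant to give.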

For additional assistance, contact Trend Micro Technical Support.

Category: Remove a Malware / Virus
Solution Id: 1053673