Information about Generic Detection (Possible_, CRYP_, Mal_) in Trend Micro Products

Updated: 8 Oct 2015
Product/Version:
    • InterScan Messaging Security Suite 7.1 Linux
    • InterScan Messaging Security Suite 7.1 Windows
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan VirusWall 7.0
    • InterScan Web Security Suite 3.1 Linux
    • InterScan Web Security Suite 3.1 Solaris
    • InterScan Web Security Suite 3.1 Windows
    • InterScan Web Security Virtual Appliance 5.5
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.All
    • OfficeScan 10.6
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 11.0
    • ScanMail for IBM Domino 5.6 Linux
    • ScanMail for IBM Domino 5.6 Windows
    • ServerProtect for Linux 3.0
    • ServerProtect for Microsoft Windows/Novell Netware 5.8
    • Worry-Free Business Security Standard/Advanced 7.0
    • Worry-Free Business Security Standard/Advanced 8.0
Platform:
    • Linux - Red Hat RHEL 3 32-bit
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - SuSE version 10
    • Linux - SuSE version 9
    • Unix - Solaris (Sun) version 10 (SunOS 5.10)
    • Unix - Solaris (Sun) version 8 (SunOS 5.8)
    • Unix - Solaris (Sun) version 9 (SunOS 5.9)
    • Windows 2000 Professional
    • Windows 2003 Compute Cluster Server
    • Windows 2003 Datacenter Server
    • Windows 2003 Datacenter Server Edition 64-bit
    • Windows 2003 Enterprise Server
    • Windows 2003 Home Server
    • Windows 2003 Small Business Server
    • Windows 2003 Standard Server Edition
    • Windows 2003 Standard Server Edition 64-bit
    • Windows 2003 Storage Server
    • Windows 2003 Web Server Edition
    • Windows Vista 32-bit
    • Windows XP Home
Summary

This article describes Generic Detections (Possible_, CRYP_, Mal_) in Trend Micro Products and how to manage them.

Details

Generic detection makes use of a heuristic pattern that is capable of detecting multiple variants of the same family of malware. The heuristic pattern can supplement the existing virus pattern file by detecting unknown variants of malware.

Trend Micro follows a lifecycle for Generic Detections. This lifecycle allows for the immediate release of improved malware detection while minimizing the effects of false alarms on the system.

Trend Micro actively collects possible new virus samples, which are analyzed and classified accordingly. Based on this analysis, a heuristic pattern is created. To minimize the occurrence of false alarms, detections are separated into two levels.

The first level aims to verify the threat of a file. Suspicious files are identified by attaching a prefix or suffix to the detection name. To minimize system interruptions due to false alarms, the recommended action for these files is "Pass". Detections in the first level which give no false alarms for 14 days are moved to the second level.

The second level aims to prevent the damage caused by a malicious file. A prefix or suffix is also attached to the detection name. To minimize the damage caused by the file, Trend Micro sets a more stringent action (First action: Clean, second action: Quarantine) for this level.

When a file is detected by Generic Detection, a prefix or suffix is attached to the detection name, which allows you to identify the level to which it is classified.

The virus family name or a general identifier is given after the prefix.

First Level Generic Detection Name

Similar variants of a virus family: Possible_ (e.g. Possible_ZLO, possible_hifrm-5)

Encrypted variants: CRYP_ (e.g. CRYP_TA, Cryp_Otorun-12, cryp_krap, cryp_krap-5, cryp_mangled, Cryp_Xed-12, cryp_Neb-2)

Files with filenames used by viruses: SUSPICIOUS_FILE

Second Level Generic Detection Name

MAL_ (e.g. MAL_VUND, mal_hifrm, MAL_OTORUN1)

Trend Micro's recommended action, or ActiveAction, is a set of scan actions based on the malware type (for example, virus, spyware, and others). To automatically deal with generic detections, we recommend enabling ActiveAction on your Trend Micro product. ActiveAction can be enabled on the following products:

  • OfficeScan 10.5/10.6
  • Trend Micro Titanium 2013/2014
  • Worry-Free Business Security
  • ServerProtect for Windows/NetWare 5.8
  • ServerProtect for Linux 3.0
  • ScanMail for Domino 5.6
  • ScanMail for Microsoft Exchange 10.2/11
  • InterScan Messaging Security Suite 7.1
  • InterScan Messaging Security Virtual Appliance 8.2/8.5

Files detected through Generic Detection are classified as the Generic type. ActiveAction uses the following actions for the Generic type:

Type      Example            First Action   Second Action
Generic   WORM_AGOBOT.GEN    Pass           -
Trojan    WORM_AGOBOT.A      Quarantine     Delete

Since Generic Detection uses heuristic scanning, some detections may be false alarms. Because of this, the first action for the Generic type is set to Pass for a fixed period of time.
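The following Python script is an added example, not Trend Micro code: it parses detection names using the prefix convention described above (Possible_, CRYP_, SUSPICIOUS_FILE, MAL_), attaches the actions the article documents for each level (first level: Pass; second level: Clean, then Quarantine), and runs that classification over scan-log lines so an administrator can see which files were passed under a first-level detection and should be reviewed. The log-line format, file paths and the handling of a ".GEN" suffix as a first-level detection are assumptions made for this example.

```python
"""Classify Trend Micro generic detection names and map them to documented actions.

Added example, not Trend Micro code. The prefixes and the per-level actions come
from the article; the log-line format, file paths and detection names below are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefix -> level. Matching is case-insensitive because the article shows
# mixed-case names such as cryp_krap-5 and mal_hifrm.
GENERIC_PREFIXES = {
    "POSSIBLE_": 1,   # similar variants of a virus family
    "CRYP_": 1,       # encrypted variants
    "MAL_": 2,        # second-level generic detection
}

# Actions the article documents for each level (first action, second action).
LEVEL_ACTIONS = {
    1: ("Pass", None),
    2: ("Clean", "Quarantine"),
}


@dataclass
class Detection:
    name: str
    level: Optional[int]        # 1, 2, or None when not a generic detection
    family: Optional[str]       # e.g. "krap" from cryp_krap-5
    variant: Optional[str]      # e.g. "5" from cryp_krap-5
    first_action: Optional[str]
    second_action: Optional[str]


def classify(name: str) -> Detection:
    """Derive level, family, variant and documented actions from a detection name."""
    upper = name.upper()
    if upper == "SUSPICIOUS_FILE":
        # First level: file name matches one used by viruses; no family is encoded.
        return Detection(name, 1, None, None, *LEVEL_ACTIONS[1])
    for prefix, level in GENERIC_PREFIXES.items():
        if upper.startswith(prefix):
            rest = name[len(prefix):]
            family, _, variant = rest.partition("-")
            return Detection(name, level, family or None, variant or None, *LEVEL_ACTIONS[level])
    if upper.endswith(".GEN"):
        # The article lists WORM_AGOBOT.GEN as the Generic type with first action
        # Pass; treating it as level 1 is an assumption of this example.
        return Detection(name, 1, name[:-4], None, *LEVEL_ACTIONS[1])
    # Not a generic detection: the product's configured action for the malware
    # type applies, which this example does not model.
    return Detection(name, None, None, None, None, None)


# Constructed log format (assumed): "<date> <time> file=<path> detection=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+file=(?P<file>\S+)\s+detection=(?P<name>\S+)")

# Constructed sample scan-log lines; paths and detections are illustrative only.
SAMPLE_LOG = [
    "2015-10-08 09:12:01 file=C:\\temp\\setup.exe detection=cryp_krap-5",
    "2015-10-08 09:13:44 file=C:\\users\\a\\b.exe detection=Possible_ZLO",
    "2015-10-08 09:15:10 file=C:\\windows\\temp\\x.exe detection=MAL_OTORUN1",
    "2015-10-08 09:16:02 file=C:\\downloads\\w.exe detection=WORM_AGOBOT.A",
    "2015-10-08 09:17:30 file=C:\\temp\\svchost.exe detection=SUSPICIOUS_FILE",
]


def triage(lines: List[str]) -> List[Dict]:
    """Parse log lines and attach the documented actions to each detection."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        d = classify(m.group("name"))
        rows.append({
            "file": m.group("file"),
            "detection": d.name,
            "level": d.level,
            "first_action": d.first_action,
            "second_action": d.second_action,
        })
    return rows


def summarize(rows: List[Dict]) -> Dict[Optional[int], int]:
    """Count detections per level; None means a conventional (non-generic) detection."""
    counts: Dict[Optional[int], int] = {}
    for r in rows:
        counts[r["level"]] = counts.get(r["level"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(r)
    print("per level:", summarize(rows))
```

First-level rows (action Pass) are the ones worth reviewing: the file was left in place, so an administrator may want to check it manually or submit a sample, while second-level rows were cleaned or quarantined automatically when ActiveAction was enabled.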

If ActiveAction is not enabled or cannot be enabled, the action for Generic Detections depends on the action configured for the specific malware type in the product, as shown below:

Product                                            Version            Malware Type
OfficeScan                                         10.5/10.6          Generic
Trend Micro Internet Security                      2013/2014          Virus
Worry-Free Business Security                       7.0/8.0            Generic
ServerProtect for Windows/Netware                  5.8                Virus
ServerProtect for Linux                            3.0                Virus
ScanMail for Lotus Notes                           2.6                (Action for uncleanable virus)
ScanMail for Domino                                5.6                (Action for uncleanable virus)
ScanMail for Microsoft Exchange                    10.2/11            Virus
InterScan Web Security Suite/Virtual Appliance     3.1/5.5/5.6/6.0    6.0
InterScan Messaging Security Suite/Virtual Appliance  7.1/8.2/8.5     Virus
InterScan VirusWall for SMB                        7                  Virus

Q: Is the heuristic pattern a new separate pattern file?
A: The heuristic pattern is not a new separate pattern file. It is a set of signatures added to the virus pattern file in order to supplement its detection capability.

Q: Is there anything I need in order to use the heuristic pattern?
A: You will need the latest scan engine in order to use the heuristic pattern. You can get the latest scan engine by updating your product or by downloading it from the Update Center.

Q: Do I need to configure my product to use ActiveAction?
A: Configuring your product to use ActiveAction is not required, but we strongly recommend doing so. By using ActiveAction and setting automatic actions on Generic Detections, you can decrease the workload of the system administrator.

Q: What happens when the action taken is "Pass"?
A: When the action taken on a file is "Pass", detected malware running as a process in memory is normally terminated. However, for Generic Detections with ActiveAction, detected processes are not terminated. Aside from this, no action (e.g. clean, quarantine, change extension) is taken on the file.

Q: Can I specify the action taken for Generic Detections?
A: You can specify the action taken for Generic Detections in OfficeScan and Client Server Messaging Security. On the Scan Actions screen in the product console, select the action you want for the "Generic" type.

Q: The file detected and quarantined was a non-malicious program or file. How do I restore the file?
A: For security purposes, quarantined files are encrypted. Because of this, you will need to use a tool to restore non-malicious quarantined files.

Category: Remove a Malware / Virus
Solution Id: 1055147