This article describes Generic Detections (Possible_, CRYP_, Mal_) in Trend Micro Products and how to manage them.
Generic detection makes use of a heuristic pattern that is capable of detecting multiple variants of the same family of malware. The heuristic pattern can supplement the existing virus pattern file by detecting unknown variants of malware.
Trend Micro follows a lifecycle for Generic Detections. This lifecycle allows for immediate release for improved malware detection, as well as the minimizing of effects on the system caused by false alarms.
Trend Micro actively collects possibly new virus samples, which are analyzed and classified accordingly. Based on this analysis, a heuristic pattern is created. To minimize the occurrence of false alarms, detections are separated into two levels.
The first level aims to verify the threat of a file. Suspicious files are identified by attaching a prefix or suffix to the detection name. To minimize system interruptions due to false alarms, the recommended action for these files is "Pass". Detections in the first level which give no false alarms for 14 days are moved to the second level.
The second level aims to prevent the damage caused by a malicious file. A prefix or suffix is also attached to the detection name. To minimize the damage caused by the file, Trend Micro sets a more stringent action (First action: Clean, second action: Quarantine) for this level.
When a file is detected by Generic Detection, a prefix or suffix is attached to the detection name, which allows you to identify the level to which it is classified.
The virus family name or a general identifier is given after the prefix.
First Level Generic Detection Name
Similar variants of a virus family: Possible_ (e.g. Possible_ZLO, possible_hifrm-5)
Encrypted variants: CRYP_ (e.g. CRYP_TA, Cryp_Otorun-12, cryp_krap, cryp_krap-5, cryp_mangled, Cryp_Xed-12, cryp_Neb-2)
Files with filenames used by viruses: SUSPICIOUS_FILE
Second Level Generic Detection Name
MAL_ (e.g. MAL_VUND, mal_hifrm, MAL_OTORUN1)
Trend Micro's recommended action or ActiveAction is a set of scan actions based on the malware type (Example: virus, spyware and others). To automatically deal with generic detections, we recommend enabling ActiveAction on your Trend Micro product. ActiveAction can be enabled on the following products:
- OfficeScan 10.5/10.6
- Trend Micro Titanium 2013/2014
- Worry-Free Business Security
- ServerProtect for Windows/NetWare 5.8
- ServerProtect for Linux 3.0
- ScanMail for Domino 5.6
- ScanMail for Microsoft Exchange 10.2/11
- InterScan Messaging Security Suite 7.1
- Interscan Messaging Security Virtual Appliance 8.2/8.5
Files detected through Generic Detection are classified as the Generic type. ActiveAction uses the following actions for the Generic type:
| Type | Example | First Action | Second Action |
|---|---|---|---|
| Generic | WORM_AGOBOT.GEN | Pass | - |
| Trojan | WORM_AGOBOT.A | Quarantine | Delete |
Since Generic Detection uses heuristic scanning, some detections may be false alarms. Because of this, the first action for the Generic type is set to Pass for a fixed period of time.
If ActiveAction is not enabled or cannot be enabled, the action for Generic Detections depends on the action configured for the specific malware type in the product, as shown below:
| Product | Version | Malware Type |
|---|---|---|
| OfficeScan | 10.5/10.6 | Generic |
| Trend Micro Internet Security | 2013/2014 | Virus |
| Worry-Free Business Security | 7.0/8.0 | Generic |
| ServerProtect for Windows/Netware | 5.8 | Virus |
| Server Protect for Linux | 3.0 | Virus |
| ScanMail for Lotus Notes | 2.6 | (Action for uncleanable virus) |
| ScanMail for Domino | 5.6 | (Action for uncleanable virus) |
| ScanMail for Microsoft Exchange | 10.2/11 | Virus |
| InterScan Web Security Suite/Virtual Appliance | 3.1/5.5/5.6/6.0 | 6.0 |
| InterScan Messaging Security Suite /Virtual Appliance | 7.1/8.2/8.5 | Virus |
| InterScan VirusWall for SMB | 7 | Virus |
Q: Is the heuristic pattern a new separate pattern file?
A: The heuristic pattern is not a new separate pattern file. It is a set of signatures added to the virus pattern file in order to supplement its detection capability.
Q: Is there anything I need in order to use the heuristic pattern?
A: You will need the latest scan engine in order to use the heuristic pattern. You can get the latest scan engine by updating your product or by downloading it from the Update Center.
Q: Do I need to configure my product to use ActiveAction?
A: Configuring your product to use ActiveAction is not required, but we strongly recommend doing so. By using ActiveAction and setting automatic actions on Generic Detections, you can decrease the workload of the system administrator.
Q: What happens when the action taken in "Pass"?
A: When the action taken on a file is "Pass", detected malware that are running as a process in the memory are normally terminated. However, for Generic Detections with ActiveAction, detected processes are not terminated. Aside from this, no action (e.g. clean, quarantine, change extension) is taken on the file.
Q: Can I specify the action taken for Generic Detections?
A: You can specify the action taken for Generic Detections in OfficeScan and Client Server Messaging Security. On the Scan Actions screen in the product console, select the action you want for the "Generic" type.
Q: The file detected and quarantined was a non-malicous program or file. How do I restore the file?
A: For security purposes, quarantined files are encrypted. Because of this, you will need to use a tool to restore non-malicious quarantined files.
