Configuring Global Scan Settings in OfficeScan XG Service Pack 1 (SP1)

    • Updated: 12 Apr 2019
    • Product/Version: OfficeScan XG.All
    • Platform: N/A
Summary

There are a number of ways global scan settings get applied to agents:

  • A particular scan setting can apply to all agents that the server manages or only to agents with certain scan privileges. For example, if you configure the postpone Scheduled Scan duration, only agents with the privilege to postpone Scheduled Scan will use the setting.
  • A particular scan setting can apply to all or only to a particular scan type. For example, on endpoints with both the OfficeScan server and OfficeScan agent installed, you can exclude the OfficeScan server database from scanning. However, this setting applies only during Real-time Scan.
  • A particular scan setting can apply when scanning for either virus/malware or spyware/grayware, or both. For example, assessment mode only applies during spyware/grayware scanning.
Details

To configure Global Scan Settings:

  1. Go to Agents > Global Agent Settings.
  2. Click the Security Settings tab and configure the Global Scan Settings in each of the available sections:

    The Scan Settings section of the Global Agent Settings screen allows administrators to configure the following:

    If the OfficeScan agent and OfficeScan server exist on the same endpoint, the OfficeScan agent will not scan the server database for virus/malware and spyware/grayware during Real-time Scan.

     
    Enable this setting to prevent database corruption that may occur during scanning.

    If the OfficeScan agent and a Microsoft Exchange 2000/2003 server exist on the same endpoint, OfficeScan will not scan the following Microsoft Exchange folders and files for virus/malware and spyware/grayware during Manual Scan, Real-time Scan, Scheduled Scan and Scan Now:

    • The following folders in \Exchsrvr\Mailroot\vsi 1: Queue, PickUp, and BadMail
    • \Exchsrvr\mdbdata, including these files: priv1.stm, priv1.edb, pub1.stm, and pub1.edb
    • \Exchsrvr\Storage Group

    For Microsoft Exchange 2007 or later folders, you need to manually add the folders to the scan exclusion list. For scan exclusion details, refer to the following article: Running Windows antivirus software on Exchange servers.

    Configure scan exclusions to improve scanning performance and to skip files that cause false alarms. When a particular scan type runs, OfficeScan checks the scan exclusion list to determine which files on the endpoint will be excluded from both virus/malware and spyware/grayware scanning.

    When you enable scan exclusion, OfficeScan will not scan a file under the following conditions:

    • The file is found under a specific directory (or any of its sub-directories).
    • The file name matches any of the names in the exclusion list.
    • The file extension matches any of the extensions in the exclusion list.
     
    For a list of products that Trend Micro recommends excluding from Real-Time scans, go to: Recommended scan exclusion list for Trend Micro Endpoint products.
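
    The three exclusion conditions above can be modelled to audit what a given exclusion list actually leaves unscanned. This is an added example, not Trend Micro code: the list values and the drive letter are constructed, and case-insensitive, exact (non-wildcard) matching is an assumption.

```python
from pathlib import PureWindowsPath

# Constructed exclusion list (hypothetical; drive letter C: is assumed).
EXCLUDED_DIRS = [r"C:\Exchsrvr\mdbdata", r"C:\Exchsrvr\Storage Group"]
EXCLUDED_NAMES = ["priv1.edb", "pub1.stm"]
EXCLUDED_EXTS = ["log"]


def _norm(path):
    # Assumption: matching is case-insensitive, as Windows paths are.
    return PureWindowsPath(str(path).lower())


def exclusion_reason(file_path, dirs=EXCLUDED_DIRS, names=EXCLUDED_NAMES,
                     exts=EXCLUDED_EXTS):
    """Return the rule that makes the scanner skip file_path, or None."""
    p = _norm(file_path)
    for d in dirs:
        # Condition 1: file is under the directory or any sub-directory.
        # Whole path components are compared, so ...\mdbdata2 is not
        # covered by ...\mdbdata (a string-prefix test would cover it).
        if _norm(d) in p.parents:
            return f"directory:{d}"
    # Condition 2: file name matches, wherever the file is located.
    if p.name in {n.lower() for n in names}:
        return f"name:{p.name}"
    # Condition 3: extension matches, wherever the file is located.
    ext = p.suffix.lstrip(".")
    if ext and ext in {e.lower().lstrip(".") for e in exts}:
        return f"extension:{ext}"
    return None


def audit(paths):
    """Split paths into those still scanned and those skipped (with rule)."""
    skipped = {p: r for p in paths if (r := exclusion_reason(p))}
    scanned = [p for p in paths if p not in skipped]
    return scanned, skipped


if __name__ == "__main__":
    sample = [r"C:\Exchsrvr\MDBDATA\tmp\setup.exe",   # constructed paths
              r"C:\Exchsrvr\mdbdata2\setup.exe",
              r"D:\Users\alice\PRIV1.EDB",
              r"D:\work\report.LOG"]
    scanned, skipped = audit(sample)
    print("scanned:", scanned)
    print("skipped:", skipped)
```

    A directory rule skips every file type beneath it, and name and extension rules apply on every drive, so each entry is worth reviewing for how much it covers.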

    Administrators can configure OfficeScan to defer the scanning of files. OfficeScan allows the user to copy files and then scans the files after the copy process completes. This deferred scanning improves the performance of the copy and scan processes.

     

    Deferred scanning requires that the Virus Scan Engine (VSAPI) be version 9.713 or later. To manually update the components on the OfficeScan server after installing or upgrading the server and whenever there is an outbreak:

    1. Go to Updates > Server > Manual Update.
    2. Select the components to update.
    3. Click Update.

      The server downloads the updated components.

    OfficeScan supports the Early Launch Anti-Malware (ELAM) feature as part of the Secure Boot standard to provide boot time protection on endpoints. Administrators can enable this feature to start OfficeScan agents before other third-party software drivers when endpoints start up. This feature enables OfficeScan agents to detect malware during the operating system boot process.

    After scanning all third-party software drivers, the OfficeScan agent reports the driver classification information to the system kernel. Administrators can define actions based on the driver classifications in Group Policy in Windows and view scan results using Event Viewer on endpoints.

     
    ELAM is supported only on Windows 8, Windows Server 2012, or later versions.

    All agents managed by the server clean or delete virus/malware-infected files that they detect within compressed files during Manual Scan, Real-time Scan, Scheduled Scan and Scan Now when the following conditions are met:

    • "Clean" or "Delete" is the action OfficeScan is set to perform. Check the action OfficeScan performs on infected files by going to Agents > Agent Management > Settings > Scan Settings > {Scan Type} > Action tab.
    • You enable this setting. Enabling this setting may increase endpoint resource usage during scanning and scanning may take longer to complete. This is because OfficeScan needs to decompress the compressed file, clean/delete infected files within the compressed file, and then re-compress the file.
    • The compressed file format is supported. OfficeScan only supports certain compressed file formats, including ZIP and Office Open XML, which uses ZIP compression technologies. Office Open XML is the default format for Microsoft Office 2007 applications such as Excel, PowerPoint, and Word.
     
    Contact your support provider for a complete list of supported compressed file formats.

    For example, Real-time Scan is set to delete files infected with a virus. After Real-time Scan decompresses a compressed file named abc.zip and detects an infected file 123.doc within the compressed file, OfficeScan deletes 123.doc and then re-compresses abc.zip, which is now safe to access.

    The following table describes what happens if any of the conditions is not met.

    Status of "Clean/Delete infected files within compressed files": Enabled
    Action OfficeScan is set to perform: Clean or Delete
    Compressed file format: Not supported
    Example: def.rar contains an infected file 123.doc.
    Result: OfficeScan encrypts def.rar but does not clean, delete, or perform any other action on 123.doc.

    Status of "Clean/Delete infected files within compressed files": Disabled
    Action OfficeScan is set to perform: Clean or Delete
    Compressed file format: Supported/Not supported
    Example: abc.zip contains an infected file 123.doc.
    Result: OfficeScan does not clean, delete, or perform any other action on both abc.zip and 123.doc.

    Status of "Clean/Delete infected files within compressed files": Enabled/Disabled
    Action OfficeScan is set to perform: Not Clean or Delete (in other words, any of the following: Rename, Quarantine, Deny Access or Pass)
    Compressed file format: Supported/Not supported
    Example: abc.zip contains an infected file 123.doc.
    Result: OfficeScan performs the configured action (Rename, Quarantine, Deny Access or Pass) on abc.zip, not 123.doc. If the action is:
    • Rename: OfficeScan renames abc.zip to abc.vir, but does not rename 123.doc.
    • Quarantine: OfficeScan quarantines abc.zip (123.doc and all non-infected files are quarantined).
    • Pass: OfficeScan performs no action on both abc.zip and 123.doc but logs the virus detection.
    • Deny Access: OfficeScan denies access to abc.zip when it is opened (123.doc and all non-infected files cannot be opened).

    When in assessment mode, all agents managed by the server will log spyware/grayware detected during Manual Scan, Scheduled Scan, Real-time Scan, and Scan Now but will not clean spyware/grayware components. Cleaning terminates processes or deletes registries, files, cookies, and shortcuts.

    Trend Micro provides assessment mode to allow you to evaluate items that Trend Micro detects as spyware/grayware and then take appropriate action based on your evaluation. For example, detected spyware/grayware that you do not consider a security risk can be added to the spyware/grayware approved list.

    When in assessment mode, OfficeScan performs the following scan actions:

    • Pass: During Manual Scan, Scheduled Scan and Scan Now
    • Deny Access: During Real-time Scan
     
    Assessment mode overrides any user-configured scan action. For example, even if you choose "Clean" as the scan action during Manual Scan, "Pass" remains the scan action while the agent is in assessment mode.

    Select this option if you consider cookies as potential security risks. When selected, all agents managed by the server will scan cookies for spyware/grayware during Manual Scan, Scheduled Scan, Real-time Scan, and Scan Now.

    Only agents set to run Scheduled Scan will use the following settings. Scheduled Scan can scan for virus/malware and spyware/grayware.

    The Scheduled Scan Settings section of the Global Scan Settings allows administrators to configure the following:

    OfficeScan displays a notification message minutes before scanning runs to remind users of the scan schedule (date and time) and any Scheduled Scan privilege you grant them.

    The notification message can be enabled/disabled from Agents > Agent Management > Settings > Privileges and Other Settings > Other Settings (tab) > Scheduled Scan Settings. If disabled, no reminder displays.

    Only users with the “Postpone Scheduled Scan” privilege can perform the following actions:

    • Postpone Scheduled Scan before it runs and then specify the postpone duration.
    • If Scheduled Scan is in progress, users can stop scanning and restart it later. Users then specify the amount of time that should elapse before scanning restarts. When scanning restarts, all previously scanned files are scanned again.

      The maximum postpone duration/elapsed time users can specify is 12 hours and 45 minutes, which you can reduce by specifying the number of hour(s) and/or minute(s) in the fields provided.

    OfficeScan stops scanning when the specified amount of time is exceeded and scanning is not yet complete. OfficeScan immediately notifies users of any security risk detected during scanning.

    OfficeScan immediately skips scanning when Scheduled Scan launches if it detects that a wireless endpoint's battery life is running low and its AC adapter is not connected to any power source. If battery life is low but the AC adapter is connected to a power source, scanning proceeds.

    If Scheduled Scan did not launch because OfficeScan was not running on the day and time of Scheduled Scan, or if the user interrupted Scheduled Scan (for example, by turning off the endpoint after the scan began), you can specify when OfficeScan resumes scanning.

    • Specify which Scheduled Scan to restart:
      Resume an interrupted Scheduled Scan: Resumes Scheduled Scans that the user interrupted by turning off the endpoint
      Resume a missed Scheduled Scan: Resumes Scheduled Scans missed because the endpoint was not running
    • Specify when to resume scanning:
      Same time next day: If OfficeScan is running at the exact same time the next day, scanning is resumed
      __ minutes after the endpoint starts: OfficeScan resumes scanning a number of minutes after the user turns on the endpoint. The number of minutes is between 10 and 120
     
    Users can postpone or skip a resumed Scheduled Scan if the administrator enabled this privilege. If Scheduled Scan is set to run on the agent, users can postpone and skip/stop Scheduled Scan.
  3. Click the System tab.
  4. In the Certified Safe Software Service Settings section, configure the "Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and Antivirus Scans" setting.

    The Certified Safe Software Service queries Trend Micro datacenters to verify the safety of a program detected by Malware Behavior Blocking, Event Monitoring, Firewall, or antivirus scans. Enable Certified Safe Software Service to reduce the likelihood of false positive detections.

     

    Ensure that OfficeScan agents have the correct proxy settings (for details, see OfficeScan Agent Proxy Settings) before enabling Certified Safe Software Service. Incorrect proxy settings, along with an intermittent Internet connection, can result in delays or failure to receive a response from Trend Micro datacenters, causing monitored programs to appear unresponsive.

    In addition, pure IPv6 OfficeScan agents cannot query directly from Trend Micro datacenters. A dual-stack proxy server that can convert IP addresses, such as DeleGate, is required to allow the OfficeScan agents to connect to the Trend Micro datacenters.

  5. Click the Network tab.
  6. In the Virus/Malware Log Bandwidth Settings section, configure the "Enable the OfficeScan agent to create a single virus/malware log entry for recurring detections of the same virus/malware within an hour" setting.

    OfficeScan consolidates virus log entries when detecting multiple infections from the same virus/malware over a short period of time. OfficeScan may detect a single virus/malware multiple times, quickly filling the virus/malware log and consuming network bandwidth when the OfficeScan agent sends log information to the server.

    Enabling this feature helps reduce both the number of virus/malware log entries made and the amount of network bandwidth OfficeScan agents consume when they report virus log information to the server.
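
    What consolidation means for anyone reading the server-side log, as an added example that is not OfficeScan's own logic: the detections are constructed, and the per-agent grouping, the window opening at the first detection, and the count field are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # "within an hour", from the setting's name

# Constructed detections: (timestamp, agent, malware name). Not real data.
RAW = [
    ("2019-04-12 09:00:05", "PC-01", "TROJ_SAMPLE.A"),
    ("2019-04-12 09:00:40", "PC-01", "TROJ_SAMPLE.A"),
    ("2019-04-12 09:31:10", "PC-01", "TROJ_SAMPLE.A"),
    ("2019-04-12 09:45:00", "PC-01", "WORM_SAMPLE.B"),
    ("2019-04-12 10:00:05", "PC-01", "TROJ_SAMPLE.A"),
    ("2019-04-12 09:10:00", "PC-02", "TROJ_SAMPLE.A"),
]


def consolidate(events, window=WINDOW):
    """Collapse repeats of the same malware on the same agent into one
    entry per window. Assumption: the window opens at the first detection
    and a detection exactly one window later starts a new entry."""
    open_entry = {}  # (agent, malware) -> entry still accepting repeats
    entries = []
    for ts, agent, malware in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (agent, malware)
        entry = open_entry.get(key)
        if entry and when - entry["first_seen"] < window:
            entry["count"] += 1          # repeat: no new log entry
            entry["last_seen"] = when
            continue
        entry = {"agent": agent, "malware": malware,
                 "first_seen": when, "last_seen": when, "count": 1}
        open_entry[key] = entry
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in consolidate(RAW):
        print(e["agent"], e["malware"], e["first_seen"], "x", e["count"])
    print(len(RAW), "detections ->", len(consolidate(RAW)), "log entries")
```

    With the setting enabled, the number of log entries is a lower bound on the number of detections, which matters when counting events during an outbreak.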

  7. Click the Agent Control tab.
  8. In the General Settings section, configure the "Add Manual Scan to the Windows shortcut menu on endpoints" setting.

    When this setting is enabled, all OfficeScan agents managed by the server add a Scan with OfficeScan option to the right-click menu in Windows Explorer. When users right-click a file or folder on the Windows desktop or in Windows Explorer and select the option, Manual Scan scans the file or folder for virus/malware and spyware/grayware.

  9. Click Save.
Category: Configure
Solution Id: 1122432