Sign In with your
Trend Micro Account

若您需要技術支援,請 按此建立案件。

General guidelines in cleaning virus outbreaks (PE_) using OfficeScan

    • 更新於:
    • 13 Mar 2020
    • 產品/版本:
    • 作業系統:
    • N/A N/A

Biological viruses operate by attaching themselves to healthy cells (hosts) and using them to propagate. Computer viruses do the same, only that it involves files in your computer. When an infected file is executed, the virus code is also executed infecting other files and sometimes delivering additional payload. This is the reason why viruses spread fast.

These are the most common virus families detected by Trend Micro:

  • PE_Chir

Target files vary from one virus family to another. For example, PE_RAMNIT.DEN-O infects .exe and .dll files while PE_SALITY.RL-O infects .exe and .scr files.

Learn what to do in the event that a virus outbreak occurs in your network.


Apply the recommended settings

Applying the recommended settings offers the best protection against malware. Please refer to the KB article on the best practices in configuring OfficeScan for malware protection.

Temporarily disable the scan exclusion until the outbreak is stopped

There’s a high possibility that scan exclusion maybe preventing OfficeScan from cleaning infected files. Temporarily disable the scan exclusion to ensure that OfficeScan will be able to scan and clean all files/directories including itself.
  1. Log on to the OfficeScan management console.
  2. Go to Agents > Agent Management.
  3. In the Agent Tree, select the OfficeScan Server/Domain/Computer.
  4. Go to Settings > Scan Settings > Real-time Scan Settings.
  5. Uncheck Enable scan exclusion.

    scan exclusion

  6. Do the same for the other scan types:
    • Manual Scan Settings
    • Scheduled Scan Settings
    • Scan Now Settings
  7. Click Save.

Identify and clean the infection sources

Change the file extension of ATTK from .exe to .com. This will prevent certain viruses like PE_SALITY from infecting it.
    1. Export the Virus/Malware Logs.
    2. Check for infection sources under the Infection Source column.


    3. Clean the infection sources using ATTK and ensure that they have OfficeScan Agent installed
Should you need additional recommendation, submit the Virus/Malware Logs to Trend Micro Technical Support for analysis.

Check for Unmanaged Endpoints

Computers that do not have antivirus software installed are prone to infection. They could potentially compromise other computers in the network.

The Unmanaged Endpoints in OfficeScan can be found under Assessment > Unmanaged Endpoints. It can display computers with the following status:

  • Managed by another OfficeScan server
  • No OfficeScan agent installed
  • Unreachable
  • Unresolved Active Directory assessment

security status

Run a regular security assessment to check for Unmanaged Endpoints and install OfficeScan agent on unprotected computers.

What to do when OfficeScan fails to clean an infected file

  1. Ensure that you are using specific scan action for Virus. The recommended scan actions are:
    • 1st scan action: Clean
    • 2nd scan action: Quarantine
    Unlike Trojans or Worms which can immediately be deleted or quarantined, the the 1st scan action for Virus should be Clean - OfficeScan will attempt to remove the virus code that was injected into the file. If the 1st scan action is different, ex. delete, then you will not be able to recover the file which may be critical to your system/application.
  2. A bandage pattern maybe required for the cleanup. Submit the infected file to Trend Micro Technical Support for analysis.
Remove a Malware / Virus



若您需要協助,請聯繫對應的技術支援窗口. 聯絡我們

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.