Malware Protection

To ensure malware protection a software agent is installed on the system. The communication between the agent installed on the system and the management application takes place in the background. This includes updates of both the malware signatures and the agent application.

Functions/Configuration options

Properties and their descriptions:

  • Scan-Detection-Method: The scan detection method used is scan on read and write.
  • Full Scan: Currently, full scans are not scheduled and cannot be triggered manually.
  • Event handling: The malware protection software can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats. Which action is taken depends on the type of threat.
  • Event Logs: On Windows, event logs are stored in this location: C:\ProgramData\Trend Micro\Deep Security Agent\Diag. On Linux, event logs are stored here: /var/opt/ds_agent/diag
  • Exclusions: The customer can request that specific folders, files or processes be excluded from the real-time malware scan by issuing a Change Request.
  • Quarantine: Detected files are sent to a central quarantine and can be restored by the provider if requested.
  • Restrictions: The agent used on the system must not be manually uninstalled or reconfigured.

Event Log

The following information is logged for every malware detection:

  • Time: Time the event took place on the computer.
  • Infected File(s): The location and name of the infected file.
  • Malware: The name of the malware that was found.
  • Action Taken: Displays the results of the actions specified in the malware scan configuration associated with the event.
    • Cleaned: Successfully terminated processes or deleted registry entries, files, cookies, or shortcuts, depending on the type of malware.
    • Clean Failed: Malware could not be cleaned for a variety of possible reasons.
    • Deleted: An infected file was deleted.
    • Delete Failed: An infected file could not be deleted for a variety of possible reasons.
    • Quarantined: An infected file was quarantined.
    • Quarantine Failed: An infected file could not be quarantined for a variety of possible reasons.
    • Access Denied: Prevented the infected file from being accessed without removing the file from the system.
    • Passed: Did not take any action but logged the detection of the malware.
  • Scan Type: The type of scan that found the malware (Real-Time, Scheduled, or Manual).
  • Event Origin: Indicates from which part of the Deep Security system the event originated.
  • Reason: The malware scan configuration that was in effect when the malware was detected.
  • Major Virus Type: The type of malware detected. Possible values are: Joke, Trojan, Virus, Test, Spyware, Packer, Generic, or Other.
  • Target(s): The file, process, or registry key (if any) that the malware was trying to affect.
  • Target Type: The type of system resource that this malware was trying to affect, such as the file system, a process, or Windows registry.
  • File MD5: The MD5 hash of the file.

Handling of Malware Alerts

Malware alerts that the anti-malware system could not resolve automatically are logged centrally and analyzed by security experts, who decide on further actions. All actions are logged.
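As an added example (not the page's or the vendor's code), this is the triage logic an analyst could run over exported detection events using the field names listed above: it parses each record, decides from the Action Taken field whether the threat is still present, and groups unresolved hits by File MD5 so repeated detections of one file become one case. The tab-separated key=value record layout, the sample records and the set of actions treated as unresolved are assumptions.

```python
"""Triage anti-malware detection events for analyst follow-up (added example;
the tab-separated key=value record layout and sample records are constructed)."""
from collections import defaultdict

# Assumption: these outcomes leave the detected object on the system and need
# manual handling; the three resolved outcomes mean the threat was removed.
UNRESOLVED_ACTIONS = {"Clean Failed", "Delete Failed", "Quarantine Failed",
                      "Access Denied", "Passed"}
RESOLVED_ACTIONS = {"Cleaned", "Deleted", "Quarantined"}
REQUIRED_FIELDS = ("Time", "Infected File(s)", "Malware", "Action Taken", "File MD5")

# Constructed sample records; malware names and hashes are placeholders.
SAMPLE_LOG = "\n".join([
    "Time=2024-05-01T10:02:11Z\tInfected File(s)=C:\\Users\\a\\Downloads\\x.exe"
    "\tMalware=TEST_SAMPLE.A\tAction Taken=Quarantined\tFile MD5=00000000000000000000000000000001",
    "Time=2024-05-01T10:05:43Z\tInfected File(s)=C:\\Temp\\inst.tmp"
    "\tMalware=TROJ_SAMPLE.B\tAction Taken=Delete Failed\tFile MD5=00000000000000000000000000000002",
    "Time=2024-05-01T10:06:01Z\tInfected File(s)=C:\\Temp\\inst.tmp"
    "\tMalware=TROJ_SAMPLE.B\tAction Taken=Passed\tFile MD5=00000000000000000000000000000002",
])

def parse_event(line):
    """Parse one record into a dict; reject records missing the core fields."""
    event = {}
    for field in line.split("\t"):
        key, sep, value = field.partition("=")   # split on the first '=' only
        if sep:
            event[key.strip()] = value.strip()
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"record missing fields: {missing}")
    return event

def needs_analyst(event):
    """True when 'Action Taken' shows the threat is still present on the host."""
    action = event["Action Taken"]
    if action in RESOLVED_ACTIONS:
        return False
    if action in UNRESOLVED_ACTIONS:
        return True
    raise ValueError(f"unknown action value: {action!r}")   # do not silently drop

def triage(log_text):
    """Group unresolved detections by File MD5 so repeated hits form one case."""
    cases = defaultdict(list)
    for event in map(parse_event, filter(str.strip, log_text.splitlines())):
        if needs_analyst(event):
            cases[event["File MD5"]].append(event)
    return dict(cases)
```

Running `triage(SAMPLE_LOG)` on the constructed records yields a single case for the second hash with two events (Delete Failed, then Passed); the quarantined file produces no case.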

Default Policy (Windows)

The default Windows policy excludes the following items from the scans:

Paths (incl. subfolders):

  • C:\os\softwaredistribution\datastore\
  • C:\os\System32\GroupPolicy\
  • C:\os\system32\spool\
  • C:\Windows\SoftwareDistribution\DataStore\
  • C:\Windows\System32\GroupPolicy\
  • C:\Windows\system32\spool\
  • C:\Windows\SysWOW64\GroupPolicy\
  • C:\Windows\syswow64\spool\
  • D:\spool\
  • C:\os\softwaredistribution\download\
  • C:\Windows\SoftwareDistribution\Download\
  • C:\ProgramData\chocolatey\
  • C:\ProgramData\Puppetlabs\Puppet\
  • C:\Program Files\BMC Software\Patrol*\
  • C:\Program Files\Common Files\VMware\
  • C:\Program Files (x86)\Vmware\
  • C:\Program Files\SplunkUniversalForwarder\
  • C:\Program Files\BigFix Enterprise\BES Client\
  • C:\vrmguestagent\

Files:

  • C:\Windows\System32\DHCP*.mdb
  • C:\Windows\System32\DHCP*.pat
  • C:\Windows\System32\Dns*.dns
  • C:\Windows\System32\Dns*.mdb
  • C:\Windows\System32\Wins*.mdb
  • Ntds.dit
  • Ntds.pat
  • NTUser.pol
  • hiberfil.sys
  • pagefile.sys
  • Wsusscan.cab
  • Wsusscn2.cab

File extensions:

  • ADM
  • BAK
  • CHK
  • DAT
  • EDB
  • JRS
  • LDF
  • LOG
  • MDF
  • NDF
  • POL
  • PST
  • SDB
  • TM
  • TMP
  • TRN
  • VHD
  • VSV
  • VUD

Processes:

  • C:\Program Files\BMC Software\Patrol3\bin\PatrolAgent.exe
  • C:\Program Files\BMC Software\Patrol3\lib\psl\psx_server.xpc
  • C:\Program Files\BMC Software\Patrol7\bin\PatrolAgent.exe
  • C:\Program Files\EMC NetWorker\nsr\bin\nsrexecd.exe
  • C:\Program Files\EMC NetWorker\nsr\bin\nsrnmmra.exe
  • C:\Program Files\EMC NetWorker\nsr\bin\WinClient.exe
  • C:\Program Files\EMC NetWorker\nsr\bin\winworkr.exe
  • C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
  • C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
  • C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  • C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  • C:\Program Files\Veritas\NetBackup\bin\bpbackup.exe
  • C:\Program Files\Veritas\NetBackup\bin\bpbkar32.exe
  • C:\Program Files\Veritas\NetBackup\bin\bpcd.exe
  • C:\Program Files\Veritas\NetBackup\bin\bpfis.exe
  • C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
  • C:\Program Files\Veritas\NetBackup\bin\nbdisco.exe
  • C:\Program Files\Veritas\NetBackup\bin\nbftclnt.exe
  • C:\Program Files\Veritas\NetBackup\bin\nbostpxy.exe
  • C:\Program Files\Veritas\NetBackup\bin\nbsl.exe
  • C:\Program Files\Veritas\NetBackup\bin\vnetd.exe
  • C:\Program Files\Veritas\NetBackup\online_util\fi_cntl
  • C:\Program Files\Veritas\pdde\mtstrmd.exe
  • C:\Program Files\Veritas\Volmgr\bin\vmd.exe
  • C:\Program Files\VMware\ep-agent\wrapper\sbin\wrapper-windows-x86-32.exe
  • C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
  • C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
  • C:\Program Files (x86)\Veritas\NetBackup\bin\bpbackup.exe
  • C:\Program Files (x86)\Veritas\VxPBX\bin\monitor_server.exe
  • C:\Program Files (x86)\Veritas\VxPBX\bin\pbx_exchange.exe
  • C:\Program Files (x86)\VMware\Log Insight Agent\liwinsvc.exe

Default Policy (MS SQL 2014)

The default policy for MS SQL inherits all exclusions of the Windows policy and has the following additional ones:

Paths (incl. subfolders):

  • *:\SQL_Server\Default\
  • *:\SQL_Server\NM01\
  • *:\SQL_Server\NM02\
  • *:\SQL_Server\NM03\
  • *:\SQL_Server\OLAP\

Default Policy (Linux)

The default Linux policy excludes the following items from the scans:

Paths (incl. subfolders):

  • /proc/
  • /sys/