Table of contents

Enhanced Anti-Malware and ransomware scanning with behavior monitoring

Workload Security provides security settings that you can apply to Windows and Linux machines that are protected by an agent to enhance your malware and ransomware detection and clean rate. These settings enable you to go beyond malware pattern matching and identify suspicious files that could potentially contain emerging malware that hasn’t yet been added to the anti-malware patterns (known as a zero-day attack).

For an overview of the Anti-Malware module, see Protect against malware.

For macOS agents, behavior monitoring is not supported.

Enhanced scanning protection

Threat detection: To avoid detection, some types of malware attempt to modify system files or files related to known installed software. These types of changes often go unnoticed because the malware takes the place of legitimate files. Workload Security can monitor system files and installed software for unauthorized changes to detect and prevent these changes from occurring.

Anti-exploit: Malware writers can use malicious code to hook in to user mode processes in order to gain privileged access to trusted processes and to hide the malicious activity. Malware writers inject code into user processes through DLL injection, which calls an API with escalated privilege. They can also trigger an attack on a software exploit by feeding a malicious payload to trigger code execution in memory. In Workload Security, the anti-exploit functionality monitors for processes that may be performing actions that are not typically performed by a given process. Using a number of mechanisms, including Data Execution Prevention (DEP), Structured Exception Handling Overwrite Protection (SEHOP), and heap spray prevention, Workload Security can determine whether a process has been compromised and then terminate the process to prevent further infection.

Extended ransomware protection: Recently, ransomware has become more sophisticated and targeted. Most organizations have a security policy that includes anti-malware protection on their endpoints, which offers a level of protection against known ransomware variants; however, it may not be sufficient to detect and prevent an outbreak for new variants. The ransomware protection offered by Workload Security can protect documents against unauthorized encryption or modification. Workload Security has also incorporated a data recovery engine that can optionally create copies of files being encrypted to offer users an added chance of recovering files that may have been encrypted by a ransomware process.

Enable enhanced scanning

Enhanced scanning is configured as part of the Anti-Malware settings that are applied to a policy or individual computer. For general information on configuring Anti-Malware protection, see Enable and configure Anti-Malware.

These settings can only be applied to Windows and Linux machines that are protected by an agent.

Enhanced scanning may have a performance impact on agent computers running applications with heavy loads. You should review Performance tips for Anti-Malware before deploying agents with enhanced scanning enabled.

The first step is to enable enhanced scanning in a real-time malware scan configuration:

  1. In the Workload Security console, go to Policies > Common Objects > Other > Malware Scan Configurations.
  2. Double-click an existing real-time scan configuration to edit it (for details on malware scan configurations, see Configure malware scans).
  3. On the General tab, under Behavior Monitoring, select Enable Behavior Monitoring. In the Action to take list, choose the remediation action that you want Workload Security to take when it detects malware:
    • ActiveAction (recommended): Use the action that ActiveAction determines. ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly (see ActiveAction actions).
    • Pass: Allows full access to the infected file without doing anything to the file. An Anti-Malware Event is still recorded.
  4. Optionally, select Back up and restore ransomware-encrypted files. When this option is selected, Workload Security will create backup copies of files that are being encrypted, in case they are being encrypted by a ransomware process. This option applies only to computers running Windows.
  5. Click OK.

By default, real-time scans are set to scan all directories. If you change the scan settings to scan a directory list, the enhanced scanning may not work as expected. For example, if you set Directories to scan to scan "Folder1" and ransomware occurs in Folder1, it may not be detected if the encryption associated with the ransomware happens to files outside of Folder1.

Next, apply the malware scan configuration to a policy or an individual computer:

  1. In the Computer or Policy editor, go to Anti-Malware > General.
  2. Ensure that the Anti-Malware State is On or Inherited (On).
  3. The General tab contains sections for Real-Time Scan, Manual Scan, and Scheduled Scan. In the appropriate sections, use the Malware Scan Configuration list to select the scan configuration that you created.
  4. Click Save.

What happens when enhanced scanning finds a problem?

When Workload Security discovers activity or files that match the enhanced scan settings you have enabled, it logs an event (go to Events & Reports > Events > Anti-Malware Events to see a list of events). The event is identified as "Suspicious activity" or "Unauthorized change" in the Major Virus Type column and details are displayed in the Target(s) and TargetType columns.

Workload Security performs many types of checks related to the enhanced scan settings, and the actions that it takes depend on the type of check that finds an issue. Workload Security may Deny Access, Terminate, or Clean a suspicious object. These actions are determined by Workload Security and are not configurable, with the exception of the Clean action:

  • Deny Access: When Workload Security detects an attempt to open or execute a suspicious file, it immediately blocks the operation and records an Anti-Malware event.
  • Terminate: Workload Security terminates the process that performed the suspicious operation and records an Anti-Malware event.
  • Clean: Workload Security checks the Malware Scan Configuration and performs the action specified for Trojans on the Actions tab. One or more additional events will be generated relating to the action performed on the Trojan files.

Anti-Malware Events page

Double-click an event to see details:

Event details

Events related to ransomware have an additional Targeted Files tab:

Event details

Event details

If you investigate and find that an identified file is not harmful, you can right-click the event and click Allow to add the file to a scan exclusion list for the computer or policy. You can check the scan exclusion list in the policy or computer editor, under Anti-Malware > Advanced > Behavior Monitoring Protection Exceptions.