
Kansas State University

Trend Micro's quarantine process

When Trend Micro security software finds malware on your computer that it cannot repair, it removes the malicious file from your computer to eliminate the danger and "quarantines" it on your departmental, college, or central OfficeScan management server. When this happens, Trend Micro alerts you with a pop-up window on your computer similar to this:

[Image: OfficeScan pop-up warning window]

It is very important that you pay attention to this alert, because the information about the action taken, as well as the quarantined file itself, is only retained for a relatively short period of time, depending on how your antivirus administrator configured your OfficeScan client and server. For example, the central OfficeScan servers only retain quarantined files for 30 days.

Keep in mind that files quarantined by Trend Micro are almost always malicious code -- and not Word documents, Excel spreadsheets, or other useful documents. In the rare instance that a Word or Excel file is infected with malware, Trend Micro typically repairs the file and leaves the clean file intact on your computer. It is extremely rare that a useful file will get quarantined.

Also, Trend Micro quarantining a file on your computer will be a very rare event if you follow good security practices (see Basic IT security practices). Prevention is still the best form of protection!

When a file is quarantined, it is moved to the server, renamed with a cryptic file name, and encrypted to render it benign. The new file name has no resemblance to the original file name on your computer, so you have to use the information in the pop-up window shown above, or the log files described below, to identify the file and determine if it is something you need to recover.

  1. You should not count on recovering the file from the quarantine because the fact that it was quarantined normally means Trend Micro could not repair the file to remove the malicious code. If you tried to put the file back on your computer, it would just get quarantined again.
  2. You will need to recover the file from your backups, which underscores the importance of backing up your data regularly (see the Nov. 21 security tip).

Log files

When Trend Micro detects malware, it records its action in a log file that you can view for up to 15 days after the event. To view the log file:

  1. Move your mouse pointer to the blue OfficeScan symbol in the system-tray section of your taskbar (usually the lower right corner of your screen).
  2. Press the right mouse button and select OfficeScan Main to get the OfficeScan client window.
  3. Select the Log Report tab. Make sure View virus logs is checked and that the appropriate date range is selected.
  4. Press View Logs to review the information about the action taken by OfficeScan to deal with the malware threat.

The Log Maintenance section of the Log Report tab also indicates how long log entries are retained before OfficeScan deletes them. SIRT recommends setting this value to the maximum allowed of 15 days, which can be done by selecting the Options button.

[Image: OfficeScan window that contains the Options button]

The log information is also copied to your OfficeScan server, but those log entries are likewise only retained for a short period of time. For example, the central OfficeScan servers only retain log records for 90 days. Again, it is important that you act quickly to record the name of the quarantined file from the pop-up window warning from Trend Micro or from your local log file before it is deleted. However, if you do need to see an entry from the server logs, contact your IT support person or the IT Help Desk. The server logs can be searched using the name of your computer, its IP address, or its MAC address.
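The following is an added example, not part of the original K-State page and not Trend Micro's own tooling, showing how an IT support person might triage a detection export against the retention windows above: search by computer name, IP address or MAC address (normalizing the different ways a MAC can be written), then report which copies of the evidence (quarantined file, local log entry, server log entry) can still be expected to exist. The CSV column layout and the sample records are constructed for this example and are an assumption, not the real OfficeScan log format; the 30-day, 15-day and 90-day windows are the central-server values stated on this page, and departmental servers may be configured differently.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Retention windows quoted on the page for the central OfficeScan servers.
QUARANTINE_RETENTION = timedelta(days=30)   # quarantined file kept on the server
CLIENT_LOG_RETENTION = timedelta(days=15)   # maximum local log retention
SERVER_LOG_RETENTION = timedelta(days=90)   # server-side log records

# Constructed sample export. This column layout is an assumption made for the
# example and is NOT Trend Micro's real log format.
SAMPLE_EXPORT = """\
detected,hostname,ip,mac,original_path,action
2024-03-01 09:14:22,LAB-PC-07,10.130.4.21,00:1A:2B:3C:4D:5E,C:\\Users\\jdoe\\Downloads\\invoice.exe,quarantined
2024-03-20 16:02:05,LAB-PC-07,10.130.4.21,00:1A:2B:3C:4D:5E,C:\\Temp\\setup.tmp,cleaned
2024-01-05 11:45:00,ACCT-WS-12,10.130.7.9,00-1A-2B-99-88-77,C:\\Users\\asmith\\report.doc,quarantined
2024-03-28 08:30:10,ACCT-WS-12,10.130.7.9,00-1A-2B-99-88-77,C:\\Users\\asmith\\macro.xlsm,quarantined
"""


def normalize_mac(mac):
    """Canonical lowercase colon form so 00-1A-2B-... and 00:1a:2b:... compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Detection:
    detected: datetime
    hostname: str
    ip: str
    mac: str
    original_path: str
    action: str


def parse_export(text):
    """Parse the constructed CSV export into Detection records with normalized identifiers."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append(Detection(
            detected=datetime.strptime(row["detected"], "%Y-%m-%d %H:%M:%S"),
            hostname=row["hostname"].upper(),
            ip=str(ipaddress.ip_address(row["ip"])),
            mac=normalize_mac(row["mac"]),
            original_path=row["original_path"],
            action=row["action"],
        ))
    return records


def find_detections(records, identifier):
    """Match records by IP address, MAC address or computer name, whichever the caller supplied."""
    ident = identifier.strip()
    try:                                     # 1) is it an IP address?
        wanted_ip = str(ipaddress.ip_address(ident))
        return [r for r in records if r.ip == wanted_ip]
    except ValueError:
        pass
    try:                                     # 2) is it a MAC address in any common notation?
        wanted_mac = normalize_mac(ident)
        return [r for r in records if r.mac == wanted_mac]
    except ValueError:
        pass
    return [r for r in records if r.hostname == ident.upper()]  # 3) treat as computer name


def retention_status(record, now):
    """Which copies of the evidence are still expected to exist at time `now`."""
    age = now - record.detected
    return {
        # Only a quarantined (not cleaned) file has a copy on the server to recover.
        "quarantined_file": record.action == "quarantined" and age <= QUARANTINE_RETENTION,
        "client_log": age <= CLIENT_LOG_RETENTION,
        "server_log": age <= SERVER_LOG_RETENTION,
    }


def triage(export_text, identifier, now_str):
    """Search the export by identifier and report retention for each hit, oldest first as exported."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    return [(r.original_path, r.action, retention_status(r, now))
            for r in find_detections(parse_export(export_text), identifier)]


if __name__ == "__main__":
    for path, action, status in triage(SAMPLE_EXPORT, "00-1a-2b-99-88-77", "2024-04-01 12:00:00"):
        still = ", ".join(k for k, v in status.items() if v) or "nothing"
        print(f"{path} ({action}): still available -> {still}")
```

The search order matters: an IP address is tried first, then a MAC, and only then is the identifier treated as a computer name, so a lookup like "10.130.4.21" never falls through to a hostname comparison. The retention report is what tells the support person whether the owner can still be pointed at a recoverable quarantined copy or must go to backups, which is the page's main advice.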

Keep in mind that Trend Micro only records events in the log file when it finds malware on your computer. If you view the virus log and find it empty, that does not mean Trend Micro is not working properly. It just means you are following good security practices by keeping your computer patched and not clicking on suspicious e-mail attachments or visiting malicious websites.

Files stored on a server

The process described above explains what happens when Trend Micro OfficeScan software finds malware on your desktop or laptop workstation. However, it is best from a security perspective to store important files on a supported server rather than your workstation. What happens, then, when a file stored on a server gets infected?

First of all, it is relatively rare for a file stored on a server to get infected. The vast majority of the files on a file server are actually created on, or otherwise pass through, a personal workstation before they are stored on the server, so the antivirus software running on the workstation normally catches the malware before the file ever makes it to the server.

K-State's experience with Trend Micro software confirms this -- the number of malware instances detected on workstations is an order of magnitude higher than the number detected on servers.

Nonetheless, an infected file does occasionally find its way onto a server, so K-State servers are required to run antivirus software just like the workstations. The Trend Micro security software for servers running Microsoft Windows, Novell NetWare, or Linux is called ServerProtect. It functions much like OfficeScan in that it detects and cleans or quarantines malware in real time before it ever reaches the hard drives, or catches it during a scheduled or manual scan.

Who gets notified when a server file is infected?

When ServerProtect detects malware, it logs the event and notifies the system administrator responsible for managing the antivirus software on the server, who is normally not the owner of the infected file. It is therefore critical that system administrators pay attention to the notifications and monitor the log files to determine if the owner of an infected file needs to be notified.

It should be standard procedure to notify the owner any time a file on a server is quarantined or otherwise made unavailable by the server's security software, since this is the only way the owner will know what happened to their file. Furthermore, the owner should be notified immediately so they have an opportunity to recover the file from backups that may only be retained for a short period of time. This once again underscores the importance of making sure your files are regularly and reliably backed up.