
Kansas State University

IT Help Desk
Kansas State University
214 Hale Library
Manhattan, KS 66506
785-532-7722
800-865-6143 (toll-free)
helpdesk@k-state.edu

Trend Micro Warnings: How to respond

There are a variety of reasons why you may see a pop-up from Trend Micro during everyday computer use. The most common of them are the discovery of a "bad" website or the discovery of a piece of malicious software. Here we'll talk about what you can do if you get one of these notifications from Trend Micro.

"Bad" Websites

As part of the Trend Micro package you are protected from websites that are believed to be malicious or those that are simply not confirmed to be "good." The software is designed to keep users away from websites that may automatically infect them with a virus or sites that ask for personal information like passwords and social security numbers.

Unfortunately, this process sometimes blocks perfectly safe sites that should not be blocked. You can help to cut down on these false positives by reporting them directly to Trend Micro. Simply go to the Trend Micro Web Reputation Query - Online System and enter the website in the provided form.

If you need access to a blocked site sooner than that, contact your departmental security contact.

Malware Discovered

Trend Micro's quarantine process

When Trend Micro security software finds malware on your computer that it cannot repair, it removes the malicious file from your computer to eliminate the danger and "quarantines" it on your departmental, college, or central OfficeScan management server. When this happens, Trend Micro alerts you with a pop-up window on your computer similar to this:

[Image: OfficeScan pop-up warning window]

It is very important that you pay attention to this alert because the information about the action taken, as well as the quarantined file itself, are only retained for a relatively short period of time, depending on how your antivirus administrator configured your OfficeScan client and server. For example, the central OfficeScan servers only retain quarantined files for 30 days.

Keep in mind that files quarantined by Trend Micro are almost always malicious code -- and not Word documents, Excel spreadsheets, or other useful documents. In the rare instance that a Word or Excel file is infected with malware, Trend Micro typically repairs the file and leaves the clean file intact on your computer. It is extremely rare that a useful file will get quarantined.

Also, Trend Micro quarantining a file on your computer will be a very rare event. The most effective way of protecting your computer is to follow Basic IT security practices.

When a file is quarantined, it is moved to the server, renamed with a cryptic file name, and encrypted to render it benign. The new file name bears no resemblance to the original file name on your computer, so you have to use the information in the pop-up window shown above, or the log files described below, to identify the file and determine whether it is something you need to recover.

  1. You should not count on recovering the file from the quarantine, because the fact that it was quarantined normally means Trend Micro could not repair the file to remove the malicious code. If you put the file back on your computer, it would just get quarantined again.
  2. You will need to recover the file from your backups, which underscores the importance of backing up your data regularly (see the Nov. 21 security tip).

Log files

When Trend Micro detects malware, it records its action in a log file that you can view for up to 15 days after the event. To view the log file:

  1. Move your mouse pointer to the blue OfficeScan symbol in the system-tray section of your taskbar (the lower right corner of your screen in Windows, the upper right corner in Mac OS X).
  2. Right-click and select OfficeScan Console on the drop-down menu to open the OfficeScan client window.
  3. Select the Logs tab. Make sure Virus/Malware Logs is selected at the top and that the appropriate date range is selected.
  4. Press View Logs to review the information about the action taken by OfficeScan to deal with the malware threat.

The Log Maintenance section of the Logs tab also indicates how long log entries are retained before OfficeScan deletes them. SIRT recommends setting this value to the maximum allowed of 15 days, which can be done by selecting the Options button.

[Image: OfficeScan window that contains the Options button]

The log information is also copied to your OfficeScan server, but those log entries are likewise only retained for a short period of time. For example, the central OfficeScan servers only retain log records for 90 days. Again, it is important that you act quickly to record the name of the quarantined file from the Trend Micro pop-up warning window or from your local log file before the entry is deleted. If you do need to see an entry from the server logs, contact your IT support person or the IT Help Desk. The server logs can be searched using the name of your computer, its IP address, or its MAC address.

Keep in mind that Trend Micro only records events in the log file when it finds malware on your computer. If you view the virus log and find it empty, that does not mean Trend Micro is not working properly. It just means you are following good security practices by keeping your computer patched and not clicking on suspicious e-mail attachments or visiting malicious websites.

Files stored on a server

The process described above explains what happens when Trend Micro OfficeScan software finds malware on your desktop or laptop workstation. However, it is best from a security perspective to store important files on a supported server rather than your workstation. What happens, then, when a file stored on a server gets infected?

First of all, it is relatively rare for a file stored on a server to get infected. The vast majority of the files on a file server are actually created on, or otherwise pass through, a personal workstation before they are stored on the server, so the antivirus software running on the workstation normally catches the malware before the file ever makes it to the server.

K-State's experience with Trend Micro software confirms this -- the number of malware instances detected on workstations is an order of magnitude higher than the number detected on servers.

Nonetheless, an infected file does occasionally find its way onto a server, so K-State servers are required to run antivirus software just like the workstations. The Trend Micro security software for servers running Microsoft Windows, Novell NetWare, or Linux is called ServerProtect. It functions much like OfficeScan in that it detects and cleans or quarantines malware in real time before it ever reaches the hard drives, or catches it during a scheduled or manual scan.

Who gets notified when a server file is infected?

When ServerProtect detects malware, it logs the event and notifies the system administrator responsible for managing the antivirus software on the server, who is normally not the owner of the infected file. It is therefore critical that system administrators pay attention to the notifications and monitor the log files to determine if the owner of an infected file needs to be notified.

It should be standard procedure to notify the owner any time a file on a server is quarantined or otherwise made unavailable by the server's security software, since this is the only way the owner will know what happened to their file. Furthermore, the owner should be notified immediately so they have an opportunity to recover the file from backups that may only be retained for a short period of time. This once again underscores the importance of making sure your files are regularly and reliably backed up.