Available Virus/Malware Scan Actions

Delete

CPM deletes the infected file.

Quarantine

CPM renames and then moves infected files to the following, non-configurable, directory on the client’s computer:

C:\Program Files\Trend Micro\Core Protection Module\Quarantine

If you need to access any of the quarantined files, you can access the directory using system administrator credentials and restore it using the VSEncrpyt tool (see Scan Action Results for Compressed Files).

Clean

CPM cleans the infected file before allowing full access to the file. If the file is uncleanable, CPM performs a second action, which can be one of the following actions: Quarantine (typical), Delete, Rename or Pass.

Rename

CPM changes the infected file's extension to "vir". Users cannot open the renamed file initially, but can do so if they associate the file with a certain application.

Pass

CPM performs no action on the infected file but records the virus/malware detection in the logs. The file stays where it is located.

CPM cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected allows virus/malware to execute. All the other scan actions can be used during Real-time Scan.

For the "probable virus/malware" type, CPM always performs no action on detected files (regardless of the scan type) to mitigate false positives. If further analysis confirms that the probable virus/malware is indeed a security risk, a new pattern will be released to allow CPM to take the appropriate scan action. If actually harmless, the probable virus/malware will no longer be detected.

Deny Access

This scan action can only be performed during Real-time Scan. When CPM detects an attempt to open or execute an infected file, it immediately blocks the operation. Users receive no CPM-specific notification of the action, only a message from the operating system. Users can manually delete the infected file.