Default Real-Time Scan Settings

(imported topic written by pmiller23)

OK, I have configured the “Run Scheduled Scan” correctly as I see my logs being updated, also within the BigFix client dashboard I see the “Last On-demand Scan” timestamp change. But I do not see my “Last RealTime Scan” being updated on a regular basis – the timestamp shown in the BigFix client dashboard is the time that CPM was installed.

The reason that I think I have an issue with Real-Time Scan is that I know that I have a system that is infected and yet the logs show nothing unless I do an on-demand scan.

I am assuming that I made a configuration error when creating the action. There are no constraints and under the behavior section I have set:

On failure, retry 99 times – waiting 15mins between attempts

Reapply on action – do I need to reapply while relevant? Even though the settings never change?

Here is a copy of my Real-Time Settings:

```
delete realtime.ini
delete "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"

createfile until __DONE
[Real Time Scan Configuration]
Enable = 1
ScanIncoming = 1
ScanOutgoing = 1
ScanAllFiles = 1
IntelliScan = 1
ExtList =
ScanShutdown = 0
ScanNetwork = 0
ScanCompressed = 1
CompressedLayer = 2
IntelliTrap = 1
EnableExclusion = 1
ActiveAction = 0
EnableUniAct = 1
CustAction = Universe-5-2,Joke-2-2,Trojan-2-2,Virus-5-2,Test_Virus-2-1,Spyware-4-2,Packer-2-1,Generic-25-1,Other-5-2
BkUpIfClean = 0
MoveDir = {value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string}\Quarantine
CleanFailedMoveDir = {value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string}\Quarantine

[Spyware Real Time Scan Configuration]
Enable = 1
ActionType = 1

[Real Time Scan Configuration Ex]
ExcludeTrendProduct = 1
ExcludedFolder = C:\Program Files\BigFix Enterprise{(concatenation "|" of ("" ; (if (exists regapp "besclient.exe") then (pathname of parent folder of regapp "besclient.exe" as string) else nothing) ; (if (exists regapp "besrelay.exe") then (pathname of parent folder of regapp "besrelay.exe" as string) else nothing) ; (if (exists value "EnterpriseServerFolder" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server" of registry) then (value "EnterpriseServerFolder" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server" of registry as string) else nothing)))}
ExcludedFile =
ExcludedExt =
__DONE

copy __createfile "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"

waithidden "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\TMCPMCLI.exe" CONFIG -i "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM]" "SetCPMRealTimeSettingsActionID"="{id of active action}"
```

Thank you,

Patrick

(imported comment written by jessewk)

Hi Patrick,

The “Last Real Time Scan” property is poorly named. It really means the most recent time a virus was detected by the real-time scanner. I’ll file a bug to rename the property.

The reason you are not seeing the real time property update even though a virus is detected by the on-demand scanner is most likely that the virus already existed on the machine prior to activation of real-time scanning. Real-time scanning will only scan files as they are read/written from/to disk. In this case the infected file is not being opened or written so the real-time engine won't catch it.

This is why we recommend periodically running on-demand scans to remove any resident viruses. You should also activate real-time scanning to protect your machines from initial infection and from accessing infected files.

Regards,

Jesse
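The behaviour Jesse describes (the real-time engine only sees files at read/write time, so a file that was already resident before activation is found only by an on-demand sweep, and the "Last RealTime Scan" value records the last real-time detection rather than a scan run) can be checked against a small model. This is an added example, not BigFix or Trend Micro code; the detection marker, the file paths, the file contents and the timestamps are all constructed for the demonstration, and the two timestamp fields are named after the dashboard properties in the thread.

```python
"""Toy model of on-access (real-time) versus on-demand scanning.

Added example; not BigFix/CPM code. The marker, paths, contents and
timestamps below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed detection marker: a file whose content contains it is "infected".
MARKER = "CONSTRUCTED-INFECTED-MARKER"


@dataclass
class Endpoint:
    """Files on disk plus the two dashboard timestamps the thread talks about."""
    files: Dict[str, str] = field(default_factory=dict)
    realtime_enabled: bool = False
    # What "Last RealTime Scan" really records: the last real-time *detection*.
    last_realtime_detection: Optional[int] = None
    # Updated every time an on-demand sweep runs, detection or not.
    last_ondemand_scan: Optional[int] = None
    quarantine: List[str] = field(default_factory=list)

    def _scan_one(self, path: str) -> bool:
        """Scan a single file; quarantine it if the marker is present."""
        if MARKER in self.files.get(path, ""):
            self.quarantine.append(path)
            del self.files[path]
            return True
        return False

    def enable_realtime(self) -> None:
        """Activate the real-time engine; nothing already on disk is scanned."""
        self.realtime_enabled = True

    def write_file(self, path: str, content: str, now: int) -> bool:
        """Outgoing (written) files are checked only while real-time is enabled."""
        self.files[path] = content
        if self.realtime_enabled and self._scan_one(path):
            self.last_realtime_detection = now
            return True
        return False

    def open_file(self, path: str, now: int) -> bool:
        """Incoming (read) files are checked only while real-time is enabled."""
        if self.realtime_enabled and self._scan_one(path):
            self.last_realtime_detection = now
            return True
        return False

    def on_demand_scan(self, now: int) -> int:
        """Sweep every resident file regardless of whether anything touched it."""
        self.last_ondemand_scan = now
        return sum(self._scan_one(p) for p in list(self.files))


def run_scenario() -> dict:
    """Replay the situation from the thread and return the observable state."""
    ep = Endpoint()
    # Constructed files: one infected before real-time protection existed.
    ep.write_file("C:/Users/p/old_dropper.exe", MARKER, now=100)
    ep.write_file("C:/Users/p/notes.txt", "clean text", now=101)
    ep.enable_realtime()                                  # "CPM installed" at t=200
    ep.open_file("C:/Users/p/notes.txt", now=300)         # clean file touched: no detection
    rt_before_sweep = ep.last_realtime_detection          # still None: resident file never opened
    caught_by_sweep = ep.on_demand_scan(now=400)          # the scheduled scan finds it
    # A new infected file arriving after activation is caught on write.
    rt_hit_new_file = ep.write_file("C:/Users/p/new_dropper.exe", MARKER, now=500)
    return {
        "realtime_detection_before_sweep": rt_before_sweep,
        "caught_by_on_demand": caught_by_sweep,
        "last_ondemand_scan": ep.last_ondemand_scan,
        "realtime_caught_new_file": rt_hit_new_file,
        "last_realtime_detection": ep.last_realtime_detection,
        "quarantined": sorted(ep.quarantine),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model mirrors the advice in the reply: keep the scheduled on-demand scan for anything already resident, and keep real-time enabled so files written or opened after activation are caught as they move, which is also the only event that updates the real-time timestamp.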