Understanding TruScan proactive threat detections

Article:HOWTO27054  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27054
Article Type: How To

When a TruScan proactive threat scan flags processes as potentially malicious, some of the flagged processes are typically legitimate. Some detections do not provide enough information to be categorized as either a threat or a false positive; these processes are considered "unknown."

A proactive threat scan looks at the behavior of active processes at the time that the scan runs. The scan engine looks for behavior such as opening ports or capturing keystrokes. If a process involves enough of these types of behaviors, the scan flags the process as a potential threat. The scan does not flag the process if the process does not exhibit suspicious behavior during the scan.

By default, proactive threat scans detect the processes that behave like Trojan horses and worms or processes that behave like keyloggers. You can enable or disable these types of detections in an Antivirus and Antispyware Policy.

Note:
Proactive threat scan settings have no effect on antivirus and antispyware scans, which use signatures to detect known risks. The client detects known risks first.

See Specifying the types of processes that TruScan proactive threat scans detect.

The client uses Symantec default settings to determine what action to take on the detected items. If the scan engine determines that the item does not need to be remediated, the client logs the detection. If the scan engine determines that the item should be remediated, the client quarantines the item.

Note:
The Scan for trojans and worms and the Scan for keyloggers options are currently not supported on Windows server operating systems or 64-bit Windows XP Professional. The Scan for keyloggers option is also not supported on Windows 7. You can modify the options in the Antivirus and Antispyware Policy for the clients that run on server operating systems, but the scans do not run. In the client user interface on server operating systems, the scanning options appear unavailable. If you enable the scanning options in the policy, the options are checked and unavailable.

Symantec default settings are also used to determine the sensitivity of the proactive threat scan. When the sensitivity level is higher, more processes are flagged; when it is lower, fewer processes are flagged. The sensitivity level does not indicate the level of certainty about a detection, and it does not affect the rate of false positive detections. The higher the sensitivity level, the more false positives and true positives the scan detects.

You should use the Symantec default settings to help minimize the number of false positives that you detect.

You can disable the Symantec-defined default settings. When you disable the Symantec default settings, you can configure actions and the sensitivity level for the detection of Trojan horses, worms, or keyloggers. In the client user interface, the default settings that appear do not reflect the Symantec default settings. They reflect the default settings that are used when you manually manage detections.

For commercial applications, you can specify the action that the client takes when a proactive threat scan makes a detection. You can specify separate actions for the detection of a commercial keylogger and the detection of a commercial remote control application.

See Specifying the actions and sensitivity levels for detecting Trojan horses, worms, and keyloggers.

See Specifying actions for commercial application detections.

Note:
Users on client computers can modify the proactive threat scan settings if the settings are unlocked in the Antivirus and Antispyware Policy. On the client computer, the TruScan proactive threat scan settings appear under Proactive Threat Protection.


Legacy ID: 349412