Antivirus Components



Virus Scan Engine 32/64-bit

At the heart of all Trend Micro products lies the scan engine, which was originally developed in response to early file-based viruses. The scan engine today is exceptionally sophisticated and capable of detecting different types of viruses and malware. The scan engine also detects controlled viruses that are developed and used for research.

Rather than scanning every byte of every file, the engine and pattern file work together to identify the following:

  • Tell-tale characteristics of the virus code

  • The precise location within a file where the virus resides

Virus Pattern

The Virus Pattern contains information that helps OfficeScan agents identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the Virus Pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.

Virus Scan Driver

The Virus Scan Driver monitors user operations on files. Operations include opening or closing a file, and executing an application. There are two versions for this driver. These are TmXPFlt.sys and TmPreFlt.sys. TmXPFlt.sys is used for real-time configuration of the Virus Scan Engine and TmPreFlt.sys for monitoring user operations.


This component does not display on the console. To check its version, go to <Server installation folder>\PCCSRV\Pccnt\Drv. Right-click the .sys file, select Properties, and go to the Version tab.

Smart Scan Pattern

When in smart scan mode, OfficeScan agents use two lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns.

The Smart Scan Pattern contains majority of the pattern definitions. The Smart Scan Agent Pattern contains all the other pattern definitions not found on the Smart Scan Pattern.

The OfficeScan agent scans for security threats using the Smart Scan Agent Pattern. OfficeScan agents that cannot determine the risk of the file during the scan verify the risk by sending a scan query to the Scan Server, a service hosted on the prod_server_name. The Scan Server verifies the risk using the Smart Scan Pattern. The OfficeScan agent "caches" the scan query result provided by the Scan Server to improve the scan performance.

Smart Scan Agent Pattern

IntelliTrap Pattern

The IntelliTrap Pattern detects real-time compression files packed as executable files.

For details, see IntelliTrap.

IntelliTrap Exception Pattern

The IntelliTrap Exception Pattern contains a list of "approved" compression files.

Memory Inspection Pattern

Real-Time Scan uses the Memory Inspection Pattern to evaluate executable compressed files identified by Behavior Monitoring. Real-Time Scan performs the following actions on executable compressed files:

  1. Creates a mapping file in memory after verifying the process image path.


    The Scan Exclusion list overrides the file scanning.

  2. Sends the process ID to the Advanced Protection Service which then:

    1. Uses the Virus Scan Engine to perform the memory scanning.

    2. Filters the process through global Approved lists for Windows system files, digitally signed files from reputable sources, and Trend Micro-tested files. After verifying that a file is known to be safe, OfficeScan does not perform any action on the file.

  3. After processing the memory scan, the Advanced Protection Service sends the results to Real-Time Scan.

  4. Real-Time Scan then quarantines any detected malware threat and terminates the process.

Contextual Intelligence Engine 32/64-bit

The Contextual Intelligence Engine monitors processes executed by low prevalence files and extracts behavioral features that the Contextual Intelligence Query Handler sends to the Predictive Machine Learning engine for analysis.

Contextual Intelligence Pattern

The Contextual Intelligence Pattern contains a list of "approved" behaviors that are not relevant to any known threats.

Contextual Intelligence Query Handler 32/64-bit

The Contextual Intelligence Query Handler processes the behaviors identified by the Contextual Intelligence Engine and sends the report to the Predictive Machine Learning engine.

Advanced Threat Scan Engine 32/64-bit

The Advanced Threat Scan Engine extracts file features from low prevalence files and sends the the information to the Predictive Machine Learning engine.

Advanced Threat Correlation Pattern

The Advanced Threat Correlation Pattern contains a list of file features that are not relevant to any known threats.