
Antivirus Components

Virus Patterns

The virus pattern available on a client computer depends on the scan method the client is using. For information about scan methods, see Scan Methods.

Conventional Scan

The pattern used during conventional scan, called Virus Pattern, contains information that helps OfficeScan identify the latest virus/malware and Mixed Threat Attack. Trend Micro creates and releases new versions of the Virus Pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.

Download the Virus Pattern and other OfficeScan pattern files from the following Web site, where you can also find the current version, release date, and a list of all the new virus definitions included in the file:

http://www.trendmicro.com/download/pattern.asp

Smart Scan

When in smart scan mode, OfficeScan clients use two lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns.

A Smart Scan Server hosts the Smart Scan Pattern. This pattern is updated hourly and contains the majority of the pattern definitions. Smart scan clients do not download this pattern. Clients verify potential threats against the pattern by sending scan queries to the Smart Scan Server.

The client update source (OfficeScan server or Customized Update Source) hosts the Smart Scan Agent Pattern. This pattern is updated daily and contains all the other pattern definitions not found in the Smart Scan Pattern. Clients download this pattern from the update source using the same methods used for downloading other OfficeScan components.

The OfficeScan client, using the Smart Scan Agent Pattern and advanced filtering technology, can verify whether a file is infected without sending scan queries to the Smart Scan Server. The client only sends scan queries if it cannot determine the risk of the file during scanning. A client that cannot verify a file’s risk locally and is unable to connect to a Smart Scan Server after several attempts:

When connection to a Smart Scan Server is restored, all the files that have been flagged are re-scanned. The appropriate scan action is then performed on files that have been confirmed as infected.

Virus Scan Engine

At the heart of all Trend Micro products lies the scan engine, which was originally developed in response to early file-based computer viruses. The scan engine today is exceptionally sophisticated and capable of detecting different types of Viruses and Malware. The scan engine also detects controlled viruses that are developed and used for research.

Rather than scanning every byte of every file, the engine and pattern file work together to identify the following:

OfficeScan removes virus/malware upon detection and restores the integrity of the file.

Updating the Scan Engine

By storing the most time-sensitive virus/malware information in the virus patterns, Trend Micro minimizes the number of scan engine updates while keeping protection up-to-date. Nevertheless, Trend Micro periodically makes new scan engine versions available. Trend Micro releases new engines under the following circumstances:

Virus Scan Driver

The Virus Scan Driver monitors user operations on files. Operations include opening or closing a file, and executing an application. There are three versions of this driver. One version is for Windows 2000 and its name is TmFilter.sys. The other two versions, TmXPFlt.sys and TmPreFlt.sys, are for operating systems other than Windows 2000. TmXPFlt.sys is used for real-time configuration of the Virus Scan Engine and TmPreFlt.sys for monitoring user operations.

IntelliTrap Pattern

The IntelliTrap Pattern detects real-time compression files packed as executable files.

IntelliTrap Exception Pattern

The IntelliTrap Exception Pattern contains a list of "approved" compression files.
