Antivirus Components
The virus pattern available on a client computer depends on the scan method the client is using. For information about scan methods, see Scan Methods.
Conventional Scan
The pattern used during conventional scan, called Virus Pattern, contains information that helps OfficeScan identify the latest virus/malware and Mixed Threat Attack. Trend Micro creates and releases new versions of the Virus Pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.
Trend Micro recommends scheduling automatic updates at least hourly, which is the default setting for all shipped products.
Download the Virus Pattern and other OfficeScan pattern files from the following Web site, where you can also find the current version, release date, and a list of all the new virus definitions included in the file:
http://www.trendmicro.com/download/pattern.asp
Smart Scan
When in smart scan mode, OfficeScan clients use two lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns.
A Smart Protection Server hosts the Smart Scan Pattern. This pattern is updated hourly and contains the majority of the pattern definitions. Smart scan clients do not download this pattern. Clients verify potential threats against the pattern by sending scan queries to the Smart Protection Server.
The client update source (OfficeScan server or Customized Update Source) hosts the Smart Scan Agent Pattern. This pattern is updated daily and contains all the other pattern definitions not found on the Smart Scan Pattern. Clients download this pattern from the update source using the same methods for downloading other OfficeScan components.
The OfficeScan client, using the Smart Scan Agent Pattern and advanced filtering technology, can verify whether a file is infected without sending scan queries to the Smart Protection Server. The client only sends scan queries if it cannot determine the risk of the file during scanning. A client that cannot verify a file’s risk locally and is unable to connect to a Smart Protection Server after several attempts:
Flags the file for verification
Temporarily allows access to the file
When connection to a Smart Protection Server is restored, all the files that have been flagged are re-scanned. The appropriate scan action is then performed on files that have been confirmed as infected.
At the heart of all Trend Micro products lies the scan engine, which was originally developed in response to early file-based computer viruses. The scan engine today is exceptionally sophisticated and capable of detecting different types of viruses and malware. The scan engine also detects controlled viruses that are developed and used for research.
Rather than scanning every byte of every file, the engine and pattern file work together to identify the following:
Tell-tale characteristics of the virus code
The precise location within a file where the virus resides
OfficeScan removes virus/malware upon detection and restores the integrity of the file.
Updating the Scan Engine
By storing the most time-sensitive virus/malware information in the virus patterns, Trend Micro minimizes the number of scan engine updates while keeping protection up-to-date. Nevertheless, Trend Micro periodically makes new scan engine versions available. Trend Micro releases new engines under the following circumstances:
Incorporation of new scanning and detection technologies into the software
Discovery of a new, potentially harmful virus/malware that the scan engine cannot handle
Enhancement of the scanning performance
Addition of file formats, scripting languages, encoding, and/or compression formats
The Virus Scan Driver monitors user operations on files. Operations include opening or closing a file, and executing an application. There are two versions of this driver: TmXPFlt.sys and TmPreFlt.sys. TmXPFlt.sys is used for real-time configuration of the Virus Scan Engine and TmPreFlt.sys for monitoring user operations.
This component does not display on the console. To check its version, navigate to <Server installation folder>\PCCSRV\Pccnt\Drv. Right-click the .sys file, select Properties, and go to the Version tab.
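A scripted equivalent of the version check above, as an added example that is not part of the original documentation. The function name Get-VirusScanDriverVersion and its parameter are hypothetical, the installation folder must be supplied by the caller, and the Authenticode signature column is an extra check beyond the documented procedure.

```powershell
# Added example, not Trend Micro code: report the file version of the two
# Virus Scan Driver files named on this page without opening Properties.
function Get-VirusScanDriverVersion {
    [CmdletBinding()]
    param(
        # Assumption: the caller passes the actual <Server installation folder>.
        [Parameter(Mandatory = $true)]
        [string]$ServerInstallFolder
    )

    $drvFolder = Join-Path $ServerInstallFolder 'PCCSRV\Pccnt\Drv'
    if (-not (Test-Path -LiteralPath $drvFolder -PathType Container)) {
        throw "Driver folder not found: $drvFolder"
    }

    foreach ($name in 'TmXPFlt.sys', 'TmPreFlt.sys') {
        $path = Join-Path $drvFolder $name

        # Report a missing driver explicitly instead of skipping it silently.
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{
                Driver        = $name
                Present       = $false
                FileVersion   = $null
                LastWriteTime = $null
                Signature     = $null
            }
            continue
        }

        $file = Get-Item -LiteralPath $path
        # Extra check (not in the documented procedure): signature status,
        # so a replaced or tampered driver file stands out in the report.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        [pscustomobject]@{
            Driver        = $name
            Present       = $true
            FileVersion   = $file.VersionInfo.FileVersion  # same value as the Version tab
            LastWriteTime = $file.LastWriteTime
            Signature     = $sig.Status
        }
    }
}

# Usage (replace the placeholder with the real folder):
# Get-VirusScanDriverVersion -ServerInstallFolder '<Server installation folder>' | Format-Table -AutoSize
```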
The IntelliTrap Pattern detects real-time compression files packed as executable files.
The IntelliTrap Exception Pattern contains a list of "approved" compression files.