Threat Mitigation

Threat information received from data sources (such as Threat Discovery Appliance and OfficeScan client) prompts Threat Mitigator to issue mitigation tasks to the affected endpoints. Most mitigation tasks are carried out by Threat Management Agent, a program installed on an endpoint and managed by Threat Mitigator.

Threat mitigation tasks include:

Assessment

Threat Mitigator notifies Threat Management Agent to assess the endpoint after receiving a mitigation request from its data source. During assessment, the agent checks specific objects, processes, and network behavior connected to the suspicious activity. The agent then uses the Pattern-free Mitigation Engine and Template to stop suspicious processes and to disable and remove the targeted objects.

Post-assessment Cleanup

If the assessment confirms the presence of threats on the endpoint, Threat Management Agent runs post-assessment cleanup to eliminate them. During cleanup, the agent leverages Trend Micro smart scan technology by using a lightweight pattern called the Smart Scan Agent Pattern, which it downloads from Threat Mitigator. If this pattern cannot determine the risk of a file, the agent sends a scan query to a Smart Scan Server.

A Smart Scan Server hosts the Smart Scan Pattern, which contains signatures not found in the Smart Scan Agent Pattern and checks whether the file is safe to access. A Smart Scan Server downloads the Smart Scan Pattern from the Trend Micro ActiveUpdate server.

Threat Management Agent reports the cleanup results to Threat Mitigator. The results are stored in the threat event logs, which you can view from the product console.

Case Submission

Threat Mitigator integrates with Threat Management Services, a portal through which TrendLabs security experts monitor endpoints that require further mitigation.

When threats are not completely removed from the endpoint after post-assessment cleanup, Threat Management Agent collects information about the threat and the infected endpoint and sends it to Threat Mitigator. A security expert at TrendLabs then informs you about the threat and the infected endpoint and asks you to submit a case so that the threat can be analyzed. TrendLabs then issues a custom pattern through Threat Management Services to eliminate the threat.

Custom Pattern Deployment

Threat Mitigator downloads a custom pattern from Threat Management Services, deploys the pattern to the endpoint, and then notifies Threat Management Agent to run custom cleanup using the custom pattern. The agent reports the cleanup results back to Threat Mitigator.
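The cleanup, case submission, and custom pattern sections above describe a tiered workflow: a lightweight local pattern answers what it can, unknown files are sent to a server holding the fuller pattern, cleanup results go to an event log, and anything the standard cleanup cannot remove is escalated so that a custom pattern can finish the job. The following Python model is an added illustration written for this page; it is not Trend Micro code and does not use any Threat Mitigator API. The file contents, the hash-keyed patterns, the `locked_files` set standing in for threats that resist normal cleanup, and the idea of building the custom pattern from the submitted case hashes are all constructed assumptions.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    SAFE = "safe"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files found on the endpoint (name -> contents).
SAMPLE_FILES = {
    "notepad.exe": b"benign program bytes",
    "dropper.tmp": b"malicious payload bytes",
    "oddball.dll": b"never seen before",
    "stubborn.sys": b"persistent driver bytes",
}

# Lightweight local pattern, an analogue of the Smart Scan Agent Pattern (constructed).
AGENT_PATTERN = {sha256(SAMPLE_FILES["dropper.tmp"]): Verdict.MALICIOUS}

# Server-side pattern: a superset holding signatures the agent pattern lacks (constructed).
SERVER_PATTERN = dict(AGENT_PATTERN)
SERVER_PATTERN[sha256(SAMPLE_FILES["notepad.exe"])] = Verdict.SAFE
SERVER_PATTERN[sha256(SAMPLE_FILES["stubborn.sys"])] = Verdict.MALICIOUS


class SmartScanServer:
    """Stand-in for a Smart Scan Server: answers hash queries from the fuller pattern."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.queries = 0  # counts round trips so the test can check the local-first behavior

    def query(self, digest: str) -> Verdict:
        self.queries += 1
        return self.pattern.get(digest, Verdict.UNKNOWN)


class ThreatManagementAgent:
    """Stand-in for Threat Management Agent: local pattern first, server query second."""

    def __init__(self, agent_pattern, server, locked_files=frozenset()):
        self.agent_pattern = agent_pattern
        self.server = server
        self.cache = {}  # server verdicts are cached so a file is queried at most once
        self.locked = set(locked_files)  # constructed: files a normal cleanup cannot remove
        self.event_log = []  # analogue of the threat event logs reported to Threat Mitigator

    def classify(self, digest: str) -> Verdict:
        if digest in self.agent_pattern:
            return self.agent_pattern[digest]
        if digest not in self.cache:
            self.cache[digest] = self.server.query(digest)
        return self.cache[digest]

    def post_assessment_cleanup(self, files):
        """Remove what the patterns flag; report what could not be removed."""
        removed, unresolved = [], []
        for name, data in files.items():
            verdict = self.classify(sha256(data))
            if verdict is Verdict.MALICIOUS and name not in self.locked:
                removed.append(name)
            elif verdict is Verdict.MALICIOUS:
                unresolved.append(name)
            self.event_log.append((name, verdict.value))
        return removed, unresolved

    def collect_case_info(self, files, unresolved):
        """Gather the details that would accompany a case submission."""
        return [{"file": n, "sha256": sha256(files[n])} for n in unresolved]

    def custom_cleanup(self, files, custom_pattern):
        """Custom cleanup: a targeted pattern removes files the standard pass could not."""
        removed = []
        for name, data in files.items():
            if sha256(data) in custom_pattern:
                self.locked.discard(name)
                removed.append(name)
                self.event_log.append((name, "removed_by_custom_pattern"))
        return removed


def run_mitigation(files=SAMPLE_FILES):
    """Drive the whole lifecycle and return a summary of each stage."""
    server = SmartScanServer(SERVER_PATTERN)
    agent = ThreatManagementAgent(AGENT_PATTERN, server, locked_files={"stubborn.sys"})
    removed, unresolved = agent.post_assessment_cleanup(files)
    result = {"removed": removed, "unresolved": unresolved,
              "server_queries": server.queries, "case": None, "custom_removed": []}
    if unresolved:
        case = agent.collect_case_info(files, unresolved)
        result["case"] = case
        # Assumption: the custom pattern targets exactly the hashes submitted in the case.
        custom_pattern = {entry["sha256"] for entry in case}
        result["custom_removed"] = agent.custom_cleanup(files, custom_pattern)
    result["event_log"] = list(agent.event_log)
    return result


if __name__ == "__main__":
    for stage, value in run_mitigation().items():
        print(f"{stage}: {value}")
```

Two details matter when reading the output: the file the local pattern already knows never causes a server round trip, and a file neither pattern recognizes stays `unknown` in the event log rather than being treated as safe, which is the state a practitioner should watch for when reviewing logs in the product console.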