IntelliTrap is a Trend Micro heuristic technology used to discover threats that use real-time compression combined with other malware characteristics, such as packers. This covers virus/malware, worms, trojans, backdoors and bots. Virus writers often attempt to circumvent virus/malware filtering by using different file compression schemes. IntelliTrap is a real-time, rule-based, and pattern recognition scan engine technology that detects and removes known virus/malware in files compressed up to six layers deep using any of 16 popular compression types.

Note:

IntelliTrap uses the same scan engine as virus scanning. As a result, the file handling and scanning rules for IntelliTrap are the same as administrator-defined rules for virus scanning.

Agents write bot and other malware detections to the IntelliTrap log. You can export the contents of the IntelliTrap log for inclusion in reports.

IntelliTrap uses the following components when checking for bots and other malicious programs:

  • Virus Scan Engine

  • IntelliTrap Pattern

  • IntelliTrap Exception Pattern

True File Type

When set to scan the “true file type”, the scan engine examines the file header, rather than the file name, to ascertain the actual file type. For example, if the scan engine is set to scan all executable files and it encounters a file named “family.gif”, it does not assume the file is a graphic file. Instead, the scan engine opens the file header and examines the internally registered data type to determine whether the file is indeed a graphic file or an executable that someone named to avoid detection.

True file type scanning works in conjunction with IntelliScan to scan only those file types known to be potentially dangerous. These technologies can reduce, by as much as two-thirds, the number of files the scan engine examines; this file-scanning reduction also creates some risk that a harmful file might be allowed onto the network.

For example, .gif files make up a large volume of all web traffic, but they are unlikely to harbor viruses/malware, launch executable code, or carry out any known or theoretical exploits. However, this does not mean they are entirely safe. It is possible for a malicious hacker to give a harmful file a “safe” file name to smuggle it past the scan engine and onto the network. This file could cause damage if someone renamed it and ran it.
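The following is an added illustration, not Trend Micro code, of the two ideas described on this page: checking the true file type from the file header rather than the file name (the “family.gif” case above), and peeling nested compression layers up to a fixed depth before looking at the payload, as IntelliTrap is described as doing for up to six layers. The signature table, the extension map, the depth limit, and the use of only gzip and ZIP as stand-ins for the 16 compression types are assumptions of this example; the sample files are constructed inline.

```python
import gzip
import io
import zipfile

# Assumed, minimal header-signature table: (offset, magic bytes, label).
# A real scan engine recognizes far more formats; this is enough to show the idea.
SIGNATURES = [
    (0, b"MZ", "executable (PE/DOS)"),
    (0, b"\x7fELF", "executable (ELF)"),
    (0, b"GIF87a", "image (GIF)"),
    (0, b"GIF89a", "image (GIF)"),
    (0, b"\x89PNG\r\n\x1a\n", "image (PNG)"),
    (0, b"%PDF-", "document (PDF)"),
    (0, b"PK\x03\x04", "archive (ZIP)"),
    (0, b"\x1f\x8b", "archive (gzip)"),
]
ARCHIVE_TYPES = {"archive (ZIP)", "archive (gzip)"}

# Assumed map from file extension to the type the name *claims* to be.
EXTENSION_TYPES = {
    "gif": "image (GIF)", "png": "image (PNG)", "pdf": "document (PDF)",
    "exe": "executable (PE/DOS)", "dll": "executable (PE/DOS)",
    "zip": "archive (ZIP)", "gz": "archive (gzip)",
}


def true_file_type(data: bytes) -> str:
    """Identify the type from the file header, ignoring the file name entirely."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def claimed_file_type(filename: str) -> str:
    """The type the extension claims, or 'unknown' if the extension is unmapped."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_TYPES.get(ext, "unknown")


def unpack_layers(data: bytes, max_depth: int = 6):
    """Open nested gzip/ZIP layers until a non-archive payload is reached.

    Returns (layers_opened, innermost_bytes, depth_exceeded). If the limit is
    hit while the payload is still an archive, depth_exceeded is True; a
    scanner should treat that as unscanned rather than clean.
    """
    layers = []
    while True:
        kind = true_file_type(data)
        if kind not in ARCHIVE_TYPES:
            return layers, data, False
        if len(layers) >= max_depth:
            return layers, data, True
        if kind == "archive (gzip)":
            data = gzip.decompress(data)
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if not names:
                    return layers, data, False
                data = zf.read(names[0])  # first member only, for this example
        layers.append(kind)


def scan(filename: str, data: bytes, max_depth: int = 6) -> dict:
    """Combine both checks into one verdict record for a single file."""
    outer_type = true_file_type(data)
    claimed = claimed_file_type(filename)
    layers, payload, exceeded = unpack_layers(data, max_depth)
    return {
        "claimed": claimed,
        "outer_type": outer_type,
        # Only flag when the name makes a definite claim that the header contradicts.
        "name_mismatch": claimed != "unknown" and claimed != outer_type,
        "layers": layers,
        "true_type": true_file_type(payload),
        "depth_exceeded": exceeded,
    }


# Helpers to build constructed, nested sample files.
def gzip_wrap(data: bytes) -> bytes:
    return gzip.compress(data)


def zip_wrap(data: bytes, name: str = "payload.bin") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a PE-style header renamed to look like an image, and a real GIF header.
FAKE_GIF = b"MZ\x90\x00" + b"\x00" * 60
REAL_GIF = b"GIF89a" + b"\x00" * 20

if __name__ == "__main__":
    print(scan("family.gif", FAKE_GIF))                   # name_mismatch True, true_type executable
    print(scan("family.gif", REAL_GIF))                   # name_mismatch False
    print(scan("update.gz", gzip_wrap(zip_wrap(FAKE_GIF))))  # two layers, executable inside
```

The `depth_exceeded` flag is the important edge case: a file still compressed after the limit has not been inspected, so a policy that treats it as clean would reintroduce exactly the evasion that layered compression is meant to achieve.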

Tip:

For the highest level of security, Trend Micro recommends scanning all files.