Real-Time Scan uses the Memory Inspection Pattern to evaluate executable compressed files identified by Behavior Monitoring. Real-Time Scan performs the following actions on executable compressed files:
Creates a mapping file in memory after verifying the process image path.
The Scan Exclusion list overrides the file scanning.
Sends the process ID to the Advanced Protection Service which then:
Uses the Virus Scan Engine to perform the memory scanning.
Filters the process through global Approved lists for Windows system files, digitally signed files from reputable sources, and Trend Micro-tested files. After verifying that a file is known to be safe, OfficeScan does not perform any action on the file.
After processing the memory scan, the Advanced Protection Service sends the results to Real-Time Scan.
Real-Time Scan then quarantines any detected malware threat and terminates the process.