Memory Inspection Pattern

Real-Time Scan uses the Memory Inspection Pattern to evaluate executable compressed files identified by Behavior Monitoring. Real-Time Scan performs the following actions on executable compressed files:

  1. Creates a mapping file in memory after verifying the process image path.

    Note:

    The Scan Exclusion list overrides the file scanning.

  2. Sends the process ID to the Advanced Protection Service which then:

    1. Uses the Virus Scan Engine to perform the memory scanning.

    2. Filters the process through global Approved lists for Windows system files, digitally signed files from reputable sources, and Trend Micro-tested files. After verifying that a file is known to be safe, OfficeScan does not perform any action on the file.

  3. After processing the memory scan, the Advanced Protection Service sends the results to Real-Time Scan.

  4. Real-Time Scan then quarantines any detected malware threat and terminates the process.