To prevent other programs and even the user from modifying or deleting OfficeScan agent files, OfficeScan provides several enhanced protection capabilities.
After enabling Protect files in the OfficeScan agent installation folder, OfficeScan locks the following files in the root <Agent installation folder>:
All digitally-signed files with .exe, .dll, and .sys extensions
Some files without digital signatures, including:
After enabling Protect files in the OfficeScan agent installation folder and Real-time Scan for virus/malware threats, OfficeScan performs the following actions:
File integrity checking before launching .exe files in the installation folder
During ActiveUpdate updates, OfficeScan verifies that the issuer of the file triggering the update is Trend Micro. If the issuer is not recognized as Trend Micro and ActiveUpdate cannot replace the incorrect file, OfficeScan logs the incident in the Windows event logs and blocks the update.
Prevents DLL hijacking
Some malware writers copy dynamic link library files to the OfficeScan agent installation folder or the Behavior Monitoring folder with the purpose of loading these files before the agent loads. These files attempt to disrupt the protection offered by OfficeScan. To prevent the copying of hijacked files to the OfficeScan agent folders, OfficeScan prevents the copying of files to the installation folder and Behavior Monitoring folder.
Prevents the locking of files using the "SHARE:NONE" setting in Windows