When PortalProtect is set to scan true file types, the scan engine examines the file header rather than the file name to ascertain the actual file type. For example, if the scan engine is set to scan all executable files and it encounters a file named family.gif, the scan continues even though the file extension shows it to be a graphic. During scanning, the scan engine opens the file header and examines the internally registered data type to determine whether the file is indeed a graphic file, or, for example, an executable that someone renamed to avoid detection.

True file type scanning works in conjunction with Trend Micro IntelliScan, to scan only those file types known to pose a danger. These technologies reduce the overall number of files that the scan engine examines—perhaps as much as a two-thirds—but may create a greater risk.

For example, .gif and .jpg files make up a large volume of all Web traffic, but they cannot harbor viruses, launch executable code, or carry out any known or theoretical exploits. Therefore, does this mean they are safe? Not entirely. It is possible for a malicious hacker to give a harmful file a safe file name to smuggle it past the scan engine and onto the network. This file could cause damage if someone renamed it and ran it.