Decoding the Trend Micro Components and Protection Model
<blockquote data-quote="Trident" data-source="post: 1092338" data-attributes="member: 99014"><p>Further to the interest in Trend Micro after [USER=92939]@Shadowra[/USER]'s review, this post will be a deep dive into the TM components and protection model, which may not be very well understood by everyone.</p><p></p><p>The components - these are updated on a when-needed basis, independent of the programme version.</p><p>[SPOILER="Components"]</p>
<table style='width: 100%'>
<tr><th>Component</th><th>Distributed To</th><th>Description</th></tr>
<tr><td>Virus Scan Engine 32/64-bit</td><td>OfficeScan agents</td><td>At the heart of all Trend Micro products lies the scan engine, which was originally developed in response to early file-based viruses. The scan engine today is exceptionally sophisticated and capable of detecting different types of viruses and malware. The scan engine also detects controlled viruses that are developed and used for research.<br /> Rather than scanning every byte of every file, the engine and pattern file work together to identify the following:<br /> <ul> <li data-xf-list-type="ul">Tell-tale characteristics of the virus code</li> <li data-xf-list-type="ul">The precise location within a file where the virus resides</li> </ul> </td></tr>
<tr><td>Smart Scan Pattern</td><td>Not distributed to OfficeScan agents. This pattern stays in the OfficeScan server and is used when responding to scan queries received from OfficeScan agents.</td><td>When in smart scan mode, OfficeScan agents use two lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns.<br /> The Smart Scan Pattern contains the majority of the pattern definitions. The Smart Scan Agent Pattern contains all the other pattern definitions not found on the Smart Scan Pattern.<br /> The OfficeScan agent scans for security threats using the Smart Scan Agent Pattern. OfficeScan agents that cannot determine the risk of the file during the scan verify the risk by sending a scan query to the Scan Server, a service hosted on the OfficeScan server. The Scan Server verifies the risk using the Smart Scan Pattern. The OfficeScan agent "caches" the scan query result provided by the Scan Server to improve the scan performance.</td></tr>
<tr><td>Smart Scan Agent Pattern</td><td>OfficeScan agents using smart scan</td><td></td></tr>
<tr><td>Virus Pattern</td><td>OfficeScan agents using conventional scan</td><td>The Virus Pattern contains information that helps OfficeScan agents identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the Virus Pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.</td></tr>
<tr><td>IntelliTrap Exception Pattern</td><td>OfficeScan agents</td><td>The IntelliTrap Exception Pattern contains a list of "approved" compression files.</td></tr>
<tr><td>IntelliTrap Pattern</td><td>OfficeScan agents</td><td>The IntelliTrap Pattern detects real-time compression files packed as executable files.<br /> For details, see <a href="https://docs.trendmicro.com/all/ent/officescan/v12.0/en-us/osce_12.0_agent_olh/IntelliTrap.html#GUID-FCE2D882-C1EC-4048-822A-A6214C8834F2" target="_blank">IntelliTrap</a>.</td></tr>
<tr><td>Memory Inspection Pattern</td><td>OfficeScan agents</td><td>This technology provides enhanced virus scanning for polymorphic and mutation viruses, and augments virus-pattern-based scans by emulating file execution. The results are then analyzed in a controlled environment for evidence of malicious intent with little impact on system performance.</td></tr>
<tr><td>Early Launch Anti-Malware Pattern 32/64-bit</td><td>OfficeScan agents</td><td>OfficeScan supports the Early Launch Anti-Malware (ELAM) feature as part of the Secure Boot standard to provide boot time protection on endpoints. This feature enables OfficeScan agents to detect malware during the operating system boot process.</td></tr>
<tr><td>Contextual Intelligence Engine 32/64-bit</td><td>OfficeScan agents</td><td>The Contextual Intelligence Engine monitors processes executed by low prevalence files and extracts behavioral features that the Contextual Intelligence Query Handler sends to the Predictive Machine Learning engine for analysis.</td></tr>
<tr><td>Contextual Intelligence Pattern</td><td>OfficeScan agents</td><td>The Contextual Intelligence Pattern contains a list of "approved" behaviors that are not relevant to any known threats.</td></tr>
<tr><td>Contextual Intelligence Query Handler 32/64-bit</td><td>OfficeScan agents</td><td>The Contextual Intelligence Query Handler processes the behaviors identified by the Contextual Intelligence Engine and sends the report to the Predictive Machine Learning engine.</td></tr>
<tr><td>Advanced Threat Scan Engine 32/64-bit</td><td>OfficeScan agents</td><td>The Advanced Threat Scan Engine extracts file features from low prevalence files and sends the information to the Predictive Machine Learning engine.</td></tr>
<tr><td>Advanced Threat Correlation Pattern</td><td>OfficeScan agents</td><td>The Advanced Threat Correlation Pattern contains a list of file features that are not relevant to any known threats.</td></tr>
</table>
<h4>Anti-spyware</h4>
<table style='width: 100%'>
<tr><th>Component</th><th>Distributed To</th><th>Description</th></tr>
<tr><td>Spyware/Grayware Scan Engine 32/64-bit</td><td>OfficeScan agents</td><td>The Spyware/Grayware Scan Engine scans for and performs the appropriate scan action on spyware/grayware.</td></tr>
<tr><td>Spyware/Grayware Pattern</td><td>OfficeScan agents</td><td>The Spyware/Grayware Pattern identifies spyware/grayware in files and programs, modules in memory, Windows registry and URL shortcuts.</td></tr>
<tr><td>Spyware Active-monitoring Pattern</td><td>OfficeScan agents using conventional scan</td><td>The Spyware Active-monitoring Pattern is used for real-time spyware/grayware scanning. Only conventional scan agents use this pattern.</td></tr>
</table>
<h4>Damage Cleanup Services</h4>
<table style='width: 100%'>
<tr><th>Component</th><th>Distributed To</th><th>Description</th></tr>
<tr><td>Damage Cleanup Engine 32/64-bit</td><td>OfficeScan agents</td><td>The Damage Cleanup Engine scans for and removes Trojans and Trojan processes.</td></tr>
<tr><td>Damage Cleanup Template</td><td>OfficeScan agents</td><td>The Damage Cleanup Template is used by the Damage Cleanup Engine to identify Trojan files and processes so the engine can eliminate them.</td></tr>
<tr><td>Early Boot Cleanup Driver 32/64-bit</td><td>OfficeScan agents</td><td>The Trend Micro Early Boot Cleanup Driver loads before the operating system drivers, which enables the detection and blocking of boot-type rootkits. After the OfficeScan agent loads, the Trend Micro Early Boot Cleanup Driver calls Damage Cleanup Services to clean the rootkit.</td></tr>
</table>
<h4>Web Reputation</h4>
<table style='width: 100%'>
<tr><th>Component</th><th>Distributed To</th><th>Description</th></tr>
<tr><td>URL Filtering Engine</td><td>OfficeScan agents</td><td>The URL Filtering Engine facilitates communication between OfficeScan and the Trend Micro URL Filtering Service. The URL Filtering Service is a system that rates URLs and provides rating information to OfficeScan.</td></tr>
</table>
<h4>Firewall</h4>
<table style='width: 100%'>
<tr><th>Component</th><th>Distributed To</th><th>Description</th></tr>
<tr><td>Common Firewall Driver 32/64-bit</td><td>OfficeScan agents</td><td>The Common Firewall Driver is used with the Common Firewall Pattern to scan agent endpoints for network viruses. 
This driver supports 32-bit and 64-bit platforms.</td></tr><tr><td>Common Firewall Pattern</td><td>OfficeScan agents</td><td>Like the Virus Pattern, the Common Firewall Pattern helps agents identify virus signatures, unique patterns of bits and bytes that signal the presence of a network virus.</td></tr></table><h4>Behavior Monitoring and Device Control</h4> <table style='width: 100%'><tr><th>Component</th><th>Distributed To</th><th>Description</th></tr><tr><td>Behavior Monitoring Detection Pattern 32/64-bit</td><td>OfficeScan agents</td><td>This pattern contains the rules for detecting suspicious threat behavior.</td></tr><tr><td>Behavior Monitoring Core Driver 32/64-bit</td><td>OfficeScan agents</td><td>This kernel mode driver monitors system events and passes them to the Behavior Monitoring Core Service for policy enforcement.</td></tr><tr><td>Behavior Monitoring Core Service 32/64-bit</td><td>OfficeScan agents</td><td>This user mode service has the following functions:<br /> <ul> <li data-xf-list-type="ul">Provides rootkit detection</li> <li data-xf-list-type="ul">Regulates access to external devices</li> <li data-xf-list-type="ul">Protects files, registry keys, and services</li> </ul> </td></tr><tr><td>Behavior Monitoring Configuration Pattern</td><td>OfficeScan agents</td><td>The Behavior Monitoring Driver uses this pattern to identify normal system events and exclude them from policy enforcement.</td></tr><tr><td>Policy Enforcement Pattern</td><td>OfficeScan agents</td><td>The Behavior Monitoring Core Service checks system events against the policies in this pattern.</td></tr><tr><td>Digital Signature Pattern</td><td>OfficeScan agents</td><td>This pattern contains a list of valid digital signatures that are used by the Behavior Monitoring Core Service to determine whether a program responsible for a system event is safe.</td></tr><tr><td>Memory Scan Trigger Pattern (32/64-bit)</td><td>OfficeScan agents</td><td>The Memory Scan Trigger service executes other 
scan engines when it detects the process in memory is unpacked.</td></tr><tr><td>Program Inspection Monitoring Pattern</td><td>OfficeScan agents</td><td>The Program Inspection Monitoring Pattern monitors and stores inspection points that are used for Behavior Monitoring.</td></tr><tr><td>Damage Recovery Pattern</td><td>OfficeScan agents</td><td>The Damage Recovery Pattern contains policies that are used for monitoring suspicious threat behavior.</td></tr></table><h4>Browser Exploits</h4> <table style='width: 100%'><tr><th>Component</th><th>Distributed To</th><th>Description</th></tr><tr><td>Browser Exploit Prevention Pattern</td><td>OfficeScan agents</td><td>This pattern identifies the latest web browser exploits and prevents the exploits from being used to compromise the web browser.</td></tr><tr><td>Script Analyzer Unified Pattern</td><td>OfficeScan agents</td><td>This pattern analyzes script in web</td></tr></table><p></p><p>[/SPOILER]</p><p>Note: not all components are listed there; some components, such as wrappers around the engine that should prevent Trend Micro from being exploited by malware writers, are not mentioned.</p><p></p><p><strong>The model:</strong></p><p>It uses a minimalistic pattern file (40 MB) and is more similar to the signature-less products.</p><p>The local pattern determines which files are confirmed safe and which are suspicious (the latter will be subjected to a check using the full malware pattern available on TM servers).</p><p><strong>My guess is that these pattern files contain hashes/fuzzy hashes and heuristics, similarly to what Panda Cloud Antivirus uses for local protection.</strong></p><p><strong>[URL unfurl="true"]https://help.hcltechsw.com/bigfix/9.2/cprot/Core_Protection/CPM_Admin_Guide/tm_patterns_engine.html[/URL]</strong></p><p></p><p>This makes it look like the pattern only contains <strong>damaging (active) </strong>malware<strong>.</strong></p><p></p><p>According to the module descriptions above and what I will post below, Trend Micro 
reserves patterns (definitions) only for malware that <strong>actively</strong> causes damage. Once it no longer causes damage, it will be removed from the local pattern file, as it has to stay small. This is one of the reasons that may be causing the high number of undetected samples on the AVC malware protection test, yet TM nails the real-world protection. Files no longer causing damage will only be detected by Predictive Machine Learning once it's been retrained with these samples, by behavioural blocking (eventually) and not by anything else (they will be a miss). Such files will most probably be bots, RATs and infostealers with dead C&Cs (ransomware can always cause damage).</p><p></p><p>Trend Micro frequently drops a lot of detections; for example, the latest update drops 285.</p><p>[URL unfurl="true"]https://www.trendmicro.com/ftp/products/aupattern/consumer_smart_scan_pattern/whatsnew_Smart_Scan_Pattern.txt?_ga=2.213296407.2062391929.1720225342-2127287817.1720225342&_gac=1.247269936.1720238204.EAIaIQobChMIpvi2i8SRhwMVCZdQBh0Luww3EAAYASAAEgILRPD_BwE[/URL]</p><p>[SPOILER="Dropped"]</p>
<p>Adware.Win32.MULTIPLUG.USBLCF24</p>
<p>Backdoor.Linux.MIRAI.USBLCG24</p>
<p>Backdoor.MSIL.ASYNCRAT.USBLCF24</p>
<p>Backdoor.MSIL.BLADABINDI.USBLCF24</p>
<p>Backdoor.Win32.CERBER.USBLCE24</p>
<p>Backdoor.Win32.DOINA.USBLCF24</p>
<p>Backdoor.Win32.GEPYS.USBLCL24</p>
<p>Backdoor.Win32.HAVOC.USBLCI24</p>
<p>Backdoor.Win32.IRCBOT.USBLCE24</p>
<p>Backdoor.Win32.KRYPTIK.USBLCL24</p>
<p>Backdoor.Win32.PINCAV.USBLCE24</p>
<p>Backdoor.Win32.QUKART.USBLCF24</p>
<p>Backdoor.Win32.RAMMSTN.USBLCE24</p>
<p>Backdoor.Win32.SCAR.USBLCF24</p>
<p>Backdoor.Win32.SHIZ.USBLCF24</p>
<p>Backdoor.Win32.SNOJAN.USBLCE24</p>
<p>Backdoor.Win32.SWRORT.YXECPZ</p>
<p>Backdoor.Win32.TINY.USBLCF24</p>
<p>Backdoor.Win32.WARZONE.YXECPZ</p>
<p>Backdoor.Win32.XWORM.YXECPZ</p>
<p>Backdoor.Win64.ASYNCRAT.YXECPZ</p>
<p>Backdoor.Win64.BLADABINDI.USBLCH24</p>
<p>Backdoor.Win64.COBEACON.YXECOZ</p>
<p>Backdoor.Win64.SILVER.YXECOZ</p>
<p>Ransom.Win32.BARYS.USBLCE24</p>
<p>Ransom.Win32.JUICYPOTATO.USBLCE24</p>
<p>Ransom.Win32.QQPASS.USBLCF24</p>
<p>Ransom.Win32.SELFMOD.USBLCF24</p>
<p>Ransom.Win32.STAPCORE.USBLCM24</p>
<p>Ransom_Blocker.R06CC0CCL24</p>
<p>Ransom_Blocker.R06CC0DCF24</p>
<p>Ransom_Cerber.R002C0DCE24</p>
<p>Ransom_Cobra.R002C0DCE24</p>
<p>Ransom_ContiCrypt.R002C0CCE24</p>
<p>Ransom_ContiCrypt.R002C0CCF24</p>
<p>Ransom_ContiCrypt.R002C0DCE24</p>
<p>Ransom_CryFile.R002C0DCF24</p>
<p>Ransom_Cryptodef.R002C0DCF24</p>
<p>Ransom_Cryptodef.R03BC0DCM24</p>
<p>Ransom_Crysis.R002C0DCE24</p>
<p>Ransom_Fasem.R06CC0OCE24</p>
<p>Ransom_Foreign.R002C0GCE24</p>
<p>Ransom_GandCrab.R002C0DCF24</p>
<p>Ransom_Gen.R002C0XCK24</p>
<p>Ransom_Gen.R03BC0XCK24</p>
<p>Ransom_GenericCryptor.R002C0CCF24</p>
<p>Ransom_GenericCryptor.R002C0CCL24</p>
<p>Ransom_GenericCryptor.R002C0DCM24</p>
<p>Ransom_GenericCryptor.R023C0CCE24</p>
<p>Ransom_Petya.R002C0DCE24</p>
<p>Ransom_Phny.R002C0DCE24</p>
<p>Ransom_PolyRansom.R023C0GCE24</p>
<p>Ransom_PolyRansom.R023C0XCE24</p>
<p>Ransom_PornoAsset.R002C0CCF24</p>
<p>Ransom_PornoAsset.R002C0DCF24</p>
<p>Ransom_PornoAsset.R03BC0DCM24</p>
<p>Ransom_PornoAsset.R049C0DCE24</p>
<p>Ransom_Rakhni.R002C0PCE24</p>
<p>Ransom_Rantest.R06CC0CCE24</p>
<p>Ransom_Samas.R06CC0DCE24</p>
<p>Ransom_StopCrypt.R002C0DCL24</p>
<p>TROJ_GEN.R011C0CCF24</p>
<p>TROJ_GEN.R011C0GCF24</p>
<p>TROJ_GEN.R011C0WCK24</p>
<p>TROJ_GEN.R011H0CKG23</p>
<p>TROJ_GEN.R023C0OCL24</p>
<p>TROJ_GEN.R023C0WCL24</p>
<p>TROJ_GEN.R03BC0GCL24</p>
<p>TROJ_GEN.R03BC0WCV24</p>
<p>TROJ_GEN.R03FC0CCM24</p>
<p>TROJ_GEN.R049C0CCE24</p>
<p>TROJ_GEN.R049C0DCK24</p>
<p>TROJ_GEN.R049C0DCL24</p>
<p>TROJ_GEN.R049C0OCE24</p>
<p>TROJ_GEN.R049C0RCE24</p>
<p>TROJ_GEN.R049C0WCE24</p>
<p>TROJ_GEN.R053C0OCM24</p>
<p>TROJ_GEN.R06BC0XCL24</p>
<p>TROJ_GEN.R06CC0GCE24</p>
<p>TROJ_GEN.R06CC0WCL24</p>
<p>TROJ_GEN.R06FC0DCF24</p>
<p>Trojan.HTML.XWORM.YXECNZ</p>
<p>Trojan.JS.ASYNCRAT.YXECOZ</p>
<p>Trojan.JS.SOCGHOLISH.YXECOZ</p>
<p>Trojan.Linux.CVE.USBLCG24</p>
<p>Trojan.MSIL.BLADABINDI.USBLCF24</p>
<p>Trojan.MSIL.DCRAT.USBLCF24</p>
<p>Trojan.MSIL.DNOPER.USBLCE24</p>
<p>Trojan.MSIL.DNOPER.USBLCF24</p>
<p>Trojan.MSIL.INJECTOR.USBLCF24</p>
<p>Trojan.MSIL.KRYPTIK.USBLCE24</p>
<p>Trojan.MSIL.MSILKRYPT.USBLCF24</p>
<p>Trojan.MSIL.POWERSHELL.USBLCE24</p>
<p>Trojan.MSIL.REDLINE.USBLCK24</p>
<p>Trojan.MSIL.REDLINE.USBLCO24</p>
<p>Trojan.MSIL.REDLINE.USBLCU24</p>
<p>Trojan.MSIL.ROZENA.USBLCE24</p>
<p>Trojan.MSIL.ROZENA.USBLCG24</p>
<p>Trojan.MSIL.SONBOKLI.USBLCG24</p>
<p>Trojan.MSIL.XMRIG.USBLCM24</p>
<p>Trojan.MSIL.XMRIG.USBLCN24</p>
<p>Trojan.MSIL.ZEGOST.USBLCJ24</p>
<p>Trojan.MSIL.ZNYONM.USBLCE24</p>
<p>Trojan.VBS.DARKGATE.YXECOZ</p>
<p>Trojan.W97M.CVE.USBLCE24</p>
<p>Trojan.W97M.OBFUS.USBLCE24</p>
<p>Trojan.Win32.AGENTSMALL.USBLCE24</p>
<p>Trojan.Win32.AGENTSMALL.USBLCF24</p>
<p>Trojan.Win32.ANDROM.USBLCL24</p>
<p>Trojan.Win32.AUTOIT.USBLCE24</p>
<p>Trojan.Win32.AUTOITGENOME.USBLCE24</p>
<p>Trojan.Win32.AUTOITINJECT.USBLCE24</p>
<p>Trojan.Win32.AUTORUN.USBLCE24</p>
<p>Trojan.Win32.AUTORUN.USBLCJ24</p>
<p>Trojan.Win32.AZORULT.USBLCP24</p>
<p>Trojan.Win32.BANLOAD.USBLCM24</p>
<p>Trojan.Win32.BARYS.USBLCM24</p>
<p>Trojan.Win32.BLACKMOON.USBLCF24</p>
<p>Trojan.Win32.BLACKMOON.USBLCL24</p>
<p>Trojan.Win32.BLIHAN.USBLCF24</p>
<p>Trojan.Win32.BLOCKER.USBLCF24</p>
<p>Trojan.Win32.CAYNAMER.USBLCF24</p>
<p>Trojan.Win32.CERBER.USBLCM24</p>
<p>Trojan.Win32.CODBOT.USBLCF24</p>
<p>Trojan.Win32.COMETER.USBLCE24</p>
<p>Trojan.Win32.CONVAGENT.USBLCI24</p>
<p>Trojan.Win32.COREWARRIOR.USBLCF24</p>
<p>Trojan.Win32.COREWARRIOR.USBLCL24</p>
<p>Trojan.Win32.CRYPT.USBLCJ24</p>
<p>Trojan.Win32.CYNS.USBLCF24</p>
<p>Trojan.Win32.DACIC.USBLCL24</p>
<p>Trojan.Win32.DANABOT.YXECOZ</p>
<p>Trojan.Win32.DAWS.USBLCF24</p>
<p>Trojan.Win32.DELF.USBLCF24</p>
<p>Trojan.Win32.DIBIK.USBLCE24</p>
<p>Trojan.Win32.DINWOD.USBLCL24</p>
<p>Trojan.Win32.DISCO.USBLCF24</p>
<p>Trojan.Win32.DISIN.USBLCF24</p>
<p>Trojan.Win32.DISIN.USBLCG24</p>
<p>Trojan.Win32.DISKWRITER.USBLCF24</p>
<p>Trojan.Win32.DISS.USBLCE24</p>
<p>Trojan.Win32.DORIFEL.USBLCF24</p>
<p>Trojan.Win32.DROLNUX.USBLCE24</p>
<p>Trojan.Win32.DROPPER.USBLCF24</p>
<p>Trojan.Win32.EKSTAK.USBLCK24</p>
<p>Trojan.Win32.EMDUP.USBLCM24</p>
<p>Trojan.Win32.ESTIWIR.USBLCE24</p>
<p>Trojan.Win32.FAKEALERT.USBLCE24</p>
<p>Trojan.Win32.FAKEALERT.USBLCF24</p>
<p>Trojan.Win32.FARFLI.USBLCF24</p>
<p>Trojan.Win32.FERO.USBLCF24</p>
<p>Trojan.Win32.FILEINFECTOR.USBLCL24</p>
<p>Trojan.Win32.FLYSTUD.USBLCE24</p>
<p>Trojan.Win32.FORMBOOK.YXECOZ</p>
<p>Trojan.Win32.GAMARUE.USBLCF24</p>
<p>Trojan.Win32.GAMUP.USBLCF24</p>
<p>Trojan.Win32.GANELP.USBLCF24</p>
<p>Trojan.Win32.GCLEANER.USBLCG24</p>
<p>Trojan.Win32.GCLEANER.YXECOZ</p>
<p>Trojan.Win32.GENERICKD.USBLCE24</p>
<p>Trojan.Win32.GENKRYPTIK.USBLCF24</p>
<p>Trojan.Win32.GUPBOOT.USBLCF24</p>
<p>Trojan.Win32.HUPIGON.USBLCF24</p>
<p>Trojan.Win32.INJECT.USBLCF24</p>
<p>Trojan.Win32.INJECTS.USBLCE24</p>
<p>Trojan.Win32.INJECTS.USBLCF24</p>
<p>Trojan.Win32.IPAMOR.USBLCF24</p>
<p>Trojan.Win32.IRCBRUTE.USBLCE24</p>
<p>Trojan.Win32.IRCFLOOD.USBLCF24</p>
<p>Trojan.Win32.IYECLORE.USBLCF24</p>
<p>Trojan.Win32.JAIK.USBLCF24</p>
<p>Trojan.Win32.JUCHED.USBLCE24</p>
<p>Trojan.Win32.KHALESI.USBLCF24</p>
<p>Trojan.Win32.KOCEG.USBLCF24</p>
<p>Trojan.Win32.KRAP.USBLCF24</p>
<p>Trojan.Win32.LAMER.USBLCF24</p>
<p>Trojan.Win32.LDPINCH.USBLCE24</p>
<p>Trojan.Win32.LDPINCH.USBLCF24</p>
<p>Trojan.Win32.LINEAGE.USBLCE24</p>
<p>Trojan.Win32.LOAN.USBLCF24</p>
<p>Trojan.Win32.LOAN.USBLCL24</p>
<p>Trojan.Win32.LUNA.USBLCF24</p>
<p>Trojan.Win32.MAGANIA.USBLCF24</p>
<p>Trojan.Win32.MANSABO.USBLCE24</p>
<p>Trojan.Win32.MEKOTIO.USBLCI24</p>
<p>Trojan.Win32.METASPLOIT.USBLCF24</p>
<p>Trojan.Win32.MIRA.USBLCL24</p>
<p>Trojan.Win32.MULDROP.USBLCM24</p>
<p>Trojan.Win32.MULTIPLUG.USBLCF24</p>
<p>Trojan.Win32.MYDOOM.USBLCF24</p>
<p>Trojan.Win32.NEMUCOD.USBLCF24</p>
<p>Trojan.Win32.NEMUCOD.USBLCM24</p>
<p>Trojan.Win32.NESHTA.USBLCE24</p>
<p>Trojan.Win32.NEVEREG.USBLCF24</p>
<p>Trojan.Win32.NEWDOTNET.USBLCG24</p>
<p>Trojan.Win32.NITOL.USBLCM24</p>
<p>Trojan.Win32.NOOBYPROTECT.USBLCK24</p>
<p>Trojan.Win32.OBFUS.USBLCF24</p>
<p>Trojan.Win32.OPERALOADER.YXECOZ</p>
<p>Trojan.Win32.PARIHAM.USBLCF24</p>
<p>Trojan.Win32.PCCLIENT.USBLCF24</p>
<p>Trojan.Win32.PIKABOT.YXECRZ</p>
<p>Trojan.Win32.PIKABOT.YXECZZ</p>
<p>Trojan.Win32.PISTOLAR.USBLCF24</p>
<p>Trojan.Win32.PLITE.USBLCL24</p>
<p>Trojan.Win32.POWERSHELL.USBLCF24</p>
<p>Trojan.Win32.PROTUX.USBLCF24</p>
<p>Trojan.Win32.PURORA.USBLCE24</p>
<p>Trojan.Win32.PYTR.USBLCE24</p>
<p>Trojan.Win32.QQPASS.USBLCF24</p>
<p>Trojan.Win32.QUKART.USBLCM24</p>
<p>Trojan.Win32.RACCOON.USBLCF24</p>
<p>Trojan.Win32.REMCOS.USBLCF24</p>
<p>Trojan.Win32.REMHEAD.USBLCF24</p>
<p>Trojan.Win32.REVERSESHELL.USBLCG24</p>
<p>Trojan.Win32.SAKUREL.USBLCF24</p>
<p>Trojan.Win32.SCAR.USBLCG24</p>
<p>Trojan.Win32.SFONE.USBLCF24</p>
<p>Trojan.Win32.SILENTCRYPTOMINER.USBLCE24</p>
<p>Trojan.Win32.SMOKELOADER.USBLCE24</p>
<p>Trojan.Win32.SOUL.USBLCE24</p>
<p>Trojan.Win32.STAPCORE.USBLCG24</p>
<p>Trojan.Win32.STAPCORE.USBLCI24</p>
<p>Trojan.Win32.STEALC.USBLCK24</p>
<p>Trojan.Win32.SYSTEMBC.USBLCF24</p>
<p>Trojan.Win32.TINBA.USBLCF24</p>
<p>Trojan.Win32.TINY.USBLCF24</p>
<p>Trojan.Win32.TRICKBOT.USBLCG24</p>
<p>Trojan.Win32.UNRUY.USBLCF24</p>
<p>Trojan.Win32.UPATRE.USBLCM24</p>
<p>Trojan.Win32.URELAS.USBLCI24</p>
<p>Trojan.Win32.VILSEL.USBLCF24</p>
<p>Trojan.Win32.VMPROTECT.USBLCO24</p>
<p>Trojan.Win32.VUNDO.USBLCF24</p>
<p>Trojan.Win32.WAJAM.USBLCF24</p>
<p>Trojan.Win32.XPACK.USBLCF24</p>
<p>Trojan.Win32.ZAPCHAST.USBLCE24</p>
<p>Trojan.Win32.ZLOAD.USBLCE24</p>
<p>Trojan.Win32.ZLOADER.USBLCE24</p>
<p>Trojan.Win32.ZLOB.USBLCL24</p>
<p>Trojan.Win32.ZOMBIE.USBLCM24</p>
<p>Trojan.Win64.BUMBLELOADER.YXECOZ</p>
<p>Trojan.Win64.DCRAT.USBLCF24</p>
<p>Trojan.Win64.GENKRYPTIK.USBLCF24</p>
<p>Trojan.Win64.INJEXA.USBLCF24</p>
<p>Trojan.Win64.LAZY.USBLCF24</p>
<p>Trojan.Win64.LUNA.USBLCF24</p>
<p>Trojan.Win64.LUNA.USBLCH24</p>
<p>Trojan.Win64.LUNALOGGER.USBLCK24</p>
<p>Trojan.Win64.OPERALOADER.YXECOZ</p>
<p>Trojan.Win64.ROZENA.USBLCE24</p>
<p>Trojan.Win64.SPYLOADER.USBLCK24</p>
<p>Trojan.Win64.STEALER.USBLCF24</p>
<p>Trojan.Win64.STEALER.USBLCG24</p>
<p>Trojan.Win64.STEALER.USBLCH24</p>
<p>Trojan.Win64.STEALER.USBLCI24</p>
<p>Trojan.Win64.STEALER.USBLCO24</p>
<p>Trojan.Win64.STRELA.USBLCE24</p>
<p>Trojan.Win64.STRELA.USBLCF24</p>
<p>Trojan.Win64.STRELA.USBLCH24</p>
<p>Trojan.Win64.STRELA.USBLCI24</p>
<p>Trojan.Win64.STRELASTEALER.USBLCJ24</p>
<p>Trojan.Win64.STRELASTEALER.USBLCK24</p>
<p>Trojan.X97M.CVE.USBLCE24</p>
<p>Trojan.X97M.CVE.USBLCF24</p>
<p>TrojanSpy.MSIL.KRYPTIK.USBLCE24</p>
<p>TrojanSpy.MSIL.STEALERC.USBLCE24</p>
<p>TrojanSpy.Win32.CARDSPY.USBLCF24</p>
<p>TrojanSpy.Win32.FASONG.USBLCG24</p>
<p>TrojanSpy.Win32.QUKART.USBLCF24</p>
<p>TrojanSpy.Win32.REDLINE.USBLCF24</p>
<p>TrojanSpy.Win32.SNOJAN.USBLCE24</p>
<p>TrojanSpy.Win32.STEALC.USBLCM24</p>
<p>TrojanSpy.Win32.URSNIF.YXECOZ</p>
<p>TrojanSpy.Win32.ZPEVDO.USBLCF24</p>
<p>TrojanSpy.Win64.EXPIRO.USBLCE24</p>
<p>TrojanSpy.Win64.REDLINE.YXECOZ</p>
<p>TrojanSpy.Win64.STEALER.USBLCG24</p>
<p>TrojanSpy.Win64.STEALER.USBLCI24</p>
<p>Worm.Win32.DELF.USBLCF24</p>
<p>Worm.Win32.KOCEG.USBLCF24</p>
<p>Worm.Win32.LUDBARUMA.USBLCF24</p>
<p>Worm.Win32.RAMNIT.USBLCG24</p>
<p>Worm.Win32.SILENTALL.USBLCE24</p>
<p>Worm.Win32.VMPROTECT.USBLCG24</p>
<p></p><p></p><p>[/SPOILER]</p><p></p><p></p><p>Trend Micro uses the Advanced Threat Scan Engine, which is fully cloud-based, to scan files without a good reputation.</p><p>ATSE can block malware and identify the malware family (which can make it look like it's definitions-based).</p><p>[SPOILER="ATSE 1"]</p><h3>Detect emerging threats using Predictive Machine Learning</h3><p>Use Predictive Machine Learning to detect unknown or low-prevalence malware. (For more information, see <a href="https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware.html#machine" target="_blank">Predictive Machine Learning</a>.)</p><p></p><p>Predictive Machine Learning uses the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the Predictive Machine Learning engine on the Trend Micro Smart Protection Network. 
To enable Predictive Machine Learning, perform the following:</p><p></p><ol> <li data-xf-list-type="ol"><a href="https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-predictive-machine-learning.html#proxy" target="_blank">Ensure Internet connectivity</a></li> <li data-xf-list-type="ol"><a href="https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-predictive-machine-learning.html#enable" target="_blank">Enable Predictive Machine Learning</a></li> </ol><p>As with all detected malware, Predictive Machine Learning logs an event when it detects malware. (See <a href="https://help.deepsecurity.trendmicro.com/feature-releases/events.html" target="_blank">About Deep Security event logging</a>.) You can also create an exception for any false positives. (See <a href="https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-exceptions.html" target="_blank">Create anti-malware exceptions</a>.)</p><p></p><h3>Ensure Internet connectivity</h3><p>Predictive Machine Learning requires access to the Global Census Service, Good File Reputation Service, and Predictive Machine Learning Service. These services are hosted in the Trend Micro Smart Protection Network. 
If your Deep Security Agents or Virtual Appliance cannot access the Internet directly, see <a href="https://help.deepsecurity.trendmicro.com/feature-releases/agent-airgapped.html" target="_blank">Configure agents that have no internet access</a> for workarounds.</p><p></p><h3><a href="https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-predictive-machine-learning.html" target="_blank">Detect emerging threats using Predictive Machine Learning | Deep Security</a></h3><p></p><p>[/SPOILER]</p><p>[SPOILER="ATSE 2"]</p><h2>Predictive Machine Learning <a href="https://docs.trendmicro.com/all/ent/ddwi/2.5/en-us/ddwi_2.5_olh/A-New-Solution.html#GUID-C2529BC7-5F14-4020-BE25-56E49A96E643" target="_blank"><img src="https://docs.trendmicro.com/all/ent/ddwi/2.5/en-us/ddwi_2.5_olh/resources/parent.png" alt="Parent topic" class="fr-fic fr-dii fr-draggable " style="" /></a></h2><p>Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features. Predictive Machine Learning also performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network.</p><p>Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks.</p><p>After detecting an unknown or low-prevalence file, Deep Discovery Web Inspector scans the file using the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the Predictive Machine Learning engine, hosted on the Trend Micro Smart Protection Network. 
Through use of malware modeling, Predictive Machine Learning compares the sample to the malware model, assigns a probability score, and determines the probable malware type that the file contains.</p><p>Depending on how you configure your policies, Deep Discovery Web Inspector can block the object to prevent the threat from continuing to spread across your network. Alternatively, you can configure the policy to monitor and log information about the object without blocking it.</p><p></p><p><a href="https://docs.trendmicro.com/all/ent/ddwi/2.5/en-us/ddwi_2.5_olh/Predictive-Machine-L.html" target="_blank">https://docs.trendmicro.com/all/ent/ddwi/2.5/en-us/ddwi_2.5_olh/Predictive-Machine-L.html</a></p><p>[/SPOILER]</p><p>[SPOILER="Smart Scan"]</p><p>Smart Protection Network integration is available for your computers and workloads through Anti-Malware and Web Reputation modules. Smart Feedback, which is set at the system level, allows you to provide continuous feedback to the Smart Protection Network.</p><p></p><p>For more about Trend Micro's Smart Protection Network, see <a href="https://www.trendmicro.com/en_us/business/technologies/smart-protection-network.html" target="_blank">Smart Protection Network</a>.</p><p></p><p>If you are operating in a FedRAMP (Federal Risk and Authorization Management Program) environment, you cannot use Smart Feedback. 
If you have already enabled Smart Feedback, you must disable it.</p><p></p><p>In this topic:</p><p></p><ul> <li data-xf-list-type="ul"><a href="https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Anti-Mal" target="_blank">Anti-Malware and Smart Protection</a></li> <li data-xf-list-type="ul"><a href="https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Web" target="_blank">Web Reputation and Smart Protection</a></li> <li data-xf-list-type="ul"><a href="https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Smart3" target="_blank">Smart Feedback</a></li> <li data-xf-list-type="ul"><a href="https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#disable" target="_blank">Disable Smart Feedback</a></li> </ul><p>See also the <a href="https://docs.trendmicro.com/en-us/enterprise/smart-protection-server.aspx" target="_blank">Smart Protection Server documentation</a> for instructions on manually deploying the server.</p><p></p><h2>Anti-Malware and Smart Protection</h2> <ul> <li data-xf-list-type="ul"><a href="https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Benefits" target="_blank">Benefits of Smart Scan</a></li> <li data-xf-list-type="ul"><a href="https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Smart" target="_blank">Enable Smart Scan</a></li> <li data-xf-list-type="ul"><a href="https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Smart2" target="_blank">Smart Protection Server for File Reputation Service</a></li> </ul><h3>Benefits of Smart Scan</h3><p>Smart Scan provides the following features and benefits:</p><p></p><ul> <li data-xf-list-type="ul">Provides fast, real-time security status lookup capabilities in the cloud.</li> <li data-xf-list-type="ul">Reduces the overall time it takes to deliver protection against emerging threats.</li> <li data-xf-list-type="ul">Reduces network bandwidth consumed during pattern updates. 
The bulk of pattern definition updates only needs to be delivered to the cloud, not to many endpoints.</li> <li data-xf-list-type="ul">Reduces the cost and overhead associated with corporate-wide pattern deployments.</li> </ul><h3>Enable Smart Scan</h3><p>Smart Scan is available in the Anti-Malware module. It leverages Trend Micro's <a href="https://www.trendmicro.com/en_us/business/technologies/smart-protection-network.htmlindex.html" target="_blank">Smart Protection Network</a> to allow local pattern files to be small and reduces the size and number of updates required by agents and Appliances. When Smart Scan is enabled, the agent downloads a small version of the much larger full malware pattern from a Smart Protection Server. This smaller pattern can quickly identify files as either confirmed safe or possibly dangerous. Possibly dangerous files are compared against the larger complete pattern files stored on Trend Micro Smart Protection Servers to determine with certainty whether they pose a danger or not.</p><p></p><p>Without Smart Scan enabled, your relay agents must download the full malware pattern from a Smart Protection Server to be used locally on the agent. The pattern is only updated as scheduled security updates are processed. The pattern is typically updated once per day for your agents to download and is around 120 MB.</p><p></p><p>Verify that the computer can reliably connect to the global Trend Micro Smart Protection Network URLs (see <a href="https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip" target="_blank">Port numbers</a> for a list of URLs). 
If connectivity is blocked by a firewall, proxy, or AWS security group, or if the connection is unreliable, Anti-Malware performance is reduced.</p><p></p><p></p><h3><a href="https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-predictive-machine-learning.html" target="_blank">Detect emerging threats using Predictive Machine Learning | Deep Security</a></h3><p></p><p>Client scanning can be performed using one of two methods:</p><p></p><ul> <li data-xf-list-type="ul">Conventional Scan<br /> A scan method used in all earlier WFBS versions. A Conventional Scan client stores all Security Agent components on the client computer and scans all files locally.</li> <li data-xf-list-type="ul">Smart Scan<br /> Smart Scan leverages threat signatures that are stored in the cloud. When in Smart Scan mode, the WFBS agent first scans for security risks locally. If the client cannot determine the risk of the file during the scan, the client connects to the local Smart Scan Server. If the clients cannot connect to it, they will attempt to connect to the Trend Micro Global Smart Scan Server.<br /> Smart Scan provides the following features and benefits:<ul> <li data-xf-list-type="ul">Provides fast, real-time security status lookup capabilities in the cloud.</li> <li data-xf-list-type="ul">Reduces the overall time it takes to deliver protection against emerging threats.</li> <li data-xf-list-type="ul">Reduces network bandwidth consumed during pattern updates. The bulk of pattern definition updates only needs to be delivered to the cloud and not to many endpoints.</li> <li data-xf-list-type="ul">Reduces the cost and overhead associated with corporate-wide pattern deployments.</li> <li data-xf-list-type="ul">Lowers kernel memory consumption on endpoints. 
Consumption increases minimally over time.</li> </ul></li> </ul><p>Trend Micro strongly recommends switching from Conventional Scanning to Smart Scanning:</p><p></p><ul> <li data-xf-list-type="ul">Recent statistics show that the Smart Scan Agent pattern (OTH, which is stored locally on the actual agent that uses Smart Scanning) covers 80% of the total threats, and that the Smart Scan pattern (TBL, stored on the Scan Server) covers the other 20%.</li> <li data-xf-list-type="ul">Aside from the Smart Scan Agent pattern (icrc$oth.xxx), a local cache is used to reduce about 80% of outgoing queries. The CRC cache works as a partial Smart Scan Pattern replica so that previously obtained CRCs can be reused later.</li> </ul><p>In other words, the CRCs are ready to be used to protect an endpoint user and are effective on malware that has been previously detected. However, the date may vary among individual users according to their usage behavior.</p><p></p><p>[URL unfurl="true"]https://success.trendmicro.com/dcx/s/solution/1053817-difference-between-the-conventional-scan-and-smart-scan-functions-of-worry-free-business-security?language=en_US[/URL]</p><p>[/SPOILER]</p><p>[SPOILER="Virus Scan API and ATSE Release Notes"]</p><p>The release notes for the scan engine are <a href="https://success.trendmicro.com/dcx/s/solution/000148744?language=ja" target="_blank">here</a> (only in Japanese):</p><p></p><p>VSAPI 22.610 / ATSE 22.610~23.570 Release date 2023.08.23</p><p>■New features of VSAPI 22.610 / ATSE 22.610~23.570</p><p></p><ul> <li data-xf-list-type="ul">Added search function using machine learning</li> <li data-xf-list-type="ul">(This is a local model type search function that is included inside the search engine.)</li> <li data-xf-list-type="ul">Added and improved detection functions for new threats</li> <li data-xf-list-type="ul">Supports identification of Lzip file types</li> <li data-xf-list-type="ul">Improved identification function for MP3 file types</li> <li 
data-xf-list-type="ul">Fixes for various bugs</li> </ul><p>The version number of the engine (the second part of it) is calculated by multiplying the release month by 10 and adding 500. For example, December = 12*10 + 500 = 620.</p><p>[/SPOILER]</p><p>[SPOILER="Potential Cons"]</p><p>Whilst I do not have evidence that the Trend Micro approach is in any way insufficient, there are a few key issues which I see here and which are worth considering:</p><ul> <li data-xf-list-type="ul">Machine learning (ATSE) and behavioural blocking are heavily focused on files/processes with low prevalence (read above). Trusted files and processes can be abused (Trend Micro may have found a way to handle this).</li> <li data-xf-list-type="ul">Very cloud-based; offline protection is poor (which shouldn't be that big of a deal)</li> <li data-xf-list-type="ul">Business-focused; many programmes could have an unfavourable reputation as they are not used in business environments and Trend Micro does not have the sheer number of home users</li> <li data-xf-list-type="ul">Dropping detections on malware that is no longer damaging may be great for performance, but I am unsure why hashes are not kept in the cloud; it leaves a rather sour taste.</li> <li data-xf-list-type="ul">Not enough information on what files Predictive Machine Learning handles (apart from executables and documents) and what files are subjected to reputation checks.</li> </ul><p>[/SPOILER]</p><p>[SPOILER="Naming Convention"]</p><p>Starting July 2018, Trend Micro will apply a new Threat Detection Naming Scheme in order to align more closely with the rest of the industry with regard to the naming convention for threats and other malicious files.</p><p>Moving forward, Trend Micro will start to name malware and other threat detection patterns in alignment with the Computer Antivirus Research Organization (CARO) Malware Naming Scheme, which follows the format described below:</p><p><strong><Threat Type>.<Platform>.<Malware Family>.<Variant>.<Other 
info*></strong></p><p><em>*Optional</em></p><p>Below is a more detailed breakdown of the new format:</p><p><a href="https://powerbox-na-file.trend.org/SFDC/DownloadFile_iv.php?jsonInfo=%7B%22Query%22%3A%22kfiR6s%2Ft8EZDIrGSqdLugnAisPNJxrCahlcSQv2%2FywkncJOlfx%2B3YZj%2FKh5DDinl%2BFsh4JgM003zyFwXp%2BAdbQZWwqkZrcKWwMHB4iA6Wu8oyIWX9qiLy0pki%2Fm37C5lIm1NIGs0DRsr1Gd6WYj8HeZPNaOj03iqg5drLoDqU2tliTP0m9h7jYy5PWjEy9HLKiRlgxfXVatk3T9Bcte%2BpK39VQQv1IxKr1vLCdvVzw%2BJQ%2FXv4eBi4FLCqQJAItgp%22%2C%22iv%22%3A%2210ba0bdf2287d461c3544bf116adda1c%22%7D" target="_blank"><img src="https://powerbox-na-file.trend.org/SFDC/DownloadFile_iv.php?jsonInfo=%7B%22Query%22%3A%22kfiR6s%2Ft8EZDIrGSqdLugnAisPNJxrCahlcSQv2%2FywkncJOlfx%2B3YZj%2FKh5DDinl%2BFsh4JgM003zyFwXp%2BAdbQZWwqkZrcKWwMHB4iA6Wu8oyIWX9qiLy0pki%2Fm37C5lIm1NIGs0DRsr1Gd6WYj8HeZPNaOj03iqg5drLoDqU2tliTP0m9h7jYy5PWjEy9HLKiRlgxfXVatk3T9Bcte%2BpK39VQQv1IxKr1vLCdvVzw%2BJQ%2FXv4eBi4FLCqQJAItgp%22%2C%22iv%22%3A%2210ba0bdf2287d461c3544bf116adda1c%22%7D" alt="Ransom.Win32.Locky.A.dldr" class="fr-fic fr-dii fr-draggable " style="" /></a></p><p></p><h2>Threat Type</h2><p>The Threat Type represents the main threat category that describes what the main behavior of the threat is.</p><ul> <li data-xf-list-type="ul">For malware: Trojan, Worm, Virus, Ransomware, Coinminer and Backdoor are the most common threat types that we use.</li> <li data-xf-list-type="ul">For grayware: Adware, Spyware, and PUA are the most common threat types.</li> </ul><h2>Platform</h2><p>Platform refers to the environment in which the threat is designed to execute and covers both software and hardware. This would include Operating Systems: Windows (Win32, Win64), Mac OS, Linux, and Android, as well as programming languages (scripting language) and file formats (Microsoft Word/Excel/PowerPoint).</p><h2>Family</h2><p>Threats with similar behavior are grouped together and referred to as a family. 
Each family is named based on the behavior it manifests.</p><h2>Variant</h2><p>To identify different strains of malware under one family, letters are used in a sequential manner and referred to as the Variant.</p><h2>Other Information <em>(Optional)</em></h2><p>Information deemed useful in providing further insight for some complex threats can make use of this optional section of the naming scheme. For example, dldr means downloader. Therefore, the detection name Ransom.Win32.Locky.A.dldr provides information that this threat is a downloader for the Locky Ransomware.</p><p>Trend Micro plans to implement this new detection naming scheme in a phased approach. The initial focus will be on customer submitted samples and noteworthy threats, and it will eventually encompass all channels including bulk submissions and other sourcing methods.</p><p>We believe that aligning more closely with the CARO standards is beneficial for customers, especially those who use a mixed-vendor security environment and require cross-checking of threats.</p><p>We apologize in advance for any inconvenience this may cause, and encourage customers to contact their authorized Trend Micro support representative for any questions or concerns with the new naming scheme.</p><p>[URL unfurl="true"]https://success.trendmicro.com/dcx/s/solution/1119738-new-threat-detection-naming-scheme-in-trend-micro?language=en_US&sfdcIFrameOrigin=null[/URL]</p><p>[/SPOILER]</p><p></p><p>P.S. We need a few more TM tests; any users willing to participate, apart from [USER=92939]@Shadowra[/USER], who can retest at one point?</p></blockquote><p></p>
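<p>As an added example (not part of Trident's post or of any Trend Micro tooling), here is a small Python parser for the CARO-aligned naming scheme quoted in the post, plus a tally helper for summarising a pattern change log such as the dropped-detection list. It assumes that the "Ransom" token in the post's Locky example stands for the Ransomware threat type, and treats names with fewer than four dot-separated fields as legacy-format names, since the scheme was rolled out in phases; the sample list is constructed.</p>

```python
"""Parser for Trend Micro's CARO-aligned detection naming scheme.

Format quoted in the post:
    <Threat Type>.<Platform>.<Malware Family>.<Variant>[.<Other info>]
The scheme was rolled out in phases, so legacy names (e.g. TROJ_GEN.R011C0CCF24)
still appear in pattern change logs; those are reported as unparsed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Most common threat types per category, as listed in the post.
MALWARE_TYPES = {"Trojan", "Worm", "Virus", "Ransomware", "Coinminer", "Backdoor"}
GRAYWARE_TYPES = {"Adware", "Spyware", "PUA"}

# Assumption: the post's own example "Ransom.Win32.Locky.A.dldr" abbreviates the
# ransomware type to "Ransom", so that token is mapped onto "Ransomware".
TYPE_ALIASES = {"Ransom": "Ransomware"}

# "Other info" tokens whose meaning the post gives; unknown tokens pass through.
OTHER_INFO_MEANINGS = {"dldr": "downloader"}


@dataclass(frozen=True)
class DetectionName:
    threat_type: str
    platform: str
    family: str
    variant: str
    other_info: Optional[str] = None

    @property
    def category(self) -> str:
        """'malware', 'grayware', or 'unknown' for a type the post does not list."""
        canonical = TYPE_ALIASES.get(self.threat_type, self.threat_type)
        if canonical in MALWARE_TYPES:
            return "malware"
        if canonical in GRAYWARE_TYPES:
            return "grayware"
        return "unknown"

    @property
    def other_info_meaning(self) -> Optional[str]:
        """Expanded meaning of the optional suffix, if the post explains it."""
        if self.other_info is None:
            return None
        return OTHER_INFO_MEANINGS.get(self.other_info, self.other_info)


def parse_detection_name(name: str) -> Optional[DetectionName]:
    """Split a new-scheme name into its fields; return None for legacy names.

    A new-scheme name has at least four non-empty dot-separated fields. Any
    fields beyond the fourth are kept together as the optional "other info".
    """
    parts = name.strip().split(".")
    if len(parts) < 4 or any(not part for part in parts):
        return None
    threat_type, platform, family, variant = parts[:4]
    other_info = ".".join(parts[4:]) or None
    return DetectionName(threat_type, platform, family, variant, other_info)


def describe(name: str) -> str:
    """One-line reading of a detection name, in the style the post uses for Locky."""
    parsed = parse_detection_name(name)
    if parsed is None:
        return f"{name}: legacy-format name, not in the CARO-aligned scheme"
    text = (f"{name}: {parsed.category} of type {parsed.threat_type} for "
            f"{parsed.platform}, family {parsed.family}, variant {parsed.variant}")
    if parsed.other_info is not None:
        text += f", {parsed.other_info_meaning}"
    return text


def tally(names: Iterable[str]) -> Tuple[Counter, int]:
    """Count parsed names by (category, platform); legacy names are counted apart.

    Useful for summarising a pattern "what's new" list such as the dropped
    detections the post links to.
    """
    counts: Counter = Counter()
    legacy = 0
    for name in names:
        parsed = parse_detection_name(name)
        if parsed is None:
            legacy += 1
        else:
            counts[(parsed.category, parsed.platform)] += 1
    return counts, legacy


# Constructed sample, modelled on the dropped-detection list the post quotes.
SAMPLE_DROPPED = [
    "Ransom.Win32.Locky.A.dldr",          # the post's own worked example
    "Backdoor.Win64.COBEACON.YXECOZ",
    "Trojan.Win32.AGENTSMALL.USBLCE24",
    "Adware.Win32.MULTIPLUG.USBLCF24",
    "TROJ_GEN.R011C0CCF24",               # legacy format
    "Ransom_Cerber.R002C0DCE24",          # legacy format
]

if __name__ == "__main__":
    for entry in SAMPLE_DROPPED:
        print(describe(entry))
    by_platform, legacy_count = tally(SAMPLE_DROPPED)
    print(dict(by_platform), "legacy:", legacy_count)
```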
[QUOTE="Trident, post: 1092338, member: 99014"] Further to the interest to Trend Micro after [USER=92939]@Shadowra[/USER] review, this post will be a deep dive into the TM components and protection model which may not be very well understood by everyone. The components - these are updated on when-needed basis, independent of the programme version [SPOILER="Components"] [TABLE] [TR] [TH]Component[/TH] [TH]Distributed To[/TH] [TH]Description[/TH] [/TR] [TR] [TD]Virus Scan Engine 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]At the heart of all Trend Micro products lies the scan engine, which was originally developed in response to early file-based viruses. The scan engine today is exceptionally sophisticated and capable of detecting different types of viruses and malware. The scan engine also detects controlled viruses that are developed and used for research. Rather than scanning every byte of every file, the engine and pattern file work together to identify the following: [LIST] [*]Tell-tale characteristics of the virus code [*]The precise location within a file where the virus resides [/LIST][/TD] [/TR] [TR] [TD]Smart Scan Pattern[/TD] [TD]Not distributed to OfficeScan agents. This pattern stays in theOfficeScan serverand is used when responding to scan queries received from OfficeScan agents.[/TD] [TD]When in smart scan mode, OfficeScan agents use two lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns. The Smart Scan Pattern contains majority of the pattern definitions. The Smart Scan Agent Pattern contains all the other pattern definitions not found on the Smart Scan Pattern. The OfficeScan agent scans for security threats using the Smart Scan Agent Pattern. OfficeScan agents that cannot determine the risk of the file during the scan verify the risk by sending a scan query to the Scan Server, a service hosted on the OfficeScan server. 
The Scan Server verifies the risk using the Smart Scan Pattern. The OfficeScan agent "caches" the scan query result provided by the Scan Server to improve the scan performance.[/TD] [/TR] [TR] [TD]Smart Scan Agent Pattern[/TD] [TD]OfficeScan agentsusing smart scan[/TD] [TD][/TD] [/TR] [TR] [TD]Virus Pattern[/TD] [TD]OfficeScan agentsusing conventional scan[/TD] [TD]The Virus Pattern contains information that helps OfficeScan agents identify the latest virus/malware and mixed threat attacks. Trend Micro creates and releases new versions of the Virus Pattern several times a week, and any time after the discovery of a particularly damaging virus/malware.[/TD] [/TR] [TR] [TD]IntelliTrap Exception Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The IntelliTrap Exception Pattern contains a list of "approved" compression files.[/TD] [/TR] [TR] [TD]IntelliTrap Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The IntelliTrap Pattern detects real-time compression files packed as executable files. For details, see [URL='https://docs.trendmicro.com/all/ent/officescan/v12.0/en-us/osce_12.0_agent_olh/IntelliTrap.html#GUID-FCE2D882-C1EC-4048-822A-A6214C8834F2']IntelliTrap[/URL].[/TD] [/TR] [TR] [TD]Memory Inspection Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]This technology provides enhanced virus scanning for polymorphic and mutation viruses, and augments virus-pattern-based scans by emulating file execution. The results are then analyzed in a controlled environment for evidence of malicious intent with little impact on system performance.[/TD] [/TR] [TR] [TD]Early Launch Anti-Malware Pattern 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]OfficeScan supports the Early Launch Anti-Malware (ELAM) feature as part of the Secure Boot standard to provide boot time protection on endpoints. 
This feature enables OfficeScan agents to detect malware during the operating system boot process.[/TD] [/TR] [TR] [TD]Contextual Intelligence Engine 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]The Contextual Intelligence Engine monitors processes executed by low prevalence files and extracts behavioral features that the Contextual Intelligence Query Handler sends to the Predictive Machine Learning engine for analysis.[/TD] [/TR] [TR] [TD]Contextual Intelligence Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The Contextual Intelligence Pattern contains a list of "approved" behaviors that are not relevant to any known threats.[/TD] [/TR] [TR] [TD]Contextual Intelligence Query Handler 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]The Contextual Intelligence Query Handler processes the behaviors identified by the Contextual Intelligence Engine and sends the report to the Predictive Machine Learning engine.[/TD] [/TR] [TR] [TD]Advanced Threat Scan Engine 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]The Advanced Threat Scan Engine extracts file features from low prevalence files and sends the the information to the Predictive Machine Learning engine.[/TD] [/TR] [TR] [TD]Advanced Threat Correlation Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The Advanced Threat Correlation Pattern contains a list of file features that are not relevant to any known threats.[/TD] [/TR] [/TABLE] [HEADING=3]Anti-spyware[/HEADING] [TABLE] [TR] [TH]Component[/TH] [TH]Distributed To[/TH] [TH]Description[/TH] [/TR] [TR] [TD]Spyware/Grayware Scan Engine 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]The Spyware/Grayware Scan Engine scans for and performs the appropriate scan action on spyware/grayware.[/TD] [/TR] [TR] [TD]Spyware/Grayware Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The Spyware/Grayware Pattern identifies spyware/grayware in files and programs, modules in memory, Windows registry and URL shortcuts.[/TD] [/TR] [TR] [TD]Spyware Active-monitoring Pattern[/TD] [TD]OfficeScan 
agentsusing conventional scan[/TD] [TD]The Spyware Active-monitoring Pattern is used for real-time spyware/grayware scanning. Only conventional scan agentsuse this pattern.[/TD] [/TR] [/TABLE] [HEADING=3]Damage Cleanup Services[/HEADING] [TABLE] [TR] [TH]Component[/TH] [TH]Distributed To[/TH] [TH]Description[/TH] [/TR] [TR] [TD]Damage Cleanup Engine 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]The Damage Cleanup Engine scans for and removes Trojans and Trojan processes.[/TD] [/TR] [TR] [TD]Damage Cleanup Template[/TD] [TD]OfficeScan agents[/TD] [TD]The Damage Cleanup Template is used by the Damage Cleanup Engine to identify Trojan files and processes so the engine can eliminate them.[/TD] [/TR] [TR] [TD]Early Boot Cleanup Driver 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]The Trend Micro Early Boot Cleanup Driver loads before the operating system drivers which enables the detection and blocking of boot-type rootkits. After the OfficeScan agent loads, Trend Micro Early Boot Cleanup Driver calls Damage Cleanup Services to clean the rootkit.[/TD] [/TR] [/TABLE] [HEADING=3]Web Reputation[/HEADING] [TABLE] [TR] [TH]Component[/TH] [TH]Distributed To[/TH] [TH]Description[/TH] [/TR] [TR] [TD]URL Filtering Engine[/TD] [TD]OfficeScan agents[/TD] [TD]The URL Filtering Engine facilitates communication between OfficeScan and the Trend Micro URL Filtering Service. The URL Filtering Service is a system that rates URLs and provides rating information to OfficeScan.[/TD] [/TR] [/TABLE] [HEADING=3]Firewall[/HEADING] [TABLE] [TR] [TH]Component[/TH] [TH]Distributed To[/TH] [TH]Description[/TH] [/TR] [TR] [TD]Common Firewall Driver 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]The Common Firewall Driver is used with the Common Firewall Pattern to scan agentendpoints for network viruses. 
This driver supports 32-bit and 64-bit platforms.[/TD] [/TR] [TR] [TD]Common Firewall Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]Like the Virus Pattern, the Common Firewall Pattern helps agents identify virus signatures, unique patterns of bits and bytes that signal the presence of a network virus.[/TD] [/TR] [/TABLE] [HEADING=3]Behavior Monitoring and Device Control[/HEADING] [TABLE] [TR] [TH]Component[/TH] [TH]Distributed To[/TH] [TH]Description[/TH] [/TR] [TR] [TD]Behavior Monitoring Detection Pattern 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]This pattern contains the rules for detecting suspicious threat behavior.[/TD] [/TR] [TR] [TD]Behavior Monitoring Core Driver 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]This kernel mode driver monitors system events and passes them to the Behavior Monitoring Core Service for policy enforcement.[/TD] [/TR] [TR] [TD]Behavior Monitoring Core Service 32/64-bit[/TD] [TD]OfficeScan agents[/TD] [TD]This user mode service has the following functions: [LIST] [*]Provides rootkit detection [*]Regulates access to external devices [*]Protects files, registry keys, and services [/LIST][/TD] [/TR] [TR] [TD]Behavior Monitoring Configuration Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The Behavior Monitoring Driver uses this pattern to identify normal system events and exclude them from policy enforcement.[/TD] [/TR] [TR] [TD]Policy Enforcement Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The Behavior Monitoring Core Service checks system events against the policies in this pattern.[/TD] [/TR] [TR] [TD]Digital Signature Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]This pattern contains a list of valid digital signatures that are used by the Behavior Monitoring Core Service to determine whether a program responsible for a system event is safe.[/TD] [/TR] [TR] [TD]Memory Scan Trigger Pattern (32/64-bit)[/TD] [TD]OfficeScan agents[/TD] [TD]The Memory Scan Trigger service executes other scan engines when it detects the process in memory 
is unpacked.[/TD] [/TR] [TR] [TD]Program Inspection Monitoring Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The Program Inspection Monitoring Pattern monitors and stores inspection points that are used for Behavior Monitoring.[/TD] [/TR] [TR] [TD]Damage Recovery Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]The Damage Recovery Pattern contains policies that are used for monitoring suspicious threat behavior.[/TD] [/TR] [/TABLE] [HEADING=3]Browser Exploits[/HEADING] [TABLE] [TR] [TH]Component[/TH] [TH]Distributed To[/TH] [TH]Description[/TH] [/TR] [TR] [TD]Browser Exploit Prevention Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]This pattern identifies the latest web browser exploits and prevents the exploits from being used to compromise the web browser.[/TD] [/TR] [TR] [TD]Script Analyzer Unified Pattern[/TD] [TD]OfficeScan agents[/TD] [TD]This pattern analyzes script in web[/TD] [/TR] [/TABLE] [/SPOILER] Note: not all components are listed there, some components such as wrappers around the engine that should prevent Trend Micro from being exploited by malware writers, are not mentioned. [B]The model:[/B] It uses minimalistic pattern file (40 MB) and is more similar to the signature-less products. The local pattern determines files which are confirmed safe and suspicious (which will be subjected to check using the full malware pattern available on TM servers). [B]My guess is that these pattern files contain hashes/fuzzy hashes and heuristics, similarly to what Panda Cloud Antivirus uses for local protection. [URL unfurl="true"]https://help.hcltechsw.com/bigfix/9.2/cprot/Core_Protection/CPM_Admin_Guide/tm_patterns_engine.html[/URL][/B] This makes it look like the pattern only contains [B]damaging (active) [/B]malware[B].[/B] According to the modules description above and what I will post below, Trend Micro reserves patterns (definitions) only for malware that [B]actively[/B] causes damage. 
Once it no longer causes damage, it will be removed from the local pattern file as it has to stay small. This is one of the reasons that may be causing the high number of undetected samples on the AVC malware protection test, yet TM nails the real world protection. Files no longer causing damage will only be detected by Predictive Machine Learning once it’s been retained with these samples, behavioural blocking (eventually) and not by anything else (they will be a miss). Such files will most probably be bots, RATs and infostealers with dead C&Cs (ransomware can always cause damage). Trend Micro frequently drops a lot of detections, for example the latest update drops 285. [URL unfurl="true"]https://www.trendmicro.com/ftp/products/aupattern/consumer_smart_scan_pattern/whatsnew_Smart_Scan_Pattern.txt?_ga=2.213296407.2062391929.1720225342-2127287817.1720225342&_gac=1.247269936.1720238204.EAIaIQobChMIpvi2i8SRhwMVCZdQBh0Luww3EAAYASAAEgILRPD_BwE[/URL] [SPOILER="Dropped"] Adware.Win32.MULTIPLUG.USBLCF24 Backdoor.Linux.MIRAI.USBLCG24 Backdoor.MSIL.ASYNCRAT.USBLCF24 Backdoor.MSIL.BLADABINDI.USBLCF24 Backdoor.Win32.CERBER.USBLCE24 Backdoor.Win32.DOINA.USBLCF24 Backdoor.Win32.GEPYS.USBLCL24 Backdoor.Win32.HAVOC.USBLCI24 Backdoor.Win32.IRCBOT.USBLCE24 Backdoor.Win32.KRYPTIK.USBLCL24 Backdoor.Win32.PINCAV.USBLCE24 Backdoor.Win32.QUKART.USBLCF24 Backdoor.Win32.RAMMSTN.USBLCE24 Backdoor.Win32.SCAR.USBLCF24 Backdoor.Win32.SHIZ.USBLCF24 Backdoor.Win32.SNOJAN.USBLCE24 Backdoor.Win32.SWRORT.YXECPZ Backdoor.Win32.TINY.USBLCF24 Backdoor.Win32.WARZONE.YXECPZ Backdoor.Win32.XWORM.YXECPZ Backdoor.Win64.ASYNCRAT.YXECPZ Backdoor.Win64.BLADABINDI.USBLCH24 Backdoor.Win64.COBEACON.YXECOZ Backdoor.Win64.SILVER.YXECOZ Ransom.Win32.BARYS.USBLCE24 Ransom.Win32.JUICYPOTATO.USBLCE24 Ransom.Win32.QQPASS.USBLCF24 Ransom.Win32.SELFMOD.USBLCF24 Ransom.Win32.STAPCORE.USBLCM24 Ransom_Blocker.R06CC0CCL24 Ransom_Blocker.R06CC0DCF24 Ransom_Cerber.R002C0DCE24 Ransom_Cobra.R002C0DCE24 
Ransom_ContiCrypt.R002C0CCE24 Ransom_ContiCrypt.R002C0CCF24 Ransom_ContiCrypt.R002C0DCE24 Ransom_CryFile.R002C0DCF24 Ransom_Cryptodef.R002C0DCF24 Ransom_Cryptodef.R03BC0DCM24 Ransom_Crysis.R002C0DCE24 Ransom_Fasem.R06CC0OCE24 Ransom_Foreign.R002C0GCE24 Ransom_GandCrab.R002C0DCF24 Ransom_Gen.R002C0XCK24 Ransom_Gen.R03BC0XCK24 Ransom_GenericCryptor.R002C0CCF24 Ransom_GenericCryptor.R002C0CCL24 Ransom_GenericCryptor.R002C0DCM24 Ransom_GenericCryptor.R023C0CCE24 Ransom_Petya.R002C0DCE24 Ransom_Phny.R002C0DCE24 Ransom_PolyRansom.R023C0GCE24 Ransom_PolyRansom.R023C0XCE24 Ransom_PornoAsset.R002C0CCF24 Ransom_PornoAsset.R002C0DCF24 Ransom_PornoAsset.R03BC0DCM24 Ransom_PornoAsset.R049C0DCE24 Ransom_Rakhni.R002C0PCE24 Ransom_Rantest.R06CC0CCE24 Ransom_Samas.R06CC0DCE24 Ransom_StopCrypt.R002C0DCL24 TROJ_GEN.R011C0CCF24 TROJ_GEN.R011C0GCF24 TROJ_GEN.R011C0WCK24 TROJ_GEN.R011H0CKG23 TROJ_GEN.R023C0OCL24 TROJ_GEN.R023C0WCL24 TROJ_GEN.R03BC0GCL24 TROJ_GEN.R03BC0WCV24 TROJ_GEN.R03FC0CCM24 TROJ_GEN.R049C0CCE24 TROJ_GEN.R049C0DCK24 TROJ_GEN.R049C0DCL24 TROJ_GEN.R049C0OCE24 TROJ_GEN.R049C0RCE24 TROJ_GEN.R049C0WCE24 TROJ_GEN.R053C0OCM24 TROJ_GEN.R06BC0XCL24 TROJ_GEN.R06CC0GCE24 TROJ_GEN.R06CC0WCL24 TROJ_GEN.R06FC0DCF24 Trojan.HTML.XWORM.YXECNZ Trojan.JS.ASYNCRAT.YXECOZ Trojan.JS.SOCGHOLISH.YXECOZ Trojan.Linux.CVE.USBLCG24 Trojan.MSIL.BLADABINDI.USBLCF24 Trojan.MSIL.DCRAT.USBLCF24 Trojan.MSIL.DNOPER.USBLCE24 Trojan.MSIL.DNOPER.USBLCF24 Trojan.MSIL.INJECTOR.USBLCF24 Trojan.MSIL.KRYPTIK.USBLCE24 Trojan.MSIL.MSILKRYPT.USBLCF24 Trojan.MSIL.POWERSHELL.USBLCE24 Trojan.MSIL.REDLINE.USBLCK24 Trojan.MSIL.REDLINE.USBLCO24 Trojan.MSIL.REDLINE.USBLCU24 Trojan.MSIL.ROZENA.USBLCE24 Trojan.MSIL.ROZENA.USBLCG24 Trojan.MSIL.SONBOKLI.USBLCG24 Trojan.MSIL.XMRIG.USBLCM24 Trojan.MSIL.XMRIG.USBLCN24 Trojan.MSIL.ZEGOST.USBLCJ24 Trojan.MSIL.ZNYONM.USBLCE24 Trojan.VBS.DARKGATE.YXECOZ Trojan.W97M.CVE.USBLCE24 Trojan.W97M.OBFUS.USBLCE24 Trojan.Win32.AGENTSMALL.USBLCE24 Trojan.Win32.AGENTSMALL.USBLCF24 
Trojan.Win32.ANDROM.USBLCL24 Trojan.Win32.AUTOIT.USBLCE24 Trojan.Win32.AUTOITGENOME.USBLCE24 Trojan.Win32.AUTOITINJECT.USBLCE24 Trojan.Win32.AUTORUN.USBLCE24 Trojan.Win32.AUTORUN.USBLCJ24 Trojan.Win32.AZORULT.USBLCP24 Trojan.Win32.BANLOAD.USBLCM24 Trojan.Win32.BARYS.USBLCM24 Trojan.Win32.BLACKMOON.USBLCF24 Trojan.Win32.BLACKMOON.USBLCL24 Trojan.Win32.BLIHAN.USBLCF24 Trojan.Win32.BLOCKER.USBLCF24 Trojan.Win32.CAYNAMER.USBLCF24 Trojan.Win32.CERBER.USBLCM24 Trojan.Win32.CODBOT.USBLCF24 Trojan.Win32.COMETER.USBLCE24 Trojan.Win32.CONVAGENT.USBLCI24 Trojan.Win32.COREWARRIOR.USBLCF24 Trojan.Win32.COREWARRIOR.USBLCL24 Trojan.Win32.CRYPT.USBLCJ24 Trojan.Win32.CYNS.USBLCF24 Trojan.Win32.DACIC.USBLCL24 Trojan.Win32.DANABOT.YXECOZ Trojan.Win32.DAWS.USBLCF24 Trojan.Win32.DELF.USBLCF24 Trojan.Win32.DIBIK.USBLCE24 Trojan.Win32.DINWOD.USBLCL24 Trojan.Win32.DISCO.USBLCF24 Trojan.Win32.DISIN.USBLCF24 Trojan.Win32.DISIN.USBLCG24 Trojan.Win32.DISKWRITER.USBLCF24 Trojan.Win32.DISS.USBLCE24 Trojan.Win32.DORIFEL.USBLCF24 Trojan.Win32.DROLNUX.USBLCE24 Trojan.Win32.DROPPER.USBLCF24 Trojan.Win32.EKSTAK.USBLCK24 Trojan.Win32.EMDUP.USBLCM24 Trojan.Win32.ESTIWIR.USBLCE24 Trojan.Win32.FAKEALERT.USBLCE24 Trojan.Win32.FAKEALERT.USBLCF24 Trojan.Win32.FARFLI.USBLCF24 Trojan.Win32.FERO.USBLCF24 Trojan.Win32.FILEINFECTOR.USBLCL24 Trojan.Win32.FLYSTUD.USBLCE24 Trojan.Win32.FORMBOOK.YXECOZ Trojan.Win32.GAMARUE.USBLCF24 Trojan.Win32.GAMUP.USBLCF24 Trojan.Win32.GANELP.USBLCF24 Trojan.Win32.GCLEANER.USBLCG24 Trojan.Win32.GCLEANER.YXECOZ Trojan.Win32.GENERICKD.USBLCE24 Trojan.Win32.GENKRYPTIK.USBLCF24 Trojan.Win32.GUPBOOT.USBLCF24 Trojan.Win32.HUPIGON.USBLCF24 Trojan.Win32.INJECT.USBLCF24 Trojan.Win32.INJECTS.USBLCE24 Trojan.Win32.INJECTS.USBLCF24 Trojan.Win32.IPAMOR.USBLCF24 Trojan.Win32.IRCBRUTE.USBLCE24 Trojan.Win32.IRCFLOOD.USBLCF24 Trojan.Win32.IYECLORE.USBLCF24 Trojan.Win32.JAIK.USBLCF24 Trojan.Win32.JUCHED.USBLCE24 Trojan.Win32.KHALESI.USBLCF24 Trojan.Win32.KOCEG.USBLCF24 Trojan.Win32.KRAP.USBLCF24 
Trojan.Win32.LAMER.USBLCF24 Trojan.Win32.LDPINCH.USBLCE24 Trojan.Win32.LDPINCH.USBLCF24 Trojan.Win32.LINEAGE.USBLCE24 Trojan.Win32.LOAN.USBLCF24 Trojan.Win32.LOAN.USBLCL24 Trojan.Win32.LUNA.USBLCF24 Trojan.Win32.MAGANIA.USBLCF24 Trojan.Win32.MANSABO.USBLCE24 Trojan.Win32.MEKOTIO.USBLCI24 Trojan.Win32.METASPLOIT.USBLCF24 Trojan.Win32.MIRA.USBLCL24 Trojan.Win32.MULDROP.USBLCM24 Trojan.Win32.MULTIPLUG.USBLCF24 Trojan.Win32.MYDOOM.USBLCF24 Trojan.Win32.NEMUCOD.USBLCF24 Trojan.Win32.NEMUCOD.USBLCM24 Trojan.Win32.NESHTA.USBLCE24 Trojan.Win32.NEVEREG.USBLCF24 Trojan.Win32.NEWDOTNET.USBLCG24 Trojan.Win32.NITOL.USBLCM24 Trojan.Win32.NOOBYPROTECT.USBLCK24 Trojan.Win32.OBFUS.USBLCF24 Trojan.Win32.OPERALOADER.YXECOZ Trojan.Win32.PARIHAM.USBLCF24 Trojan.Win32.PCCLIENT.USBLCF24 Trojan.Win32.PIKABOT.YXECRZ Trojan.Win32.PIKABOT.YXECZZ Trojan.Win32.PISTOLAR.USBLCF24 Trojan.Win32.PLITE.USBLCL24 Trojan.Win32.POWERSHELL.USBLCF24 Trojan.Win32.PROTUX.USBLCF24 Trojan.Win32.PURORA.USBLCE24 Trojan.Win32.PYTR.USBLCE24 Trojan.Win32.QQPASS.USBLCF24 Trojan.Win32.QUKART.USBLCM24 Trojan.Win32.RACCOON.USBLCF24 Trojan.Win32.REMCOS.USBLCF24 Trojan.Win32.REMHEAD.USBLCF24 Trojan.Win32.REVERSESHELL.USBLCG24 Trojan.Win32.SAKUREL.USBLCF24 Trojan.Win32.SCAR.USBLCG24 Trojan.Win32.SFONE.USBLCF24 Trojan.Win32.SILENTCRYPTOMINER.USBLCE24 Trojan.Win32.SMOKELOADER.USBLCE24 Trojan.Win32.SOUL.USBLCE24 Trojan.Win32.STAPCORE.USBLCG24 Trojan.Win32.STAPCORE.USBLCI24 Trojan.Win32.STEALC.USBLCK24 Trojan.Win32.SYSTEMBC.USBLCF24 Trojan.Win32.TINBA.USBLCF24 Trojan.Win32.TINY.USBLCF24 Trojan.Win32.TRICKBOT.USBLCG24 Trojan.Win32.UNRUY.USBLCF24 Trojan.Win32.UPATRE.USBLCM24 Trojan.Win32.URELAS.USBLCI24 Trojan.Win32.VILSEL.USBLCF24 Trojan.Win32.VMPROTECT.USBLCO24 Trojan.Win32.VUNDO.USBLCF24 Trojan.Win32.WAJAM.USBLCF24 Trojan.Win32.XPACK.USBLCF24 Trojan.Win32.ZAPCHAST.USBLCE24 Trojan.Win32.ZLOAD.USBLCE24 Trojan.Win32.ZLOADER.USBLCE24 Trojan.Win32.ZLOB.USBLCL24 Trojan.Win32.ZOMBIE.USBLCM24 Trojan.Win64.BUMBLELOADER.YXECOZ 
Trojan.Win64.DCRAT.USBLCF24 Trojan.Win64.GENKRYPTIK.USBLCF24 Trojan.Win64.INJEXA.USBLCF24 Trojan.Win64.LAZY.USBLCF24 Trojan.Win64.LUNA.USBLCF24 Trojan.Win64.LUNA.USBLCH24 Trojan.Win64.LUNALOGGER.USBLCK24 Trojan.Win64.OPERALOADER.YXECOZ Trojan.Win64.ROZENA.USBLCE24 Trojan.Win64.SPYLOADER.USBLCK24 Trojan.Win64.STEALER.USBLCF24 Trojan.Win64.STEALER.USBLCG24 Trojan.Win64.STEALER.USBLCH24 Trojan.Win64.STEALER.USBLCI24 Trojan.Win64.STEALER.USBLCO24 Trojan.Win64.STRELA.USBLCE24 Trojan.Win64.STRELA.USBLCF24 Trojan.Win64.STRELA.USBLCH24 Trojan.Win64.STRELA.USBLCI24 Trojan.Win64.STRELASTEALER.USBLCJ24 Trojan.Win64.STRELASTEALER.USBLCK24 Trojan.X97M.CVE.USBLCE24 Trojan.X97M.CVE.USBLCF24 TrojanSpy.MSIL.KRYPTIK.USBLCE24 TrojanSpy.MSIL.STEALERC.USBLCE24 TrojanSpy.Win32.CARDSPY.USBLCF24 TrojanSpy.Win32.FASONG.USBLCG24 TrojanSpy.Win32.QUKART.USBLCF24 TrojanSpy.Win32.REDLINE.USBLCF24 TrojanSpy.Win32.SNOJAN.USBLCE24 TrojanSpy.Win32.STEALC.USBLCM24 TrojanSpy.Win32.URSNIF.YXECOZ TrojanSpy.Win32.ZPEVDO.USBLCF24 TrojanSpy.Win64.EXPIRO.USBLCE24 TrojanSpy.Win64.REDLINE.YXECOZ TrojanSpy.Win64.STEALER.USBLCG24 TrojanSpy.Win64.STEALER.USBLCI24 Worm.Win32.DELF.USBLCF24 Worm.Win32.KOCEG.USBLCF24 Worm.Win32.LUDBARUMA.USBLCF24 Worm.Win32.RAMNIT.USBLCG24 Worm.Win32.SILENTALL.USBLCE24 Worm.Win32.VMPROTECT.USBLCG24 [/SPOILER] Trend Micro uses Advanced Threat Scan Engine which is fully cloud-based to scan files without a good reputation. ATSE can block malware and identify the malware family (which can make it look like it’s definitions-based). [SPOILER="ATSE 1"] [HEADING=2]Detect emerging threats using Predictive Machine Learning[/HEADING] Use Predictive Machine Learning to detect unknown or low-prevalence malware. (For more information, see [URL='https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware.html#machine']Predictive Machine Learning[/URL].) 
Predictive Machine Learning uses the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the Predictive Machine Learning engine on the Trend Micro Smart Protection Network. To enable Predictive Machine Learning, perform the following:
[LIST=1]
[*][URL='https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-predictive-machine-learning.html#proxy']Ensure Internet connectivity[/URL]
[*][URL='https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-predictive-machine-learning.html#enable']Enable Predictive Machine Learning[/URL]
[/LIST]
As with all detected malware, Predictive Machine Learning logs an event when it detects malware. (See [URL='https://help.deepsecurity.trendmicro.com/feature-releases/events.html']About Deep Security event logging[/URL].) You can also create an exception for any false positives. (See [URL='https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-exceptions.html']Create anti-malware exceptions[/URL].)

[HEADING=2]Ensure Internet connectivity[/HEADING]
Predictive Machine Learning requires access to the Global Census Service, Good File Reputation Service, and Predictive Machine Learning Service. These services are hosted in the Trend Micro Smart Protection Network. If your Deep Security Agents or Virtual Appliance cannot access the Internet directly, see [URL='https://help.deepsecurity.trendmicro.com/feature-releases/agent-airgapped.html']Configure agents that have no internet access[/URL] for workarounds.

[HEADING=2][URL='https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-predictive-machine-learning.html']Detect emerging threats using Predictive Machine Learning | Deep Security[/URL][/HEADING]
[/SPOILER]

[SPOILER="ATSE 2"]
[HEADING=1]Predictive Machine Learning[/HEADING]
Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features. Predictive Machine Learning also performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network. Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks.

After detecting an unknown or low-prevalence file, Deep Discovery Web Inspector scans the file using the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the Predictive Machine Learning engine, hosted on the Trend Micro Smart Protection Network. Through use of malware modeling, Predictive Machine Learning compares the sample to the malware model, assigns a probability score, and determines the probable malware type that the file contains.

Depending on how you configure your policies, Deep Discovery Web Inspector can block the object to prevent the threat from continuing to spread across your network. Alternatively, you can configure the policy to monitor and log information about the object without blocking it.
[URL]https://docs.trendmicro.com/all/ent/ddwi/2.5/en-us/ddwi_2.5_olh/Predictive-Machine-L.html[/URL]
[/SPOILER]

[SPOILER="Smart Scan"]
Smart Protection Network integration is available for your computers and workloads through Anti-Malware and Web Reputation modules. Smart Feedback, which is set at the system level, allows you to provide continuous feedback to the Smart Protection Network. For more about Trend Micro's Smart Protection Network, see [URL='https://www.trendmicro.com/en_us/business/technologies/smart-protection-network.html']Smart Protection Network[/URL].

If you are operating in a FedRAMP (Federal Risk and Authorization Management Program) environment, you cannot use Smart Feedback. If you have already enabled Smart Feedback, you must disable it.

In this topic:
[LIST]
[*][URL='https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Anti-Mal']Anti-Malware and Smart Protection[/URL]
[*][URL='https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Web']Web Reputation and Smart Protection[/URL]
[*][URL='https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Smart3']Smart Feedback[/URL]
[*][URL='https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#disable']Disable Smart Feedback[/URL]
[/LIST]
See also [URL='https://docs.trendmicro.com/en-us/enterprise/smart-protection-server.aspx']Smart Protection Server documentation[/URL] for instructions on manually deploying the server.

[HEADING=1]Anti-Malware and Smart Protection[/HEADING]
[LIST]
[*][URL='https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Benefits']Benefits of Smart Scan[/URL]
[*][URL='https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Smart']Enable Smart Scan[/URL]
[*][URL='https://cloudone.trendmicro.com/docs/workload-security/smart-protection/#Smart2']Smart Protection Server for File Reputation Service[/URL]
[/LIST]

[HEADING=2]Benefits of Smart Scan[/HEADING]
Smart Scan provides the following features and benefits:
[LIST]
[*]Provides fast, real-time security status lookup capabilities in the cloud.
[*]Reduces the overall time it takes to deliver protection against emerging threats.
[*]Reduces network bandwidth consumed during pattern updates. The bulk of pattern definition updates only needs to be delivered to the cloud, not to many endpoints.
[*]Reduces the cost and overhead associated with corporate-wide pattern deployments.
[/LIST]

[HEADING=2]Enable Smart Scan[/HEADING]
Smart Scan is available in the Anti-Malware module. It leverages Trend Micro's [URL='https://www.trendmicro.com/en_us/business/technologies/smart-protection-network.htmlindex.html']Smart Protection Network[/URL] to allow local pattern files to be small and reduces the size and number of updates required by agents and Appliances.

When Smart Scan is enabled, the agent downloads a small version of the much larger full malware pattern from a Smart Protection Server. This smaller pattern can quickly identify files as either confirmed safe or possibly dangerous. Possibly dangerous files are compared against the larger complete pattern files stored on Trend Micro Smart Protection Servers to determine with certainty whether they pose a danger or not.

Without Smart Scan enabled, your relay agents must download the full malware pattern from a Smart Protection Server to be used locally on the agent. The pattern is only updated as scheduled security updates are processed. The pattern is typically updated once per day for your agents to download and is around 120 MB.

Verify that the computer can reliably connect to the global Trend Micro Smart Protection Network URLs (see [URL='https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip']Port numbers[/URL] for a list of URLs). If connectivity is blocked by a firewall, proxy, or AWS security group or if the connection is unreliable, it reduces Anti-Malware performance.

[HEADING=2][URL='https://help.deepsecurity.trendmicro.com/feature-releases/anti-malware-predictive-machine-learning.html']Detect emerging threats using Predictive Machine Learning | Deep Security[/URL][/HEADING]

Client scanning can be performed in two methods:
[LIST]
[*]Conventional Scan
A scan method used in all earlier WFBS versions. A Conventional Scan client stores all Security Agent components on the client computer and scans all files locally.
[*]Smart Scan
Smart Scan leverages threat signatures that are stored in the cloud. When in Smart Scan mode, the WFBS agent first scans for security risks locally. If the client cannot determine the risk of the file during the scan, the client connects to the local Smart Scan Server. If the clients cannot connect to it, they will attempt to connect to the Trend Micro Global Smart Scan Server. Smart Scan provides the following features and benefits:
[LIST]
[*]Provides fast, real-time security status lookup capabilities in the cloud.
[*]Reduces the overall time it takes to deliver protection against emerging threats.
[*]Reduces network bandwidth consumed during pattern updates. The bulk of pattern definition updates only needs to be delivered to the cloud and not to many endpoints.
[*]Reduces the cost and overhead associated with corporate-wide pattern deployments.
[*]Lowers kernel memory consumption on endpoints. Consumption increases minimally over time.
[/LIST]
[/LIST]

Trend Micro strongly recommends switching from Conventional Scanning to Smart Scanning:
[LIST]
[*]Recent statistics show that the Smart Scan Agent pattern (OTH, which is stored locally on the actual agent that uses Smart Scanning) covers 80% of the total threats, and that the Smart Scan pattern (TBL, stored on the Scan Server) covers the other 20%.
[*]Aside from the Smart Scan Agent pattern (icrc$oth.xxx), a local cache is used to reduce about 80% of outgoing queries. The CRC cache works as a partial Smart Scan Pattern replica so that previously obtained CRCs can be reused later.
[/LIST]
In other words, the CRCs are ready to be used to protect an endpoint user and are effective on malware that has been previously detected. However, the date may vary among individual users according to their usage behavior.

[URL unfurl="true"]https://success.trendmicro.com/dcx/s/solution/1053817-difference-between-the-conventional-scan-and-smart-scan-functions-of-worry-free-business-security?language=en_US[/URL]
[/SPOILER]

[SPOILER="Virus Scan API and ATSE Release Notes"]
The release notes for the scan engine are [URL='https://success.trendmicro.com/dcx/s/solution/000148744?language=ja']here[/URL] (only in Japanese):

VSAPI 22.610 / ATSE 22.610~23.570
Release date 2023.08.23

■New features of VSAPI 22.610 / ATSE 22.610~23.570
[LIST]
[*]Added search function using machine learning (This is a local model type search function that is included inside the search engine.)
[*]Added and improved detection functions for new threats
[*]Supports identification of Lzip file types
[*]Improved identification function for MP3 file types
[*]Fixes for various bugs
[/LIST]

The version number of the engine (the second part of it) is calculated by multiplying the release month by 10 and adding 500. For example, December = 12*10 + 500 = 620.
[/SPOILER]

[SPOILER="Potential Cons"]
Whilst I do not have evidence that the Trend Micro approach is in any way insufficient, there are a few key issues which I see here that are worth considering:
[LIST]
[*]Machine learning (ATSE) and behavioural blocking are heavily focused on files/processes with low prevalence (read above). Trusted files and processes can be abused (Trend Micro may have found a way to handle this).
[*]Very cloud-based, offline protection poor (which shouldn't be that big of a deal).
[*]Business-focused: many programmes could have an unfavourable reputation as they are not used in business environments, and Trend Micro does not have the sheer number of home users.
[*]Dropping detections on malware that is not damaging anymore may be great for performance, but I am unsure why hashes are not kept on the cloud; it leaves a rather sour taste.
[*]Not enough information on what files Predictive Machine Learning handles (apart from executables and documents) and what files are subjected to reputation checks.
[/LIST]
[/SPOILER]

[SPOILER="Naming Convention"]
Starting July 2018, Trend Micro will apply a new Threat Detection Naming Scheme in order to align more closely with the rest of the industry in regards to the naming convention for threats and other malicious files.
Moving forward, Trend Micro will start to name malware and other threat detection patterns in alignment with the Computer Antivirus Research Organization (CARO) Malware Naming Scheme, which follows the format described below:

[B]<Threat Type>.<Platform>.<Malware Family>.<Variant>.<Other info*>[/B]
[I]*Optional[/I]

Below is a more detailed breakdown of the new format:

[URL='https://powerbox-na-file.trend.org/SFDC/DownloadFile_iv.php?jsonInfo=%7B%22Query%22%3A%22kfiR6s%2Ft8EZDIrGSqdLugnAisPNJxrCahlcSQv2%2FywkncJOlfx%2B3YZj%2FKh5DDinl%2BFsh4JgM003zyFwXp%2BAdbQZWwqkZrcKWwMHB4iA6Wu8oyIWX9qiLy0pki%2Fm37C5lIm1NIGs0DRsr1Gd6WYj8HeZPNaOj03iqg5drLoDqU2tliTP0m9h7jYy5PWjEy9HLKiRlgxfXVatk3T9Bcte%2BpK39VQQv1IxKr1vLCdvVzw%2BJQ%2FXv4eBi4FLCqQJAItgp%22%2C%22iv%22%3A%2210ba0bdf2287d461c3544bf116adda1c%22%7D'][IMG alt="Ransom.Win32.Locky.A.dldr"]https://powerbox-na-file.trend.org/SFDC/DownloadFile_iv.php?jsonInfo=%7B%22Query%22%3A%22kfiR6s%2Ft8EZDIrGSqdLugnAisPNJxrCahlcSQv2%2FywkncJOlfx%2B3YZj%2FKh5DDinl%2BFsh4JgM003zyFwXp%2BAdbQZWwqkZrcKWwMHB4iA6Wu8oyIWX9qiLy0pki%2Fm37C5lIm1NIGs0DRsr1Gd6WYj8HeZPNaOj03iqg5drLoDqU2tliTP0m9h7jYy5PWjEy9HLKiRlgxfXVatk3T9Bcte%2BpK39VQQv1IxKr1vLCdvVzw%2BJQ%2FXv4eBi4FLCqQJAItgp%22%2C%22iv%22%3A%2210ba0bdf2287d461c3544bf116adda1c%22%7D[/IMG][/URL]

[HEADING=1]Threat Type[/HEADING]
The Threat Type represents the main threat category that describes what the main behavior of the threat is.
[LIST]
[*]For malware: Trojan, Worm, Virus, Ransomware, Coinminer and Backdoor are the most common threat types that we use.
[*]For grayware: Adware, Spyware, and PUA are the most common threat types.
[/LIST]

[HEADING=1]Platform[/HEADING]
Platform refers to the environment in which the threat is designed to execute and covers both software and hardware. This would include Operating Systems: Windows (Win32, Win64), Mac OS, Linux, and Android, as well as programming languages (scripting languages) and file formats (Microsoft Word/Excel/PowerPoint).

[HEADING=1]Family[/HEADING]
Threats with similar behavior are grouped together and referred to as a family. Each family is named based on the behavior it manifests.

[HEADING=1]Variant[/HEADING]
To identify different strains of malware under one family, letters are used in a sequential manner and referred to as the Variant.

[HEADING=1]Other Information [I](Optional)[/I][/HEADING]
Information deemed useful in providing further insight for some complex threats can make use of this optional section of the naming scheme. For example, dldr means downloader. Therefore, the detection name Ransom.Win32.Locky.A.dldr provides information that this threat is a downloader for the Locky Ransomware.

Trend Micro plans to implement this new detection naming scheme in a phased approach. The initial focus will be on customer submitted samples and noteworthy threats, and eventually will encompass all channels including bulk submissions and other sourcing methods. We believe that aligning more closely with the CARO standards is beneficial for customers, especially those who use a mixed-vendor security environment and require cross-checking of threats. We apologize in advance for any inconvenience this may cause, and encourage customers to contact their authorized Trend Micro support representative for any questions or concerns with the new naming scheme.

[URL unfurl="true"]https://success.trendmicro.com/dcx/s/solution/1119738-new-threat-detection-naming-scheme-in-trend-micro?language=en_US&sfdcIFrameOrigin=null[/URL]
[/SPOILER]

P.S. We need a few more TM tests; any users willing to participate, apart from [USER=92939]@Shadowra[/USER], who can retest at some point? [/QUOTE]
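Added example (not from the post above and not Trend Micro's own tooling): a small Python parser for detection names written in the CARO-aligned scheme the post quotes, run over names copied from the post's detection list. It splits `<Threat Type>.<Platform>.<Malware Family>.<Variant>[.<Other info>]`, classifies the type as malware or grayware using the two lists the post gives, expands the one documented suffix (`dldr`), groups variants by platform and family, and rejects truncated strings instead of mis-parsing them. By assumption, `Ransom` (as in the post's `Ransom.Win32.Locky.A.dldr` example) and `TrojanSpy` (seen in the name list) are treated as malware types; the function and constant names are this example's own.

```python
"""Parse and group Trend Micro detection names written in the CARO-aligned
scheme described in the post:

    <Threat Type>.<Platform>.<Malware Family>.<Variant>[.<Other info>]

Added example for this thread, not Trend Micro's own tooling. The type sets
are the ones the post lists; "Ransom" (as in the post's Ransom.Win32.Locky.A.dldr
example) and "TrojanSpy" (seen in the name list) are treated as malware
types by assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MALWARE_TYPES = {"Trojan", "TrojanSpy", "Worm", "Virus", "Ransom", "Ransomware",
                 "Coinminer", "Backdoor"}
GRAYWARE_TYPES = {"Adware", "Spyware", "PUA"}
# Meaning of the optional fifth field; only "dldr" is documented in the post.
OTHER_INFO = {"dldr": "downloader"}


@dataclass(frozen=True)
class DetectionName:
    threat_type: str
    platform: str
    family: str
    variant: str
    other_info: Optional[str] = None

    @property
    def category(self) -> str:
        """'malware', 'grayware', or 'unknown' for a type outside both lists."""
        if self.threat_type in MALWARE_TYPES:
            return "malware"
        if self.threat_type in GRAYWARE_TYPES:
            return "grayware"
        return "unknown"

    def describe(self) -> str:
        """One-line summary of the kind you would drop into a triage note."""
        text = (f"{self.category} of type {self.threat_type} for {self.platform}, "
                f"family {self.family}, variant {self.variant}")
        if self.other_info:
            text += f" ({OTHER_INFO.get(self.other_info, self.other_info)})"
        return text


def parse_detection_name(name: str) -> DetectionName:
    """Split a name into its dotted fields and reject anything outside the scheme.

    Truncated strings and names in the older, underscore-based style are
    rejected with ValueError rather than silently mis-parsed.
    """
    parts = name.strip().split(".")
    if len(parts) not in (4, 5) or any(not p for p in parts):
        raise ValueError(
            f"not a <Type>.<Platform>.<Family>.<Variant>[.<Info>] name: {name!r}")
    other = parts[4] if len(parts) == 5 else None
    return DetectionName(parts[0], parts[1], parts[2], parts[3], other)


def group_by_family(names: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group variants by 'platform/family' and list the names that did not parse."""
    groups: Dict[str, List[str]] = defaultdict(list)
    rejected: List[str] = []
    for name in names:
        try:
            parsed = parse_detection_name(name)
        except ValueError:
            rejected.append(name)
            continue
        groups[f"{parsed.platform}/{parsed.family}"].append(parsed.variant)
    return dict(groups), rejected


# Constructed sample: names copied from the list in the post, the post's
# Ransom.Win32.Locky.A.dldr example, and one deliberately truncated string.
SAMPLE_NAMES = [
    "Trojan.Win64.STEALER.USBLCF24",
    "Trojan.Win64.STEALER.USBLCG24",
    "TrojanSpy.Win64.STEALER.USBLCI24",
    "Trojan.X97M.CVE.USBLCE24",
    "Worm.Win32.RAMNIT.USBLCG24",
    "Ransom.Win32.Locky.A.dldr",
    "Trojan.Win32",  # truncated, as a log parser might see it
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        try:
            print(f"{name:36} -> {parse_detection_name(name).describe()}")
        except ValueError as err:
            print(f"{name:36} -> rejected: {err}")
    grouped, bad = group_by_family(SAMPLE_NAMES)
    print(grouped, bad)
```

The grouping is where the scheme pays off for a mixed-vendor environment: the three STEALER names land in one `Win64/STEALER` bucket regardless of whether the type field says `Trojan` or `TrojanSpy`, so you can cross-check a family against another vendor's verdicts without caring about the per-vendor variant suffix.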