Trend Micro uses 2 different engines:
VSAPI is a standard antivirus engine, ATSE is Next-Gen Antivirus.
I asked Gemini 2.5 Pro to deep research both and extract their version history, which is otherwise difficult to find/track.
An Analysis of Trend Micro's VSAPI and ATSE: Release History and Modus Operandi
1. Executive Summary
This report provides a detailed technical analysis of Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE), two core components underpinning the company's extensive suite of security products. VSAPI has long served as the foundational file scanning engine, responsible for initial threat classification. ATSE, conversely, represents a more sophisticated layer, engineered to detect and counter advanced threats, including zero-day exploits and targeted attacks. This document will explore their respective operational mechanisms, trace their chronological development through key release milestones, and examine their intertwined evolutionary paths. A significant aspect of this evolution includes the introduction of technologies such as Advanced File Information (AFI), which has enhanced both the security and analytical capabilities of these engines. The report aims to elucidate the distinct roles and synergistic functions of VSAPI and ATSE, their adaptation to the evolving threat landscape, and their current standing within Trend Micro's comprehensive security architecture.
2. Trend Micro Virus Scan API (VSAPI): Foundation of Detection
The Virus Scan API (VSAPI) has been a cornerstone of Trend Micro's threat detection capabilities for many years. This section details its core definition, architectural underpinnings, primary operational mechanisms, and a chronological overview of its development, highlighting significant updates and enhancements that have shaped its role in cybersecurity.
2.1. Core Definition, Purpose, and Architecture
The Virus Scan API (VSAPI) is fundamentally Trend Micro's primary File Scanning Engine. It serves as a core technology module integrated into the majority of Trend Micro Security Products. Its principal function is the processing of file objects and their subsequent classification as malicious, suspected, or non-malicious. This positions VSAPI as a critical first line of defense against file-based threats, forming a foundational layer upon which more advanced detection strategies are often constructed or integrated.
VSAPI's architecture is not that of a standalone module; rather, it is deeply interwoven with Trend Micro's broader threat intelligence infrastructure, utilizing various detection patterns. A notable update to the Threat Detection Naming Scheme, implemented from July 2, 2018, applies to all products that leverage VSAPI. This change impacts specific detection patterns, namely the Conventional Virus Scan Pattern, the Smart Scan Agent Pattern, and the Smart Scan Cloud Query Pattern. This reliance on diverse pattern types, including cloud-integrated patterns, underscores VSAPI's core methodology of pattern matching and its continuous connection to the Smart Protection Network, a feature highlighted as early as the VSAPI 9.0 release. The integration ensures VSAPI benefits from up-to-date intelligence for identifying known threats.
The operational efficacy of VSAPI is maintained through a centralized distribution mechanism for its components, such as virus pattern files (e.g., vsapi.zip). Platforms like Trend Micro Apex Central manage and disseminate these updates. Apex Central utilizes a configured web server address, stored within the SystemConfiguration.xml file, to notify agents about available updates. For instance, the vsapi.zip pattern file is distributed from a designated folder (e.g., Control Manager\WebUI\download\activeupdate\pattern) on the Apex Central server. This system ensures that endpoints consistently receive the latest protection definitions.
The consistent designation of VSAPI as the "core" or "File Scanning Engine", coupled with its extensive history (with versions like 9.0 released in 2009) and significant updates over time—including changes to naming conventions and versioning formats—points to its role as an evolvable platform. Its ability to integrate with various pattern types, including cloud-based ones, and the mention of "ATSE Monthly Release Merge" in a VSAPI readme suggest that VSAPI may function as a foundational framework that incorporates advancements from, or operates in conjunction with, other specialized engines such as ATSE. Thus, VSAPI is not merely a legacy system but a dynamic and critical component of Trend Micro's detection strategy, adapting by potentially integrating newer, more specialized modules while reliably handling known threats.
2.2. Modus Operandi: Key Mechanisms
VSAPI employs several key mechanisms to identify and classify threats, extending beyond simple signature matching.
A significant capability, introduced in VSAPI version 9.77 and maintained in subsequent versions, is Packer-Identification. This feature is specifically designed to analyze Portable Executable (PE) files that have been "packed." Packing is a technique used legitimately by software developers to reduce file size or protect binaries through obfuscation; however, it is also widely adopted by malware authors to evade detection by traditional antivirus software. The Packer-Identification mechanism aims to counter malware that leverages common packers such as UPX, Themida, and ASPack. Detections made by this feature are systematically named using formats like PACP_XXX.STD for standard packer types and PACP_XXX.CM for customized packer types, where XXX signifies the specific packer identified (e.g., PACK_ASPACK_001.STD). For enterprise customers, Trend Micro provides a "Packer-Identification Policy Scan." Within products like OfficeScan, administrators can configure policies to "Deny access to executable compressed files" and maintain an approved list of packer types to minimize false positives from legitimate packed software. This functionality demonstrates VSAPI's capacity to inspect file characteristics indicative of evasion tactics.
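To make the packer-identification and approved-list idea concrete, here is an added example (not from the report and not Trend Micro's code) that reads a PE section table and applies a deny-unless-approved policy. It assumes the widely documented section names left by unmodified UPX, ASPack and Themida output; the function names, the policy return values and the sample PE header are constructed for illustration.

```python
import struct

# Section names commonly left by unmodified output of the packers named above.
# Assumption for illustration: a real engine uses far richer signatures.
PACKER_SECTIONS = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "ASPack": {".aspack", ".adata"},
    "Themida": {".themida"},
}


def pe_section_names(data):
    """Return the section names of a PE image, or None if data is not a PE.

    Raises ValueError when the headers claim more than the file contains.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    if pe_off + 24 > len(data):
        raise ValueError("truncated COFF header")
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                     # first section header
    names = []
    for i in range(num_sections):
        off = table + i * 40                           # 40-byte section headers
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[off:off + 8].split(b"\0", 1)[0]     # 8-byte, NUL-padded name
        names.append(raw.decode("ascii", "replace"))
    return names


def identify_packer(names):
    """Return the first packer whose marker sections are present, else None."""
    present = set(names)
    for packer, markers in PACKER_SECTIONS.items():
        if present & markers:
            return packer
    return None


def policy_decision(data, approved=frozenset()):
    """Deny packed executables unless the packer is on the approved list."""
    try:
        names = pe_section_names(data)
    except ValueError:
        return ("deny", None)          # malformed PE: fail closed
    if names is None:
        return ("allow", None)         # not a PE, outside this policy
    packer = identify_packer(names)
    if packer is not None and packer not in approved:
        return ("deny", packer)
    return ("allow", packer)


def build_sample_pe(section_names):
    """Constructed sample: minimal DOS + COFF headers and a section table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    print(policy_decision(sample))                      # packed, not approved
    print(policy_decision(sample, approved={"UPX"}))    # packed, approved
```

Section names are easy to rename, so a check like this only catches unmodified packer output.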
The general scanning process of VSAPI relies on the synergy between the scan engine and virus pattern files to execute pattern matching. Instead of exhaustively scanning every byte of every file, the engine intelligently identifies tell-tale characteristics of viral code and common locations within a file where malware typically resides. Furthermore, VSAPI is equipped to handle various file manipulations; it can decrypt all major encryption formats, including MIME and BinHex, and is capable of scanning common compression formats such as .Zip, .Arj, and .Cab, even when nested up to multiple layers. This describes the fundamental operational method of VSAPI for detecting known threats through signature-based analysis while also managing common forms of file obfuscation and compression.
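A scanner that recurses into nested archives has to bound the work it does. The following added example (not from the report and not Trend Micro's code) walks nested ZIP files under a depth limit, a total decompressed-byte budget and a per-member expansion ratio; the limit values, function names and sample archives are assumptions constructed for illustration, and it handles ZIP only because that is what the Python standard library reads.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    max_depth: int = 3                       # archive layers opened, top level = 1
    max_total_bytes: int = 8 * 1024 * 1024   # decompressed bytes for the whole job
    max_ratio: int = 200                     # declared size / compressed size


def _read_capped(zf, info, cap):
    """Decompress one member in chunks; return None once output exceeds cap."""
    out = bytearray()
    with zf.open(info) as fh:
        while chunk := fh.read(64 * 1024):
            out += chunk
            if len(out) > cap:               # do not trust the declared size
                return None
    return bytes(out)


def scan_nested_zip(data, limits=Limits()):
    """Walk nested ZIPs under fixed limits.

    Returns (leaves, findings). leaves are paths of non-archive members a
    scanner would inspect; findings are (path, reason) pairs for members
    skipped because a limit was hit or the data could not be read.
    """
    remaining = limits.max_total_bytes
    leaves, findings = [], []

    def walk(blob, depth, prefix):
        nonlocal remaining
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            findings.append((prefix.rstrip("/") or "<input>", "corrupt"))
            return
        with zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = prefix + info.filename
                member, reason = None, None
                if info.flag_bits & 0x1:
                    reason = "encrypted"
                elif info.file_size > limits.max_ratio * max(info.compress_size, 1):
                    reason = "ratio"
                elif info.file_size > remaining:
                    reason = "budget"
                else:
                    try:
                        member = _read_capped(zf, info, remaining)
                        if member is None:
                            reason = "budget"
                    except (zipfile.BadZipFile, zlib.error):
                        reason = "corrupt"
                if reason:
                    findings.append((path, reason))
                    continue
                remaining -= len(member)
                if not zipfile.is_zipfile(io.BytesIO(member)):
                    leaves.append(path)      # pattern matching would run here
                elif depth >= limits.max_depth:
                    findings.append((path, "depth"))
                else:
                    walk(member, depth + 1, path + "/")

    walk(data, 1, "")
    return leaves, findings


def make_zip(members):
    """Constructed sample input: build a deflated ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    nested = make_zip({"a.txt": b"hello", "inner.zip": make_zip({"b.txt": b"world"})})
    print(scan_nested_zip(nested))
    print(scan_nested_zip(make_zip({"zeros.bin": bytes(1024 * 1024)})))
```

A member that trips a limit is reported rather than silently skipped, so the calling policy can decide whether to block or quarantine the container.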
2.3. Release History and Key Evolutionary Milestones
VSAPI has undergone numerous updates throughout its lifecycle, reflecting Trend Micro's commitment to adapting its core scanning technology to the evolving threat landscape.
One of the pivotal releases was VSAPI 9.0, officially launched on October 26, 2009, with version number 9.000.1003. This version introduced significant improvements, including an enhanced cleaning mechanism, advancements in Smart Protection Network integration, support for wildcards in scan exclusion lists, compatibility with additional file types, and notably, improved detection capabilities for PDF exploits, shellcode, and vulnerabilities within Microsoft Office products. At the time, Trend Micro strongly urged customers to upgrade to version 9.0 due to the escalating volume of malware samples and the increasing size of malware pattern files, concurrently announcing the discontinuation of support for prior versions. This release marked a significant step in VSAPI's evolution, emphasizing its adaptation to a more complex threat environment and deeper integration with cloud-based threat intelligence.
Later, VSAPI 9.77 introduced the Packer-Identification Policy Scan, though a specific release date is not provided in the available materials. This added a specialized capability to address malware obfuscation techniques.
On May 5, 2017, VSAPI 9.950 was released. This version extended support to a wide range of platforms including Windows NTKD (32/64-bit), Windows DLL (32/64-bit), Linux (32/64-bit), Linux CIFS, and macOS (32/64-bit). Key new features included an obfuscated JavaScript scan targeting ransomware, support for base64 decoding on PE files also for ransomware detection, the ability for heuristic rules to be disabled by pattern, and support for .crx (Google Chrome extension) file decompression. These enhancements demonstrated VSAPI's continued adaptation to new threat categories like ransomware, new file formats, and provided more granular control over its heuristic detection.
A significant joint release, VSAPI / ATSE 11.0, occurred with components dated around October 12, 2018 (readme date) and an availability date of December 4, 2018. Both VSAPI (version 11.000-1006) and ATSE (version 11.000-1006) were part of this update. Shared features included support for Windows 10 RS5, TTF (TrueType Font) and ISO (Disk Image) file identification, UPX 64-bit decompression support, and OneNote embedded file extraction support. The VSAPI 11.000-1006 readme further detailed features such as scanning of registry keys, scheduled tasks, WMI, and BITS; MIP3 support for fileless memory-resident threats; TrendX support for ELF, Office macros, and local models; and importantly, an "ATSE Monthly Release Merge". This release is a key indicator of VSAPI and ATSE being updated and distributed in tandem, with VSAPI acting as a vehicle for ATSE's ongoing monthly updates. It highlights a strategy of continuous enhancement and a broadening scope of detection, including sophisticated fileless threats and support for newer operating systems and file types.
A public beta for VSAPI 12.0 ran from August 19, 2019, to September 27, 2019. This version focused on enlarging the Machine Learning scope for potentially high-risk file types such as JAR, InnoSetup, and XML Word Document Macro Extraction. It also included enhanced identification support for ALZip and InnoSetup 5.5.9 packers, and new platform support for Windows 19H1 and macOS x64 SDK 10.x. This signaled a deeper integration of machine learning capabilities directly into VSAPI's development trajectory.
To accommodate a more rapid response to the latest threats, Trend Micro implemented a new versioning format for VSAPI (and ATSE) for releases after 2021. The format changed to Year.Month.Build (e.g., 21.550.1001 signifies a release from May 2021). This structural change reflects a strategic shift towards more agile and frequent updates.
The ongoing maintenance and incremental updates of VSAPI are also evident in patches for specific Trend Micro products. For example, Worry-Free Business Security (WFBS) 10.0 SP1 patches included several VSAPI engine updates:
The development trajectory of VSAPI has been consistently driven by the evolving threat landscape and operational requirements. The urgent recommendation to upgrade to VSAPI 9.0 was a direct response to the "dramatic rise of malware samples". Subsequent versions like 9.950 added specific defenses against ransomware and new file types. VSAPI 11.0 expanded support for modern Windows versions and file types like ISO and TTF, while also enhancing capabilities against fileless threats through TrendX. The VSAPI 12.0 Beta program's focus on broadening Machine Learning application, and the post-2021 versioning change aimed at enabling "increased release frequency to address latest threats", further illustrate this adaptive strategy. VSAPI's evolution demonstrates a continuous effort to incorporate new detection technologies, expand file type support, and respond effectively to emerging threat categories.
The following table summarizes key VSAPI version milestones:
Table 1: Key VSAPI Version Milestones
3. Trend Micro Advanced Threat Scan Engine (ATSE): Evolving Threat Defense
The Advanced Threat Scan Engine (ATSE) represents a more specialized tier in Trend Micro's detection arsenal, designed to address the complexities of modern, sophisticated cyber threats. This section examines ATSE's core definition, its strategic importance in combating advanced attacks, its operational methodologies including advanced scanning techniques, and its release history as observed through its progressive integration into various Trend Micro products.
3.1. Core Definition, Purpose, and Strategic Importance
The Advanced Threat Scan Engine (ATSE) is specifically engineered by Trend Micro to detect document exploits and other types of threats that are commonly employed in targeted attacks. Its primary focus is the identification of advanced threats that might successfully circumvent traditional signature-based detection mechanisms. This positions ATSE as a critical component in Trend Micro's strategy against more sophisticated cyber adversaries.
ATSE's major capabilities are central to its strategic importance. These include the detection of zero-day threats, which are vulnerabilities unknown to software vendors or without available patches; the identification of embedded exploit code within seemingly benign files; adherence to specific detection rules tailored for known vulnerabilities; and the use of enhanced parsers capable of handling file deformities often used by malware to evade detection. These features enable ATSE to address both known and, crucially, unknown advanced threats, particularly those that leverage software exploits or employ complex file structures to conceal malicious payloads.
Reflecting its significance, ATSE is frequently enabled by default for virus scanning policies in Trend Micro products where it is integrated. This default enablement underscores Trend Micro's confidence in ATSE's advanced detection capabilities and its role as a standard, rather than optional, layer of defense in applicable products.
However, the aggressive nature of ATSE's detection methodologies comes with a caveat. Trend Micro explicitly notes that because ATSE is designed to identify both known and unknown advanced threats, its use may increase the likelihood of legitimate files being incorrectly flagged as malicious (false positives). To mitigate this, it is often recommended that files detected by ATSE be sent to a controlled virtual environment, such as Trend Micro's Virtual Analyzer, for further, more in-depth analysis to confirm their maliciousness. This highlights the delicate balance between detection efficacy and accuracy when dealing with advanced heuristic and behavioral analysis, and emphasizes the importance of a verification step like sandboxing.
3.2. Modus Operandi: Advanced Scanning and Analysis Techniques
ATSE's operational methodology is characterized by a multi-faceted approach to threat detection, combining its own advanced scanning techniques with close integration with other Trend Micro analysis platforms.
At its core, ATSE employs a hybrid scanning approach, utilizing a combination of traditional pattern-based scanning and more advanced heuristic scanning techniques. Further documentation elaborates on this, describing ATSE's methods as encompassing "signature-based, behavior-based, and aggressive heuristic detection". This dual strategy allows ATSE to efficiently identify known threats through established signatures while leveraging sophisticated heuristics and behavioral analysis to uncover novel, unknown, or polymorphic threats that do not match existing patterns.
A critical aspect of ATSE's modus operandi is its interaction with Trend Micro's Virtual Analyzer. ATSE plays a key role in determining which suspicious messages or files warrant deeper, sandboxed analysis within the Virtual Analyzer. ATSE detections that trigger this escalation are often identifiable by specific prefixes in their detection names, such as HEUR (heuristic), EXPL (exploit), and AFI MACRO (Advanced File Information macro detection). When a detection name includes one of these prefixes, the host product (for example, InterScan Messaging Security Virtual Appliance - IMSVA) is designed to send the entire message or file, including attachments, to the Virtual Analyzer for comprehensive examination. The Virtual Analyzer then assigns a risk level to the analyzed item. Based on this risk level and the security settings configured within the product, a final determination is made on how to classify and handle the item (e.g., as clean, a probable advanced threat, or an analyzed advanced threat). This multi-layered analysis process, with ATSE acting as an intelligent filter for sandboxing, is vital for effectively handling potential zero-day threats and other sophisticated attacks.
ATSE's capabilities are further extended through its synergy with Predictive Machine Learning (PML). In Trend Micro products such as Worry-Free Business Security, ATSE collaborates with the PML engine. When an unknown or low-prevalence file is encountered, the Security Agent utilizes ATSE to scan the file and extract key file features. This feature report is then transmitted to the PML engine, which is typically hosted on the Trend Micro Smart Protection Network. The PML engine employs malware modeling techniques to compare the submitted sample's features against its models, assigns a probability score, and determines the likely type of malware, if any. This demonstrates that ATSE's role is not limited to its internal scanning logic; it also serves as a critical data provider, performing feature extraction that fuels more advanced predictive capabilities against emerging and unknown threats within a broader machine learning framework.
Complementing ATSE's file-centric feature extraction, the Contextual Intelligence Engine handles unknown or low-prevalence processes. It monitors the behavior of these processes and sends a behavioral report to the PML engine for analysis and classification. While distinct from ATSE, this engine works in concert with PML, providing another layer of advanced analysis that complements ATSE's focus on file-based threats within the broader Trend Micro threat detection ecosystem.
Furthermore, Advanced File Information (AFI), discussed in detail in Section 4.2, operates as a feature within ATSE. AFI enhances ATSE's ability to detect specific file formats and is particularly used to identify macros within documents. Files containing macros detected via AFI can then be escalated to Deep Discovery Analyzer (DDAn) for detailed analysis. This functionality typically requires the integration of DDAn for its full effect. AFI thus augments ATSE's capacity to target and scrutinize potentially malicious components embedded within documents.
The operational design of ATSE positions it not merely as a standalone scanner but as an orchestrator of advanced analysis. It leverages its own pattern-based, heuristic, and behavioral detection capabilities, intelligently determines which items necessitate further scrutiny in a sandbox environment like Virtual Analyzer, extracts crucial file features for Predictive Machine Learning models, and utilizes specialized sub-components like AFI for targeted detection of high-risk content such as macros, which can then be escalated to platforms like DDAn. In essence, ATSE functions as a sophisticated triage system, applying its own advanced analytics and feeding other specialized analysis components within Trend Micro's comprehensive security architecture.
3.3. Release History and Integration into Products
Unlike VSAPI, which has a more clearly delineated version history in some documents, ATSE's evolution is primarily observed through its integration and updates within various Trend Micro products and through joint "VSAPI/ATSE" release announcements. A standalone, detailed public changelog specifically for ATSE is less common in the provided materials.
ATSE is frequently mentioned as a core component in advanced threat protection products. For instance, it is integral to the Deep Discovery Web Inspector, where it works in conjunction with Predictive Machine Learning and Virtual Analyzer to provide advanced detection capabilities. Similarly, ATSE is a key element in the ATP Analyzer, where it is integrated with the traditional Virus Scan Engine and employs its signature-based, behavior-based, and aggressive heuristic detection methodologies.
A significant indicator of ATSE's strategic importance is the transition in scan engine usage within Trend Micro agents. Documentation concerning SAP NetWeaver integration shows a clear shift:
The VSAPI / ATSE 11.0 joint release (with ATSE version 11.000-1006), available from December 4, 2018, brought features such as Windows 10 RS5 support and enhanced file identification capabilities. For endpoint products, ATSE 11.000-1006 specifically supported WinDLL (32/64-bit), Linux (32/64-bit), and Solaris (64-bit) platforms. The corresponding VSAPI 11.0 readme also noted an "ATSE Monthly Release Merge," implying that ATSE might undergo more frequent internal updates which are then consolidated into these major combined releases.
Updates to ATSE are frequently documented within the release notes of Deep Security Agent (DSA), now part of Cloud One - Workload Security. These updates are typically listed under "Enhancements" or "Resolved Issues" but seldom provide detailed specifics about the detection improvements brought by each ATSE version increment. Examples include:
ATSE is also deployed in Trend Micro Apex One (Mac).
An operational detail from OfficeScan/Apex One history includes a hotfix for OfficeScan XG SP1 (Hotfix 5180, referenced in Critical Patch 5294, January 2019). This hotfix addressed an issue where the ATSE minor version number was displayed incorrectly (e.g., 10.2.1006 instead of the correct 10.200.1006) on the agent console after updates from the ActiveUpdate (AU) Server. This confirms ATSE's presence in OfficeScan and its update mechanism via ActiveUpdate.
Similar to VSAPI, ATSE adopted the Year.Month.Build versioning format after 2021 to facilitate more frequent updates in response to the rapidly evolving threat landscape.
The evolution of ATSE appears tightly coupled with product-specific requirements and Trend Micro's broader scan engine strategy. Its versions are often cited within the context of updates to particular products like Deep Security Agent or Apex One (Mac). The clear transition from VSAPI to ATSE in certain agent generations indicates a strategic decision to leverage ATSE's more advanced capabilities in newer product iterations. Furthermore, the joint "VSAPI/ATSE" releases and the concept of an "ATSE Monthly Release Merge" suggest that ATSE's specialized development feeds back into the main scan engine pipeline. This implies that ATSE is not developed in isolation; its enhancements are driven by the demands of the products it integrates with and by an overarching strategy to continually upgrade Trend Micro's core detection technologies. The general lack of highly detailed, public ATSE-specific changelogs (beyond version numbers in product release notes) might suggest that its specific improvements are often communicated as part of the overall product enhancements rather than as standalone engine updates.
The following table tracks ATSE's appearances and updates across various Trend Micro products:
Table 2: Key ATSE Version Milestones and Product Integration
4. Synergies, Evolution, and the Emergence of Advanced File Information (AFI)
The relationship between VSAPI and ATSE is not one of simple succession but rather a dynamic interplay characterized by co-evolution, shared components, and a strategic layering of capabilities. This section explores this relationship, instances of shared updates or vulnerabilities, and critically examines the introduction of Advanced File Information (AFI) as a significant technological advancement within Trend Micro's scanning architecture.
4.1. VSAPI and ATSE: Relationship and Co-evolution
Evidence points to a close and evolving relationship between VSAPI and ATSE, rather than ATSE simply replacing VSAPI entirely across all products. They appear to be part of an integrated scan engine strategy.
A key indicator of their interconnectedness is their susceptibility to shared vulnerabilities and their concurrent patching. For example, a security bulletin addressing a memory exhaustion vulnerability (CVE-2021-25252) explicitly stated that "Trend Micro's scan engines - Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) – are vulnerable". Consequently, patches were released for a wide range of Trend Micro products, irrespective of whether they primarily utilized VSAPI or ATSE. This suggests that despite their potentially distinct primary roles (VSAPI as foundational, ATSE for advanced threats), they may share underlying code libraries, architectural components, or dependencies that can lead to common vulnerabilities. It also underscores that both engines are actively maintained and updated.
Joint release announcements and update mechanisms further solidify the notion of their co-evolution. The "VSAPI / ATSE 11.0" release, where both engines received the version number 11.000-1006, is a prime example. Furthermore, the VSAPI 11.000-1006 readme's mention of an "ATSE Monthly Release Merge" as an enhancement strongly implies a close developmental relationship. This suggests that ATSE might undergo more frequent, specialized development cycles, with its advancements and updates being periodically integrated into the broader VSAPI framework or released in conjunction with major VSAPI updates. This points towards a modular architecture where ATSE could function as an advanced component or module whose innovations are harmonized within the main scan engine ecosystem.
The transition in scan engine usage within specific Trend Micro agent lines provides compelling evidence of ATSE's growing prominence. As detailed for agents integrating with SAP NetWeaver, older versions (e.g., agent version 9.6) relied on VSAPI (specifically VSAPI 9.85), while newer versions (e.g., agent version 10.0 and later) explicitly utilize ATSE, with ATSE versions progressing from 9.861 to 10.000 and 11.0.000 in subsequent agent releases. This clear trend indicates a strategic decision by Trend Micro to deploy ATSE in newer product iterations or for integrations requiring more sophisticated threat detection capabilities, suggesting ATSE is either succeeding VSAPI in these contexts or is the preferred engine for new deployments.
Despite this transition in some areas, there is also evidence of coexistence in product descriptions. For instance, documentation for Trend Micro Apex One (Mac) Patch 2 lists both the "Advanced Threat Scan Engine (64-bit)" and the "Virus Scan Engine (32-bit/64-bit)" (which is VSAPI) as distinct components. In these descriptions, ATSE is characterized by its "signature-based, behavior-based, and aggressive heuristic detection," while the Virus Scan Engine is described as the core engine responsible for detecting a broader range of security risks, including spyware and research viruses. This suggests that in some products, particularly those with a layered security approach, both engines might operate concurrently, fulfilling different but complementary roles. VSAPI would handle the detection of a wide array of known threats, while ATSE would focus on more complex, unknown, or exploit-based attacks.
This body of evidence suggests that ATSE functions as an advanced, iteratively integrated layer within a broader scan engine framework, which may still be generally referred to or built upon the VSAPI foundation. Newer agents and products designed for advanced threat protection explicitly leverage ATSE due to its sophisticated heuristic and behavioral detection capabilities. The "ATSE Monthly Release Merge" into VSAPI releases indicates that ATSE's specialized updates are regularly incorporated into the main scan engine release cycle, ensuring the entire ecosystem benefits from its advancements. The shared vulnerabilities point to common underlying architectural elements. The fact that some products list both engines with distinct roles further supports a layered approach. Trend Micro's strategy appears to involve the continuous enhancement of its core scanning capabilities (historically anchored by VSAPI) through the integration of more specialized and advanced engines like ATSE. ATSE spearheads the defense against sophisticated threats, and its developments are then harmonized within the overall scan engine ecosystem. This allows Trend Micro to maintain robust protection against common malware via VSAPI's mature capabilities while rapidly evolving its defenses against advanced and emerging threats through ATSE.
The following table illustrates scan engine usage across different Trend Micro products and versions:
Table 3: Scan Engine Usage in Trend Micro Agents and Products (Illustrative Examples)
4.2. Advanced File Information (AFI): A New Layer of Analysis
A significant development in Trend Micro's scan engine technology is the introduction of Advanced File Information (AFI). This component represents a refinement in how files are pre-processed and analyzed, particularly for certain types of threats.
The most notable context for AFI's introduction is its replacement of the "VSAPI/ATSE API (VSDecompress)" in ScanMail for Domino version 5.0 Service Pack 1. The explicitly stated reason for this architectural change was "to resolve a potential vulnerability" associated with the older VSDecompress API. While the specific nature of this vulnerability is not detailed in the provided documentation, decompression libraries are a known area where security software can be susceptible to exploits if not meticulously implemented. This replacement thus signifies a proactive measure by Trend Micro to harden this critical component of the scanning process.
AFI is not merely a standalone API replacement; it is described as a feature integrated within the Advanced Threat Scan Engine (ATSE). For example, in InterScan Messaging Security Virtual Appliance (IMSVA), ATSE, when enabled with AFI, gains the capability to detect the format of a file and, more specifically, to identify the presence of macros within documents. This demonstrates that AFI enhances ATSE's advanced detection capabilities by providing more granular insight into file composition.
The functionality of AFI extends to the detection of specific high-risk file types:
The explicit replacement of the "VSAPI/ATSE API (VSDecompress)" by AFI in ScanMail for Domino 5.0 SP1 is a critical data point. It underscores a deliberate architectural shift. This change suggests a modernization of how Trend Micro engines handle file decomposition and initial analysis. By replacing an older decompression API, which was apparently shared by both VSAPI and ATSE, Trend Micro not only aimed to improve the security posture of the core engine itself but also leveraged this new component (AFI) to provide more refined detection capabilities within ATSE. This is particularly evident in its enhanced ability to identify and escalate script-based and macro-based threats, which are common vectors for sophisticated attacks. This evolution reflects a continuous improvement cycle focusing on both the security robustness and the detection efficacy of their scanning technologies.
The following table provides an overview of Advanced File Information (AFI):
Table 4: Advanced File Information (AFI) - Overview
5. Operational Context and Current Standing
VSAPI and ATSE, along with the more recent Advanced File Information (AFI) component, are not standalone technologies but are deeply embedded within Trend Micro's broader product ecosystem. Their current relevance is defined by their ability to address contemporary cyber threats through this integrated approach.
5.1. Integration within Trend Micro's Product Ecosystem
The pervasive deployment of VSAPI and ATSE across Trend Micro's product portfolio underscores their fundamental importance. A security bulletin addressing a memory exhaustion vulnerability (CVE-2021-25252) listed a wide array of affected products that utilize either VSAPI or ATSE. These include enterprise solutions like Apex Central and Apex One, gateway products such as Cloud Edge and InterScan Messaging Security, advanced threat detection platforms like the Deep Discovery suite (Analyzer, Email Inspector, Inspector), server protection products (ServerProtect), endpoint security for various segments (OfficeScan, Worry-Free Business Security), and specialized solutions like ScanMail and PortalProtect. This broad integration highlights their role as core scanning and detection engines across diverse security layers.
Within the Deep Discovery suite, ATSE is a cornerstone. Deep Discovery Inspector leverages ATSE for analyzing network traffic to identify threats, while Deep Discovery Analyzer uses ATSE as part of its process for sandbox analysis submissions. This integration allows for the detection of threats in transit and detailed analysis of suspicious files in a controlled environment.
For endpoint products such as Apex One (including its Mac version) and the historically significant OfficeScan, ATSE provides advanced threat detection capabilities directly on user devices. VSAPI has traditionally been the core engine for products like OfficeScan.
In the realm of Cloud One - Workload Security (which evolved from Deep Security), newer agent versions have explicitly adopted ATSE. The release notes for Deep Security Agent frequently document ATSE version updates, indicating its ongoing development and maintenance within this cloud and server security solution.
Messaging security solutions like InterScan Messaging Security Virtual Appliance (IMSVA) and ScanMail also incorporate these engines. IMSVA utilizes ATSE, enhanced with AFI, for detecting macros in email attachments and interacting with Deep Discovery Analyzer (DDAn) for further analysis. ScanMail for Domino notably saw the replacement of the older VSAPI/ATSE API (VSDecompress) with the more secure and capable AFI component.
While direct documentation explicitly detailing VSAPI/ATSE control over Trend Vision One is limited in the provided materials, Vision One, as Trend Micro's XDR platform, logically ingests and correlates detection data from all products containing these underlying engines. For instance, the Version Control Policy in Deep Security Agent allows Trend Vision One to manage updates for agents and their components, including scan engines. The API documentation for Trend Vision One describes how external systems can interact with the platform, which would naturally include accessing and acting upon threat intelligence generated by VSAPI and ATSE within connected products.
The way these engines are deployed and interact suggests a tiered defense strategy employed by Trend Micro. VSAPI provides broad, foundational file scanning capabilities, effective against a wide range of known threats. ATSE offers a more advanced layer, incorporating heuristic and behavioral detection mechanisms specifically designed for complex and evasive threats. Advanced File Information (AFI) further refines this by enhancing the pre-processing and specialized detection of high-risk file types like macros and scripts within ATSE. When these engines encounter highly suspicious items, they often escalate them to platforms like Virtual Analyzer or Deep Discovery Analyzer for in-depth sandboxing. Finally, the detection data and telemetry from these distributed engines are centralized and correlated in management and XDR platforms like Apex Central and Trend Vision One, enabling a holistic view of the threat landscape and coordinated response. This multi-layered approach creates a comprehensive threat detection and response ecosystem.
5.2. Current Role in Addressing Modern Cyber Threats
VSAPI, ATSE, and AFI continue to play crucial roles in Trend Micro's strategy for addressing the complexities of the modern cyber threat landscape. Their ongoing development and integration underscore their relevance.
ATSE's specific design focus on combating advanced threats—including zero-day vulnerabilities, embedded exploits, and files employing deformities to evade detection—makes it indispensable. Its heuristic and behavior-based analysis capabilities are critical for identifying sophisticated attacks that bypass traditional signature-based defenses.
The engines have also adapted to address prevalent modern threats like ransomware and fileless attacks. VSAPI version 9.950, for example, introduced features such as obfuscated JavaScript scans tailored for ransomware and base64 decoding support on PE files, also aimed at ransomware detection. Subsequently, VSAPI 11.0 included MIP3 support specifically for fileless memory-resident threats. These enhancements demonstrate a direct response to evolving attacker methodologies.
The integration with Machine Learning (ML) further solidifies their current standing. The VSAPI 12.0 Beta program aimed to enlarge the scope of ML application, and ATSE's function in extracting file features for Predictive Machine Learning (PML) systems highlights how these engines are key contributors to Trend Micro's AI-driven threat detection strategies.
The development and deployment of Advanced File Information (AFI), particularly its role in replacing the VSDecompress API, signals a continuous effort to harden core engine components against potential vulnerabilities while simultaneously enhancing specialized analysis of potentially malicious file structures, such as macros and scripts.
Finally, the adoption of a new versioning scheme post-2021 for both VSAPI and ATSE was explicitly to support an "increased release frequency to address latest threats". This agile update cadence is essential for keeping pace with the rapid evolution of cyber threats in the current environment.
Neither VSAPI nor ATSE appears to be obsolete; instead, they fulfill distinct but complementary functions. VSAPI continues to provide broad and reliable scanning for a wide range of threats, as evidenced by its ongoing updates within products like Worry-Free Business Security, and it serves as the foundational scanning technology in many Trend Micro offerings. ATSE, on the other hand, is the preferred engine for advanced threat detection in newer agent versions and specialized security products. The development of AFI demonstrates further specialization within ATSE to handle complex file types and to bolster the security of the analysis process itself. The continued relevance of both engines is ensured by these ongoing updates, increasing specialization (like AFI within ATSE), and their deep integration into Trend Micro's multi-layered security architecture, which leverages cloud intelligence (Smart Protection Network), machine learning (PML), and sandboxing (Virtual Analyzer/DDAn). They are evolving from potentially standalone engines into critical, interconnected components of a larger, more sophisticated defense system designed to address the multifaceted nature of modern cyber threats.
6. Conclusion
The Virus Scan API (VSAPI) and the Advanced Threat Scan Engine (ATSE) are pivotal to Trend Micro's cybersecurity offerings, representing a multi-layered and evolving approach to threat detection. VSAPI has served as the long-standing foundational file scanning engine, providing broad protection through pattern matching and evolving capabilities like packer identification. ATSE has emerged as a specialized engine, focusing on advanced threats such as zero-day exploits and targeted attacks, utilizing a combination of pattern-based, heuristic, and behavior-based scanning.
Their development is not entirely separate; evidence points to a close co-evolution, with shared vulnerabilities being addressed concurrently and ATSE updates often being merged into broader VSAPI release cycles. This suggests a modular architecture where ATSE's advanced capabilities augment or are integrated within the larger scan engine framework. The strategic transition towards deploying ATSE in newer Trend Micro products and agent versions underscores its importance in tackling contemporary, sophisticated threats.
A significant architectural refinement has been the introduction of Advanced File Information (AFI), which replaced the older VSAPI/ATSE API (VSDecompress) to resolve a potential vulnerability. AFI, operating as a feature within ATSE, has also enhanced the engine's ability to perform granular analysis of high-risk file types like macros and scripts, facilitating their escalation to sandboxing environments like Deep Discovery Analyzer.
Collectively, VSAPI, ATSE, and AFI contribute to a defense-in-depth strategy. They operate in concert with Trend Micro's broader technological ecosystem, including the Smart Protection Network for cloud-based intelligence, Predictive Machine Learning for proactive threat identification, and Virtual Analyzer for dynamic sandboxed analysis. The continuous updates to these engines, highlighted by a more agile versioning scheme post-2021 and ongoing integration into the latest Trend Micro products (including the Trend Vision One XDR platform via telemetry from underlying products), demonstrate their enduring relevance. By adapting to new threat vectors such as ransomware and fileless attacks, and by hardening core components while specializing detection techniques, Trend Micro ensures that VSAPI and ATSE remain critical assets in its mission to provide robust and adaptive cybersecurity solutions against an ever-evolving threat landscape.
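The Packer-Identification policy described in section 2.2 of the report (deny packed executables unless the packer is on an approved list) can be sketched as follows. This is an added example, not part of the original post and not Trend Micro's code: the section-name hints are a generic public heuristic, the function names are hypothetical, and the sample PE images are constructed in the script.

```python
import struct

# Section names commonly left behind by the three packers the report names.
# Public, generic hints only (an assumption of this example); this is not
# Trend Micro's pattern logic, and renamed sections will not match.
PACKER_SECTION_HINTS = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "ASPack": {".aspack", ".adata"},
    "Themida": {".themida"},
}
MAX_SECTIONS = 96  # Windows loader limit; larger counts mean a deformed header


class MalformedPE(ValueError):
    """Raised when the PE headers cannot be parsed safely."""


def pe_section_names(data):
    """Return the section names of a PE image, bounds-checking every read."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise MalformedPE("missing or truncated DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise MalformedPE("missing PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20, optional header itself at +24.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    if num_sections > MAX_SECTIONS:
        raise MalformedPE("implausible section count")
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each section header is 40 bytes, name first
        if off + 40 > len(data):
            raise MalformedPE("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def identify_packer(section_names):
    """Return the first packer whose hint names appear, or None."""
    present = set(section_names)
    for packer, hints in PACKER_SECTION_HINTS.items():
        if present & hints:
            return packer
    return None


def packer_policy(data, approved=frozenset()):
    """Apply a deny-unless-approved policy; returns (action, packer)."""
    if data[:2] != b"MZ":
        return ("not-pe", None)      # policy only concerns executables
    try:
        names = pe_section_names(data)
    except MalformedPE:
        return ("review", None)      # deformed headers must not pass silently
    packer = identify_packer(names)
    if packer and packer not in approved:
        return ("deny", packer)
    return ("allow", packer)


def build_sample_pe(section_names):
    """Constructed header-only PE image for the demo (not a runnable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header at 0x40
    opt_size = 0xE0                           # PE32 optional header, zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       opt_size, 0x0102)
    body = b"PE\0\0" + coff + bytes(opt_size)
    for name in section_names:
        body += name.encode("ascii").ljust(8, b"\0") + bytes(32)
    return bytes(dos) + body


if __name__ == "__main__":
    samples = {
        "upx-packed": build_sample_pe(["UPX0", "UPX1", ".rsrc"]),
        "plain": build_sample_pe([".text", ".data"]),
    }
    for label, image in samples.items():
        print(label, packer_policy(image), packer_policy(image, {"UPX"}))
```

A miss here does not prove a file is unpacked, which is why the deformed-header case is routed to review rather than allowed.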
VSAPI is a standard antivirus engine, ATSE is Next-Gen Antivirus.
I asked Gemini 2.5 Pro to deep research both and extract versions history, which otherwise are difficult to find/track.
An Analysis of Trend Micro's VSAPI and ATSE: Release History and Modus Operandi
1. Executive Summary
This report provides a detailed technical analysis of Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE), two core components underpinning the company's extensive suite of security products. VSAPI has long served as the foundational file scanning engine, responsible for initial threat classification. ATSE, conversely, represents a more sophisticated layer, engineered to detect and counter advanced threats, including zero-day exploits and targeted attacks. This document will explore their respective operational mechanisms, trace their chronological development through key release milestones, and examine their intertwined evolutionary paths. A significant aspect of this evolution includes the introduction of technologies such as Advanced File Information (AFI), which has enhanced both the security and analytical capabilities of these engines. The report aims to elucidate the distinct roles and synergistic functions of VSAPI and ATSE, their adaptation to the evolving threat landscape, and their current standing within Trend Micro's comprehensive security architecture.
2. Trend Micro Virus Scan API (VSAPI): Foundation of Detection
The Virus Scan API (VSAPI) has been a cornerstone of Trend Micro's threat detection capabilities for many years. This section details its core definition, architectural underpinnings, primary operational mechanisms, and a chronological overview of its development, highlighting significant updates and enhancements that have shaped its role in cybersecurity.
2.1. Core Definition, Purpose, and Architecture
The Virus Scan API (VSAPI) is fundamentally Trend Micro's primary File Scanning Engine. It serves as a core technology module integrated into the majority of Trend Micro Security Products. Its principal function is the processing of file objects and their subsequent classification as malicious, suspected, or non-malicious. This positions VSAPI as a critical first line of defense against file-based threats, forming a foundational layer upon which more advanced detection strategies are often constructed or integrated.
VSAPI's architecture is not that of a standalone module; rather, it is deeply interwoven with Trend Micro's broader threat intelligence infrastructure, utilizing various detection patterns. A notable update to the Threat Detection Naming Scheme, implemented from July 2, 2018, applies to all products that leverage VSAPI. This change impacts specific detection patterns, namely the Conventional Virus Scan Pattern, the Smart Scan Agent Pattern, and the Smart Scan Cloud Query Pattern. This reliance on diverse pattern types, including cloud-integrated patterns, underscores VSAPI's core methodology of pattern matching and its continuous connection to the Smart Protection Network, a feature highlighted as early as the VSAPI 9.0 release. The integration ensures VSAPI benefits from up-to-date intelligence for identifying known threats.
The operational efficacy of VSAPI is maintained through a centralized distribution mechanism for its components, such as virus pattern files (e.g., vsapi.zip). Platforms like Trend Micro Apex Central manage and disseminate these updates. Apex Central utilizes a configured web server address, stored within the SystemConfiguration.xml file, to notify agents about available updates. For instance, the vsapi.zip pattern file is distributed from a designated folder (e.g., Control Manager\WebUI\download\activeupdate\pattern) on the Apex Central server. This system ensures that endpoints consistently receive the latest protection definitions.
The consistent designation of VSAPI as the "core" or "File Scanning Engine", coupled with its extensive history (with versions like 9.0 released in 2009) and significant updates over time—including changes to naming conventions and versioning formats—points to its role as an evolvable platform. Its ability to integrate with various pattern types, including cloud-based ones, and the mention of "ATSE Monthly Release Merge" in a VSAPI readme suggest that VSAPI may function as a foundational framework that incorporates advancements from, or operates in conjunction with, other specialized engines such as ATSE. Thus, VSAPI is not merely a legacy system but a dynamic and critical component of Trend Micro's detection strategy, adapting by potentially integrating newer, more specialized modules while reliably handling known threats.
2.2. Modus Operandi: Key Mechanisms
VSAPI employs several key mechanisms to identify and classify threats, extending beyond simple signature matching.
A significant capability, introduced in VSAPI version 9.77 and maintained in subsequent versions, is Packer-Identification. This feature is specifically designed to analyze Portable Executable (PE) files that have been "packed." Packing is a technique used legitimately by software developers to reduce file size or protect binaries through obfuscation; however, it is also widely adopted by malware authors to evade detection by traditional antivirus software. The Packer-Identification mechanism aims to counter malware that leverages common packers such as UPX, Themida, and ASPack. Detections made by this feature are systematically named using formats like $PACP_XXX.STD$ for standard packer types and $PACP_XXX.CM$ for customized packer types, where XXX signifies the specific packer identified (e.g., $PACK_ASPACK_001.STD$). For enterprise customers, Trend Micro provides a "Packer-Identification Policy Scan." Within products like OfficeScan, administrators can configure policies to "Deny access to executable compressed files" and maintain an approved list of packer types to minimize false positives from legitimate packed software. This functionality demonstrates VSAPI's capacity to inspect file characteristics indicative of evasion tactics.
The general scanning process of VSAPI relies on the synergy between the scan engine and virus pattern files to execute pattern matching. Instead of exhaustively scanning every byte of every file, the engine intelligently identifies tell-tale characteristics of viral code and common locations within a file where malware typically resides. Furthermore, VSAPI is equipped to handle various file manipulations; it can decrypt all major encryption formats, including MIME and BinHex, and is capable of scanning common compression formats such as .Zip, .Arj, and .Cab, even when nested up to multiple layers. This describes the fundamental operational method of VSAPI for detecting known threats through signature-based analysis while also managing common forms of file obfuscation and compression.
2.3. Release History and Key Evolutionary Milestones
VSAPI has undergone numerous updates throughout its lifecycle, reflecting Trend Micro's commitment to adapting its core scanning technology to the evolving threat landscape.
One of the pivotal releases was VSAPI 9.0, officially launched on October 26, 2009, with version number 9.000.1003. This version introduced significant improvements, including an enhanced cleaning mechanism, advancements in Smart Protection Network integration, support for wildcards in scan exclusion lists, compatibility with additional file types, and notably, improved detection capabilities for PDF exploits, shellcode, and vulnerabilities within Microsoft Office products. At the time, Trend Micro strongly urged customers to upgrade to version 9.0 due to the escalating volume of malware samples and the increasing size of malware pattern files, concurrently announcing the discontinuation of support for prior versions. This release marked a significant step in VSAPI's evolution, emphasizing its adaptation to a more complex threat environment and deeper integration with cloud-based threat intelligence.
Later, VSAPI 9.77 introduced the Packer-Identification Policy Scan, though a specific release date is not provided in the available materials. This added a specialized capability to address malware obfuscation techniques.
On May 5, 2017, VSAPI 9.950 was released. This version extended support to a wide range of platforms including Windows NTKD (32/64-bit), Windows DLL (32/64-bit), Linux (32/64-bit), Linux CIFS, and macOS (32/64-bit). Key new features included an obfuscated JavaScript scan targeting ransomware, support for base64 decoding on PE files also for ransomware detection, the ability for heuristic rules to be disabled by pattern, and support for .crx (Google Chrome extension) file decompression. These enhancements demonstrated VSAPI's continued adaptation to new threat categories like ransomware, new file formats, and provided more granular control over its heuristic detection.
A significant joint release, VSAPI / ATSE 11.0, occurred with components dated around October 12, 2018 (readme date) and an availability date of December 4, 2018. Both VSAPI (version 11.000-1006) and ATSE (version 11.000-1006) were part of this update. Shared features included support for Windows 10 RS5, TTF (TrueType Font) and ISO (Disk Image) file identification, UPX 64-bit decompression support, and OneNote embedded file extraction support. The VSAPI 11.000-1006 readme further detailed features such as scanning of registry keys, scheduled tasks, WMI, and BITS; MIP3 support for fileless memory-resident threats; TrendX support for ELF, Office macros, and local models; and importantly, an "ATSE Monthly Release Merge". This release is a key indicator of VSAPI and ATSE being updated and distributed in tandem, with VSAPI acting as a vehicle for ATSE's ongoing monthly updates. It highlights a strategy of continuous enhancement and a broadening scope of detection, including sophisticated fileless threats and support for newer operating systems and file types.
A public beta for VSAPI 12.0 ran from August 19, 2019, to September 27, 2019. This version focused on enlarging the Machine Learning scope for potentially high-risk file types such as JAR, InnoSetup, and XML Word Document Macro Extraction. It also included enhanced identification support for ALZip and InnoSetup 5.5.9 packers, and new platform support for Windows 19H1 and macOS x64 SDK 10.x. This signaled a deeper integration of machine learning capabilities directly into VSAPI's development trajectory.
To accommodate a more rapid response to the latest threats, Trend Micro implemented a new versioning format for VSAPI (and ATSE) for releases after 2021. The format changed to Year.Month.Build (e.g., 21.550.1001 signifies a release from May 2021). This structural change reflects a strategic shift towards more agile and frequent updates.
The ongoing maintenance and incremental updates of VSAPI are also evident in patches for specific Trend Micro products. For example, Worry-Free Business Security (WFBS) 10.0 SP1 patches included several VSAPI engine updates:
- Patch 2495 (released in 2023) updated VSAPI to version 22.610.1017.
- Patch 2497 (spanning 2023/2024) updated VSAPI to version 23.580.1004.
- Patch 2500 (released in 2024) updated VSAPI to version 23.602.1001.
The development trajectory of VSAPI has been consistently driven by the evolving threat landscape and operational requirements. The urgent recommendation to upgrade to VSAPI 9.0 was a direct response to the "dramatic rise of malware samples". Subsequent versions like 9.950 added specific defenses against ransomware and new file types. VSAPI 11.0 expanded support for modern Windows versions and file types like ISO and TTF, while also enhancing capabilities against fileless threats through TrendX. The VSAPI 12.0 Beta program's focus on broadening Machine Learning application, and the post-2021 versioning change aimed at enabling "increased release frequency to address latest threats", further illustrate this adaptive strategy. VSAPI's evolution demonstrates a continuous effort to incorporate new detection technologies, expand file type support, and respond effectively to emerging threat categories.
The following table summarizes key VSAPI version milestones:
Table 1: Key VSAPI Version Milestones
VSAPI Version (Build) | Approximate Release Date/Announcement | Key Features/Enhancements | Notable Products Utilizing/Context |
9.0 (9.000.1003) | October 26, 2009 | Enhanced cleaning, Smart Protection Network enhancement, wildcard for exclusions, more file types, PDF/shellcode/MS Office exploit detection. End of support for prior versions. | All products; recommended for urgent upgrade, especially Windows endpoints. |
9.77 | Not Specified | Packer-Identification Policy Scan introduced. | Enterprise products like OfficeScan. |
9.950 | May 5, 2017 | Obfuscated JavaScript scan (ransomware), PE base64 decode (ransomware), heuristic rules disable-able by pattern, *.crx Decompress support. | Supported Windows NTKD, DLL, Linux, Linux CIFS, macOS. |
11.0 (11.000-1006) | December 4, 2018 | Windows 10 RS5 support, TTF/ISO File ID, UPX 64-bit decompress, OneNote embedded file extraction. Registry/task/WMI/BITS scan, MIP3 (fileless), TrendX (ELF, Office macro, local model). | Joint release with ATSE 11.0. VSAPI readme notes "ATSE Monthly Release Merge". |
12.0 Beta | Aug 19 - Sep 27, 2019 | Enlarged Machine Learning scope (JAR, InnoSetup, XML Word Macro Extraction), enhanced ALZip/InnoSetup 5.5.9 ID, Windows 19H1/Mac x64 SDK 10.x support. | Beta program for upcoming VSAPI version. |
Post-2021 Versioning (e.g., 21.550.1001) | From 2021 onwards | New version format: Year.Month.Build (e.g., 21.550.1001 for May 2021). | Applied to VSAPI and ATSE to support increased release frequency. |
22.610.1017 | 2023 (via WFBS Patch 2495) | Incremental update. | Worry-Free Business Security 10.0 SP1. |
23.580.1004 | 2023/2024 (via WFBS Patch 2497) | Incremental update. | Worry-Free Business Security 10.0 SP1. |
23.602.1001 | 2024 (via WFBS Patch 2500) | Incremental update. | Worry-Free Business Security 10.0 SP1. |
3. Trend Micro Advanced Threat Scan Engine (ATSE): Evolving Threat Defense
The Advanced Threat Scan Engine (ATSE) represents a more specialized tier in Trend Micro's detection arsenal, designed to address the complexities of modern, sophisticated cyber threats. This section examines ATSE's core definition, its strategic importance in combating advanced attacks, its operational methodologies including advanced scanning techniques, and its release history as observed through its progressive integration into various Trend Micro products.
3.1. Core Definition, Purpose, and Strategic Importance
The Advanced Threat Scan Engine (ATSE) is specifically engineered by Trend Micro to detect document exploits and other types of threats that are commonly employed in targeted attacks. Its primary focus is the identification of advanced threats that might successfully circumvent traditional signature-based detection mechanisms. This positions ATSE as a critical component in Trend Micro's strategy against more sophisticated cyber adversaries.
ATSE's major capabilities are central to its strategic importance. These include the detection of zero-day threats, which are vulnerabilities unknown to software vendors or without available patches; the identification of embedded exploit code within seemingly benign files; adherence to specific detection rules tailored for known vulnerabilities; and the use of enhanced parsers capable of handling file deformities often used by malware to evade detection. These features enable ATSE to address both known and, crucially, unknown advanced threats, particularly those that leverage software exploits or employ complex file structures to conceal malicious payloads.
Reflecting its significance, ATSE is frequently enabled by default for virus scanning policies in Trend Micro products where it is integrated. This default enablement underscores Trend Micro's confidence in ATSE's advanced detection capabilities and its role as a standard, rather than optional, layer of defense in applicable products.
However, the aggressive nature of ATSE's detection methodologies comes with a caveat. Trend Micro explicitly notes that because ATSE is designed to identify both known and unknown advanced threats, its use may increase the likelihood of legitimate files being incorrectly flagged as malicious (false positives). To mitigate this, it is often recommended that files detected by ATSE be sent to a controlled virtual environment, such as Trend Micro's Virtual Analyzer, for further, more in-depth analysis to confirm their maliciousness. This highlights the delicate balance between detection efficacy and accuracy when dealing with advanced heuristic and behavioral analysis, and emphasizes the importance of a verification step like sandboxing.
3.2. Modus Operandi: Advanced Scanning and Analysis Techniques
ATSE's operational methodology is characterized by a multi-faceted approach to threat detection, combining its own advanced scanning techniques with close integration with other Trend Micro analysis platforms.
At its core, ATSE employs a hybrid scanning approach, utilizing a combination of traditional pattern-based scanning and more advanced heuristic scanning techniques. Further documentation elaborates on this, describing ATSE's methods as encompassing "signature-based, behavior-based, and aggressive heuristic detection". This dual strategy allows ATSE to efficiently identify known threats through established signatures while leveraging sophisticated heuristics and behavioral analysis to uncover novel, unknown, or polymorphic threats that do not match existing patterns.
A critical aspect of ATSE's modus operandi is its interaction with Trend Micro's Virtual Analyzer. ATSE plays a key role in determining which suspicious messages or files warrant deeper, sandboxed analysis within the Virtual Analyzer. ATSE detections that trigger this escalation are often identifiable by specific prefixes in their detection names, such as HEUR (heuristic), EXPL (exploit), and AFI MACRO (Advanced File Information macro detection). When a detection name includes one of these prefixes, the host product (for example, InterScan Messaging Security Virtual Appliance - IMSVA) is designed to send the entire message or file, including attachments, to the Virtual Analyzer for comprehensive examination. The Virtual Analyzer then assigns a risk level to the analyzed item. Based on this risk level and the security settings configured within the product, a final determination is made on how to classify and handle the item (e.g., as clean, a probable advanced threat, or an analyzed advanced threat). This multi-layered analysis process, with ATSE acting as an intelligent filter for sandboxing, is vital for effectively handling potential zero-day threats and other sophisticated attacks.
ATSE's capabilities are further extended through its synergy with Predictive Machine Learning (PML). In Trend Micro products such as Worry-Free Business Security, ATSE collaborates with the PML engine. When an unknown or low-prevalence file is encountered, the Security Agent utilizes ATSE to scan the file and extract key file features. This feature report is then transmitted to the PML engine, which is typically hosted on the Trend Micro Smart Protection Network. The PML engine employs malware modeling techniques to compare the submitted sample's features against its models, assigns a probability score, and determines the likely type of malware, if any. This demonstrates that ATSE's role is not limited to its internal scanning logic; it also serves as a critical data provider, performing feature extraction that fuels more advanced predictive capabilities against emerging and unknown threats within a broader machine learning framework.
Complementing ATSE's file-centric feature extraction, the Contextual Intelligence Engine handles unknown or low-prevalence processes. It monitors the behavior of these processes and sends a behavioral report to the PML engine for analysis and classification. While distinct from ATSE, this engine works in concert with PML, providing another layer of advanced analysis that complements ATSE's focus on file-based threats within the broader Trend Micro threat detection ecosystem.
Furthermore, Advanced File Information (AFI), discussed in detail in Section 4.2, operates as a feature within ATSE. AFI enhances ATSE's ability to detect specific file formats and is particularly used to identify macros within documents. Files containing macros detected via AFI can then be escalated to Deep Discovery Analyzer (DDAn) for detailed analysis. This functionality typically requires the integration of DDAn for its full effect. AFI thus augments ATSE's capacity to target and scrutinize potentially malicious components embedded within documents.
The operational design of ATSE positions it not merely as a standalone scanner but as an orchestrator of advanced analysis. It leverages its own pattern-based, heuristic, and behavioral detection capabilities, intelligently determines which items necessitate further scrutiny in a sandbox environment like Virtual Analyzer, extracts crucial file features for Predictive Machine Learning models, and utilizes specialized sub-components like AFI for targeted detection of high-risk content such as macros, which can then be escalated to platforms like DDAn. In essence, ATSE functions as a sophisticated triage system, applying its own advanced analytics and feeding other specialized analysis components within Trend Micro's comprehensive security architecture.
3.3. Release History and Integration into Products
Unlike VSAPI, which has a more clearly delineated version history in some documents, ATSE's evolution is primarily observed through its integration and updates within various Trend Micro products and through joint "VSAPI/ATSE" release announcements. A standalone, detailed public changelog specifically for ATSE is less common in the provided materials.
ATSE is frequently mentioned as a core component in advanced threat protection products. For instance, it is integral to the Deep Discovery Web Inspector, where it works in conjunction with Predictive Machine Learning and Virtual Analyzer to provide advanced detection capabilities. Similarly, ATSE is a key element in the ATP Analyzer, where it is integrated with the traditional Virus Scan Engine and employs its signature-based, behavior-based, and aggressive heuristic detection methodologies.
A significant indicator of ATSE's strategic importance is the transition in scan engine usage within Trend Micro agents. Documentation concerning SAP NetWeaver integration shows a clear shift:
- Agent version 9.6 utilized VSAPI 9.85.
- Agent version 10.0 transitioned to using ATSE 9.861.
- Agent version 10.1 employed ATSE 9.862.
- Agent versions 10.2, 10.3, 11.0, 11.1, and 11.2 used ATSE 10.000.
- Agent version 11.3 and later adopted ATSE 11.0.000.
This progression strongly suggests a deliberate strategy to deploy ATSE in newer agent versions, likely due to its superior capabilities in addressing contemporary and advanced threats.
The VSAPI / ATSE 11.0 joint release (with ATSE version 11.000-1006), available from December 4, 2018, brought features such as Windows 10 RS5 support and enhanced file identification capabilities. For endpoint products, ATSE 11.000-1006 specifically supported WinDLL (32/64-bit), Linux (32/64-bit), and Solaris (64-bit) platforms. The corresponding VSAPI 11.0 readme also noted an "ATSE Monthly Release Merge," implying that ATSE might undergo more frequent internal updates which are then consolidated into these major combined releases.
Updates to ATSE are frequently documented within the release notes of Deep Security Agent (DSA), now part of Cloud One - Workload Security. These updates are typically listed under "Enhancements" or "Resolved Issues" but seldom provide detailed specifics about the detection improvements brought by each ATSE version increment. Examples include:
- DSA 20.0.0-6313 (January 2023, Unix) was updated to support ATSE 21.600 for AIX platforms.
- DSA 20.0.0-7719 (August 2023, Linux/Unix) saw ATSE updated to version 22.6.
- DSA 20.0.1-21510 (October 2024, Linux) featured an ATSE update to version 24.5.
- DSA 20.0.1-17380 (August 2024, Windows) included an ATSE update to version 24.550.
ATSE is also deployed in Trend Micro Apex One (Mac).
- A Hotfix for Apex One (Mac) as a Service, released in April 2022, integrated ATSE engine version 21.600.1005.
- The component list for Apex One (Mac) Patch 2 describes ATSE (Universal) as employing "signature-based, behavior-based, and aggressive heuristic detection".
An operational detail from OfficeScan/Apex One history includes a hotfix for OfficeScan XG SP1 (Hotfix 5180, referenced in Critical Patch 5294, January 2019). This hotfix addressed an issue where the ATSE minor version number was displayed incorrectly (e.g., 10.2.1006 instead of the correct 10.200.1006) on the agent console after updates from the ActiveUpdate (AU) Server. This confirms ATSE's presence in OfficeScan and its update mechanism via ActiveUpdate.
Similar to VSAPI, ATSE adopted the Year.Month.Build versioning format after 2021 to facilitate more frequent updates in response to the rapidly evolving threat landscape.
The evolution of ATSE appears tightly coupled with product-specific requirements and Trend Micro's broader scan engine strategy. Its versions are often cited within the context of updates to particular products like Deep Security Agent or Apex One (Mac). The clear transition from VSAPI to ATSE in certain agent generations indicates a strategic decision to leverage ATSE's more advanced capabilities in newer product iterations. Furthermore, the joint "VSAPI/ATSE" releases and the concept of an "ATSE Monthly Release Merge" suggest that ATSE's specialized development feeds back into the main scan engine pipeline. This implies that ATSE is not developed in isolation; its enhancements are driven by the demands of the products it integrates with and by an overarching strategy to continually upgrade Trend Micro's core detection technologies. The general lack of highly detailed, public ATSE-specific changelogs (beyond version numbers in product release notes) might suggest that its specific improvements are often communicated as part of the overall product enhancements rather than as standalone engine updates.
The following table tracks ATSE's appearances and updates across various Trend Micro products:
Table 2: Key ATSE Version Milestones and Product Integration
ATSE Version | Associated Product/Agent & Version | Approximate Release Date/Context | Key Features/Enhancements or Role Noted |
9.861 | Agent version 10.0 (for SAP integration) | Not Specified | Transition from VSAPI in earlier agent versions. |
9.862 | Agent version 10.1 (for SAP integration) | Not Specified | Continued use of ATSE. |
10.000 | Agent versions 10.2, 10.3, 11.0, 11.1, 11.2 (for SAP integration) | Not Specified | Standard ATSE version for these agent releases. |
10.200.1006 | OfficeScan XG SP1 (via AU update) | Referenced Jan 2019 (Hotfix 5180 / CP 5294) | Version display accuracy fix; confirms ATSE updates via ActiveUpdate. |
11.0.000 | Agent version 11.3+ (for SAP integration) | Not Specified | ATSE version for later agent releases. |
11.000-1006 | VSAPI / ATSE 11.0 Release | Dec 4, 2018 | Joint release. Features: Win 10 RS5 support, TTF/ISO ID, etc. ATSE supported WinDLL, Linux, Solaris endpoints. "ATSE Monthly Release Merge" noted. |
21.600 | Deep Security Agent 20.0.0-6313 (Unix) | Jan 2023 | Support for AIX platforms. |
21.600.1005 | Apex One (Mac) as a Service | Apr 2022 (Hotfix) | Integrated into Apex One (Mac) agent. |
22.6 | Deep Security Agent 20.0.0-7719 (Linux/Unix) | Aug 2023 | General ATSE update. |
24.5 | Deep Security Agent 20.0.1-21510 (Linux) | Oct 2024 | General ATSE update. |
24.550 | Deep Security Agent 20.0.1-17380 (Windows) | Aug 2024 | General ATSE update. |
Not Specified | Deep Discovery Web Inspector, ATP Analyzer | Various versions | Core component for advanced threat detection, heuristic/behavioral analysis. |
4. Synergies, Evolution, and the Emergence of Advanced File Information (AFI)
The relationship between VSAPI and ATSE is not one of simple succession but rather a dynamic interplay characterized by co-evolution, shared components, and a strategic layering of capabilities. This section explores this relationship, instances of shared updates or vulnerabilities, and critically examines the introduction of Advanced File Information (AFI) as a significant technological advancement within Trend Micro's scanning architecture.
4.1. VSAPI and ATSE: Relationship and Co-evolution
Evidence points to a close and evolving relationship between VSAPI and ATSE, rather than ATSE simply replacing VSAPI entirely across all products. They appear to be part of an integrated scan engine strategy.
A key indicator of their interconnectedness is their susceptibility to shared vulnerabilities and their concurrent patching. For example, a security bulletin addressing a memory exhaustion vulnerability (CVE-2021-25252) explicitly stated that "Trend Micro's scan engines - Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) – are vulnerable". Consequently, patches were released for a wide range of Trend Micro products, irrespective of whether they primarily utilized VSAPI or ATSE. This suggests that despite their potentially distinct primary roles (VSAPI as foundational, ATSE for advanced threats), they may share underlying code libraries, architectural components, or dependencies that can lead to common vulnerabilities. It also underscores that both engines are actively maintained and updated.
Joint release announcements and update mechanisms further solidify the notion of their co-evolution. The "VSAPI / ATSE 11.0" release, where both engines received the version number 11.000-1006, is a prime example. Furthermore, the VSAPI 11.000-1006 readme's mention of an "ATSE Monthly Release Merge" as an enhancement strongly implies a close developmental relationship. This suggests that ATSE might undergo more frequent, specialized development cycles, with its advancements and updates being periodically integrated into the broader VSAPI framework or released in conjunction with major VSAPI updates. This points towards a modular architecture where ATSE could function as an advanced component or module whose innovations are harmonized within the main scan engine ecosystem.
The transition in scan engine usage within specific Trend Micro agent lines provides compelling evidence of ATSE's growing prominence. As detailed for agents integrating with SAP NetWeaver, older versions (e.g., agent version 9.6) relied on VSAPI (specifically VSAPI 9.85), while newer versions (e.g., agent version 10.0 and later) explicitly utilize ATSE, with ATSE versions progressing from 9.861 to 10.000 and 11.0.000 in subsequent agent releases. This clear trend indicates a strategic decision by Trend Micro to deploy ATSE in newer product iterations or for integrations requiring more sophisticated threat detection capabilities, suggesting ATSE is either succeeding VSAPI in these contexts or is the preferred engine for new deployments.
Despite this transition in some areas, there is also evidence of coexistence in product descriptions. For instance, documentation for Trend Micro Apex One (Mac) Patch 2 lists both the "Advanced Threat Scan Engine (64-bit)" and the "Virus Scan Engine (32-bit/64-bit)" (which is VSAPI) as distinct components. In these descriptions, ATSE is characterized by its "signature-based, behavior-based, and aggressive heuristic detection," while the Virus Scan Engine is described as the core engine responsible for detecting a broader range of security risks, including spyware and research viruses. This suggests that in some products, particularly those with a layered security approach, both engines might operate concurrently, fulfilling different but complementary roles. VSAPI would handle the detection of a wide array of known threats, while ATSE would focus on more complex, unknown, or exploit-based attacks.
This body of evidence suggests that ATSE functions as an advanced, iteratively integrated layer within a broader scan engine framework, which may still be generally referred to or built upon the VSAPI foundation. Newer agents and products designed for advanced threat protection explicitly leverage ATSE due to its sophisticated heuristic and behavioral detection capabilities. The "ATSE Monthly Release Merge" into VSAPI releases indicates that ATSE's specialized updates are regularly incorporated into the main scan engine release cycle, ensuring the entire ecosystem benefits from its advancements. The shared vulnerabilities point to common underlying architectural elements. The fact that some products list both engines with distinct roles further supports a layered approach. Trend Micro's strategy appears to involve the continuous enhancement of its core scanning capabilities (historically anchored by VSAPI) through the integration of more specialized and advanced engines like ATSE. ATSE spearheads the defense against sophisticated threats, and its developments are then harmonized within the overall scan engine ecosystem. This allows Trend Micro to maintain robust protection against common malware via VSAPI's mature capabilities while rapidly evolving its defenses against advanced and emerging threats through ATSE.
The following table illustrates scan engine usage across different Trend Micro products and versions:
Table 3: Scan Engine Usage in Trend Micro Agents and Products (Illustrative Examples)
Agent Product & Version | Scan Engine Utilized | Engine Version (if specified) |
Agent for SAP NetWeaver v9.6 | VSAPI | 9.85 |
Agent for SAP NetWeaver v10.0 | ATSE | 9.861 |
Agent for SAP NetWeaver v11.3+ | ATSE | 11.0.000 |
Deep Security Agent 20.0.0-6313 (Unix) | ATSE | 21.600 (support for AIX) |
Deep Security Agent 20.0.1-17380 (Windows) | ATSE | 24.550 |
Apex One (Mac) as a Service (Hotfix Apr 2022) | ATSE | 21.600.1005 |
Apex One (Mac) Patch 2 | ATSE & Virus Scan Engine (VSAPI) | ATSE (Universal), Virus Scan Engine (Universal) - no specific version numbers listed for these in this context |
OfficeScan XG SP1 (Critical Patch 5294 referencing Hotfix 5180) | VSAPI (core), ATSE (updates) | ATSE e.g., 10.200.1006 (minor version display fix) |
4.2. Advanced File Information (AFI): A New Layer of Analysis
A significant development in Trend Micro's scan engine technology is the introduction of Advanced File Information (AFI). This component represents a refinement in how files are pre-processed and analyzed, particularly for certain types of threats.
The most notable context for AFI's introduction is its replacement of the "VSAPI/ATSE API (VSDecompress)" in ScanMail for Domino version 5.0 Service Pack 1. The explicitly stated reason for this architectural change was "to resolve a potential vulnerability" associated with the older VSDecompress API. While the specific nature of this vulnerability is not detailed in the provided documentation, decompression libraries are a known area where security software can be susceptible to exploits if not meticulously implemented. This replacement thus signifies a proactive measure by Trend Micro to harden this critical component of the scanning process.
AFI is not merely a standalone API replacement; it is described as a feature integrated within the Advanced Threat Scan Engine (ATSE). For example, in InterScan Messaging Security Virtual Appliance (IMSVA), ATSE, when enabled with AFI, gains the capability to detect the format of a file and, more specifically, to identify the presence of macros within documents. This demonstrates that AFI enhances ATSE's advanced detection capabilities by providing more granular insight into file composition.
The functionality of AFI extends to the detection of specific high-risk file types:
- Macros: When AFI is enabled (e.g., via the imss.ini configuration atse_afi_macro_detect=1 in IMSVA), ATSE can detect documents containing macros. These files can then be automatically sent to Deep Discovery Analyzer (DDAn) for in-depth sandboxed analysis, provided DDAn is integrated with the product. If DDAn is not integrated, IMSVA will typically only log the detection information.
- Executable Files and Script Files: Japanese Trend Micro documentation further clarifies that AFI (referred to as ATSE Advanced File Information) is utilized to obtain file information for executable files, various script files (including VBE, VBS, JS, JSE, WSF, PS1), and macro files, particularly those that might not be scanned by the traditional "anti-virus engine" (implying signature-based scanning). These files, once identified by AFI, can also be submitted to Deep Discovery Advisor for analysis. Configuration for this functionality in certain products is managed through settings in smconf.nsf.
The explicit replacement of the "VSAPI/ATSE API (VSDecompress)" by AFI in ScanMail for Domino 5.0 SP1 is a critical data point. It underscores a deliberate architectural shift. This change suggests a modernization of how Trend Micro engines handle file decomposition and initial analysis. By replacing an older decompression API, which was apparently shared by both VSAPI and ATSE, Trend Micro not only aimed to improve the security posture of the core engine itself but also leveraged this new component (AFI) to provide more refined detection capabilities within ATSE. This is particularly evident in its enhanced ability to identify and escalate script-based and macro-based threats, which are common vectors for sophisticated attacks. This evolution reflects a continuous improvement cycle focusing on both the security robustness and the detection efficacy of their scanning technologies.
The following table provides an overview of Advanced File Information (AFI):
Table 4: Advanced File Information (AFI) - Overview
Aspect | Description |
Purpose | To resolve a potential vulnerability in the previous decompression API; enhance file analysis capabilities within ATSE. |
Replaced Component | VSAPI/ATSE API (VSDecompress) |
Key Functionality | Detects file formats; specifically identifies macros, executable files, and script files (VBE, VBS, JS, JSE, WSF, PS1). |
Integration | Operates as a feature within ATSE. Facilitates sending detected files to Deep Discovery Analyzer (DDAn) / Deep Discovery Advisor for further analysis. |
Configuration Notes | Enabled in IMSVA via imss.ini (atse_afi_macro_detect=1). Configured in other products via smconf.nsf for specific file type detection. |
Products Mentioned | ScanMail for Domino 5.0 SP1, InterScan Messaging Security Virtual Appliance (IMSVA). |
5. Operational Context and Current Standing
VSAPI and ATSE, along with the more recent Advanced File Information (AFI) component, are not standalone technologies but are deeply embedded within Trend Micro's broader product ecosystem. Their current relevance is defined by their ability to address contemporary cyber threats through this integrated approach.
5.1. Integration within Trend Micro's Product Ecosystem
The pervasive deployment of VSAPI and ATSE across Trend Micro's product portfolio underscores their fundamental importance. A security bulletin addressing a memory exhaustion vulnerability (CVE-2021-25252) listed a wide array of affected products that utilize either VSAPI or ATSE. These include enterprise solutions like Apex Central and Apex One, gateway products such as Cloud Edge and InterScan Messaging Security, advanced threat detection platforms like the Deep Discovery suite (Analyzer, Email Inspector, Inspector), server protection products (ServerProtect), endpoint security for various segments (OfficeScan, Worry-Free Business Security), and specialized solutions like ScanMail and PortalProtect. This broad integration highlights their role as core scanning and detection engines across diverse security layers.
Within the Deep Discovery suite, ATSE is a cornerstone. Deep Discovery Inspector leverages ATSE for analyzing network traffic to identify threats, while Deep Discovery Analyzer uses ATSE as part of its process for sandbox analysis submissions. This integration allows for the detection of threats in transit and detailed analysis of suspicious files in a controlled environment.
For endpoint products such as Apex One (including its Mac version) and the historically significant OfficeScan, ATSE provides advanced threat detection capabilities directly on user devices. VSAPI has traditionally been the core engine for products like OfficeScan.
In the realm of Cloud One - Workload Security (which evolved from Deep Security), newer agent versions have explicitly adopted ATSE. The release notes for Deep Security Agent frequently document ATSE version updates, indicating its ongoing development and maintenance within this cloud and server security solution.
Messaging security solutions like InterScan Messaging Security Virtual Appliance (IMSVA) and ScanMail also incorporate these engines. IMSVA utilizes ATSE, enhanced with AFI, for detecting macros in email attachments and interacting with Deep Discovery Analyzer (DDAn) for further analysis. ScanMail for Domino notably saw the replacement of the older VSAPI/ATSE API (VSDecompress) with the more secure and capable AFI component.
While direct documentation explicitly detailing VSAPI/ATSE control over Trend Vision One is limited in the provided materials, Vision One, as Trend Micro's XDR platform, logically ingests and correlates detection data from all products containing these underlying engines. For instance, the Version Control Policy in Deep Security Agent allows Trend Vision One to manage updates for agents and their components, including scan engines. The API documentation for Trend Vision One describes how external systems can interact with the platform, which would naturally include accessing and acting upon threat intelligence generated by VSAPI and ATSE within connected products.
The way these engines are deployed and interact suggests a tiered defense strategy employed by Trend Micro. VSAPI provides broad, foundational file scanning capabilities, effective against a wide range of known threats. ATSE offers a more advanced layer, incorporating heuristic and behavioral detection mechanisms specifically designed for complex and evasive threats. Advanced File Information (AFI) further refines this by enhancing the pre-processing and specialized detection of high-risk file types like macros and scripts within ATSE. When these engines encounter highly suspicious items, they often escalate them to platforms like Virtual Analyzer or Deep Discovery Analyzer for in-depth sandboxing. Finally, the detection data and telemetry from these distributed engines are centralized and correlated in management and XDR platforms like Apex Central and Trend Vision One, enabling a holistic view of the threat landscape and coordinated response. This multi-layered approach creates a comprehensive threat detection and response ecosystem.
5.2. Current Role in Addressing Modern Cyber Threats
VSAPI, ATSE, and AFI continue to play crucial roles in Trend Micro's strategy for addressing the complexities of the modern cyber threat landscape. Their ongoing development and integration underscore their relevance.
ATSE's specific design focus on combating advanced threats—including zero-day vulnerabilities, embedded exploits, and files employing deformities to evade detection—makes it indispensable. Its heuristic and behavior-based analysis capabilities are critical for identifying sophisticated attacks that bypass traditional signature-based defenses.
The engines have also adapted to address prevalent modern threats like ransomware and fileless attacks. VSAPI version 9.950, for example, introduced features such as obfuscated JavaScript scans tailored for ransomware and base64 decoding support on PE files, also aimed at ransomware detection. Subsequently, VSAPI 11.0 included MIP3 support specifically for fileless memory-resident threats. These enhancements demonstrate a direct response to evolving attacker methodologies.
The integration with Machine Learning (ML) further solidifies their current standing. The VSAPI 12.0 Beta program aimed to enlarge the scope of ML application, and ATSE's function in extracting file features for Predictive Machine Learning (PML) systems highlights how these engines are key contributors to Trend Micro's AI-driven threat detection strategies.
The development and deployment of Advanced File Information (AFI), particularly its role in replacing the VSDecompress API, signals a continuous effort to harden core engine components against potential vulnerabilities while simultaneously enhancing specialized analysis of potentially malicious file structures, such as macros and scripts.
Finally, the adoption of a new versioning scheme post-2021 for both VSAPI and ATSE was explicitly to support an "increased release frequency to address latest threats". This agile update cadence is essential for keeping pace with the rapid evolution of cyber threats in the current environment.
Neither VSAPI nor ATSE appears to be obsolete; instead, they fulfill distinct but complementary functions. VSAPI continues to provide broad and reliable scanning for a wide range of threats, as evidenced by its ongoing updates within products like Worry-Free Business Security, and it serves as the foundational scanning technology in many Trend Micro offerings. ATSE, on the other hand, is the preferred engine for advanced threat detection in newer agent versions and specialized security products. The development of AFI demonstrates further specialization within ATSE to handle complex file types and to bolster the security of the analysis process itself. The continued relevance of both engines is ensured by these ongoing updates, increasing specialization (like AFI within ATSE), and their deep integration into Trend Micro's multi-layered security architecture, which leverages cloud intelligence (Smart Protection Network), machine learning (PML), and sandboxing (Virtual Analyzer/DDAn). They are evolving from potentially standalone engines into critical, interconnected components of a larger, more sophisticated defense system designed to address the multifaceted nature of modern cyber threats.
6. Conclusion
The Virus Scan API (VSAPI) and the Advanced Threat Scan Engine (ATSE) are pivotal to Trend Micro's cybersecurity offerings, representing a multi-layered and evolving approach to threat detection. VSAPI has served as the long-standing foundational file scanning engine, providing broad protection through pattern matching and evolving capabilities like packer identification. ATSE has emerged as a specialized engine, focusing on advanced threats such as zero-day exploits and targeted attacks, utilizing a combination of pattern-based, heuristic, and behavior-based scanning.
Their development is not entirely separate; evidence points to a close co-evolution, with shared vulnerabilities being addressed concurrently and ATSE updates often being merged into broader VSAPI release cycles. This suggests a modular architecture where ATSE's advanced capabilities augment or are integrated within the larger scan engine framework. The strategic transition towards deploying ATSE in newer Trend Micro products and agent versions underscores its importance in tackling contemporary, sophisticated threats.
A significant architectural refinement has been the introduction of Advanced File Information (AFI), which replaced the older VSAPI/ATSE API (VSDecompress) to resolve a potential vulnerability. AFI, operating as a feature within ATSE, has also enhanced the engine's ability to perform granular analysis of high-risk file types like macros and scripts, facilitating their escalation to sandboxing environments like Deep Discovery Analyzer.
Collectively, VSAPI, ATSE, and AFI contribute to a defense-in-depth strategy. They operate in concert with Trend Micro's broader technological ecosystem, including the Smart Protection Network for cloud-based intelligence, Predictive Machine Learning for proactive threat identification, and Virtual Analyzer for dynamic sandboxed analysis. The continuous updates to these engines, highlighted by a more agile versioning scheme post-2021 and ongoing integration into the latest Trend Micro products (including the Trend Vision One XDR platform via telemetry from underlying products), demonstrate their enduring relevance. By adapting to new threat vectors such as ransomware and fileless attacks, and by hardening core components while specializing detection techniques, Trend Micro ensures that VSAPI and ATSE remain critical assets in its mission to provide robust and adaptive cybersecurity solutions against an ever-evolving threat landscape.
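The macro triage flow described in section 4.2 (identify a file's format from its content, detect an embedded macro, then submit to the sandbox only when one is integrated and otherwise just log), as an added Python sketch. It is not Trend Micro code: the function names, the OLE2 byte heuristic and the in-memory sample files are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from dataclasses import dataclass
from typing import Tuple

# Script extensions the report lists for AFI file-information collection.
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".ps1"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                       # OOXML files are ZIP archives
PE_MAGIC = b"MZ"                                # Windows executable


@dataclass
class Verdict:
    file_type: str   # "ooxml", "ole2", "pe", "script" or "other"
    has_macro: bool
    action: str      # "submit_to_sandbox", "log_only" or "none"


def inspect_zip(data: bytes) -> Tuple[bool, bool]:
    """Return (is_ooxml, has_macro) for ZIP-based content."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False, False  # truncated or malformed archive
    is_ooxml = "[content_types].xml" in names
    # A VBA project is stored as a vbaProject.bin part, whatever the extension.
    has_macro = any(n.endswith("vbaproject.bin") for n in names)
    return is_ooxml, is_ooxml and has_macro


def ole2_has_macro(data: bytes) -> bool:
    """Coarse heuristic (assumption): OLE2 directory names are UTF-16LE, and a
    VBA project carries a '_VBA_PROJECT' stream. A real parser walks the FAT."""
    return "_VBA_PROJECT".encode("utf-16-le") in data


def identify(name: str, data: bytes) -> Tuple[str, bool]:
    """Classify by content first; fall back to extension only for scripts."""
    if data.startswith(OLE2_MAGIC):
        return "ole2", ole2_has_macro(data)
    if data.startswith(ZIP_MAGIC):
        is_ooxml, macro = inspect_zip(data)
        return ("ooxml", macro) if is_ooxml else ("other", False)
    if data.startswith(PE_MAGIC):
        return "pe", False
    if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
        return "script", False
    return "other", False


def triage(name: str, data: bytes, macro_detect: bool,
           sandbox_integrated: bool) -> Verdict:
    """macro_detect models atse_afi_macro_detect=1; sandbox_integrated models
    whether an analyzer such as DDAn is connected to the product."""
    file_type, has_macro = identify(name, data)
    if not (macro_detect and has_macro):
        return Verdict(file_type, has_macro, "none")
    action = "submit_to_sandbox" if sandbox_integrated else "log_only"
    return Verdict(file_type, has_macro, action)


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        # A macro-bearing file renamed to .docx is still caught by content.
        ("report.docx", make_ooxml(True)),
        ("clean.docx", make_ooxml(False)),
        ("legacy.doc", OLE2_MAGIC + b"\x00" * 32
         + "_VBA_PROJECT".encode("utf-16-le")),
        ("setup.exe", b"MZ\x90\x00"),
        ("job.ps1", b"Write-Host 1"),
    ]
    for integrated in (True, False):
        print(f"sandbox integrated: {integrated}")
        for name, data in samples:
            print("  ", name, triage(name, data, True, integrated))
```
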