McMcbrad
Level 23
- Oct 16, 2020
- 1,252
When navigating to About -> Components in the Trend Micro main console a bunch of components can be seen, divided in three groups: Program, Engine and Pattern.
Many of these components are self-explanatory, but some of them sound rather cryptic.
This post will provide a bit more details over Trend Micro core architecture and is based on the following two official Trend Micro posts:
I've simply compared them to the home version, as these articles cover business products and have filtered out not-related modules.
Many of these components are self-explanatory, but some of them sound rather cryptic.
This post will provide a bit more details over Trend Micro core architecture and is based on the following two official Trend Micro posts:
I've simply compared them to the home version, as these articles cover business products and have filtered out not-related modules.
| IntelliTrap Pattern | Security Agents | The IntelliTrap Pattern detects real-time compression files packed as executable files. For details, see IntelliTrap. |
| IntelliTrap Exception Pattern | Security Agents | The IntelliTrap Exception Pattern contains a list of "approved" compression files. |
IntelliTrap is a Trend Micro heuristic technology used to discover threats that use real-time compression paired with other malware characteristics like Packers. This covers virus/malware, worms, trojans, backdoors and bots. Virus writers often attempt to circumvent virus/malware filtering by using different file compression schemes. IntelliTrap is a real-time, rule-based, and pattern recognition scan engine technology that detects and removes known virus/malware in files compressed up to 17 layers deep using any of 16 popular compression types.
Note:
IntelliTrap uses the same scan engine as virus scanning. As a result, the file handling and scanning rules for IntelliTrap are the same as administrator-defined rules for virus scanning.
Agents write bot and other malware detections to the IntelliTrap log. You can export the contents of the IntelliTrap log for inclusion in reports.
IntelliTrap uses the following components when checking for bots and other malicious programs:
Note:
IntelliTrap uses the same scan engine as virus scanning. As a result, the file handling and scanning rules for IntelliTrap are the same as administrator-defined rules for virus scanning.
Agents write bot and other malware detections to the IntelliTrap log. You can export the contents of the IntelliTrap log for inclusion in reports.
IntelliTrap uses the following components when checking for bots and other malicious programs:
- Virus Scan Engine
- IntelliTrap Pattern
- IntelliTrap Exception Pattern
| Virus Scan Engine 32/64-bit | Security Agents | At the heart of all Trend Micro products lies the scan engine, which was originally developed in response to early file-based viruses. The scan engine today is exceptionally sophisticated and capable of detecting different types of viruses and malware. The scan engine also detects controlled viruses that are developed and used for research. Rather than scanning every byte of every file, the engine and pattern file work together to identify the following:
|
| Smart Scan Pattern | Not distributed to Security Agents. This pattern stays in theSecurity Server and is used when responding to scan queries received from Security Agents. | When in smart scan mode, Security Agents use two lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns. The Smart Scan Pattern contains majority of the pattern definitions. The Smart Scan Agent Pattern contains all the other pattern definitions not found on the Smart Scan Pattern. The Security Agent scans for security threats using the Smart Scan Agent Pattern. Security Agents that cannot determine the risk of the file during the scan verify the risk by sending a scan query to the Scan Server, a service hosted on the Security Server. The Scan Server verifies the risk using the Smart Scan Pattern. The Security Agent "caches" the scan query result provided by the Scan Server to improve the scan performance. |
| Smart Scan Agent Pattern | Security Agents using smart scan | Smart Scan Agent pattern is the one used in home products: Detections added to the pattern daily can be seen here: https://www.trendmicro.com/ftp/prod...pattern/whatsnew_Smart_Scan_Agent_Pattern.txt Information about generic detections can be obtained here: Frequently Asked Questions (FAQs) on Generic Detection |
| Damage Cleanup Template | Security Agents | The Damage Cleanup Template is used by the Damage Cleanup Engine to identify Trojan files and processes so the engine can eliminate them. Not from Trend Micro, but my personal assumption: This engine and template have a rather poor explanation, but I believe they serve as a correlator and CTRL+Z on the malware actions. E.g. trojan_fareit_abc is known to drop hello.exe in %userprofile%\AppData It is also known to disable task manager. This engine will remove the related file and will re-enable task manager. This assumption is based on a Damage Cleanup Log I saw saved in Trend Micro folder. |
| Damage Cleanup Engine 32/64-bit | Security Agents | The Damage Cleanup Engine scans for and removes Trojans and Trojan processes. |
| Memory Inspection Pattern | Security Agents | This technology provides enhanced virus scanning for polymorphic and mutation viruses, and augments virus-pattern-based scans by emulating file execution. The results are then analyzed in a controlled environment for evidence of malicious intent with little impact on system performance. |
| Contextual Intelligence Engine 32/64-bit | Security Agents | The Contextual Intelligence Engine monitors processes executed by low prevalence files and extracts behavioral features that the Contextual Intelligence Query Handler sends to the Predictive Machine Learning engine for analysis. |
| Contextual Intelligence Pattern | Security Agents | The Contextual Intelligence Pattern contains a list of "approved" behaviors that are not relevant to any known threats. |
| Contextual Intelligence Query Handler 32/64-bit | Security Agents | The Contextual Intelligence Query Handler processes the behaviors identified by the Contextual Intelligence Engine and sends the report to the Predictive Machine Learning engine. |
| Advanced Threat Scan Engine 32/64-bit | Security Agents | The Advanced Threat Scan Engine extracts file features from low prevalence files and sends the the information to the Predictive Machine Learning engine. Advanced Threat Scan Engine uses a combination of signature file-based scanning and heuristic rule-based scanning to detect and document exploits and other threats used in targeted attacks. Major features include the following:
|
| Advanced Threat Correlation Pattern | Security Agents | The Advanced Threat Correlation Pattern contains a list of file features that are not relevant to any known threats. |
| Early Boot Cleanup Driver 32/64-bit | Security Agents | The Trend Micro Early Boot Cleanup Driver loads before the operating system drivers which enables the detection and blocking of boot-type rootkits. After the Security Agent loads, Trend Micro Early Boot Cleanup Driver calls Damage Cleanup Services to clean the rootkit. |
Real-Time Scan uses the Memory Inspection Pattern to evaluate executable compressed files identified by Behavior Monitoring. Real-Time Scan performs the following actions on executable compressed files:
- Creates a mapping file in memory after verifying the process image path.
Note
The Scan Exclusion list overrides the file scanning. - Sends the process ID to the Advanced Protection Service which then:
- Uses the Virus Scan Engine to perform the memory scanning.
- Filters the process through global Approved lists for Windows system files, digitally signed files from reputable sources, and Trend Micro-tested files. After verifying that a file is known to be safe, OfficeScan does not perform any action on the file.
- After processing the memory scan, the Advanced Protection Service sends the results to Real-Time Scan.
- Real-Time Scan then quarantines any detected malware threat and terminates the process.
| Spyware/Grayware Pattern v.6 | Security Agents | The Spyware/Grayware Pattern identifies spyware/grayware in files and programs, modules in memory, Windows registry and URL shortcuts. |
| Behavior Monitoring Detection Pattern 32/64-bit | Security Agents | This pattern contains the rules for detecting suspicious threat behavior. |
| Behavior Monitoring Core Driver 32/64-bit | Security Agents | This kernel mode driver monitors system events and passes them to the Behavior Monitoring Core Service for policy enforcement. |
| Behavior Monitoring Core Service 32/64-bit | Security Agents | This user mode service has the following functions:
|
| Behavior Monitoring Configuration Pattern | Security Agents | The Behavior Monitoring Driver uses this pattern to identify normal system events and exclude them from policy enforcement. |
| Damage Recovery Pattern | Security Agents | The Damage Recovery Pattern contains policies that are used for monitoring suspicious threat behavior. |
| Digital Signature Pattern | Security Agents | This pattern contains a list of valid digital signatures that are used by the Behavior Monitoring Core Service to determine whether a program responsible for a system event is safe. |
| Policy Enforcement Pattern | Security Agents | The Behavior Monitoring Core Service checks system events against the policies in this pattern. |
| Memory Scan Trigger Pattern (32/64-bit) | Security Agents | The Memory Scan Trigger service executes other scan engines when it detects the process in memory is unpacked. Behavior Monitoring uses the Memory Scan Trigger Pattern to identify possible threats after detecting the following operations:
For details about the Real-time Scan operations, see Memory Inspection Pattern. |
| Program Inspection Monitoring Pattern | Security Agents | The Program Inspection Monitoring Pattern monitors and stores inspection points that are used for Behavior Monitoring. |
| Threat Tracing Pattern 32/64-bit | Security Agents | The Threat Tracing Pattern identifies fileless malware attacks. |
| Browser Exploit Prevention Pattern | Security Agents | This pattern identifies the latest web browser exploits and prevents the exploits from being used to compromise the web browser. |
| Script Analyzer Unified Pattern | Security Agents | This pattern analyzes script in web pages and identifies malicious script. |
Last edited:
