Updates Information for Geeks: Trend Micro Components Explained

McMcbrad

Level 23
Oct 16, 2020
1,252
When navigating to About -> Components in the Trend Micro main console, a number of components can be seen, divided into three groups: Program, Engine and Pattern.



Many of these components are self-explanatory, but some of them sound rather cryptic.
This post provides a bit more detail on Trend Micro's core architecture and is based on the following two official Trend Micro posts:


I've simply compared them to the home version, as these articles cover business products, and have filtered out unrelated modules.

IntelliTrap Pattern (Security Agents)
The IntelliTrap Pattern detects real-time compression files packed as executable files.
For details, see IntelliTrap.

IntelliTrap Exception Pattern (Security Agents)
The IntelliTrap Exception Pattern contains a list of "approved" compression files.

IntelliTrap is a Trend Micro heuristic technology used to discover threats that use real-time compression paired with other malware characteristics like Packers. This covers virus/malware, worms, trojans, backdoors and bots. Virus writers often attempt to circumvent virus/malware filtering by using different file compression schemes. IntelliTrap is a real-time, rule-based, and pattern recognition scan engine technology that detects and removes known virus/malware in files compressed up to 17 layers deep using any of 16 popular compression types.

Note:
IntelliTrap uses the same scan engine as virus scanning. As a result, the file handling and scanning rules for IntelliTrap are the same as administrator-defined rules for virus scanning.

Agents write bot and other malware detections to the IntelliTrap log. You can export the contents of the IntelliTrap log for inclusion in reports.

IntelliTrap uses the following components when checking for bots and other malicious programs:
  • Virus Scan Engine
  • IntelliTrap Pattern
  • IntelliTrap Exception Pattern
Virus Scan Engine 32/64-bit (Security Agents)
At the heart of all Trend Micro products lies the scan engine, which was originally developed in response to early file-based viruses. The scan engine today is exceptionally sophisticated and capable of detecting different types of viruses and malware. The scan engine also detects controlled viruses that are developed and used for research.
Rather than scanning every byte of every file, the engine and pattern file work together to identify the following:
  • Tell-tale characteristics of the virus code
  • The precise location within a file where the virus resides
Smart Scan Pattern (not distributed to Security Agents; this pattern stays on the Security Server and is used when responding to scan queries received from Security Agents)
When in smart scan mode, Security Agents use two lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns.
The Smart Scan Pattern contains the majority of the pattern definitions. The Smart Scan Agent Pattern contains all the other pattern definitions not found in the Smart Scan Pattern.
The Security Agent scans for security threats using the Smart Scan Agent Pattern. Security Agents that cannot determine the risk of a file during the scan verify the risk by sending a scan query to the Scan Server, a service hosted on the Security Server. The Scan Server verifies the risk using the Smart Scan Pattern. The Security Agent "caches" the scan query result provided by the Scan Server to improve scan performance.

Smart Scan Agent Pattern (Security Agents using smart scan)
The Smart Scan Agent Pattern is the one used in home products:
Detections added to the pattern daily can be seen here: https://www.trendmicro.com/ftp/prod...pattern/whatsnew_Smart_Scan_Agent_Pattern.txt

Information about generic detections can be obtained here: Frequently Asked Questions (FAQs) on Generic Detection
Damage Cleanup Template (Security Agents)
The Damage Cleanup Template is used by the Damage Cleanup Engine to identify Trojan files and processes so the engine can eliminate them.

Not from Trend Micro, but my personal assumption:
This engine and template have a rather poor explanation, but I believe they serve as a correlator and a CTRL+Z on the malware's actions. E.g. trojan_fareit_abc is known to drop hello.exe in %userprofile%\AppData.
It is also known to disable Task Manager.
This engine will remove the related file and will re-enable Task Manager.
This assumption is based on a Damage Cleanup Log I saw saved in the Trend Micro folder.
Damage Cleanup Engine 32/64-bit (Security Agents)
The Damage Cleanup Engine scans for and removes Trojans and Trojan processes.

Memory Inspection Pattern (Security Agents)
This technology provides enhanced virus scanning for polymorphic and mutation viruses, and augments virus-pattern-based scans by emulating file execution. The results are then analyzed in a controlled environment for evidence of malicious intent with little impact on system performance.

Contextual Intelligence Engine 32/64-bit (Security Agents)
The Contextual Intelligence Engine monitors processes executed by low-prevalence files and extracts behavioral features that the Contextual Intelligence Query Handler sends to the Predictive Machine Learning engine for analysis.

Contextual Intelligence Pattern (Security Agents)
The Contextual Intelligence Pattern contains a list of "approved" behaviors that are not relevant to any known threats.

Contextual Intelligence Query Handler 32/64-bit (Security Agents)
The Contextual Intelligence Query Handler processes the behaviors identified by the Contextual Intelligence Engine and sends the report to the Predictive Machine Learning engine.

Advanced Threat Scan Engine 32/64-bit (Security Agents)
The Advanced Threat Scan Engine extracts file features from low-prevalence files and sends the information to the Predictive Machine Learning engine.

Advanced Threat Scan Engine uses a combination of signature file-based scanning and heuristic rule-based scanning to detect and document exploits and other threats used in targeted attacks.
Major features include the following:
  • Detection of zero-day threats
  • Detection of embedded exploit code
  • Detection rules for known vulnerabilities
  • Enhanced parsers for handling file deformities
Advanced Threat Correlation Pattern (Security Agents)
The Advanced Threat Correlation Pattern contains a list of file features that are not relevant to any known threats.

Early Boot Cleanup Driver 32/64-bit (Security Agents)
The Trend Micro Early Boot Cleanup Driver loads before the operating system drivers, which enables the detection and blocking of boot-type rootkits. After the Security Agent loads, the Trend Micro Early Boot Cleanup Driver calls Damage Cleanup Services to clean the rootkit.

Real-Time Scan uses the Memory Inspection Pattern to evaluate executable compressed files identified by Behavior Monitoring. Real-Time Scan performs the following actions on executable compressed files:
  1. Creates a mapping file in memory after verifying the process image path.
     Note: The Scan Exclusion list overrides the file scanning.
  2. Sends the process ID to the Advanced Protection Service which then:
    1. Uses the Virus Scan Engine to perform the memory scanning.
    2. Filters the process through global Approved lists for Windows system files, digitally signed files from reputable sources, and Trend Micro-tested files. After verifying that a file is known to be safe, OfficeScan does not perform any action on the file.
  3. After processing the memory scan, the Advanced Protection Service sends the results to Real-Time Scan.
  4. Real-Time Scan then quarantines any detected malware threat and terminates the process.
Spyware/Grayware Pattern v.6 (Security Agents)
The Spyware/Grayware Pattern identifies spyware/grayware in files and programs, modules in memory, the Windows registry and URL shortcuts.

Behavior Monitoring Detection Pattern 32/64-bit (Security Agents)
This pattern contains the rules for detecting suspicious threat behavior.

Behavior Monitoring Core Driver 32/64-bit (Security Agents)
This kernel mode driver monitors system events and passes them to the Behavior Monitoring Core Service for policy enforcement.

Behavior Monitoring Core Service 32/64-bit (Security Agents)
This user mode service has the following functions:
  • Provides rootkit detection
  • Regulates access to external devices
  • Protects files, registry keys, and services

Behavior Monitoring Configuration Pattern (Security Agents)
The Behavior Monitoring Driver uses this pattern to identify normal system events and exclude them from policy enforcement.

Damage Recovery Pattern (Security Agents)
The Damage Recovery Pattern contains policies that are used for monitoring suspicious threat behavior.

Digital Signature Pattern (Security Agents)
This pattern contains a list of valid digital signatures that are used by the Behavior Monitoring Core Service to determine whether a program responsible for a system event is safe.

Policy Enforcement Pattern (Security Agents)
The Behavior Monitoring Core Service checks system events against the policies in this pattern.

Memory Scan Trigger Pattern (32/64-bit) (Security Agents)
The Memory Scan Trigger service executes other scan engines when it detects that a process in memory is unpacked.

Behavior Monitoring uses the Memory Scan Trigger Pattern to identify possible threats after detecting the following operations:
  • File write action
  • Registry write action
  • New process creation
After identifying one of these operations, Behavior Monitoring calls Real-time Scan's Memory Inspection Pattern to check for security risks.
For details about the Real-time Scan operations, see Memory Inspection Pattern.
Program Inspection Monitoring Pattern (Security Agents)
The Program Inspection Monitoring Pattern monitors and stores inspection points that are used for Behavior Monitoring.

Threat Tracing Pattern 32/64-bit (Security Agents)
The Threat Tracing Pattern identifies fileless malware attacks.

Browser Exploit Prevention Pattern (Security Agents)
This pattern identifies the latest web browser exploits and prevents the exploits from being used to compromise the web browser.

Script Analyzer Unified Pattern (Security Agents)
This pattern analyzes scripts in web pages and identifies malicious scripts.
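The two-tier smart scan lookup described in the post (a small Smart Scan Agent Pattern on the endpoint, the bulk of definitions on the Scan Server, and a cached verdict on the agent) can be modelled as below. This is an added illustration, not Trend Micro's code or the post author's; the use of SHA-256 digests as the pattern key and all file contents, detection names and the class/function names are constructed assumptions.

```python
"""Model of a two-tier agent/server pattern lookup with a verdict cache.
Added example: not Trend Micro code. Digest-keyed patterns, sample files and
detection names are constructed for illustration."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files" (not real malware) and which tier knows each one.
FILES = {
    "notes.txt": b"quarterly notes",
    "dropper.bin": b"CONSTRUCTED-SAMPLE-A",
    "miner.bin": b"CONSTRUCTED-SAMPLE-B",
}
AGENT_PATTERN = {sha256(FILES["dropper.bin"]): "Constructed.Dropper.A"}  # small, local
SERVER_PATTERN = {sha256(FILES["miner.bin"]): "Constructed.Miner.B"}     # bulk of definitions


class ScanServer:
    """Stands in for the Scan Server: answers queries from the full pattern."""
    def __init__(self, pattern):
        self.pattern = pattern
        self.queries = 0  # how often agents had to fall back to the server

    def query(self, digest):
        self.queries += 1
        return self.pattern.get(digest, "clean")


class SecurityAgent:
    def __init__(self, local_pattern, server):
        self.local = local_pattern
        self.server = server
        self.cache = {}  # verdicts previously returned by the server

    def scan(self, data):
        """Return (verdict, tier that resolved it)."""
        d = sha256(data)
        if d in self.local:          # resolved by the agent-side pattern
            return self.local[d], "local"
        if d in self.cache:          # resolved from an earlier server verdict
            return self.cache[d], "cache"
        verdict = self.server.query(d)
        self.cache[d] = verdict
        return verdict, "server"


def run_demo():
    server = ScanServer(SERVER_PATTERN)
    agent = SecurityAgent(AGENT_PATTERN, server)
    order = ("dropper.bin", "miner.bin", "miner.bin", "notes.txt")
    tiers = [agent.scan(FILES[name])[1] for name in order]
    return tiers, server.queries  # second miner.bin scan never reaches the server
```

The second scan of the same unknown file is answered from the cache, so the server sees only two queries for four scans.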
 

Faybert

Level 23
Verified
Malware Hunter
Jan 8, 2017
1,233
What I can say so far with it installed on the system is that it has great performance, I can't even feel it, both in games and when browsing the web; nothing gets in the way or delays anything, really good, much lighter now than when I was with GDATA, and GDATA is light. Another good surprise is the support, I did some tests and saw that they are very quick to respond on the forum, by email and by chat, I liked it.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
I love how simple they've made everything, so installing Trend Micro on someone's computer with hyper-sensitive mode and aggressive web filtering ensures good security, without me having to deal with any side effects. Malware removal is also a very simple process with no unnecessary stress. Novice users may panic when they see "malware detected" alerts, especially if there are a few and they come in sequence, so this information needs to be presented in a careful way.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
How thorough and advanced do you think the infrastructure of Trend Micro is, compared to others? Besides the protection, detection and performance, I wonder how clever and well written this product is under its UI.
The pentesters I've spoken with have all said that the design of Trend Micro is one of the most secure they've seen. I can't comment on all products, as there are products I am truly not interested in, but from my analyses, I like this design. It allows for easy updates with no reboots and no security downtime. The way it detects and processes threats is also very thorough and smart. For example, if IPS detects something, it will issue a remediation, whereas Norton will just advise you to run Power Eraser. When it removes threats, it reverses almost everything they've done.
This design is similar to their business products.
 