Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Processes owned by Worry-Free Business Security (WFBS)

    • Updated:
    • 5 Sep 2017
    • Product/Version:
    • Worry-Free Business Security Standard/Advanced 7.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform:
    • Windows 2003 Datacenter Server
    • Windows 2003 Enterprise Server
    • Windows 2003 Home Server
    • Windows 2003 Small Business Server
    • Windows 2003 Standard Server Edition
    • Windows 2003 Storage Server
    • Windows 2003 Web Server Edition
    • Windows 2008 Datacenter Server
    • Windows 2008 Enterprise Server
    • Windows 2008 Essential Business Server
    • Windows 2008 Small Business Server
    • Windows 2008 Standard Server Edition
    • Windows 2008 Storage Server
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
Identify the processes owned by WFBS and know what they are for.
Common Client Solution Framework
For WFBS 9.0 only.
This service is responsible for Browser Exploit Solution (BES) and Ravage (Memory Scan for real-time scan) functionality.
SA Monitor

This component is responsible for interfacing with the client user.

It is responsible for:

  • Starting the CSA Console (PccNT.exe)
  • Displaying the client icon on the system tray
  • Sending quarantine files to the server
  • Displaying alerts
  • Detecting Internet Explorer proxy settings

This is done as part of auto-proxy detection functionality. IE settings can be used for Internet connectivity for Web Reputation Service and Active Update functionality.

SA Console
This is the CSA Console program. PccNTMon.exe calls this process to display the CSA information in the Security Dashboard and execute modified user settings on client computers.
Plug-in Manager
AosUImanager.exe is responsible for interfacing with the server-side Plugin Manager component.
Trend Micro Security
Agent Listener

This service is responsible for receiving commands and notifications from the server. TmListen, as the service is sometimes called, is responsible for the following functionality:

  • Client-server communication
  • Update
  • Component startup
  • Log delivery
Trend Micro Security Agent Real-time Scan

This service is responsible for Manual, Scheduled, and Real-time scan function. NTRtScan performs scan in the following order:

  1. antivirus
  2. antispyware
  3. DCS
Trend Micro Security
Agent Proxy Service

This service is responsible for Web threat security and POP3 scan functionalities. TmProxy is responsible for receiving HTTP connections that the Trend Micro TDI driver intercepts as part of Web threat functionality.

Upon receiving information about the connection, TmProxy uses the URL filtering engine to obtain a credibility rating, from Trend Micro, for the Web site that is being accessed. Depending on the rating that is returned, TmProxy can block or permit access to the site.

Trend Micro Security
Agent Firewall
This service is responsible for client firewall functionality.
Trend Micro Unauthorized Change
Prevention Service
This service is responsible for the AEGIS module.

Security Server


The Master Service, or OfcService.exe, is the central management component of WFBS network.

It processes commands to and from the agents and the console. Through this service, the following functionalities are provided for the MSA and CSA:

  • Storage for agent configuration settings
  • Agent logs consolidation
  • Default source for update components (example: patterns, engine, etc.)

This process is the only WFBS component that interfaces with the database.

When the Security Server receives information from the CSA, such as the version of its update components, it sends this information to Dbserver.exe. The Dbserver.exe then modifies the client record on the database in order to reflect the updated component information for the client.

iCRCService.exeThe Smart Scan Service, or iCRCService.exe, is the master service for the Integrated Smart Scan Server. It handles communication between a client's iCRCHandler and the server's activities. Stopping the Security Server Master Service simultaneously stops iCRCService.exe.
OfcAoSMgr.exeThe Plug-in Manager Service prepares token-value pair, enumerates plug-in information, and specifies the user interface control.

Client/Server Security Agent (CSA)


AMSP_LogServer.exe generates logs about framework functionality and internal AMSP components. It complements the debugging mechanisms that are built into the individual core technology modules. It relies on three INI files to determine the amount of information that it will record for the different AMSP components:

  • AmspConfig.ini - General debugging behavior of the AMSP framework
  • AmspLogFilter.ini - Filtering level applied for each component (example: registry and network configuration)
  • AmspLogList.ini - Paths and file names of the log files generated for each AMSP module

Aside from communicating with coreServiceShell.exe, coreFrameworkHost.exe also acts like a watchdog process for coreServiceShell.exe. When the latter terminates abnormally, coreFrameworkHost.exe will perform the following recovery tasks:

  1. Take a snapshot of the current AMSP setup (settings and components)
  2. Restore the last known working setup
  3. Restart coreServiceShell.exe

Aside from being the interface for the Service Control Manager, coreServiceShell.exe also serves as the entry point for the whole AMSP framework.

It is responsible for the overall management of the framework's components, including core modules and plug-ins. It also determines which AMSP modules to load by referring to the encrypted configuration file component_info.cfg, which is stored in %ProgramFiles%\Trend Micro\AMSP by default.


This process is responsible for the following functionalities:

  • Client-server communication
  • Log delivery

A component of UniClient, uiSeAgent.exe is also referred to as the Session Agent. It is the process for the Security Agent's task tray application and is responsible for the following tray properties: icon, tooltips (including balloon tooltips), and menus. Upon receiving a right-click event, uiSeAgent.exe provides the user with a menu that includes options to:

  • Open the main Security Agent console (uiWinMgr.exe)
  • Run an on-demand scan
  • Disable real-time scanning of files and folders
  • Exit the program (terminate uiSeAgent.exe and stop the Security Agent's service as well)

The Session Agent also monitors certain event changes for a user's session including:

  • Changes to the Internet Explorer's proxy settings if the Security Agent is configured to use them
  • Applications running in full screen mode, which temporarily stops a scheduled update

Note: The status of uiSeAgent.exe, whether running or not, does not affect the protection status of Security Agent.


Another component of UniClient, uiWatchDog.exe is mainly responsible for ensuring that the uiSeAgent.exe process is always running.

The watchdog monitors the exit code of the Session Agent. In the event that the latter process terminates with an exit code not equal to 0 (an indication of an abnormal termination), uiWatchDog.exe will attempt to reload uiSeAgent.exe.

uiWinMgr.exeThe client main console uiWinMgr.exe runs whenever the user console is launched.

Messaging Security Agent (MSA)

SMEX_Master.exeThis is the main component of MSA, which handles all the major processing inside the product.
SMEX_RemoteConfig.exeThis provides the user identity and the mechanism for configuration replication between MSA systems.
SMEX_SystemWatcher.exeThis acts as a watchdog program for monitoring the status of ScanMail system. SMEX_SystemWatcher.exe is the process level equivalent for this service.
(Not available in Junk Email Integration)
The End User Quarantine (EUQ) is a Trend Micro module responsible for moving spam messages to a user's spam folder.
Solution Id:
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.