Since the release of Windows 7 and Windows 2008 R2, there have been multiple changes in the NTFS architecture to improve performance. One of these changes include "opportunistic locks" (oplocks). For more information on oplocks, refer to this Microsoft article: What's New in NTFS
Due to the current limitations in VMware vShield Endpoint and AMSP 2.1, this new NTFS architecture means that we cannot scan in real-time files coming from SMB share that are copied over to Windows 7 and Windows 2008 R2 computers. Manual scan and scheduled scan however are not affected by this limitation.
Who are affected
These three conditions need to be met to be affected by the oplocks issue:
Windows 7 and Windows 2008 R2 computers
Deep Security 8.0 Agent-Less or Agent Based Anti-Malware Protection feature is being used.
Anti-Malware Real-Time Scan is configured in write-only mode.
Workaround for Agent-based protection
Trend Micro is currently working on a permanent solution. For the meantime, change the Anti-Malware Real-Time Scan mode from Write-only to Read/Write to address the problem.
Solution for Agent-less protection
DS 8.0 SP2 DSVA release now includes the functionality to detect malware under the above conditions. Please contact VMWare and ask for End Point driver version 22.214.171.124-8225062. Without the correct VMWare driver the Trend Micro Agentless appliance will continue to function normally but will not detect viruses written to those shares in some cases when write only mode is used. Note that this issue does not apply when read or read/write modes are used because the virus will always be detected when it is accessed.