The Real-Time Scan uses the Memory Inspection Pattern to evaluate the executable compressed files identified by Behavior Monitoring. Below is the procedure:
- A mapping file in memory is created after verifying the process image path.
- The process ID is sent to the Advanced Protection Service, which performs the following:
  - It uses the Virus Scan Engine to perform the memory scanning.
  - It filters the process through global Approved lists for Windows system files, digitally signed files from reputable sources, and Trend Micro-tested files. After verifying that a file is known to be safe, OfficeScan does not perform any action on the file.
- After processing the memory scan, the Advanced Protection Service sends the results to Real-Time Scan.
- The Real-Time Scan then quarantines any detected malware threat and terminates the process.
When the Memory Inspection Pattern fails to update, it is shown as outdated in the OfficeScan (OSCE) management console.
The following settings should be configured in the OSCE management console for the Memory Inspection Pattern:
- Quarantine malware variants detected in memory
  - On the management console, go to Agents > Agent Management > OfficeScan Server.
  - Navigate to Settings > Scan Settings > Real-time Scan Settings.
  - Click Target.
  - Enable the Quarantine malware variants detected in memory option.
- Additional Service Settings
  - On the management console, go to Agents > Agent Management > OfficeScan Server.
  - Navigate to Settings > Additional Service Settings.
  - Enable the Additional Service Settings option.
- Advanced Protection Service
  - On the management console, go to Agents > Agent Management > OfficeScan Server.
  - Navigate to Settings > Additional Service Settings.
  - Enable the Advanced Protection Service option.