Introduction to Virus Scan Engine (VSAPI) Packer-Identification in OfficeScan

    • Updated: 2 Jan 2018
    • Product/Version: OfficeScan 11.0, OfficeScan XG.All
    • Platform:
    • Windows 10
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2000 Advanced Server
    • Windows 2000 Professional
    • Windows 2000 Server
    • Windows 2003 32-Bit
    • Windows 2003 64-Bit
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 32-Bit
    • Windows 2008 64-Bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server Core
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012
    • Windows 2012 Datacenter
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Server R2
    • Windows 2012 Standard
    • Windows 2012 Standard R2
    • Windows 2012 Web Server Edition
    • Windows 2016
    • Windows 2016 Server Core
    • Windows 2016 Server Datacenter
    • Windows 2016 Server Standard
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

This article provides information on VSAPI packer identification. This function was introduced in VSAPI version 9.77 and is also available in later versions.

Details

A packer is used to pack PE files in order to reduce their file size and protect the binaries. Malware can also use this technique to evade anti-virus detection. There are many types of packers, such as UPX, Themida, and ASPack. Some are commonly used by companies, while others are mostly used by malware.

To block malware that leverages packers, the scan engine provides a Packer-Identification Policy Scan for enterprise customers. The detection name for the packer policy is defined by the following formats:

  • PACP_XXX.STD (standard packer types)
  • PACP_XXX.CM (customized packer types)

The type of packer is included in XXX (e.g. “PACK_ASPACK_001.STD” or “PACK_ASPACK_002.CM” for “ASPACK” packer).

You can choose to enable this policy scan if you know of an attack that uses packed malware. When the policy scan is enabled, any matched packer policy is reported by default. Additionally, when you receive a detection report, you can select and add approved packer types to avoid any related policy detection.
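When reviewing a detection report to decide which packer types to approve, it helps to group the packer-policy detections by type. The following is an added example, not Trend Micro code: it parses names in the formats shown above and splits them by an approved list. It assumes the trailing number is a variant index, that packer names contain no underscore, and that approving a type covers both its .STD and .CM detections; the sample names are constructed.

```python
import re
from collections import Counter

# Both prefixes are accepted because the article writes the format as PACP_XXX
# but its examples as PACK_ASPACK_001; which one an engine emits is not assumed.
DETECTION_RE = re.compile(
    r"^(?:PACP|PACK)_(?P<packer>[A-Za-z0-9]+?)(?:_(?P<variant>\d+))?\.(?P<kind>STD|CM)$"
)
KIND = {"STD": "standard", "CM": "customized"}


def parse_detection(name):
    """Return (packer, variant, kind) for a packer-policy detection name, else None."""
    m = DETECTION_RE.match(name.strip())
    if not m:
        return None
    return m["packer"].upper(), m["variant"], KIND[m["kind"]]


def triage(detections, approved):
    """Count detections per (packer, kind), split by whether the type is approved."""
    approved = {a.upper() for a in approved}
    reported, suppressed, unparsed = Counter(), Counter(), []
    for name in detections:
        parsed = parse_detection(name)
        if parsed is None:
            unparsed.append(name)  # not a packer-policy name; review separately
            continue
        packer, _variant, kind = parsed
        bucket = suppressed if packer in approved else reported
        bucket[(packer, kind)] += 1
    return reported, suppressed, unparsed


# Constructed sample detection names (not taken from a real report).
SAMPLE = ["PACK_ASPACK_001.STD", "PACK_ASPACK_002.CM", "PACP_UPX_001.STD",
          "PACP_UPX_001.STD", "PACP_THEMIDA_003.STD", "OTHER_DETECTION_PLACEHOLDER"]

if __name__ == "__main__":
    reported, suppressed, unparsed = triage(SAMPLE, approved={"UPX"})
    for (packer, kind), n in reported.most_common():
        print(f"still reported: {packer:<10} {kind:<10} x{n}")
    print("approved, suppressed:", dict(suppressed))
    print("not packer-policy names:", unparsed)
```
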

Taking OfficeScan as an example, admins can configure packer handling behavior via the following steps:

  1. In the web console, go to Agents > Outbreak Prevention and specify the scope of the policy in the client tree.

  2. Tick the "Deny access to executable compressed files" checkbox and then click the link to edit details.

  3. Add the approved packer types to the right column.

  4. Save and exit.
Category: SPEC
Solution Id: 1119135