
  • why tm scores poorly in av comparatives

    @kotilainenseppo

    A malformed PE header is not detected by behavioural blocking; that is static analysis' job.

    When you go to the logs, you can see which rule exactly triggered the block in some cases. More information is displayed in business products but to home users it is irrelevant. 

  • why tm scores poorly in av comparatives

    I have a question here as well, just to understand Trend Micro better. I could ask in the business part of the community too, but the subject has already been raised here.

    I could also find the Smart Scan patent on Justia and read in depth :-)

    So, the poor detection rate certainly has got something to do with Smart Scan (using 2 separate patterns). It looks like the Smart Scan Agent Pattern needs to flag something suspicious, and at that point the full definition will be retrieved from the server. Is that how it works?

    Also, how do you decide which malware to drop? Because ransomware can wreak havoc even when it is very old. Infostealers may have dead C&Cs, but a lot of them possess an update function. Do you check these C&Cs using an automated system? Or do you just automatically clean up everything >6 months of age? I am very curious how the cleanup decision is taken (though I understand you may wish not to disclose).

    Why is some sort of hash-based detection not still maintained on the TM Smart Protection Network?

    Malicious files, even when old, should have a reputation different from "safe". In that case, ATSE should be called on these files. Is PML not getting trained to detect these samples?

    I understand that the pattern needs to be minimalistic and requires maintenance, but why don't other layers cover these threats, such as behavioural analysis and policy enforcement?

  • question about atse and hypersensitive mode

    Hello everyone, I am back!

    Quick intro (although I am known here): I've established my own business as a VAR (almost an MSSP) and am looking forward to working with TM as well.

    I'm willing to join as an affiliate for home products too.

    Now for the questions, they will be highly technical.

    I've been reading yet again the list of components, engines and even patents Trend Micro owns.

    I understand from business products documentation that Trend Micro uses a cloud-based static analysis engine called ATSE (linked to Predictive Machine Learning).

    Business documentation states that ATSE scans only files without a favourable reputation.

    So:

    • Does the same apply to downloads as well, as many products are more aggressive towards downloads?
    • Does the same apply when Hypersensitive mode is on? Will Trend Micro call ATSE on all files in this mode?
    • Does Hypersensitive mode modify PML confidence levels which range from -1 to 4, again according to documentation? What is the default ATSE aggressiveness level in home products?
    • That aggressive scan automatically launched when a certain number of threats are found: does it trigger a more aggressive ATSE? Is that where the additional aggressiveness comes from?
    • What file types are supported by ATSE, apart from PE and Office Documents?

    And now a question about behavioural monitoring/policy enforcement, which also seems to be linked to PML in the cloud.

    • I see that behavioural monitoring, as well, is heavily focused on "untrusted" processes. Is it the same in Hypersensitive mode? How will Trend Micro deal with code abuse (signed malware) and LOLBin abuse if signed processes are automatically excluded?

    Question about features:

    I see that business products now have the capability to scan memory content (not to be confused with getting the image and executable paths from memory and scanning them on disk).

    Will this make its way to home products too?

    Does Trend Micro now support Intel TDT as well?