APEX ONE CERTIFIED PROFESSIONAL 2023 ACTUAL EXAM 2 LATEST VERSIONS COMPLETE QUESTIONS AND CORRECT DETAILED ANSWERS (VERIFIED ANSWERS)

Network Defense Products
Only complete visibility into all network traffic and activity will keep the organization ahead of
purpose-built attacks that bypass traditional controls, exploit network vulnerabilities, and
either ransom or steal sensitive data, communications, and intellectual property. Trend Micro
Network Defense detects and prevents breaches anywhere on the network to protect critical
data and reputation. Rapidly detect, analyze, and respond to targeted attacks on your network.
Stop targeted email attacks, and detect advanced malware and ransomware with custom
sandbox analysis, before damage is done.

Hybrid Cloud Security Products
The Trend Micro Hybrid Cloud Security solution protects enterprise workloads in the data center
and the cloud from critical new threats, like ransomware, that can cause significant business
disruptions, while helping to accelerate regulatory compliance.
Hybrid Cloud Security delivers comprehensive, automated security for physical, virtual and cloud
servers. The organization can secure critical data and applications across their cloud and
virtualized environments with effective server protection that maximizes their operational and
economic benefits.
Whether you are focused on securing physical, virtual, cloud, or hybrid environments, Trend
Micro provides the advanced server security you need with the Trend Micro Deep Security
platform.

User Protection Products
Trend Micro User Protection is an interconnected suite of security products and advanced threat
defense techniques that protect users from ransomware and other threats, across endpoints,
gateways and applications, allowing the organization to secure all its users' activity on any
application, any device, anywhere.

Trend Micro Smart Protection Network Products
The Trend Micro Smart Protection Network mines data around the clock and across the globe to
ensure up-to-the-second threat intelligence to immediately stamp out attacks before they can
harm valuable enterprise data assets.

Visibility and Control Products
Whether your endpoints are internal or external, you can manage a comprehensive set of
security capabilities from one single management console providing a strong level of visibility
and control. In addition, suspicious objects discovered by different applications can be
consolidated into a single list and distributed within the entire environment.

Important when you have multiple TM products in your organization.

Trend Micro XGen™ Security
Trend Micro’s endpoint protection solution, powered by XGen, delivers a blend of cross-generational
threat defense techniques that are smart, optimized, and connected to protect endpoint computers
across the enterprise – all while preventing business disruptions and helping with regulatory compliance.

Trend Micro Apex One
Apex One is the next evolution of the Trend Micro enterprise endpoint security solution and replaces
OfficeScan as Trend Micro’s flagship endpoint security product. Apex One can be installed as a new
product in the enterprise or you can upgrade an installation of OfficeScan XG to Apex One.
Apex One protects endpoint computers from malware, network viruses, Web-based threats, spyware, and
mixed threat attacks (both known and unknown). It uses a client/server architecture that consists of a
Security Agent program that resides on the endpoint and a server program that manages all Agents. The
Apex One Server provides real-time, bidirectional communication between the Server and Security Agents
over HTTPS. The Apex Central Web Management console makes it easy for administrators to set coordinated
security policies and deploy updates to every endpoint Agent. In addition, different user access roles
can be set up for specific administrative tasks such as policy configuration, log query, and report
generation.

Trend Micro Apex One Deployment Methods: On-Premise
In an on-premise deployment, the Apex One Server is installed as a standalone server within your
environment. The database and other components also reside within your network. Apex Central
can be installed as an optional component to simplify policy distribution and provide additional
security capabilities. The Apex One Web Management Console is the main management interface
into the system. Any software updates to the servers in an on-premise deployment must be
manually applied by administrators.

Trend Micro Apex One Deployment Methods: Software as a Service Deployment
Apex One as a Service is a subscription-based cloud implementation of Apex One. Trend Micro
hosts the database, Apex One Server and Apex Central Server components on Microsoft Azure
virtual machines. The Apex Central Web Management console is the main management interface
for the service offering. Any software updates to the servers are applied automatically by Trend
Micro.

Key Features of Trend Micro Apex One
-Malware Protection
Endpoint protection is the primary focus of Apex One. Apex One protects endpoint computers
from security risks by scanning files for malware and then performing a specific action for each
security risk detected.

-Ransomware Protection
Enhanced scan features can identify and block ransomware programs that target documents on
endpoint computers by identifying common behaviors and blocking processes commonly
associated with ransomware programs.

-Predictive Machine Learning
Predictive Machine Learning can protect your network from new, previously unidentified, or
unknown threats through advanced file feature analysis and heuristic process monitoring.

-Behavior Monitoring
Behavior Monitoring constantly monitors and protects Agents from unusual and unauthorized
modifications to the operating system or installed software.

-Sandbox Analysis
Sandbox analysis is delivered through Connected Threat Defense, a collective feature of Trend Micro
products that shares suspicious objects discovered by one product with the others to maximize network
protection.

-Web Threat Protection
Web Reputation technology protects Agent computers within or outside the corporate network
from malicious and potentially dangerous Web sites.

-Firewall Protection
The Apex One firewall protects endpoint computers on the network using stateful inspection.
Rules can be created to filter connections by application, IP address, port number and protocol,
and then applied to different groups of users.

-Data Loss Prevention
Data Loss Prevention safeguards an organization’s digital assets against accidental or deliberate
leakage.

-Device Control
Device Control regulates access to external storage devices and network resources connected to
computers.

-Outbreak Control
Apex One Outbreak Prevention Services shuts down infection vectors and rapidly deploys attack-specific
security policies to prevent or contain outbreaks before pattern files are available.

-Application Control
Application Control enhances defense against malware or targeted attacks by preventing
unwanted and unknown applications from executing on endpoints.

-Virtual Patching
Vulnerability Protection shields endpoints from attacks that exploit operating system
vulnerabilities by applying virtual patches.

-Endpoint Detection and Response
Apex One provides actionable insights, expanded investigative capabilities, and centralized
visibility across the network through an advanced Endpoint Detection and Response (EDR)
toolset.

-Endpoint Encryption
Endpoint Encryption encrypts data on a wide range of devices including laptops and desktops,
USB drives, and other removable media, providing full disk, file/folder, and removable media
encryption to prevent unauthorized access and use of private information.

-Cloud-Based Intelligence
Apex One benefits from a global cloud-based repository of threat data through the Trend Micro
Smart Protection Network.

-Automated Updates
Apex One Agents benefit from regular, automated updates to malware signatures and patterns.

-Multi-Platform Support
Apex One provides endpoint protection features for both Windows and Mac operating systems.
Not all Apex One functionality is currently available on Mac endpoint computers. Linux systems
are also supported for Endpoint Sensor ONLY.

-Simplified Administration
The Apex Central Web Management console can coordinate automatic deployment of security
policies, pattern files, and software updates on every Agent and server.

-Unified Agent
Apex One provides a wide breadth of capabilities through a single unified agent.

Trend Micro Apex One as a Service Components
Apex One Server
Apex Central Server
Security Agents
Reference Servers
Trend Micro ActiveUpdate Server
Update Agents
Trend Micro Endpoint Encryption
Cloud Sandbox
Microsoft Active Directory

Apex One Server
The Apex One Server is the central repository for all Agent configurations, security risk logs, and
updates. The server performs two important functions:

  • Monitors and manages Security Agents on Windows and Mac endpoints
  • Downloads most of the components needed by Agents

Apex Central Server
The Apex Central Server (previously known as Control Manager) provides a single unified
interface to manage, monitor, and report across multiple layers of security and deployment
models. Customizable data displays allow administrators to rapidly assess status, identify threats,
and respond to incidents.
User-based visibility shows what is happening across all endpoints, enabling administrators to
review policy status and make changes across all user devices. Direct links to the Trend Micro
Threat Connect database provide access to actionable threat intelligence. Apex Central is
responsible for compiling the Suspicious Objects list for use in Connected Threat Defense.

Security Agents
A Security Agent on each endpoint protects Windows and Mac computers from security risks.
The Agent reports to the parent Apex One Server from which it was installed and sends security
events and status information to the Server in real time. Security Agents can be installed on
endpoint computers within and outside the corporate network.

Reference Servers
Security Agents determine which policy to use by checking their connection status to a reference
server. If a Security Agent can connect to the defined reference server, it is considered to be
internal to the network and applies the internal policy. If it cannot connect to the reference
server, it is considered external and applies the external policy.

Trend Micro ActiveUpdate Server
Trend Micro ActiveUpdate Server serves as the default download source for pattern file and
program updates. Other sources, including Apex Central or Update Agents can be used as the
download location instead of the ActiveUpdate Server.

Update Agents
Update Agents are Security Agents that function as alternative update sites for other Agents
within an Apex One network. Update Agents serve as local ActiveUpdate sites.

Trend Micro Endpoint Encryption
Trend Micro Endpoint Encryption encrypts data on a wide range of devices — both PCs and Macs,
laptops and desktops, USB drives, and other removable media. This solution combines
enterprise-wide full disk, file/folder, and removable media encryption to prevent unauthorized
access and use of private information. Endpoint Encryption is an optional, standalone product,
but can be incorporated into policies distributed through Apex Central.

Cloud Sandbox
The separately licensed Cloud Sandbox allows for the observation of file and network behavior
without any risk of compromising the network.
This service performs static analysis and behavior simulation to identify potentially malicious
characteristics. During analysis, the service rates the characteristics in context and then assigns
a risk level to the sample based on the accumulated ratings which is then forwarded to Apex
Central to build the Suspicious Objects List.

Microsoft Active Directory
Apex Central integrates with Microsoft™ Active Directory™ to allow administrators to create user
accounts for Web Management console access based on Active Directory users or groups. It can
also map the User/Endpoint Directory according to your existing organizational structure and
integrates endpoint information (such as threat detections and policy statuses) with Active
Directory user information (such as login history and contact details).

Detecting Threats at the Entry Point
-Web Reputation: Web reputation blocks connections to malicious Web sites. This is done at
the kernel level.

-Operating System Vulnerability Protection: Apex One blocks exploits of operating system
vulnerabilities by applying a virtual patch.

-Browser Exploits: Malicious behavior can also be captured within the Web browser based on
script inspection and site behavior.

-Device Control: Apex One can block unknown removable media devices, making it less likely
for the endpoint to be infected with malware.

Detecting Threats Pre-execution
Detection methods used in the pre-execution phase capture and block threats as they are written
to disk or to memory.

-Packer Detection: Apex One identifies packed malware as it unpacks prior to execution,
blocking threats attempting to hide themselves in memory.

-Predictive Machine Learning: File-based threats can be evaluated against a cloud-based
model before they are run to predict if the file is malicious. Apex One can take advantage of
an offline model in cases where the endpoint is not connected to the network.

-Application Control: Application control prevents unrecognized software from executing.

-Variant Protection: Variant protection detects mutations of malicious samples by recognizing
known fragments of malware code.

-File-based Signatures: The majority of threats still arrive at the endpoint as file-based attacks.
File-based signatures provide an effective technique for detecting known malicious items.

Detecting Threats at Runtime
While many threats can be detected as they are written to disk, some threats are not
detected until they execute.

-Predictive Machine Learning: Run-time machine learning techniques monitor anything that is
executing and evaluates it against a separate run-time machine learning model.

-Behavior Analysis: Behavior analysis techniques provide a clear indication that an
attack is taking place based on file behavior. This provides an effective mechanism for
detecting ransomware and fileless malware.

  • In-memory Runtime Analysis: Some malware executes only in memory. In-memory runtime
    analysis can monitor for malicious script behavior or code injections in memory and stop
    them once they start running.

Detecting Threats at the Exit Point
Methods in this phase can detect and block attempts to forward data from the endpoint.

  • Web Reputation: At this phase, Web reputation protection can block connections to malicious
    Web sites, such as Command & Control sites.
  • Host Intrusion Prevention: Host intrusion prevention detects and blocks malware lateral
    movement behavior.
  • Data Exfiltration Detection: Data Leak Prevention techniques can detect sensitive data
    leaving the endpoint and block its movement.
  • Device Control: Unknown removable media devices can be blocked to prevent data leaving the
    endpoint.

Managing Apex One as a Service
Apex One as a Service uses two server components to deliver its functionality: the Apex Central
Server and the Apex One Server.

Apex Central Server responsibilities
The Apex Central Server is responsible for the following operations as part of the service:

  • Policy management
  • Visibility across managed products
  • User/Endpoint Directory
  • Logs
  • Event notifications
  • Reports
  • Component updates
  • Connected Threat Defense
  • Role-based administration
  • Command tracking
  • License management
  • Threat investigation
  • Security Agent installation

Apex One Server responsibilities
The Apex One Server is responsible for the following operations as part of the service:

  • Security risk protection
  • Firewall
  • Data loss prevention
  • Device control
  • Global Agent settings

Logging into the Apex Central Web Management Console
The credentials used by the default administrator, including account name and password, are assigned
during the service account setup process.

Upon first login, it is the responsibility of the default administrator to define user roles and set up user
accounts to allow other administrative users to access the Apex Central Web Management console with
their own login credentials.

  • Web Console Auto Refresh: The Web Management console can be configured to automatically
    refresh the displayed data at the specified frequency (in seconds).
  • Web Console Timeout: Logs users off after the specified period of inactivity (in minutes).
  • Security Settings: Locks an account after the specified number of incorrect login attempts.
  • Concurrent Session Limitation: Restricts each administrator account to a single console
    session at a time.

Active Directory Integration
Integrating Apex Central with a Microsoft Active Directory server enables the following capabilities:

  • Allows administrators to create user accounts for Web Management console access based on Active
    Directory users or groups.
  • Maps the User/Endpoint Directory according to your existing organizational structure and integrates
    endpoint information (such as threat detections and policy statuses) with Active Directory user
    information (such as login history and contact details).
  • Use the site location and reporting line information in Active Directory to gain greater insight into
    your network protection status on the Operation Center tab.
  • Create user-based application control rules based on Active Directory users and groups.

Syncing With Active Directory
Apex Central supports synchronization with multiple Active Directory forests. Adding an Active
Directory domain automatically synchronizes all domains from the same forest.

Active Directory Synchronization Tool
Synchronize endpoint and user information from Active Directory servers by using the Active
Directory synchronization tool, which is distributed as the Apex_Central_ADSyncAgent_*.zip file.
Save the file, then extract and run the tool on the Active Directory server.

Note: Ensure that .NET Framework 4.6.1 is installed on the Active Directory server before executing the
tool.
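A quick way to verify that prerequisite on the Active Directory server before running the synchronization tool. The PowerShell below is an added example and not part of the Trend Micro tool: it reads the .NET Framework 4.x "Release" value from the registry and compares it against the minimum Release number Microsoft assigns to each version (4.6.1 is 394254 or higher). The version table is Microsoft's published mapping; the function names are this example's own.

```powershell
# Added example (not part of the Apex Central AD sync tool). Run on the Active Directory server.

# Minimum 'Release' DWORD values Microsoft assigns to each .NET Framework 4.x build, ascending.
# Any Release >= 394254 means 4.6.1 or later is installed.
$DotNetReleases = [ordered]@{
    '4.5'   = 378389
    '4.5.1' = 378675
    '4.5.2' = 379893
    '4.6'   = 393295
    '4.6.1' = 394254
    '4.6.2' = 394802
    '4.7'   = 460798
    '4.7.1' = 461308
    '4.7.2' = 461808
    '4.8'   = 528040
    '4.8.1' = 533320
}

function Get-DotNetFrameworkVersion {
    # Returns the highest 4.x version whose minimum Release is <= the installed Release,
    # or $null when no .NET Framework 4.x "Full" install is registered.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release) { return $null }
    $version = $null
    foreach ($entry in $DotNetReleases.GetEnumerator()) {
        if ($release -ge $entry.Value) { $version = $entry.Key }
    }
    [pscustomobject]@{ Version = $version; Release = $release }
}

function Test-AdSyncToolPrerequisite {
    # $true when .NET Framework 4.6.1 or later is present, as the tool requires.
    $installed = Get-DotNetFrameworkVersion
    if (-not $installed) {
        Write-Warning '.NET Framework 4.x is not installed.'
        return $false
    }
    $ok = $installed.Release -ge $DotNetReleases['4.6.1']
    if (-not $ok) {
        Write-Warning "Found .NET Framework $($installed.Version) (Release $($installed.Release)); 4.6.1 or later is required."
    }
    return $ok
}

if (-not (Test-AdSyncToolPrerequisite)) { exit 1 }
```

Checking the Release value rather than the folder version is the reliable method: in-place 4.x upgrades replace the same "v4\Full" key, so only the Release number tells you which version is actually installed.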

Administrative Accounts
In addition to the default administrative account created during the account setup process, additional
administrative accounts can be added through the Apex Central Web Management console.
Administrative accounts grant and control access to the Apex Central Web Management console. Each
administrative user is assigned a specific role. A role defines the level of access to the Web
Management console.

Defining User Roles
Define and assign user roles to limit the access specific user accounts have to certain Web
Management console screens. You can define user roles to completely hide Web Management
console screens, limit access to read only, or grant full configuration rights.

Predefined Roles
There are several predefined roles that are part of an Apex Central as a Service deployment:

  • Administrator (DLP Compliance Officer): This role can perform all actions on all menu items
    and can monitor, review, and investigate DLP incidents triggered by any Active Directory user.
  • Administrator: This role can perform all actions on all menu items but cannot monitor,
    review, or investigate DLP incidents triggered by any Active Directory user.
  • DLP Compliance Officer: This role can perform all actions on the Dashboard and can
    monitor, review, and investigate DLP incidents triggered by any Active Directory user. This
    user role is only available to Active Directory users or groups.
  • DLP Incident Reviewer: This role can perform all actions on the Dashboard and can only
    monitor, review, and investigate DLP incidents triggered by Active Directory users that report
    to the DLP Incident Reviewer. This user role is only available to Active Directory users or
    groups.
  • Operator: This role can perform all actions on the Dashboard and Directories menu items
    and can perform log queries, view reports generated and sent by other users, and update user
    account information. This role can only view information on the Policy Management screen
    and cannot monitor, review, or investigate DLP incidents triggered by any Active Directory
    user.
  • Power User: This role can perform all actions on the Dashboard and Directories menu
    items and can perform log queries, maintain logs, generate and maintain reports, and update
    user account information. This role can only view information on the Policy Management
    screen and cannot monitor, review, or investigate DLP incidents triggered by any Active
    Directory user.
  • Read-only User: This role can view information on all menu items and update user account
    information, and can perform all actions on the Dashboard, perform log queries, generate
    reports, create custom report templates, search directories, and create and use custom tags/
    filters to manage the User/Endpoint Directory tree. It cannot view reports generated by other
    users.
  • SSO User: This role can perform all actions on all menu items but cannot monitor, review, or
    investigate DLP incidents triggered by any Active Directory user.
  • Threat Investigator: This role can investigate security threat incidents on managed
    endpoints/servers.

Custom Roles
New custom user roles can be created if the available built-in roles do not satisfy the
requirements of your organization.

Configuring User Accounts
Administrative users log into Apex Central Web Management console with their account details.
The account defines their role, which assigns administrative permissions to the account holder.

Predefined Accounts
There are two predefined accounts:

  • SSO_User: This user is assigned the SSO_Users role.
  • System: This user is assigned the Administrators role.

Importing Active Directory Accounts
credentials. Both Active Directory users and groups can be used. The account and assigned
permissions exist in the Apex Central database, but login credentials remain in the Active
Directory account.
Once Apex Central has been synchronized with Active Directory, Apex Central administrators can
import Active Directory accounts, which in turn creates an account that is designated as an
Active Directory account.

Logging into the Apex One Web Management Console
The Apex One server is configured as an Apex Central managed server during the account setup process.
If access to the Apex One Web Management console is required, for example, to configure firewall policies
and profiles, access the server from the Managed Servers list in the Apex Central Web Management
console.

Global Agent Settings
Global agent settings apply to all agents that report to the Apex One as a Service server.

Security Settings
Security settings that apply to all Agents are configured from the Security Settings tab.

System Settings
Settings related to specific Apex One services are configured from the System Settings tab.

Network Settings
Settings related to network communications, including the polling interval, can be configured on
the Network Settings tab.

Agent Control
Settings related to Agent notifications and language are configured on the Agent Control tab.

Apex Central Management Modes
Apex Central can be deployed in a few different management modes, including a pure on-premise, cloud
or hybrid deployment.

On-premise Management Mode
In on-premise management mode, an Apex Central Server is deployed to provide management
and policy deployment capabilities to one or more Apex One Servers. In this type of deployment,
the Apex Central and Apex One Servers are installed on premise.

Cloud Management Mode
In cloud management mode, an instance of Apex Central as a Service is deployed to provide
management and policy deployment capabilities to an instance of Apex One as a Service.

Hybrid Management Mode
This management mode uses a combination of on-premise and cloud servers. This type of installation
requires the Remote Connection Tool in the DMZ to allow the service product consoles to register to
the on-premise Apex Central Server. The Remote Connection Tool runs as a service named SmartRelay
(Smart Relay Service). The Remote Connection Tool can be downloaded, along with details on its use,
from the Trend Micro Customer Success Web site at:
https://success.trendmicro.com/solution/1118614-setting-up-apex-one-asa-service-remote-connection-to-control-manager-tmcm

Managing Security Agents
Security Agents are the protection-tier component of an Apex One environment. The Agent is
responsible for protecting hosts from malware, network threats, and Web threats. The Agent sends
events (such as virus/malware detection) and status information (for example, completion of an update,
Agent shutdown etc.) to the Apex One Server in real time.

Security Agent Tasks
Security Agents provide the following protection on endpoint computers:

  • Conventional and SmartScan virus protection
  • Grayware/Spyware protection
  • Device control
  • Firewall
  • Outbreak prevention
  • Smart Protection
  • Behavior monitoring
  • Ransomware protection
  • Data loss prevention
  • Suspicious connection service
  • Web threat protection
  • Predictive Machine Learning protection
  • Sample submission
  • Memory scanning
  • Browser Exploit protection
  • Vulnerability protection
  • Application Control protection

Security Agent Services and Components
The following services and components are installed as part of the Security Agent:

  • Apex One NT Listener Service (TmListen.exe)
  • Apex One NT Real-time Scan Service (Ntrtscan.exe)
  • Apex One NT Firewall Service (TmPfw.exe)
  • Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe)
  • Apex One Common Client Solution Framework (TmCCSF.exe)
  • Trend Micro Endpoint Sensor Service (TMESC.exe)
  • Trend Micro Application Control Agent Service (TMiACAgentSvc.exe)
  • Trend Micro Vulnerability Protection Service (iVPAgent.exe)
  • Trend Micro Advanced Threat Assessment Service (AtasAgent.exe)

Apex One Security Agents use the following non-service applications to provide additional functionality:

  • Apex One NT Monitor (PccNTMon.exe)

Apex One NT Listener Service (TmListen.exe)
Receives commands and notifications from the Apex One Server and is
responsible for the following functionality:

  • Server-Agent communication
  • Updates
  • Component startup
  • Log delivery

Apex One NT Real-time Scan Service (Ntrtscan.exe)
Performs manual, on-demand and real-time scanning functionality and is
responsible for using the following scan engines:

  • Virus Scanning API (VSAPI)
  • Spyware Scanning API (SSAPI)
  • Damage Cleanup Engine (DCE)
  • Advanced Threat Scanning Engine (ATSE)
  • iCRC modules

This service also assumes responsibility for starting the Unauthorized
Change Prevention Service (TMBMSRV.exe).

Apex One NT Firewall Service (TmPfw.exe)
Provides packet level firewall, network virus scanning, and
intrusion detection capabilities. Through the Web Management console,
administrators can create rules and apply them to filter connections (for
example, by application, IP address, port number, or protocol).

Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe)
This service protects the Apex One registry settings from unauthorized
changes and prevents the Agent's processes and services from being stopped.
It is also responsible for the following:

  • Behavior Monitoring
  • Device Control
  • Certified Safe Software Service

Apex One Common Client Solution Framework (TmCCSF.exe)
This service provides a pluggable platform for new Trend Micro Core
Technologies. These technologies include:

  • Browser Exploit Prevention, which checks the behavior of web pages
    in real time to detect malicious scripts and/or programs
  • Behavior-based, enhanced memory scanning
  • Advanced Threat Scan Engine DLL and Predictive Machine Learning

Trend Micro Endpoint Sensor Service (TMESC.exe)
This service provides integrated endpoint sensor capabilities.

Trend Micro Application Control Agent Service (TMiACAgentSvc.exe)
This service provides application and device control capabilities.

Trend Micro Vulnerability Protection Service (iVPAgent.exe)
This service provides integrated vulnerability protection capabilities. It
detects Intrusion Prevention rule violations and automates the
application of virtual patches.

Trend Micro Advanced Threat Assessment Service (AtasAgent.exe)
Identifies potentially compromised endpoints through on-demand
assessment and monitoring. Through integration with Trend Micro Threat
Investigation Center, the Advanced Threat Assessment Service allows
administrators and information security experts to perform forensic tasks
on endpoints for remote incident response.

Apex One NT Monitor (PccNTMon.exe)
This process provides the user-interactive components of the Apex One
Security Agent. It is responsible for the following functionalities:

  • Starting the security agent console (PccNt.exe)
  • Displaying the security agent icon in the system tray
  • Sending quarantined files to the Apex One Server
  • Detecting Internet Explorer proxy settings
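Knowing the image names above lets an administrator check an endpoint's Agent health without the console, and it is also the basis of a tamper check: an attacker who wants to blind the Agent either stops these processes (which TMBMSRV.exe is designed to prevent) or replaces a binary. The PowerShell below is an added example, not Trend Micro tooling. It takes the image names from the list above, reports which are running, maps each back to its Windows service, and verifies that the on-disk binary carries a valid Authenticode signature whose subject contains "Trend Micro". The split between required and optional processes is this example's assumption (which optional services exist depends on the features enabled for the Agent), as is the expected signer string.

```powershell
# Added example (not Trend Micro tooling). Run from an elevated PowerShell on a Windows endpoint;
# without elevation the Path of SYSTEM processes is hidden and their signatures cannot be checked.

# Image names from the Security Agent component list above (without .exe). Which optional ones run
# depends on the features enabled for the Agent, so their absence is reported, not failed (assumption).
$RequiredProcesses = @('TmListen', 'Ntrtscan', 'TmPfw', 'TMBMSRV', 'TmCCSF')
$OptionalProcesses = @('TMESC', 'TMiACAgentSvc', 'iVPAgent', 'AtasAgent', 'PccNTMon')

function Get-ApexOneAgentState {
    param(
        [string[]]$Required = $RequiredProcesses,
        [string[]]$Optional = $OptionalProcesses,
        [string]$ExpectedSigner = 'Trend Micro'   # substring expected in the Authenticode signer subject (assumption)
    )
    foreach ($name in ($Required + $Optional)) {
        $isRequired = $Required -contains $name
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        if ($procs.Count -eq 0) {
            $verdict = if ($isRequired) { 'MISSING' } else { 'not present (optional)' }
            [pscustomobject]@{ Process = "$name.exe"; Running = $false; Service = $null; Signer = $null; Verdict = $verdict }
            continue
        }
        foreach ($p in $procs) {
            # Map the process back to the Windows service hosting it (PccNTMon.exe is not a service).
            $svc = @(Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)" -ErrorAction SilentlyContinue)
            $svcName = if ($svc.Count -gt 0) { $svc[0].Name } else { $null }
            $signer  = $null
            $verdict = 'run elevated to verify the binary'
            if ($p.Path) {
                $sig = Get-AuthenticodeSignature -FilePath $p.Path
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                # A valid signature from the expected publisher on the on-disk image is the baseline;
                # unsigned, broken-chain or other-publisher images are not what their name claims.
                $verdict = if ($sig.Status -eq 'Valid' -and $signer -like "*$ExpectedSigner*") { 'OK' } else { 'UNEXPECTED BINARY' }
            }
            [pscustomobject]@{ Process = "$name.exe"; Running = $true; Service = $svcName; Signer = $signer; Verdict = $verdict }
        }
    }
}

$state = Get-ApexOneAgentState
$state | Format-Table Process, Running, Service, Verdict -AutoSize
# Non-zero exit lets a scheduled task or RMM job raise an alert on a missing or replaced component.
if ($state | Where-Object { $_.Verdict -in 'MISSING', 'UNEXPECTED BINARY' }) { exit 1 }
```

The signature check is deliberately done on the file the running process was loaded from (Get-Process's Path), not on a path looked up from the registry, so a process that was started from a look-alike binary in another directory is caught as well.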

Configuration Repositories
Security Agent configuration settings are stored in the following locations:

  • Windows Registry: The Registry serves as the main repository for Security Agent settings on
    Windows, including:
      - Scan settings
      - Agent-Server communication settings
      - Web threat functionality settings
      - Firewall settings
      - Location awareness settings
  • plist (Mac Agents): Mac Security Agent settings are stored in the macOS plist file.
  • ous.ini: Contains information about alternative update sources that a Security Agent can use.
  • ofcscan.ini: Contains global Agent settings. Security Agents download this file from the Server to
    obtain initial configuration settings.

Security Agent System Requirements
The Security Agent can be installed on computers running Microsoft Windows, Mac or Linux platforms.

Note: Support for Linux is provided for deploying Endpoint Sensor only. Linux Security Agents do not
provide any other type of protection on Linux endpoints.

Security Agent System Requirements: Hardware Requirements

  • Processor: 300 MHz Intel Pentium or equivalent (Windows 7, 8.1, 10 family) and Intel Core
    processor for Mac
  • Memory: 512 MB minimum (2.0 GB recommended) with at least 100 MB exclusively for Apex
    One (Windows 2008 R2, 2012 family)
  • Disk Space: 1.5GB minimum (3GB recommended for all products) for Windows, 300 MB
    minimum for Mac

Security Agent Deployment Prerequisites
Ensure that the following prerequisites are met before attempting to install a Security Agent on
an endpoint computer:

  • Agent endpoints can communicate with the Apex One Server through port 443 (for Security
    Agent version 3.5.3.x or later) or 8443 (for Security Agent version 3.5.2.x).
  • Endpoints can access *.trendmicro.com.
  • If required, Agent proxy server settings are configured.
  • Administrative-level privileges are available to install the software.
  • No registry keys from a previous installation remain on the endpoint.
  • If an existing antivirus application is present, it is one that Apex One can remove
    automatically, or it has been manually removed through Windows Control Panel.
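The reference-server rule described under Reference Servers above and the network prerequisites in this list are the two things most often verified by hand before a rollout. The PowerShell below is an added example, not Trend Micro tooling: it completes a TCP handshake with a hard timeout, classifies the endpoint as Internal or External exactly as the text describes (any reachable reference server means Internal), and then checks that the Apex One Server answers on 443 or 8443, that a *.trendmicro.com host is reachable, that the session is elevated, and whether a WinINet proxy is set (in which case Agent proxy settings are needed). The host names apexone.corp.example, fileserver.corp.example and example.trendmicro.com are constructed placeholders; substitute the servers from your own deployment.

```powershell
# Added example (not Trend Micro tooling). Run on a candidate endpoint before installing the Agent.
# Host names below are constructed placeholders; replace them with your own values.

function Test-TcpEndpoint {
    # Completes a TCP handshake to ComputerName:Port within TimeoutMs and returns $true/$false.
    # A raw TcpClient is used so the timeout holds even when the name resolves but SYNs are dropped.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws when refused or unreachable
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-AgentLocation {
    # Reference-server rule: any reachable reference server => Internal policy; none => External.
    param(
        [string[]]$ReferenceServers = @('apexone.corp.example:443', 'fileserver.corp.example:445'),  # placeholders
        [int]$TimeoutMs = 3000
    )
    foreach ($entry in $ReferenceServers) {
        $name, $port = $entry -split ':', 2
        if (Test-TcpEndpoint -ComputerName $name -Port ([int]$port) -TimeoutMs $TimeoutMs) {
            return [pscustomobject]@{ Location = 'Internal'; ReachedServer = $entry }
        }
    }
    [pscustomobject]@{ Location = 'External'; ReachedServer = $null }
}

function Test-AgentPrerequisites {
    # Checks the deployment prerequisites that can be verified from the endpoint itself.
    param(
        [string]$ApexOneServer = 'apexone.corp.example',        # placeholder
        [int[]]$ServerPorts = @(443, 8443),                      # 443 for Agent 3.5.3.x+, 8443 for 3.5.2.x
        [string[]]$UpdateHosts = @('example.trendmicro.com')     # placeholder for the *.trendmicro.com hosts you use
    )
    $results = @()
    # Only one of the two ports has to be open, depending on the Agent version being deployed.
    $openPorts = @($ServerPorts | Where-Object { Test-TcpEndpoint -ComputerName $ApexOneServer -Port $_ })
    $results += [pscustomobject]@{
        Check  = "Apex One Server $ApexOneServer reachable on $($ServerPorts -join '/')"
        Passed = $openPorts.Count -gt 0
        Detail = $openPorts -join ','
    }
    foreach ($h in $UpdateHosts) {
        $results += [pscustomobject]@{
            Check  = "$h reachable on tcp/443"
            Passed = Test-TcpEndpoint -ComputerName $h -Port 443
            Detail = ''
        }
    }
    # Administrative privileges are required to install the Agent.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $results += [pscustomobject]@{
        Check  = 'Running with administrative privileges'
        Passed = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Detail = $identity.Name
    }
    # A WinINet proxy means the Agent's own proxy settings must be configured too (informational).
    $proxy = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue).ProxyServer
    $proxyNote = if ($proxy) { "proxy '$proxy' set: configure Agent proxy settings" } else { 'no WinINet proxy' }
    $results += [pscustomobject]@{ Check = 'Proxy settings'; Passed = $true; Detail = $proxyNote }
    $results
}

Get-AgentLocation
$checks = Test-AgentPrerequisites
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Passed }) { exit 1 }
```

Pick reference servers that are reachable only from inside the corporate network (a domain controller or an internal file server, not something published through a VPN gateway), otherwise the Internal policy, which is typically more permissive, will be applied to roaming endpoints.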

Migrating From Other Endpoint Security Software
When you install the Security Agent on Windows, the installation program checks for any Trend
Micro or third-party endpoint security software installed on the target endpoint. The installation
program can automatically uninstall the software and replace it with the Security Agent.
If the software on the target endpoint is unknown to Trend Micro, you must manually uninstall it
first. Depending on the uninstallation process for the software in question, the endpoint may or
may not need to restart after uninstallation.

Creating a Security Agent Installer Package
The Security Agent setup is run from an installation package that you create and distribute to users
through conventional media such as a USB drive or CD-ROM, through a network share or deployed to
Windows users through Microsoft SMS or Active Directory. Users run the setup application on the Agent
endpoint computer to install or upgrade the Security Agent and update components.

Coexist Mode
Though it is not a recommended implementation, the Security Agent can be installed on Windows
endpoints in Coexist Mode. This mode allows third-party anti-malware products to be used on the
same endpoint as the Security Agent. In this implementation, Apex One provides some security
features, like Application Control and Vulnerability Protection, while making use of the malware
scanning capabilities of the other application.

Supports:

  • Symantec Endpoint Protection 14
  • Sophos Endpoint Security 10.6
  • Kaspersky Security Center 10
  • McAfee Endpoint Security 10.5
  • Microsoft Defender / Microsoft Security Essentials

In Coexist Mode, Security Agents will not report their status to Windows Security Center. This is
to keep other competitor applications running.

It is possible to upgrade Agents installed in Coexist Mode to full functionality through Apex
Central. This process will also uninstall any non-Microsoft third-party security applications. In
Apex Central, create and deploy a policy to the Security Agent including the Privileges and Other
Settings value of Permanently Convert Security Agents using coexist mode into fully-functional
Security Agents.

Creating the Installer Package Through Apex One
Security Agent installation packages for Windows can also be created in the Apex One Web
Management console.

Note: The server regenerates a new Security Agent package daily to make sure newly installed agents
receive the most up-to-date configurations. Ensure that the most current version is repackaged
every time this method is used.

Microsoft System Center Configuration Manager or Active Directory Installation
A Windows Security Agent package (*.msi) can be deployed using a Microsoft System Center
Configuration Manager (SCCM) if you have Microsoft BackOffice installed on the Server. The
SCCM Server needs to obtain the *.msi file from the Apex One Server before it can deploy the
package to target endpoints.

When Microsoft SCCM distributes the advertised program (that is, the Security Agent program)
to target endpoints, a screen displays on each target endpoint. Instruct users to click Yes and
follow the instructions provided by the wizard to install the Security Agent to their endpoints.
In addition, administrators can take advantage of Active Directory Group Policy features to
deploy the MSI package simultaneously to multiple Agent endpoints.

Security Agent: Post Installation Tasks
Component Updates
Update the Security Agent components to ensure that Agents have the most up-to-date
protection against security risks.

Test Scan using EICAR Test Script
The European Institute for Computer Antivirus Research (EICAR) developed the EICAR test script
as a safe way to confirm proper installation and configuration of antivirus software.

Installation Logs
A Security Agent installation log (ofcnt.log) is created in the same folder from which the
installer package was run. Any setup errors are displayed in the log file.

Agent-To-Server Communication
Agents communicate with their Server by sending HTTPS messages to the Apex One Server and calling
ISAPI/CGI commands. These commands invoke certain actions on the Server, and the Server returns a
corresponding answer to the Agent’s request. These messages can be sent to the Server as regular
polling messages. While doing this, they also pass information about the Agent, for example the UID,
computer name, program version, etc. These calls are processed by the Agent command handler, which
checks whether the Agent information is correct, complete and valid. If it is, the Server points the Agent
to the location from which to download the relevant files.

Server Polling
Security Agents attempt to connect with the Apex One Server at a regular interval to receive
updated settings or components and to report the Security Agent status. The Apex One server
classifies all Security Agents that did not successfully poll the server at the specified interval as
being Unreachable.

Agent Connection Status
The Security Agent connection status depends on the way in which the Apex One Server communicates
with the Security Agent.

Online
The Security Agent can connect to the Apex One Server for communication.

Offline
The Security Agent has no functional connection with the Apex One Server.

Independent
The Security Agent can connect to the on-premise Apex One Server but communication is
limited. While in Independent mode:

  • The Security Agent does not accept policy settings from the Server
  • The Security Agent does not initiate scan commands from the Server
  • The Security Agent does not send logs to the Server

You can configure Independent Agents with privileges to allow or block component updates if a
functional connection to the Apex One Server is available.

Endpoint Location
One of the ways the Security Agent determines which policy or profile to use is by checking its
connection status with a reference server. If an internal Security Agent (or any Agent within the
corporate network) cannot connect to the reference server, the Agent status becomes offline. The Agent
then applies a policy or profile intended for external Agents.

Reference Server List
Security Agents connect to reference servers using Telnet on a specified port. If the Agent
successfully establishes a connection with the reference server, it applies the policy or profile for
internal Agents.
Security Agents connect to the first reference server on the list. If connection cannot be
established, the Agent tries connecting to the next server on the list.
Reference servers do not manage Agents or deploy updates and Agent settings. The Apex One
Server performs these tasks.

Add any reference servers by identifying the IP address, endpoint name or FQDN along with the
port number. Assign computers with server capabilities, such as a Web Server, SQL Server, or FTP
Server as reference servers. You can specify a maximum of 320 reference servers.

Gateways
As an alternative to reference servers, Gateway IP addresses or MAC addresses can be used for
endpoint location. Type the IP address of the Gateway and, optionally, the MAC address. Multiple
Gateway addresses can be added.

Excluding VPN Connections
An enhancement for location awareness in Apex One checks the network adapter used to
connect to the reference host and identifies whether the endpoint is internal or external.
Previously, when an external Security Agent connected to the Apex One Server using a VPN
connection, it was treated as an internal Agent and the related internal policy settings were
applied. VPN clients (Cisco, F5, Fortigate…) create a virtual network adapter as a network device
to communicate with the target network.
In Apex One, a setting called Exclude agents using VPN or PPP dial-up connections is available on
the Reference Server list page. When enabled, Security Agents connecting to the server over a
VPN connection are identified as external Agents and apply the corresponding configurations.
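The location-awareness logic of the reference server list, Gateways and VPN exclusion sections above, modelled in Python as an added example (not Trend Micro code). The host names, the adapter labels and the choice to evaluate the VPN exclusion before the reference servers are assumptions for the example; a TCP connect stands in for the Telnet check, and the probe is injectable so the logic can be exercised offline.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

MAX_REFERENCE_SERVERS = 320  # maximum stated in the text


@dataclass(frozen=True)
class ReferenceServer:
    host: str  # IP address, endpoint name or FQDN
    port: int


@dataclass(frozen=True)
class Gateway:
    ip: str
    mac: Optional[str] = None  # optional, as on the Gateways page


@dataclass(frozen=True)
class NetworkState:
    """What the Agent observes locally (constructed abstraction for the example)."""
    gateway_ip: str
    gateway_mac: str
    adapter_type: str  # "ethernet", "wifi", "vpn" or "ppp"


def tcp_probe(server: ReferenceServer, timeout: float = 2.0) -> bool:
    """Live check: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((server.host, server.port), timeout=timeout):
            return True
    except OSError:
        return False


def location_by_reference_servers(servers: Sequence[ReferenceServer],
                                  probe: Callable[[ReferenceServer], bool] = tcp_probe) -> str:
    """Try the servers in list order; the first one that answers makes the Agent internal."""
    if len(servers) > MAX_REFERENCE_SERVERS:
        raise ValueError(f"at most {MAX_REFERENCE_SERVERS} reference servers are supported")
    for server in servers:
        if probe(server):
            return "internal"
    return "external"  # no reference server reachable: the external profile applies


def location_by_gateway(gateways: Sequence[Gateway], net: NetworkState) -> str:
    """The Gateway IP must match; the MAC is checked only when one was configured."""
    for gw in gateways:
        mac_ok = gw.mac is None or gw.mac.lower() == net.gateway_mac.lower()
        if gw.ip == net.gateway_ip and mac_ok:
            return "internal"
    return "external"


def determine_location(net: NetworkState,
                       servers: Sequence[ReferenceServer] = (),
                       gateways: Sequence[Gateway] = (),
                       probe: Callable[[ReferenceServer], bool] = tcp_probe,
                       exclude_vpn: bool = True) -> str:
    """Reference servers and Gateways are alternatives; whichever is configured is used.

    With "Exclude agents using VPN or PPP dial-up connections" enabled, a tunnel
    adapter makes the Agent external before any reference server is consulted,
    because the reference server is usually reachable through the tunnel."""
    if exclude_vpn and net.adapter_type in ("vpn", "ppp"):
        return "external"
    if servers:
        return location_by_reference_servers(servers, probe)
    return location_by_gateway(gateways, net)


if __name__ == "__main__":
    # Constructed demo: only the SQL reference server answers.
    demo_servers = [ReferenceServer("web01.corp.example", 443),
                    ReferenceServer("sql01.corp.example", 1433)]

    def answers(server: ReferenceServer) -> bool:
        return server.host == "sql01.corp.example"

    lan = NetworkState("10.1.0.1", "00:11:22:33:44:55", "ethernet")
    vpn = NetworkState("10.1.0.1", "00:11:22:33:44:55", "vpn")
    print(determine_location(lan, servers=demo_servers, probe=answers))  # internal
    print(determine_location(vpn, servers=demo_servers, probe=answers))  # external
```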

Moving Agents Between Apex One Instances
If you have more than one Apex One service instance, you can transfer existing Security Agents from one
Apex One instance to another. Alternately, if you are transitioning from an on-premise deployment of
Apex One to the service, you can move Agents from the on-premise server to the Apex One as a Service
server.

Uninstalling Security Agents
Security Agents can be uninstalled from an endpoint computer using one of the following methods.
Uninstalling From the Apex One Web Management Console

Uninstalling from Windows Control Panel
Users must be granted the privilege to uninstall the Security Agent program. Depending on your
installation, users may be required to enter a password to perform the uninstall. If a password is
required, ensure that you share the password only with users that will run the uninstallation
program. Change the password immediately if it has been compromised.

Uninstalling Manually
If any problems are encountered using the above methods to uninstall the Security Agent, you
can manually uninstall the Security Agent.

Custom Uninstall Tool
If it is not possible to reinstall an Agent because there are still program entries in the Registry,
Trend Micro Support can provide you with the Custom Uninstall Tool (CUT Tool). This time-limited
tool removes all traces of Apex One Security Agents from an endpoint.

Removing Inactive Agents
When you use the Security Agent uninstallation program to remove the Security Agent program from
endpoints, the program automatically notifies the Server. When the Server receives this notification, it
removes the Security Agent icon in the Agent tree to show that the Agent does not exist anymore.
However, if you use other methods to remove the Security Agent, such as reformatting the endpoint hard
drive or deleting the Security Agent files manually, Apex One will not be aware of the removal and it will
display the Security Agent as offline. If a user unloads or disables the Security Agent for an extended
period of time, the Server also displays the Security Agent as offline.
To have the Agent tree display active Agents only, configure Apex One to automatically remove inactive
Agents from the Agent tree.

Viewing Agent Status
Administrators can view the status of Agents from the Apex One Web Management console or directly on
the endpoint computer.

Viewing Agent Status on the Endpoint

Viewing Agent Status in the Apex One Web Management Console

Agent Self Protection
The protection that Apex One offers depends entirely on the ability of the Security Agent to implement
authentic Apex One Server settings. The Agent, therefore, must be protected from all unauthorized
attempts to change settings, which are all stored in the Windows Registry, and to disrupt its services.

Security Agents maintain two layers of protection for their settings:

  • Preventing changes: This is a proactive defense measure. It is aimed at blocking unauthorized
    changes from happening in the first place.
  • Restarting Security Agent services: Apex One restarts Agent services that stopped responding
    unexpectedly and were not stopped by a normal system process.

Apex One protects Agent components and settings using the Unauthorized Change Prevention Service.

The service appears in the Windows Service Control.

When the options to protect registry keys and services are enabled in the Apex One Web management
console, the NT Real-time Scan mechanism passes the relevant policy information to the Unauthorized
Change Prevention Service, which then converts the information into policies that it implements.

Protecting Security Agent Services
Apex One blocks all attempts to terminate the following Security Agent services:

  • Apex One NT Listener (TmListen.exe)
  • Apex One NT RealTime Scan (NTRtScan.exe)
  • Apex One NT Firewall (TmPfw.exe)
  • Apex One Data Protection Service (dsAgent.exe)
  • Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe)
  • Trend Micro Common Client Solution Framework (TmCCSF.exe)

Note: If this option is enabled, the Security Agent may prevent third-party products from installing
successfully on endpoints. If you encounter this issue, you can temporarily disable the option and
then re-enable it after the installation of the third-party product.

Protecting Security Agent Files
To prevent other programs and users from modifying or deleting Security Agent files, Apex One
provides several enhanced protection capabilities. After enabling Protect files in the Security
Agent installation folder, Apex One locks the following files in the root Agent installation folder:

  • All digitally-signed files with .exe, .dll, and .sys extensions
  • other files page 58

Protecting Security Agent Registry Keys
The Security Agent blocks all attempts to modify, delete, or add new entries under the following
registry keys and subkeys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC
  • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey
  • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AMSP

Protecting Security Agent Processes
The Security Agent blocks all attempts to terminate the following processes:

  • TmListen.exe: Receives commands and notifications from the Apex One server and
    facilitates communication from the Security Agent to the server
  • NTRtScan.exe: Performs Real-time, Scheduled, and Manual Scan on Security Agents
  • TmProxy.exe: Scans network traffic before passing it to the target application
  • TmPfw.exe: Provides packet level firewall, network virus scanning, and intrusion detection
    capabilities
  • TMBMSRV.exe: Regulates access to external storage devices and prevents unauthorized
    changes to registry keys and processes

Protecting from Kernel Mode Termination
Change Prevention blocks user mode termination events but there are some applications that
could potentially terminate processes through kernel mode. To address this issue, Apex One
introduced a Watchdog mechanism for kernel mode termination events. This mechanism will
attempt to recover target processes after being terminated.
When the Security Agent is started, services will monitor processes on the endpoint. If the
endpoint receives a terminate event, it will call Watchdog which checks if the process is still alive.
If the process is not running, it will recover the service. Watchdog is dependent on Agent Self-
Protection. Ensure that Security Agent Self-Protection is enabled to use this feature.

Restarting Security Agent Services
Apex One restarts Agent services that stopped responding unexpectedly and were not stopped
by a normal system process.

  • Restart the service after __ minutes: Specify the amount of time (in number of minutes) that
    must elapse before Apex One restarts a service.
  • If the first attempt to restart the service is unsuccessful, retry __ times: Specify the maximum
    retry attempts for restarting a service. Manually restart a service if it remains stopped after
    the maximum retry attempts.
  • Reset the unsuccessful restart count after __ hour(s): If a service remains stopped after
    exhausting the maximum retry attempts, Apex One waits a certain number of hours to reset
    the failure count. If a service remains stopped after the number of hours elapses, Apex One
    restarts the service.

Apex One Security Agent Tree
The Apex One Security Agent tree displays all the Agents grouped into domains that the Server currently
manages. Icons display the type of endpoint and the status of Security Agents that Apex One manages.
Above the Agent tree are menu items that allow administrators to perform specific tasks, such as
restoring a file from quarantine or uninstalling an Agent.
Deleting the Agent from the Agent tree does not remove the Security Agent from the Agent endpoint.
The Security Agent can still perform Server-independent tasks, such as updating components. However,
the Server is unaware of the existence of the Agent and will therefore not deploy configurations or send
notifications to the Agent.

Apex Central Endpoint list
The User/Endpoint Directory screen displays information about all the users and endpoints within the
Apex Central network.
The display of the endpoints can be filtered by different methods such as operating system and endpoint
type.

Deploying Policies
Policies are used to enforce product settings on managed products. With Apex One as a Service, policies
for endpoints are managed centrally from the Apex Central Web Management console. Administrators
deploy policies on destination endpoints identified using different criteria within Apex Central.
Policy management through Apex Central allows administrators to enforce settings on specific products
and specific targets from a single console. Administrators can assign a policy to a large number of
endpoints across different domains.
Administrators can easily check all deployment results from the Policy Management list, Policy Status
widget and Data Leak Prevention Violation widget and they can troubleshoot according to policy status
of each endpoint returned by the product.

Managing Apex One Policies in Apex Central
To manage Apex One policies through Apex Central as a Service, an administrative user would complete
the following steps:

  1. Select the Apex One Security Agent (or Apex One (Mac) or Apex One (Linux)) as the product on which
    you will configure policy settings.
  2. Select the target endpoints on which to deploy the policy.
  3. Define the policy settings required on the target endpoints.
  4. Deploy the policy.

When a policy is created, administrators are able to specify the policy targets and the settings to be
applied. However, as the policy can only cover endpoints to which the Apex Central administrative user has
access, it is important to plan who will create the policy. It is also possible for multiple administrators to
have the same policy settings but different targets because they only have access to specific endpoints
and entities.

Selecting the Destination Product
Apex Central can deploy policy settings to a variety of Trend Micro products. The Apex One
Security Agent can be selected as the destination product to receive policy attributes for
protecting endpoint computers.

Identifying Policy Targets
Administrators can manually select the target endpoint(s) or use a filter to automatically assign
targets to their policies. The target selection can be a dynamic or static binding and can be
selected by IP subnet, operating system, naming rules in the Apex Central product tree or Active
Directory organizational units.

None (Draft only)
This option provides a way to save a policy definition without applying it to any targets. This
allows an administrative user to fine tune settings and then switch over to either a Specified or
Filtered policy that can be put into actual use. Drafts have the lowest priority and always stay at
the bottom of the Policies list.

Filter by Criteria
Filter by Criteria is useful for deploying standard settings to a group of targets across the
organization. The filter uses known characteristics of devices, including operating system,
location, IP address or other metrics for the devices. If the specified criteria match, Apex
Central applies the corresponding policy. If the matching characteristics change over time, then a
different policy gets deployed.

Note: Multiple criteria can be selected; the endpoint must match all the indicated criteria to apply the
policy.

Specify Target(s)
This option is useful for deploying settings only to specific target devices. This method uses a
static assignment, meaning once a policy is assigned to selected targets, the assigned policy
will never change or be re-evaluated. This policy also has the highest priority and will always
apply. For a server in an environment where the security policy MUST be the same policy and
never change, use Specify Target(s) to deploy a policy that is locked to the specified device(s).

Browse Targets
Use the Browse tab to select the required endpoints from the appropriate branches of the
Product Directory. When defining policy targets, certain limitations must be kept in mind:

  • Apex Central policy assignments are not incremental; all settings deployed by the policy will
    overwrite any existing settings that are currently configured on the endpoint.
  • A specified policy takes precedence over a filtered policy. In the case where a server or
    endpoint matches multiple specified policies, the latest policy gets applied to the target.
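The targeting rules from Filter by Criteria, Specify Target(s) and Browse Targets above, modelled in Python as an added example (not Trend Micro code). Policy names, endpoint attributes and settings are constructed; one assumption the text does not state is that when several filtered policies match, the one higher in the Policies list wins.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Endpoint:
    name: str
    attributes: Dict[str, str]                 # e.g. {"os": "Windows 10", "subnet": "10.2.0.0/16"}
    settings: Dict[str, object] = field(default_factory=dict)   # what is currently deployed


@dataclass
class Policy:
    name: str
    target: str                                # "draft", "filter" or "specified"
    settings: Dict[str, object]
    criteria: Dict[str, str] = field(default_factory=dict)      # Filter by Criteria
    endpoints: FrozenSet[str] = frozenset()                     # Specify Target(s)
    created: int = 0                                            # larger = created later


def matches_criteria(policy: Policy, ep: Endpoint) -> bool:
    """Every selected criterion must match (Note under Filter by Criteria)."""
    if policy.target != "filter" or not policy.criteria:
        return False
    return all(ep.attributes.get(key) == value for key, value in policy.criteria.items())


def resolve_policy(policies: List[Policy], ep: Endpoint) -> Optional[Policy]:
    """policies is in Policies-list order: highest priority first, drafts at the bottom."""
    # Specified targets are a static binding and outrank any filtered policy;
    # if several specified policies name the endpoint, the latest one applies.
    specified = [p for p in policies if p.target == "specified" and ep.name in p.endpoints]
    if specified:
        return max(specified, key=lambda p: p.created)
    # Filtered policies are re-evaluated against the endpoint's current characteristics
    # (assumption: first match in list order wins).
    for policy in policies:
        if matches_criteria(policy, ep):
            return policy
    return None  # drafts are never deployed


def deploy(policies: List[Policy], ep: Endpoint) -> Optional[str]:
    """Apply the resolved policy. Deployment is not incremental: the policy's
    settings replace whatever the endpoint had; they are not merged into it."""
    policy = resolve_policy(policies, ep)
    if policy is None:
        return None
    ep.settings = dict(policy.settings)
    return policy.name


if __name__ == "__main__":
    # Constructed demo: a branch-specific filter ranks above the general one.
    demo = [
        Policy("Branch Windows", "filter", {"usb_block": True},
               criteria={"os": "Windows 10", "subnet": "10.2.0.0/16"}),
        Policy("Windows standard", "filter", {"usb_block": False}, criteria={"os": "Windows 10"}),
        Policy("Experimental", "draft", {"usb_block": False}),
    ]
    ws = Endpoint("ws-100", {"os": "Windows 10", "subnet": "10.2.0.0/16"})
    print(deploy(demo, ws))                      # Branch Windows
    ws.attributes["subnet"] = "10.3.0.0/16"      # endpoint moved: filter re-evaluated
    print(deploy(demo, ws))                      # Windows standard
```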

Defining Policy Settings
Note: Apex Central re-enforces the policy settings in the targets every 24 hours.

Deploying the Policy
The policy settings defined in the Apex Central Web Management console are saved in the Apex
One database and deployed to the selected target products. The policy will display in the Policy
Management list as Pending until it is applied on the endpoint. It takes several minutes for the
policy to be applied to the endpoint since it depends on the endpoint polling the server, which by
default happens every 10 minutes. You can modify the polling value to accelerate the deployment
of the policy as a Global Agent Setting.

Policy Inheritance
Policy inheritance is useful in deployments where an Apex Central administrative user manages global
Apex One policies, and regional administrators define local or regional policies requiring more specific
settings. A policy is defined as the Parent and the new policy is created as the Child. Only certain
settings can be modified in the child policy, and only certain settings in the Parent policy can be set to
be inherited or extended by its child policies.

Inherit From Parent
With this inheritance method enabled in the parent policy, an Apex Central administrative user
creating a child policy cannot change the settings configured on the parent. For example, if the
parent policy excludes PDF files from being scanned during a Manual Scan, the administrative
user cannot modify this setting in a child policy.

Extend From Parent
With this inheritance method enabled in the Parent policy, an Apex Central administrative user
creating a child policy can add to the items in the parent policy. For example, if the parent policy
excludes 20 file names from being scanned during a Manual Scan, the administrator can add 10
more file names that are deemed safe and trustworthy.
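Both inheritance methods above, modelled in Python as an added example (not Trend Micro code). The setting names and the 20 + 10 exclusions are constructed, and audit_child() is a hypothetical helper for checking an already-existing child policy against its parent's rules.

```python
from copy import deepcopy
from typing import Dict, List, Optional

INHERIT = "inherit"   # Inherit From Parent: the child must keep the parent's value
EXTEND = "extend"     # Extend From Parent: the child may only add items to the parent's list


class InheritanceViolation(ValueError):
    """Raised when a child policy tries to change an inherited setting."""


def build_child_policy(parent: Dict[str, object],
                       rules: Dict[str, Optional[str]],
                       child_changes: Dict[str, object]) -> Dict[str, object]:
    """Derive a child policy from the parent's settings.

    rules maps a setting name to INHERIT, EXTEND or None (freely changeable).
    For EXTEND settings, child_changes holds only the *additional* items.
    """
    child = deepcopy(parent)  # the parent policy itself is never modified
    for key, value in child_changes.items():
        mode = rules.get(key)
        if mode == INHERIT:
            if value != parent.get(key):  # restating the identical value is harmless
                raise InheritanceViolation(f"'{key}' is inherited from the parent and cannot be changed")
        elif mode == EXTEND:
            base = parent.get(key, [])
            if not isinstance(base, list) or not isinstance(value, list):
                raise TypeError(f"'{key}' must be a list to be extended")
            # append only, keep parent order, skip items the parent already has
            child[key] = base + [item for item in value if item not in base]
        else:
            child[key] = value
    return child


def audit_child(parent: Dict[str, object],
                rules: Dict[str, Optional[str]],
                child: Dict[str, object]) -> List[str]:
    """Report settings of an existing child that no longer honour the parent's rules:
    an inherited value that differs, or an extended list missing a parent item."""
    problems = []
    for key, mode in rules.items():
        if mode == INHERIT and child.get(key) != parent.get(key):
            problems.append(key)
        elif mode == EXTEND and any(item not in child.get(key, []) for item in parent.get(key, [])):
            problems.append(key)
    return problems


if __name__ == "__main__":
    # Constructed demo: 20 global exclusions, regional admin adds 10 more.
    parent_policy = {
        "manual_scan_exclusions": [f"app{i}.dat" for i in range(20)],
        "skip_pdf_in_manual_scan": True,
        "scan_compressed_files": True,
    }
    parent_rules = {"manual_scan_exclusions": EXTEND, "skip_pdf_in_manual_scan": INHERIT}
    regional = build_child_policy(parent_policy, parent_rules, {
        "manual_scan_exclusions": [f"regional{i}.dat" for i in range(10)],
        "scan_compressed_files": False,
    })
    print(len(regional["manual_scan_exclusions"]))   # 30
    print(audit_child(parent_policy, parent_rules, regional))  # []
```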

Keeping Security Agents Up To Date
Regular updates keep Apex One and Apex One (Mac) servers protected from the latest security threats.
Security Agents in turn update from the Apex One and Apex One (Mac) servers, or from other Security
Agents promoted to become Update Agents.
Components that are updated regularly include:

  • Engines
  • Patterns
  • Programs

Apex Central keeps the components of your managed products up-to-date by performing the following
tasks:

  • Downloading the latest component versions from an update source
  • Deploying the updated components to managed products

Security Agents: Pattern Updates
Trend Micro releases two types of pattern updates:

  • Official Pattern Release: Patterns are regularly made available to users as part of an Official Pattern
    Release (OPR). Upon release, these patterns are posted on the ActiveUpdate system once per day,
    from where products can download them using the default update source.
  • Controlled Pattern File Release: These are pre-release versions of a Trend Micro virus pattern file. It is
    a fully tested pattern file intended to provide additional antivirus protection in between official
    pattern file releases.

Security Agents: Incremental Updates
Incremental update technology limits the impact of updates on network bandwidth. This was
originally only available for virus pattern updates, but has now been applied to other patterns. It
does not, however, apply to engine updates.
For each new pattern on the Trend Micro Update Server, there are several incremental patterns.
Each incremental pattern contains the difference between the malware signatures in the latest
version, and the version to which the increment corresponds.
Increments are provided for the 14 most recent Official Pattern Releases. If the pattern used in a
product is older than any of the 14 incremental patterns, then the latest full pattern is
downloaded.

Security Agents: ActiveUpdate Logs
The ActiveUpdate module records all its actions in a log file called TmuDump.txt, making this
file a very important source of troubleshooting information when analyzing update-related
problems. This log can be written as a text file or as an HTML file, depending on settings in the
ActiveUpdate configuration file.

The log files can be located in the following folder:
C:\Program Files (x86)\Trend Micro\OfficeScan Client\AU_Data\AU_Log

Security Agents: Updating Managed Products
Apex Central serves as the main update source for all products registered with, and managed by Apex
Central. Apex Central updates itself from the Trend Micro ActiveUpdate server, then in turn makes those
components available to other products.

Security Agents: Scheduled Updates
Scheduled component update settings allow the Apex Central server to download selected
components from an update source based on the specified schedule.

Security Agents: Components List
The Components list displays the available components on the Apex Central server including the
current version, last download date and the managed products using the component.
Intelligent component downloading allows Apex Central to automatically detect and download
new components based on the selected component categories from an update source. If you
enable intelligent component downloading, Apex Central automatically selects all components
based on the selected component categories. You cannot select individual components to
update. To select individual components, clear the check box.
Use the Products, Categories and Types lists to filter the display in the components list.

Security Agents: Update Source
Configure the Update Source to tell Apex Central server whether to download components from
the Trend Micro ActiveUpdate server or other update sources. You can specify other update
sources if the Apex Central server is unable to connect to the Trend Micro ActiveUpdate server
directly or if you host an update server in your network.
By default, Apex Central uses a more secure HTTPS connection method to download
components from the Trend Micro ActiveUpdate server.
Trend Micro ActiveUpdate is the default source to obtain and distribute updates for specific
program components. ActiveUpdate was integrated into Apex Central to prevent man-in-the-middle
attacks where hackers can spoof ARP and mislead Apex Central into retrieving updates
from a malicious source or attacker. The integrity of the ActiveUpdate packages is verified
through digital signatures. Security Agents verify the digital signature on the update package
before downloading the components. This ensures that the components being downloaded have
been provided by Trend Micro and have not been tampered with.
To access other update sources, Apex Central supports Remote UNC authentication, which uses
a user account from the update source server to share a folder for Apex Central to download
updates.

Download Schedule
Use the scheduling parameters to define when the downloading of the updated components
should take place.

Security Agents: Deployment Plan
A deployment plan allows you to specify the scope and schedule in which the Apex Central
server deploys updated components to managed products.
After the Apex Central server downloads a new component version from an update source, you
can configure Apex Central to deploy updated components to managed products immediately, at
a specified time, or after a delay period.
You can also configure Apex Central to deploy updated components to selected managed
products based on different deployment schedules. You can only select one folder or managed
product for each deployment schedule.
Apex Central bases the deployment plan delays on the completion time of the download, and
these delays are independent of each other. For example, if you have three folders to update at
5-minute intervals, you can assign the first folder a delay of 5 minutes, and then set delays of 10
and 15 minutes for the two remaining folders, respectively.

  • Deploy to all selected managed products: Select this option to deploy updated components to
    the selected managed products based on one of the following schedules:
      • Immediately: Apex Central deploys the updated components to the managed products as
        soon as Apex Central finishes downloading new component versions.
      • Start at: Apex Central deploys updated components to managed products at the specified
        time.
      • Delay: Apex Central deploys updated components to managed products after waiting for
        the specified time.

Security Agents: Manual Updates
When an update is critical, use Manual Update to immediately notify managed products to
perform component updates.

Updating Security Agents
The Apex One Server receives updates from Apex Central based on the download schedule and
deployment plan defined in the Scheduled and Manual Updates list. Security Agents, in turn, update from
the Apex One Server or from another Security Agent configured as an Update Agent.

Scheduled Agent Updates
Security Agents are prompted to update based on the schedule settings in the Apex One Web
Management console.

Agent Update Source
By default, Security Agents update from the Apex One Server, but customized sources can also
be identified.

Update Agents
Update Agents are Security Agents that function as alternative update sites for other Agents
within an Apex One network. They permit the deployment of settings to Agents whose
connections to the Apex One Server would have been sufficient for regular Agent-Server
messages but not for bandwidth-intensive updates, including:

  • Component updates
  • Domain settings
  • Agent programs and hot fixes

Update Agents serve as local ActiveUpdate sites. Like the Apex One Server, they offer both full
and incremental patterns to their Agents by way of their own ActiveUpdate folder.

  • Best Practice: Any Security Agent can be promoted to an Update Agent, but typically, it is
    recommended that an Agent on an endpoint computer that remains on at all times be
    used.

Without Update Agents, all endpoint computers contact the Apex One Server for updates. In
installations with many Security Agents, this can create network traffic issues.

With Update Agents in place, endpoint computers will contact their Update Agents for updates
instead of contacting the Apex One Server. This reduces the amount of network traffic destined
for the Apex One Server. Security Agents are assigned Update Agents based on their IP addresses.

  • Best Practice: Since a single Update Agent can handle update requests from around 250 endpoints, it
    is recommended to create one Update Agent for every 250 endpoints.

Promoting an Agent to an Update Agent
Promoting an Agent to an Update Agent is a two-step process:

  1. Assign the Security Agent as an Update Agent for specific components through a policy.
  2. Modify the update source for a range of IP addresses.

Update Components
Components made available to other Security Agents are stored in the ActiveUpdate folder on
the Update Agent computer at:
C:\Program Files (x86)\Trend Micro\OfficeScan Client\activeupdate

This is essentially a copy of the download folder on the Apex One Server.
The components that the Update Agent itself uses, for its own purposes, are still stored in the
main Security Agent folder.

Trend Micro Smart Protection
Smart Protection includes services that provide anti-malware signatures, web reputation credibility
scores, vulnerability patterns, in-the-cloud threat databases and more. Smart Protection Services used by
Apex One include:

  • File Reputation Services
  • Web Reputation Services
  • Census Service
  • Predictive Machine Learning Services
  • Certified Safe Software Service
  • Smart Feedback

File Reputation Services
File Reputation Services check the reputation of each file against an extensive in-the-cloud database.
Since the malware information is stored in the cloud, it is available instantly to all users. The cloud-Agent
architecture eliminates the burden of pattern deployment while significantly reducing the overall Agent
footprint.
Security Agents must be in Smart Scan mode to use File Reputation Services.

Web Reputation Services
With one of the largest domain-reputation databases in the world, Trend Micro Web reputation
technology tracks the credibility of Web domains by assigning a reputation score based on factors such
as a Website’s age, historical location changes and indications of suspicious activities discovered through
malware behavior analysis. Web reputation then continues to scan sites and block users from accessing
infected ones. Web reputation features help ensure that the pages that users access are safe and free
from Web threats, such as malware, spyware, and phishing scams that are designed to trick users into
providing personal information. To increase accuracy and reduce false positives, Trend Micro Web
reputation technology assigns reputation scores to specific pages or links within sites instead of
classifying or blocking entire sites, since often, only portions of legitimate sites are hacked and
reputations can change dynamically over time.

Census Service
This service provides information about the prevalence of detected files. Prevalence is a statistical
concept referring to the number of times a file was detected by Trend Micro sensors at a given time. A
file that has never been seen by Trend Micro sensors is itself suspicious: over 80% of all malware is
only ever seen once.
Census covers over 300 million distinct executable files. File prevalence and maturity is important
because polymorphism is the primary weapon of malware. An unknown binary can mean a possible
targeted attack.

Predictive Machine Learning Services
Apex One provides enhanced malware protection for unknown threats and zero-day attacks through
Predictive Machine Learning. Trend Micro Predictive Machine Learning uses advanced machine learning
technology to correlate threat information and perform in-depth file analysis to detect emerging security
risks through digital DNA fingerprinting, API mapping, and other file features.
Predictive Machine Learning is effective in protecting against security breaches that result from targeted
attacks using techniques such as phishing and spear phishing. In these cases, malware that is designed
specifically to target your environment can bypass traditional malware scanning techniques.
During real-time scans, when Apex One detects an unknown or low-prevalence file, Apex One scans the
file using the Advanced Threat Scan Engine (ATSE) to extract file features. It then sends the report to the
Predictive Machine Learning engine which is hosted on the Trend Micro Smart Protection Network.
Through the use of malware modeling, Predictive Machine Learning compares the sample to the malware
model, assigns a probability score, and determines the probable malware type that the file contains. If the
file is identified as a threat, Apex One quarantines the file to prevent the threat from continuing to spread
across your network.

Certified Safe Software Service
The Certified Safe Software Service provides a comprehensive list of applications considered to be safe
by Trend Micro. The list includes most popular operating system files and binaries as well as applications
for desktops, servers, and mobile devices. Trend Micro periodically provides updates to the list.

Smart Feedback
Trend Micro Smart Feedback provides continuous communication between Trend Micro products and its
24/7 threat research centers and technologies. Each new threat identified through every single
customer’s routine reputation check automatically updates all Trend Micro threat databases, blocking
any subsequent customer encounters of a given threat.
By continuously processing the threat intelligence gathered through its extensive global network of
customers and partners, Trend Micro delivers automatic, real-time protection against the latest threats
and provides better together security, much like an automated neighborhood watch that involves the
community in the protection of others. Because the gathered threat information is based on the
reputation of the communication source, not on the content of the specific communication, the privacy
of a customer’s personal or business information is always protected.

You can terminate your participation in the program at any time from the Web Management console. You
do not need to participate in Smart Feedback to protect your endpoints. Your participation is optional
and you may opt out at any time. Trend Micro recommends that you participate in Smart Feedback to help
provide better overall protection for all Trend Micro customers.

Service URLs
The URLs used by the Security Agent to communicate with the services include:

  • Predictive Machine Learning: osce140-en-f.trx.trendmicro.com or
    osce140-en-b.trx.trendmicro.com
  • ActiveUpdate: osce14-p.activeupdate.trendmicro.com/activeupdate
  • Census: osce14-en-census.trendmicro.com
  • Certified Safe Software Service: osce14-en.gfrbridge.trendmicro.com
  • Web Reputation: osce14-0-en.url.trendmicro.com
  • Smart Scan: osce14.icrc.trendmicro.com/tmcss
  • Smart Feedback: osce140-en.fbs25.trendmicro.com

Scanning for Malware
Security Agents scan endpoint computers for malware through one of the following methods:

  • Real-time Scan: This method scans files, folders and URLs as soon as they are accessed, triggered by
    I/O event hooking.
  • Manual Scan: This method scans files and folders on demand, when initiated by the end user.
  • Scheduled Scan: This method uses the same scanning methods and has the same detection
    capabilities as used for on-demand scanning. Scheduled scans are, however, triggered automatically
    based on a selected frequency (daily, weekly or monthly) and a specified time.
  • Scan Now: This method scans files and folders on demand on one or more target computers when
    initiated by the Administrator.

NT Real-time Scan Service
The NT Real-time Scan Service performs on-demand (Manual, Scheduled, Scan Now) and Real-time
scanning functionality. This service (NTRtScan.exe) uses the following scan engines:

  • Virus Scanning API (VSAPI)
  • Spyware Scanning API (SSAPI)
  • Damage Cleanup Engine (DCE)
  • Advanced Threat Scan Engine (ATSE)

This service also assumes responsibility for starting the Unauthorized Change Prevention
Service (TMBMSRV.exe).

When applications access or create files on the file system, they send information to the
Microsoft I/O Manager. This is true for both legitimate applications and malware. To be able to
differentiate between legitimate and malicious I/O events, and deal with them if they are of the
latter variety, Trend Micro products need a way to monitor these events as they occur, evaluate
them, and then take action when necessary.
Apex One registers with the Microsoft I/O Manager to identify file access and modification events
on the file system. This registration also grants Apex One access to the file when scanning is
required.

Scan Settings
These settings determine which files on the Security Agent host are scanned in each of the four scanning
types. Scanning is a resource intensive process. Judicious use of scanning coverage options can strike a
balance between security and minimizing the impact of scanning events on the network.
Each of the four scan types may have slightly different configuration options and include setting
collections displayed through the following tabs:

  • Scan Target: This tab defines how the Security Agent looks for files to scan.
  • Scan Action: This tab defines the action to be taken when malware is detected.
  • Scan Exclusion: This tab defines scan exclusions to increase the scanning performance and skip
    scanning files causing false alarms. When a particular scan type runs, Apex One checks the scan
    exclusion list to determine which files on the endpoint will be excluded from both virus/malware and
    spyware/grayware scanning. When you enable scan exclusion, Apex One will not scan a file under the
    following conditions:
    -The file is found under a specific directory (or any of its sub-directories).
    -The file name matches any of the names in the exclusion list.
    -The file extension matches any of the extensions in the exclusion list.

Real-time Scan Settings
These settings are used when Real-time scanning is enabled on Security Agents.

Real-time Scan Target Tab

User Activity on Files Section

  • Scan files being: Files will be scanned when they are created/modified, retrieved or both.

Files to Scan Section

  • All scannable files: Scans all files.
  • File types scanned by IntelliScan: IntelliScan is a method of identifying files to scan. For
    executable files (for example, .exe), the true file type is determined based on the file content.
    For non-executable files (for example, .txt), the true file type is determined based on the file
    header. Using IntelliScan provides the following benefits:
    -Performance optimization: IntelliScan does not affect applications on the Agent because it
     uses minimal system resources.
    -Shorter scanning period: Because IntelliScan uses true file type identification, it only scans
     files that are vulnerable to infection. The scan time is therefore significantly shorter than
     when you scan all files.
  • Files with the following extensions: Only scan files whose extensions are included in the file
    extension list. Add new extensions or remove any of the existing extensions.
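As an added illustration of content-based file type identification (example code written for this page, not Trend Micro's IntelliScan implementation), the following Python compares the three Files to Scan modes on constructed sample files. The magic-number table, the PE header check and the sample files are assumptions built for the example; IntelliScan's real type-detection logic is not public. It also covers the point that Office Open XML documents are ZIP containers and so depend on compressed-file scanning, and it shows the weakness of extension-based selection: an executable renamed to .txt is skipped unless "txt" is in the list.

```python
"""Content-based file type identification versus extension-based selection.

Added example for this page (not Trend Micro code). The signature table is a
minimal, constructed stand-in for real true-file-type logic.
"""
import struct

# Constructed magic-number table: (leading bytes, type name). Office Open XML
# files (.docx/.xlsx/.pptx) begin with a ZIP local-file header, so they are
# reported as a container, not as a document.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),
    (b"#!", "script"),
]

# Types treated as "vulnerable to infection" and therefore scanned in
# intelliscan mode (assumption for the example).
SCANNABLE_TYPES = {"pe-executable", "elf-executable", "zip-container",
                   "pdf", "ole-compound", "script"}
CONTAINER_TYPES = {"zip-container"}


def _has_pe_header(data: bytes) -> bool:
    """An 'MZ' prefix is only a DOS stub; a real PE also has 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def true_file_type(data: bytes) -> str:
    """Classify a file by its content; the file name is never consulted."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            if kind == "pe-executable" and not _has_pe_header(data):
                return "unknown"
            return kind
    return "unknown"


def select_for_scan(filename: str, data: bytes, mode: str,
                    extensions=(), scan_compressed=True):
    """Return (scan_it, detected_type) for one of the three Files to Scan modes.

    mode: "all" (All scannable files), "intelliscan", or "extensions"
    (Files with the following extensions). scan_compressed mirrors the
    separate compressed-file scanning option: containers are skipped when off.
    """
    kind = true_file_type(data)
    if kind in CONTAINER_TYPES and not scan_compressed:
        return False, kind
    if mode == "all":
        return True, kind
    if mode == "intelliscan":
        return kind in SCANNABLE_TYPES, kind
    if mode == "extensions":
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        allowed = {e.lower().lstrip(".") for e in extensions}
        return ext in allowed, kind
    raise ValueError(f"unknown mode {mode!r}")


def build_fake_pe() -> bytes:
    """Constructed, inert PE-shaped bytes: DOS header pointing at a PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    samples = {
        "invoice.txt": build_fake_pe(),               # executable hiding behind .txt
        "notes.txt": b"plain text, nothing to run",
        "report.docx": b"PK\x03\x04" + b"\x00" * 26,  # OOXML is a ZIP container
    }
    for name, blob in samples.items():
        for mode in ("all", "intelliscan", "extensions"):
            scan_it, kind = select_for_scan(name, blob, mode,
                                            extensions=("exe", "dll", "doc"))
            print(f"{name:12} {mode:12} type={kind:15} scan={scan_it}")
```

Running the block prints one line per file and mode; the interesting rows are invoice.txt, which IntelliScan scans as a PE despite its extension while the extension list skips it, and report.docx, which is selected only when compressed-file scanning is on.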

Scan Settings Section

  • Scan floppy disk during system shutdown: Real-time Scan scans any floppy disk for boot
    viruses before shutting down the endpoint. This prevents any virus/ malware from executing
    when a user reboots the endpoint from the disk.
  • Scan network drive: Scans network drives or folders mapped to the Security Agent endpoint
    during Manual Scan or Real-time Scan.
  • Scan the boot sector of the USB storage device after plugging in: Automatically scans only
    the boot sector of a USB storage device every time the user plugs it in (Real-time Scan).
  • Scan all files in removable storage devices after plugging in: Automatically scans all files on a
    USB storage device every time the user plugs it in (Real-time Scan).
  • Quarantine malware variants detected in memory: Behavior Monitoring scans the system
    memory for suspicious processes and Real-time Scan maps the process and scans it for
    malware threats. If a malware threat exists, Real-Time scan quarantines the process and/or
    file. Note: This feature requires that administrators enable the Unauthorized Change Prevention Service
    and the Advanced Protection Service.

Note: Apex One treats Microsoft Office 2007 files in Office Open XML format as compressed files.
Office Open XML, the file format for Office 2007 applications, uses ZIP compression
technologies. If you want files created using these applications to be scanned for viruses/
malware, you need to enable scanning of compressed files.

  • Scan OLE objects: When a file contains multiple Object Linking and Embedding (OLE) layers,
    Apex One scans the specified number of layers and ignores the remaining layers.
  • Detect exploit code in OLE files: OLE Exploit Detection heuristically identifies malware by
    checking Microsoft Office files for exploit code. The specified number of layers is applicable to
    both Scan OLE objects and Detect exploit code options.
  • Enable IntelliTrap: Detects and removes virus/malware on compressed executable files. Virus
    writers often attempt to circumvent virus filtering by using real-time compression algorithms.
    IntelliTrap helps reduce the risk of such viruses entering the network by blocking real-time
    compressed executable files and pairing them with other malware characteristics. Because
    IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider
    quarantining (not deleting or cleaning) files after enabling IntelliTrap. If users regularly
    exchange real-time compressed executable files, disable IntelliTrap. This option is available
    only for Real-time Scan.
  • Enable CVE exploit scanning for files downloaded through web and email channels: Blocks
    processes that attempt to exploit known vulnerabilities in commercially available products
    based on the Common Vulnerabilities and Exposures (CVE) system. This option is available
    only for Real-time Scan.

Real-Time Scan Action Tab
When the Security Agent detects malware, it can take the actions defined on this tab.

Virus/Malware Section

  • Use ActiveAction: With this option, the administrator relies on Trend Micro action
    recommendations that are stored within the VSAPI pattern. Trend Micro Anti-virus engineers
    determine these actions based on their analysis of various malware types. Customizing the
    action allows the administrator to control the scan action according to the network’s specific
    needs.
  • Use the same action for all virus/malware types: Select this option if you want the same
    action performed on all types of virus/malware, except probable virus/malware. If you choose
    Clean as the first action, select a second action that Apex One performs if cleaning is
    unsuccessful. If the first action is not Clean, no second action is configurable. If you choose
    Clean as the first action, Apex One performs the second action when it detects probable
    virus/malware.
  • Use a Specific Action for Each Virus/Malware Type: Manually select a scan action for each
    virus/malware type. For all virus/malware types except probable virus/malware, all scan
    actions are available. If you choose Clean as the first action, select a second action that Apex
    One performs if cleaning is unsuccessful. If the first action is not Clean, no second action is
    configurable.
  • Pass: The Agent does nothing to the malware.
  • Rename: Encrypt and rename the infected file. The Agent uses scan engine functions to
    change the file’s extension to .VIR, (or to .VI0, .VI1 and so on). If a virus is found and the
    virus action is Rename, the action performed will be Clean or, if uncleanable, Quarantine. A
    compressed file with an infected file inside will be renamed.
  • Quarantine: The Security Agent moves malware to a quarantine folder on the Agent, and
    then to a quarantine folder on the Apex One Server.
  • Clean: Remove the virus code from the file. The Agent can only clean files within ZIP/LHA
    files up to one layer of compression.
  • Delete: Delete the infected file. The Agent can delete files within ZIP/LHA file up to 6 layers
    of compression.
  • Deny Access: Prevent access to the infected file.

Note: Probable virus/malware refers to suspicious files that have some of the characteristics of
viruses/malware.
  • Display a Notification Message When Virus/Malware is Detected: When Apex One detects
    virus/malware during Real-time Scan and Scheduled Scan, it can display a notification
    message to inform the user about the detection.
  • Display a Notification Message When Probable Virus/ Malware is Detected: When Apex One
    detects probable virus/malware during Real-time Scan and Scheduled Scan, it can display a
    notification message to inform the user about the detection.
  • Back Up Files Before Cleaning: If Apex One is set to clean an infected file, it can first back up
    the file. This allows you to restore the file in case you need it in the future. Apex One encrypts
    the backup file to prevent it from being opened, and then stores the file in the identified
    folder.
  • Run cleanup when probable virus/malware is detected: You can only select this option if the
    action on probable virus/malware is not Pass or Deny Access. For example, if the Security
    Agent detects probable virus/malware during Real-time Scan and the action is Quarantine, the
    Security Agent first quarantines the infected file and then runs cleanup if necessary. The
    cleanup type (standard or advanced) depends on your selection.

Spyware/Grayware Section

  • Clean: Apex One terminates processes or deletes registry entries, files, cookies, and shortcuts.
    After cleaning spyware/grayware, Apex One agents back up spyware/grayware data, which you can
    restore if you consider the spyware/grayware safe to access.
  • Deny access: Apex One denies access (copy, open) to the detected spyware/grayware
    components.
  • Display a notification on endpoints when spyware/grayware is detected: When Apex One
    detects spyware/grayware during Real-time Scan and Scheduled Scan, it can display a
    notification message to inform the user about the detection.

Real-Time Scan Exclusion Tab
Configure scan exclusions to increase the scanning performance and skip scanning files causing
false alarms. When a particular scan type runs, Apex One checks the scan exclusion list to
determine which files on the endpoint will be excluded from both virus/malware and spyware/
grayware scanning. Scan exclusions are stored in the Windows Registry on the endpoint computer.

Scan Exclusion Section

  • Enable scan exclusions: Enables the use of the Scan exclusions described on this tab.
  • Apply scan exclusion settings to all scan types: Enables the scan exclusions list to be used,
    regardless of the scan type.
  • Scan Exclusion List (Directories): Apex One will not scan all files found under a specific
    directory on the computer. You can specify a maximum of 256 directories. By excluding a
    directory from scans, Apex One automatically excludes all of the directory’s sub-directories
    from scans.
  • Exclude directories where Trend Micro products are installed: If you select this option,
    Apex One automatically excludes the directories of many Trend Micro products from
    scanning.
  • Scan Exclusion List (Files): Apex One will not scan a file if its file name matches any of the
    names included in this exclusion list. If you want to exclude a file found under a specific
    location on the endpoint, include the file path, such as C:\Temp\sample.jpg. You can specify a
    maximum of 256 files.
  • Scan Exclusion List (File Extensions): Apex One will not scan a file if its file extension matches
    any of the extensions included in this exclusion list. You can specify a maximum of 256 file
    extensions. A period (.) is not required before the extension.
    For Manual Scan, Scheduled Scan, and Scan Now, use a question mark (?) to replace a
    single character or an asterisk (*) to replace multiple characters as wildcard characters. For
    example, if you do not want to scan any files with extensions starting with D, such as DOC, DOT,
    or DAT, type D* or D??.
    Note: Real-time Scan does not support the use of wildcard characters when specifying extensions.
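The matching rules above, as an added example written for this page (not Apex One's own exclusion code). It applies the directory, file and extension lists in that order, honours ? and * only for the on-demand scan types, and enforces the 256-entry limit. Treating a wildcard pattern under Real-time Scan as a literal that never matches is an assumption about how an unsupported pattern is handled. The constructed sample also shows why a broad pattern such as D* is risky: besides DOC and DAT it silently excludes every .dll from on-demand scans.

```python
"""Scan exclusion matching for Apex One-style directory, file and extension lists.

Added example for this page, not Trend Micro code. Paths are compared
case-insensitively with backslash separators, as on Windows.
"""
import fnmatch

MAX_ENTRIES = 256
ON_DEMAND = {"manual", "scheduled", "scannow"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


class ScanExclusions:
    def __init__(self, directories=(), files=(), extensions=()):
        for name, entries in (("directories", directories), ("files", files),
                              ("extensions", extensions)):
            if len(entries) > MAX_ENTRIES:
                raise ValueError(f"{name}: at most {MAX_ENTRIES} entries allowed")
        # A directory exclusion covers the directory and all sub-directories.
        self.dirs = [_norm(d).rstrip("\\") + "\\" for d in directories]
        # A file entry is either a bare name (matched anywhere) or a full path.
        self.files = [_norm(f) for f in files]
        # Extensions are stored without a leading period.
        self.exts = [e.lower().lstrip(".") for e in extensions]

    def is_excluded(self, path: str, scan_type: str):
        """Return (excluded, reason). scan_type: realtime, manual, scheduled or scannow."""
        p = _norm(path)
        if any(p.startswith(d) for d in self.dirs):
            return True, "directory"

        name = p.rsplit("\\", 1)[-1]
        for entry in self.files:
            full_path = "\\" in entry
            if (full_path and p == entry) or (not full_path and name == entry):
                return True, "file"

        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        for pattern in self.exts:
            if scan_type in ON_DEMAND:
                # ? and * are honoured for Manual, Scheduled and Scan Now.
                if fnmatch.fnmatchcase(ext, pattern):
                    return True, "extension"
            elif ext == pattern:
                # Real-time Scan: literal comparison only. A pattern containing
                # a wildcard therefore never matches (assumption for the example).
                return True, "extension"
        return False, None


if __name__ == "__main__":
    # Constructed policy: a database folder, one file by path, one by name, two extensions.
    ex = ScanExclusions(
        directories=[r"C:\SQLData"],
        files=[r"C:\Temp\sample.jpg", "pagefile.sys"],
        extensions=["mdf", "D*"],
    )
    for path, scan_type in [
        (r"C:\SQLData\prod\db.ldf", "scheduled"),
        (r"C:\Temp\sample.jpg", "realtime"),
        (r"C:\Users\bob\memo.doc", "manual"),
        (r"C:\Users\bob\memo.doc", "realtime"),     # D* is not honoured by Real-time Scan
        (r"C:\Users\bob\dropper.dll", "manual"),    # swept up by the broad D* pattern
    ]:
        print(f"{path:30} {scan_type:10} -> {ex.is_excluded(path, scan_type)}")
```

Review the output before shipping an exclusion policy: anything that comes back excluded for "manual" but not for "realtime" is a wildcard entry that only covers on-demand scans, and any executable type (dll, exe) that matches a wildcard is a gap an attacker can use.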

Manual Scan Settings
Manual Scan is an on-demand scan and starts immediately after a user runs the scan on the Apex
One agent console. The time it takes to complete scanning depends on the number of files to
scan and the Apex One agent endpoint’s hardware resources.

Manual Scan Settings Section

  • Scan hidden folders: Allows Security Agents to detect and then scan hidden folders on the
    endpoint during Manual Scan.
  • Scan boot area: Scans the boot sector of the hard disk for virus/malware during Manual Scan,
    Scheduled Scan and Scan Now.

CPU Usage Section
Apex One can pause after scanning one file and before scanning the next file. This setting is used
during Manual Scan, Scheduled Scan, and Scan Now.

  • High: No pausing between scans
  • Medium: Pause between file scans if CPU consumption is higher than 50%, and do not pause
    if 50% or lower
  • Low: Pause between file scans if CPU consumption is higher than 20%, and do not pause if
    20% or lower

If you choose Medium or Low, when scanning is launched and CPU consumption is within the
threshold (50% or 20%), Apex One will not pause between scans, resulting in faster scanning
time. Apex One uses more CPU resource in the process but because CPU consumption is optimal,
endpoint performance is not drastically affected. When CPU consumption begins to exceed the
threshold, Apex One pauses to reduce CPU usage, and stops pausing when consumption is within
the threshold again. If you choose High, Apex One does not check the actual CPU consumption
and scans files without pausing.

Manual Scan Action Tab
Virus/Malware Section

  • Damage Cleanup Services: Damage Cleanup Services cleans computers of file-based and
    network viruses, and virus and worm remnants (Trojans, registry entries, and viral files). The
    Agent triggers Damage Cleanup Services before or after virus/malware scanning, depending
    on the scan type.
  • Standard cleanup: The Security Agent performs any of the following actions during
    standard cleanup:
    -Detects and removes live Trojans
    -Kills processes that Trojans create
    -Repairs system files that Trojans modify
    -Deletes files and applications that Trojans drop
  • Advanced cleanup: In addition to the standard cleanup actions, the Security Agent stops
    activities by rogue security software (also known as FakeAV) and certain rootkit variants. The
    Security Agent also uses advanced cleanup rules to proactively detect and stop applications
    that exhibit FakeAV and rootkit behavior.

Scheduled Scan Settings
Scheduled Scan runs automatically on the appointed date and time. Use Scheduled Scan to
automate routine scans on the agent and improve scan management efficiency.

Schedule Section
Configure how often (daily, weekly, or monthly) and what time Scheduled Scan will run. For
monthly Scheduled Scans, you can choose either a particular day of a month or a day of a week
and the order of its occurrence.

Scan Now Settings
Scan Now is initiated remotely by administrators through the web console and can be targeted to
one or several Apex One agent endpoints.

Trusted Program List
You can configure Security Agents to skip scanning of trusted processes during Real-time,
Behavior Monitoring, Data Leak Prevention and Device Control scans (Scheduled, Manual and
Scan Now scans do not make use of the Trusted Program List). Add trusted programs to the
Trusted Program List to improve the performance of scanning on endpoints. Because a listed
program is exempt from Real-time Scan and Behavior Monitoring, keep the list short and review it
periodically.
You can add program files to the Trusted Program List if the following requirements are met:

  • The program file is not located in the Windows system folder.
  • The program file has a valid digital signature.

Scan Caching
The Security Agent can build a digital signature cache file and an on-demand scan cache file to
improve its scan performance. When an on-demand scan runs, the Security Agent first checks the
digital signature cache file and then the on-demand scan cache file for files to exclude from the scan.
Scanning time is reduced if a large number of files are excluded from the scan.

Digital Signature Cache
Agents do not scan files whose signatures have been added to the digital signature cache file.
The Security Agent uses the same Digital Signature Pattern used for Behavior Monitoring to
build the digital signature cache file. The Digital Signature Pattern contains a list of files that
Trend Micro considers trustworthy and therefore can be excluded from scans.
Agents build the digital signature cache file according to a schedule, which is configurable from
the Web Management console. Agents do this to:

  • Add the signatures of new files that were introduced to the system since the last cache file
    was built.
  • Remove the signatures of files that have been modified or deleted from the system.

During the cache building process, Agents check the following folders for trustworthy files and
then add the signatures of these files to the digital signature cache file:

  • %PROGRAMFILES%
  • %WINDIR%

Other folders are not checked for trustworthy files. The cache building process does not affect
the endpoint’s performance because Agents use minimal system resources during the process.
Agents are also able to resume a cache building task that was interrupted for some reason (for
example, when the host machine is powered off or when a wireless endpoint’s AC adapter is
unplugged).

On-demand Scan Cache
Security Agents do not scan files whose caches have been added to the on-demand scan cache
file.
Each time scanning runs, the Security Agent checks the properties of threat-free files. If a threat-free
file has not been modified for a certain period of time (the time period is configurable), the
Security Agent adds the cache of the file to the on-demand scan cache file. When the next scan
occurs, the file will not be scanned if its cache has not expired.
The cache for a threat-free file expires within a certain number of days (the time period is also
configurable). When scanning occurs on, or after the cache expiration, the Security Agent
removes the expired cache and scans the file for threats. If the file is threat-free and remains
unmodified, the cache of the file is added back to the on-demand scan cache file. If the file is
threat-free but was recently modified, the cache is not added and the file will be scanned again
on the next scan.
The cache for a threat-free file expires to prevent the exclusion of infected files from scans, as
illustrated in the following examples:

  • It is possible that a severely outdated pattern file may have treated an infected, unmodified
    file as threat-free. If the cache does not expire, the infected file remains in the system until it
    is modified and detected by Real-time Scan.
  • If a cached file was modified and Real-time Scan is not functional during the file modification,
    the cache needs to expire so that the modified file can be scanned for threats.

The number of caches added to the on-demand scan cache file depends on the scan type and its
scan target. For example, the number of caches may be less if the Security Agent only scanned
200 of the 1,000 files in the endpoint during Manual Scan.
If on-demand scans are run frequently, the on-demand scan cache file reduces the scanning time
significantly. In a scan task where no caches have expired, scanning that usually takes 12
minutes can be reduced to 1 minute. Reducing the number of days a file must remain unmodified
and extending the cache expiration usually improve performance: because files only need to remain
unmodified for a short period, more caches are added to the cache file, and because the caches live
longer, more files are skipped from scans. The same tuning widens the window in which an infected
but cached file is skipped, as in the two examples above, so balance it against how often patterns
are updated. If on-demand scans are seldom run, you can disable the on-demand scan cache since
the caches would have expired by the time the next scan runs.
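The cache rules described above, as an added simulation written for this page (not the Security Agent's implementation). Time is kept in whole days, the "properties" the agent checks are reduced to the file's modification time, and the two thresholds are the page's configurable periods: days a file must stay unmodified before it is cached, and days until its cache expires. The scenario in demo_timeline is constructed to show both reasons a file is rescanned: a file modified while cached is rescanned at once (the page's second example, where Real-time Scan may have been off), and an untouched file is rescanned once its cache expires (the page's first example, which catches a stale verdict from an outdated pattern).

```python
"""On-demand scan cache: skip files that were recently verified clean and unchanged.

Added example for this page, not Trend Micro code. Times are in days.
"""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    mtime: float       # modification time seen when the file was cached
    expires_at: float  # day on which the cache entry stops being honoured


class OnDemandScanCache:
    def __init__(self, unmodified_days: int, expiry_days: int):
        self.unmodified_days = unmodified_days
        self.expiry_days = expiry_days
        self.entries = {}  # path -> CacheEntry

    def needs_scan(self, path: str, mtime: float, now: float) -> bool:
        """True unless a live, still-valid cache entry covers this exact file version."""
        entry = self.entries.get(path)
        if entry is None:
            return True
        if now >= entry.expires_at or mtime != entry.mtime:
            # Expired, or modified since it was cached: drop the stale entry and rescan.
            del self.entries[path]
            return True
        return False

    def record_result(self, path: str, mtime: float, now: float, threat_free: bool) -> None:
        """Cache a clean file only if it has sat unmodified for the configured period."""
        if threat_free and now - mtime >= self.unmodified_days:
            self.entries[path] = CacheEntry(mtime, now + self.expiry_days)


def run_scan(cache: OnDemandScanCache, files: dict, now: float, infected=frozenset()):
    """Scan `files` (path -> mtime) at day `now`; return the sorted list actually scanned.

    `infected` names the files the (simulated) engine would flag; they are never cached.
    """
    scanned = []
    for path, mtime in files.items():
        if cache.needs_scan(path, mtime, now):
            scanned.append(path)
            cache.record_result(path, mtime, now, threat_free=path not in infected)
    return sorted(scanned)


def demo_timeline():
    """Constructed scenario: 7 days unmodified before caching, entries expire after 30 days."""
    cache = OnDemandScanCache(unmodified_days=7, expiry_days=30)
    files = {"a.exe": -10.0, "b.exe": -1.0}   # mtimes relative to day 0
    log = {}
    log[0] = run_scan(cache, files, now=0)     # both scanned; only a.exe is old enough to cache
    log[1] = run_scan(cache, files, now=1)     # a.exe skipped, b.exe rescanned (not cached yet)
    log[10] = run_scan(cache, files, now=10)   # b.exe now unmodified for 11 days -> cached
    log[11] = run_scan(cache, files, now=11)   # nothing scanned
    files["a.exe"] = 15.0                      # a.exe modified on day 15
    log[16] = run_scan(cache, files, now=16)   # a.exe rescanned because its mtime changed
    log[45] = run_scan(cache, files, now=45)   # b.exe's cache (day 10 + 30) expired -> rescanned
    return log


if __name__ == "__main__":
    for day, scanned in demo_timeline().items():
        print(f"day {day:>2}: scanned {scanned}")
```

Shortening unmodified_days and lengthening expiry_days makes the day-11 case (nothing scanned) the common one, which is the performance gain the page describes; the day-45 case is the safety net that shrinks as expiry_days grows.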

Quarantining Detected Malware
The Quarantine action instructs Security Agents to physically send detected malware to the Apex One
Server, where it is stored in a centralized quarantine folder for future analysis.
When the Agent detects a malware instance that it is set to quarantine, it moves the file to its
…\OfficeScan Client\SUSPECT folder. Afterwards, the Agent initiates the process of transferring
the malware to a folder called …\VIRUS on the Apex One Server, where it is rendered inert for safe
storage.
Files stored in the Quarantine folder are renamed according to the following naming convention:
_.
The sequence number differentiates files that were uploaded to the server within the same second. To
prevent infected files from being opened, Apex One encrypts the file before quarantining it or when
backing up a file before cleaning it.

Restoring Quarantined Files
Apex One provides mechanisms to decrypt and then restore the files in case you believe that a
detection was inaccurate.
Note: Restoring an infected file may spread the virus/malware to other files and computers. Before
restoring the file, isolate the infected endpoint and move important files on this endpoint to a
backup location.

Quarantined files on the Agent endpoint: These files are found in the
C:\Program Files (x86)\Trend Micro\OfficeScan Client\Suspect\Backup folder and are
automatically purged after 7 days.

Quarantined files on the Apex One Server: A quarantine folder is also available on the Server to
allow files to be restored from the Agent Management list.

Backed up encrypted files: These are the backups of infected files that Apex One was able to clean.
These files are found in the C:\Program Files (x86)\Trend Micro\OfficeScan Client\Backup
folder on the Agent endpoint. To restore these files, users need to move them to the
…\SUSPECT\Backup folder on the Agent endpoint. Apex One only backs up and encrypts files
before cleaning if you select Backup files before cleaning in the scan type policy.

vsencode.exe
The vsencode.exe tool can be used to restore files from quarantine on the Security Agent. In
Windows Explorer, navigate to the following folder on the Security Agent computer:
C:\Program Files (x86)\Trend Micro\OfficeScan Client\

Note: The tool can only restore one file at a time.

Central Quarantine Restore
The Central Quarantine Restore in Apex One allows you to search for files in the quarantine
directory.

Smart Scan
In addition to conventional pattern-based detection, Apex One offers Smart Scan as a feature provided by
the File Reputation service hosted on the Trend Micro Smart Protection Network.
Smart Scan shifts much of the malware and spyware scanning functionality to a Smart Protection Server.
It keeps local pattern files small and reduces the size and number of updates required by Agents.

The move to in-the-cloud protection is driven by two considerations:

  • Malware creation is outstripping traditional malware knowledge deployment. By the time a piece
    of malware is recognized, it has already changed.
  • As patterns grow in power, they grow in size. An inescapable consequence of a rise in the number of
    malware is accelerated growth of anti-malware patterns. As things currently stand, network
    administrators now have to be careful about when they schedule their updates, to avoid network
    disruption.

To address these conditions, Trend Micro re-thought how it deployed malware knowledge to its protection
products. Instead of pre-deploying anti-malware knowledge to the endpoints, with the resulting
deployment delay and bandwidth issues, this knowledge is now deployed on-demand from a centralized
database that is updated more frequently than traditional methods through a mechanism called File
Reputation.

Smart Scan provides the following features and benefits:

  • Reduces the overall time it takes to deliver protection against emerging threats
  • Reduces network bandwidth consumed during pattern updates. The bulk of pattern definition updates
    only needs to be delivered to the cloud and not to many endpoints
  • Reduces the cost and overhead associated with corporate-wide pattern deployments
  • Lowers kernel memory consumption on endpoints. Consumption increases minimally over time
  • Provides fast, real-time security status lookup capabilities in the cloud and therefore increases overall
    protection

By default this option is set to on. Agents that are implementing the Smart Protection Network solution
use the following components:

  • Smart Scan Agent Pattern: The pattern file contains complete threat information for all malware that
    is currently in the wild.
  • Smart Query Filter: This compressed index file references complete threat information that is stored
    in the Smart Scan Pattern on the Smart Protection Server.
  • Smart Scan Pattern: This pattern file stores information for virus confirmation and actions to proceed
    in case of cleaning and is located on the Smart Protection Server.

File Reputation
File Reputation is an implementation of malware identification through the use of Cyclic
Redundancy Check (CRC) values. Cyclic Redundancy Check information can be divided into two
parts:

  • Part 1 – Used for initial malware identification
  • Part 2 – Used for malware confirmation
The following diagram represents a file that has been infected by a virus.

When a virus infects a file, it typically appends a part of itself to the front of the file. This serves
two purposes:

  • To keep other instances of the virus from re-infecting an already infected file, thereby
    ensuring efficient propagation.
  • To ensure that the virus code in the file runs first whenever the file is opened. This front-appended
    portion often contains a jump command to the main portion of the virus, which is
    located elsewhere in the file.

For this kind of virus, the CRC information in Part 1 would be used to identify the first part of the
virus added to the front of the file.

The scan engine uses this information to detect if a file has been infected with a specific virus.
After detecting the first part of the virus using part 1 of the CRC information, the scan engine
looks for the corresponding part 2 of the CRC for additional identification information about the
remaining portion of the virus and to confirm that the file is indeed a virus.
To locate part 2 of the CRC information, the scan engine requires information about its expected
location within the file. This information is stored in what pattern builders call the CRC table, and
the location within the file is called its offset.
Once the virus has been identified, the scan engine requires information to clean/remove the
virus. This information comes from the Smart Protection Server. Once the scan engine retrieves
the cleaning/removal information that corresponds to the identified virus, it is then able to take
action against the virus.

File Reputation addresses the needs enumerated in the previous section by de-constructing the
existing pattern.
Note the following changes to the existing pattern:

  • CRC and virus information is still stored locally for malware that are classified as in-the-wild.
    This means that the only malware information that is available locally corresponds to
    malware that is actively doing harm. This information resides in the Smart Scan Agent
    Pattern file.
  • CRC and virus information for malware that are no longer considered in-the-wild is moved to
    an external database called the Smart Scan Pattern. This pattern contains all the CRC Parts 1
    and 2 information of the traditional pattern. Non-CRC data is also stored in the Smart Scan
    Pattern.
  • A compressed copy of CRC Part 1 information, for not-in-the-wild malware, is moved to a new
    pattern called the Smart Query Filter, which the Security Agent uses to determine when to
    query the external database for matching Part 2 information. This serves as a kind of index to
    the information in the external database.
    Note: Both the Smart Query Filter and Smart Scan Agent Pattern reside on the Security Agent.

External CRC Database
Components on the Security Agent are responsible for looking for malware and taking action
upon it when found. However, the knowledge required to identify malware does not
completely reside within the product itself; part of this knowledge is located externally.
The CRC database contains CRC information that corresponds to known malware. This database
resides on the Smart Protection Server. Security Agents can either refer to the global Trend
Micro Smart Protection Network, or a local Smart Protection Server if it is available.

  1. Reference Smart Scan Agent Pattern
    Each time the Security Agent scans a file, it first uses the local pattern file to check whether the
    scanned content contains malware and to obtain cleaning instructions. It does this by
    referencing information in the Smart Scan Agent Pattern. The Agent uses this to perform the
    in-the-wild verification and to clean/remove these active viruses.
  2. Calculate CRC Part 1
    If the content looks suspicious but the malware cannot be detected and cleaned using the
    local pattern files, it calculates a Cyclic Redundancy Check (CRC) sum for the initial portion of
    the content (CRC Part 1).
  3. Submit CRC Part 1
    The Agent submits the CRC Part 1 sum to the local or in-the-cloud File Reputation Server on
    the Smart Protection network to query the malware database for all records matching the
    calculated CRC Part 1.
  4. Smart Scan Pattern query for CRC Part 2
    In this step, the Smart Protection Server uses the CRC Part 1 value to query for matching CRC
    Part 2 information, which enables the scan engine to confirm that the suspect file is indeed
    malware.
    The CRC Part 2 information is stored in a database on the Smart Protection Server called the
    Smart Scan Pattern.
    By design, the Agent only waits for a response from the Smart Protection Server for a specific
    period of time (a maximum of 500 milliseconds). For this brief period, the scan engine locks
    the file. If the scan engine is unable to query the Smart Protection Server, the server-side
    processing portion of this step does not occur, and the Agent attempts to query another
    Smart Protection Server if one is available, or proceeds using offline protection.
  5. Reply with Corresponding CRC Part 2
    If the CRC information sent in the query matches CRC Part 1 information in the Smart Scan
    Pattern, the Smart Protection Server returns all the corresponding CRC Part 2 records to the
    Agent.
  6. Malware identification
    When the Agent receives the CRC Part 2 information from the Smart Protection Server, it
    passes the information to the scan engine to perform matching operations. If no match is
    found, the file is safe and the scanning process ends.
  7. Virus ID query
    If a match is found, the Agent sends a second query to the Smart Protection Server for
    information about how to clean/remove the malware. Instead of sending CRC information like
    in the first query, the Agent sends the Virus ID of the CRC Part 2 record of the malware that
    was detected.
  8. Smart Scan Pattern query
    The Smart Protection Server then searches for the virus information that corresponds to this
    Virus ID submitted to retrieve cleaning instructions.
  9. Cleaning instructions returned to Agents
    Once the virus information is retrieved, the Smart Protection Server returns this to the Agent
    for use by the scan engine.
    The Agent waits for a maximum of 500 milliseconds for the Smart Protection Server to reply.
    If the Agent does not receive a timely reply, the Agent will abandon the primary action, in
    favor of the secondary action. A failure in this operation would cause the Agent to quarantine
    the malware instead of cleaning it.
  10. Remove Malware
    Finally, the Security Agent receives the virus information from the Smart Protection Server,
    and the scan engine uses this information to clean/remove the virus.
Note: Do not use Smart Scan if the computer doesn’t have reliable network connectivity to the Trend
Micro Smart Protection Network or your Smart Protection Server.
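To make the CRC Part 1/Part 2 split and the ten-step lookup above concrete, here is a constructed Python simulation, added for this section and not Trend Micro's code or any Apex One component. The pattern layouts, the 64-byte Part 1 coverage, CRC32 as the checksum, the record fields, the status strings and the server interface are assumptions; only the step order, the Smart Query Filter gate, the 500 ms wait and the quarantine fallback follow the text.

```python
"""Constructed simulation of the File Reputation lookup (not Trend Micro's code).
Pattern layouts, CRC coverage and the server interface are assumptions; the
500 ms timeout is modelled by comparing latencies, not by sleeping."""
import zlib
from dataclasses import dataclass, field

PART1_LEN = 64    # assumption: bytes at the file head that CRC Part 1 covers
TIMEOUT_MS = 500  # maximum time the Agent waits for a Smart Protection Server reply


def crc_part1(data: bytes) -> int:
    # Initial identification: CRC over the front-appended portion of the file.
    return zlib.crc32(data[:PART1_LEN]) & 0xFFFFFFFF


def crc_part2(data: bytes, offset: int, length: int) -> int:
    # Confirmation: CRC over the virus body at the offset the CRC table records.
    return zlib.crc32(data[offset:offset + length]) & 0xFFFFFFFF


@dataclass
class Part2Record:
    offset: int
    length: int
    crc2: int
    virus_id: str


@dataclass
class SmartProtectionServer:
    """Smart Scan Pattern (Part 1 -> Part 2 records) plus cleaning info (VINFO) by Virus ID."""
    smart_scan_pattern: dict
    vinfo: dict
    online: bool = True
    part2_latency_ms: int = 20
    vinfo_latency_ms: int = 20

    def query_part2(self, crc1: int):
        if not self.online or self.part2_latency_ms > TIMEOUT_MS:
            return None  # no reply within 500 ms: the Agent stops waiting
        return self.smart_scan_pattern.get(crc1, [])

    def query_vinfo(self, virus_id: str):
        if not self.online or self.vinfo_latency_ms > TIMEOUT_MS:
            return None
        return self.vinfo.get(virus_id)


@dataclass
class SecurityAgent:
    agent_pattern: dict    # Smart Scan Agent Pattern: crc1 -> (Part2Record, vinfo), in-the-wild only
    query_filter: set      # Smart Query Filter: Part 1 CRCs of not-in-the-wild malware
    server: SmartProtectionServer
    crc_cache: dict = field(default_factory=dict)    # crc1 -> Part 2 records (CRC cache)
    vinfo_cache: dict = field(default_factory=dict)  # virus_id -> cleaning info

    def scan(self, data: bytes) -> str:
        crc1 = crc_part1(data)
        # Step 1: in-the-wild malware is confirmed and cleaned from the local pattern alone.
        if crc1 in self.agent_pattern:
            rec, _ = self.agent_pattern[crc1]
            if crc_part2(data, rec.offset, rec.length) == rec.crc2:
                return "cleaned-local"
        # Steps 2-3: the query filter decides whether a Part 1 value warrants a server round trip.
        if crc1 not in self.query_filter:
            return "clean"
        # Steps 4-5: fetch Part 2 records, served from the CRC cache when already known.
        records = self.crc_cache.get(crc1)
        if records is None:
            records = self.server.query_part2(crc1)
            if records is None:
                return "offline-protection"  # no server reachable and nothing cached
            self.crc_cache[crc1] = records
        # Step 6: a Part 1 hit alone is not a detection; Part 2 must match a record.
        match = next((r for r in records
                      if crc_part2(data, r.offset, r.length) == r.crc2), None)
        if match is None:
            return "clean"
        # Steps 7-10: second query by Virus ID; a timeout means the secondary action (quarantine).
        vinfo = self.vinfo_cache.get(match.virus_id) or self.server.query_vinfo(match.virus_id)
        if vinfo is None:
            return "quarantined"
        self.vinfo_cache[match.virus_id] = vinfo
        return "cleaned"


# Constructed sample files: a stub is front-appended to the host and the virus body follows.
STUB = b"JMP virus_body".ljust(PART1_LEN, b"\x90")
HOST = b"original host program content " * 4
BODY = b"CONSTRUCTED_VIRUS_BODY"
INFECTED = STUB + HOST + BODY
COLLISION = STUB + HOST + b"different payload"  # Part 1 matches, Part 2 does not
BENIGN = b"a benign executable image"
BODY_OFFSET = len(STUB) + len(HOST)
RECORD = Part2Record(BODY_OFFSET, len(BODY), crc_part2(INFECTED, BODY_OFFSET, len(BODY)),
                     "VIRUS_CONSTRUCTED.A")
VINFO = {"VIRUS_CONSTRUCTED.A": "strip stub; truncate body"}  # constructed instructions


def build_agent(in_the_wild: bool, **server_opts) -> SecurityAgent:
    # Knowledge of the sample virus is either local (in the wild) or server-side only.
    crc1 = crc_part1(INFECTED)
    server = SmartProtectionServer({crc1: [RECORD]}, VINFO, **server_opts)
    if in_the_wild:
        return SecurityAgent({crc1: (RECORD, VINFO[RECORD.virus_id])}, set(), server)
    return SecurityAgent({}, {crc1}, server)
```

The COLLISION sample shows why Part 2 exists: it shares the sample's Part 1 value, so only the confirmation step keeps it from being reported.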

CRC Caching
The CRC cache contains the following information:

  • Malware confirmation CRC information
  • Malware removal information (VINFO)
Apex One uses both types of information during the local verification step of the File Reputation
operation.
The ability of an offline Agent’s scan engine to act upon suspected malware is entirely dependent
on information in the cache. This information depends on types of cache.

Server is restored.
Cache.dat contains a snapshot of the contents of the memory-only CRC cache when the
Security Agent shuts down. It serves as a repository of the CRC and VINFO information already
retrieved in previous queries. When the Security Agent starts up, it reads this file to re-populate
the cache.
The information in cache.dat is written in binary format, so it is not human-readable. The only way to
read the information stored in the CRC cache is with a command line tool called
DumpCache.exe.

Spyware/Grayware Protection
Spyware and grayware comprise applications and components that collect information to be
transmitted to a separate system or collected by another application. Spyware/grayware detections,
although exhibiting potentially malicious behavior, may include applications used for legitimate purposes
such as remote monitoring.
Apex One uses the Spyware Scanning API (SSAPI) to deal with spyware. This scan engine uses a variety of
internal scanning functions to remove spyware-related files, as well as the changes these files make in
various system areas (for example, Windows registry, shortcuts, etc.).
Ntrtscan.exe is the Security Agent component that is responsible for scanning functionality. For this
purpose, it calls both VSAPI and SSAPI scan engines.

VSAPI
VSAPI is responsible for real-time spyware detection. Since spyware always involves a file
component, these will still be detectable using conventional file scanning techniques.
Spyware removal, however, requires more than just removal of spyware-related files. Cookies, for
example, not only reside in the user’s cookie folder but also in a special registry for cookies. To
effectively remove cookies, the latter must also be addressed. VSAPI lacks this ability to remove
spyware-related alterations in different system areas. This is why SSAPI is part of the process.

SSAPI
Once VSAPI detects the creation of a spyware file-component on the system, it passes this
information to Ntrtscan.exe, which then calls SSAPI to remove the spyware.
SSAPI can detect spyware based on either signatures or changes from a specific baseline. SSAPI
signatures are stored in a definition file.

Enabling SSAPI Logs
Scanner-specific communications all use SSAPI log entries to show the scanner’s actions. To
generate these logs, the following registry entry must be added:
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc
DWORD: EnableSSAPILog = 1
The debug log is created in the location specified for the Security Agent debug log.

Digital Signatures
SSAPI checks the digital signatures of files that VSAPI recognizes as spyware. If the digital
signature of the file identified as spyware exists in the whitelist, the file is not removed. This
applies to all types of scanning (For example, Real-time, Manual, etc.).

Note: The digital signature for an application can be viewed on the Digital Signatures tab of its
Properties dialog in Windows Explorer.

Damage Cleanup Services
Damage Cleanup Services (DCS) remove files that cannot be cleaned by the Virus Scan Engine,
such as files infected with Trojans. Damage Cleanup Services cleans computers of file-based and
network viruses, and virus and worm remnants (Trojans, Registry entries, viral files) through a
fully-automated process.
Damage Cleanup Services performs the following functions:

  • Detects and removes live Trojans
  • Kills processes that Trojans create
  • Repairs system files that Trojans modify
  • Deletes files and applications that Trojans drop
Damage Cleanup Services runs automatically in the background, and users are typically unaware
when it runs. However, Apex One may sometimes notify the user to restart their endpoint to
complete the process of removing a Trojan.

Damage Cleanup Services does not run cleanup on probable virus/malware unless Run cleanup
when probable virus/malware is detected is selected. Note that you can only select this option if
the action on probable malware is not Deny Access.

Advanced Cleanup
In addition to the standard cleanup actions, the Manual, Scheduled and Scan Now settings also
include an advanced cleanup option. With this enabled, the Security Agent stops activities by
rogue security software (also known as FakeAV) and certain rootkit variants. The Security Agent
also uses advanced cleanup rules to proactively detect and stop applications that exhibit FakeAV
and rootkit behavior.

Damage Cleanup Services Components
Damage Cleanup Services consist of the following engine, template and driver components:

  • Damage Cleanup Engine: The Damage Cleanup Engine scans for and removes Trojans and
    Trojan processes. This engine supports 32-bit and 64-bit platforms.
  • Damage Cleanup Template: The Damage Cleanup Template is used by the Damage Cleanup
    Engine to identify Trojan files and processes so the engine can eliminate them.
  • Early Boot Cleanup Driver: The Trend Micro Early Boot Cleanup driver loads before the
    operating system drivers which enables the detection and blocking of boot-type rootkits.
    After the Security Agent loads, the Trend Micro Early Boot Cleanup Driver calls Damage Cleanup
    Services to clean the rootkit.

Assessment Mode
To help an administrator study the types of files that are flagged as spyware, Apex One provides
an option to prevent Security Agents from deleting spyware, even if they are set to clean.
Unlike other forms of malware, there is little consensus on what constitutes spyware. Cookies are
a good example of this. Like other security companies, Trend Micro can detect and remove
cookies. However, many claim that cookies are not actually spyware.
Assessment Mode gives administrators a chance to fine-tune their own policies for files addressed
as part of anti-spyware functionality. This assessment period allows the administrator to identify
the files that they want excluded from spyware cleaning, and to add them to the Approved List.
After the assessment period, the Security Agent implements spyware cleaning functionality.

When in assessment mode, Agents log spyware/grayware detected during scans, but do not
clean spyware/grayware components. Cleaning terminates processes or deletes registry entries,
files, cookies, and shortcuts.

Preventing Outbreaks
To contain outbreaks, Apex One enforces outbreak prevention policies and isolates infected computers
until they are completely risk-free. Attack-specific security policies are deployed to prevent or contain
outbreaks before pattern files are available.

Outbreak Prevention Policy
Outbreak Prevention security policies can include the following:

  • Limit/Deny access to shared folders
  • Block Ports (only available/visible if Firewall is enabled)
  • Deny write access to files and folders (excludes mapped drives)
  • Deny access to executable compressed files
  • Create mutual exclusion (mutex) handling on malware processes/files (only available if
    Unauthorized Change Prevention service is enabled)

During outbreaks, block vulnerable ports that viruses/malware might use to gain access to
Security Agent endpoints.
Note: Configure Outbreak Prevention settings carefully. Blocking ports that are in use makes network
services that depend on them unavailable. For example, if you block the trusted port, Apex One
cannot communicate with the Agent for the duration of the outbreak.

Outbreak Notifications
Administrators can be notified when conditions warrant configuring Outbreak Prevention.

Starting Outbreak Prevention
When warranted, enable Outbreak Prevention to isolate infected endpoint computers.

Terminating Outbreak Prevention
When you are confident that an outbreak has been contained and that Apex One has cleaned or
quarantined all infected files, restore network settings to normal by disabling Outbreak
Prevention.

What is the value of a high school education?

  • The Value of a High School Degree

What is the downside of dropping out?

  • The Value of a High School Degree

What is the value of a college degree?

  • The Value of a College Degree

What is the difference between a job and a career?

  • The Value of Careers

What is a self-evaluation? What are personal skills and personal qualities?

  • The Value of Careers

What is financial stability?

  • The Value of Financial Stability

How many years of each high school subject are required for someone to graduate from high school?

  • High School Requirements

How many years of each high school subject are required for college admission?

  • High School Requirements

What is a GPA? A cumulative GPA?

  • High School Requirements

What kind of information is on a high school transcript?

  • High School Transcripts

What are AP, IB, dual enrollment, and honors courses? What makes them different from one another?

  • High School Rigorous Coursework

What activities are considered extracurricular?

  • You Can Learn Just as Much After School

Can you list five study tips?

  • Study Tips

Can you list five memory strategies?

  • Study Tips

What is a mnemonic? List four types of mnemonics.

  • Study Tips

What are the five types of homework?

  • Smart Homework Habits

What dictates the principles of CONDUCT and PROFESSIONAL INTEGRITY that guide the decision making and behavior of nurse anesthetists?
AANA Code of Ethics

What document speaks to the anesthetist’s responsibilities as a professional, which holds the individual CRNA accountable for his/her own actions and judgments, regardless of institutional policy or physician orders?
AANA Code of Ethics

According to the AANA Code of Ethics, what two principles is the CRNA held individually accountable for?
The CRNA is individually accountable for his or her “conduct in maintaining the DIGNITY and INTEGRITY of the profession” and “does not knowingly engage in DECEPTION of any form”. – AANA Code of Ethics

A nurse anesthetist in middle management submits written complaints to a state board about several other nurse anesthetists that are FALSE and DEFAMATORY. Which AANA document could be applied to this situation?
Code of Ethics

What are systemically developed statements that assist providers in clinical decision making and are commonly accepted within the anesthesia community and “should” be adhered to?
Practice Guidelines

What are authoritative statements that describe minimum rules and responsibilities for which anesthetists are held accountable?
Practice Standards

What represents the expected behaviors that must be demonstrated in a professional practice nationwide?
Practice Standards

Practice __ MUST be adhered to.
Practice Standards

Practice __ SHOULD be adhered to.
Practice Guidelines

What expresses the AANA official positions or beliefs on practice-related topics; and may also define the knowledge, skills, and abilities considered necessary for a nurse anesthetist?
Position Statements

The use of unnecessary invasive preoperative testing is most likely to put the provider in violation of the principle of what?
Nonmaleficence

What asserts that a provider has an obligation not to inflict hurt or harm – in other words, “to do no harm” without distinction of intentional or unintentional harm?
Nonmaleficence

What are principles that govern human conduct as it relates to mortality, right and wrong, or good and evil?
Ethics

What comprises the set of moral principles, beliefs, and values that guide how choices are made in health care?
Health Care Ethics

What are 4 commonly accepted principles of Health Care Ethics?
Respect for Autonomy.
Nonmaleficence.
Beneficence.
Justice.

Which Principle of Health Care Ethics refers to the patient’s ability to choose without controlling interference by others, and without limitations that prevent meaningful choices?
Autonomy

Which Principle of Health Care Ethics might include failure of the provider to fully provide information that a reasonable person would want to know prior to making a decision during the informed consent process?
Autonomy

What does Respect for Autonomy mean?
Respect for Autonomy dictates that providers make every effort to remove barriers that may impede an informed decision.

Which Principle of Health Care Ethics asserts that a provider has an obligation NOT to inflict hurt or harm – “first do no harm” – with no distinction between intentional or unintentional harm?
Nonmaleficence

Which Principle of Health Care Ethics is often applied to the appropriate use of diagnostic testing with the inherent risk of false-positive or false-negative results?
Nonmaleficence

Requiring a pregnancy test in every female of child bearing age is not justified by evidence-based research, and violates patient autonomy in the absence of consent. What Principle of Health Care Ethics is this violating?
Nonmaleficence

Some diagnostic testing has inherent medical risks (e.g., coronary artery perforation during angiography), along with carrying a significant financial cost. The use of unnecessary preoperative testing can put the provider in violation of which Principle of Health Care Ethics?
Nonmaleficence

Which Principle of Health Care Ethics says providers should take action for the benefit of others, including both preventing harm and actively helping their patients?
Beneficence

Which Principle of Health Care Ethics is the fundamental guiding principle of evidence-based interventions? (The benefits of the treatment should be demonstrable and must clearly outweigh the risks).
Beneficence

Which Principle of Health Care Ethics says that people under similar circumstances and conditions should be treated alike?
Justice

What is another name for people under similar circumstances and conditions being treated alike?
Justice, or Distributive Justice.

Which Principle of Health Care Ethics says that patients, despite differences in sex, age, race, ethnicity, education, sexual orientation, disability, geographic location, or socioeconomic status, should be treated fairly and equitably?
Justice

Which Principle of Health Care Ethics is violated when a provider is informed that “the next patient is the CEO of Richman Hospital System,” implying that this information will engender a higher quality of delivered care?
Justice

Which Principle of Health Care Ethics requires that all patients have the same moral claim to evidence-based quality health care?
Justice

The principles of which 3 Principles of Health Care Ethics support the position that medical mistakes must be disclosed to the patient?
Respect for Autonomy.
Nonmaleficence.
Beneficence.

What conversations include a discussion of risks and benefits of each type of appropriate anesthetic and takes into account patient preferences, questions, and fears?
Informed Consent

What are the 6 elements of Informed Consent?

  1. Competence – the patient has the legal authority to consent.
  2. Decision-Making Capacity – the patient has the ability to decide about specific anesthesia care.
  3. Disclosure of Information – the patient is informed AT A MINIMUM of (4 things).
  4. Understanding of Disclosed Information – the patient must demonstrate understanding.
  5. Voluntary Consent – the patient consents in the absence of coercion or duress.
  6. Documentation – the medical record must contain documentation of the patient’s informed consent.

Which one of the 6 elements of Informed Consent may be altered by the use of preoperative medications?
Decision-Making Capacity

What should the provider do if Decision-Making Capacity of the patient is altered by the use of preoperative medications before obtaining Informed Consent?
The provider may need to arrange legal, ethical, or psychiatric consult to determine capacity.

Which element of Informed Consent explains when someone else must be delegated as the legal decision maker for an incapacitated patient in accordance with state law and institutional policy?
Decision-Making Capacity

Which element of Informed Consent states:
“The patient is informed AT A MINIMUM of the:
Nature and purpose of proposed anesthesia technique.
Risks, benefits, and side effects of proposed techniques.
Alternatives and their risks, benefits, and side effects.
Risks of not receiving anesthesia care. “
Disclosure of Information

What really needs to be disclosed during informed consent?
What any REASONABLE PERSON would want to know. What any REASONABLE PRACTITIONER would disclose. All common risks should be disclosed and rare risks should be disclosed if they would result in severe morbidity and mortality.

What is it considered if you try to talk the patient into your preferred anesthetic plan if they do not select it?
Coercion

Who is the competent party to consent for patients under 18 years of age?
Parents or Legal Guardians

Should minor children be included in the informed consent processes? What is this termed?
Yes. Unless developmentally inappropriate, minor children should be included in the informed consent discussion and their agreement should be sought. This is termed “ASSENT” and should be documented.

In an emergency, when immediate treatment is required and the patient is unconscious or unable to consent, what permits healthcare providers to provide lifesaving care?
Implied Consent.

The emergency status must be documented in the medical record and informed consent should be sought from legal decision makers, or close family members, as soon as possible.

“It is easier to justify agreeing to unusual preferences of a well-informed patient than to subject a poorly-informed patient to unorthodox care” is an example of what?
Informed Refusal

The refusal of blood or blood products by a Jehovah’s Witness is an example of what?
Informed Refusal

When a recommended therapy is refused, it places an even higher burden on the health care provider to disclose the risks and benefits of both the recommended and any alternatives to care. This is referring to what?
Informed Refusal

Who are 4 persons that require special assistance?
Limited English Proficiency.
Cognitive Impairment.
Hearing Impairment.
Visual Impairment.

What should a healthcare provider do while obtaining informed consent for a patient with limited English proficiency?
Use, and document the use of, competent language assistance services.
Allow family members to translate only in an emergency.

What should a healthcare provider do while obtaining informed consent for a patient with cognitive impairment?
Use a Mini-Mental State Exam (MMSE) to evaluate.
Designate a legal decision maker.

What should a healthcare provider do while obtaining informed consent for a patient with hearing impairment?
Ensure patient is wearing hearing aids.
Speak slowly and clearly in a quiet environment.
Use qualified ASL interpreter.

What should a healthcare provider do while obtaining informed consent for a patient with visual impairment?
Present material verbally.
Use large font size or Braille translation.

What does an anesthesia provider need to obtain informed consent for epidural placement in a parturient who just received 50mg of Meperidine?
Determine that the patient has sufficient capacity.

When should informed consent discussions optimally occur in an OB patient?
Prior to the onset of labor.

What should the patient be told if regional analgesia is delayed due to an emergency?
Alternative pain management will be available until the anesthesia provider can tend to the patient.

Patient receiving regional anesthesia should be informed about, and consented for, what?
General Anesthesia – should it become necessary.

What should happen when a minor is receiving OB services?
State law and facility policies should be consulted.

What may occur if a parturient refuses emergency care as a result of fetal distress?
Maternal-Fetal Conflict

What is Maternal-Fetal Conflict?
The provider’s respect for maternal autonomy may oppose the principle of beneficence in promoting the well-being of the mother and fetus. The provider should keep communication open and non-coercive whilst procuring an ethics consultation, referencing hospital policy, and reviewing state law.

A terminal cancer patient with a DNR order presents for a port-a-cath placement. Which Standard of Nurse Anesthesia Practice has the most immediate relevance to the anesthetist’s preoperative activities?
Standard II on informed consent by a qualified professional

What is the name of a legally binding document that delineates the patients’ wishes regarding healthcare interventions in the case of incapacity and/or delegates the authority to make healthcare decisions to another party?
Advanced Directive

What often includes specific provisions that modify aspects of anesthesia management including intubation, use of antibiotics, blood transfusion, and/or the use of CPR and advanced life support measures?
Advanced Directive

Should Advanced Directives be reconsidered before anesthesia is administered?
Yes. Because many of the measures in an advanced directive, when used in conjunction with a procedure/surgery, are temporary, it is recommended that advanced directives be reconsidered before anesthesia is administered.

Reconsideration of advanced directives may lead to what 3 different outcomes?
Full Suspension: All provisions of advanced directive are suspended during anesthesia or the procedure, for a specified time period.

Partial Suspension or Modification: Specific provisions are suspended or modified during anesthesia or the procedure, for a specified time period.

No Suspension: All provisions of advanced directive are followed during anesthesia or the procedure.

What are the 3 Standards published by the AANA?

  1. Nurse Anesthesia Practice
  2. Postanesthesia Care
  3. Office Based Anesthesia Practice

In general, criminal charges seek , while civil charges seek redress of wrongs by or _.
Criminal Charges = Punishment.
Civil Charges = Redress by Compensation or Restitution.

3 branches of Tort Law (a type of Civil Law)

  1. Intentional
  2. Strict Liability
  3. Negligence

What term refers to any sort of professional misconduct?
Malpractice

Malpractice is most frequently used in the setting of professional __, which is a subset of Tort Law.
Negligence

In a negligence or malpractice claim, the patient (plaintiff) must prove 4 separate things:

  1. Duty
  2. Breach of Duty
  3. Causation
  4. Damages

What is affirmed when the anesthesia provider establishes a relationship with the patient during the preoperative assessment and informed consent process, and agrees to provide anesthesia care to the patient?
Duty to the patient

What duty is owed to the patient?
To adhere to the standard of care necessary for the treatment plan.

What occurs when expert witnesses review the medical record and determine that the standard of care was not adhered to?
Breach of duty

What occurs as a result of doing something that should not have been done, or by failing to do something that should have been done (error of omission)?
Breach of duty

If the odds are greater than __% that the breach of duty led to the injury, then proximate cause is established.
50%

What are two tests used to determine causation?

  1. But for or cause-in-fact: if the injury would not have occurred but for the actions of the provider, proximate cause is established.
  2. Substantial factor: if the act of the provider was a substantial factor in the injury despite other causes, proximate cause is established.

What is the term for: if the injury would not have occurred but for the actions of the provider?
But for or Cause-in-fact

What is the term for: if the act of the provider was a substantial factor in the injury despite other causes?
Substantial factor

What is the name for “the thing speaks for itself”?
Res ipsa loquitur

What can shift the burden of proof from the plaintiff to the defendant?
Res ipsa loquitur (“the thing speaks for itself”)

Res ipsa loquitur (“the thing speaks for itself”) can occur if what 4 conditions can be established?

  1. If the injury would not have occurred in the absence of negligence.
  2. The injury was caused by something under the complete control of the defendant (provider).
  3. The patient did not contribute in any way to the injury.
  4. The evidence for the explanation of events is solely under the control of the provider.

What describes this example? Cases involving a foreign object such as a sponge or a clamp inadvertently left in a surgical patient.
Res ipsa loquitur (“the thing speaks for itself”)

What describes this example? A nerve injury sustained during the course of surgery to an area remote from the surgical site?
Res ipsa loquitur. A nerve injury sustained during the course of surgery to an area remote from the surgical site is the SECOND most common situation where a res ipsa charge request is usually granted.

What are two concepts detailing false statements that result in defamation of character?
Slander & Libel

What is defamation in the verbal form?
Slander

What is the term for a CRNA who knowingly SAYS a false thing about a patient that results in defamation of the patient’s character?
Slander

What is the term for telling the OR staff that a patient is “crazy,” when in fact the patient doesn’t have the DSM diagnosis of being “crazy.” In this example, the CRNA knowingly made a false statement that defames the patient’s character.
Slander

What is defamation in the written form?
Libel

What is the term for a CRNA who knowingly WRITES a false statement in the patient’s chart that results in defamation of the patient’s character?
Libel

What is the term for this example? After getting into an argument with a patient, a CRNA writes that the patient is “crazy” in the patient’s chart. This is a false statement, and defames the character of the patient.
Libel

What is the term for this example? If a CRNA intentionally writes a false statement in the patient’s chart (like charting an antibiotic that was never administered), then the CRNA has committed what?
Medical Malpractice (not libel)

Discussing patient information in a public location (such as a hospital elevator or cafeteria) is considered a violation of what?
Health Insurance Portability and Accountability Act (HIPAA)

You are 4 hours into a complex case and are relieved by another anesthesia provider. You are late to an appointment and give only a cursory report that results in a missed repeat antibiotic dose. The patient ultimately develops sepsis intraoperatively that results in an unexpected 3-day ICU stay. Which two causes of action against you might apply to this scenario? (select 2)

-Vicarious liability for relieving anesthetist.
-Abandonment.
-Loss of chance of survival.
-Malpractice violation of Standard VII.
Abandonment: the transfer of care, although to a qualified provider, was incomplete in not addressing the requirement for a repeat dose of antibiotic.
Malpractice violation of Standard VII: relates to the accurate reporting of patient’s condition “including all essential information” when transferring responsibility of care.

What are torts?
Civil wrongdoings

What are two examples of tort?
Battery & Assault

What is the physical act of touching another person without either expressed or implied consent?
Battery

What is making a person feel or perceive that battery is imminent?
Assault

What is the term for a key idea that the victim is made to “feel” a certain way in response to your actions?
Assault

Can assault occur in unconscious patients?
No. They are unaware of their environment.

What is the term for this example? If you place an epidural in a laboring patient without her consent.
Battery

What is the term for this example? If you’re preparing to place an epidural in a laboring patient and she feels that you’re going to place it without her consent.
Assault

What is the term for this example? A CRNA who administers a general anesthetic to a patient who has only consented for local by the surgeon (assuming no prior consent for the GA was given)?
Battery

Does harm need to be proven when battery or assault charges are brought upon a provider?
No.

What is a deadline before which a patient must file a lawsuit? For example: if a patient is a victim of a tort and the timeline is 3 years for this offense, then the patient can no longer sue after 3 years.
Statute of Limitations

As a general rule, the statute of limitations for a minor doesn’t begin until when?

For instance, if the statute of limitations for an offense is 3 years, then a minor will be able to file a lawsuit up to the age of 21 (18 + 3 years).

What is committed when a provider fails to provide information material to a reasonable person?
Lack of Informed Consent

What is the term for lack of providing continuity of care once duty to a patient is established?
Abandonment

What is the term for when a patient must show that recovery or survival was likely but for the actions of the anesthetist?
Loss of Chance of Recovery or Survival

What is the term for a death that occurs earlier than it would otherwise?
Wrongful Death. If death is caused by negligence, survivors may sue.

What is the term for when one person (or entity) may be liable for the actions of another person?
Vicarious Liability

What is often used interchangeably with Vicarious Liability?
Respondeat superior (let the master answer)

What is the term for these examples? A hospital may be held liable for actions of an RN. A physician may be held liable for the actions of his or her PA. Typically DOES NOT apply to CRNAs working under a physician.
Vicarious Liability/Respondeat superior

Damages in medical malpractice cases are generally formulated around what?
Actual losses that the patient suffers or incurs.

What damages are meant to punish the provider for engaging in either intentional harm or particularly reckless behavior, and are very rare?
Punitive damages

Sometimes particularly egregious actions are prosecuted under what law?
Criminal Law

What damages directly result from an injury (e.g. pain and suffering, emotional distress; non-economic in nature)?
General Damages

What damages result from an injury (e.g. medical expenses, lost income, property damage; clearly quantifiable)?
Special Damages

What damages are rare and are a punishment for reckless or malicious behavior?
Punitive Damages

Which federal law requires citizens to give the government an individual shared responsibility payment?
Affordable Care Act

What is the ACA?
Affordable Care Act. “ObamaCare” based on “RomneyCare”

What does the Affordable Care Act (ACA) mandate?
All individuals carry health insurance

Who/What established standard and requirements for health insurance policies, and launched health care clearinghouses or exchanges to assist people in finding medical insurance?
The Affordable Care Act (ACA)

According to the ACA, are insurers permitted to charge more for pre-existing conditions?
No, no longer.

According to the ACA, adult children up to the age of _ can remain on their parents’ plan, even if married, financially independent, and/or not in college.
26

According to the ACA, Failure to provide proof of health insurance coverage will trigger a fee called what?
Individual Shared Responsibility Payment.

Fee payment is made as part of filing a federal tax return; if unpaid, it will be deducted from any future tax refunds.

Give examples of some preventive services that do not require a co-pay under the Affordable Care Act (ACA).
-Blood pressure, diabetes, and cholesterol tests.
-Cancer screening, including mammography and colonoscopy.
-Counseling on topics like smoking cessation, weight loss, healthy eating, treating depression and alcohol use reduction.
-Regular well-baby and well-child visits from birth to age 21.
-Routine vaccinations (measles, mumps, rubella, etc.)
-Counseling, screening, and vaccines to ensure healthy pregnancies.
-Influenza and pneumonia shots.

Who/What established an institute for comparative effectiveness research and authorized funding for research in pain management?
The Affordable Care Act (ACA)

What does EMTALA stand for?
Emergency in Medical Treatment and Active Labor Act

What ensures public access to emergency services regardless of their ability to pay? What is another name for this Act?
Emergency in Medical Treatment and Active Labor Act (EMTALA), also known as “Anti-Patient Dumping Act”

What Act imposes specific obligations on Medicare-participating hospitals that offer emergency services to provide a medical screening examination when a request is made for examination or treatment for an emergency medical condition (EMC) regardless of the individual’s ability to pay?
Emergency in Medical Treatment and Active Labor Act / “Anti-Patient Dumping Act”

May the patient be told to go elsewhere if a hospital is unable to stabilize a patient within its capability, or if the patient requests transfer?
No. If a hospital is unable to stabilize a patient within its capability, or if the patient requests, an appropriate transfer should be implemented. The patient may not simply be told to go elsewhere.

Would EMTALA apply to a missed diagnosis or negligence in the emergency room as long as the patient was triaged in a timely fashion and the diagnosed condition was non-urgent?
No. EMTALA does not apply in this situation.

Who is a lawsuit based on EMTALA filed against?
The hospital; NOT the healthcare provider.

In the case of a missed diagnosis, the remedy must be pursued as _ in a state court.
malpractice

What is the federal law that prohibits the disclosure of individually identifiable health information (AKA personal health information, PHI)?
Health Insurance Portability and Accountability Act.

PHI includes past and present health conditions, treatments, and payments for health care.

How can disclosure of PHI occur?
Orally, written, or electronically.

What can occur merely by positioning computer screens that contain PHI in a manner that can be viewed by the public or an uninvolved provider? Violations can include texting, social media, mishandling of records, illegal access of patient files, or breaches that arise from social situations. What does this violate?
Inadvertent disclosure of PHI. Violates HIPAA.

What regulations apply to both individual providers and health care entities such as health plans, hospitals, offices and clinics, and insurers?
HIPAA regulations

Who defines what is a controlled substance, and what level of restriction various controlled substances are subject to?
The Federal Government

What is a drug that currently has no accepted medical use with a high potential for abuse? Give examples.
Schedule I drug:

Hallucinogens (LSD, peyote, mescaline, heroin, etorphine).
Marijuana.
MDMA, Ecstasy.

What is a drug that has a high potential for abuse potentially leading to dependence? Give examples.
Schedule II drug:

Barbiturates (secobarbital, pentobarbital).
Cocaine, methamphetamine, methylphenidate.
Methadone.
Hydromorphone, meperidine, fentanyl, morphine, opium, oxycodone, hydrocodone.
Phencyclidine.

What is a drug with moderate to low potential for abuse and dependence? Give examples.
Schedule III drug:

Tylenol with codeine, buprenorphine.
Ketamine.
Anabolic steroids, testosterone.

What is a drug with low potential for abuse and dependence? Give examples.
Schedule IV drug:

Alprazolam (Xanax), valium, lorazepam (Ativan), zolpidem (Ambien).
Darvon, Darvocet, Talwin, Tramadol.
Chloral hydrate.
Phenobarbital.

What is a drug that has a lower potential for abuse than schedule IV; or contain limited quantities of certain narcotics? Give examples.
Schedule V drug:

Robitussin AC (cough suppressant with codeine).
Diphenoxylate hydrochloride and atropine sulfate (Lomotil).
Pregabalin (Lyrica).

What does HITECH stand for?
Health Information Technology for Economic and Clinical Health Act

What act was intended to create a healthcare information technology infrastructure in order to improve care quality and coordination between providers (i.e. to promote the “meaningful use” of such information)?
Health Information Technology for Economic and Clinical Health Act (HITECH)

What act is essentially an amendment to HIPAA and applies to the same covered entities including providers, health plans, and healthcare clearinghouses?
Health Information Technology for Economic and Clinical Health Act (HITECH)

What act precipitated a massive expansion in the exchange of electronic PHI and widened the scope of privacy and security protections available under HIPAA?
Health Information Technology for Economic and Clinical Health Act (HITECH)

What act increases the potential legal liability for non-compliance and provides for more enforcement, including mandatory penalties for “willful neglect”?
Health Information Technology for Economic and Clinical Health Act (HITECH)

What is often defined as the storage and/or exposure of unencrypted PHI? – encryption is the key.
Willful neglect

What act requires patient and/or government notification about data breaches, including unauthorized use or access of data, and breach of unsecured (unencrypted) PHI, and also limited the amount a patient can be charged for copies of their PHI, although state laws often dictate fees?
Health Information Technology for Economic and Clinical Health Act (HITECH)

Under what act is significant taxpayer dollars spent in the form of incentive funding that directly targets provider adoption of an electronic health record system?
Health Information Technology for Economic and Clinical Health Act (HITECH)

What does ERISA stand for?
Employment Retirement Income Security Act

What act sets minimum standards for private employee benefit plans, including the health care benefits offered, and provides protection for persons in these plans?
Employment Retirement Income Security Act (ERISA)

What act was written to ensure that the funds placed in retirement plans will be there when the individual employee retires?
Employment Retirement Income Security Act (ERISA)

When a patient experiences a serious anesthetic complication, what information is most appropriate to offer to the patient’s relatives?
Describe the facts of the event while also expressing regret to reinforce the relationship of trust.

What approach to adverse events reduces claims, settlement amounts, and defense costs?
“Disclosure, apology, and offer” approach versus “Deny and defend” approach.

During adverse outcomes, what do you have the responsibility to do?
Communicate with the patient’s family about what happened to their loved one.

When should you begin preparing a post-critical incident report followed by talking to the family?
Only after the patient’s care has been transferred to other qualified providers, or she/he has been pronounced, should you begin preparing a post-critical incident report followed by talking to the family.

How is a critical incident report best recorded?
In narrative form

Typically, in an emergency, the only EHR data that are accurate and timely is what?
The automatically downloaded vital signs

When filing a critical incident report: First, and before talking with the patient’s family, the provider should extensively document the events that occurred including what 4 things?

  1. What happened.
  2. What drugs and doses were given, and when they were given.
  3. The time sequence of events.
  4. Who was present (all parties, not just anesthesia)

If the diagnosis was not obvious, then document the differential diagnoses that guided your therapeutic choices. Do not document speculation. Avoid documentation that is inconsistent with other sources.

Should you apologize for a critical incident?
Where apology laws exist, they usually protect sympathetic statements but not explanations. “I am sorry that this happened” is preferred over “I am sorry I made a mistake.” Follow the patient’s hospital course carefully with daily assessments and notes, along with continued contact after discharge. This strengthens your professional relationship with the family and patient.

“Proof” in a juried malpractice case must include which components?
Evidence of duty, breach, cause, and harm.
More likely than not that negligence occurred.

What is the defendant’s initial response for responding to a lawsuit?

  1. Notify insurance carrier IMMEDIATELY.
  2. Do NOT discuss the case – not even with other providers who were involved.
  3. Do not alter any records.
  4. Gather all records of the case (EHR, case notes, critical incident reports, billings, any correspondence about the case).
  5. Make notes regarding all aspects of the case (if you wrote a detailed case note/incident report immediately after the event as recommended, you will have much of this already).
  6. Cooperate with your insurer’s attorney.

What is the next step after your initial response to a lawsuit?
Work with your attorney to write an initial response to the summons.

What happens after working with your attorney to write an initial response to the summons during a lawsuit?
Discovery; gathering of facts and clarification of issues that will be brought to trial.

What is a written interrogatory during a lawsuit?
Request for factual information and exchange of documents

What is a deposition during a lawsuit?
Plaintiff and defense attorneys will question you. This testimony is:
-under oath
-transcribed
-may be used as evidence in court

Are conversations with your attorney, spouse, personal doctor or therapist, and clergy admissible during deposition?
No.

Are conversations with friends or peers admissible during deposition?
Yes.

During what should you keep your guard up? Do not speculate, Answer only what is asked, Ask for clarification if question is unclear.
Deposition

What are two outcomes of deposition during a lawsuit?
Settlement or Trial

After discovery, even if you did nothing wrong, your insurer may elect to settle the case based on what?
Financial decision, despite the intense emotional trauma that it will cause you. Generally, the insurer will only take the risk of going to trial when the damages are very high and the defense case is exceptionally strong.

What are the causes of anesthesia-related lawsuits from most common to least common (8)?

  1. Death
  2. Nerve Damage
  3. Permanent Brain Damage
  4. Emotional Distress
  5. Eye Injury
  6. Myocardial Infarction
  7. Stroke
  8. Awareness

4 risks associated with increased odds of dying within 7 days of an anesthetic:

  1. ASA 3 or 4 vs 1 or 2
  2. Emergency vs elective surgery
  3. Major vs minor surgery
  4. Patient age (80 yrs vs <60yrs)

Among the 40% of claims made for death or permanent brain injury, the majority are due to what?
Airway management issues.

What are the top 3 airway issues in closed claims that lead to death or permanent brain injury?

  1. Inadequate ventilation (hypoxia, hypercarbia, or both).
  2. Esophageal intubation (unrecognized).
  3. Difficult intubation.

What is the most common nerve damage claim?
Ulnar nerve damage (often despite appropriate positioning) and injuries associated with peripheral nerve blocks.

Almost 2/3 of claims are made regarding what type of anesthesia?
Surgical anesthesia

Almost 2/3 (65%) of claims are made regarding ___ anesthesia, with ___ procedures making up 18%, ___ procedures 8%, and ___ claims 9%.
Surgical anesthesia – 65%
Chronic pain procedures – 18%
Acute pain procedures – 8%
Obstetrical claims – 9%

Of note, claims made against providers of chronic pain are increasing, with almost 27% associated with ___ and 17% associated with ___. ___ are associated with another 16% of these claims.
Cervical Spine Injections – 27%
Medication Management – 17%
Implanted Devices – 16%

A 13 year old Jehovah’s Witness with a Cobb angle of 50 degrees presents for an elective spinal fusion. The parents are adamant that they do NOT want the child transfused. What is the best approach for discussing the possible need for intraoperative transfusion?
Delay surgery until the child is mature enough to join in the decision-making process. In elective cases, it is appropriate to wait for the pediatric patient to reach a sufficient age and maturity, and then allow them to participate in the decision-making process.

The ethical basis for care of pediatric patients comes down to what two major points?

  1. Who has the legal decision-making capacity – parent or pediatric patient?
  2. What is in the best interest of the pediatric patient?

At what age does a patient have legal decision-making capacity?
18, unless deemed incapable.

Should pediatric patients ASSENT to their own care?
Yes. Older pediatric patients should assent to their own care. That is, developmentally able patients should be given the opportunity to participate in the health care decision-making process and agree to the final decision (informed ASSENT).

What is the term for patients younger than 18 years of age who are legally given the rights of an adult by a state court?
Emancipated Minor

Criteria for emancipating a minor may include the fact that they are what (4)?

  1. Married.
  2. A parent, or is currently pregnant.
  3. In the military.
  4. Economically independent.

What is the term for those who are at least 14 years old and considered to be legally and ethically capable of giving informed consent, under specific circumstances granted by a court?
Mature minors. Typically, mature minors are only permitted to make low-risk decisions.

Do pregnant minors need parental consent to have an abortion?
Pregnant minors may need parental consent to have an abortion unless judicial bypass is sought and obtained. State laws on elective termination are complicated and vary from state to state. As such, careful consultation with facility counsel is a prudent choice when faced with a pregnant minor.

What principle says the government serves as the legal protector of citizens unable to protect themselves?
The principle of parens patriae (“father of the country”)

What principle allows the state to intervene in the event of a child abuse and/or parental negligence?
The principle of parens patriae (“father of the country”)

In the context of healthcare, what principle means that parents may be barred from decision-making that dictates grossly inappropriate overtreatment or undertreatment of a child?
The principle of parens patriae (“father of the country”)

The determination of whether to intervene under what principle is based on how harmful the parental decision may be to the patient?
The principle of parens patriae (“father of the country”)

How should you deal with children of Jehovah’s Witnesses for surgery?
Families should be informed that despite all reasonable efforts to eliminate the need for transfusion, if an emergency occurs, a court order for transfusion will be sought. When the likelihood of transfusion is high, a court order should be sought prior to surgery. In a life-threatening crisis, emergency transfusion should be given prior to obtaining a court order. As these children approach maturity, they should be involved in the decision-making regarding the use of blood and blood products.

Which culture targets individuals for mistakes? Which culture deals with how individuals, groups, and systems interact to conduct their work?
Culture of blame. Culture of safety.

What are 3 elements of the culture of safety?
Values, Beliefs, and Norms.

What are these examples of?
-Low ranking personnel raise safety issues regardless of hierarchy or rank.
-Calling for help is encouraged and occurs frequently, even by experienced staff.
-Explicit communication is frequent.
-The hierarchy is flat: senior and junior members both listen to each other.
-Staff are rewarded for erring on the side of caution, even if their credible concerns turn out to be wrong.
Accepted norms in a culture of safety.

What is the first aim of quality defined by the Institute of Medicine’s report Crossing the Quality Chasm in 2011?
Safety is the first aim of quality.

What describes the basic premise that no patient (or health care worker) should be harmed by the health care system at any time?
Health Care Quality

What two ways are medical errors generally categorized as?

  1. Failure of an action to occur as planned.
  2. Having or acting on the wrong plan altogether.

What type of medical error is this? Administering the wrong drug due to a syringe swap or mislabeled syringe.
Failure of an action to occur as planned

What type of medical error is this? Administering a drug that is absolutely contraindicated, or placing a central neuraxial block in an anticoagulated patient?
Having or acting on the wrong plan altogether

What are the majority of errors in medicine due to?
Human Error

What is typically designed for analysis when performance falls below acceptable levels; at this point, providers and/or systems data are reviewed?
A Quality Assurance (QA) Program

These programs identify opportunities for improvement. They recognize that errors will occur, and focus on the processes involved in both successes and failures. These data are analyzed and used to improve the process of care itself, not to sanction or penalize individual providers. This process has the key attribute recommended by the 1991 Institute of Medicine Report To Err Is Human: the implementation of a non-punitive system for reporting and analyzing errors.
Continuous Quality Improvement (CQI) Programs

What term describes a change in health status after delivery of care?
Outcome

What term describes planning and coordination of care activities?
Process

What term describes setting in which care is provided?
Structure

What are some reasons for reluctance to disclose errors?
-Personal shame.
-Fear of loss of prestige among their peers.
-Fear of direct reprisal.
-Lack of experience disclosing uncomfortable information.
-Fear of causing further harm (emotional/psychological).
-Fear of litigation.

What implies that physicians have no duty to disclose medical errors that do no harm (near misses)?
The AMA Code of Ethics

A patient who has been consented to risks should be afforded full disclosure should the risk become a reality.
Informed Consent

Which skill is central to and most essential for effective Crisis Resource Management?
Communication

In an anesthetic crisis, effective response and management is dependent upon what?
Non-technical skills

What uses a simple model in which effective communication is the “glue” that holds all the other components together?
Crisis Resource Management (CRM)

What training is detailed and extensive, and is often accompanied with high fidelity simulation training?
Crisis Resource Management (CRM) training.

What type of error occurs when there is a failure to revise a diagnostic approach or plan in the face of plentiful evidence that it is wrong?
Fixation Error

What type of error is made? “Everything is OK” in which all relevant signs are dismissed as artifact or are just missed or dismissed?
Fixation Error

What proportion of anesthesia mishaps are estimated to occur as a result of human error?
70%

What has been implicated in many catastrophic accidents, and are likely contributory to iatrogenic adverse patient outcomes?
Fatigue and Sleep Deprivation

A typical adult needs how many hours of sleep daily?
7-9 hours

How is fatigue characterized?
-Diminished reaction time.
-Impaired decision-making.
-Decreased situational awareness.
-Impaired concentration or memory.
-Periods of microsleep

Research has shown that 24 hours of wakefulness is equivalent to a blood alcohol content of __%.
0.1% (legal impairment for driving is blood alcohol of 0.08%)

The most common reports of sleeping or sleep-related behavior during an anesthetic occur when working:
-16 or more continuous hours.
-During the night shift.

The most effective method of maintaining vigilance during an anesthesia workday is to:
Get a consistent 8 hours of sleep each night.

How can anesthesia providers mitigate fatigue?
-Napping
-Caffeine
-Exercise
-Consistent Sleep-Wake Pattern
-Medications (modafinil)
-Recovery between shifts

What is the annual OSHA limit for workplace exposure to ionizing radiation in a 38-year-old provider? What is the lifetime limit for this provider?
5 rem annually.

Lifetime limit of (age-18) x 5

In this provider, the lifetime limit will be reached at 100 rem

What are effects of anesthetic waste gases?
Studies are equivocal on the effects of waste anesthetic gases on reproduction or cellular toxicity in an OR with appropriate and effective scavenging systems. Repeated exposure to methyl methacrylate can cause skin or eye irritation, allergic reactions, neurologic signs, or organ toxicity, although typical levels in a well-scavenged OR are well below recommended limits.

What types of allergic reactions may anesthesia providers develop?
Allergic reactions to volatile agents, muscle relaxants, or latex. The majority of reactions are contact dermatitis, but atopic individuals may experience bronchospasm, urticaria, or delayed or immediate hypersensitivity immune reactions.

What out of OR anesthesia suite is not associated with radiation exposure?
MRI fields. There are no published regulations limiting occupational exposure to MRI fields. Lower frequency EMG fields from MRI can cause transient symptoms of nausea, dizziness, vertigo, and light flashes.

Voices and auditory alarms must be ___dB above background noise to be heard.
20dB.

Average OR noise levels are ___dB.
77dB.

Music can reach levels up to ___dB.
105dB.

What is the OSHA limit for an 8-hour span?
8 hour span: 90dB.

Single noise levels should not exceed ___dB.
115dB.

Anesthetized patients who are receiving _ drugs need especially careful noise management, as excessive noise potentiates hearing loss in these patients.
ototoxic drugs

One of the most significant acute stressors for an anesthesia provider is being involved in a case with a bad outcome (death or significant morbidity). Current thinking conceptualizes the provider as the “_ victim” and the provider’s subsequent patients as possible “_ victims.” Immediate relief from patient care responsibilities, peer support and professional support services are among the recommended interventions when such a critical event occurs.
Second Victim

Third Victims

What is an incurable disease of the brain? Short-term and lifetime recovery is possible and is the goal of treatment efforts.
Substance use disorder

What percentage of all providers misuse drugs or alcohol at some point in their careers? Adult addiction rates in the general public average what percent?
10-15%

8-10%

What is the best department-level intervention in preventing substance abuse?
Following strict controlled substance policies

What term describes recurrent use of substances that leads to clinical and functional impairment (a disease of the brain)?
Substance use disorder

What term describes a need (psychological or compulsive) for a substance? There is often loss of self-control, where the user continues using a drug despite the desire to stop drug use. This represents a severe stage of chronic substance abuse disorder.
Addiction

What is the term for the inability to safely participate in life (or professional) activities?
Impairment

What is the term for markedly diminished effects of the same drug amount?
Tolerance

What is the term for physical and emotional responses to very low drug levels? A characteristic syndrome that is the direct result of stopping or reducing the use of a drug.
Withdrawal

To whom do nurses have a duty to report other licensed nurses if impairment due to alcohol or illicit drug use is suspected?
Their respective nursing board.

What are some typical behaviors of an impaired provider?
-Frequent or unexplained tardiness, absences, or illness often with elaborate excuses.
-Poor performance with errors, accidents or injuries that are inadequately explained.
-Confusion, memory loss, difficulty concentrating or recalling details.
-Severe mood swings, changes in personality.
-Visibly intoxicated.
-Refuses drug testing.
-Track marks, bloodshot eyes, significant weight loss or gain.

Detailed guidelines for gathering evidence on a suspected impaired provider, assembling an intervention team, and conducting an intervention are available through what?
The AANA Peer Assistance Helpline.

Key points for intervention for impaired coworker:
-Do not let the person out of your sight and do not let them drive.
-Have a bed in a treatment facility available.
-Do not let the impaired person decide their treatment. (They are sick, and an intervention can make them suicidal).
-Only when all else fails, threaten to call the police.

When can a drug abuser safely return to work?
Safe return to work is determined on an individual basis; not all providers will be able to return to practice safely. Readiness for re-entry is a collaborative decision of the monitoring program, a certified drug and alcohol counselor, and the employer.

How long in recovery is recommended prior to returning to anesthesia practice?
One full year in recovery

Due to the high risk of relapse, abstinence-based recovery and refraining from substitute treatments is recommended. Of the ten criteria that should be met prior to considering re-entry into the workplace, the most salient point is what?
Participation in a monitoring program at least 5 years in length with random drug testing.

What is the “Triple Aim”?
A conceptual approach to improving the US health care system “aiming” at three primary areas: care, health, and cost.

The Institute of Medicine (IOM) describes what 6 domains of high-quality health care?

  1. Patient-Centered
  2. Safe
  3. Effective
  4. Timely
  5. Efficient
  6. Equitable

What is care that is “respectful of, and responsive to, individual patient preferences, needs and values, and ensuring that patient values guide all clinical decisions.” (IOM)?
Patient-Centered Care

Patient-Centered Care is based on what 4 concepts?

  1. Dignity and Respect
  2. Information Sharing
  3. Participation
  4. Collaboration

What is a strategy that reflects the attempts of providers to get the patient and family to participate in patient-centered care?
Patient Engagement

What is this an example of? The participation of the patient and family in planning an appropriate anesthetic.
Patient Engagement

Shared decision making is a method of what?
Patient Engagement

What extends into the realm of interprofessional practice when patient care is complex and requires the collaboration of multiple types of health care professionals?
Shared decision making

Cultural competence is one important aspect of what?
Patient-Centered Care

What is emphasized as a strategy to reduce health care disparities and improve equity?
Cultural Competence

What is the term for providing the same level of care and consideration to a homeless drug user that you would to the hospital’s CEO?
Cultural Competence

What requires the anesthesia provider to:
-Know and apply current standards of care,
-Offer and use evidence-based interventions,
-Have a keen awareness of their own biases and assumptions,
-Be sensitive to the presence of health disparities and discrimination?
Cultural Competence

When goals are to provide individualized care and create personal-professional relationships, this is an example of what?
Goals of patient-centered care

When goals are to increase health equity and reduce health disparities, this is an example of what?
Goals of cultural competence
