About Intrusion Prevention

Intrusion Prevention rules define a set of conditions that are compared to the payload session and application layers of network packets (such as DNS, HTTP, SSL, and SMTP), as well as the sequence of those packets according to those higher-layer protocols.

Firewall rules examine the network and transport layers of a packet (IP, TCP, and UDP, for example).

When agents scan network traffic and the traffic meets a rule's match conditions, the agent handles it as a possible or confirmed attack and performs one of the following actions, depending on the rule:

Intrusion Prevention rules are assigned to policies and computers. Therefore you can enforce sets of rules on groups of computers based on the policy that they use, and override policies as required. See Policies, inheritance, and overrides.

For information about how you can affect the functionality of rules, see Configure Intrusion Prevention rules.

Application types organize rules by the application that they are associated with. Application types can also store property values that rules can reference as required, such as protocols used for communications, and port numbers. Some application types have configurable properties. For example, the Database Microsoft SQL application type contains rules that are associated with Microsoft SQL Server. You can configure this application type to specify the ports used to connect to the database.

For more information, see Application Types.

Trend Micro creates Intrusion Prevention rules for application vulnerabilities as they are discovered. Security updates can include new or updated rules and application types. When a rule is already assigned to a policy, and an update includes rules upon which the assigned rule depends, you can choose to automatically assign the updated rules.

Intrusion Prevention rules from Trend Micro include information about the vulnerability against which it protects.

Intrusion Prevention rules from Trend Micro are not directly editable through the Workload Security console. However some rules are configurable, and some rules require configuration. See Setting configuration options (Trend Micro rules only).

You can use recommendation scans to discover the Intrusion Prevention rules that you should assign to your policies and computers. See Recommendation scans.

You need a Workload license to run recommendation scans.

Intrusion Prevention works in either Detect or Prevent mode:

When you first apply new Intrusion Prevention rules, use Detect mode to verify that they do not accidentally block normal traffic (false positives). When you are satisfied that no false positives occur, you can use Prevent mode to enforce the rules and block attacks. See Enable Intrusion Prevention in Detect mode and Switch to Prevent mode.

Similarly to using Intrusion Prevention in Detect mode, the Workload Security network engine can run in tap mode for testing purposes. In tap mode, Intrusion Prevention detects rule-matching traffic and generates events, but doesn't block traffic. Also, tap mode affects the Firewall and Web Reputation modules. You can use Detect mode to test Intrusion Prevention rules separately. You use tap mode with Intrusion Prevention in the same way that tap mode is used for testing Firewall rules. See Test Firewall rules before deploying them.

By selecting Detect mode for individual rules, you can selectively override Prevent mode behavior set at the computer or policy level. This is useful for testing new Intrusion Prevention rules that are applied to a policy or computer. For example, when a policy is configured such that Intrusion Prevention works in Prevent mode, you can bypass the Prevent mode behavior for an individual rule by setting that rule to Detect mode. For that rule only, Intrusion Prevention merely logs the traffic, and enforces other rules that do not override the policy's behavior mode. See Override the behavior mode for a rule.

While Prevent mode at the computer or policy level can be overridden by contradictory rule settings, Detect mode cannot. Selecting Detect mode at the computer or policy level enforces Detect mode behavior regardless of rule settings.

Some rules issued by Trend Micro use Detect mode by default. For example, mail client rules generally use Detect mode because in Prevent mode they block the downloading of all mail. Some rules trigger an alert only when a condition occurs a large number times, or a certain number of times within a certain period of time. These types of rules apply to traffic that constitutes suspicious behavior only when a condition recurs, and a single occurrence of the condition is considered normal.

By default, Workload Security collects Firewall and Intrusion Prevention event logs from the agents at every heartbeat. Once collected by Workload Security, event logs are kept for a period of time which can be configured. The default setting is one week. You can configure event logging for individual rules as required. See Configure event logging for rules.

Event tagging can help you to sort events. You can manually apply tags to events or automatically tag them. You can also use the auto-tagging feature to group and label multiple events. For more information on event tagging, see Apply tags to identify and group events.

The Intrusion Prevention module supports inspecting packets over secure connections. See Inspect TLS traffic.

Contexts are a powerful way of implementing different security policies depending on the computer's network environment. You typically use contexts to create policies that apply different Firewall and Intrusion Prevention rules to computers (usually mobile laptops) depending on whether that computer is in the office or away.

To determine a computer's location, contexts examine the nature of the computer's connection to its domain controller. For more information, see Define contexts for policies.

You can use interface types when you need to assign Firewall or Intrusion Prevention rules to a specific interface when a machine has multiple network interfaces. By default, Firewall and Intrusion Prevention rules are assigned to all interfaces on a computer. For example, to apply special rules only to the wireless network interface, use interface types to accomplish this. For more information, see Configure a policy for multiple interfaces.