When you add or edit a Threat Protection template from the Threat Protection screen, a new screen opens, where you can specify the settings for the template.
-
Configure the basic template information:
Item
Setting
Template name
Specify a unique name for the template.
Description
(Optional) Meaningful description to easily identify the Threat Protection template.
-
Configure the Web Reputation section:
Item
Setting
Enable
Click On or Off as necessary.
Security level
Select the security level to block. Each security level comes with a description to help you make an informed decision.
Trend Micro considers a URL a web threat if its reputation score falls within a defined threshold, and safe if its score exceeds the threshold.
TMWS has three security levels that determine whether it will allow or block access to a URL with a certain risk level. For details about the risk levels, see About Web Reputation.
-
High: Blocks pages that are:
-
Dangerous
-
Highly suspicious
-
Suspicious
-
Untested
-
-
Medium: Blocks pages that are:
-
Dangerous
-
Highly suspicious
-
-
Low: Blocks pages that are:
-
Dangerous
-
Warning:Selecting High increases the risk of false-positives.
-
-
In the Content Type Exceptions section, select or type
the types or names of files that you want to exclude from scanning.
Note:
Trend Micro recommends minimizing the list of MIME content-types to skip to reduce the risk of virus infection. Also, Trend Micro does not recommend skipping any MIME content-types when large file handling is enabled, because it is possible for a MIME content-type to be forged.
The supported true file types are as follows:
File Type
File Format
Documents
DOC/DOCX, ODT, PDF, PPT/PPTX, WPD, XLS/XLSX
Images
BMP, GIF, JPG, PNG, PSD, PSP, TIF
Executables
COM/DLL/EXE, LNK, MSI
Audio/Video
AIF, FLV, M4A, MID, MOV/MP4, MP3, RA/RM, SWF, WAV/AVI, WMV/ASF
Archives
GZ, RAR, SIT, TAR, ZIP
Others
CHM, EPS
-
Configure the File Scanning section:
Item
Setting
Allow and do not scan files larger than
Specify the size limit for file scanning. TMWS does not scan files that exceed the size limit.
The file size limit cannot be greater than 2 GB.
Do not scan files whose compression layers exceed
Specify the maximum number of compression layers for file scanning. TMWS does not scan files that have more compression layers than the limit.
The range is from 1 through 20, and the default value is 10.
Unscannable files
Click Allow or Block as necessary.
An unscannable file includes but is not limited to: its compression layers exceed the configured limit, it is compressed with an unsupported file format, it is password protected, or it is corrupted.
When these files are blocked, TMWS displays a notification on the user's browser.
-
Configure the Advanced Threat Scanning section:
Item
Setting
Botnet Detection
Click Block or Monitor to select an action upon detection of botnets.
-
Block: TMWS blocks the web traffic.
-
Monitor: TMWS allows the web traffic but logs it for botnet activities for monitoring and analysis.
Predictive Machine Learning
Click On or Off to enable or disable scanning to detect emerging unknown security risks. For more information, see About Predictive Machine Learning.
If enabled, TMWS first sends suspicious files to the cloud-based Predictive Machine Learning engine that uses advanced analytics to detect unknown threats, and blocks access to the files if any unknown threat is detected.
If a suspicious file is blocked, it will not be sent to the Cloud Virtual Analyzer for further analysis.
Note:In this version, TMWS uses Predictive Machine Learning to scan executable files only.
Cloud Virtual Analyzer
Click On or Off to enable or disable the Cloud Virtual Analyzer to detect suspicious objects. When enabled, after the threat protection template is used in at least one enabled cloud access rule, TMWS submits sample files based on the rule configurations to the Cloud Virtual Analyzer for further analysis. A list of suspicious objects, if any, will be returned and displayed on the Suspicious Objects screen.
Note:This feature is not available for the Standard license. To use this feature, purchase an Advanced license, or you can purchase an add-on license to upgrade your service to the Advanced (Standard plus add-on) license.
Action on Suspicious Objects
Action upon detection of each suspicious object type after the threat protection template is used in at least one enabled cloud access rule. Suspicious objects are obtained from either the Cloud Virtual Analyzer or Apex Central.
Click On or Off to decide whether to take pre-defined actions on access to the requested web traffic that contains the suspicious objects upon detection.
By default, the value is set to Off.
Once enabled, options for each suspicious object type include:
-
Block indicates that TMWS blocks access to the requested web traffic.
-
Monitor indicates that TMWS allows access to the requested web traffic and logs the web activity for monitoring and analysis. You can go to Logs & Reports > LOG ANALYSIS > Virtual Analyzer for log query and analysis.
-
- Click Save.