Configuring Suspicious Object List

Trend Micro Control Manager consolidates your organization's Suspicious Object lists and synchronizes them (excluding exceptions) among integrated managed products. After Cloud App Security is registered to Control Manager, Control Manager automatically synchronizes the suspicious URL and file lists with Cloud App Security at a scheduled time interval. In addition to its own scanning mechanisms, Cloud App Security can apply these suspicious objects during URL and file scanning.

By default, this feature is disabled.

Cloud App Security uses the suspicious file list in Malware Scanning and the suspicious URL list in Web Reputation. Once enabled, this feature applies to all configured Advanced Threat Protection policies. When a URL or file matches an entry in the list, Cloud App Security automatically takes a pre-defined action, which is Pass or Quarantine. You can go to Logs to query and view details.

Before you begin configuring this feature, make sure that:

  • You have installed Control Manager 7.0 with hot fix HF2574, and your Control Manager has a serving Deep Discovery product, which can be a Deep Discovery Inspector, Deep Discovery Email Inspector, or Deep Discovery Analyzer.

  • Your Cloud App Security is registered to your Control Manager. For details, see Registering Cloud App Security.

  • You have configured distribution settings on your Control Manager to enable it to consolidate and send suspicious objects to Cloud App Security. For details, see Configuring Distribution Settings in the Control Manager Online Help.

  • You have enabled Web Reputation in the Advanced Threat Protection policy you want to apply the suspicious URL list to.

Synchronization terminates when Cloud App Security is unregistered from Control Manager or synchronization is disabled on Control Manager. The Suspicious Object list is then cleared and no longer applies during scanning.

If your license expires, Cloud App Security continues synchronizing the Suspicious Object list with Control Manager and maintaining it in its database for 30 days. After that, all data is cleared.

  1. Go to Administration > Global Settings > Suspicious Object List.
  2. On the Suspicious Object List screen that appears, enable or disable the use of the lists during scanning as necessary.
  3. Click Save.