WFBSS Endpoint Protection

Worry Free Business Security Services (WFBSS) provides security services for endpoints. To provide security services, WFBSS customers must install a WFBSS Security Agent on the endpoints. These agents help manage network access control. When an agent has an out-of-date pattern or if an endpoint does not have the agent installed, compliance is not assured.

Cloud Edge WFBSS Endpoint Protection integrates with WFBSS to provide a means for enforcing compliance. Cloud Edge provides a compliance check for endpoints by determining if endpoints have an out-of-date WFBSS Security Agent pattern or if they do not have the WFBSS Security Agent installed. Additionally, Cloud Edge can provide network access control for out-of-compliance endpoints.

Note:

WFBSS Endpoint Protection does not support endpoint checking and compliance for IPv6 endpoints.

Enable Compliance Checks

You must enable this feature. The default is disabled.

After you enable the feature, you can specify what action (block or detect) to take for the following two conditions:

  • Endpoint has the WFBSS Security Agent installed but the pattern is out-of-date.
  • Endpoint does not have the WFBSS Security Agent installed.

Cloud Edge synchronizes information with Worry Free Business Security Services every hour to get updated information about the latest pattern status for endpoints.

Protection List

Endpoints are not automatically checked for compliance. You must configure protection lists to specify which endpoints to put under compliance protection.

  • Endpoints in the protection list are checked to determine if they have installed agents and if so, whether patterns for the installed agents are up-to-date.

  • If the endpoints are not in compliance, the configured action is taken.

  • You can add MAC addresses or IPv4 addresses (single or range).

  • The maximum number of entries is 256.

Actions

If the compliance check finds that an endpoint in the protection list is non-compliant, Cloud Edge can take one of two courses of action:

  • Block

    All access to the Internet is blocked.

    Exceptions: Endpoints are not blocked if the traffic/URLs are in the global approved list. DNS and DHCP traffic is not blocked.

    If an endpoint is blocked by the WFBSS Endpoint Protection function, the client browser is redirected to the WFBSS Endpoint Protection Violation notification page.

    Note:

    If you set the action for endpoints without agents to Block, endpoints without agents cannot access the Internet.

    If a user attempts to install the agent on these endpoints, the following URLs should be added to the Approved List; otherwise, installation might fail.

    • *.symcb.com/*
    • *.digicert.com/*
    • *.affirmtrust.com/*
    • crl.microsoft.com/*

    In addition, if a user accesses the Trend Micro CLP site on an endpoint without an agent, the following URLs should be added to the Approved List; otherwise, access requests to them might be affected:

    • www.google-analytics.com/*
    • www.googletagmanager.com/*

  • Detect

    Access to the Internet is allowed, but access is logged in the WFBSS Endpoint Protection troubleshooting page along with the reason that the endpoint is out-of-compliance.

Exception List

You can configure an exception list that specifies which endpoints are not under compliance protection. The compliance action is not enforced for endpoints in the exception list.

  • You can add MAC addresses or IPv4 addresses (single or range).

  • The maximum number of entries is 256.
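
Because the compliance action is not enforced for endpoints in the exception list, an exception range that overlaps a protection entry leaves those endpoints unenforced. The following is an added example, not Trend Micro code or a Cloud Edge API: an offline pre-check of planned list entries against the limits on this page (MAC or IPv4 only, 256 entries per list) that reports such overlaps. The "first-last" range notation, the accepted MAC formats, and all function names are assumptions.

```python
import ipaddress
import re

MAX_ENTRIES = 256  # per-list limit stated on this page
# Assumed MAC notation: six hex pairs separated by ":" or "-".
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def parse_entry(text):
    """Return ("mac", value) or ("ipv4", first, last); raise ValueError otherwise."""
    text = text.strip()
    if MAC_RE.match(text):
        return ("mac", text.lower().replace("-", ":"))
    # Assumed range notation: "first-last". A single address is a range of one.
    first, _, last = text.partition("-")
    lo = ipaddress.ip_address(first.strip())
    hi = ipaddress.ip_address(last.strip()) if last else lo
    if lo.version != 4 or hi.version != 4:
        raise ValueError(f"IPv6 is not supported: {text}")
    if int(lo) > int(hi):
        raise ValueError(f"range start is after range end: {text}")
    return ("ipv4", int(lo), int(hi))


def audit(protection, exceptions):
    """Validate both lists and report protection entries touched by an exception."""
    parsed = {}
    for name, entries in (("protection", protection), ("exception", exceptions)):
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"{name} list has {len(entries)} entries (max {MAX_ENTRIES})")
        parsed[name] = [(e, parse_entry(e)) for e in entries]
    overlaps = []
    for p_text, p in parsed["protection"]:
        for e_text, e in parsed["exception"]:
            if p[0] != e[0]:
                continue  # a MAC entry and an IPv4 entry cannot be compared offline
            same_mac = p[0] == "mac" and p[1] == e[1]
            ip_overlap = p[0] == "ipv4" and p[1] <= e[2] and e[1] <= p[2]
            if same_mac or ip_overlap:
                overlaps.append((p_text, e_text))
    return overlaps


# Constructed sample lists (not from the page).
SAMPLE_PROTECTION = ["192.168.10.1-192.168.10.100", "00:11:22:33:44:55", "10.0.0.7"]
SAMPLE_EXCEPTIONS = ["192.168.10.90-192.168.10.120", "00-11-22-33-44-55"]

if __name__ == "__main__":
    for prot, exc in audit(SAMPLE_PROTECTION, SAMPLE_EXCEPTIONS):
        print(f"{prot} is partly or fully exempted by {exc}")
```

A MAC entry and an IPv4 entry that refer to the same endpoint cannot be matched without the Client List, so review those pairs in the console.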

Client List

You can use the Client List section to view all endpoints detected by the Cloud Edge appliance over the last 24 hours.

  • The list is initially empty.

  • After you enable WFBSS Endpoint Protection and click on Apply to deploy the update to the Cloud Edge appliance, the appliance begins to tabulate information about endpoints that have had traffic pass through the Cloud Edge appliance over the past 24 hours. Cloud Edge displays the resultant list in the Client List section.

    For convenience, the endpoints initially detected after WFBSS Endpoint Protection deployment are automatically added to the protection list.

  • After initial endpoint detections, you can easily add a listed endpoint to the protection or exceptions lists by clicking on either the Protection List or Exception List option provided for each listed endpoint.