You can access the Global Settings screen to set global enforcement and exception policies. You can set enforcement policies that automatically apply to Unsupported, Deploy failed or Unassessed machines. When a task has an action set that conflicts with the global enforcement action, the global enforcement action overrides the action. Exceptions can be set according to machine name, IP address or IP address range. The exceptions override all other settings - even global enforcement settings.
Unassessed machines are not excluded from enforcement.
Example: Using the Account Management Tool, you configure a computer by the name of "Boss1". The IP address for this computer is 130.140.150.123, but you do not know the password. Later, you create an Assessment Task that scans machines in the IP range from 130.140.150.120 to 130.140.150.130 (which included "Boss1") and blocks all Deploy failed machines. If you run this task you would discover that "Boss1" is Deploy failed, therefore, blocked. However, if you do not want to block this machine you could set a global exception for "Boss1". When the global exception is set, and the task is run, "Boss1" is not blocked (even though it is Deploy failed). All other Deploy failed machines remain blocked.
You can also use this screen to configure actions for machines that use the Manual Vulnerability Assessment Tool. Machines must use the tool when they are Unsupported or Deploy failed and Vulnerability Assessment cannot assess them. In these cases, the system administrator provides a URL to the user which links to the Trend Micro Manual Vulnerability Assessment Tool. The user or the system administrator can use the tool to manually assess the computer.
For more information, refer to Using the Trend Micro Manual Vulnerability Assessment Tool.
To set Auto Enforcement Settings
Select one or both of the following:
Deploy failed machines - Vulnerability Assessment automatically requests blocking against Deploy failed machines
Unsupported machines - Vulnerability Assessment automatically requests blocking against unsupported machines
Unassessed machines - Vulnerability Assessment automatically requests blocking against machines that have never before been assessed.
To set Exceptions
Select Exclude the following machines during enforcement from the Exception list table.
Add machines by name, IP address or IP address range:
By name:
Type the machine name to add next to Machine name
Click to add the machine to the list of machines. Vulnerability Assessment does not apply any enforcement action against the machines on this list.
By IP address:
Type the IP address. Each box contains three numbers in the IP address. Click the appropriate field or use the tab key to move through the fields. Valid addresses follow the following format: xxx.xxx.xxx.xxx, for example:192.168.1.12
By IP address range:
Type the first IP address in the address range in IP Address From:. click the appropriate field or use the tab key to move through the fields. Valid addresses follow the following format: xxx.xxx.xxx.xxx, for example:192.168.1.12
Type the last IP address in the address range in IP Address To:.The subnet value of the first IP address must be a lower value than the corresponding value of the last IP address. The valid subnet values are 1 through 255. Press the Delete button to modify a value.
Click next toIP Address From: and IP Address To:.to add the range specified to the list. After adding a range, the first and last IP addresses will appear in the right hand box. Vulnerability Assessment does not apply any enforcement action against the machines on this list.
Click Save to save your exceptions.
To configure actions for machines that use the Manual Vulnerability Assessment Tool:
Assess by all vulnerability names
The task scans for all the known vulnerabilities in the current Vulnerability Assessment pattern file.
For a complete listing of all the known vulnerabilities refer to the Trend Micro Web site at http://www.trendmicro.com/advisory/.
When you select this action you can also request enforcement on machines according to the risk they present to the network. Select Enable enforcement on machines that are and then select a security risk level to set an enforcement for this task. The task applies enforcement policies to all machines that present vulnerabilities of the identified risk level.
Assess by the selected vulnerability name(s) only
The task scans for only those vulnerabilities that you identify in the list. To include a vulnerability in the list, type the vulnerability name in the box. Click to add vulnerability names to the task list and Remove to remove names from the list.
When you select this action you can also request enforcement on machines according to the vulnerability names. Select Enable enforcement on machines with any of the selected vulnerability name(s). The task will apply enforcement policies to all machines that contain the vulnerabilities identified in the scan.