Threat Mitigation

Threat information received from data sources (such as Threat Discovery Appliance and OfficeScan client) prompts Threat Mitigator to issue mitigation tasks to the affected endpoints. Most mitigation tasks are carried out by Threat Management Agent, a program installed on an endpoint and managed by Threat Mitigator.

Threat mitigation tasks include:

Assessment

Threat Mitigator notifies Threat Management Agent to assess the endpoint after receiving a mitigation request from its data source. During assessment, the agent checks the specific objects, processes, and network behavior connected to the suspicious activity. The agent then uses the Pattern-free Mitigation Engine and Template to stop suspicious processes and to disable and remove the targeted objects.

Post-assessment Cleanup

If the assessment confirms the presence of threats on the endpoint, Threat Management Agent runs post-assessment cleanup to eliminate them. During cleanup, the agent leverages Trend Micro smart scan technology by using a lightweight pattern called the Smart Scan Agent Pattern, which it downloads from Threat Mitigator. If this pattern is unable to determine the risk of a file, the agent sends a scan query to a Smart Scan Server.

A Smart Scan Server hosts the Smart Scan Pattern, which contains signatures not found in the Smart Scan Agent Pattern and checks whether the file is safe to access. A Smart Scan Server downloads the Smart Scan Pattern from the Trend Micro ActiveUpdate server.

Threat Management Agent reports the cleanup results to Threat Mitigator. The results are stored in the threat event logs, which you can view from the product console.

Case Submission

Threat Mitigator integrates with Threat Management Services, a portal through which TrendLabs security experts monitor endpoints that require further mitigation.

When threats are not completely removed from the endpoint after post-assessment cleanup, Threat Management Agent collects information about the threat and the infected endpoint and sends it to Threat Mitigator. This prompts a security expert at TrendLabs to inform you about the threat and the infected endpoint, and to ask you to submit a case so that the threat can be analyzed. TrendLabs then provides a solution, in the form of a custom pattern file, to address the threat.

Pattern Deployment

Any of the following patterns can be used to respond to threats not resolved during post-assessment cleanup:

  • Custom pattern, provided by TrendLabs through Threat Management Services after a case is submitted.

  • Smart scan related patterns, namely the Smart Scan Agent Pattern (held by Threat Mitigator and the agent) and the Smart Scan Pattern (held by the Smart Scan Server).

Pattern Deployment Process

When a custom pattern or smart scan related patterns become available, the following process is initiated. Only step 1 differs between the two pattern types; steps 2 through 4 are the same for both.

1. Obtain the pattern

  Custom pattern: Threat Mitigator automatically downloads the pattern from Threat Management Services.

  Smart scan related patterns: If scheduled updates are enabled, Threat Mitigator updates the Smart Scan Agent Pattern, while the Smart Scan Server updates the Smart Scan Pattern.

  • Manually update the patterns if scheduled updates are disabled.

2. Deploy the pattern

  If automatic pattern deployment is enabled, Threat Mitigator deploys the custom pattern or the Smart Scan Agent Pattern to the affected endpoint.

  If you do not want the pattern to deploy automatically:

  • Disable automatic pattern deployment from the product console’s Mitigation Tasks screen.

  • Manually deploy the pattern from the Threat Management screen. When you click the Require custom cleanup link on the screen, the pattern version displays.

3. Run custom cleanup

  Threat Mitigator notifies Threat Management Agent to run custom cleanup using the custom pattern or the Smart Scan Agent Pattern.

  • If the Smart Scan Agent Pattern cannot verify the risk of a file, the agent queries the Smart Scan Pattern on the Smart Scan Server.

4. Report results

  The agent reports the cleanup results back to Threat Mitigator.
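The two-tier lookup that both the post-assessment cleanup section and step 3 above describe (consult the lightweight local pattern first, query the server-side pattern only when the local one cannot decide, then report what was and was not resolved) is easy to get wrong in one respect: a file the server cannot be asked about must stay unresolved rather than quietly pass as clean. The following Python model is an added example written for this page; it is not Trend Micro code and says nothing about the real pattern formats. It assumes patterns can be modelled as SHA-256 digests, uses constructed sample file contents, and the names `AGENT_PATTERN`, `SERVER_PATTERN`, `assess_file`, `cleanup_report` and `needs_case_submission` are all hypothetical.

```python
"""Model of a two-tier (agent pattern, then server pattern) file verdict lookup.

Added illustration only: not Trend Micro code. Patterns are modelled as SHA-256
digests; the real Smart Scan patterns are opaque and richer than this.
"""
import hashlib
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample "files" for the example (harmless byte strings, not malware).
SAMPLES: Dict[str, bytes] = {
    "C:\\Users\\alice\\dropper.exe": b"MZ-sample-dropper-bytes",
    "C:\\Windows\\notepad.exe": b"MZ-sample-notepad-bytes",
    "C:\\Temp\\unseen.bin": b"MZ-sample-never-seen-before",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Lightweight local pattern (hypothetical stand-in for the Smart Scan Agent
# Pattern): only the subset of malicious signatures the endpoint carries.
AGENT_PATTERN: Set[str] = {sha256_hex(SAMPLES["C:\\Users\\alice\\dropper.exe"])}

# Fuller server-side pattern (hypothetical stand-in for the Smart Scan Pattern):
# everything the agent has plus signatures it lacks, including a known-good file.
SERVER_PATTERN: Dict[str, str] = {
    sha256_hex(SAMPLES["C:\\Users\\alice\\dropper.exe"]): "malicious",
    sha256_hex(SAMPLES["C:\\Windows\\notepad.exe"]): "clean",
}


def server_query(digest: str) -> str:
    """Stand-in for the scan query the agent sends to a Smart Scan Server."""
    return SERVER_PATTERN.get(digest, "unknown")


def server_unreachable(digest: str) -> str:
    """Simulates the server being down, so the failure path can be exercised."""
    raise ConnectionError("Smart Scan Server not reachable")


def assess_file(data: bytes, agent_pattern: Set[str],
                query: Callable[[str], str]) -> Tuple[str, str]:
    """Return (verdict, source). The local pattern is consulted first; the
    server is only asked when the local pattern cannot determine the risk."""
    digest = sha256_hex(data)
    if digest in agent_pattern:
        return "malicious", "agent-pattern"
    try:
        verdict = query(digest)
    except ConnectionError:
        # No verdict is not the same as "clean": keep the file unresolved so it
        # shows up in the report instead of silently passing.
        return "unknown", "server-unreachable"
    return verdict, "server-pattern"


def cleanup_report(files: Dict[str, bytes], agent_pattern: Set[str],
                   query: Callable[[str], str]) -> Dict[str, List[str]]:
    """Group files the way cleanup results are reported back: removed,
    confirmed clean, or still unresolved."""
    report: Dict[str, List[str]] = {"removed": [], "clean": [], "unresolved": []}
    for path, data in files.items():
        verdict, _ = assess_file(data, agent_pattern, query)
        if verdict == "malicious":
            report["removed"].append(path)
        elif verdict == "clean":
            report["clean"].append(path)
        else:
            report["unresolved"].append(path)
    return report


def needs_case_submission(report: Dict[str, List[str]]) -> bool:
    """Anything left unresolved after cleanup is what triggers case submission."""
    return bool(report["unresolved"])


if __name__ == "__main__":
    result = cleanup_report(SAMPLES, AGENT_PATTERN, server_query)
    for bucket, paths in result.items():
        print(f"{bucket}: {paths}")
    print("case submission needed:", needs_case_submission(result))
```

Two behaviours of the model are worth checking against your own deployment: a local hit never contacts the server, so an unreachable Smart Scan Server does not delay cleanup of files the agent pattern already knows; and a file whose verdict cannot be obtained is reported as unresolved, which is the condition that leads to case submission rather than to a false "clean" entry in the threat event logs.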
