Threat Mitigation

Threat Mitigation

Threat information received from data sources (such as Threat Discovery Appliance and OfficeScan client) prompts Threat Mitigator to issue mitigation tasks to the affected endpoints. Most mitigation tasks are carried out by Threat Management Agent, a program installed on an endpoint and managed by Threat Mitigator.

Threat mitigation tasks include:

Assessment

Threat Mitigator notifies Threat Management Agent to assess the endpoint after receiving a mitigation request from its data source. During assessment, the agent checks specific objects, processes, and network behavior connected to suspicious activity. Threat Mitigation then uses the Pattern-free Mitigation Engine and Template to stop suspicious processes, and disable and remove the targeted objects.

Post-assessment Cleanup

If the assessment confirms the presence of threats in the endpoint, Threat Management Agent runs post-assessment cleanup to eliminate threats. During cleanup, the agent leverages Trend Micro smart scan technology by using a lightweight pattern called Smart Scan Agent Pattern. This pattern is downloaded from Threat Mitigator. If the pattern is unable to determine the risk of a file, the agent sends a scan query to a Smart Scan Server.

A Smart Scan Server hosts the Smart Scan Pattern, which contains signatures not found in the Smart Scan Agent Pattern and checks whether the file is safe to access. A Smart Scan Server downloads the Smart Scan Pattern from the Trend Micro ActiveUpdate server.

• Set up a local Smart Scan Server to which agents send scan queries. If an agent cannot connect to the local scan server, it connects to the Global Smart Scan Server, a Trend Micro hosted service.

Threat Management Agent reports the cleanup results to Threat Mitigator. The results are stored in the threat event logs, which you can view from the product console.

Case Submission

Threat Mitigator integrates with Threat Management Services, a portal through which TrendLabs security experts monitor endpoints that require further mitigation.

When threats are not completely removed from the endpoint after running post-assessment cleanup, Threat Management Agent collects information about the threat and the infected endpoint and sends the information to Threat Mitigator. This prompts a security expert at TrendLabs to inform you about the threat and the infected endpoint, and to ask you to submit a case so that the threat can be analyzed. TrendLabs then provides a solution (in the form of a pattern file) to address the threat.

Pattern Deployment

Any of the following patterns can be used to respond to threats not resolved during post-assessment cleanup:

• Custom Pattern: TrendLabs creates a custom pattern in response to a particular threat and uploads it to Threat Management Services.

• The availability of custom patterns depends on your service agreement with Trend Micro. Contact your support provider for details about your service agreement.

• Smart Scan Related Patterns: If custom patterns are not available to you, newer versions of smart scan related patterns (either Smart Scan Agent Pattern or Smart Scan Pattern, or both) may be able to eliminate threats that were not eliminated during post-assessment cleanup. Smart scan related patterns are regularly updated to respond to the latest threats and are released through the Trend Micro ActiveUpdate server. These patterns are continuously available for download as long as the product license is valid. Information about specific pattern versions that can be used to run custom cleanup can be obtained from Trend Micro.

Pattern Deployment Process

When a custom pattern or smart scan related patterns become available, the following process is initiated:

See also:

• Data Sources

• Mitigation Settings

• Mitigation Tasks

• Threat Management

• About Threat Mitigator

• Smart Scan Server