Threat Mitigation
Threat information received from data sources (such as Threat Discovery Appliance and OfficeScan client) prompts Threat Mitigator to issue mitigation tasks to the affected endpoints. Most mitigation tasks are carried out by Threat Management Agent, a program installed on an endpoint and managed by Threat Mitigator.
Threat mitigation tasks include:
Threat Mitigator notifies Threat Management Agent to assess the endpoint after receiving a mitigation request from its data source. During assessment, the agent checks specific objects, processes, and network behavior connected to suspicious activity. Threat Mitigation then uses the Pattern-free Mitigation Engine and Template to stop suspicious processes, and disable and remove the targeted objects.
If the assessment confirms the presence of threats on the endpoint, Threat Management Agent runs post-assessment cleanup to eliminate them. During cleanup, the agent leverages Trend Micro smart scan technology by using a lightweight pattern called the Smart Scan Agent Pattern, which it downloads from Threat Mitigator. If this pattern cannot determine the risk of a file, the agent sends a scan query to a Smart Scan Server.
A Smart Scan Server hosts the Smart Scan Pattern, which contains signatures not found in the Smart Scan Agent Pattern and checks whether the file is safe to access. A Smart Scan Server downloads the Smart Scan Pattern from the Trend Micro ActiveUpdate server.
Set up a local Smart Scan Server to which agents send scan queries. If an agent cannot connect to the local scan server, it connects to the Global Smart Scan Server, a Trend Micro hosted service.
Threat Management Agent reports the cleanup results to Threat Mitigator. The results are stored in the threat event logs, which you can view from the product console.
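The assessment, cleanup and reporting flow above hinges on a tiered risk lookup: the agent consults its local Smart Scan Agent Pattern first, then a local Smart Scan Server, then the Global Smart Scan Server, and reports back which files it could clean and which it could not. The following is an added illustrative model of that decision path, not Trend Micro's implementation: the class names, the `reachable` flag, the fake hashes and the sample endpoint file list are all constructed for the example.

```python
"""Illustrative model of the tiered scan-query and cleanup-report flow.

Added example code, not Trend Micro's implementation. All names, the
`reachable` flag and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    SAFE = "safe"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


@dataclass
class PatternSource:
    """A signature store the agent can consult (hypothetical class).
    reachable=False models a scan server the agent cannot connect to."""
    name: str
    signatures: Dict[str, Verdict]
    reachable: bool = True

    def lookup(self, file_hash: str) -> Verdict:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        return self.signatures.get(file_hash, Verdict.UNKNOWN)


def query_risk(file_hash: str, tiers: List[PatternSource]) -> Tuple[Verdict, Optional[str]]:
    """Consult tiers in order (agent pattern, local server, global server).
    Stop at the first definite verdict; skip tiers that cannot be reached.
    Returns (verdict, name of the tier that decided, or None)."""
    for tier in tiers:
        try:
            verdict = tier.lookup(file_hash)
        except ConnectionError:
            continue  # fall through to the next tier
        if verdict is not Verdict.UNKNOWN:
            return verdict, tier.name
    return Verdict.UNKNOWN, None


@dataclass
class CleanupReport:
    """What the agent would send back to the management server."""
    endpoint: str
    removed: List[str] = field(default_factory=list)
    unresolved: List[str] = field(default_factory=list)
    decided_by: Dict[str, str] = field(default_factory=dict)

    @property
    def needs_escalation(self) -> bool:
        # Unclassified files are the case the text hands to TrendLabs.
        return bool(self.unresolved)


def post_assessment_cleanup(endpoint: str, suspicious_files: Dict[str, str],
                            tiers: List[PatternSource]) -> CleanupReport:
    """Classify each flagged file and build the cleanup report."""
    report = CleanupReport(endpoint=endpoint)
    for path, file_hash in suspicious_files.items():
        verdict, source = query_risk(file_hash, tiers)
        if verdict is Verdict.MALICIOUS:
            report.removed.append(path)
            report.decided_by[path] = source
        elif verdict is Verdict.UNKNOWN:
            report.unresolved.append(path)  # no tier could classify it
    return report


# Constructed sample data: short fake hashes, not real indicators.
AGENT_PATTERN = PatternSource("Smart Scan Agent Pattern", {"h-aaa": Verdict.MALICIOUS})
LOCAL_SERVER = PatternSource("local Smart Scan Server", {"h-bbb": Verdict.MALICIOUS},
                             reachable=False)  # simulate the local server being down
GLOBAL_SERVER = PatternSource("Global Smart Scan Server",
                              {"h-bbb": Verdict.MALICIOUS, "h-ccc": Verdict.SAFE})
TIERS = [AGENT_PATTERN, LOCAL_SERVER, GLOBAL_SERVER]

SAMPLE_ENDPOINT_FILES = {  # constructed paths flagged by a hypothetical assessment
    "C:\\temp\\dropper.exe": "h-aaa",
    "C:\\temp\\loader.dll": "h-bbb",
    "C:\\temp\\tool.exe": "h-ccc",
    "C:\\temp\\unknown.bin": "h-ddd",
}


def demo_report() -> CleanupReport:
    return post_assessment_cleanup("endpoint-01", SAMPLE_ENDPOINT_FILES, TIERS)


if __name__ == "__main__":
    r = demo_report()
    print("removed:", r.removed)
    print("unresolved:", r.unresolved, "escalate:", r.needs_escalation)
```

In the sample run the local server is unreachable, so `loader.dll` is decided by the global server, while `unknown.bin` matches no tier and leaves the report flagged for escalation.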
Threat Mitigator integrates with Threat Management Services, a portal through which TrendLabs security experts monitor endpoints that require further mitigation.
When threats are not completely removed from the endpoint after running post-assessment cleanup, Threat Management Agent collects information about the threat and the infected endpoint and sends the information to Threat Mitigator. This prompts a security expert at TrendLabs to inform you about the threat and the infected endpoint, and to ask you to submit a case so that the threat can be analyzed. TrendLabs then provides a solution (in the form of a pattern file) to address the threat.
Any of the following patterns can be used to respond to threats not resolved during post-assessment cleanup:
Custom Pattern: TrendLabs creates a custom pattern in response to a particular threat and uploads it to Threat Management Services.
The availability of custom patterns depends on your service agreement with Trend Micro. Contact your support provider for details about your service agreement.
Smart Scan Related Patterns: If custom patterns are not available to you, newer versions of smart scan related patterns (either Smart Scan Agent Pattern or Smart Scan Pattern, or both) may be able to eliminate threats that were not eliminated during post-assessment cleanup. Smart scan related patterns are regularly updated to respond to the latest threats and are released through the Trend Micro ActiveUpdate server. These patterns are continuously available for download as long as the product license is valid. Information about specific pattern versions that can be used to run custom cleanup can be obtained from Trend Micro.
Pattern Deployment Process
When a custom pattern or smart scan related patterns become available, the following process is initiated:
Pattern deployment process

Step 1
Custom Pattern Deployment: Threat Mitigator automatically downloads the pattern from Threat Management Services.
Smart Scan Related Pattern Deployment: If scheduled updates are enabled, Threat Mitigator updates the Smart Scan Agent Pattern, while the Smart Scan Server updates the Smart Scan Pattern.

Step 2 (both deployment types)
If automatic pattern deployment is enabled, Threat Mitigator deploys the custom pattern/Smart Scan Agent Pattern to a particular endpoint. If you do not want the pattern to deploy automatically:

Step 3 (both deployment types)
Threat Mitigator notifies Threat Management Agent to run custom cleanup using the custom pattern/Smart Scan Agent Pattern.

Step 4 (both deployment types)
The agent reports the cleanup results back to Threat Mitigator.