Manage Pattern

Managing Pattern Files Issued by Trend Micro

After analyzing threats, Trend Micro notifies you of the pattern required to eliminate the threats. The pattern can be a custom pattern or smart protection patterns.

Custom Pattern

Trend Micro creates a custom pattern in response to a particular threat. The availability of custom patterns depends on your service agreement with Trend Micro. Contact your Trend Micro representative for details about your service agreement.

When threat signatures in the custom pattern are added to smart protection patterns, Trend Micro notifies you to download smart protection patterns instead.

A custom pattern can either be a Bandage Pattern or a Controlled Pattern. For details, see Bandage Pattern and Controlled Pattern.

• TMSP does not remove custom patterns from its database. Contact your support provider for help on removing these patterns.

To manage custom patterns:

1. Obtain the custom pattern from Trend Micro and save it to a computer. When you obtain the pattern, Trend Micro also provides you the following information:

• The type of custom pattern (Bandage Pattern or Controlled Pattern)

• The custom pattern’s version

• The case ID issued by Trend Micro when you sent the forensic data

2. Open the administrative console and click Customers in the main menu.

3. Click the hyperlink under the Account column. The Case List screen appears.

4. In the Upload Custom Pattern section, choose whether to upload a Bandage Pattern or a Controlled Pattern.

5. Type the version for the pattern.

6. Type a description for the pattern. For example, type the endpoint for which the pattern was created.

7. Click Browse, locate the pattern file, and click Open.

8. Click Submit. The custom pattern is uploaded to TMSP.

9. When the upload is complete:

1. Go to the Pattern List section and verify that a new entry was created. This new entry has the following information:

   Information in the Pattern List section

   Column Name	Information
   Pattern ID	The ID number for the pattern The product automatically generates the ID number. For example, if the entry is the third one to be created, the number is 3.
   Type	The custom pattern type
   File Name	The file name for the custom pattern
   Status	Not Applied
   Version	The custom pattern version
   Uploaded	The date and time you uploaded the custom pattern
   Uploaded By	The administrator account that you used to log on to the administrative console
   Description	The description for the custom pattern
   Target Case ID	The hyperlink under this column points to a new screen that provides the following information: Case ID: The case ID for which the custom pattern was created Received: The date and time forensic data (.zip file) was uploaded to TMSP Endpoint: The endpoint for which the custom pattern was created Mark the Resolved check box later when you have confirmed that the custom pattern has eliminated unresolved threats.

2. Go to the Case List section and locate the case. Information in the Status column changes to Threat Mitigator Notified About Pattern.

Threat Mitigator automatically downloads the custom pattern the next time it connects to TMSP.

10. Verify that Threat Mitigator has downloaded the pattern.

• In the Pattern List section, information in the Status column changes to Downloaded. This means that Threat Mitigator has started to download the pattern.

• If manual pattern deployment is enabled in Threat Mitigator (the Threat Mitigator administrator controls this setting), navigate to Threat Mitigator’s Threat Management screen. When you click Require custom cleanup, the custom pattern displays in the table at the lower section of the screen.

After Threat Mitigator deploys the custom pattern to the endpoint, Threat Management Agent runs custom cleanup using the custom pattern.

11. Check the custom cleanup status from Threat Mitigator’s threat event logs. If cleanup was successful:

1. In the administrative console, click Customers in the main menu.

2. Click the hyperlink under the Account column. The Case List screen appears.

3. Go to the Pattern List section and click the hyperlink under the Target Case ID column.

4. In the screen that opens, mark the check box under Resolved.

5. Click Save and then Back.

6. Go to the Case List section. Under the Case ID column, click the hyperlink of the case you just resolved.

7. In the new screen that appears, change the status to Closed.

8. Specify the reason for closing the case. For example, you can state that the custom pattern has eliminated unresolved threats from the endpoint.

9. Click Apply. In the Case List section, information in the Status column changes to Case Closed.

Smart Protection Patterns

Trend Micro regularly releases smart protection patterns (either Smart Scan Agent Pattern or Smart Scan Pattern, or both) through the Trend Micro ActiveUpdate server to respond to the latest threats. These patterns are continuously available for download as long as the product license is valid. Information about specific pattern versions that you can use to eliminate unresolved threats can be obtained from Trend Micro.

For detailed information about smart protection patterns, see Smart Protection.

Trend Micro may notify you to update one or both smart protection patterns if:

• Threat signatures in a custom pattern have been added to smart protection patterns

• Your service agreement with Trend Micro does not entitle you to custom patterns

To manage smart protection patterns:

1. Obtain the following information about smart protection patterns from Trend Micro:

• The type of smart protection pattern to use to eliminate unresolved threats (Smart Scan Pattern or Smart Scan Agent Pattern, or both)

• The version for the patterns

2. Open the administrative console and click Customers in the main menu.

3. Click the hyperlink under the Account column. The Case List screen appears.

4. In the Specify Smart Protection Patterns section, choose the pattern to use to eliminate unresolved threats.

5. Type the pattern version.

• If you choose Smart Scan Pattern, type the pattern version in the text box provided.

• If you choose Smart Scan Agent Pattern, type the pattern version in the text box provided.

• If you choose both Smart Scan Pattern and Smart Scan Agent Pattern, type the pattern versions in the two text boxes.

6. Type a description for the pattern. For example, type the endpoint to which to deploy the pattern.

7. Click Submit.

TMSP notifies Threat Mitigator about the patterns.

• If the pattern is the Smart Scan Agent Pattern, Threat Mitigator downloads the pattern from its update source, which is the Trend Micro ActiveUpdate server by default.

• If the pattern is the Smart Scan Pattern, view the pattern version that the smart protection source is using from Threat Mitigator’s Threat Management screen.

8. If you chose Smart Scan Agent Pattern, verify that Threat Mitigator has downloaded the pattern.

• In the Pattern List section, information in the Status column changes to Downloaded. This means that Threat Mitigator has started to download the pattern.

• In the Case List section, information in the Status column changes to Threat Mitigator Notified About Pattern.

• If manual pattern deployment is enabled in Threat Mitigator (the Threat Mitigator administrator controls this setting), navigate to Threat Mitigator’s Threat Management screen. When you click Require custom cleanup, the pattern displays in the table at the lower section of the screen.

After Threat Mitigator deploys the pattern to the endpoint, Threat Management Agent runs custom cleanup using the pattern.

9. Check the custom cleanup status from Threat Mitigator’s threat event logs. If cleanup was successful:

1. In the administrative console, click Customers in the main menu.

2. Click the hyperlink under the Account column. The Case List screen appears.

3. Go to the Pattern List section and click the hyperlink under the Target Case ID column.

4. In the screen that opens, mark the check box under Resolved.

5. Click Save and then Back.

6. Go to the Case List section. Under the Case ID column, click the hyperlink of the case you just resolved.

7. In the new screen that appears, change the status to Closed.

8. Specify the reason for closing the case. For example, you can state that the pattern has eliminated unresolved threats from the endpoint.

9. Click Apply. In the Case List section, information in the Status column changes to Case Closed.

No Pattern Required

In case of a false alarm, Trend Micro notifies you that no pattern is required. You can proceed to close the case if you receive such notice.

To close a case because no pattern is required:

1. Open the administrative console and click Customers in the main menu.

2. Click the hyperlink under the Account column. The Case List screen appears.

3. In the Specify Smart Protection Patterns section, choose None.

4. Type a description. For example, state that no pattern is required because no threat was detected in the forensic data sent to Trend Micro.

5. Click Submit.

6. Go to the Pattern List section and click the hyperlink under the Target Case ID column.

7. In the screen that opens, mark the check box under Resolved.

8. Click Save and then Back.

9. Go to the Case List section. Under the Case ID column, click the hyperlink of the case you just resolved.

10. In the new screen that appears, change the status to Closed.

11. Specify the reason for closing the case. For example, state that the case is a false alarm.

12. Click Apply. In the Case List section, information in the Status column changes to Case Closed.

See also:

• Performing Threat Mitigation Tasks

• Downloading Forensic Data