Terms

Product Terminology and Concepts

Bandage Pattern

A Bandage Pattern (also called BPR) is a pre-release version of a Trend Micro anti-malware database available for manual download. This pattern has not undergone full validation or integration testing and is intended to provide emergency protection prior to the availability of a Controlled Pattern (also called CPR) or smart protection patterns. A pattern signature included in a Bandage Pattern may or may not be incorporated into a subsequent Controlled Pattern or smart protection patterns.

Controlled Pattern

A Controlled Pattern (also called CPR) is a manually loadable, pre-release version of a Trend Micro anti-malware database, designed to provide users with additional protection in between smart protection pattern releases.

Disruptive Applications

Instant messaging, streaming media, and peer-to-peer applications are considered to be disruptive because they slow down the network, are a security risk, and are generally a distraction to employees. Threat Discovery Appliance logs activities on these applications and sends the logs to TMSP.

Heartbeat

Trend Micro products exchange heartbeat messages to initiate communication with each other. When communication is established, the products proceed with the required operation. For example, the initiating product starts to upload logs to the receiving product or requests the other product to quarantine a non-compliant endpoint.

Products exchange heartbeat messages at regular (and usually pre-determined) intervals. Some products offer users the ability to configure the time interval.

Threat Discovery Appliance and Threat Mitigator initiate a heartbeat message exchange with TMSP every 10 minutes.

Monitored Networks

A monitored network consists of IP addresses that Threat Discovery Appliance monitors for threats. By defining monitored networks, Threat Discovery Appliance can identify whether threats originate from within or outside the network.

Threat Discovery Appliance is set to automatically monitor the following IP address blocks reserved by the Internet Assigned Numbers Authority (IANA) for private networks:

Nonconforming Endpoints

An endpoint is considered nonconforming if the Threat Management Agent installed in the endpoint reports the following threat mitigation issues:

Outbreak Containment Services

Outbreak Containment Services in Threat Discovery Appliance blocks and disconnects malware activities that have the potential of causing an outbreak. After collecting Outbreak Containment Services logs, Threat Discovery Appliance sends the logs immediately to TMSP.

Registered Domains

A registered domain in Threat Discovery Appliance is an internal or external email domain that Threat Discovery Appliance considers trustworthy. By identifying trustworthy email domains, Threat Discovery Appliance can detect and classify email traffic from unknown or unauthorized domains.

Registered Products

TMSP integrates with a registered product to perform most of its functions. A registered product can either be Threat Discovery Appliance or Threat Mitigator.

Registered Services

A registered service in Threat Discovery Appliance is an internal or external service or server pair that Threat Discovery Appliance considers trustworthy. By identifying trustworthy services or servers, Threat Discovery Appliance can detect and classify network traffic from unknown or unauthorized services or locations. For example, Domain Name System (DNS) is generally a trusted service within the network, but a hacker outside or even inside the network could launch a network attack masquerading as a DNS response. By registering your local (internal) DNS servers, you enable Threat Discovery Appliance to determine which DNS traffic needs to be monitored and which is trusted and authorized.

Security Compliance

Security Compliance is a separately licensed feature in Threat Discovery Appliance that extracts meaningful content from various file formats and archives. Security Compliance checks whether the content contains information regulated by compliance rules. Threat Discovery Appliance logs violations to compliance rules and then uploads the logs to TMSP.

Compliance rules are contained in templates. Threat Discovery Appliance comes with a set of predefined templates for specific industries and regulations, such as:

See the Threat Discovery Appliance Administrator’s Guide for details about Security Compliance.

Smart Protection

Trend Micro smart protection technology provides File and Web Reputation Services to point products. Trend Micro delivers these services through smart protection sources. The following table provides a comparison between the currently available smart protection sources:

Smart protection sources

| Basis of Comparison | Trend Micro Smart Protection Network | Smart Protection Server |
|---|---|---|
| Purpose | Smart Protection Network is a globally scaled, Internet-based infrastructure that provides File and Web Reputation Services to Trend Micro products that leverage smart protection technology. | Smart Protection Server provides the same File and Web Reputation Services offered by Smart Protection Network but is intended to localize these services to the corporate network to optimize efficiency. |
| Administration | Trend Micro hosts and maintains this service. | A point product’s administrator installs and manages this server. |
| Connection protocol | HTTPS | HTTP/HTTPS |

About Web Reputation Services

Web Reputation Services tracks the credibility of web domains by assigning a reputation score based on factors such as a website's age, historical location changes, and indications of suspicious activities discovered through malware behavior analysis. To increase accuracy and reduce false positives, Trend Micro web reputation technology assigns reputation scores to specific pages or links within sites instead of classifying or blocking entire sites, because sometimes only portions of legitimate sites are hacked and reputations can change dynamically over time.

About File Reputation Services

File Reputation Services uses two lightweight patterns that work together to provide the same protection offered by Trend Micro conventional anti-malware patterns. These patterns are collectively referred to as smart protection patterns.

Smart Scan Pattern contains the majority of the pattern definitions. A smart protection source hosts the Smart Scan Pattern and updates it several times a day. By default, the smart protection source updates the pattern from the Trend Micro ActiveUpdate server.

Point products (such as Threat Mitigator) that leverage smart protection technology do not download the Smart Scan Pattern. The point product verifies potential threats against the pattern by sending scan queries to the smart protection source.

Smart Scan Agent Pattern contains all the other pattern definitions not found in the Smart Scan Pattern. The point product hosts the Smart Scan Agent Pattern and updates it daily. By default, the point product updates the pattern from the Trend Micro ActiveUpdate server.

The point product, using the Smart Scan Agent Pattern and advanced filtering technology, can verify whether a file is infected without sending scan queries to the smart protection source. The point product only sends scan queries if it cannot determine the risk of the file during scanning. A point product that cannot verify a file’s risk locally and is unable to connect to a smart protection source after several attempts flags the file for verification. When connection to a smart protection source is restored, all the files that have been flagged are re-scanned. The appropriate scan action is then performed on files that have been confirmed as infected.
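A minimal model of the lookup flow described above, added here as an illustration and not Trend Micro code. The class and method names, the hash-keyed dictionaries and the retry count of 3 are assumptions, and the hashes are constructed sample values.

```python
from collections import deque

class SourceUnreachable(Exception):
    """The smart protection source could not be reached for a scan query."""

class FakeSource:
    """Constructed stand-in for a smart protection source hosting the Smart Scan Pattern."""
    def __init__(self, smart_scan_pattern):
        self.pattern = smart_scan_pattern   # hashes the source knows to be infected
        self.online = True
        self.queries = 0                    # attempted scan queries, for observation

    def query(self, file_hash):
        self.queries += 1
        if not self.online:
            raise SourceUnreachable(file_hash)
        return "infected" if file_hash in self.pattern else "clean"

class PointProduct:
    MAX_ATTEMPTS = 3  # assumption: the page says only "several attempts"

    def __init__(self, agent_pattern, source):
        self.agent_pattern = agent_pattern  # local Smart Scan Agent Pattern: hash -> verdict
        self.source = source
        self.flagged = deque()              # files awaiting verification

    def scan(self, file_hash):
        verdict = self.agent_pattern.get(file_hash)
        if verdict is not None:             # risk determined locally: no scan query sent
            return verdict
        for _ in range(self.MAX_ATTEMPTS):
            try:
                return self.source.query(file_hash)
            except SourceUnreachable:
                continue
        self.flagged.append(file_hash)      # verdict deferred until the source is back
        return "flagged"

    def rescan_flagged(self):
        """Call when the connection is restored; returns hashes confirmed infected."""
        pending, self.flagged = self.flagged, deque()
        return [h for h in pending if self.scan(h) == "infected"]

def demo():
    source = FakeSource({"hash-c"})
    product = PointProduct({"hash-a": "infected", "hash-b": "clean"}, source)
    source.online = False
    offline = [product.scan(h) for h in ("hash-a", "hash-b", "hash-c", "hash-d")]
    source.online = True
    return offline, product.rescan_flagged(), source.queries
```

In this model the size of the `flagged` queue is the backlog of files whose risk is still undetermined while the source is unreachable, which is the figure worth watching during an outage.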

Trend Micro Services

The Trend Micro threat management offering includes the following services:

Threat management services

| Service | Description |
|---|---|
| Threat Discovery Services | These services continuously monitor networks for stealthy malware infections and generate daily and weekly infection reports. |
| Threat Remediation Services | These services provide early outbreak warnings and expert advisory to diagnose, contain, and remediate security threats. |
| Threat Lifecycle Management Services | These services combine automated threat remediation and root-cause analysis technology with proactive security planning from a dedicated Trend Micro Threat Management Advisor. |

Each service has the following features and benefits:

Features and benefits for each service

| Feature/Benefit | Threat Discovery | Threat Remediation | Threat Lifecycle Management |
|---|---|---|---|
| Network overwatch threat discovery | Yes | Yes | Yes |
| Network security assessment reports (manual – daily / weekly) | Yes | Yes | Yes |
| Proactive threat monitoring & early warning notifications | No | Yes | Yes |
| Threat containment and remediation advisory services | No | Yes | Yes |
| 24x7 access to Trend Micro Threat Management Advisors | No | Yes | Yes |
| Automated threat remediation technology | No | No | Yes |
| Threat infection root-cause analysis | No | No | Yes |
| Bi-annual threat outbreak drills for best practice responses | No | No | Yes |
| Customized Threat Security Management Plan | No | No | Yes |
| Quarterly Executive Business Review | No | No | Yes |
| Annual threat landscape updates briefings | No | No | Yes |