Enforcement Settings


Enforcement settings include the following:

Security Assessment Rules and Actions

An endpoint’s security posture is established by assessing its compliance with security assessment rules. An endpoint that violates any of the rules is considered non-compliant. For each rule, you can configure the action to perform on non-compliant endpoints.

  1. In the Security Assessment section, select the check box for the rule you wish to enable.

    Security assessment rules

    Rule: Antivirus product scan

    Description: Checks for the presence of antivirus software on the endpoint

    Steps:

    1. Click the icon before the rule name.

    2. Select the antivirus products from the list.

    3. Click a product name for details about the product.

    An endpoint that does not have any of the products you selected or has a product that is not included in the list is considered non-compliant.

    On non-compliant endpoints, install any of the Trend Micro products included in the list.

    Rule: Antivirus version scan

    Description: Checks the Virus Pattern version for the products selected in "Antivirus product scan"

    Steps:

    1. Click the icon before the rule name.

    2. Set the pattern version requirement. You can require endpoints to have the latest pattern version, or 1, 2, 3, or 4 versions older than the latest version.

    3. To check the latest and previous versions of the pattern for each product, click Pattern Release History.

    An endpoint that does not meet the requirement is considered non-compliant.

    Rule: Vulnerability scan

    Description: Checks whether the endpoint has the patches for the following security vulnerability types:

    • Highly critical vulnerabilities

    • Critical vulnerabilities

    • Important vulnerabilities

    • Moderate-risk vulnerabilities

    • Low-risk vulnerabilities

    Steps:

    1. Click the icon before the rule name.

    2. Hover over the tooltip to view details about a vulnerability type.

    3. Select the vulnerabilities to monitor. You have two options when selecting vulnerabilities:

    • Select the check box next to the vulnerability type to select all the known vulnerabilities under this type.

    • Click the vulnerability type and then select individual vulnerabilities from the list that displays. For vulnerabilities to Microsoft products, a Vulnerability Information link directs you to the Microsoft website.

    • If Scheduled Update is enabled, Threat Mitigator automatically updates the list with each newly announced vulnerability. If you select individual vulnerabilities, check the web console periodically for new vulnerabilities and select the ones that you wish to monitor.

    An endpoint that is missing the patch for any of the selected vulnerabilities is considered non-compliant.

    Rule: Registry key scan

    Description: Checks for missing or prohibited registry keys on the endpoint

    Steps:

    1. Before configuring settings, record the registry key paths. Optionally record the registry key names, types, and values. The paths can be obtained by right-clicking the key from the Registry Editor screen and clicking Copy Key Name. The names, types, and values can be obtained from the table on the right side of the screen.

    2. Click Add.

    3. Type a display name.

    4. Specify whether the registry key is required or prohibited.

    5. Type the registry key path.

    6. (Optional) Type the registry key name.

    7. (Optional) Specify the registry key type and type its value.

    8. Click OK.

    An endpoint that lacks a required registry key or has a prohibited registry key is considered non-compliant.

    • If you change settings for security assessment rules, wait several minutes before checking the assessment result for registry key scan. Compared to the other rules, registry key scan takes longer to complete.

  2. For each selected rule, select the action on non-compliant endpoints.

    Actions on non-compliant endpoints

    Action: Quarantine

    Description: A quarantined endpoint will have limited or no access to the Internet and network resources.

    Threat Management Agent assesses the endpoint’s security posture regularly and notifies Threat Mitigator if compliance has been achieved.

    When an endpoint is finally compliant, Threat Mitigator notifies the enforcement device to release the endpoint from quarantine.

    Action: Log only

    Description: When the action is "log only", a non-compliant endpoint will continue to have access to the Internet and network resources.

  3. Click Save.
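As an added example (not Threat Mitigator's own code or the product's API), the following Python models how the four assessment rules above combine into a single compliance verdict and how that verdict selects the configured action. The product name, pattern versions, patch identifiers and registry paths are constructed placeholders, and skipping the version check when the product check has already failed is an assumption about the rule ordering, not something the documentation states.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Threat Mitigator's code: evaluate the security assessment
# rules against an endpoint snapshot and map the verdict to the chosen action.
# All product names, versions, patch IDs and registry paths are constructed.

@dataclass
class RegistryRule:
    display_name: str
    required: bool              # True: key must exist; False: key is prohibited
    path: str
    name: Optional[str] = None  # optional value name under the key
    value: object = None        # optional expected data (type checking omitted)

@dataclass
class Policy:
    allowed_av_products: set    # products selected in "Antivirus product scan"
    max_pattern_age: int        # 0 = latest only, 1..4 = that many versions older
    pattern_history: list       # pattern versions, newest first
    required_patches: set       # selected vulnerabilities, as patch IDs
    registry_rules: list
    action: str                 # "quarantine" or "log only"

@dataclass
class Endpoint:
    hostname: str
    av_product: Optional[str]
    av_pattern: Optional[str]
    installed_patches: set
    registry: dict              # key path -> {value name: data}

def check_av_product(policy, ep):
    return ep.av_product in policy.allowed_av_products

def check_av_version(policy, ep):
    # Compliant if the pattern is the latest or at most max_pattern_age releases behind it.
    if ep.av_pattern not in policy.pattern_history:
        return False
    return policy.pattern_history.index(ep.av_pattern) <= policy.max_pattern_age

def missing_patches(policy, ep):
    return sorted(policy.required_patches - ep.installed_patches)

def registry_violations(policy, ep):
    """Return (missing required keys, present prohibited keys) by display name."""
    missing, prohibited = [], []
    for rule in policy.registry_rules:
        present = rule.path in ep.registry
        if present and rule.name is not None:
            present = rule.name in ep.registry[rule.path]
            if present and rule.value is not None:
                present = ep.registry[rule.path][rule.name] == rule.value
        if rule.required and not present:
            missing.append(rule.display_name)
        elif not rule.required and present:
            prohibited.append(rule.display_name)
    return missing, prohibited

def assess(policy, ep):
    """Violating any rule makes the endpoint non-compliant and triggers the action."""
    violated = []
    if not check_av_product(policy, ep):
        violated.append("Antivirus product scan")
    elif not check_av_version(policy, ep):   # assumption: only checked for a selected product
        violated.append("Antivirus version scan")
    if missing_patches(policy, ep):
        violated.append("Vulnerability scan")
    missing, prohibited = registry_violations(policy, ep)
    if missing or prohibited:
        violated.append("Registry key scan")
    return {
        "hostname": ep.hostname,
        "compliant": not violated,
        "violated": violated,
        "action": policy.action if violated else "none",
    }

AGENT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent"   # constructed path

POLICY = Policy(
    allowed_av_products={"ExampleAV"},
    max_pattern_age=2,
    pattern_history=["9.105.00", "9.103.00", "9.101.00", "9.099.00"],
    required_patches={"PATCH-001", "PATCH-002"},
    registry_rules=[
        RegistryRule("Agent installed", True, AGENT_KEY),
        RegistryRule("Agent enabled", True, AGENT_KEY, "Enabled", 1),
        RegistryRule("Banned tool present", False, r"HKEY_LOCAL_MACHINE\SOFTWARE\BannedTool"),
    ],
    action="quarantine",
)

# Constructed endpoint snapshots: one compliant, one violating three rules.
COMPLIANT = Endpoint("ws-01", "ExampleAV", "9.103.00", {"PATCH-001", "PATCH-002"},
                     {AGENT_KEY: {"Enabled": 1}})
NONCOMPLIANT = Endpoint("ws-02", "ExampleAV", "9.099.00", {"PATCH-001"},
                        {AGENT_KEY: {"Enabled": 0},
                         r"HKEY_LOCAL_MACHINE\SOFTWARE\BannedTool": {}})

if __name__ == "__main__":
    for ep in (COMPLIANT, NONCOMPLIANT):
        print(assess(POLICY, ep))
```

The prohibited-key rule is the part worth noticing when you write your own rules: a prohibited key that carries a value name and value matches only when that exact value is present, so a tool that is installed but configured differently would not be flagged by such a rule; use a path-only prohibited rule when mere presence of the key should count.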

Actions on Endpoints with Unresolved Threats

After running Post-assessment Cleanup, an endpoint with unresolved threats continues to have access to the network and the Internet. Security enforcement adds another level of protection by quarantining the endpoint to prevent it from infecting other endpoints.

When all threats have been eliminated from the quarantined endpoint, manually release it from quarantine from the Threat Management screen. For details, see Threat Management.

  1. In the Post-assessment Cleanup section, select the check boxes to quarantine endpoints if:

  2. Click Save.

Administrator and Endpoint User Notifications

Notifications inform you and endpoint users about security assessment events that require your attention.

As an administrator, you receive notifications about non-compliant endpoints through email. The email contains information about the endpoint, the assessment rule the endpoint violated, and recommended actions. The messages in the email cannot be customized.

Endpoint users receive notifications when the following events occur:

Notifications display in a popup window and in a web blocking page. The popup window informs users that the endpoint has been quarantined. The blocking page contains the reason for quarantine and recommended actions. You can customize the messages in the popup window and blocking page.

  1. In the Administrator Notifications section, choose to send an email when a non-compliant endpoint is detected.

  2. In the Endpoint User Notifications section, modify the content of the blocking page by performing the following steps:

    1. Click Edit Template after Display a blocking page on quarantined endpoints.

    2. In the first text box, type a general statement. You can leave this text box blank.

    3. Type the message for each rule. You can include the following variables in the message:

      Available variables for use in notifications

      Variable                        Description
      <%=ID%>                         Threat Management Agent's GUID
      <%=LAST_CONNECTED_TIME%>        The last time Threat Management Agent sent a heartbeat message to Threat Mitigator
      <%=LAST_REPORTED_TIME%>         Threat Management Agent's last assessment report time
      <%=IP%>                         The endpoint's IP address
      <%=MAC%>                        The endpoint's MAC address
      <%=HOSTNAME%>                   The endpoint's host name
      <%=USERNAME%>                   The user name used to log on to the endpoint
      <%=OS%>                         The endpoint's operating system
      <%=SERVER_IP%>                  Threat Mitigator's IP address
      <%=SERVER_HOSTNAME%>            Threat Mitigator's host name
      <%=DATETIME%>                   The date and time the blocking page displayed
      <%=AV_PRODUCT%>                 Name of the antivirus product installed in the endpoint (use this variable in the Antivirus Product Scan message)
      <%=AV_PATTERN_VER%>             The Virus Pattern version (use this variable in the Antivirus Version Scan message)
      <%=AV_LATEST_PATTERN_VER%>      The latest Virus Pattern version (use this variable in the Antivirus Version Scan message)
      <%=AV_BASELINE_PATTERN_VER%>    The baseline Virus Pattern version (use this variable in the Antivirus Version Scan message)
      <%=VA_PATCH_REQUIRE%>           A list of required patches missing in the endpoint (use this variable in the Vulnerability Scan message)
      <%=REG_KEY_MISSING%>            A list of required registry keys missing in the endpoint (use this variable in the Registry Key Scan message)
      <%=REG_KEY_EXIST%>              A list of prohibited registry keys existing in the endpoint (use this variable in the Registry Key Scan message)

  3. In the Endpoint User Notifications section, select whether to display a popup window on quarantined endpoints.

    1. Select the check box before An endpoint is quarantined.

    2. To modify the message, click Edit Template, type a message in the text box, and click Save.

  4. In the Endpoint User Notifications section, select whether to display a popup window when an endpoint is released from quarantine.

    1. Select the check box before An endpoint is released from quarantine.

    2. To modify the message, click Edit Template, type a message in the text box, and click Save.

  5. Click Save.
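As an added example (not part of the original documentation and not the product's own template engine), this Python snippet renders a blocking-page message using the variable syntax listed above, reports variables that are not valid in a given rule's message, and HTML-escapes every substituted value before it lands in the web page, because values such as the host name and user name originate on the endpoint being assessed. The regular expression, the rendering of absent variables as empty text and of empty lists as "none", and all sample values are assumptions.

```python
import html
import re

# Added example, not Threat Mitigator's code: render blocking-page messages
# that use the documented <%=VARIABLE%> placeholders.

# Variables valid in every rule's message.
COMMON_VARS = {
    "ID", "LAST_CONNECTED_TIME", "LAST_REPORTED_TIME", "IP", "MAC", "HOSTNAME",
    "USERNAME", "OS", "SERVER_IP", "SERVER_HOSTNAME", "DATETIME",
}

# Variables that are only meaningful in one rule's message.
RULE_VARS = {
    "Antivirus Product Scan": {"AV_PRODUCT"},
    "Antivirus Version Scan": {"AV_PATTERN_VER", "AV_LATEST_PATTERN_VER",
                               "AV_BASELINE_PATTERN_VER"},
    "Vulnerability Scan": {"VA_PATCH_REQUIRE"},
    "Registry Key Scan": {"REG_KEY_MISSING", "REG_KEY_EXIST"},
}

# Assumed placeholder syntax: "<%=" NAME "%>", whitespace tolerated.
VAR_RE = re.compile(r"<%=\s*([A-Z_]+)\s*%>")

def invalid_variables(rule, template):
    """Variables used in the template that are not allowed in this rule's message."""
    allowed = COMMON_VARS | RULE_VARS[rule]
    return sorted({v for v in VAR_RE.findall(template) if v not in allowed})

def render(template, values):
    """Substitute placeholders; lists become comma-separated; all data is HTML-escaped."""
    def substitute(match):
        value = values.get(match.group(1))
        if value is None:
            return ""                     # assumption: no data -> empty text
        if isinstance(value, (list, tuple, set)):
            value = ", ".join(str(v) for v in sorted(value)) or "none"  # assumption
        return html.escape(str(value))    # endpoint-supplied data must not become markup
    return VAR_RE.sub(substitute, template)

# Constructed sample: a Registry Key Scan message and one endpoint's data.
REGISTRY_TEMPLATE = (
    "Endpoint <%=HOSTNAME%> (<%=IP%>) was quarantined at <%=DATETIME%>. "
    "Missing required keys: <%=REG_KEY_MISSING%>. "
    "Prohibited keys found: <%=REG_KEY_EXIST%>."
)
SAMPLE_VALUES = {
    "HOSTNAME": "ws-02",
    "IP": "192.0.2.17",
    "DATETIME": "2024-01-01 09:00:00",
    "REG_KEY_MISSING": [r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent"],
    "REG_KEY_EXIST": [],
}

if __name__ == "__main__":
    print(invalid_variables("Registry Key Scan", REGISTRY_TEMPLATE))      # []
    print(invalid_variables("Registry Key Scan", "<%=AV_PRODUCT%>"))      # ['AV_PRODUCT']
    print(render(REGISTRY_TEMPLATE, SAMPLE_VALUES))
```

Run the validation step whenever a template is edited: a rule-specific variable pasted into the wrong rule's message renders as empty text at best, which leaves the user with a blocking page that names no cause.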
