Threat Mitigation

Threat information received from data sources (such as Threat Discovery Appliance and OfficeScan client) prompts Threat Mitigator to issue mitigation tasks to the affected endpoints. Most mitigation tasks are carried out by Threat Management Agent, a program installed on an endpoint and managed by Threat Mitigator.

Threat mitigation tasks include:

Assessment

After receiving a mitigation request from a data source, Threat Mitigator notifies Threat Management Agent to assess the endpoint. During assessment, the agent checks the specific objects, processes, and network behavior connected to the suspicious activity. The agent then uses the Pattern-free Mitigation Engine and Template to stop suspicious processes and to disable and remove the targeted objects.

Post-assessment Cleanup

If the assessment confirms the presence of threats in the endpoint, Threat Management Agent runs post-assessment cleanup to eliminate threats. During cleanup, the agent leverages Trend Micro smart protection technology by using a lightweight pattern called Smart Scan Agent Pattern. This pattern is downloaded from Threat Mitigator. If the pattern is unable to determine the risk of a file, the agent sends a scan query to a smart protection source. For details about smart protection sources, see Smart Protection Technology.

Threat Management Agent reports the cleanup results to Threat Mitigator. The results are stored in the threat event logs, which you can view from the product console.

If threats remain unresolved after post-assessment cleanup and Security Enforcement is part of your protection strategy, Threat Mitigator notifies an enforcement device to quarantine the endpoint. A quarantined endpoint has limited or no access to the Internet and network resources. You can manually release an endpoint from quarantine at any time, but confirm that the remaining threats have been resolved before doing so.

Threat Analysis

Threat Management Agent collects forensic data with information about unresolved threats and sends the data to Threat Mitigator. Threat Mitigator then uploads the data to Threat Management Services Portal (TMSP).

TMSP monitors endpoints that require further mitigation. It is available as a Trend Micro hosted service and as an on-premise application that you can install on a bare metal server or a virtual machine.

If you have TMSP as a hosted service, a Trend Micro security expert will inform you about the unresolved threats, and will ask you to submit a case so that the threat can be analyzed. After the analysis, Trend Micro provides a pattern file to address the threat.

If you have TMSP as an on-premise application, perform case submission from the Threat Management screen and then log on to TMSP’s administrative console for information on unresolved threats. You can then send the information to Trend Micro for analysis and wait for the pattern file.

Pattern Deployment and Custom Cleanup

Run custom cleanup to eliminate unresolved threats. Any of the patterns listed in the table Pattern files that can be used during custom cleanup can be used for this task.

Pattern files that can be used during custom cleanup

Pattern type: Custom pattern

Description: Trend Micro creates a custom pattern in response to a particular threat.

Custom patterns are deployed through TMSP. If you have TMSP as a hosted service, a security expert at Trend Micro uploads the pattern to TMSP. If you have TMSP as an on-premise application, obtain the pattern from Trend Micro and then upload it to TMSP.

The availability of custom patterns depends on your service agreement with Trend Micro. Contact your Trend Micro representative for details about your service agreement.

Threat Mitigator keeps 5 custom patterns by default.

Pattern type: Smart protection patterns

Description: If custom patterns are not available to you, newer versions of smart protection patterns (either Smart Scan Agent Pattern or Smart Scan Pattern, or both) may be able to eliminate unresolved threats. Smart protection patterns are regularly updated to respond to the latest threats and are released through the Trend Micro ActiveUpdate server. These patterns are continuously available for download as long as the product license is valid. Information about specific pattern versions that can be used to run custom cleanup can be obtained from Trend Micro.

When a custom pattern or smart protection patterns become available, the following process is initiated:

Pattern deployment and custom cleanup process

Step 1

  If using a custom pattern: Threat Mitigator automatically downloads the custom pattern from TMSP.

  If using smart protection patterns: If scheduled updates are enabled, Threat Mitigator updates the Smart Scan Agent Pattern, while the Smart Protection Server updates the Smart Scan Pattern.

  • Manually update the patterns if scheduled updates are disabled.

Step 2 (either pattern type)

  If automatic pattern deployment is enabled, Threat Mitigator deploys the custom pattern or Smart Scan Agent Pattern to the affected endpoint.

  If automatic pattern deployment is disabled, manually deploy the pattern from the Threat Management screen. When you click the Require custom cleanup link on the screen, the pattern version is displayed.

  • You can enable or disable automatic pattern deployment from the Mitigation Tasks screen.

Step 3 (either pattern type)

  Threat Mitigator notifies Threat Management Agent to run custom cleanup using the custom pattern or Smart Scan Agent Pattern.

  • If the Smart Scan Agent Pattern cannot verify the risk of a file, the agent queries the Smart Scan Pattern.

Step 4 (either pattern type)

  The agent reports the cleanup results to Threat Mitigator.
