![]() |
WARNINGDo not enable Auto apply core Endpoint & Workload rules when using classic recommendation scan.
|
During a classic recommendation scan, agents scan the following:
- Installed applications
- Windows registry
- Open ports
- Directory listing
- File system
- Running processes and services
- Environment variables
- Users
Scan limitations
Technical and logical limitations can cause inaccurate or missing recommendations
for some types of software.
-
Classic recommendation scans do not include the following:
-
Web application protection rules.
-
On Windows systems, OpenSSL rules which an application uses internally. The scanner can only make recommendations for OpenSSL if you explicitly install it.
-
-
The scanner may recommend unnecessary rules for the following technologies:
- Red Hat JBoss
- Eclipse Jetty
- Apache Struts
- Oracle WebLogic
- WebSphere
- Oracle Application Testing Suite
- Oracle Golden Gate
- Nginx
- Adobe Flash Player plug-in for Chrome - Recommendations are based on the Chrome version.
- A content management system (CMS) and any CMS plugins - For a web server with PHP, the scan recommends all intrusion prevention rules related to the CMS.
-
On Linux systems:
- If web browsers are the only applicable vector for Java-related vulnerabilities, the scanner does not recommend such rules.
-
On Unix or Linux systems:
-
The classic recommendation scan engine might have trouble detecting software that is not installed through the operating system's default package manager. Applications installed using standard package managers do not have this problem.
-
Recommendations do not include rules for desktop application vulnerabilities or local vulnerabilities. For example, browsers and media players.
-
Run a classic recommendation scan
Run recommendation scans on a regular basis (the best practice is weekly) because any change to your environment
can affect rule recommendations. Ideally, schedule recommendation scans soon after
Trend Micro releases new intrusion prevention rules each Tuesday. The use of system resources,
including central processing unit (CPU) cycles, memory, and network bandwidth, increases
during a classic recommendation scan, so schedule the scans at non-peak times. After
running a recommendation scan, alerts appear on all computers that have recommendations.
![]() |
NoteYou need a Endpoint & Workload
Security license to run recommendation scans.
|
You can run recommendation scans using any of the following methods:
Procedure
- Create a scheduled task that runs recommendation scans according to a schedule that you configure. You can
assign the scheduled task to all computers, one individual computer, a defined computer
group, or all computers protected by a particular policy.
Note
Scheduled tasks and ongoing scans can run classic recommendation scans independently with their own settings. Use either the scheduled tasks or ongoing scans, but not both. - Configure an ongoing scan policy to scan a group of computers for recommendations on a regular basis. You can also configure ongoing scans for individual computers. This type of scan checks the time that the last scan occurred and waits a configured interval to scan. This results in recommendation scans occurring at different times in your environment. Ongoing scans are helpful in environments where an agent might be online for short or intermittent periods. For example, cloud environments that build and decommission instances frequently.
- Manually run a single recommendation scan on one or more computers. A manual scan is useful if you recently made significant platform or application changes and want to force a check for new recommendations instead of waiting for a scheduled task.
- Use the Server & Workload Protection command-line interface (CLI) to initiate a classic recommendation scan. See Command-line utilities.
- Use the Server & Workload Protection application programming interface (API) to initiate a classic recommendation scan. See How to use the Server & Workload Protection REST API.
The results of the latest recommendation scan appear on the General tab of the Intrusion
Prevention, Integrity Monitoring, or Log Inspection protection module.
Schedule a recommendation scan
![]() |
TipFor large deployments, use policies to perform classic recommendation scans.
|
Procedure
- On the Server & Workload Protection console, go to .
- Select to display the New Scheduled Task wizard.
- Select .
- Select how often you want the scan to occur then click Next.
- Specify the scan frequency based on your selection then click Next.
- Select the computers to scan then click Next.
- Name the new scheduled task.
- To immediately run the scan, select Run Task on Finish.
- Click Finish.
The results of the latest recommendation scan appear on the General tab of the Intrusion
Prevention, Integrity Monitoring, or Log Inspection protection module.
Configure an ongoing recommendation scan
![]() |
TipFor large deployments, use policies to perform classic recommendation scans.
|
Procedure
- On the Server & Workload Protection console, open the editor:
- For an individual Computer.
- For all computers that are using a Policy.
- Click Settings.
- On the General tab, under Recommendations, use Perform ongoing Recommendation Scans to enable or disable ongoing classic recommendation scans. This setting is inheritable. See Policies, inheritance, and overrides.
- Specify how often the scans occur using Ongoing Scan Interval. This setting is inheritable. See Policies, inheritance, and overrides.
The results of the latest recommendation scan appear on the General tab of the Intrusion
Prevention, Integrity Monitoring, or Log Inspection protection module.
Manually run a classic recommendation scan
Procedure
- On the Server & Workload Protection console, go to Computers.
- Select the computers you want to scan.
- Click .
The results of the latest recommendation scan appear on the General tab of the Intrusion
Prevention, Integrity Monitoring, or Log Inspection protection module.
Cancel a classic recommendation scan
You can cancel a classic recommendation scan before it starts running.
Procedure
- On the Server & Workload Protection console, go to Computers.
- Select the computers where you want to cancel the scans.
- Click .
Additional rules for common vulnerabilities
Recommendation scans provide a good starting point for establishing a list of rules that you should implement,
but some additional rules for common vulnerabilities are not identified by recommendation
scans because must be carefully configured and tested before being implemented in
prevent (block) mode. Trend Micro recommends that you configure and test these rules, then manually enable them in
your policies or individual computers.
The table below includes the most common additional rules you should configure. You
can find others in Server & Workload Protection by searching for rules whose type is Smart or Policy.
Rule name
|
Application type
|
1007598 - Identified Possible Ransomware File Rename Activity Over Network Share
|
DCERPC Services
|
1007596 - Identified Possible Ransomware File Extension Rename Activity Over Network
Share
|
DCERPC Services
|
1006906 - Identified Usage Of PsExec Command Line Tool
|
DCERPC Services
|
1007064 - Executable File Uploaded On System32 Folder Through SMB Share
|
DCERPC Services
|
1003222 - Block Administrative Share
|
DCERPC Services
|
1001126 - DNS Domain Blocker
|
DNS Client
|
1000608 - Generic SQL Injection Prevention
See Configure an SQL injection prevention rule for details.
|
Web Application Common
|
1005613 - Generic SQL Injection Prevention - 2
|
Web Application Common
|
1000552 - Generic Cross Site Scripting (XSS) Prevention
|
Web Application Common
|
1006022 - Identified Suspicious Image With Embedded PHP Code
|
Web Application Common
|
1005402 - Identified Suspicious User Agent In HTTP Request
|
Web Application Common
|
1005934 - Identified Suspicious Command Injection Attack
|
Web Application Common
|
1006823 - Identified Suspicious Command Injection Attack - 1
|
Web Application Common
|
1005933 - Identified Directory Traversal Sequence In Uri Query Parameter
|
Web Application Common
|
1006067 - Identified Too Many HTTP Requests With Specific HTTP Method
|
Web Server Common
|
1005434 - Disallow Upload Of A PHP File
|
Web Server Common
|
1003025 - Web Server Restrict Executable File Uploads
|
Web Server Common
|
1007212 - Disallow Upload Of An Archive File
|
Web Server Common
|
1007213 - Disallow Upload Of A Class File
|
Web Server Common
|
Troubleshooting classic recommendation scan
The following tips can help you troubleshoot classic recommendation scans:
-
Monitor the CPU and memory resources on the server. If the memory or CPU becomes exhausted during scanning, increase the resources.
-
For communication issues, protocol error often appears in the body of the error message. To resolve this issue, ensure that you are using agent-initiated communication. See Activate and protect agents using agent-initiated activation and communication.
-
If you receive a Recommendation Scan Failure message on your server, create a diagnostic package from the agent and contact support.