A suspicious object is a known malicious or potentially malicious IP address, domain, or URL found in submitted samples or defined by a user.

Cloud Edge Cloud Console can pull a list of up to 500 suspicious objects from Worry Free Business Security Services (WFBSS) through Trend Micro Remote Manager. Cloud Edge pulls both the User-Defined Suspicious Objects list and Virtual Analyzer Suspicious Objects list.

Cloud Edge can either block or not block a suspicious object. The block action setting is initially derived from the WFBSS Scan Action setting: if the Scan Action is Log Only, the Cloud Edge setting is not block. If you change the block action on Cloud Edge, that change is not synchronized back to WFBSS. In addition, the Cloud Edge Approved and Blocked list settings override the block action in the suspicious objects list.

Performing the following actions on WFBSS will affect the suspicious objects list on Cloud Edge.

Table 1.

| Change on WFBSS | Automatic Change on Cloud Edge |
| --- | --- |
| Add a new Virtual Analyzer or user-defined Suspicious object | Add the new Virtual Analyzer or user-defined Suspicious object |
| Edit Scan Action for a suspicious object to Log Only | Edit Block action for the suspicious object to not block |
| Edit Scan Action for a suspicious object to Block | Update Block action for the suspicious object to block |
| Add a suspicious object to the Exception list | Remove the suspicious object from the suspicious objects list |
| Remove a suspicious object from the Exception list | Add the suspicious object to the suspicious objects list |
| Set expiration time to Never Expire for a suspicious object | Update expire time to Never Expire for the suspicious object |
| Edit expire time of a suspicious object | Update expire time of the suspicious object |
| Remove a suspicious object from the list | Remove the suspicious object from the list |
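The precedence rules above (block action derived from the WFBSS Scan Action, local block changes not synchronized back, Approved/Blocked lists overriding the list, the 500-object limit, and the automatic changes in Table 1) are easier to reason about as a small model. The following is an added illustration written for this page, not Trend Micro code: the `WFBSS` and `CloudEdge` classes, their method names, and the sample IP address are assumptions made here. One behaviour the page leaves open is also modelled as an assumption: a block action changed locally on Cloud Edge is kept until the Scan Action for that object changes on WFBSS, at which point Table 1 says the block action is updated.

```python
"""Model of the WFBSS-to-Cloud Edge suspicious object sync rules.

Added example, not Trend Micro code. Class, method and field names are
assumptions; only the rules themselves come from the documentation.
"""
from dataclasses import dataclass, replace
from typing import Optional

MAX_SUSPICIOUS_OBJECTS = 500  # Cloud Edge pulls at most 500 objects


@dataclass
class SuspiciousObject:
    value: str                 # the IP address, domain or URL
    obj_type: str              # "IP Address", "Domain" or "URL"
    source: str                # "User-Defined" or "Virtual Analyzer"
    risk_level: str
    scan_action: str           # WFBSS Scan Action: "Block" or "Log Only"
    expiration: Optional[str] = None  # None models "Never Expire"


class WFBSS:
    """Minimal stand-in for the WFBSS side of the sync (assumption)."""

    def __init__(self) -> None:
        self.objects: dict[str, SuspiciousObject] = {}
        self.exceptions: set[str] = set()

    def visible_objects(self) -> list[SuspiciousObject]:
        # Objects on the WFBSS Exception list are not part of the pulled list.
        return [o for v, o in self.objects.items() if v not in self.exceptions]


class CloudEdge:
    """Cloud Edge's copy of the list plus its own Approved and Blocked lists."""

    def __init__(self) -> None:
        self.objects: dict[str, SuspiciousObject] = {}
        self.block_action: dict[str, bool] = {}   # the Block Action checkbox
        self.approved: set[str] = set()
        self.blocked: set[str] = set()

    def pull(self, wfbss: WFBSS) -> None:
        """Apply the automatic changes listed in Table 1."""
        incoming = {o.value: o for o in wfbss.visible_objects()[:MAX_SUSPICIOUS_OBJECTS]}
        # Removed on WFBSS, or added to its Exception list: drop the object here.
        for value in list(self.objects):
            if value not in incoming:
                del self.objects[value]
                del self.block_action[value]
        for value, obj in incoming.items():
            block = obj.scan_action == "Block"
            if value not in self.objects:
                # New object: block action follows the WFBSS Scan Action.
                self.block_action[value] = block
            elif self.objects[value].scan_action != obj.scan_action:
                # Scan Action edited on WFBSS: block action is updated (Table 1).
                self.block_action[value] = block
            # Expiration (including Never Expire) always follows WFBSS.
            self.objects[value] = replace(obj)

    def set_block_action(self, value: str, block: bool) -> None:
        """Operator changes the checkbox on Cloud Edge; WFBSS is not updated."""
        self.block_action[value] = block

    def effective_action(self, value: str) -> str:
        """Resolve what Cloud Edge does with traffic matching `value`."""
        if value in self.approved:
            return "allow"        # Approved list overrides the suspicious object
        if value in self.blocked:
            return "block"        # Blocked list overrides the suspicious object
        if value not in self.objects:
            return "no match"
        return "block" if self.block_action[value] else "not block"


def demo() -> dict[str, str]:
    """Walk one constructed object through the sync rules; returns each outcome."""
    wfbss, edge = WFBSS(), CloudEdge()
    # Constructed sample: a documentation-range IP, not a real indicator.
    obj = SuspiciousObject("198.51.100.7", "IP Address", "Virtual Analyzer", "High", "Log Only")
    wfbss.objects[obj.value] = obj
    results = {}
    edge.pull(wfbss)
    results["added_log_only"] = edge.effective_action(obj.value)
    wfbss.objects[obj.value].scan_action = "Block"
    edge.pull(wfbss)
    results["scan_action_block"] = edge.effective_action(obj.value)
    edge.set_block_action(obj.value, False)          # local change on Cloud Edge
    results["wfbss_after_local_change"] = wfbss.objects[obj.value].scan_action
    edge.pull(wfbss)                                 # no Scan Action change on WFBSS
    results["local_change_kept"] = edge.effective_action(obj.value)
    edge.blocked.add(obj.value)
    results["blocked_list_override"] = edge.effective_action(obj.value)
    edge.blocked.discard(obj.value)
    edge.approved.add(obj.value)
    results["approved_list_override"] = edge.effective_action(obj.value)
    edge.approved.discard(obj.value)
    wfbss.exceptions.add(obj.value)                  # added to WFBSS Exception list
    edge.pull(wfbss)
    results["after_exception"] = edge.effective_action(obj.value)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running `demo()` shows the order in which the settings win: the Approved and Blocked lists are consulted before the suspicious objects list, a local block change survives syncs that do not touch that object's Scan Action, and an object placed on the WFBSS Exception list disappears from Cloud Edge on the next pull.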

The table on Cloud Edge containing the suspicious objects has the following information:

  • Object: The suspicious object

  • Type: The type of suspicious object, such as IP Address, Domain, or URL

  • Source: The source of the suspicious object, such as User-Defined, or Virtual Analyzer

  • Risk Level: The risk level of the suspicious object

  • Block Action: The block action for the suspicious object. When the box is checked, the action is block.

  • Expiration: The expiration date for the suspicious object

The following features are available when the suspicious objects setting is enabled:

  • Top Threat Detections widget: Located in the Security Status tab of the Dashboard, this widget shows the number of detected suspicious objects.

  • Analysis & Reports > Log Analysis > Internet Security: This screen has an option for Suspicious Objects under Message Type.

  • Analysis & Reports > Log Analysis > Internet Security: Perform a raw log query on this screen to view the following details:

    • Columns containing the URL, server IP, and domain of the blocked suspicious object

    • A Detail column containing the URL, IP address, or domain that matched the suspicious object

  • Analysis & Reports > Reports > Internet Security: This screen contains the following reports:

    • Top N Users Detected by Suspicious Objects

    • Top N Groups Detected by Suspicious Objects

  • Policies > User Notifications: This screen provides an option for Suspicious Objects Violation under Notification Events.