Suspicious Objects use intelligence gathered from your Deep Discovery devices and your TippingPoint devices to block malware and other infections. In addition to preventing infections and disrupting malware communications, this integrated environment protects critical resources and isolates infected resources. Suspicious Objects also use data provided by the Deep Discovery and the Reputation Database.
When your Deep Discovery device detects a threat, it alerts your TippingPoint IPS and TPS devices by forwarding threat intelligence to the SMS. To view the Suspicious Objects on the SMS, select Profiles > Reputation Database > Search Entries. Under Tag Criteria, select Trend Micro Detection Category with a tag value of is any of Suspicious Object, and then click Search.
You can use reputation filters to set policies that monitor or block access to discovered Suspicious Objects. When you create the reputation filters, include criteria from the following tag categories:
  • Trend Micro Detection Category
  • Trend Micro Publisher
  • Trend Micro Severity
  • Trend Micro Source
Requirements
Note the following prerequisites before any data can be displayed for Suspicious Objects:
  • Configure predefined tag categories. Learn more: Tag Categories
  • Enable HTTP Context from the Reputation filter. Select the Trend Micro Detection Category check box, and then select a Suspicious Object value. Select the Trend Micro Severity check box, and then select a value. Learn more: Create or edit a Reputation filter
  • Enable HTTP Context on the profile. Learn more: Create a new profile
To view Suspicious Objects on the SMS web management console, select Threat Insights > Suspicious Objects. The following information displays.
Object
IP address, host name, or URL, if available, of the suspicious object.
Severity
Severity identified for the suspicious object, based on the Trend Micro Severity tag category.
Learn more: Tag Categories
Action in Profiles
Every profile that is configured for Reputation has at least one reputation filter. For a profile to block or permit Suspicious Objects, its reputation filter must specify the following criteria:
  • Entry criteria that matches the predefined tag categories for Suspicious Objects. Learn more: Tag Categories
  • The filter is enabled.
  • The action is set to block or permit.
Your security policy, as it relates to Suspicious Objects, is expressed using the following categories:
  • Protected – All profiles configured for reputation block Suspicious Objects.
  • Partially protected – Some profiles configured for reputation block Suspicious Objects, and other profiles permit Suspicious Objects.
  • Monitored – All profiles configured for reputation permit Suspicious Objects.
  • Unprotected – Displays for any of the following reasons:
    • At least one profile is configured for reputation, but no filter is configured for Suspicious Objects on the SMS.
    • A reputation filter matches but it is disabled.
    • No profile is configured for reputation on the SMS.
If you see Unprotected, consider updating your security policy.
Learn more: Action sets
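The Action in Profiles status is derived from the reputation filters of every profile that has Reputation configured. The following Python is an added example, not code from the SMS or from Trend Micro, that encodes the four status rules above so you can audit an exported profile configuration offline. The ReputationFilter and Profile classes, the action strings, and the sample profiles are constructed for illustration; a filter is taken to cover Suspicious Objects when its tag criteria include Trend Micro Detection Category = Suspicious Object, and a reputation profile that has no enabled covering filter is read as leaving a gap (the stricter reading of the Unprotected rules).

```python
from dataclasses import dataclass, field
from typing import Optional

# Tag category and value that identify Suspicious Objects in the Reputation Database.
DETECTION_CATEGORY = "Trend Micro Detection Category"
SUSPICIOUS_OBJECT = "Suspicious Object"

# Action set names as this example models them (constructed; the "+ notify"
# permit variant is an assumption, only block / block + notify appear on the page).
BLOCK_ACTIONS = {"block", "block + notify"}
PERMIT_ACTIONS = {"permit", "permit + notify"}


@dataclass
class ReputationFilter:
    """One reputation filter of a profile (constructed model, not the SMS schema)."""
    name: str
    enabled: bool
    action: str
    tag_criteria: dict = field(default_factory=dict)  # tag category -> set of values

    def targets_suspicious_objects(self) -> bool:
        # Entry criteria must match the predefined Suspicious Object tag categories.
        return SUSPICIOUS_OBJECT in self.tag_criteria.get(DETECTION_CATEGORY, set())


@dataclass
class Profile:
    """An SMS profile with a Reputation section (constructed model)."""
    name: str
    reputation_configured: bool
    filters: list = field(default_factory=list)

    def effective_action(self) -> Optional[str]:
        """'block' or 'permit' from the first enabled filter covering Suspicious
        Objects; None when the only covering filters are disabled or absent."""
        for f in self.filters:
            if not f.targets_suspicious_objects() or not f.enabled:
                continue
            if f.action in BLOCK_ACTIONS:
                return "block"
            if f.action in PERMIT_ACTIONS:
                return "permit"
        return None


def suspicious_object_status(profiles) -> str:
    """Compute the Action in Profiles status for a set of SMS profiles."""
    rep_profiles = [p for p in profiles if p.reputation_configured]
    if not rep_profiles:
        return "Unprotected"  # no profile is configured for reputation
    actions = [p.effective_action() for p in rep_profiles]
    if any(a is None for a in actions):
        # A covering filter is disabled, or no filter covers Suspicious Objects
        # (assumption: any uncovered reputation profile makes the whole policy Unprotected).
        return "Unprotected"
    if all(a == "block" for a in actions):
        return "Protected"
    if all(a == "permit" for a in actions):
        return "Monitored"
    return "Partially protected"


def sample_profiles() -> dict:
    """Constructed scenarios, one per status, for a quick self-check."""
    so = {DETECTION_CATEGORY: {SUSPICIOUS_OBJECT}}
    blocking = ReputationFilter("SO block", True, "block + notify", so)
    permitting = ReputationFilter("SO permit", True, "permit", so)
    disabled = ReputationFilter("SO block (disabled)", False, "block", so)
    return {
        "protected": [Profile("edge", True, [blocking]), Profile("core", True, [blocking])],
        "mixed": [Profile("edge", True, [blocking]), Profile("core", True, [permitting])],
        "monitored": [Profile("edge", True, [permitting])],
        "disabled_filter": [Profile("edge", True, [disabled])],
        "no_reputation": [Profile("edge", False, [blocking])],
    }


def audit_samples() -> dict:
    """Map each constructed scenario name to its computed status."""
    return {name: suspicious_object_status(p) for name, p in sample_profiles().items()}


if __name__ == "__main__":
    for name, status in audit_samples().items():
        print(f"{name:16} -> {status}")
```

Any scenario that resolves to Unprotected or Monitored is the case the page tells you to revisit: switch the covering filter's action set to block or block + notify, or enable the filter that already matches.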
Last Hit Time
Date and time of the most recent inspection hit on the filter.
Blocked Hits
Number of times traffic was blocked by a filter and an event was generated.
Permitted Hits
Number of times traffic matched a filter and was permitted to flow through. If you see permitted hits, consider updating your security policy. You can change the action set to block or block + notify.
Learn more: Action sets