User-provided Reputation entries to the Reputation Database represent IP addresses, domain names, URLs, and file hashes that are known to be malicious or that are otherwise listed for specific handling by reputation filters.
The Reputation Database has been extended to include entries based on file hashes. You can add as many as 35,000 file hashes, each either SHA-1 or SHA-256 (but not both for the same file). Hashes can be for files of any type except the following categories, which are generally lower-risk files and/or files that can degrade performance:
  • HTML
  • Audio or video
  • Font
  • Files larger than 50 MB
The SMS can pull file hash entries from Trend Vision One, or entries can be added or imported through the SMS Client, the SMS API, or the SMS STIX/TAXII integration. File hash entries can be encrypted (if SSL/TLS inspection is enabled), compressed, uncompressed, and chunked. If reputation filters matching more than 35,000 file hash entries are distributed to the device, the TPS ignores the excess entries and generates a system log error.
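The limits above can be checked before a hash list is submitted, so that entries are not silently dropped on the device. The following Python script is an added example, not Trend Micro code and not the SMS import format; the record fields (`file_id`, `hash`, `size`, `mime`), the MIME prefixes standing in for the excluded categories, and reading 50 MB as 50 MiB are assumptions.

```python
import hashlib
import re

MAX_HASH_ENTRIES = 35_000          # file hash limit stated on this page
MAX_FILE_BYTES = 50 * 1024 * 1024  # assumption: "50 MB" read as 50 MiB
# Assumption: MIME prefixes standing in for the HTML, audio/video and font categories.
EXCLUDED_MIME = ("text/html", "audio/", "video/", "font/")
ALGO_BY_LENGTH = {40: "SHA-1", 64: "SHA-256"}

def check_candidates(candidates, limit=MAX_HASH_ENTRIES):
    """Split candidates into (accepted, rejected); rejected holds (candidate, reason)."""
    accepted, rejected = [], []
    seen_hashes, algo_by_file = set(), {}
    for c in candidates:
        digest = c["hash"].strip().lower()
        is_hex = re.fullmatch(r"[0-9a-f]+", digest) is not None
        algo = ALGO_BY_LENGTH.get(len(digest)) if is_hex else None
        if algo is None:
            reason = "not a SHA-1 or SHA-256 hex digest"
        elif c["size"] > MAX_FILE_BYTES:
            reason = "file larger than 50 MB"
        elif c["mime"].startswith(EXCLUDED_MIME):
            reason = "excluded file category"
        elif digest in seen_hashes:
            reason = "duplicate hash"
        elif algo_by_file.get(c["file_id"], algo) != algo:
            reason = "file already listed under the other hash type"
        elif len(accepted) >= limit:
            reason = f"over the {limit}-entry limit"
        else:
            seen_hashes.add(digest)
            algo_by_file[c["file_id"]] = algo
            accepted.append({**c, "hash": digest, "algo": algo})
            continue
        rejected.append((c, reason))
    return accepted, rejected

# Constructed sample: digests of made-up byte strings, not real indicators.
_a, _b, _bin = b"constructed sample A", b"constructed sample B", "application/octet-stream"
SAMPLE = [
    {"file_id": "a.exe", "hash": hashlib.sha256(_a).hexdigest(), "size": 4096, "mime": _bin},
    {"file_id": "a.exe", "hash": hashlib.sha1(_a).hexdigest(), "size": 4096, "mime": _bin},
    {"file_id": "b.html", "hash": hashlib.sha1(_b).hexdigest(), "size": 512, "mime": "text/html"},
    {"file_id": "c.iso", "hash": hashlib.sha256(b"C").hexdigest(), "size": 60 * 2**20, "mime": _bin},
    {"file_id": "d.bin", "hash": "not-a-hash", "size": 10, "mime": _bin},
]
```

Calling `check_candidates(SAMPLE)` accepts only the first record; the rejection reasons show which rule each remaining record violates.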
Note
Currently, only the HTTP/1.1 protocol is supported for file hash reputation. Any HTTP/2 traffic must be downgraded to HTTP/1.1.
Entries in the Reputation Database can be tagged or untagged. Untagged entries contain only an address and function as a user-defined list of sites to block. A CIDR counts as a single entry.
The time it takes before users begin to see their imported entries appear in the SMS interface depends on a number of factors:
  • The number of user entries being added.
  • The number of user entries that already exist.
  • The congestion of the reputation processing queue.
In a typical scenario—a few hundred entries contained in the file import, fewer than 100K user entries already on the system, and an empty reputation processing queue—entries can begin to appear in the SMS interface in as little as a minute. However, processing time increases with the number of user entries and the number of tasks staged in the processing queue, which could include profile distributions and full Reputation DV feeds. In fact, entries cannot be imported until previously existing tasks in the queue have been completed.
When a Reputation entry is added to the database, you can associate one or more tag categories. For existing entries, you can add or remove one or more associated tag categories. When you associate a tag category with a Reputation entry, you must also specify one or more of the possible values for that tag category. Reputation entries are used to create filters. See Reputation filters.