If your agents or relays do not have access to the internet (air-gapped agents), then
they cannot access some security services provided by the Trend Micro Smart
Protection Network. These security services are necessary for the full and
successful operation of the Workload Security Anti-Malware and Web Reputation
modules.
The Trend Micro Smart Protection Network security services include the following:
- Smart Scan Service
- Web Reputation Service
- Global Census Service
- Good File Reputation Service
- Predictive Machine Learning Service
In addition to these services, the agent and relay-enabled agent also need access
to the Trend Micro Update Server (also known as Active Update), which is not part of
the Smart Protection Network, but is a component that is hosted by Trend Micro and
accessed over the internet.
If any of your agents or relay-enabled agents cannot reach the preceding services,
you have several solutions.
Solutions
Use a proxy
If your agents or relay-enabled agents cannot connect to the internet, you can install
a proxy that can. Your agents and relays connect to the proxy, and the proxy then
connects outbound to the Trend Micro security services in the Smart Protection Network.
With a proxy, each Smart Scan or Web Reputation request goes out over the internet
to the Smart Protection Network. Consider instead using a Smart Protection Server inside your LAN to keep these requests within your network and reduce extranet bandwidth usage.
To use a proxy, see Connect agents behind a proxy.
Install a Smart Protection Server locally
If your agents and relay-enabled agents cannot connect to the internet, you can install
a Smart Protection Server in your local area network (LAN) to which your agents and
relay-enabled agents can connect. The local Smart Protection Server periodically connects
outbound over the internet to the Smart Protection Network to retrieve the latest
Smart Scan Anti-Malware patterns and Web Reputation information. This information
is cached on the Smart Protection Server and queried by your agents and relay-enabled
agents. The Smart Protection Server does not push updates to the air-gapped agents
or relay-enabled agents.
If you decide to use this solution, keep in mind the following:
- The functionality is limited. Only Smart Scan and Web Reputation are supported with a local Smart Protection Server.
- Use the proxy solution if you need behavior monitoring, predictive machine learning, and process memory scanning. See Use a proxy for details. If you decide not to use these features, you must disable them to prevent a query failure and to improve performance. For instructions, see Disable the features that use Trend Micro security services.
To deploy a Smart Protection Server, install it manually, as described in Smart Protection Server documentation.
Disable functionality that uses Trend Micro security services
You can disable the functionality that uses Trend Micro security services. Doing so
improves performance because the air-gapped agent no longer tries (and fails) to query
the services.
Note that without Trend Micro security services, your malware detection is downgraded
significantly, ransomware is not detected at all, and process memory scans are also
affected. It is therefore strongly recommended that you use one of the other solutions
to allow access to Trend Micro security services. If this is impossible, only then
should you disable features to realize performance gains.
Disable Smart Scans
- Open the Computer or Policy editor.
- On the left, click Anti-Malware.
- In the main pane, click Smart Protection.
- Under Smart Scan, deselect Inherited (if it is selected) and then select Off.
- Click Save.
Disable Web Reputation
- Open the Computer or Policy editor.
- On the left, click Web Reputation.
- In the main pane, make sure the General tab is selected.
- From the Configuration list, select Off.
- Click Save.
Disable Smart Feedback
- In the Workload Security console, click Administration at the top.
- Click System Settings on the left.
- In the main pane, select the Smart Feedback tab.
- Deselect Enable Trend Micro Smart Feedback (recommended).
- Click Save.
Disable process memory scans
- In the Workload Security console, click Policies at the top.
- On the left, expand , and then click Malware Scan Configurations.
- Double-click a malware scan configuration with a SCAN TYPE of Real-Time.
- On the General tab, under Process Memory Scan, deselect Scan process memory for malware.
- Click OK.
Disable predictive machine learning
- Make sure you still have a real-time malware scan configuration open.
- On the General tab, under Predictive Machine Learning, deselect Enable Predictive Machine Learning.
- Click OK.
Disable behavior monitoring
- Make sure you still have a real-time malware scan configuration open.
- On the General tab, under Behavior Monitoring, deselect both options, namely, Detect suspicious activity and unauthorized changes (incl. ransomware) and Back up and restore ransomware-encrypted files.
- Click OK.
To improve performance, you can disable the census and grid (Good File Reputation)
queries. If you leave them enabled, a significant amount of unnecessary background
processing takes place.
To disable the census query using the command line, execute the following:
dsm_c -action changesetting -name settings.configuration.enableCensusQuery -value false
To disable the census query from the UI:
- Go to .
- For Enable Census query, select No.
To disable the grid query using the command line, execute the following:
dsm_c -action changesetting -name settings.configuration.enableGridQuery -value false
To disable the grid query from the UI:
- Go to .
- For Enable Good file reputation query, select No.