When you add or edit a Threat Protection template from the Threat Protection screen, a new screen opens, where you can specify the settings for the template.

Procedure

  1. Configure the basic template information:
    • Template name: Specify a unique name for the template.
    • Description: (Optional) Meaningful description to easily identify the Threat Protection template.
  2. Configure the Web Reputation section:
    • Enable: Click On or Off as necessary.
    • Security level: Select the security level to block. Each security level comes with a description to help you make an informed decision.
      Trend Micro considers a URL a web threat if its reputation score falls within a defined threshold, and safe if its score exceeds the threshold.
      TMWS has three security levels that determine whether it will allow or block access to a URL with a certain risk level. For details about the risk levels, see About Web Reputation.
      • High: Blocks pages that are:
        • Dangerous
        • Highly suspicious
        • Suspicious
        • Untested
      • Medium: Blocks pages that are:
        • Dangerous
        • Highly suspicious
      • Low: Blocks pages that are:
        • Dangerous
      WARNING: Selecting High increases the risk of false-positives.
  3. In the Content Type Exceptions section, select or type the types or names of files that you want to exclude from scanning.
    Note: Trend Micro recommends minimizing the list of MIME content-types to skip to reduce the risk of virus infection. Also, Trend Micro does not recommend skipping any MIME content-types when large file handling is enabled, because it is possible for a MIME content-type to be forged.
    The supported true file types are as follows (file type: file formats):
    • Documents: DOC/DOCX, ODT, PDF, PPT/PPTX, WPD, XLS/XLSX
    • Images: BMP, GIF, JPG, PNG, PSD, PSP, TIF
    • Executables: COM/DLL/EXE, LNK, MSI
    • Audio/Video: AIF, FLV, M4A, MID, MOV/MP4, MP3, RA/RM, SWF, WAV/AVI, WMV/ASF
    • Archives: GZ, RAR, SIT, TAR, ZIP
    • Others: CHM, EPS
  4. Configure the File Scanning section:
    • Allow and do not scan files larger than: Specify the size limit for file scanning. TMWS does not scan files that exceed the size limit.
      The file size limit cannot be greater than 2 GB.
    • Do not scan files whose compression layers exceed: Specify the maximum number of compression layers for file scanning. TMWS does not scan files that have more compression layers than the limit.
      The range is from 1 through 20, and the default value is 10.
    • Unscannable files: Click Allow or Block as necessary.
      A file is unscannable in cases that include but are not limited to the following: its compression layers exceed the configured limit, it is compressed with an unsupported file format, it is password protected, or it is corrupted.
      When these files are blocked, TMWS displays a notification on the user's browser.
  5. Configure the Advanced Threat Scanning section:
    • Botnet Detection: Click Block or Monitor to select an action upon detection of botnets.
      • Block: TMWS blocks the web traffic.
      • Monitor: TMWS allows the web traffic but logs it for botnet activities for monitoring and analysis.
    • Predictive Machine Learning: Click On or Off to enable or disable scanning to detect emerging unknown security risks. For more information, see About Predictive Machine Learning.
      If enabled, TMWS first sends suspicious files to the cloud-based Predictive Machine Learning engine that uses advanced analytics to detect unknown threats, and blocks access to the files if any unknown threat is detected.
      If a suspicious file is blocked, it will not be sent to the Cloud Virtual Analyzer for further analysis.
      Note: In this version, TMWS uses Predictive Machine Learning to scan executable files only.
    • Cloud Virtual Analyzer: Click On or Off to enable or disable the Cloud Virtual Analyzer to detect suspicious objects. When enabled, after the threat protection template is used in at least one enabled cloud access rule, TMWS submits sample files based on the rule configurations to the Cloud Virtual Analyzer for further analysis. A list of suspicious objects, if any, will be returned and displayed on the Suspicious Objects screen.
      Note: This feature is not available for the Standard license. To use this feature, purchase an Advanced license, or purchase an add-on license to upgrade your service to the Advanced (Standard plus add-on) license.
    • Action on Suspicious Objects: The action taken upon detection of each suspicious object type after the threat protection template is used in at least one enabled cloud access rule. Suspicious objects are obtained from either the Cloud Virtual Analyzer or Apex Central.
      Click On or Off to decide whether to take pre-defined actions on access to the requested web traffic that contains the suspicious objects upon detection.
      By default, the value is set to Off.
      Once enabled, options for each suspicious object type include:
      • Block indicates that TMWS blocks access to the requested web traffic.
      • Monitor indicates that TMWS allows access to the requested web traffic and logs the web activity for monitoring and analysis. You can go to Logs & Reports > LOG ANALYSIS > Virtual Analyzer for log query and analysis.
  6. Click Save.
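
The note in step 3 warns that a MIME content-type can be forged. The following added example (not TMWS code) shows the check that warning implies: a response is only eligible to skip scanning when its declared Content-Type agrees with the true file type found in its leading bytes. The function names, the `EXPECTED` mapping and the sample bodies are assumptions made for illustration.

```python
# Added illustration, not TMWS code. Magic bytes for a few of the
# true file types listed in step 3.
SIGNATURES = [
    (b"%PDF-", "PDF"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"\xff\xd8\xff", "JPG"),
    (b"MZ", "EXE"),              # PE executables and DLLs begin with "MZ"
    (b"PK\x03\x04", "ZIP"),
    (b"\x1f\x8b", "GZ"),
    (b"Rar!\x1a\x07", "RAR"),
]

# Hypothetical mapping: the true type each declared MIME type should have.
EXPECTED = {"application/pdf": "PDF", "image/png": "PNG", "image/gif": "GIF",
            "image/jpeg": "JPG", "application/zip": "ZIP",
            "application/gzip": "GZ"}


def true_type(body: bytes):
    """Return the file type indicated by the leading bytes, or None."""
    for magic, name in SIGNATURES:
        if body.startswith(magic):
            return name
    return None


def may_skip_scan(content_type: str, body: bytes, exceptions: set):
    """Return (skip, reason) for a response with the given header and body."""
    mime = content_type.split(";")[0].strip().lower()  # drop parameters
    if mime not in exceptions:
        return False, "not in exception list"
    actual = true_type(body)
    if actual is not None and EXPECTED.get(mime) == actual:
        return True, f"{mime} confirmed as {actual}"
    # The header is sender-controlled, so a mismatch means: scan anyway.
    return False, f"declared {mime}, content looks like {actual}: possible forged header"


# Constructed sample bodies (not real files).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_PNG = b"MZ\x90\x00" + b"\x00" * 16   # executable header served as image/png

if __name__ == "__main__":
    for body in (REAL_PNG, FAKE_PNG):
        print(may_skip_scan("image/png", body, {"image/png"}))
```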
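
Step 4 describes a compression-layer limit and the conditions that make a file unscannable. The following added example (not TMWS code) counts nested ZIP layers and applies the configured Allow or Block action when a file exceeds the limit, is password protected or is corrupted. It handles ZIP only, and the names `layers`, `verdict` and `nest` are assumptions made for illustration.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"


class Unscannable(Exception):
    """Raised with the reason a file cannot be scanned."""


def layers(data: bytes, limit: int, depth: int = 0) -> int:
    """Return the deepest ZIP nesting level; raise Unscannable past the limit."""
    if not data.startswith(ZIP_MAGIC):
        return depth                      # not an archive: no further layer
    depth += 1
    if depth > limit:                     # checked before unpacking anything
        raise Unscannable("compression layers exceed limit")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            deepest = depth
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # ZIP encryption flag
                    raise Unscannable("password protected")
                deepest = max(deepest, layers(zf.read(info), limit, depth))
            return deepest
    except zipfile.BadZipFile:
        raise Unscannable("corrupted archive")


def verdict(data: bytes, limit: int = 10, unscannable_action: str = "Block") -> str:
    """Return "scan", or the configured action for an unscannable file."""
    if not 1 <= limit <= 20:              # range stated in step 4
        raise ValueError("limit must be from 1 through 20")
    try:
        layers(data, limit)
    except Unscannable as why:
        return f"{unscannable_action} (unscannable: {why})"
    return "scan"


def nest(payload: bytes, n: int) -> bytes:
    """Build a constructed sample: payload wrapped in n ZIP layers."""
    for _ in range(n):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.bin", payload)
        payload = buf.getvalue()
    return payload


if __name__ == "__main__":
    print(verdict(nest(b"hello", 3)), "|", verdict(nest(b"hello", 11)))
```

Member sizes are not bounded in this sketch; a real scanner would also enforce the file size limit from the same section before decompressing.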