Enable aggressive mode on targeted endpoints to provide more sensitive detection and response.

Important
  • Detection mode and aggressive mode are pre-release sub-features and are not part of the existing features of an official commercial or general release. Please review the Pre-release Sub-Feature Disclaimer before using the sub-features.
  • Enabling aggressive mode raises the sensitivity level of the anti-malware scan and behavior monitoring, which might affect system performance and increase the number of Workbench alerts.
  • Aggressive mode supports a maximum of 20 active endpoints.
  • Aggressive mode currently only supports agents deployed to 64-bit (x86-64) operating systems using the agent installer package downloaded from Endpoint Inventory.
  • Server & Workload Protection agents deployed using the packages downloaded from the Software screen are not supported.
The Detection Mode option in Endpoint Inventory allows you to configure endpoints to utilize normal scanning behavior or to enable aggressive mode. Aggressive mode allows for more strict monitoring and response for situations such as on-going threat investigations, penetration testing, or prioritizing monitoring of sensitive assets.
Aggressive mode currently only applies to endpoints managed by Server & Workload Protection and Standard Endpoint Protection Managers. You must configure the settings in the protection manager before enabling aggressive mode. Use the steps below to prepare your environment and enable aggressive mode.

Procedure

  1. Configure your Standard Endpoint Protection Manager.
    1. In the Trend Vision One console, go to Endpoint Security > Standard Endpoint Protection.
      If you have more than one Standard Endpoint Protection instance provisioned, navigate to the instance you want to configure.
    2. Go to Policies > Policy Management and edit the policy assigned to the endpoints on which you want to enable aggressive mode.
      Tip
      You can also create a new policy for this task. Ensure you assign the target endpoints to the task before enabling aggressive mode.
    3. In the policy details screen, go to Anti-Malware Scans > Real-time Scan.
    4. On the Target tab, select Quarantine malware variants detected in memory.
    5. On the Action tab, under Virus/Malware, select Use ActiveAction.
      Important
      Do not select Customize action for probable virus/malware.
    6. Go to Advanced Threat Protection > Suspicious Connection.
    7. Set the action for the following two settings according to the action you plan to use for aggressive mode:
      • Detect network connections made to addresses in the Global C&C IP list
      • Detect connections using malware network fingerprinting
      Configure one of the following actions:
      • If you want to set aggressive mode to use the prevention action, select Block for both.
      • If you want to set aggressive mode to use the log only action, select Log only for both.
      Important
      For aggressive mode, Trend Micro highly recommends you leave the following setting enabled:
      • Clean suspicious connections when a C&C callback is detected
    8. Click Deploy to save the settings.
  2. Configure your Server & Workload Protection Manager.
    1. In the Trend Vision One console, go to Endpoint Security > Server & Workload Protection.
      If you have more than one Server & Workload Protection instance provisioned, navigate to the instance you want to configure.
    2. Go to Policies, select the policy you want to edit and click Details...
      Tip
      You can also create a new policy for this task. Ensure you assign the target endpoints to the task before enabling aggressive mode.
    3. In the policy details screen, go to Anti-Malware.
    4. Under Real-Time Scan, locate Malware Scan Configuration and click Edit.
    5. In the screen that appears, go to General.
    6. Under Behavior Monitoring, select Enable Behavior Monitoring.
    7. For Action to take, select ActiveAction (recommended).
    8. Under Windows Antimalware Scan Interface (AMSI), select Enable AMSI protection.
    9. For Action to take, select Terminate (recommended).
    10. Under Process Memory Scan, select Scan process memory for malware.
    11. For Action to take, select ActiveAction (recommended).
    12. Go to Advanced.
    13. Under Remediation Actions, select Use recommended defaults.
    14. Click OK.
    15. In the policy details screen, click Save.
  3. In the Trend Vision One console, go to Endpoint Security > Endpoint Inventory.
  4. Locate and select the endpoints you want to configure.
  5. Click Detection Mode.
  6. Select Aggressive mode.
  7. Select the action to take.
    • Prevention: The agent takes the default ActiveAction for the detected malware type.
      For more information on ActiveActions, see ActiveActions default actions.
    • Log only: The agent only logs the detection and takes no action.
  8. Click Next.
  9. Review the Selected Endpoints.
    Click the remove icon (X) to remove a selected endpoint from the list.
  10. Click Apply.
    The selected endpoints apply the monitoring level the next time they connect to Trend Vision One.
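The following Python script is an added example, not Trend Micro's code, and it calls no Trend Vision One API. It performs the pre-flight checks a rollout owner would want before clicking Apply: it filters a candidate endpoint list against the constraints stated above (64-bit x86-64 agents, a supported protection manager, the Endpoint Inventory installer package, at most 20 active endpoints) and checks a Standard Endpoint Protection policy against the settings required in step 1, including the rule that both Suspicious Connection actions must be Block for prevention and Log only for log-only mode. The inventory records, the policy field names and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

# Documented constraints for aggressive mode (taken from the page above).
MAX_ACTIVE_ENDPOINTS = 20
SUPPORTED_ARCH = "x86-64"
SUPPORTED_MANAGERS = {"Standard Endpoint Protection", "Server & Workload Protection"}
SUPPORTED_PACKAGE_SOURCE = "Endpoint Inventory"


@dataclass(frozen=True)
class Endpoint:
    """Constructed inventory record; field names are assumptions, not product fields."""
    name: str
    arch: str                # e.g. "x86-64", "x86", "arm64"
    manager: str             # protection manager the agent reports to
    package_source: str      # where the agent installer package came from
    sensitive: bool = False  # asset the team wants monitored first


def ineligibility_reasons(ep):
    """Return the documented constraints this endpoint violates (empty list if eligible)."""
    reasons = []
    if ep.arch != SUPPORTED_ARCH:
        reasons.append(f"{ep.name}: agent OS is {ep.arch}, aggressive mode needs x86-64")
    if ep.manager not in SUPPORTED_MANAGERS:
        reasons.append(f"{ep.name}: manager {ep.manager!r} is not supported")
    if ep.package_source != SUPPORTED_PACKAGE_SOURCE:
        reasons.append(f"{ep.name}: agent installed from {ep.package_source!r}, "
                       "only the Endpoint Inventory package is supported")
    return reasons


def plan_rollout(endpoints):
    """Split endpoints into (selected, deferred, rejected).

    selected: eligible endpoints that fit under the 20-endpoint cap,
              sensitive assets first, then alphabetical for determinism
    deferred: eligible endpoints beyond the cap (candidates for a later batch)
    rejected: name -> reasons, for endpoints that violate a documented constraint
    """
    rejected = {}
    candidates = []
    for ep in endpoints:
        reasons = ineligibility_reasons(ep)
        if reasons:
            rejected[ep.name] = reasons
        else:
            candidates.append(ep)
    candidates.sort(key=lambda e: (not e.sensitive, e.name))
    selected = [e.name for e in candidates[:MAX_ACTIVE_ENDPOINTS]]
    deferred = [e.name for e in candidates[MAX_ACTIVE_ENDPOINTS:]]
    return selected, deferred, rejected


def check_sep_policy(policy, mode):
    """Compare a Standard Endpoint Protection policy (constructed dict) with step 1.

    mode is "prevention" or "log_only", matching the action chosen in step 7.
    Returns a list of mismatches; an empty list means the policy matches the procedure.
    """
    problems = []
    if not policy.get("quarantine_memory_variants"):
        problems.append("Real-time Scan > Target: enable 'Quarantine malware variants detected in memory'")
    if policy.get("virus_malware_action") != "ActiveAction":
        problems.append("Real-time Scan > Action: Virus/Malware must use ActiveAction")
    if policy.get("customize_probable_action"):
        problems.append("Real-time Scan > Action: do not select 'Customize action for probable virus/malware'")
    expected = "Block" if mode == "prevention" else "Log only"
    for setting in ("cc_ip_list_action", "network_fingerprint_action"):
        if policy.get(setting) != expected:
            problems.append(f"Suspicious Connection: {setting} must be {expected!r} for {mode}")
    if not policy.get("clean_suspicious_connections"):
        problems.append("Suspicious Connection: keep 'Clean suspicious connections when a C&C callback is detected' enabled")
    return problems


# Constructed sample inventory: 24 eligible endpoints, so the 20-endpoint cap is exercised.
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", "x86-64", "Standard Endpoint Protection", "Endpoint Inventory", sensitive=True),
    Endpoint("ws-02", "x86", "Standard Endpoint Protection", "Endpoint Inventory"),
    Endpoint("srv-01", "x86-64", "Server & Workload Protection", "Software screen"),
    Endpoint("srv-02", "x86-64", "Server & Workload Protection", "Endpoint Inventory"),
    Endpoint("mac-01", "arm64", "Standard Endpoint Protection", "Endpoint Inventory"),
] + [
    Endpoint(f"ws-{n}", "x86-64", "Standard Endpoint Protection", "Endpoint Inventory")
    for n in range(10, 32)
]

# Constructed policy for a prevention rollout with two deviations from the procedure.
SAMPLE_POLICY = {
    "quarantine_memory_variants": True,
    "virus_malware_action": "ActiveAction",
    "customize_probable_action": True,         # deviation: must stay unselected
    "cc_ip_list_action": "Block",
    "network_fingerprint_action": "Log only",  # deviation: prevention needs Block on both
    "clean_suspicious_connections": True,
}

if __name__ == "__main__":
    selected, deferred, rejected = plan_rollout(SAMPLE_ENDPOINTS)
    print(f"selected ({len(selected)}): {selected}")
    print(f"deferred to a later batch: {deferred}")
    for reasons in rejected.values():
        print("rejected:", *reasons, sep="\n  ")
    for problem in check_sep_policy(SAMPLE_POLICY, "prevention"):
        print("policy:", problem)
```

Run it as a script to see the three buckets and the policy mismatches; swap in an export of your own inventory (mapped onto the constructed field names) and the action you intend to choose in step 7 to reuse the checks for a real rollout.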