Configuring Suspicious Object List

Trend Micro Apex Central / Control Manager consolidates your organization's Suspicious Object lists and synchronizes them (excluding exceptions) among integrated managed products. After Cloud App Security is registered to Apex Central / Control Manager, Apex Central / Control Manager automatically synchronizes the suspicious URL and file lists with Cloud App Security at a scheduled time interval. In addition to its own scanning mechanisms, Cloud App Security can optionally apply these suspicious objects during URL and file scanning.

By default this feature is disabled.

Cloud App Security uses the suspicious file list in Malware Scanning and the suspicious URL list in Web Reputation. Once enabled, this feature applies to all configured Advanced Threat Protection policies. When a URL or file matches an entry in the list, Cloud App Security automatically takes a pre-defined action, which is Pass, Quarantine, or Label email. You can go to Logs to query and view details.


The Label email action applies only to Gmail messages.

Before you begin configuring this feature, make sure that:

  • You have installed Apex Central 2019 or Control Manager 7.0 with hot fix HF2574, and your Apex Central / Control Manager has a serving Deep Discovery product, which can be a Deep Discovery Inspector, Deep Discovery Email Inspector, or Deep Discovery Analyzer.

  • Your Cloud App Security is registered to your Apex Central / Control Manager. For details, see Registering Cloud App Security or Registering Cloud App Security.

  • You have configured distribution settings on your Apex Central / Control Manager to enable it to consolidate and send suspicious objects to Cloud App Security. For details, see "Configuring Distribution Settings" in the Apex Central Online Help or "Configuring Distribution Settings" in the Control Manager Online Help.

  • You have enabled Web Reputation in the Advanced Threat Protection policy you want to apply the suspicious URL list to.

Synchronization terminates when Cloud App Security is unregistered from Apex Central / Control Manager or when synchronization is disabled on Apex Central / Control Manager. The Suspicious Object list is then cleared and no longer applied during scanning.

If your license expires, Cloud App Security continues synchronizing the Suspicious Object list with Apex Central / Control Manager and maintaining it in its database for 30 days. After that, all data is cleared.

  1. Go to Administration > Global Settings > Suspicious Object List.
  2. On the Suspicious Object List screen that appears, enable or disable the use of the lists during scanning as necessary.
  3. Click Save.