Configuring Suspicious Object List

A suspicious object is a known malicious or potentially malicious IP address, domain, URL, or SHA-1 value found in submitted samples. After you integrate Cloud App Security with Trend Vision One or Apex Central / Control Manager, it can use the Suspicious Object lists synchronized from these products during scanning.


The Suspicious Object List feature is disabled by default. It applies to all ATP policies.

Before you enable this feature, make sure the product that synchronizes the lists meets the following requirements.

Table 1.

Trend Vision One

Latest version

On Trend Vision One:

Apex Central / Control Manager

Synchronization terminates when the above conditions are no longer satisfied. When that happens, the Suspicious Object lists are cleared and no longer apply during scanning.

  1. Go to Administration > Global Settings > Suspicious Object List.
  2. On the Suspicious Object List screen that appears, enable or disable the use of the lists during scanning as necessary.
  3. Click Save.

    Cloud App Security utilizes the suspicious file list in Malware Scanning and the suspicious URL list in Web Reputation.

    When a URL or file matches an item in the list, Cloud App Security takes the action synchronized from Trend Vision One or Apex Central / Control Manager. The action can be either of the following:

    • Pass: Record the detection in a log and leave the scanned item unchanged.

    • Block/Quarantine: Block the scanned item, or move the scanned item to a dedicated quarantine folder or object (for Salesforce).

      The quarantine action does not apply to Gmail. Instead, Cloud App Security labels the email message as risky.