Configuring Suspicious Object List

A suspicious object is a known malicious or potentially malicious IP address, domain, URL, or SHA-1 value found in submitted samples. After integrating with your Trend Vision One or Apex Central / Control Manager, Cloud App Security can use the Suspicious Object lists synchronized from these products during scanning.


The Suspicious Object List feature is disabled by default. It applies to all ATP policies.

Before you enable this feature, make sure your product that synchronizes the lists meets the following requirements.

Table 1.




Trend Vision One

Latest version

On Trend Vision One:

Apex Central / Control Manager

Synchronization terminates when the above conditions are no longer satisfied. The Suspicious Object lists are cleared and no longer apply during scanning.

  1. Go to Administration > Global Settings > Suspicious Object List.
  2. On the Suspicious Object List screen that appears, enable or disable the use of the lists during scanning as necessary.
  3. Click Save.

    Cloud App Security utilizes the suspicious file list in Malware Scanning and the suspicious URL list in Web Reputation.

    When a URL or file hits a list, Cloud App Security takes the action synchronized from Trend Vision One or Apex Central / Control Manager. The action can be either of the following:

    • Pass: Record the detection in a log and leave the scanned item unchanged.

    • Quarantine: Move the scanned item to a dedicated quarantine folder or object (for Salesforce)

      The quarantine action does not apply to Gmail and Teams Chat. Instead, the following action applies:

      • For Gmail, label the email message as risky.

      • For Teams Chat, record a detection log and leave the message unchanged.