Configuring Suspicious Objects

A suspicious object is a known malicious or potentially malicious IP address, domain, URL, or SHA-1 value found in submitted samples.

Smart Protection Server can subscribe to the following sources to synchronize suspicious objects:

Table 1. Smart Protection Server Suspicious Object Sources

Source

Suspicious Object Type

Description

Deep Discovery Analyzer

  • Virtual Analyzer

URL

Virtual Analyzer is a cloud-based virtual environment designed for analyzing suspicious files. Sandbox images allow observation of file behavior in an environment that simulates endpoints on your network without any risk of compromising the network.

Virtual Analyzer in managed products tracks and analyzes submitted samples. Virtual Analyzer flags suspicious objects based on their potential to expose systems to danger or loss.

Control Manager

Consolidated suspicious objects

  • Control Manager user-defined suspicious objects

  • Virtual Analyzer suspicious objects

URL

Deep Discovery Analyzer sends a list of suspicious objects to Control Manager.

Control Manager administrators can add objects they consider suspicious but are not currently in the list of Virtual Analyzer suspicious objects. User-defined suspicious objects have a higher priority than Virtual Analyzer suspicious objects.

Control Manager consolidates suspicious objects and scan actions against the objects and then distributes them to Smart Protection Server.
When subscribed, Smart Protection Server relays:
  • Suspicious URL information to Trend Micro products (such as OfficeScan agents, ScanMail, and Deep Security) that send Web Reputation queries
  • Actions against suspicious URLs to OfficeScan agents that send Web Reputation queries.
Note:

For information on how Control Manager manages suspicious objects, see: http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack-3/whats_new_6sp3/suspicious_object_supported_products.aspx

  1. Go to Smart Protection > Suspicious Objects.
  2. Type the FQDN or IP address of the Suspicious Objects Source.
  3. Type the API Key obtained by the suspicious object source.
  4. Optional: Click Test connection to verify that the server name, IP address, and API key are valid, and that the source is available.
  5. Click Subscribe.
  6. To immediately synchronize suspicious objects, select Synchronize and enable suspicious objects and then click Sync Now.
    Note:

    The option is available only if Smart Protection Server successfully connects to the source.

  7. Click Save.
Parent topic: Using Smart Protection