Managing Monitoring Rules

Take note of the following considerations:

  • Managing monitoring rules:

    The Monitoring Rules tab displays user-defined rules only. While monitoring rules are shared across policies, the status of a monitoring rule (Enabled/Disabled/remove) is independent for each policy. Administrators can customize policies by selecting which monitoring rules are enabled, disabled, or removed for each policy. New monitoring rules are disabled by default.

    Control Manager can remotely control monitoring rules only on Endpoint Sensor servers where the rules are part of an Endpoint Sensor policy.

    If a new Endpoint Sensor server is registered, Control Manager automatically includes the new Endpoint Sensor server in its rule deployment schedule. Once the next deployment schedule is due, Control Manager uploads all active monitoring rules to the newly registered server.

  • Uploading monitoring rules:

    To upload a monitoring rule, click Policies > Policies Management, and select Trend Micro Endpoint Sensor as the Product. Click Create to create a new policy, or click an existing policy to open the Create / Edit Policy screen. Expand Monitoring Settings, click Upload IOC Rule > Choose File, and navigate to the location of the monitoring rule. Click Open to automatically upload the monitoring rule. After the upload is complete, click Save or Deploy.

    Note:
    • It is recommended to specify the target Endpoint Sensor servers before uploading the rule.

    • The Upload IOC Rule feature is enabled only when there is at least one Endpoint Sensor server registered to Control Manager.

      For details, see Registering with Control Manager.

    Uploading the same monitoring rule in both Control Manager and in an Endpoint Sensor server registered with Control Manager may cause conflicts. Regularly keep track of the uploaded monitoring rules through the Monitoring Settings screen to avoid duplication.

    If a duplicate monitoring rule is encountered, the following message appears: "Unable to upload file. The file already exists in the Endpoint Sensor server. Use the Endpoint Sensor management console to remove the file first, and try again."

  • Changing the status of a monitoring rule:

    To change the status of a monitoring rule, click Toggle Status, and select Enable or Disable. Afterwards, update the remote rule of the Endpoint Sensor servers specified as targets in this policy.

    The status of a monitoring rule is independent for each policy.

  • Removing monitoring rules:

    To remove a rule, select the rule and click Remove. The status of the removed rule changes to remove. Click Save or Deploy to complete the process.

    Warning:
    • Removal of a monitoring rule also removes the monitoring rule from all other Endpoint Sensor policies.

    • If the same rule is re-uploaded in a new policy, the old policy will remove the rule again during its scheduled run.

    If problems persist, contact Trend Micro support for assistance.