Configuring Custom Defense

As configured, your TMWS on-premises gateway can submit sample files to the Cloud Virtual Analyzer for further analysis, and can use the suspicious objects generated by the Cloud Virtual Analyzer and synchronized from Apex Central for threat detection. In addition, you can integrate your on-premises gateway with Deep Discovery™ Analyzer (DDAn) deployed within your organization to defend against APT attacks carried by malicious programs in HTTP/HTTPS traffic.

For each on-premises gateway, you can choose whether sample files are submitted to the Cloud Virtual Analyzer or to an integrated DDAn. Once Custom Defense is enabled and configured, the on-premises gateway submits sample files to the integrated DDAn, regardless of the Cloud Virtual Analyzer settings in the matched cloud access rules.

The suspicious objects generated by DDAn are sent only to the on-premises gateway that DDAn integrates with. The on-premises gateway does not upload these suspicious objects to other on-premises gateways deployed within your organization or to the TMWS cloud.

When the same suspicious object is reported by more than one source, its information is taken from the available source with the highest priority, in the following order from high to low: Apex Central, Cloud Virtual Analyzer, DDAn.

  1. Select the Enable Custom Defense check box to enable on-premises gateway integration with the DDAn server.
  2. Specify the IP address, port, and API key of the DDAn server, and then click Test Connection to confirm proper integration.
  3. Optionally enable DDAn to work in a high availability cluster configuration.

    TMWS supports high availability for Custom Defense to ensure service continuity. You can specify one backup DDAn server to work with the primary DDAn server in active/standby mode. The backup server automatically takes over as the new active server if the active primary server encounters an error and is unable to recover.

    1. Select the Enable High Availability check box.
    2. Specify the IP address, port, and API key of the backup DDAn server, and then click Test Connection to confirm proper integration.
  4. Select the threat or file types that you want to submit to the DDAn server to scan for threats.
  5. Click Save.

    When you click Save, TMWS verifies only the format of the IP address and port; it does not check whether the configured DDAn server can be reached. Trend Micro recommends using Test Connection to verify that the configured DDAn server can be connected to. Otherwise, Custom Defense will not work properly even when it is enabled.
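The caveat above (Save checks only IP and port format, Test Connection checks reachability) and the active/standby behaviour of the high availability option can be pre-checked from an administrator's workstation before the settings are saved. The following script is an added example written for this page, not part of TMWS or DDAn; the server addresses are constructed placeholders, and a plain TCP connect is assumed as a stand-in for the real Test Connection (it cannot validate the API key).

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed placeholder values; replace with your own DDAn servers.
PRIMARY = {"ip": "10.0.0.10", "port": 443}
BACKUP = {"ip": "10.0.0.11", "port": 443}


def format_ok(server: Dict) -> bool:
    """What Save verifies (per the docs): IP address and port format only."""
    try:
        ipaddress.ip_address(server["ip"])
    except ValueError:
        return False
    return isinstance(server["port"], int) and 1 <= server["port"] <= 65535


def tcp_reachable(server: Dict, timeout: float = 3.0) -> bool:
    """Assumed stand-in for Test Connection: a bare TCP connect. It proves the
    host and port answer, not that the API key is accepted."""
    try:
        with socket.create_connection((server["ip"], server["port"]), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(primary: Dict, backup: Optional[Dict] = None,
              probe: Callable[[Dict], bool] = tcp_reachable) -> Dict:
    """Report which DDAn server would be active and what Save alone would miss."""
    warnings: List[str] = []
    for name, srv in (("primary", primary), ("backup", backup)):
        if srv is not None and not format_ok(srv):
            warnings.append(f"{name}: IP/port format invalid (Save would reject this)")
    active: Optional[str] = None
    if format_ok(primary) and probe(primary):
        active = "primary"
    elif backup is not None and format_ok(backup) and probe(backup):
        active = "backup"
        warnings.append("primary unreachable: backup would take over (active/standby)")
    if active is None:
        warnings.append("no DDAn server reachable: Custom Defense would not work even if enabled")
    return {"active": active, "warnings": warnings}


if __name__ == "__main__":
    print(preflight(PRIMARY, BACKUP))
```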