Configuring A Threat Protection Template

When you add or edit a Threat Protection template from the Threat Protection screen, a new screen opens, where you can specify the settings for the template.

  1. Configure the basic template information:



    Template name

    Specify a unique name for the template.


    (Optional) Meaningful description to easily identify the Threat Protection template.

  2. Configure the Web Reputation section:




    Click On or Off as necessary.

    Security level

    Select the security level to block. Each security level comes with a description to help you make an informed decision.

    Trend Micro considers a URL a web threat if its reputation score falls within a defined threshold, and safe if its score exceeds the threshold.

    TMWS has three security levels that determine whether it will allow or block access to a URL with a certain risk level. For details about the risk levels, see About Web Reputation.

    • High: Blocks pages that are:

      • Dangerous

      • Highly suspicious

      • Suspicious

      • Untested

    • Medium: Blocks pages that are:

      • Dangerous

      • Highly suspicious

    • Low: Blocks pages that are:

      • Dangerous


    Selecting High increases the risk of false-positives.

  3. In the Content Type Exceptions section, select or type the types or names of files that you want to exclude from scanning.

    Trend Micro recommends minimizing the list of MIME content-types to skip to reduce the risk of virus infection. Also, Trend Micro does not recommend skipping any MIME content-types when large file handling is enabled, because it is possible for a MIME content-type to be forged.

  4. Configure the File Scanning section:



    Do not scan files larger than

    Specify the size limit for file scanning. TMWS does not scan files that exceed the size limit.

    The file size limit cannot be greater than 2 GB.

    Do not scan files when the number of compression layers exceeds

    Specify the maximum number of compression layers for file scanning. TMWS does not scan files that have more compression layers than the limit.

    The range is from 1 through 20, and the default value is 10.

    Unscannable files

    Click Allow or Block as necessary.

    A file may be unscannable because it is compressed with an unsupported file format, it is password protected, or it is corrupted.

    When these files are blocked, TMWS displays a notification on the user's browser.

  5. Configure the Advanced Threat Scanning section:



    Botnet Detection

    Click Block or Monitor to select an action upon detection of botnets.

    • Block: TMWS blocks the web traffic.

    • Monitor: TMWS allows the web traffic but logs it for botnet activities for monitoring and analysis.

    Predictive Machine Learning

    Click On or Off to enable or disable scanning to detect emerging unknown security risks. For more information, see About Predictive Machine Learning.

    If enabled, TMWS first sends suspicious files to the cloud-based Predictive Machine Learning engine that uses advanced analytics to detect unknown threats, and blocks access to the files if any unknown threat is detected.

    If a suspicious file is blocked, it will not be sent to the Cloud Virtual Analyzer for further analysis.


    In this version, TMWS uses Predictive Machine Learning to scan executable files only.

    Cloud Virtual Analyzer

    Click On or Off to enable or disable the Cloud Virtual Analyzer to detect suspicious objects. When enabled, after the threat protection template is used in at least one enabled cloud access rule, TMWS submits sample files based on the rule configurations to the Cloud Virtual Analyzer for further analysis. A list of suspicious objects, if any, will be returned and displayed on the Suspicious Objects screen.


    This feature is not available for the Standard license. To use this feature, purchase an Advanced license, or you can purchase an add-on license to upgrade your service to the Advanced (Standard plus add-on) license.

    Action on Suspicious Objects

    Action upon detection of each suspicious object type after the threat protection template is used in at least one enabled cloud access rule. Suspicious objects are obtained from either the Cloud Virtual Analyzer or Apex Central.

    Click On or Off to decide whether to take pre-defined actions on access to the requested web traffic that contains the suspicious objects upon detection.

    By default, the value is set to Off.

    Once enabled, options for each suspicious object type include:

    • Block indicates that TMWS blocks access to the requested web traffic.

    • Monitor indicates that TMWS allows access to the requested web traffic and logs the web activity for monitoring and analysis. You can go to Logs & Reports > LOG ANALYSIS > Virtual Analyzer for log query and analysis.

  6. Click Save.