Suspicious Objects

A suspicious object is a known malicious or potentially malicious IP address, domain, URL, or SHA-1 value found in submitted samples. As configured, TMWS obtains suspicious objects from the following two sources:

  • Cloud Virtual Analyzer

  • Trend Micro Apex Central™

After obtaining the suspicious objects, TMWS can choose to implement them for threat detection based on the configured policies.

Note:

An on-premises gateway can also obtain suspicious objects from a Trend Micro Deep Discovery™ Analyzer (DDAn) server after it is integrated with that server and Custom Defense is enabled on the on-premises gateway's web console. For more information, see Configuring Custom Defense.

  1. Go to Policies > Suspicious Objects.
  2. View suspicious objects.
    • Status: Whether to apply (enable) or not apply (disable) a suspicious object during policy enforcement and take the configured action upon detection. Click the icon to enable or disable a suspicious object.

    • Type: Type of a suspicious object. Options include Domain, File, IP, and URL.

    • Suspicious Object: Object generated and recognized as suspicious by the Cloud Virtual Analyzer or synchronized from Apex Central.

    • File: File that contains the suspicious object upon most recent detection. Click the file name to view the corresponding log under Logs & Reports.

    • Source: Source that a suspicious object is obtained from. Options include:

      If the same suspicious object is obtained from both sources, its information, for example the expiration time, follows what is synchronized from Apex Central.

      Note:

      Suspicious objects generated by DDAn are displayed on the web console of each on-premises gateway integrated with DDAn, not on this screen.

    • Last Generated: Latest date and time when a suspicious object is generated by the Cloud Virtual Analyzer or synchronized from Apex Central. This information changes when the same suspicious object is detected in another file.

    • Expires at: Date and time when a suspicious object expires.

      • Suspicious object from the Cloud Virtual Analyzer: By default, expires in 30 days once generated, and is automatically removed from the list after expiration. This information changes with the date and time under Last Generated.

      • Suspicious object from Apex Central: Subject to the expiration time carried in the synchronized information.

  3. To search for a suspicious object, type a keyword, or part of a keyword, from any column of the table in the Search text box.
    Note:

    If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed immediately. TMWS searches all cells in the table for matches.

  4. Configure the Cloud Virtual Analyzer setting and the action to take upon detection of each suspicious object type, so that TMWS can apply them for threat detection based on the configured policies.

    For more information, see Configuring the Cloud Virtual Analyzer and Applying Suspicious Objects.
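The lifecycle rules described in step 2 (a Status toggle, a 30-day expiration for Cloud Virtual Analyzer objects that restarts when the object is detected again, an expiration carried in the sync for Apex Central objects, and removal of expired entries) are easy to get wrong when consuming such a list in your own tooling. The following is an added example written for this page, not TMWS code; the class, function names and sample entries are assumptions and the indicators are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CVA_TTL = timedelta(days=30)   # default lifetime of a Cloud Virtual Analyzer object
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # constructed "current time"

@dataclass
class SuspiciousObject:
    so_type: str             # "Domain", "File", "IP" or "URL"
    value: str               # domain, IP address, URL, or SHA-1 of the file
    source: str              # "Cloud Virtual Analyzer" or "Apex Central"
    last_generated: datetime
    expires_at: datetime
    enabled: bool = True     # the Status toggle on the screen

def cva_object(so_type, value, generated_at):
    # Generated by the Cloud Virtual Analyzer: expires 30 days after generation
    return SuspiciousObject(so_type, value, "Cloud Virtual Analyzer",
                            generated_at, generated_at + CVA_TTL)

def apex_object(so_type, value, synced_at, expires_at):
    # Synchronized from Apex Central: expiration is the time carried in the sync
    return SuspiciousObject(so_type, value, "Apex Central", synced_at, expires_at)

def redetect(obj, detected_at):
    # Same object seen in another file: Last Generated moves forward, and for
    # Cloud Virtual Analyzer objects Expires at moves with it
    obj.last_generated = detected_at
    if obj.source == "Cloud Virtual Analyzer":
        obj.expires_at = detected_at + CVA_TTL
    return obj

def active_objects(objs, now):
    # Only enabled, unexpired objects take part in policy enforcement
    return [o for o in objs if o.enabled and o.expires_at > now]

def match(objs, so_type, value, now):
    # Type-scoped lookup against the active list; None means no enforcement action
    hits = [o for o in active_objects(objs, now)
            if o.so_type == so_type and o.value.lower() == value.lower()]
    return hits[0] if hits else None

def sample_table():
    # Constructed sample entries (hypothetical values, not real indicators)
    t = lambda m, d: datetime(2024, m, d, tzinfo=timezone.utc)
    return [
        cva_object("Domain", "malicious.example", t(1, 15)),   # expired on 2024-02-14
        apex_object("File", "0123456789abcdef0123456789abcdef01234567", t(2, 1), t(2, 28)),
        cva_object("IP", "203.0.113.5", t(2, 25)),             # expires 2024-03-26
    ]
```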