Using NSLOOKUP to view Mail Exchange (MX) records for Trend Micro Email Security (TMEMS) and Email Reputation Services (ERS) Hosted
Businesses today rely heavily on email communication, which makes email security a top priority. Hosted email security solutions, like TMEMS and ERS Hosted, provide email protection through spam filtering, virus scanning, and other features. To ensure proper email delivery and security, it's essential to have a clear understanding of the Mail Exchange (MX) records associated with these services. In this article, we'll show you how to access the MX records for TMEMS and ERS Hosted using NSLOOKUP.
Removing valid IP addresses from the Email Reputation Services (ERS) database
Removal of valid IP addresses from the ERS database is needed when you experience any of the following: Emails and attachments are being rejected or bounced. This solution also applies to the ERS of Worry-Free Business Security Standard/Advanced.
Editing a customer or partner account in Licensing Management Platform (LMP)
This article shows you how to edit a customer or partner account in Licensing Management Platform (LMP).
Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products
Trend Micro has seen a dramatic rise in ransomware-related issues, especially the sophisticated Crypto-Ransomware. The issue concerns both home and commercial users. Like many other cyber threats, ransomware has become more complex and advanced over time. Thus, prevention and protection have become more challenging. Ransomware can enter an organization through many vectors, such as email spam, phishing attacks, or malicious web downloads. For the highest level of protection, organizations are encouraged to deploy multiple layers of protection on endpoint, gateway, and mail servers. The image below shows a typical ransomware infection chain. For more details about the infection chain, refer to this article: Mitigating the TROJ_CRYPWALL (also known as Cryptowall) v3 using Trend Micro products. This article discusses Trend Micro's recommended configuration on various products and important software updates to better protect against and combat ransomware. Consumer (Home) customers may visit the following site: Consumer (Home) Customers' Guide on Ransomware: Introduction, Prevention and Trend Micro Security Solutions.
Emerging Threat on RANSOM_CERBER
“Attention! Attention! Attention!” “Your documents, photos, databases and other important files have been encrypted!” Having a “voice” capability to verbally read out a message and inform you that your files are encrypted makes this unique from other ransomware. This innovative technique is reminiscent of one of the variants of REVETON, otherwise known as police ransomware, that can also “speak” in a language depending on where the user is located or based. Based on our investigation, CERBER uses only the English language; however, once users click on the link via Tor browser, it points to a page asking users which language to employ. Even though the landing page offers various languages, only English works, as of this posting. The cybercriminals behind CERBER require users to pay 1.24 BTC (~US$523, as of March 4, 2016), which will increase up to 2.48 BTC (~US$1046, as of March 4, 2016) in seven (7) days’ time. Based on SPN, this menace is seen mostly in APAC and NABU regions.
Antispam Pattern

| LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
|---|---|---|---|
| EXPOSURE | Spam mail | AS2314 | 5/10/2016 |

SAL / BES Pattern

| LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
|---|---|---|---|
| INFECTION | SWF.HEU.HeapSpray.A | SAL 121913.0.0 | 5/26/2016 |

VSAPI Pattern (Malicious File Detection)

| LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
|---|---|---|---|
| INFECTION | Ransom_CERBER.SM | 12.497.00 | 4/29/2016 |
| INFECTION | Ransom_CERBER.SMA | 12.497.00 | 4/29/2016 |
| INFECTION | Ransom_CERBER.SMC | 12.497.00 | 4/29/2016 |
| INFECTION | Ransom_CERBER.SMB | 12.502.06 | 5/2/2016 |
| INFECTION | Ransom_CERBER.SMR | 12.504.06 | 5/3/2016 |
| INFECTION | Ransom_CERBER.SMD | 12.524.05 | 5/13/2016 |
| INFECTION | SWF_AXPERGLE.LN | 12.493.00 | 04/27/16 |

WRS Pattern (Malicious URL and Classification)

| LAYER | URL | SCORE | BLOCKING DATE |
|---|---|---|---|
| EXPOSURE | 94{blocked}.102.63.7/11/files.exe | Virus Accomplice | 5/11/2016 |
| EXPOSURE | mobikash{blocked}..com/language/de-DE/com_loader.exe | Virus Accomplice | 4/27/2016 |
| EXPOSURE | 119{blocked}.17.253.225/ok.jpg | Ransomware, Disease Vector | 5/3/2016 |
| EXPOSURE | Kewix{blocked}.hu:80/ | Ransomware, Disease Vector | 4/6/2016 |
| EXPOSURE | 188{blocked}.225.35.38/farest.555 | Virus Accomplice | 4/2/2016 |

AEGIS Pattern (Behavior Monitoring Pattern)

| LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
|---|---|---|---|
| DYNAMIC | AN1979T | OPR 1543 | 5/17/2016 |

Network Pattern

| LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
|---|---|---|---|
| CLEAN-UP | UDP_RANSOM_CERBER_REQUEST | 1.10159.00 | 5/24/2016 |

Make sure to always use the latest pattern available to detect the old and new variants of Ransom_CERBER.
Piriform CCleaner Compromised by Multi-Stage Backdoor
THREAT INFORMATION
It has been reported that a version of Piriform CCleaner.exe has been compromised/trojanized, resulting in the installation of a multi-stage backdoor capable of receiving instructions from threat actors on affected systems. Listed below are the affected versions of CCleaner:
- CCleaner version 5.33.6162
- CCleaner Cloud version 1.07.3191
Trend Micro already detects the trojanized CCleaner as BKDR_CCHACK.A and BKDR_CCHAK.B.
ARRIVAL AND INSTALLATION
The distribution of the compromised CCleaner came from the actual website of Piriform. Threat actors were able to compromise the CCleaner binary hosted on the website, which resulted in the distribution of the malicious software to unsuspecting users. Since it came from a legitimate source and was digitally signed, it would be almost impossible for users to identify that the software had been modified to perform malicious activity.
[Figure: Trojanized CCleaner Distribution]
Compilation of Best Practices while using Trend Micro products for Business
To ensure optimum protection while using Trend Micro products, our experts have compiled easy-to-follow guides on recommended product configuration that users and administrators should follow. This article contains a list of the most recent Best Practice Guides for Trend Micro's major products.
Trend Micro Email Security (TMEMS) Time-of-Click Protection and other third-party URL rewrite feature or service
When an email containing a URL that has already been rewritten by TMEMS's Time-of-Click Protection passes through a third-party service that has a similar capability, the URL may be rewritten again by the third party, appending their own service's domain. If that email is sent back either through a reply or forward, TMEMS may once again rewrite the URL. This process may go on while the email is being passed between the two parties. At some point, the URL may become too long and may not work anymore. The following is an example of such a URL passed between TMEMS's Time-of-Click Protection and Microsoft SafeLinks.
About 2020 LDAP channel binding and its impact on Trend Micro Email Security (TMEMS) LDAP Synchronization Tool
According to this Microsoft article, Microsoft will release a security update on Windows Update to add options for administrators to harden the configurations for LDAP channel binding on Active Directory domain controllers. This update will be available in March 2020. Know the impact of this update on Trend Micro Email Security (TMEMS) if administrators make the hardening changes.
Best practice guide for DMARC Authentication in Trend Micro Email Security
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (From:) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email. To leverage the DMARC protection, the sender domain owner should publish corresponding SPF, DKIM, and DMARC records to DNS, and send the message from the designated hosts or sign the message before sending; the message receiver (MTA, MUA) should get the instructions, including alignment criteria and actions in the record, and combine them with the local settings to do the verification and take necessary actions. For more details on DMARC, refer to RFC 7489. In this guide, we will introduce the DMARC feature in Trend Micro Email Security (EMS), how to use it, and how to solve problems or violations.