
Apex One Vulnerability Protection uses a host-based intrusion prevention system (HIPS) to virtually patch known and unknown vulnerabilities before a patch is available or deployable. The Firewall feature has also been removed from the Policy as the Apex One agent already has built-in Firewall capabilities.

Additionally, the available Intrusion Prevention rules focus on endpoint protection and form part of Apex One's comprehensive multilayer protection for endpoints.

You can take advantage of Trend Micro™ Deep Security, which is a comprehensive server security platform designed to protect dynamic data centers comprising physical, virtual, and cloud servers, as well as virtual desktops. It also includes IPS rules designed to protect server platforms.

Trend Micro Vulnerability Protection 2.0 has more than 4000 IPS rules, which is why the main purpose of Recommendation Scan is to help users select the best rules to apply based on the scan result.

The Vulnerability Protection pattern in the Apex One agent has more than 200 IPS rules, selected through Trend Micro's global backend analysis as the best recommendation for the endpoint's environment. Because the number of rules has been reduced, Recommendation Scan is no longer needed.

Recommended Scanning

Recommended Scanning ensures protection against known vulnerabilities. It has the essential IPS rules recommended by Trend Micro for optimal protection and agent performance.

Aggressive Scanning

Aggressive Scanning protects against known vulnerability issues and provides enhanced protection against suspicious network activities.

Administrators should use Recommended Scanning, as it contains the IPS rules that use network packet inspection to cover known OS platform vulnerabilities.

If you would like to temporarily disable or enable specific rules for endpoints, locate the rule in the policy's rule list and change its status using the Status drop-down control.

Disabling a rule should not affect the protection of the endpoint as a whole, because the other features of Apex One cover the other attack surfaces.

Vulnerability Protection covers known vulnerabilities that are not covered by the other protection modules of Apex One.

The following were removed from the IPS rules:

  • Document Scan Rules (covered by Apex One agent’s Anti-Malware Solution)
  • Web Exploit Rules (covered by Apex One agent’s Browser Exploit Solution)
  • Application Control Rules (covered by Apex One agent’s Application Control feature)

You can use Network Engine Settings, which are applied by the Apex One agent's network driver, to further configure the Vulnerability Protection module:

Network Engine Settings (Apex One™ VP)

  • Network Engine Mode:
      • Inline: Live packet streams pass directly through the Vulnerability Protection network engine. All rules are applied to the network traffic before the packets proceed up the protocol stack.
      • Tap (Detect-only): Live packet streams are replicated and diverted from the main stream, so matching rules are logged but traffic is not blocked.
  • ESTABLISHED Timeout: Configures how long to stay in the ESTABLISHED state before closing the connection.
  • LAST_ACK Timeout: Configures how long to stay in the LAST_ACK state before closing the connection.
  • Cold Start Timeout: Configures the amount of time to allow non-SYN packets that could belong to a connection that was established before the stateful mechanism was started.
  • UDP Timeout: Configures the maximum duration of a UDP connection.
  • Maximum TCP Connections: Configures the maximum number of simultaneous TCP connections.
  • Maximum UDP Connections: Configures the maximum number of simultaneous UDP connections.
  • Ignore Status Code: Lets you ignore certain types of events. You can specify up to three events to ignore.
  • Advanced Logging Policy: Lets you select from the following settings:

  • Bypass: No filtering of events. Overrides the Ignore Status Code settings (above) and other advanced settings, but does not override logging settings defined on the Apex One server.
  • Default: Uses Tap Mode logging if the engine is in Tap Mode, and Normal logging if the engine is in Inline Mode.
  • Normal: All events are logged except dropped retransmits.
  • Backwards Compatibility Mode: For support use only.
  • Verbose Mode: Same as Normal but including dropped retransmits.
  • Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, unsolicited UDP, unsolicited ICMP, and out of allowed policy events.
  • Stateful, Normalization, and Frag Suppression: Ignores everything that Stateful and Normalization Suppression ignores, as well as events related to fragmentation.
  • Stateful, Frag, and Verifier Suppression: Ignores everything that Stateful, Normalization, and Frag Suppression ignores, as well as verifier-related events.
  • Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, max ack retransmit, and packet on closed connection events.
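To make the timeout and connection-limit settings above concrete, the following is a constructed model of a stateful tracker that applies the ESTABLISHED, LAST_ACK, Cold Start and UDP timeouts and the TCP/UDP connection maximums, and classifies each packet as allowed, "out of connection" or "max connections" (two of the event types the logging policies above refer to). This is an added illustration, not Trend Micro's engine code; the setting values, the flow-key layout and the simplified TCP state handling are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed model of the stateful-inspection settings; values are illustrative, not Trend Micro defaults.
@dataclass
class EngineSettings:
    established_timeout: float = 3600.0  # idle seconds allowed in ESTABLISHED
    last_ack_timeout: float = 30.0       # idle seconds allowed in LAST_ACK
    cold_start_timeout: float = 60.0     # grace window after engine start for non-SYN packets
    udp_timeout: float = 60.0            # maximum idle lifetime of a UDP flow
    max_tcp_connections: int = 2
    max_udp_connections: int = 2

FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto), an assumed layout

@dataclass
class StatefulEngine:
    settings: EngineSettings
    start_time: float
    tcp: Dict[FlowKey, Tuple[str, float]] = field(default_factory=dict)  # key -> (state, last_seen)
    udp: Dict[FlowKey, float] = field(default_factory=dict)              # key -> last_seen

    def _expire(self, now: float) -> None:
        """Drop flows whose state-specific idle timer has run out."""
        s = self.settings
        for key, (state, seen) in list(self.tcp.items()):
            limit = s.established_timeout if state == "ESTABLISHED" else s.last_ack_timeout
            if now - seen > limit:
                del self.tcp[key]
        self.udp = {k: t for k, t in self.udp.items() if now - t <= s.udp_timeout}

    def packet(self, key: FlowKey, now: float, syn: bool = False, fin: bool = False) -> str:
        """Classify one packet as 'allow', 'out of connection' or 'max connections'."""
        self._expire(now)
        s = self.settings
        if key[4] == "udp":
            if key not in self.udp and len(self.udp) >= s.max_udp_connections:
                return "max connections"
            self.udp[key] = now
            return "allow"
        if key in self.tcp:  # known flow: refresh timer, FIN moves it to LAST_ACK
            self.tcp[key] = ("LAST_ACK" if fin else self.tcp[key][0], now)
            return "allow"
        # New TCP flow: a SYN is required unless the engine is still inside its
        # cold-start window, which lets connections opened before start-up keep flowing.
        if not syn and now - self.start_time > s.cold_start_timeout:
            return "out of connection"
        if len(self.tcp) >= s.max_tcp_connections:
            return "max connections"
        self.tcp[key] = ("ESTABLISHED", now)
        return "allow"
```

Raising the Cold Start Timeout or the connection maximums in this model changes which packets are reported as "out of connection" or "max connections", which is the same trade-off an administrator makes when tuning the real settings.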

Patterns are updated weekly; depending on the urgency of a vulnerability, a pattern may be released more often.

The two agents can co-exist, but be sure to turn off the Apex One Vulnerability Protection Service. Additionally, when the Apex One Vulnerability Protection Policy is installed, it automatically uninstalls the Trend Micro Vulnerability Protection 2.0 agent if it is present.

When a detection occurs, the Apex One Vulnerability Protection Service is triggered and a detection log is generated that can be queried from Apex Central, but the end user does not get a detection notification on the endpoint machine.

Vulnerability Protection 2.0 (On-Premise) was designed to protect legacy business applications running on legacy operating systems, where the application has a platform or OS patch compatibility problem. Normally, those machines are set up in a fixed location or with fixed source/destination port communication to mitigate the security risk to the system. This is closer to a server security approach.

The Apex One Vulnerability Protection feature was redesigned to fit enterprise endpoint/desktop protection. Endpoints have a diverse set of applications installed by users for different business purposes, and they connect to dynamic network segments whose network state changes.

As of July 2019, you must access the Apex One server console via SSO to configure the Firewall. There is a plan to bring the Firewall configuration page to the Apex Central policy page in the near future.

The granular configuration in TMVP came from Deep Security, which was designed for a server management approach: administrators must understand which applications and network connections should be allowed to interact with the endpoint. Apex One Vulnerability Protection rules instead follow a pattern update approach with zero rule tuning effort, while still giving endpoint administrators granular control to disable individual rules for mitigation:

  • Disable or enable individual rules for false-positive (FP) mitigation control.
  • Switch the Vulnerability Protection engine to "Tap mode". This makes all active rules "Detect only".
  • For rule quality issues, contact Trend Micro Technical Support for rule tuning and updates.

The ruleset's major difference compared to Vulnerability Protection 2.0 (On-Premise) is the removal of Web Client Exploit related rules. Since more than 80% of client web traffic uses HTTPS, and the agent never has the private key needed to inspect HTTPS connections on the endpoint, these rules have no value there.

Aggressive Scanning is not recommended for all agents. You can enable it on a few agents with suspicious network activity for further investigation (e.g. machines flagged as suspicious by an EDR investigation). Enabling Aggressive Scanning on all machines would cause the agents to send a large number of detections to the Apex One server, which might cause server performance issues.

  • It is by design that Apex One does not display any extended service (Application Control, Vulnerability Protection, Endpoint Sensor) logs on the agent side. Any Vulnerability Protection detection should appear in the Apex Central console via Logs > Log Query > Intrusion Prevention.
  • By design, Apex One as a Service does not download the Vulnerability Protection Pattern when no Vulnerability Protection policy has been deployed to the agents. If the pattern is still not downloaded after a policy has been deployed, contact Trend Micro Technical Support.

To understand the meaning of the firewall events generated by Apex One Vulnerability Protection, read the KB article Understanding the firewall events generated in Deep Security and Apex One Vulnerability Protection.