Views:

If you have not yet enabled the Smart Feedback, Predictive Machine Learning or Behavior Monitoring in your product, you can activate these features and run the scan again. Data shared through these features allows Trend Micro to identify and address new threats such as Sunburst.

Please read through the steps first, since multiple configuration settings can be done at one configuration menu per product.

Customers are also encouraged to ensure that the Trend Micro products are patched and updated to the latest versions:

For more information about the features of Targeted Attack Detection, please refer to Targeted Attack Detection feature on Vision One.

Enable Smart Feedback

To enable Smart Feedback for Standard Endpoint Protection (for Windows):

  1. Login to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Standard Endpoint Protection > select your target endpoint instance.
  2. Go to Administration > Smart Protection.
  3. Click the Enable Trend Micro Smart Feedback.
  4. Select the Industry type to help Trend Micro understand your organization.
  5. Tick the Enable feedback of suspicious program files check box to send information about potential security threats in the files on your Standard Endpoint Protection Agents.
  6. Set the number of detections for the specific amount of time that triggers the feedback to configure the criteria for sending feedback.
  7. Specify the maximum bandwidth Standard Endpoint Protection can use when sending feedback to minimize network interruptions.
  8. Click Save.

To enable Smart Feedback for Standard Endpoint Protection (for Mac):

  1. Login to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Standard Endpoint Protection > select your target endpoint instance.
  2. Go to Administration > Smart Feedback.
  3. Click the Enable Trend Micro Smart Feedback.
  4. Click Save.
 
These new features will be available on August 07, 2023.
 

To enable Smart Feedback for Server & Workload Protection:

  1. Login to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Standard Endpoint Protection > select your target workload instance on Server & Workload Protection Manager.
  2. Go to Administration > Smart Protection.
  3. Click the Enable Trend Micro Smart Feedback.
  4. Select the Industry type to help Trend Micro understand your organization.
  5. Tick the Send suspicious file signatures along with feedback option.
  6. Set the number of detections for the specific amount of time that triggers the feedback to configure the criteria for sending feedback.
  7. Specify the maximum bandwidth Server & Workload Protection can use when sending feedback to minimize network interruptions.
  8. Click Save.

Reference: Protection in Workload Security

 
This new feature will be available on August 07, 2023.
 

To enable Smart Feedback for Apex One as a Service (for Windows):

  1. Use single sign-on to Apex One server. Go to Directories > Product Servers and click Apex One as a Service URL.
  2. Go to Administration > Smart Protection.
  3. Click the Enable Trend Micro Smart Feedback.
  4. Select the Industry type to help Trend Micro understand your organization.
  5. Tick the Enable feedback of suspicious program files check box to send information about potential security threats in the files on your Security Agents.
  6. Set the number of detections for the specific amount of time that triggers the feedback to configure the criteria for sending feedback.
  7. Specify the maximum bandwidth Apex One can use when sending feedback to minimize network interruptions.
  8. Click Save.

To enable Smart Feedback for Apex One as a Service (for Mac):

  1. Use single sign-on to Apex One server. Go to Directories > Product Servers and click Apex One (Mac) as a Service URL.
  2. Go to Administration > Smart Feedback.
  3. Click Enable Trend Micro Smart Feedback.
  4. Click Save.

To enable Smart Feedback for On-Premise Apex One:

  1. On the console, navigate to Administration > Smart Protection.
  2. Click Enable Trend Micro Smart Feedback.
  3. Select the Industry type to help Trend Micro understand your organization.
  4. Tick the Enable feedback of suspicious program files check box to send information about potential security threats in the files on your Security Agents.
  5. Set the number of detections for the specific amount of time that triggers the feedback to configure the criteria for sending feedback.
  6. Specify the maximum bandwidth Apex One can use when sending feedback to minimize network interruptions.
  7. Click Save.

To enable Smart Feedback for Cloud One Workload Security or Deep Security:

  1. Log in to Trend Micro Cloud One > Workload Security.
  2. Go to Administration > Smart Feedback.
  3. Click Enable Trend Micro Smart Feedback.
  4. Select the "Industry" type to help Trend Micro understand your organization.
  5. Tick the "Send suspicious file signatures along with feedback" option.
  6. Set the number of detections for the specific amount of time that triggers the feedback to configure the criteria for sending feedback.
  7. Specify the maximum bandwidth Cloud One Workload Security can use when sending feedback to minimize network interruptions.
  8. Click Save.

Reference: Protection in Workload Security

To enable Smart Feedback for Cloud App Security (CAS):

  1. Log in to Trend Micro Cloud App Security > Advanced Threat Protection.
  2. Choose the Default Exchange Policy ATP > Advanced Spam Protection.
  3. Tick "Allow Trend Micro to collect suspicious email information to improve its detection capabilities".
  4. Choose Default Exchange Policy ATP > Malware Scanning.
  5. Tick "Allow Trend Micro to collect suspicious file information to improve its detection capabilities".
  6. Click Save.
  7. Review other policies and ensure that the same option has been enabled.

To enable Smart Feedback for Deep Discovery Inspector (DDI):

  1. Log in to Deep Discovery Inspector > Administration > Threat Detections.
  2. Ensure that "Enable All Threat Detections" is enabled, and that "Enable threat detections" is ticked.
  3. Click Save.

 

Enable Predictive Machine Learning

To enable PML for Standard Endpoint Protection:

  1. Login to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Standard Endpoint Protection > select your target endpoint instance.
  2. Go to Policies > Policy Management.
  3. For the Standard Endpoint Protection Agent, create a new policy or click an existing policy to modify its settings.
  4. In the Advanced Threat Protection section, click Predictive Machine Learning.
  5. Select "Enable Predictive Machine Learning".
  6. Under Detection Settings, select the type of detections and related action that Predictive Machine Learning takes.
  7. Repeat steps 1 to 6, but this time create a policy for Standard Endpoint Protection Agent (Mac).

Recommended Action:

Under Detection Settings, use the following actions:

Predictive Machine Learning 1

Click the image to enlarge.

 
This new feature will be available on August 07, 2023.
 

To enable PML for Server & Workload Protection (Recommended Action):

  1. Log in to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Standard Endpoint Protection > select your target endpoint instance..
  2. Go to the Policy tab.
  3. On the left column, navigate to Common Objects > Other > Malware Scan Configuration.
  4. Double-click the configuration with Scan Type "Real-Time" to open the Properties window.
  5. Under the General Tab, look for the section Predictive Machine Learning.
  6. Tick the option "Enable Predictive Machine Learning" and underneath it, set the "Action to take:" box to "Quarantine (Recommended)".

    Default Real Time Scan

    Click the image to enlarge.

  7. Click Apply/Ok to apply the change.

Reference: Detect emerging threats using Predictive Machine Learning

 
This new feature will be available on August 07, 2023.
 

To enable PML for Apex One as a Service:

  1. Go to Policies > Policy Management.
  2. For the Apex One Security Agent, create a new policy or click an existing policy to modify its settings.
  3. In the Advanced Threat Protection section, click Predictive Machine Learning.
  4. Select "Enable Predictive Machine Learning".
  5. Under Detection Settings, select the type of detections and related action that Predictive Machine Learning takes.
  6. Repeat steps 1 to 5, but this time create a policy for Apex One (Mac).

Recommended Action:

Under Detection Settings, use the following actions:

Detection Settings

To enable PML for On-Premise Apex One:

  1. Go to Agents > Agent Management.
  2. In the agent tree, click the root domain icon to include all agents or select specific domains or agents.
  3. Click Settings > Predictive Machine Learning Settings. The Predictive Machine Learning Settings screen should appear.
  4. Select "Enable Predictive Machine Learning".
  5. Under Detection Settings, select the type of detections and related action that Predictive Machine Learning takes.

Recommended Action:

Under Detection Settings, use the following actions:

Detection Settings

To enable PML for Cloud One Workload Security or Deep Security (Recommended Action):

  1. Log in to the Deep Security Manager or Cloud One Workload Security console.
  2. Go to the Policy tab.
  3. On the left column, navigate to Common Objects > Other > Malware Scan Configuration.
  4. Double-click the configuration with Scan Type "Real-Time" to open the Properties window.
  5. Under the General Tab, look for the section Predictive Machine Learning.
  6. Tick the option "Enable Predictive Machine Learning" and underneath it, set the "Action to take:" box to "Quarantine (Recommended)".

    Enable PML

  7. Click Apply/Ok to apply the change.

Reference: Detect emerging threats using Predictive Machine Learning

To enable PML for Cloud App Security (CAS):

  1. Log in to Trend Micro Cloud App Security > Advanced Threat Protection.
  2. Choose Default Exchange Policy ATP > Malware Scanning.
  3. Tick "Enable Predictive Machine Learning".
  4. Click Save.
  5. Review other policies and ensure that the same option has been enabled.
 
There are no recommended actions as per the CAS Best Practice Guide. CAS only provides the option to enable/disable the Predictive Machine Learning (PML) feature.

To enable PML for Deep Discovery Inspector (DDI):

  1. Log in to Deep Discovery Inspector > Administration > Threat Detections.
  2. Under Smart Feedback, ensure that both "Enable Smart Feedback" and "Submit suspicious files to Trend Micro" are ticked.
  3. Click Save.

 

Enable Behavior Monitoring

To enable Behavior Monitoring for Standard Endpoint Protection:

  1. Login to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Standard Endpoint Protection > select your target endpoint instance.
  2. Go to Policies > Policy Management.
  3. Create a new policy or click an existing policy to modify its setting.
  4. In the Advanced Threat Protection section, click Behavior Monitoring.
  5. Select "Enable Malware Behavior Monitoring".
  6. Under Threats to block, select "Known and potential threats".

Recommended Setting:

Enable Ransomware and Anti-exploit Protection:

Behavior Monitoring

Click the image to enlarge.

 
This new feature will be available on August 07, 2023.
 

To enable Behavior Monitoring for Server & Workload Protection (Recommended Action):

  1. Login to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Server & Workload Protection > select your target workload instance on Server & Workload Protection Manager.
  2. Go to the Policy tab.
  3. On the left column, navigate to Common Objects > Other > Malware Scan Configurations.
  4. Double-click the configuration with Scan Type "Real-Time" to open the Properties window.
  5. Under the General Tab, look for the section Behavior Monitoring.
     
    This feature is only available on agent-based protection.
  6. Check the option "Enable Behavior Monitoring" and then underneath it, set the "Action to take:" box to "ActiveAction (Recommended)". Additionally, tick the option "Back up and restore ransomware-encrypted files".

    Default Real Time Scan 2

    Click the image to enlarge.

  7. Click Apply/Ok to apply the change.

Reference: Enhanced Anti-Malware and Ransomware Scanning with Behavior Monitoring

 
This new feature will be available on August 07, 2023.
 

To enable Behavior Monitoring for Apex One as a Service:

  1. Go to Policies > Policy Management.
  2. Create a new policy or click an existing policy to modify its setting.
  3. In the Advanced Threat Protection section, click Behavior Monitoring.
  4. Select "Enable Malware Behavior Monitoring".
  5. Under Threats to block, select "Known and potential threats".

Recommended Setting:

Enable Ransomware and Anti-exploit Protection:

Enable Ransomware and Anti-exploit Protection

To enable Behavior Monitoring for On-Premise Apex One:

  1. Go to Agents > Agent Management.
  2. In the agent tree, click the root domain icon to include all agents or select specific domains or agents.
  3. Click Settings > Behavior Monitoring Settings. The Behavior Monitoring Settings screen appears.
  4. Select Enable Malware Behavior Blocking.
  5. Under Threats to block, select "Known and potential threats".

Recommended Setting:

Enable Ransomware and Anti-exploit Protection:

Enable Ransomware and Anti-exploit Protection

To enable Behavior Monitoring for Cloud One Workload Security or Deep Security (Recommended Action):

  1. Log in to the Deep Security Manager or Cloud One Workload Security console.
  2. Go to the Policy tab.
  3. On the left column, navigate to Common Objects > Other > Malware Scan Configurations.
  4. Double-click the configuration with Scan Type "Real-Time" to open the Properties window.
  5. Under the General Tab, look for the section Behavior Monitoring.
     
    This feature is only available on agent-based protection.
  6. Check the option "Enable Behavior Monitoring" and then underneath it, set the "Action to take:" box to "ActiveAction (Recommended)". Additionally, tick the option "Back up and restore ransomware-encrypted files".

    Back up and restore ransomware-encrypted files

  7. Click Apply/Ok to apply the change.

Reference: Enhanced Anti-Malware and Ransomware Scanning with Behavior Monitoring

 

Enable Virus Scan API

To enable VSAPI for Standard Endpoint Protection:

  1. Login to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Standard Endpoint Protection > select your target endpoint instance.
  2. Go to Policies > Policy Management.
  3. For Apex One Security Agent, create a new policy or click an existing policy to modify its settings.
  4. In the Anti-Malware Scans section, click Real-time Scan.
  5. Select "Enable virus/malware scan".
  6. Repeat the steps, but this time create a policy for Apex One (Mac).

Recommended Actions:

  1. Click the Action tab.
  2. Select "Use a specific action for each virus/malware type".
  3. Use the following action:

    Action

    Click the image to enlarge.

 
This new feature will be available on August 07, 2023.
 

To enable VSAPI for Server & Workload Protection:

  1. Log in to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Server & Workload Protection > select your target workload instance on Server & Workload Protection Manager.
  2. Go to the Policy tab.
  3. On the left column, navigate to Policies.
  4. Double-click the target policy to open the Properties window.
  5. Select Anti-Malware on the left column.
  6. On the General tab, make sure that the Anti-Malware State is set to "On". Additionally, make sure that there are Malware Scan Configurations set on the three Scan Types.

    Windows Server

    Click the image to enlarge.

Recommended Actions

To configure the scan settings, go to Policies > Common Objects > Other > Malware Scan Configuration and then double-click the target configuration to open the Properties window. From there, configure the scan settings based on the recommendations below (as per the Best Practice Guide):

BPGA

Click the image to enlarge.

BPGB

Click the image to enlarge.

BPGC

Click the image to enlarge.

Reference: Deep Security 20 BPG

 
This new feature will be available on August 07, 2023.
 

To enable VSAPI for Apex One as a Service:

  1. Go to Policies > Policy Management.
  2. For Apex One Security Agent, create a new policy or click an existing policy to modify its settings.
  3. In the Anti-Malware Scans section, click Real-time Scan.
  4. Select "Enable virus/malware scan".
  5. Repeat the steps, but this time create a policy for Apex One (Mac).

Recommended Actions:

  1. Click the Action tab.
  2. Select "Use a specific action for each virus/malware type".
  3. Use the following action:

    Use a specific action for each virus/malware type

To enable VSAPI for On-Premise Apex One:

  1. Go to Agents > Agent Management.
  2. In the agent tree, click the root domain icon to include all agents or select specific domains or agents.
  3. Click Settings > Scan Settings > Real-time Scan Settings. The Real-time Scan Settings screen should appear.
  4. Select "Enable virus/malware scan".

Recommended Actions:

  1. Click the Action tab.
  2. Select "Use a specific action for each virus/malware type".
  3. Use the following action:

    Use a specific action for each virus/malware type

To enable VSAPI for Cloud One Workload Security or Deep Security:

  1. Log in to the Deep Security Manager or Cloud One Workload Security console.
  2. Go to the Policy tab.
  3. On the left column, navigate to Policies.
  4. Double-click the target policy to open the Properties window.
  5. Select Anti-Malware on the left column.
  6. On the General tab, make sure that the Anti-Malware State is set to "On". Additionally, make sure that there are Malware Scan Configurations set on the three Scan Types.

    Anti-Malware

Recommended Actions

To configure the scan settings, go to Policies > Common Objects > Other > Malware Scan Configuration and then double-click the target configuration to open the Properties window. From there, configure the scan settings based on the recommendations below (as per the Best Practice Guide):

Anti-Malware

Anti-Malware

Anti-Malware

Reference: Deep Security 20 BPG

To enable VSAPI for Cloud App Security (CAS):

  1. Log in to Trend Micro Cloud App Security > Advanced Threat Protection.
  2. Choose Default Exchange Policy ATP > General, and then make sure that Enable Real-time Scanning is "ON". By default, this is enabled.
  3. Review other policies and ensure that the same option has been enabled.

Recommended Actions:

 
For POC customers, select the target group that contains several hundred users. It's not recommended to select only individual users for POC customers.
  1. Log in to Trend Micro Cloud App Security > Advanced Threat Protection.
  2. Choose Default Exchange Policy ATP > General, and then make sure that Enable Real-time Scanning is "ON". By default, this is enabled.
  3. In the Available Targets section, make sure to select "groups" instead of "users" for better protection.
 
The same steps apply to enabling Real-time Scan for Exchange Online policies, Gmail policies, Google Drive policies, OneDrive policies, Salesforce Production policies, SharePoint Online policies, and Microsoft Teams policies.

To enable VSAPI for Deep Discovery Inspector (DDI):

 

You may enable or disable the following features:

  • Threat Detections - detect both known and potential threats. Deep Discovery Inspector enables this feature by default.
  • Outbreak Containment Service - enables Deep Discovery Inspector to record detection information in the logs and block network traffic.
  1. Go to Administration > Monitoring/Scanning > Threat Detections.
  2. Select "Enable All Threat Detections".
  3. Under Threat Detection, select "Enable threat detections".
  4. (Optional) Select "Enable Mobile App Reputation Service (MARS) server query".
  5. Under Outbreak Containment Service, select one of the following:
    • Enable outbreak detection - does not block traffic
    • Enable outbreak detection and block traffic - blocks traffic
     
    Outbreak Containment Service is a Trend Micro utility that detects both known and unknown malware that can potentially start an outbreak.
  6. Click Enable Smart Feedback (recommended) to send threat information to the Trend Micro Smart Protection Network.
  7. Click Save.

 

Enable Web Reputation Services

To enable WRS for Standard Endpoint Protection:

  1. Login to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Standard Endpoint Protection > select your target endpoint instance.
  2. Go to Policies > Policy Management.
  3. For the Apex One Security Agent, create a new policy or click an existing policy to modify its settings.
  4. In the Advanced Threat Protection section, click Web Reputation.
  5. Select wihch operating systems for which you want to enable Web Reputation:
    • Windows Desktop platforms
    • Windows Server platforms
  6. Repeat the steps, but this time create a policy for Apex One (Mac).

Recommended Actions:

  • Under Security Level, select "Medium" for the policy:

    Security Level

    Click the image to enlarge.

  • For the Approved/Blocked URL List, it is also highly recommended to add “internal domains to the approved URL List”.
 
This new feature will be available on August 07, 2023.
 

To enable WRS for Server & Workload Protection (Recommended Action):

  1. Log in to Trend Vision One console > ENDPOINT SECURITY OPERATIONS > Server & Workload Protection > select your target workload instance on Server & Workload Protection Manager.
  2. Go to the Policy tab.
  3. On the left column, navigate to Policies.
  4. Double-click the target policy to open the Properties window.
  5. Select "Web Reputation" on the left column.
  6. On the General tab, enable "Web Reputation State" and then set the Security Level to "Medium".

    Windows Server 2

    Click the image to enlarge.

  7. Click Save and then Close to apply the new setting.
 
This new feature will be available on August 07, 2023.
 

To enable WRS for Apex One as a Service:

  1. Go to Policies > Policy Management.
  2. For the Apex One Security Agent, create a new policy or click an existing policy to modify its settings.
  3. In the Advanced Threat Protection section, click Web Reputation.
  4. Select wihch operating systems for which you want to enable Web Reputation:
    • Windows Desktop platforms
    • Windows Server platforms
  5. Repeat the steps, but this time create a policy for Apex One (Mac).

Recommended Actions:

  • Under Security Level, select "Medium" for the policy:

    Security Level

  • For the Approved/Blocked URL List, it is also highly recommended to add “internal domains to the approved URL List”.

To enable WRS for On-Premise Apex One:

  1. Go to Agents > Agent Management.
  2. In the agent tree, click the root domain icon to include all agents or select specific domains or agents.
  3. Click Settings > Web Reputation. The Web Reputation Setting screen should appear.
  4. Select which operating systems for which you want to enable Web Reputation:
    • Windows Desktop platforms
    • Windows Server platforms

Recommended Actions:

  • Under Security Level, select "Medium" for the policy:

    Security Level

  • For the Approved/Blocked URL List, it is also highly recommended to add “internal domains to the approved URL List”.

To enable WRS for Cloud One Workload Security or Deep Security (Recommended Action):

  1. Log in to the Deep Security Manager or Cloud One Workload Security console.
  2. Go to the Policy tab.
  3. On the left column, navigate to Policies.
  4. Double-click the target policy to open the Properties window.
  5. Select "Web Reputation" on the left column.
  6. On the General tab, enable "Web Reputation State" and then set the Security Level to "Medium".

    Base Policy

  7. Click Save and then Close to apply the new setting.

To enable WRS for Cloud App Security (CAS):

  1. Log in to Trend Micro Cloud App Security > Advanced Threat Protection.
  2. Choose Default Exchange Policy ATP > Web Reputation, and then tick "Enable Web Reputation".
  3. Under Security Level, select High, Medium or Low settings as needed.
  4. Make sure that the following options are checked as well:
    • Scan message attachment content for suspicious URLs
    • Analyze URLs in real-time to detect phishing websites
    • Rescan historical URLs when patterns update and take remedial actions
  5. Click Save.
  6. Review other policies and ensure that the same option has been enabled.

Recommended Actions

  1. Log in to Trend Micro Cloud App Security > Advanced Threat Protection.
  2. Choose Default Exchange Policy ATP > Web Reputation, and then tick "Enable Web Reputation".
  3. Under Security Level, select "Medium".
  4. Make sure that the following options are checked as well:
    • Scan message attachment content for suspicious URLs
    • Analyze URLs in real-time to detect phishing websites
    • Rescan historical URLs when patterns update and take remedial actions
  5. Under Action, make sure that the settings are as follows:
    • Action: Quarantine and Notify
    • Blocked URL List: Quarantine and Notify
  6. For the Approved/Blocked URL List, it is highly recommended to add “internal domains to the approved URL List”.
 
The same steps apply when enabling WRS for Exchange Online policies, Gmail policies, Google Drive policies, OneDrive policies, Salesforce Production policies, SharePoint Online policies, and Microsoft Teams policies.

To enable WRS for Deep Discovery Inspector (DDI):

 
The steps below use Deep Discovery Inspector 6.0 as reference.
  1. Go to Administration > Monitoring/Scanning > Web Reputation.
  2. Select "Enable Web Reputation".
  3. Select a Smart Protection source. Choose between:
    • Trend Micro Smart Protection Network
    • Smart Protection Server
     
    For more information about Smart Protection sources, please refer to the DDI 6.0 Administrator's Guide.
  4. (Optional) Enable Retro Scan.
  5. Select Smart Protection Server by configuring the Smart Protection Server List:
    1. Type the Smart Protection server name or IP address.
       
      Obtain the IP address by going to Smart Protection > Reputation Services > Web Reputation on the Smart Protection Server console. The IP address forms part of the URL listed on the screen.
    2. (Optional) Click Test Connection.
    3. Type a description for the server.
    4. Update Smart Protection Server regularly.
    5. (Optional) If proxy settings for Deep Discovery Inspector have been configured for use with Smart Protection Server connections, select "Connect through a proxy server".
    6. Click Add.
    7. (Optional) Add more servers.
    8. Use the arrows under the Order column to set server priority.
  6. To filter excessive Web Reputation detections, tick "Exclude Spam and Adware detections to reduce detection volume".
  7. Click Save.

 

Additional Information

After configuring the required services for Targeted Attack, periodic analysis of your Smart Protection Network data would be performed, with continuous analysis of attack campaigns. The attack scope should reflect the actual endpoints, similar to the following image:

attack scope

However, if only GUIDs appear, and not the actual endpoint hostname, as shown in the following image:

only GUIDs appear

You may refer to the KB article: Checklist for migrating Apex One Agent to Trend Micro Vision One, and ensure that the necessary products are patched and updated.

Keywords: enable required services early warning app,early warning app services,Targeted Attack Detection