
Details

 
This deployment is considered the best solution when a customer has more than 500 URL Suspicious Object (SO) entries.
 

Trend Micro products support multiple types of SO; the maximum number of entries for each type is shown in the table below. We have recently received reports from customers that some features are not running as smoothly as expected.

| Suspicious Object Type | Upper Limit |
|---|---|
| SO-exception | 25,000 (*All SO types are counted together) |
| User-Defined SO (UDSO) | 10,000 per SO type |
| Virtual Analyzer SO (VASO) | 25,000 per SO type |

From our investigation, we concluded that different types of SO have different limitations, as shown in the table below. We strongly recommend that customers install SPS to extend the maximum volume of URL SO. This can resolve the issue currently found.

| Type | Comment |
|---|---|
| URL | If queried from SPN or iSPS, internally limited to 500 entries. If queried from SPS, can serve entries up to the upper limit. |
| File SHA-1 | Can serve entries up to the upper limit |
| File CRC | Can serve entries up to the upper limit |
| Domain/IP | Can serve entries up to the upper limit |

In addition, SPS can directly benefit other Trend Micro point products, for example Apex One, ScanMail, and Deep Security, which connects the whole threat defense ecosystem more swiftly.

The following instructions illustrate how to deploy SPS in detail:

Steps

  1. Get required information about the Suspicious Object list source:
    1. Open the Apex One as a Service management console.
    2. Go to Threat Intel > Distribution Settings.
    3. Click the Managed Products tab.
    4. Write down the following connection details:
      • Service URL: The service URL of Apex One as a Service.
      • API key: The code that identifies Apex One as a Service to the managed product.

        Managed Products

    Apex One as a Service does not support manually triggering Suspicious Object synchronization to the Smart Protection Servers by clicking the Sync Now button.
     

     

  2. Subscribe to Apex One as a Service as the Suspicious Object source to synchronize suspicious objects:
    1. Open the Smart Protection Server management console.
    2. Go to Smart Protection > Suspicious Objects.
    3. Type the FQDN or IP address of the suspicious object source.
    4. Type the API key obtained from the suspicious object source.
    5. Click Subscribe.
    6. To immediately synchronize suspicious objects, select Synchronize and enable suspicious objects and then click Sync Now.
    7. Click Save.

      SmartProtectionServer


  3. Configure the Smart Protection Server for internal agents:
    1. Use SSO to sign in to the Apex One as a Service management console.
    2. Go to Administration > Smart Protection > Smart Protection Sources.
    3. Select the Internal Agent tab.
    4. Click Add.
    5. In the IP range section, specify an IP address range for internal agents.
    6. In the Custom Smart Protection Server List section, add the Smart Protection Server subscribed to the suspicious object source.
      1. Specify the Smart Protection Server’s host name or IPv4/IPv6 address.
      2. Select Web Reputation Services and input the port number.
      3. Click Add to List.
    7. Click Save.
    8. Click Save and Notify Agents.

      ServerList
