Security-Optimized Deployment Mode
The Security-Optimized deployment mode favors additional security over network performance or application adherence to protocol standards. It enables more Zero Day Initiative (ZDI) protection filters than any other deployment mode. Trend Micro DV Labs designed the Security-Optimized profile to meet specific testing criteria to block ALL known avenues for compromising systems. It was NOT developed to be used in production environments except under the most stringent conditions. A few default-enabled filters WILL trigger in certain situations and break a "normal" network. Use of the Security-Optimized profile will more than double the number of filters enabled (from around 7,300 to nearly 16,000). Therefore, it is only recommended for low-traffic networks or networks that need a high level of security (valued more than performance).
It is easy for an inspection device to congest when more filters are enabled, causing latency or dropped packets. Before deployment, real-world traffic should be tested to see whether certain filters block frequently. Each such filter should be investigated to determine whether it is needed or whether it matches your environment's legitimate traffic. Once high-notification filters are resolved, you should be safe to test inline. If congestion seems to be an issue, review the specific protocols, OS, and other filtering objects on the SMS and disable filters that are not needed. Review the following filters before activation:
| Filter | Description | Explanation |
|---|---|---|
| 560 | DNS Version Request (UDP) | This filter should not be enabled to block under certain configurations: A) in a split DNS architecture, B) where the TippingPoint device is between the internal DNS server and the external DNS server, or C) where the internal DNS server is configured for port reuse when communicating with the external DNS server. Under these conditions, the TippingPoint device would sever all DNS communication for the duration of the block, typically 30 minutes. This filter should be enabled only on the Internet perimeter, where it blocks responses from the malicious DNS server rather than a relayed response, or in environments where internal DNS servers are not configured for port reuse. |
| 2558 | HTTP HTTP CONNECT TCP Tunnel to other than HTTP ports (ATT&CK T1071) | This filter may interfere with VPN connections or applications that do not use default ports. |
| 7120 | TCP Segment Overlap With Different Data, e.g., Fragroute | This filter can cause issues on large networks with multiple paths. If it fires frequently, it should be disabled. |
| 9772 | HTTP Zip Archive Containing .exe file | This filter will break Microsoft and other update tools where a zip file is used. It should be disabled. |
| 10030 | HTTP Microsoft Shell Link Binary File Download | This filter detects an attempt to download a Microsoft Shell Link Binary (LNK) file. These files are commonly used to support application launching and linking. Shell Links can also be used by applications that need to store a reference to a target file. Enabling this filter will block the download of all Shell Link Binary files. |
| 11105 | HTTP Suspicious Request for an Executable (Possible Malware Download Attempt) | This filter detects an attempt to download an executable using a crafted HTTP request. It is a common attack technique to exploit a system with a small amount of code that subsequently downloads a larger, more fully featured executable from the internet. When making this request to the internet, the attacker commonly crafts HTTP requests that look very different from a normal web browser's HTTP request. |
| 13012 | SIP SipVicious Brute Force SIP Tool | Under heavy attacks, this filter can overload the Block table and the Notify process. Each attack uses a different source port, so Quarantine will prevent multiple Blocks from being created. This filter should be set to quarantine. |
| 13527 | HTTP Microsoft XML Core Services 3.0 ActiveX Control Instantiation | This filter detects an attempt to instantiate the version-dependent ActiveX Control for Microsoft XML Core Services 3.0. This control has been tied to one or more vulnerabilities, and as such, this filter can be used to block any and all use of MS XML Core Services 3.0 via ActiveX controls. There is nothing inherently malicious about the use of this control; therefore, it should only be enabled as a policy implementation to block MS XML Core Services version 3.0. |
| 16800 | TCP Non-Standard Function Declaration | This filter detects a sequence of non-malicious meta characters typically used in non-standard formatting of function declarations. It matches the minimum characters required to exploit a vulnerability in GNU Bash. Hence, this filter will fire on the usage of ', ", space, tab, or % followed immediately by () { over any TCP port. Poorly designed websites may not adhere to best practices and use these characters in the URL; the filter will block these sites if enabled. |
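The pre-deployment review described above (find filters that block frequently, then decide per filter whether the hits are legitimate traffic) is easy to script. The following is an added example, not TippingPoint or Trend Micro code: it parses a constructed notification export in a hypothetical `key=value` line format (a real SMS export has its own layout and would need its own parser), counts Block actions per filter number, flags filters that exceed a threshold, and attaches the guidance from the table above. Filter number 4242 in the sample is made up, to show how a filter that is not on the review list is reported.

```python
"""Triage helper for Security-Optimized profile tuning.

Added example (not TippingPoint/Trend Micro code). The input line format is
HYPOTHETICAL; adapt LINE_RE to your real SMS export before use.
"""
import re
from collections import Counter, defaultdict

# Filters this guide says to review before activation, with the guidance it gives.
REVIEW_FILTERS = {
    560: "enable to block only at the Internet perimeter; severs DNS in split-DNS or port-reuse designs",
    2558: "may interfere with VPNs or applications on non-default ports",
    7120: "disable if it fires frequently on large multi-path networks",
    9772: "breaks update tools that ship .exe inside zip files; disable",
    10030: "blocks every LNK download; keep only if that is policy",
    11105: "crafted executable requests; verify against your legitimate downloaders",
    13012: "set the action to Quarantine, not Block, to protect the block table",
    13527: "policy-only control; nothing inherently malicious about MSXML 3.0",
    16800: "fires on quote, space, tab or % followed by () { on any TCP port; may block sloppy sites",
}

# Constructed sample notification lines (hypothetical format, RFC 5737 addresses).
# Filter 4242 is a made-up number standing in for a filter not on the review list.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 filter=9772 action=Block src=10.1.2.3 dst=203.0.113.10
2024-05-01T10:00:05 filter=9772 action=Block src=10.1.2.4 dst=203.0.113.10
2024-05-01T10:00:09 filter=9772 action=Block src=10.1.2.5 dst=203.0.113.10
2024-05-01T10:01:00 filter=13012 action=Block src=198.51.100.7 dst=10.1.9.1
2024-05-01T10:01:01 filter=13012 action=Block src=198.51.100.7 dst=10.1.9.1
2024-05-01T10:02:00 filter=16800 action=Block src=10.1.2.3 dst=203.0.113.22
2024-05-01T10:03:00 filter=4242 action=Permit src=10.1.2.3 dst=203.0.113.22
2024-05-01T10:03:01 filter=4242 action=Block src=10.1.2.6 dst=203.0.113.22
2024-05-01T10:03:02 filter=4242 action=Block src=10.1.2.7 dst=203.0.113.22
2024-05-01T10:03:03 filter=4242 action=Block src=10.1.2.8 dst=203.0.113.22
2024-05-01T10:03:04 filter=4242 action=Block src=10.1.2.8 dst=203.0.113.22
this line is malformed and must be skipped, not crash the run
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+filter=(?P<num>\d+)\s+action=(?P<action>\w+)"
    r"\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s*$"
)


def parse_events(text):
    """Parse notification lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["num"] = int(d["num"])
        events.append(d)
    return events


def triage(events, threshold=3):
    """Rank filters by Block count, flag frequent ones, attach the guide's notes.

    distinct_sources separates one noisy attacker (many hits, one source, as
    with 13012) from broad legitimate traffic (many hits, many internal sources,
    as with 9772), which is the question the review has to answer per filter.
    """
    blocks = Counter()
    sources = defaultdict(set)
    for e in events:
        if e["action"].lower() != "block":
            continue  # only Block actions disrupt traffic; Permit hits are informational
        blocks[e["num"]] += 1
        sources[e["num"]].add(e["src"])
    rows = []
    for num, count in blocks.items():
        rows.append({
            "filter": num,
            "blocks": count,
            "distinct_sources": len(sources[num]),
            "frequent": count >= threshold,
            "on_review_list": num in REVIEW_FILTERS,
            "guidance": REVIEW_FILTERS.get(
                num, "not in the review table; compare hits against legitimate traffic"),
        })
    rows.sort(key=lambda r: (-r["blocks"], r["filter"]))
    return rows


def report(rows):
    """Render the triage rows as one line per filter for a review meeting."""
    out = []
    for r in rows:
        flag = "REVIEW" if r["frequent"] else "ok"
        out.append(f"{flag:6} filter {r['filter']:>5} blocks={r['blocks']:<3} "
                   f"sources={r['distinct_sources']:<3} {r['guidance']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(parse_events(SAMPLE_EVENTS))))
```

Run it once against a capture of real traffic in a non-blocking test, resolve every row marked REVIEW (disable the filter, change its action, or accept the hits as expected), and only then move the device inline as the text above recommends.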