Intrusion Prevention and Firewall

You can optionally configure Deep Security to use a Whois service to look up which domain name is associated with an IP address when you review the logged intrusion prevention and firewall events. The IP address is sent directly to the Whois service and not to Trend Micro.

Data collected: IP address
Console location: Administration > System Settings > Advanced
Console settings

Whois URL


Anti-Malware: Smart Protection

Smart Protection Server for File Reputation Service is used by the anti-malware module. It supplies file reputation information required by Smart Scan. Alternatively, you can use a locally installed Smart Protection Server. For more information on Trend Micro Smart Protection Network, see: http://www.trendmicro.com/en_us/about/legal/privacy-whitepapers.html?modal=wp-smart-protection-network-gdprpdf

Data collected
  • Client device OS
  • File information
  • Suspicious file signatures
Console location: Computer or Policy editor > Anti-Malware > Smart Protection
Console settings

Connect directly to Global Smart Protection Service


Anti-Malware: Process Memory Scan

Process memory scans connect to the Good File Reputation Service. This information enables Deep Security to identify good file hashes.

Data collected
  • Resource name or file name
  • Language
Console location: Policies > Common Object > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings

Scan process memory for malware


Anti-Malware: Predictive Machine Learning

Predictive machine learning enables identification of potentially malicious files.

Data collected
  • File name
  • Path
  • Signer
Console location: Policies > Common Objects > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings

Enable Predictive Machine Learning


Anti-Malware: Smart Scan

This information is sent when a file scan occurs and enables Deep Security to identify malicious file hashes.

Data collected
  • Source IP
  • Server GUID
  • Client GUID
  • Pattern info (VirusID, malware name, pattern version)
  • Info of user agent (product name & version)
  • Product FQDN
Console location: Computer or policy editor > Anti-Malware > Smart Protection > Smart Scan
Console settings

Untick the Inherited check box (if it's selected) and select Off.


Anti-Malware: Behavior Monitoring

The behavior monitoring feature communicates with the Global Census Server and Good File Reputation Service. This enables Deep Security to identify good file hashes and to retrieve statistical data.

Data collected
  • GUID
  • Product name and version
  • GRID result
  • Source IP
Console location: Policies > Common Objects > Other > Malware Scan Configuration > Real-Time Scan configuration > General
Console settings
  • Detect suspicious activity and unauthorized changes (incl. ransomware)
  • Back up and restore ransomware-encrypted files


Integrity Monitoring

You can configure Deep Security Manager to automatically tag integrity monitoring events. If you select the Certified Safe Software Service option, information is sent to the Trend Micro Certified Safe Software service. Alternatively, you can select one of the other options when configuring auto-tagging, or leave auto-tagging disabled.

Data collected
  • Resource name or file name
  • Language
Console location: Events and Reports > Integrity Monitoring Events > Auto-Tagging > New Trusted Source
Console settings

Certified Safe Software Service


Web Reputation

The web reputation module uses the Trend Micro Smart Protection Network to determine whether URLs are malicious. When Connect directly to Global Smart Protection Service is selected, URLs are sent to Trend Micro. Alternatively, you can opt to use a locally installed Smart Protection Server. You must select one of these options to use the web reputation module. If you don’t want to use either of those options, go to the General tab and change the Web Reputation State to Off to disable the web reputation module.

Data collected: URL
Console location: Computer or Policy editor > Web Reputation > Smart Protection
Console settings

Connect directly to Global Smart Protection Service


Smart Feedback

Smart Feedback enables you to participate, share, and leverage Trend Micro’s global database of threat-related intelligence to rapidly identify and defend against potential threats within your unique network environment. For more information on Trend Micro Smart Protection Network, see: http://www.trendmicro.com/en_us/about/legal/privacy-whitepapers.html?modal=wp-smart-protection-network-gdprpdf

Data collected
  • IP address
  • Filename/Path
  • Hostname
  • Suspicious executables and partial file content
Console location: Administration > System Settings > Smart Feedback
Console settings

Enable Trend Micro Smart Feedback


Managed Detection and Response

With industry-leading detection technologies managed and correlated by expert threat investigators, the Trend Micro MDR service actively detects, analyzes, and responds to threat activities in a timely manner for subscribed customers.

Data collected
  • Host name
  • IP
  • File information
  • URL information
  • Network traffic information
  • Log/event information
Console location: Administration > System Settings > Managed Detection and Response

Contact sales to enroll in the MDR service.

Console settings

Enable the MDR service


Grid and Census Queries

The Census, Good File Reputation, and Predictive Machine Learning services are security services hosted by Trend Micro in its Smart Protection Network. They are necessary for the full and successful operation of the Deep Security behavior monitoring, predictive machine learning, and process memory scan features.
If you have disabled all of the settings listed in this article, you may find that Deep Security still attempts to connect to these services. You can disable the grid and census queries by running the following commands on your Deep Security Manager. For details on the dsm_c command, see the Deep Security Help Center article, Command-line basics.

dsm_c -action changesetting -name settings.configuration.enableCensusQuery -value false -tenantname <tenantname>

dsm_c -action changesetting -name settings.configuration.enableGridQuery -value false -tenantname <tenantname>

Disabling these services is not recommended and may result in a lower detection rate and a higher false-positive rate because Deep Security can no longer confirm the validity of files that it is scanning.


BIF

This feature is used to calculate the installation base and system status of Trend Micro Deep Security.

Data collected
  • Activation Code and GUID
  • Product version
  • Feature enabled status
  • System status
Console location: This feature can be disabled. If you do not want this data to be collected, go to System Settings > Advanced > Product Usage Data Collection and deselect Enable Product Usage Data Collection.
Console settings


Threat Intelligence

Users can manually or automatically send suspicious files from Deep Security to Trend Micro Vision One, which executes and observes the suspicious file in a sandbox (a secure, isolated virtual environment).

Data collected: Suspicious files (including executables, Office and PDF documents, Flash, images, HTML scripts, etc.)
Console location: Administration > System Settings > Threat Intelligence > Sandbox Analysis
Console settings: Submit suspicious files to
