Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Trend Micro Cloud One™ – Workload Security Data Collection Notice

    • Updated:
    • 6 Aug 2021
    • Product/Version:
    • Cloud One - Workload Security Not Applicable
    • Platform:
Summary

The following sections outline the features that collect data, the data transmitted, and the locations on the product console where you can disable the features.

 
For accounts created via Cloud One, you may refer to the Trend Micro Cloud One Data Collection Notice.
 

To see where this data is processed, refer to our list of data centers and authorized data subprocessors and their locations.

 
All connections to the Trend Micro Smart Protection Network (SPN) include the Internet-facing source IP that originated the request to the Trend Micro servers, along with product type and version and operating system type and version. This data is collected in web server logs and Security Information and Event Management (SIEM) systems.
 
Details
Public

Account Enrollment

You supply this information when registering for a Workload Security account. Trend Micro uses this data for analytics and insight into Workload Security registration.

Workload Security uses Marketo for trial engagement and marketing-related activities. This form is designed to allow a minimum set of information so that customers can choose to limit information provided at registration time.

Data collected
  • Name
  • Email address
  • Phone number(s)
  • Country
Console locationRegistration information is provided by the customer during the registration process. A minimum amount of information is required to ensure we can contact the account owner for support and maintenance of the service.
Console settings

Back to top

User Access

This section is about the user access of Workload Security, which also covers optional email notification and reports. You can add users to your Workload Security account. The information for those additional users is transmitted to Trend Micro.

You can choose to enter a minimum amount of information about the users. You can also remove users, but those users will no longer be able to access the Workload Security console or receive email notifications.

Data collected
  • User's name
  • Email address
  • Phone number(s)
Console locationAdministration > User Management
Console settings

Users

Users

Contacts

Contacts

Back to top

User Authentication

When you enroll for a Workload Security account or add a new user to your account, you must supply a password. Passwords are transmitted to Trend Micro over HTTPS and stored as an unrecoverable salted hash.

Every user must have a password. You can remove users, but those users will no longer be able to access the Workload Security console.

User Authentication (Set Password)
Data collectedPasswords
Console locationAdministration > User Management > Users > Properties
Console settings

Set Password

set password

User Authentication (Contact Properties)
Data collectedPasswords
Console locationAdministration > User Management > Contacts
Console settings

Properties

Properties

Back to top

General Product Operation

When a security event occurs, information about the event is transferred to Trend Micro.

Workload Security, by design, does not collect personal information.

Depending on the nature of the protected environment and the object that is the target of the security event (for example, files, memory, network traffic) there is a risk that personal information may be collected within a security event. Security policy configuration and module selection are provided to meet the requirements of your target environment and minimize this risk.

The default event retention period for Workload Security is 32 days.

General Product Operation (Modules)
Data collected

Security event information:

  • Intrusion prevention packet
  • URL reputation
  • Firewall packet
  • Log entry
  • Malware file
  • IP addresses
Console locationComputer or Policy editor > Select module (e.g. Anti-Malware, Web Reputation, etc)
Console settings

State: Off or Inherited (Off)

Module state

General Product Operation (Event Forwarding)
Data collected

Security event information:

  • Intrusion prevention packet
  • URL reputation
  • Firewall packet
  • Log entry
  • Malware file
  • IP addresses
Console locationAdministration > System Settings > Event Forwarding
Console settings
  • Forward System Events to a remote computer (via Syslog) using configuration
  • Publish Events to AWS Simple Notification Service

General Product Operation

General Product Operation (Logging and Monitoring)
Data collected

Data from AWS ELB and other logs, including:

  • Names
  • Email addresses
  • Session IDs
  • IP addresses
  • CloudWatch logs
  • Server0 entries
  • HTTP traffic
Console locationThis information is stored in the Workload Security SIEM and is used for troubleshooting, monitoring, and overall protection of the system. It cannot be configured or disabled by customer.
Console settings

Back to top

Email

Workload Security transmits reports, alerts, and registration confirmation to its email server when sending this information to customers.

Email Configuration (Users)
Data collected
  • Reports
  • Alerts
  • Registration confirmation
Console locationAdministration > User Management > Users > Properties > Contact Information
Console settings

Receive Alert Emails

Receive Alert Emails

Email Configuration (Contacts)
Data collected
  • Reports
  • Alerts
  • Registration confirmation
Console locationAdministration > User Management > Contacts
Console settings

Email Address

Email Address

This contact information will show up when configuring Scheduled Reports under Generate Reports.

contact information

Back to top

Support Requests

When you submit a support request, this information is sent to Salesforce.

Data collected
  • Account ID
  • Tenant ID
  • Name
  • Account Name
  • Company
  • Country
  • Email address
  • Phone number
  • Description of support request
Console locationSupport > Contact Support
Console settings

Create Case

Create Case

Back to top

Intrusion Prevention and Firewall

You can optionally configure Workload Security to use a Whois service to look up which domain name is associated with an IP address when you review logged intrusion prevention and firewall events. The IP address is sent directly to the Whois service and not to Trend Micro.

Data collectedIP addresses
Console locationAdministration > System Settings > Advanced
Console settings

Whois URL

Whois URL

Back to top

Anti-Malware: Smart Protection

Smart Protection Server for File Reputation Service is used by the anti-malware module. It supplies file reputation information required by Smart Scan. Alternatively, you can use a locally installed Smart Protection Server.

Data collected
  • Product information
  • Client device OS
  • Malicious or suspicious file information
  • Suspicious file signatures
  • Malicious or suspicious process information
Console locationComputer or Policy editor > Anti-Malware > Smart Protection
Console settings

Connect directly to Global Smart Protection Service

Connect directly to Global Smart Protection Service

Back to top

Anti-Malware: Process Memory Scan

Process Memory Scan connects to the Good File Reputation Service. This information enables Workload Security to identify good file hashes.

Data collectedFile hashes (SHA1)
Console locationPolicies > Common Object > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings

Scan process memory for malware

Scan process memory for malware

Back to top

Anti-Malware: Predictive Machine Learning

Predictive Machine Learning enables identification of potential malicious files.

Data collected
  • File name
  • Path
  • Signer
  • Hashes (SHA1)
Console locationPolicies > Common Objects > Other > Malware Scan Configurations > Real-Time Scan configuration > General
Console settings

Enable Predictive Machine Learning

Enable Predictive Machine Learning

Back to top

Anti-Malware: Smart Scan

This information is sent when a file scan occurs and enables Workload Security to identify malicious file hashes.

Data collectedFile hashes (CRC)
Console locationComputer or policy editor > Anti-Malware > Smart Protection > Smart Scan
Console settings

Untick Inherited check box (if it's selected) and select Off.

Smart Scan configuration

Back to top

Anti-Malware: Behavior Monitoring

The behavior monitoring feature communicates with the Global Census Server and Good File Reputation Service. This enables Workload Security to identify good file hashes and to retrieve statistical data.

Data collectedFile hashes (SHA1)
Console locationPolicies > Common Objects > Other > Malware Scan Configuration > Real-Time Scan configuration > General
Console settings
  • Detect suspicious activity and unauthorized changes (incl. ransomware)
  • Back up and restore ransomware-encrypted files

Behavior Monitoring

Back to top

Integrity Monitoring

You can configure Workload Security to automatically tag integrity monitoring events. If you select the Certified Safe Software Service option, information is sent to the Trend Micro Certified Safe Software service. Alternatively, you can select one of the other options when configuring auto tagging, or don’t enable auto-tagging.

Data collectedFile hashes (SHA1) and additional information
Console locationEvents and Reports > Integrity Monitoring Events > Auto-Tagging > New Trusted Source
Console settings

Certified Safe Software Service

Certified Safe Software Service

Back to top

Web Reputation

The web reputation module uses the Trend Micro Smart Protection Network to determine whether URLs are malicious. When Connect directly to Global Smart Protection Service is selected, URLs are sent to Trend Micro. Alternatively, you can opt to use a locally installed Smart Protection Server. You must select one of these options to use the web reputation module. If you don’t want to use either of those options, go to the General tab and change the Web Reputation State to Off to disable the web reputation module.

Data collectedURL
Console locationComputer or Policy editor > Web Reputation > Smart Protection
Console settings

Connect directly to Global Smart Protection Service

Connect directly to Global Smart Protection Service

Back to top

Smart Feedback

Smart Feedback enables you to participate, share, and leverage Trend Micro’s global database of threat-related intelligence to rapidly identify and defend against potential threats within your unique network environment.

 
Smart Feedback is enabled by default for new customers.
 
Data collected
  • Hostname
  • IP address
  • Endpoint IP
  • URL
  • Filename/Path
  • Suspicious executables and partial file content
  • Industry
  • Country
Console locationAdministration > System Settings > Smart Feedback
Console settings

To disable Trend Micro Smart Feedback, uncheck the Enable Trend Micro Smart Feedback checkbox.

Disable Smart Feedback

Back to top

Anti-Malware: Identified (Quarantined) Files

An identified file is a file that has been found to be or to contain malware and has therefore been encrypted and moved to a special folder on the protected computer. Identified files are not sent to Workload Security  unless you specifically download them using the actions described below.

Data collectedFiles that have been identified as potential malware
Console locationEvents & Reports > Events > Anti-Malware Events > Identified Files
Console settingsThe file is sent to Workload Security only if you select it and click Download.

Back to top

Activity Monitoring

Activity Monitoring is a protection policy that enables security activity to be sent to Trend Micro XDR, providing effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks.

 
Activity Monitoring data is only sent to Trend Micro if the server has the Activity Monitoring policy assigned and state of the policy is On.
 
Data collected
  • Tenant GUID
  • Account name
  • Protection module events:
    • Anti-Malware
    • Web Reputation
    • Integrity Monitoring
    • Log Inspection
    • Intrusion Prevention
  • Process activity
  • File activity
  • Network activity
  • Registry activity (Windows only)
  • Connection activity
  • Domain query activity
  • User account activity (Windows only)
  • Modified process activity
  • Memory activity
  • Behavior Monitoring Activity
Console locationComputer or Policy editor > Activity Monitoring > General > Activity Monitoring State: On
Console settings

Activity Monitoring

Back to top

Data Center Gateway Registration

When you register a new Data Center Gateway on Workload Security, an identifiable name and optional description will be collected for future reference. The information that you provided may or may not refer to your data-center name or its location.

 
Data Center Gateway is required only for deployments that Add a VMware vCenter accounts to Cloud One Workload Security.
 
Data collected
  • Data Center Gateway Name
  • Data Center Gateway Description
Console locationSystem Settings > Data Center Gateway > New
Console settings

Add a new data center gateway

Back to top

VMware vCenter Registration

When you add a VMware vCenter account on Workload Security, the following data is stored and encrypted in order to synchronize the virtual machine data from vCenter servers.

Data collected
  • vCenter Server Address
  • vCenter Server Port
  • vCenter Credential
Console locationComputers > Add
Console settings

Add VMware vCenter

Back to top

VMware vCenter Synchronization

Workload Security periodically synchronizes the virtual machine metadata from VMware vCenter via the Data Center Gateway.  During this process the Data Center Gateway collects the following information for general product operation as well as analytics.

Data collected
  • For Data Center Gateways

    • IP addresses
    • Hostname
  • For vCenter servers

    • vCenter UUID (Moref)
    • vCenter version
    • vCenter build
    • Custom fields
  • For virtual machines

    • Name
    • Parent
    • Hardware devices
    • vApp Configs
    • vmtool status
    • IP address
    • Network config
    • Hostname
    • Parent vApp
    • Resource pool
    • Runtime power state
    • Runtime boot time
    • Runtime suspend time
    • Annotation
    • Instance uuid
    • Memory size in mb
    • Number of cpu
    • UUID
    • Custom value
  • For host systems (ESXI)

    • Name
    • Parent
    • Network configuration
    • Kernel module system
    • Kernel module patch
    • Hardware
    • Summary
    • Custom value
  • For DataCenter

    • Name
    • Parent
    • hostFolder
    • vmFolder
  • For vApp Folder

    • Name
    • Parent
    • Parent folder
  • For Compute Resource, Folder, Resource pool, Data store

    • Name
    • Parent
Console locationIP Address of the Data Center Gateway will not be displayed in the console or any customer facing location For the rest, will be shown in Computers page.
Console settings

VMware vCenter Synchronization

VMware vCenter Synchronization

VMware vCenter Synchronization

VMware vCenter Synchronization

Back to top

BIF

This feature is used to calculate the installation base and system status of Workload Security.

Data collected
  • Activation Code and GUID
  • Product version
  • Feature enabled status
  • System status
Console locationThis feature can be disabled. If you do not want this data to be collected, please go to System Settings > Advanced > Product Usage Data Collection and deselect Enable Product Usage Data Collection.
Console settings

Back to top

Premium
Internal
Partner
Rating:
Category:
SPEC
Solution Id:
000258329
Feedback
Did this article help you?

Thank you for your feedback!


*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.