Enabling ATSE Macro Threat Detection feature in InterScan Messaging Virtual Appliance (IMSVA)

    • Updated: 1 Jul 2015
    • Product/Version:
        • InterScan Messaging Security Virtual Appliance 8.2
        • InterScan Messaging Security Virtual Appliance 8.5
        • InterScan Messaging Security Virtual Appliance 9.0
    • Platform: CentOS 6 64-bit
Summary

IMSVA with ATSE 9.826.1078 or later supports the macro threat detection feature.

ATSE's macro threat detection feature is not enabled by default; an administrator can turn it on manually.

IMSVA 8.2 with Critical Patch 1771 applied supports this feature.

IMSVA 8.5 with Critical Patch 1635 applied supports this feature.

Any build of IMSVA 9.0 supports this feature.

Details

ATSE's macro threat detection feature is not enabled by default. An administrator can activate it manually using either of the following options:

Option 1: If the IMSVA is registered to DDAN and the administrator wants to detect macro threats, the ATSE aggressive level can be changed to 4 (the default level is 3).

  1. Connect to the IMSVA database using the command:

    # /opt/trend/imss/PostgreSQL/bin/psql imss sa

  2. Execute the following SQL statement to set the ATSE aggressive level to 4:

    update tb_global_setting set value = '4' where name = 'detection_aggressive_level';

    *****************

    The SQL command and its output look like this:

    imss=# update tb_global_setting set value = '4' where name = 'detection_aggressive_level';
    UPDATE 1
    imss=# \q

    *****************

  3. Restart the scanning service to apply the change using the command:

    # S99IMSS restart

When the aggressive level is set to 4, the ATSE false positive rate will increase. For an IMSVA that is not integrated with DDAN, setting the aggressive level to 4 is not recommended.

Option 2: The administrator can also configure a hidden key to enable the new macro heuristic rules when the aggressive level is 3:

  1. Connect to the IMSVA database using the command:

    # /opt/trend/imss/PostgreSQL/bin/psql imss sa

  2. Execute the following SQL statement to set the hidden key:

    insert into tb_global_setting values('general', 'rules_included', 'HEUR_VBA.O1;HEUR_VBA.O2;HEUR_VBA.D;HEUR_VBA.E;HEUR_VBA.E2;HEUR_VBA.E3', 'imss.ini', NULL);

    *******************

    The SQL command and its output look like this:

    imss=# insert into tb_global_setting values('general', 'rules_included', 'HEUR_VBA.O1;HEUR_VBA.O2;HEUR_VBA.D;HEUR_VBA.E;HEUR_VBA.E2;HEUR_VBA.E3', 'imss.ini', NULL);
    INSERT 0 1
    imss=# \q

    *******************

    You may copy and paste the SQL statement above.

  3. Restart the scanning service to apply the change using the command:

    # S99IMSS restart


For an IMSVA without DDAN integration, Option 2 is the suggested way to enable this feature.
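
The following psql session is an added example, not part of the original Trend Micro article: it records the stored settings before a change, applies the hidden key in a way that can be re-run without inserting a second row, and shows how to revert both settings. It assumes that the second positional value in the article's INSERT ('rules_included') is stored in the same `name` column that the article's UPDATE filters on.

```sql
-- Added example; run inside: /opt/trend/imss/PostgreSQL/bin/psql imss sa
-- Assumption: 'rules_included' is stored in the "name" column, the same
-- column the article's UPDATE statement uses in its WHERE clause.

-- 1. Record the current state before changing anything.
select * from tb_global_setting
 where name in ('detection_aggressive_level', 'rules_included');

-- 2. Option 2 (hidden key), guarded so a repeated run adds no second row.
begin;
insert into tb_global_setting
select 'general', 'rules_included',
       'HEUR_VBA.O1;HEUR_VBA.O2;HEUR_VBA.D;HEUR_VBA.E;HEUR_VBA.E2;HEUR_VBA.E3',
       'imss.ini', NULL
 where not exists (select 1 from tb_global_setting
                    where name = 'rules_included');
-- Inspect the row; type "rollback;" instead of "commit;" if it looks wrong.
select * from tb_global_setting where name = 'rules_included';
commit;

-- 3. REVERT ONLY: run these statements when undoing the change, for
--    example if the false positive rate rises. The article gives 3 as the
--    default aggressive level.
update tb_global_setting set value = '3'
 where name = 'detection_aggressive_level';
delete from tb_global_setting where name = 'rules_included';
```

As with the article's own steps, restart the scanning service with `S99IMSS restart` after committing or reverting so the change takes effect.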
Category: Configure; Troubleshoot; Deploy; Upgrade; Remove a Malware / Virus
Solution Id: 1110914