Configuring the Advanced Threat Scanning Engine (ATSE) in InterScan Web Security Virtual Appliance (IWSVA)

    • Updated: 21 Jul 2016
    • Product/Version: InterScan Web Security Virtual Appliance 6.0; InterScan Web Security Virtual Appliance 6.5
    • Platform: N/A
Summary

You want to know how to configure ATSE when it is not used in combination with Deep Discovery Analyzer (DDAN) to avoid false positive detections.

Details

ATSE uses heuristic methods to determine whether a file is suspicious, so false positive detections are possible. ATSE is most effective when combined with DDAN: IWSVA can then send files flagged as suspicious to DDAN to confirm whether they are malicious. Without DDAN integration, the benefit of using ATSE is reduced.

When using ATSE without DDAN, we recommend setting the ATSE action to "Monitor" rather than "Block" for suspicious files. A notification is then sent whenever ATSE flags a file as suspicious, and the file can be investigated further. ATSE detections can be recognized by the virus name, which always starts with "EXPL_" or "HEUR_".
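To show how the "Monitor" workflow plays out in practice, here is an added example (not Trend Micro code) that triages a batch of scan notifications: records whose virus name starts with "EXPL_" or "HEUR_" are separated out as ATSE detections that need a human look, and repeated names are counted so the most likely false positives surface first. The whitespace-separated record layout is constructed for illustration and is not the real IWSVA log format.

```python
"""Triage IWSVA virus-scan notifications when ATSE runs in "Monitor" mode.

Added example; this is not Trend Micro code and the record layout below is
constructed for illustration, not the real IWSVA notification/log format.
The only fact taken from the article is that ATSE detections carry virus
names beginning with "EXPL_" or "HEUR_".
"""
from collections import Counter
from typing import Dict, List

# Prefixes that identify ATSE (heuristic/exploit) detections.
ATSE_PREFIXES = ("EXPL_", "HEUR_")

# Constructed sample records: timestamp, client IP, URL, virus name, action.
SAMPLE_RECORDS = """\
2016-07-21 09:12:03 10.0.0.15 http://intranet.example/report.pdf HEUR_PDFEXP.A monitor
2016-07-21 09:12:40 10.0.0.22 http://download.example/setup.exe TROJ_SAMPLE.A block
2016-07-21 09:13:11 10.0.0.15 http://intranet.example/invoice.doc EXPL_DOCEXP.B monitor
2016-07-21 09:14:02 10.0.0.31 http://cdn.example/app.js JS_SAMPLE.C block
2016-07-21 09:15:27 10.0.0.22 http://intranet.example/report.pdf HEUR_PDFEXP.A monitor
"""


def is_atse_detection(virus_name: str) -> bool:
    """True when the virus name marks an ATSE heuristic/exploit detection."""
    return virus_name.startswith(ATSE_PREFIXES)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse the constructed whitespace-separated record layout."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, url, virus, action = line.split()
        records.append({"time": f"{date} {time}", "client": client,
                        "url": url, "virus": virus, "action": action})
    return records


def triage(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Split records into ATSE detections (to investigate) and signature hits."""
    buckets: Dict[str, List[Dict[str, str]]] = {"atse": [], "signature": []}
    for rec in parse_records(text):
        bucket = "atse" if is_atse_detection(rec["virus"]) else "signature"
        buckets[bucket].append(rec)
    return buckets


def atse_summary(text: str) -> Dict[str, int]:
    """Count ATSE detections per virus name; a name that recurs across several
    clients and URLs is the first candidate for a false-positive check."""
    return dict(Counter(r["virus"] for r in triage(text)["atse"]))


if __name__ == "__main__":
    for rec in triage(SAMPLE_RECORDS)["atse"]:
        print(f'{rec["time"]} {rec["client"]} {rec["virus"]} -> investigate ({rec["url"]})')
    print(atse_summary(SAMPLE_RECORDS))
```

The prefix check is case-sensitive on purpose, since the article states the names always begin with the upper-case prefixes; signature-based names such as the constructed TROJ_SAMPLE.A fall through to the "signature" bucket and are not treated as heuristic candidates.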

To set ATSE to "Monitor":

  1. On the IWSVA web console, go to HTTP > Advanced Threat Protection > Policies > Virus Scan Global Policy > Virus/Malware Scan Rule.
  2. Under the Advanced Threat Scan section, select Monitor on the Exploits Scan Action dropdown menu.

    [Screenshot: Exploits Scan Action set to "Monitor"]

IWSVA also offers the option to tweak the aggressiveness level of ATSE to reduce the number of false positive detections. To do this, it is necessary to edit the configuration file /var/iwss/intscan.ini as described in the KB article Editing configuration files of Linux-based products.

To tweak the level of aggressiveness of ATSE, you need to change the value of the parameter "atse_aggressive_level".

The following table describes the levels you can set:

    Value   Description
    -1      IWSVA will not set the ATSE aggressive level.
    0       Disable all ATSE rules.
    1       Very high confidence (very conservative): only CVE detections.
    2       High confidence (conservative): with some HEUR rules.
    3       Low confidence (aggressive): with most HEUR rules.
            Even include PoC rules (very aggressive): with all rules.
The Advanced Threat Scanning Engine (ATSE) has its own default setting, which is level 3 (aggressive). With the default value of "-1", IWSVA simply accepts the level set in the ATSE module itself. To set the level for ATSE from IWSVA, change the parameter atse_aggressive_level from "-1" to the level you want.
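As an added example (not Trend Micro code) of the edit described above, the script below changes atse_aggressive_level in an intscan.ini-style file without touching any other line, keeps a backup of the original, and reports the level ATSE will actually run at. The article names the file and the parameter but not the INI section the key lives in, so the code rewrites the key wherever it occurs; the [scan] section in the sample text is constructed for illustration, and the numbering of the two table rows the article leaves unnumbered is assumed to be 1 and 4.

```python
"""Change atse_aggressive_level in an intscan.ini-style file.

Added example; this is not Trend Micro code. The article names the file
/var/iwss/intscan.ini and the parameter atse_aggressive_level but not the
INI section the key lives in, so the code rewrites the key wherever it occurs
and leaves every other line untouched. The [scan] section in the sample below
is constructed for illustration.
"""
import re
import shutil
from pathlib import Path
from typing import Optional, Tuple

KEY = "atse_aggressive_level"
# Level 3 is the engine's own default, which applies while the key is -1.
ATSE_BUILTIN_DEFAULT = 3
# -1, 0, 2 and 3 are listed in the article; 1 and 4 are assumed to be the
# numbering of the two remaining table rows.
VALID_LEVELS = {-1, 0, 1, 2, 3, 4}

# Matches "<indent>atse_aggressive_level = <value>" and captures the pieces we keep.
_KEY_LINE = re.compile(rf"^(\s*){KEY}(\s*=\s*)(\S*)\s*$")

# Constructed sample; the section name is an assumption, not the real layout.
SAMPLE_INI = """\
[scan]
; constructed sample, not the real intscan.ini
atse_aggressive_level=-1
other_setting=yes
"""


def get_aggressive_level(ini_text: str) -> Optional[int]:
    """Return the configured level, or None if the key is absent or not numeric."""
    for line in ini_text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            try:
                return int(m.group(3))
            except ValueError:
                return None
    return None


def effective_level(configured: Optional[int]) -> int:
    """Level ATSE actually runs at: -1 (or no key) defers to the engine default."""
    if configured is None or configured == -1:
        return ATSE_BUILTIN_DEFAULT
    return configured


def set_aggressive_level(ini_text: str, level: int) -> Tuple[str, int]:
    """Rewrite every atse_aggressive_level line; return (new_text, lines_changed)."""
    if level not in VALID_LEVELS:
        raise ValueError(f"{KEY} must be one of {sorted(VALID_LEVELS)}, got {level}")
    out, changed = [], 0
    for line in ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # preserve the file's line endings
        m = _KEY_LINE.match(body)
        if m:
            out.append(f"{m.group(1)}{KEY}{m.group(2)}{level}{eol}")
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def update_ini_file(path: str, level: int) -> int:
    """Back up the file to <path>.bak and write the new level; returns lines changed."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new_text, changed = set_aggressive_level(p.read_text(), level)
    if changed == 0:
        raise RuntimeError(f"{KEY} not found in {path}; add it under the correct section")
    p.write_text(new_text)
    return changed


if __name__ == "__main__":
    configured = get_aggressive_level(SAMPLE_INI)
    print("configured:", configured, "effective:", effective_level(configured))
    text, n = set_aggressive_level(SAMPLE_INI, 2)
    print(f"{n} line(s) changed; new effective level {effective_level(get_aggressive_level(text))}")
```

Run update_ini_file("/var/iwss/intscan.ini", 2) on the appliance to move from the engine default (3, aggressive) to the conservative level 2; the .bak copy lets you revert if detections drop too far.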
Category: Configure; Troubleshoot; Remove a Malware / Virus
Solution Id: 1114550