Recommended Security Settings to Prevent Threats - Worry-Free Business Security Services

EXPAND ALL

Recommended Global Security Settings

Configure the following under Policies > Global Security Agent Settings.

Security Settings tab

Under General Scan, enable the following:
- Enable deferred scanning on file operations
  
  Enabling this feature significantly improves performance, but may introduce a slight security risk
- Exclude the Microsoft Exchange Server 2003 folders
- Exclude the Microsoft domain controller folders (Not applicable to manual and scheduled spyware/grayware scans)
- Exclude Shadow Copy sections
- Resume a missed scheduled scan at the same time next day
Under Virus Scan, enable the following:
- Configure Scan Settings for large compressed files (Keep the default settings for compressed files)
- Clean compressed files
- Scan up to ____¬OLE layer(s) (Keep the default settings)
- Add Manual Scan to the Windows shortcut menu on clients
Under Spyware/Grayware Scan, enable the following:
- Scan for cookies
- Add cookie detections to the Spyware log
Under Behavior Monitoring, enable the following:
- Enable warning messages for low-risk changes or other monitored actions
- Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded)
Under HTTPS Web Threat Protection, enable the following:
- Enable HTTPS checking for Web Reputation and URL Filtering on Chrome and Microsoft Edge
- Display a notification above the Security Agent icon when an update to the feature requires users to restart Chrome

Agent Control tab

Under Watchdog, tick the Enable the Security Agent Watchdog service and keep the default agent status checking time interval.
Under Uninstallation, make sure to select Require users to provide a password to uninstall the Security Agent.
Under Exit / Unlock, enable Require a password to exit the Security Agent or unlock advanced settings to prevent end users from disabling the security agent in the workstations.

Recommended Security Settings for Server OS

Under Security Agents, select Manual Groups > Server (Default) group and then configure policy.

Scan Method

The recommended scan method is Smart Scan, to lessen the bandwidth consumption, storage consumption, and network traffic.

Scan Settings

Under Real-Time Scan, toggle the slide to enable it.
Click Configure Settings.
Under Target tab, choose File types scanned by IntelliScan.
Under Advanced Settings, tick the following:
- Enable IntelliTrap
- Scan compressed files (keep the default value of two (2) Maximum Layers)
Enabling other settings may cause performance issues on servers.

Behavior Monitoring

Toggle the slide to enable Behavior Monitoring.
Configure Behavior Monitoring using the procedure in this article: Enabling ransomware protection for Worry-Free Business Security Services (WFBS-SVC).

Predictive Machine Learning

Enabling Predictive Machine Learning for Servers is not recommended especially for file servers as it may result in false positive detections specifically for internally developed application.

Web Reputation

Toggle the slide to enable Web Reputation.
Under Security Level, choose Medium, which is recommended for Web Reputation Service.
Under Browser Exploit Prevention, enable Block websites containing malicious script.

Device Control

It is recommended to enable the Block the autorun function on USB storage devices option.

URL Filtering

Toggle the slide to enable URL Filtering.
Set the Filter Strength to Medium.
For Servers, click All days (24x7) under Business Hours.

Agent Privileges

Navigate to Privileges and Other Settings > Other Settings.
Enable Prevent users or other processes from modifying Trend Micro program files, registries and processes.

Recommended Settings for Client OS

Under Security Agents, select Manual Groups > Device (Default) group and then configure policy.

Scan Method

The recommended scan method is Smart Scan, to lessen the bandwidth consumption, storage consumption, and network traffic.

Scan Settings

Under Real-Time Scan, toggle the slide to enable it.
Click Configure Settings.
Under Target tab, choose File types scanned by IntelliScan.
Under Advanced Settings, tick the following:
- Enable IntelliTrap
- Scan compressed files (keep the default value of two (2) Maximum Layers)
Enabling other settings may cause performance issues on servers.

Behavior Monitoring

Toggle the slide to enable Behavior Monitoring.
Configure Behavior Monitoring using the procedure in this article: Enabling ransomware protection for Worry-Free Business Security Services (WFBS-SVC).

Predictive Machine Learning

Toggle the slide to enable Predictive Machine Learning. For detailed instruction on how to configure Predictive Machine Learning, refer to this article: Enabling ransomware protection for Worry-Free Business Security Services (WFBS-SVC).

Web Reputation

Toggle the slide to enable Web Reputation.
Under Security Level, choose Medium, which is recommended for Web Reputation Service.
Under Browser Exploit Prevention, enable Block pages websites containing malicious script.

Device Control

Toggle the slide to enable Device Control.
Set the device control permission depending on your IT environment need.
Enable Block the autorun function on USB storage devices option.

URL Filtering

Toggle the slide to enable URL Filtering.
Set the Filter Strength to Medium.
All days (24x7) under Business Hours.

Application Control

Enable Application to block applications/path that is restricted on each group that you create (i.e. per department on your company). For the complete procedure in configuring the Application Control, refer to the article: Configuring Application Control in Worry-Free Business Security Services (WFBS-SVC).

Agent Privileges

Navigate to Privileges and Other Settings > Other Settings.
Enable Prevent users or other processes from modifying Trend Micro program files, registries and processes.

Additional Recommendations for Threat Prevention (Platform/OS side)

Currently, the known Microsoft vulnerability that attackers, specifically ransomware authors, are using is the MS17-010 vulnerability. Here are the update links from Microsoft to patch the said vulnerability:

For Windows OS users, Microsoft also provides Security Bulletin for documentation and download links for critical information such as patch availability, new vulnerabilities, and critical updates. You can find the lists of those vulnerabilities and updates on the following websites: