Data Collection Disclosure - Trend Micro IoT Security

Trend Micro IoT Security Data Collection Notice

- Updated:
- 27 Apr 2018
- Product/Version:
- Trend Micro IoT Security 1.3
- Platform:
- N/A N/A

By installing Trend Micro IoT Security, Trend Micro will analyze, receive, and collect the following information:

General

Collected Data	Description
Email address	The email address used to log onto the management console.
Password hash	Hash for the password used to log onto the management console
Kernel header file (optional)	The header file used to integrate the Approved Applications List (AAL) into a device
Toolchain	A set of programming tools used to integrate the Trend Micro IoT Security agent into a device
Google Analytics data	Collected data that Google Analytics uses to track management console usage
TMIS configuration	TMIS configuration for devices that can be downloaded from the management console after baseline release
Device status and TMIS agent version	Status for each device and the Trend Micro IoT Security agent version information for display on the management console

Remote Attestation

Remote Attestation detects device file integrity using a challenge-response method. When you first use Trend Micro IoT Security, the device must upload a baseline of its file system to the Trend Micro IoT Security server, the baseline includes file hash, file path and directory path.

Collected Data	Description
File/Directory path and attributes	Specified files or directories for data collection
File hash	Specified hash algorithm to use. Only one type of file hash is collected by the Trend Micro IoT Security server. To stop sending file hash information to the Trend Micro IoT Security server, comment out all settings in the configuration file (located in /etc/opt/atom/baseline_rule ) for Trend Micro IoT Security agents. The following figure shows an example.

Approved Application List

The Approved Application List (AAL) intercepts system calls with Linux kernel module and provides a locked security feature in the Trend Micro IoT Security agent. This feature automatically generates a policy to match the target Linux device environment. The policy information (including file path, file hash and audit log) is sent to the Trend Micro IoT Security server.

Collected Data	Description
Executable/library path	Data displayed in detection logs on the management console
Executable/library hash
Audit log

System Vulnerability Scan

The System Vulnerability Scan feature checks for vulnerabilities related to system libraries. The Trend Micro IoT Security agent scans the system libraries in IoT devices on a daily basis.

Collected Data	Description
Library path, name, and version	Data collected by the Trend Micro IoT Security agent to enable library vulnerability scans

Hosted IPS

Hosted IPS (HIPS) provides network-based intrusion protection in the TMIS agent. This feature protects devices by detecting and blocking intrusions from network traffic (with or without encryption). The Trend Micro IoT Security agent sends the blocked attack information to the Trend Micro IoT Security server for display on the management console.

Collected Data	Description
Blocked attack information	Data sent to the Trend Micro IoT Security server for display on the management console

Network Anomaly Detection

The Network Anomaly Detection feature detects abnormal network occurrences and behaviors. A continuous learning process first defines ‘normal’ behaviors, which Trend Micro IoT Security uses to detect any unusual network occurrences, such as communication with an external server or connections to suspicious websites. Trend Micro IoT Security collects Netflow metadata to enable the Network Anomaly Detection feature.

Collected Data	Description
Network interface name	Data used for analyzing network traffic and detecting abnormal network behaviors
MAC address
Network packet metadata (in flow format)