Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Frequently Asked Questions (FAQs) about Apex One Vulnerability Protection

    • Updated:
    • 20 May 2021
    • Product/Version:
    • Apex One 2019
    • Apex One as a Service
    • Platform:
    • N/A N/A

The article answers frequently asked questions about the Vulnerability Protection feature in Apex One.


Apex One Vulnerability Protection uses a host-based intrusion prevention system (HIPS) to virtually patch known and unknown vulnerabilities before a patch is available or deployable. The Firewall feature has also been removed from the Policy as the Apex One agent already has built-in Firewall capabilities.

Additionally, the Intrusion Prevention rules available will focus on Endpoint Solution and it is part of a comprehensive multilayer protection of Apex One to protect Endpoints.

You can take advantage of Trend Micro™ Deep Security, which is a comprehensive server security platform designed to protect dynamic data centers comprising of physical, virtual, and cloud servers, as well as virtual desktops. It also consists of IPS rules designed to protect server platforms.

Trend Micro Vulnerability Protection 2.0 has over 4000+ IPS rules, which is why the major purpose of Recommendation Scan is to help user select the best rules to apply based on the result.

The Vulnerability Protection pattern in Apex One agent has over 200+ IPS rules, which is based on Trend Micro’s global backend analysis, that makes the best recommendation for the endpoint’s environment to apply. The number of rules has reduced, therefore using Recommendation Scan is no longer needed.

Recommended Scanning

Recommended Scanning ensures protection against known vulnerabilities. It has the essential IPS rules recommended by Trend Micro for optimal protection and agent performance.

Aggressive Scanning

Aggressive Scanning protects against known vulnerability issues and provides enhanced protection against suspicious network activities.

Administrators should use Recommended scanning as this has the IPS rules that use network packet inspection to cover known OS platform vulnerabilities.

If you would like to temporary disable/enable some specific rules for endpoints, you can find it in the section shown below and modify the status of a rule by selecting from the Status drop-down control.

This image is not available because: You don’t have the privileges to see it, or it has been removed from the system

It should not affect the protection of the endpoint as a whole because the other features of Apex One cover other features.

It covers known vulnerabilities that are not covered by other protection modules of Apex One.

The following were removed from the IPS rules:

  • Document Scan Rules (covered by Apex One agent’s Anti-Malware Solution)
  • Web Exploit Rules (covered by Apex One agent’s Browser Exploit Solution)
  • Application Control Rules (covered by Apex One agent’s Application Control feature)

You can select Network Engine Settings, which is used by the Apex One agent’s network driver to further configure their Vulnerability Protection module:

Apex One™ VP

Network Engine Mode
  • Inline: Live packet streams pass directly through the Vulnerability Protection network engine. All rules are applied to the network traffic before the packets proceed up the protocol stack.
  • Tap (Detect-only): Live packet streams are replicated and diverted from the main stream.
ESTABLISHED TimeoutConfigure how long to stay in the ESTABLISHED state before closing the connection.
LAST_ACK TimeoutConfigures how long to stay in the LAST-ACK state before closing the connection.
Cold Start TimeoutConfigures the amount of time to allow non-SYN packets that could belong to a connection that was established before the stateful mechanism was started.
UDP TimeoutConfigures the maximum duration of a UDP connection.
Maximum TCP ConnectionsConfigures the maximum simultaneous TCP Connections.
Maximum UDP ConnectionsConfigures maximum simultaneous UDP Connections.
Ignore Status CodeThis option lets you ignore certain types of Events. You can specify up to three Events to ignore.
Advanced Logging Policy

Lets you select from the following settings:

  • Bypass: No filtering of Events. Overrides the Ignore Status Code settings (above) and other advanced settings, but does not override logging settings defined on the Apex One server.
  • Default: Will switch to Tap Mode if the engine is in Tap Mode, and will switch to Normal if the engine is in Inline Mode.
  • Normal: All Events are logged except dropped retransmits
  • Backwards Compatibility Mode: For support use only
  • Verbose Mode: Same as Normal but including dropped retransmits.
  • Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, unsolicited udp, unsolicited ICMP, out of allowed policy.
  • Stateful, Normalization, and Frag Suppression: Ignores everything that Stateful and Normalization Suppression ignores as well as events related to fragmentation.
  • Stateful, Frag, and Verifier Suppression: Ignores everything Stateful, Normalization, and Frag Suppression ignores as well as verifier-related events.
  • Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, max ack retransmit, packet on closed connection.

The patterns are updated on a weekly basis. It also depends on the urgency of the vulnerability whether the pattern is released more often.

They can co-exist, but be sure to turn off the Apex One Vulnerability Protection Service. Additionally, when the Apex One Vulnerability Protection Policy is installed, it will uninstall the Trend Micro Vulnerability Protection 2.0 agent automatically when it exists.

Apex One Vulnerability Protection Service is triggered and a detection log will be generated and can be queried from Apex Central, but the end user won’t get a detection notification on the endpoint machine.

Vulnerability Protection 2.0 (On-Premise) was designed to protect legacy business applications running on legacy operating systems due to applications that have a platform or OS patch compatibility problem. Normally, those machine are set up in fix location or fix source/destination port communication to mitigate the security risk to the system. It’s more like Server security approach.

Apex One Vulnerablity Protection feature was re-designed to fit enterprise endpoints/desktops protection. Endpoints have the diversity of applications installed with different business purpose by users and also connects to dynamic network segments with network state changes.

You are required to access Apex One Server console by SSO for Firewall configuration as of July 2019. There is a plan to bring the Firewall configuration page to the Apex Central policy page in the near future.

The granularity configurations from TMVP came from Deep Security designed to manage server approach. Administrators are required to understand what application and network connectivity are good to interact with the endpoint. Apex One Vulnerability Protection (Apex One) rules simply go for pattern update approach with zero rule turning efforts and gives endpoint administrators granularity control to disable individual rule for mitigation control.

  • Disable/Enable individual rule for FP mitigation control.
  • Turn Vulnerabiliy Protection Engine to "Tap mode". This will make all working rules "Detect only".
  • For rule quality issues, you can contact Trend Micro Technical Support for rules turning and update.

The ruleset's major difference compared to Vulnerability Protection 2.0 (On-Premise) is the removal of Web Client Exploit related rules. Since more than 80% of the client web traffic go for HTTPS and these rules have zero value on the endpoints, they will never have the private key for connections on endpoints for HTTPS inspection.

The Aggressive Scanning mode is not recommended to be enabled for all agents. You can enable this mode on a few agents with suspicious network activities for further investigation. (e.g. those machines being suspected based on EDR investigation). Enabling the Aggressive Scanning mode on all machines will cause the agents to send a lot of detections to the Apex One server. This might cause server performance issues.

Configure; Deploy
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

Related Articles