Frequently Asked Questions (FAQs) about Apex One Vulnerability Protection

    • Updated: 19 Mar 2019
    • Product/Version: Apex One (all versions)
    • Platform: N/A
Summary

The article answers frequently asked questions about the Integrated Vulnerability Protection feature in Apex One.

Details

Apex One Vulnerability Protection uses a host-based intrusion prevention system (HIPS) to virtually patch known and unknown vulnerabilities before a patch is available or can be deployed. The Firewall feature has been removed from the policy because the Apex One agent already has built-in firewall capabilities.

Additionally, the available Intrusion Prevention rules focus on endpoint protection and form part of Apex One's comprehensive multilayer protection for endpoints.

You can take advantage of Trend Micro™ Deep Security, a comprehensive server security platform designed to protect dynamic data centers comprising physical, virtual, and cloud servers, as well as virtual desktops. It includes IPS rules designed to protect server platforms.

Trend Micro Vulnerability Protection 2.0 has more than 4,000 IPS rules, which is why the main purpose of its Recommendation Scan is to help users select the best rules to apply based on the scan result.

The Integrated Vulnerability Protection pattern in the Apex One agent has more than 200 IPS rules, selected on the basis of Trend Micro's global backend analysis to give the best recommendation for the endpoint's environment. Because the number of rules is much smaller, a Recommendation Scan is no longer needed.

Performance Priority

Performance Priority ensures protection against known vulnerability issues. It applies the essential IPS rules that we recommend, balanced against agent performance.

Security Priority

Security Priority protects against known vulnerability issues and provides enhanced protection against suspicious network activities.

Administrators can use Security Mode to maximize the security offered by Apex One Vulnerability Protection's IPS rules.

If you would like to temporarily disable or enable specific rules for endpoints, you can find them in the section shown below and change the status of a rule by selecting from the Status drop-down control.

(Screenshot: Apex One™ Vulnerability Protection rule list)

It should not affect the protection of the endpoint as a whole, because the other Apex One features cover the remaining protection areas.

It covers known vulnerabilities that are not covered by other protection modules of Apex One.

The following were removed from the IPS rules:

  • Document Scan Rules (covered by Apex One agent’s Anti-Malware Solution)
  • Web Exploit Rules (covered by Apex One agent’s Browser Exploit Solution)
  • Application Control Rules (covered by Apex One agent’s Application Control feature)

You can configure the Network Engine Settings used by the Apex One agent's network driver to further tune the Vulnerability Protection module:

(Screenshot: Apex One™ Vulnerability Protection network engine settings)

Network Engine Mode
  • Inline: Live packet streams pass directly through the Vulnerability Protection network engine. All rules are applied to the network traffic before the packets proceed up the protocol stack.
  • Tap (Detect-only): Live packet streams are replicated and diverted from the main stream.

  • ESTABLISHED Timeout: Configures how long to stay in the ESTABLISHED state before closing the connection.
  • LAST_ACK Timeout: Configures how long to stay in the LAST-ACK state before closing the connection.
  • Cold Start Timeout: Configures the amount of time to allow non-SYN packets that could belong to a connection that was established before the stateful mechanism was started.
  • UDP Timeout: Configures the maximum duration of a UDP connection.
  • Maximum TCP Connections: Configures the maximum number of simultaneous TCP connections.
  • Maximum UDP Connections: Configures the maximum number of simultaneous UDP connections.
  • Ignore Status Code: Lets you ignore certain types of events. You can specify up to three events to ignore.
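To make the interplay of these stateful settings concrete, here is a small Python model, added as an illustration and not Trend Micro's engine code: it tracks connections subject to the ESTABLISHED, LAST_ACK, Cold Start and UDP timeouts, enforces the maximum-connection limits, and shows the difference between Inline (the packet is dropped) and Tap (detect-only: the event is still recorded but the packet passes). All class and function names, the simplified TCP state handling and the packet sequence are constructed assumptions, not product behaviour.

```python
"""Toy stateful network engine illustrating the settings above.
Added example code; all names and the simplified state machine are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (protocol, source, destination)


@dataclass
class EngineSettings:
    inline: bool = True                 # True = Inline (may drop), False = Tap (detect-only)
    established_timeout: float = 3600.0 # idle seconds before an ESTABLISHED entry is dropped
    last_ack_timeout: float = 30.0      # idle seconds tolerated in LAST_ACK
    cold_start_timeout: float = 60.0    # seconds after engine start in which non-SYN packets are accepted
    udp_timeout: float = 30.0           # maximum idle time of a UDP "connection"
    max_tcp_connections: int = 2
    max_udp_connections: int = 2


@dataclass
class Conn:
    proto: str
    state: str        # "ESTABLISHED" or "LAST_ACK" (UDP entries stay "ESTABLISHED")
    last_seen: float


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    ts: float         # seconds on the engine's clock
    flags: str = ""   # TCP flag letters: S=SYN, A=ACK, F=FIN


@dataclass
class Engine:
    settings: EngineSettings
    started_at: float = 0.0
    table: Dict[Key, Conn] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def _timeout_for(self, conn: Conn) -> float:
        s = self.settings
        if conn.proto == "udp":
            return s.udp_timeout
        return s.last_ack_timeout if conn.state == "LAST_ACK" else s.established_timeout

    def _expire(self, now: float) -> None:
        # Remove entries whose idle time exceeds the timeout for their state.
        for key, conn in list(self.table.items()):
            if now - conn.last_seen > self._timeout_for(conn):
                del self.table[key]

    def _count(self, proto: str) -> int:
        return sum(1 for c in self.table.values() if c.proto == proto)

    def process(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop'. Tap mode records events but never drops."""
        self._expire(pkt.ts)
        key: Key = (pkt.proto, pkt.src, pkt.dst)
        verdict = "pass"
        conn = self.table.get(key)
        if conn is None:
            in_cold_start = (pkt.ts - self.started_at) <= self.settings.cold_start_timeout
            limit = (self.settings.max_tcp_connections if pkt.proto == "tcp"
                     else self.settings.max_udp_connections)
            if pkt.proto == "tcp" and "S" not in pkt.flags and not in_cold_start:
                # Mid-stream packet with no tracked connection after the cold-start window.
                self.events.append(f"out_of_connection {pkt.src}->{pkt.dst}")
                verdict = "drop"
            elif self._count(pkt.proto) >= limit:
                self.events.append(f"max_{pkt.proto}_connections {pkt.src}->{pkt.dst}")
                verdict = "drop"
            else:
                self.table[key] = Conn(pkt.proto, "ESTABLISHED", pkt.ts)
        else:
            conn.last_seen = pkt.ts
            if pkt.proto == "tcp":
                if "F" in pkt.flags:
                    conn.state = "LAST_ACK"          # peer is closing; shorter timeout applies
                elif conn.state == "LAST_ACK" and "A" in pkt.flags:
                    del self.table[key]              # final ACK closes the connection
        if verdict == "drop" and not self.settings.inline:
            return "pass"                            # Tap: detect-only
        return verdict


def run_demo(inline: bool = True) -> dict:
    """Constructed packet sequence exercising each setting (sample data, not captured traffic)."""
    eng = Engine(EngineSettings(inline=inline))
    packets = [
        Packet("tcp", "10.0.0.5", "10.0.0.9:443", ts=10, flags="A"),    # mid-stream during cold start: accepted
        Packet("tcp", "10.0.0.6", "10.0.0.9:443", ts=100, flags="S"),   # new SYN: second tracked TCP flow
        Packet("tcp", "10.0.0.7", "10.0.0.9:443", ts=101, flags="S"),   # third TCP flow: over max_tcp_connections
        Packet("tcp", "10.0.0.8", "10.0.0.9:443", ts=102, flags="A"),   # mid-stream after cold start: out of connection
        Packet("udp", "10.0.0.5", "10.0.0.53:53", ts=103),              # UDP flow created
        Packet("tcp", "10.0.0.6", "10.0.0.9:443", ts=104, flags="FA"),  # FIN: moves to LAST_ACK
        Packet("tcp", "10.0.0.6", "10.0.0.9:443", ts=105, flags="A"),   # final ACK: entry removed
        Packet("udp", "10.0.0.5", "10.0.0.53:53", ts=140),              # idle > udp_timeout: expired, re-created
    ]
    verdicts = [eng.process(p) for p in packets]
    return {"verdicts": verdicts, "events": list(eng.events), "open_connections": len(eng.table)}


if __name__ == "__main__":
    print(run_demo(inline=True))
    print(run_demo(inline=False))
```

Running the demo in Inline mode drops the third TCP flow and the out-of-connection ACK; in Tap mode the same two events are recorded but every packet passes, which is the practical difference between the two modes when you are evaluating a rule set before enforcing it.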
Advanced Logging Policy

Lets you select from the following settings:

  • Bypass: No filtering of events. Overrides the Ignore Status Code setting (above) and other advanced settings, but does not override logging settings defined on the Apex One server.
  • Default: Switches to Tap Mode if the engine is in Tap Mode, and to Normal if the engine is in Inline Mode.
  • Normal: All events are logged except dropped retransmits.
  • Backwards Compatibility Mode: For support use only.
  • Verbose Mode: Same as Normal, but including dropped retransmits.
  • Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, unsolicited UDP, unsolicited ICMP, and out of allowed policy events.
  • Stateful, Normalization, and Frag Suppression: Ignores everything that Stateful and Normalization Suppression ignores, as well as events related to fragmentation.
  • Stateful, Frag, and Verifier Suppression: Ignores everything that Stateful, Normalization, and Frag Suppression ignores, as well as verifier-related events.
  • Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, max ack retransmit, and packet on closed connection events.

The patterns are updated weekly; depending on the urgency of a vulnerability, a pattern may be released more often.

They can coexist, but be sure to turn off the Apex One Vulnerability Protection Service. Additionally, when the Apex One Vulnerability Protection policy is installed, it automatically uninstalls the Trend Micro Vulnerability Protection 2.0 agent if one exists.

The Apex One Vulnerability Protection Service is triggered and a detection log is generated that can be queried from Apex Central, but the end user does not get a detection notification on the endpoint machine.

Category:
Configure; Troubleshoot
Solution Id:
1122213