This article answers frequently asked questions about the Integrated Vulnerability Protection feature in Apex One.
Apex One Vulnerability Protection uses a host-based intrusion prevention system (HIPS) to virtually patch known and unknown vulnerabilities before a patch is available or deployable. The Firewall feature has also been removed from the Policy as the Apex One agent already has built-in Firewall capabilities.
Additionally, the available Intrusion Prevention rules focus on endpoint protection and form part of Apex One's comprehensive multilayer protection for endpoints.
For server protection you can use Trend Micro™ Deep Security, a comprehensive server security platform designed to protect dynamic data centers comprising physical, virtual, and cloud servers, as well as virtual desktops. It also includes IPS rules designed to protect server platforms.
Trend Micro Vulnerability Protection 2.0 has more than 4000 IPS rules, which is why the main purpose of Recommendation Scan is to help users select the best rules to apply based on the scan result.
The Integrated Vulnerability Protection pattern in the Apex One agent has more than 200 IPS rules, selected on the basis of Trend Micro's global backend analysis, which determines the best recommendation for the endpoint's environment. Because the number of rules has been reduced, Recommendation Scan is no longer needed.
Recommended Scanning ensures protection against known vulnerability issues. It contains the essential IPS rules we recommend applying, chosen with agent performance in mind.
Aggressive Scanning protects against known vulnerability issues and provides enhanced protection against suspicious network activities.
Administrators should use Recommended Scanning, as it contains the IPS rules that use network packet inspection to cover known OS platform vulnerabilities.
Removing these rules should not affect the protection of the endpoint as a whole, because the other Apex One features cover the remaining protection areas.
It covers known vulnerabilities that are not covered by other protection modules of Apex One.
The following were removed from the IPS rules:
- Document Scan Rules (covered by Apex One agent’s Anti-Malware Solution)
- Web Exploit Rules (covered by Apex One agent’s Browser Exploit Solution)
- Application Control Rules (covered by Apex One agent’s Application Control feature)
You can configure the Network Engine Settings, which are used by the Apex One agent's network driver, to further tune the Vulnerability Protection module:

| Setting | Description |
|---|---|
| Network Engine Mode | |
| ESTABLISHED Timeout | Configures how long to stay in the ESTABLISHED state before closing the connection. |
| LAST_ACK Timeout | Configures how long to stay in the LAST_ACK state before closing the connection. |
| Cold Start Timeout | Configures the amount of time to allow non-SYN packets that could belong to a connection that was established before the stateful mechanism was started. |
| UDP Timeout | Configures the maximum duration of a UDP connection. |
| Maximum TCP Connections | Configures the maximum number of simultaneous TCP connections. |
| Maximum UDP Connections | Configures the maximum number of simultaneous UDP connections. |
| Ignore Status Code | Lets you ignore certain types of events. You can specify up to three events to ignore. |
| Advanced Logging Policy | Lets you select from the following settings: |
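To make the timeout and connection-limit settings in the table concrete, the following toy stateful tracker shows how such an engine decides whether a packet belongs to a tracked flow. This is an added example written for this article, not Trend Micro code, and it does not model the product's engine; the class names, the default values and the packet trace are all constructed for the demonstration. It illustrates in particular the Cold Start Timeout: for a short window after start-up, non-SYN packets with no recorded state are adopted rather than dropped, so connections that predate the engine are not broken.

```python
"""Toy stateful network engine (added example, not product code).
Default values below are constructed for the demo, not Apex One defaults."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

ESTABLISHED, LAST_ACK = "ESTABLISHED", "LAST_ACK"
Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


@dataclass
class EngineSettings:
    established_timeout: float = 3600.0  # seconds an idle TCP flow stays ESTABLISHED
    last_ack_timeout: float = 30.0       # seconds to wait in LAST_ACK after a FIN
    cold_start_timeout: float = 60.0     # window after start-up that adopts non-SYN packets
    udp_timeout: float = 60.0            # maximum idle life of a UDP "connection"
    max_tcp_connections: int = 2         # tiny limits so the demo can hit them
    max_udp_connections: int = 2


@dataclass
class StatefulTracker:
    settings: EngineSettings
    start_time: float
    tcp: Dict[Flow, Tuple[str, float]] = field(default_factory=dict)  # flow -> (state, last seen)
    udp: Dict[Flow, float] = field(default_factory=dict)              # flow -> last seen

    def _expire(self, now: float) -> None:
        """Drop flows whose state-specific timeout has elapsed."""
        s = self.settings
        for flow, (state, seen) in list(self.tcp.items()):
            limit = s.established_timeout if state == ESTABLISHED else s.last_ack_timeout
            if now - seen > limit:
                del self.tcp[flow]
        for flow, seen in list(self.udp.items()):
            if now - seen > s.udp_timeout:
                del self.udp[flow]

    def handle(self, now: float, proto: str, flow: Flow, flags: Tuple[str, ...] = ()) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet; verdict is 'allow' or 'drop'."""
        self._expire(now)
        s = self.settings
        if proto == "udp":
            if flow in self.udp or len(self.udp) < s.max_udp_connections:
                self.udp[flow] = now
                return "allow", "udp-flow"
            return "drop", "udp-limit"
        # TCP: packets of a known flow refresh it; FIN moves it to LAST_ACK.
        if flow in self.tcp:
            state = LAST_ACK if "FIN" in flags else self.tcp[flow][0]
            self.tcp[flow] = (state, now)
            return "allow", state.lower()
        if len(self.tcp) >= s.max_tcp_connections:
            return "drop", "tcp-limit"
        if "SYN" in flags:
            self.tcp[flow] = (ESTABLISHED, now)  # simplification: SYN starts the tracked flow
            return "allow", "new-tcp"
        if now - self.start_time <= s.cold_start_timeout:
            # No state for a mid-stream packet shortly after start-up: assume the
            # connection predates the engine and adopt it instead of breaking it.
            self.tcp[flow] = (ESTABLISHED, now)
            return "allow", "cold-start"
        return "drop", "no-state"


def demo():
    """Run a constructed packet trace and return the per-packet reasons."""
    t = StatefulTracker(EngineSettings(), start_time=0.0)
    a = ("10.0.0.5", 50000, "10.0.0.9", 443)  # constructed flows
    b = ("10.0.0.5", 50001, "10.0.0.9", 443)
    c = ("10.0.0.5", 50002, "10.0.0.9", 443)
    u1, u2, u3 = [("10.0.0.5", p, "10.0.0.53", 53) for p in (40000, 40001, 40002)]
    trace = [
        (10, "tcp", a, ("ACK",)),        # mid-stream packet inside cold-start window -> adopted
        (20, "tcp", b, ("SYN",)),        # new connection
        (25, "tcp", c, ("SYN",)),        # third flow exceeds max_tcp_connections
        (30, "tcp", b, ("FIN", "ACK")),  # b enters LAST_ACK
        (70, "tcp", b, ("ACK",)),        # LAST_ACK timed out, cold start over -> no state
        (80, "tcp", c, ("SYN",)),        # room again after b expired
        (90, "udp", u1, ()),
        (95, "udp", u2, ()),
        (100, "udp", u3, ()),            # exceeds max_udp_connections
        (200, "udp", u3, ()),            # u1/u2 idle past udp_timeout -> room again
    ]
    return [t.handle(*pkt)[1] for pkt in trace]


if __name__ == "__main__":
    print(demo())
```

The trace shows why each setting matters on an endpoint whose network state changes often: too short an ESTABLISHED or UDP timeout silently drops long-lived idle sessions, too long a cold-start window lets unsolicited mid-stream packets create state, and the connection limits bound the memory the engine can be made to hold.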
The patterns are updated weekly. Depending on the urgency of a vulnerability, a pattern may be released more often.
They can co-exist, but be sure to turn off the Apex One Vulnerability Protection Service. Additionally, when the Apex One Vulnerability Protection Policy is deployed, it automatically uninstalls the Trend Micro Vulnerability Protection 2.0 agent if one is present.
The Apex One Vulnerability Protection Service is triggered and a detection log is generated that can be queried from Apex Central, but the end user does not receive a detection notification on the endpoint machine.
Vulnerability Protection 2.0 (On-Premise) was designed to protect legacy business applications running on legacy operating systems, where the applications have a platform or OS patch compatibility problem. Normally, those machines are set up in a fixed location or with fixed source/destination port communication to mitigate the security risk to the system. It is more of a server security approach.
The Apex One Integrated Vulnerability Protection feature was redesigned to fit enterprise endpoint/desktop protection. Endpoints have a diverse set of applications installed by users for different business purposes, and they also connect to dynamic network segments whose network state changes.
You are required to access Apex One Server console by SSO for Firewall configuration as of July 2019. There is a plan to bring the Firewall configuration page to the Apex Central policy page in the near future.
The granular configuration options in TMVP came from Deep Security, which was designed for managing servers. Administrators are required to understand which applications and network connections are legitimate for the endpoint. Integrated Vulnerability Protection (Apex One) rules simply follow a pattern update approach with zero rule-tuning effort, and give endpoint administrators granular control to disable individual rules for mitigation:
- Disable/enable an individual rule for false-positive (FP) mitigation control.
- Switch the Integrated Vulnerability Protection engine to "Tap mode". This makes all active rules "Detect only".
- For rule quality issues, you can contact Trend Micro Technical Support for rule tuning and updates.
The ruleset's major difference compared to Vulnerability Protection 2.0 (On-Premise) is the removal of the Web Client Exploit related rules. More than 80% of client web traffic goes over HTTPS, and these rules have zero value on endpoints because the agent never has the private key for the endpoint's HTTPS connections and so cannot inspect them.
Aggressive Scanning mode is not recommended for all agents. You can enable this mode on a few agents with suspicious network activity for further investigation (e.g., machines flagged as suspicious by an EDR investigation). Enabling Aggressive Scanning mode on all machines causes the agents to send a large number of detections to the Apex One server, which might cause server performance issues.