Web reputation policies dictate whether OfficeScan will block or allow access to a website. You can configure policies for internal and external agents. OfficeScan administrators typically configure a stricter policy for external agents.
Policies are granular settings in the OfficeScan agent tree. You can enforce specific policies on agent groups or individual agents. You can also enforce a single policy on all agents.
After you deploy the policies, agents use the location criteria you have set in the Endpoint Location screen (see Endpoint Location) to determine their location and the policy to apply. Agents switch policies each time the location changes.
Specify proxy server authentication credentials if you have set up a proxy server to handle HTTP communication in your organization and authentication is required before web access is allowed.
External agents can only use the proxy server settings configured in Windows Internet Options when connecting to the OfficeScan server or Smart Protection Servers. To specify proxy authentication credentials:
- Go to Administration > Settings > Proxy.
- Click the Agent tab.
- Go to the External Proxy section.
- Specify proxy authentication credentials, if required.
- Click Save.
To configure a Web Reputation Policy:
- Go to Agents > Agent Management.
- Select the targets in the agent tree.
- To configure a policy for agents running Windows desktop platforms, select the root domain icon, specific domains, or agents. When you select the root domain or specific domains, the setting will only apply to agents running Windows desktop platforms. The setting will not apply to agents running Windows Server platforms, even if they are part of the domains.
- To configure a policy for agents running Windows Server platforms, select a specific agent.
- Click Settings > Web Reputation Settings.
- Click the External Agents tab to configure a policy for external agents or the Internal Agents tab to configure a policy for internal agents. Configure agent location settings if you have not done so. Agents will use these settings to determine their location and apply the correct web reputation policy. For details, see Endpoint Location.
- Under "Enable Web Reputation on the following operating systems", select the types of Windows platforms to protect (Windows desktop platforms and Windows Server platforms).
The operating systems listed in the screen depend on the targets you selected in step 1.
Trend Micro recommends disabling web reputation for internal agents if you already use a Trend Micro product with the web reputation capability, such as InterScan Web Security Virtual Appliance.
When a web reputation policy is enabled:
- External agents send web reputation queries to the Smart Protection Network.
- Internal agents send web reputation queries to:
- Smart Protection Servers if the "Send queries to Smart Protection Servers" option is enabled. For details about this option, see step 7.
- Smart Protection Network if the "Send queries to Smart Protection Servers" option is disabled.
- Select "Enable assessment". When in assessment mode, OfficeScan agents allow access to all websites. For any accessed website that violates the configured Security Level setting, the OfficeScan agent logs the event. Assessment mode allows you to monitor website access and evaluate the safety of websites before actively blocking user access. Based on your evaluation of the access logs, you can add trusted websites to the Approved URL List before disabling assessment mode.
- Select "Check HTTPS URLs".
HTTPS communication uses certificates to identify web servers. It encrypts data to prevent theft and eavesdropping. Although more secure, accessing websites using HTTPS still has risks. Compromised sites, even those with valid certificates, can host malware and steal personal information. In addition, certificates are relatively easy to obtain, making it easy to set up malicious web servers that use HTTPS.
Enable checking of HTTPS URLs to reduce exposure to compromised and malicious sites that use HTTPS. Web Reputation can monitor HTTPS traffic on the following browsers:
| Browser | Version |
| --- | --- |
| Microsoft Internet Explorer | 8.x |
| Mozilla Firefox | 3.5 or later |
| Chrome | Latest version |
| Microsoft Edge | Latest version |
- HTTPS scanning only supports Windows 8, Windows 8.1, Windows 10, or Windows 2012 platforms operating in desktop mode.
- Firefox, Microsoft Edge, and Chrome (HTTPS scanning on these browsers is not supported on Windows XP, Server 2003/2003 R2, or Server 2008 platforms).
You must enable the Unauthorized Change Prevention service and the Behavior Monitoring "Enable program inspection to detect and block compromised executable files" feature on agents to scan HTTPS traffic.
- After enabling HTTPS scanning for the first time on OfficeScan agents, users must enable the required add-on in the browser before HTTPS scanning is operational.
- Internet Explorer 9, 10, and 11
For OfficeScan agents running Windows 7, 8, 8.1, 10, Server 2008 R2, or Server 2012, users must enable the Trend Micro Osprey Plugin Class add-on in the browser pop-up window.
For OfficeScan agents running Windows XP, Server 2003, or Server 2008, users must enable the TmIEPlugInBHO Class add-on in the browser pop-up window.
For more information on configuring Internet Explorer settings for web reputation, see the following Knowledge Base articles:
- Internet Explorer 9, 10, and 11
- Select "Scan common HTTP ports only" to restrict web reputation scanning to traffic through ports 80, 81, and 8080. By default, Web Reputation scans all traffic through all ports. This option is not supported on Windows 7, 8, 8.1, 10, or Windows Server 2008 R2, 2012 or later platforms.
- For internal OfficeScan agents, select "Send queries to Smart Protection Servers" if you want OfficeScan agents to send web reputation queries to Smart Protection Servers.
- If you enable this option:
- Agents refer to the smart protection source list to determine the Smart Protection Servers to which they send queries. Agents send queries to smart protection sources when scanning for security risks and determining a website’s reputation.
- Be sure that Smart Protection Servers are available. If all Smart Protection Servers are unavailable, agents do not send queries to Smart Protection Network. The only remaining sources of web reputation data for agents are the approved and blocked URL lists.
- If you want agents to connect to Smart Protection Servers through a proxy server, specify proxy settings in the Internal Proxy section on the Administration > Settings > Proxy > Agent tab.
- Be sure to update Smart Protection Servers regularly so that protection remains current.
- Agents do not block untested websites. Smart Protection Servers do not store web reputation data for these websites.
- If you disable this option:
- Agents send web reputation queries to the Smart Protection Network. Endpoints must have an Internet connection to send queries successfully.
- If connection to Smart Protection Network requires proxy server authentication, specify authentication credentials in Administration > Settings > Proxy > Agent (tab) > External Proxy.
- Agents can block untested websites if you select the "Block pages that have not been tested by Trend Micro" option.
- Select from the available web reputation security levels: High, Medium, or Low. The security levels determine whether Web Reputation allows or blocks access to a URL. For example, if you set the security level to Low, Web Reputation only blocks URLs that are known to be web threats. As you set the security level higher, the web threat detection rate improves but the possibility of false positives also increases.
- If you disabled the "Send queries to Smart Protection Servers" option in step 7, you can select "Block pages that have not been tested by Trend Micro". While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular websites. Blocking access to untested pages can improve safety but can also prevent access to safe pages.
- Select "Block pages containing malicious script" to identify web browser exploits and malicious scripts, and prevent the use of these threats from compromising the web browser.
Web Reputation utilizes both the Browser Exploit Prevention pattern and the Script Analyzer pattern to identify and block web pages before exposing the system.
| Browser | Version |
| --- | --- |
| Microsoft Internet Explorer | 7.x |
| Chrome | Latest version |
| Mozilla Firefox | 3.5 or later |
| Microsoft Edge | Latest version |
The Browser Exploit Prevention feature requires that you enable the Advanced Protection Service. To enable the Advanced Protection Service, go to Agents > Agent Management, click Settings > Additional Service Settings.
After enabling the Browser Exploit Prevention feature for the first time on OfficeScan agents, users must enable the required add-on in the browser before Browser Exploit Prevention is operational. For OfficeScan agents running Internet Explorer 9, 10, or 11, users must enable the Trend Micro IE Protection add-on in the browser pop-up window.
- Configure the approved and blocked lists. The approved list takes precedence over the blocked list. When a URL matches an entry in the approved list, agents always allow access to the URL, even if it is in the blocked list.
Web Reputation does not perform any scanning on addresses located in the Approved and Blocked lists.
- Select "Enable approved/blocked list".
- Type a URL.
You can add a wildcard character (*) anywhere in the URL. For example:
- Typing www.trendmicro.com/* means that Web Reputation approves all pages in the Trend Micro website.
- Typing *.trendmicro.com/* means that Web Reputation approves all pages on any sub-domain of trendmicro.com.
You can type URLs containing IP addresses. If a URL contains an IPv6 address, enclose the address in parentheses.
- Click Add to Approved List or Add to Blocked List.
- To export the list to a .dat file, click Export and then click Save.
- If you have exported a list from another server and want to import it to this screen, click Import and locate the .dat file. The list will load on the screen.
- To submit Web Reputation feedback, click the URL provided under Reassess URL. The Trend Micro Web Reputation Query system opens in a browser window.
- Select whether to allow the OfficeScan agent to send web reputation logs to the server. Allow agents to send logs if you want to analyze URLs blocked by Web Reputation and take the appropriate action on URLs you think are safe to access.
- If you selected domain(s) or agent(s) in the agent tree, click Save. If you clicked the root domain icon, choose from the following options:
- Apply to All Agents: Applies settings to all existing agents and to any new agent added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
- Apply to Future Domains Only: Applies settings only to agents added to future domains. This option will not apply settings to new agents added to an existing domain.
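Because the approved list takes precedence over the blocked list, a broad approved wildcard can leave blocked entries with no effect. The following added example (not OfficeScan code and not part of the original documentation) models the documented precedence and reports blocked entries that an approved entry overrides. The matching rules (scheme stripped, case-insensitive, "*" matches any run of characters) and the sample lists are assumptions constructed for illustration.

```python
import re

def normalize(url):
    """Lowercase and drop the scheme so entries and URLs compare alike (assumption)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())

def to_regex(entry):
    """Turn a list entry into a regex: '*' matches any run of characters (assumption)."""
    return re.compile(re.escape(normalize(entry)).replace(r"\*", ".*"))

def first_match(entries, url):
    """Return the first list entry that matches the whole URL, or None."""
    target = normalize(url)
    for entry in entries:
        if to_regex(entry).fullmatch(target):
            return entry
    return None

def decide(url, approved, blocked):
    """Documented precedence: approved list, then blocked list, then a reputation query."""
    if first_match(approved, url):
        return "allow"
    if first_match(blocked, url):
        return "block"
    return "query"

def shadowed(approved, blocked):
    """Map each blocked entry that can never take effect to the approved entry covering it.

    The blocked entry's own text is matched against the approved patterns, so any
    '*' in it must be absorbed by a '*' in the approved entry. The check is
    therefore conservative: it reports only entries that are certainly overridden.
    """
    result = {}
    for entry in blocked:
        cover = first_match(approved, entry)
        if cover:
            result[entry] = cover
    return result

# Constructed sample lists (not taken from a real export).
APPROVED = ["www.trendmicro.com/*", "*.intranet.example/*"]
BLOCKED = ["files.intranet.example/upload/*", "*.badsite.example/*",
           "www.trendmicro.com/old/page.html"]

if __name__ == "__main__":
    for entry, cover in shadowed(APPROVED, BLOCKED).items():
        print(f"blocked entry {entry!r} is overridden by approved entry {cover!r}")
```

Running a check like this on both lists before import helps catch an approved wildcard that silently cancels a block an administrator still relies on.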