Configure the following setting on your WFBS-SVC web console:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
- In the Scan Settings section, select from the following under Files to scan:
- All scannable files (Recommended): Includes all scannable files. Unscannable files are password protected files, encrypted files, or files that exceed the user-defined scanning restrictions.
This option provides the maximum security possible. However, scanning every file requires a lot of time and resources and might be redundant in some situations. Therefore, you might want to limit the amount of files the agent includes in the scan.
- File types scanned by IntelliScan: Scans files based on true-file type.
- Files with specified extensions: Manually specify the files to scan based on their extensions. Separate multiple entries with commas.
Wildcard support for file extensions in scan settings is different from scan exclusion settings. The * character replaces zero to many characters. For example, scanning can still detect the .COM extension when COM* is specified.
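To make the wildcard rule above concrete, here is an added example (not Trend Micro code) that applies a "Files with specified extensions" list to file names: entries are comma-separated and `*` stands for zero or more characters, so `COM*` still matches a `.COM` file. It assumes matching is done on the extension only (the text after the last dot) and is case-insensitive, as Windows extensions are; files without an extension never match.

```python
import re


def compile_extension_list(spec):
    """Turn a comma-separated list such as 'COM*, EXE, .DLL' into anchored regexes.

    '*' in an entry means 'zero or more characters' (per the scan settings rule),
    so 'COM*' matches 'COM' as well as 'COMX'. A leading dot is tolerated.
    Assumption: comparison is case-insensitive, as Windows file extensions are.
    """
    patterns = []
    for entry in spec.split(","):
        entry = entry.strip().lstrip(".")
        if not entry:
            continue
        # Escape everything, then turn the escaped '*' back into 'zero or more chars'.
        regex = re.escape(entry).replace(r"\*", ".*")
        patterns.append(re.compile(rf"^{regex}$", re.IGNORECASE))
    return patterns


def extension_of(path):
    """Return the extension (text after the last dot of the file name) or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name or name.endswith("."):
        return None
    return name.rsplit(".", 1)[1]


def should_scan(path, patterns):
    """True when the file's extension matches any entry in the configured list."""
    ext = extension_of(path)
    if ext is None:
        return False
    return any(p.match(ext) for p in patterns)


if __name__ == "__main__":
    # Constructed sample list and file names for illustration.
    configured = compile_extension_list("COM*, EXE, .DLL, D*")
    for sample in [r"C:\Windows\cmd.COM", "tool.comx", "setup.exe",
                   "report.docx", "notes.txt", "noext", "archive.com.txt"]:
        print(f"{sample:22} -> {'scan' if should_scan(sample, configured) else 'skip'}")
```

Note that `archive.com.txt` is skipped: only the final extension (`txt`) is compared against the list.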
- In the Scan Settings section, select which file operations trigger scanning under User activity on files.
- Created, modified, or retrieved (Recommended): Scans all files created, modified, or opened on the endpoint
- Retrieved: Scans all files opened on the endpoint
- Created or modified: Scans all files created or modified on the endpoint
- Configure the recommended Scan Settings using the table below (O = enable the setting).

| Feature | Real-Time Scan | Manual Scan | Scheduled Scan |
| --- | --- | --- | --- |
| Enable IntelliTrap | O | | |
| Quarantine malware variants detected in memory | O | | |
| Scan compressed files | Maximum 4 layers | Maximum 4 layers | Maximum 4 layers |
| Enable CVE exploit scanning for files downloaded through web and email channels | O | | |
| Scan boot area | | O | O |
| Scan mapped drives and shared folders on the network | O | | |
| Spyware/Grayware | Clean | Clean | Clean |

Administrators can disable or minimize other scan settings if higher performance is required for those machines.
- Go to the Action tab and set it to Customized actions so that probable malware will be quarantined.
- Click Save.
Behavior Monitoring protects clients from unauthorized changes to the operating system, registry entries, software, files and folders. The settings can be enabled or disabled only per group.
To configure:
- In the Behavior Monitoring section, configure the following settings:
- Enable Behavior Monitoring
- Malware Behavior Blocking: Provides a necessary layer of additional threat protection from programs that exhibit malicious behavior. It observes system events over a period of time. As programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.
- Enable malware Behavior Blocking for known and potential threats
Malware Behavior Blocking provides the following threat-level scanning options:
- Block known threats: Blocks behaviors associated with known malware threats
- Block known and potential threats: Blocks behavior associated with known threats and takes action on behavior that is potentially malicious
- Ransomware Protection
- Enable document protection against unauthorized encryption or modification: Protects documents from unauthorized changes. Enabling this option stops processes that rename, modify and delete files, and then quarantines the programs that are running these processes.
- Enable automatic back up and restore: Automatically backing up files before suspicious programs attempt any modification makes file restoration easier when unauthorized encryption occurs. Enabling this feature, however, requires an additional 100 MB of storage space.
- Enable blocking of processes commonly associated with ransomware: Protects endpoints from ransomware attacks by blocking processes commonly associated with hijacking attempts
- Enable program inspection to detect and block compromised executable files: Protects endpoints from ransomware attacks by increasing the overall detection ratio for compromised executable files and programs that are behaving in an unexpected manner
- Anti-Exploit Protection: Enables termination of programs that exhibit abnormal behavior associated with exploit attacks to protect against potentially exploited programs
- Enable Intuit QuickBooks Protection: Protects all Intuit QuickBooks files and folders from unauthorized changes by other programs. Enabling this feature will not affect changes made from within Intuit QuickBooks programs, but will only prevent changes to the files from other unauthorized applications.
The following products are supported:
- QuickBooks Simple Start
- QuickBooks Pro
- QuickBooks Premier
- QuickBooks Online
- Event Monitoring: For a more generic approach to protecting against unauthorized software and malware attacks, Event Monitoring oversees system areas for certain events, allowing administrators to regulate programs that trigger such events. Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.
The following table provides a list of monitored system events:

| Event | Description |
| --- | --- |
| Duplicated System File | Many malicious programs create copies of themselves or other malicious programs using file names used by Windows system files. This is typically done to override or replace system files, avoid detection, or discourage users from deleting the malicious files. |
| Hosts File Modification | The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the web browser is redirected to infected, non-existent, or fake websites. |
| Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. |
| New Internet Explorer Plugin | Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. |
| Internet Explorer Setting Modification | Many virus/malware change Internet Explorer settings, including the home page, trusted websites, proxy server settings, and menu extensions. |
| Security Policy Modification | Modifications in Windows Security Policy can allow unwanted applications to run and change system settings. |
| Program Library Injection | Many malicious programs configure Windows so that all applications automatically load a program library (DLL). This allows the malicious routines in the DLL to run every time an application starts. |
| Shell Modification | Many malicious programs modify Windows shell settings to associate themselves to certain file types. This routine allows malicious programs to launch automatically if users open the associated files in Windows Explorer. Changes to Windows shell settings can also allow malicious programs to track the programs used and start alongside legitimate applications. |
| New Service | Windows services are processes that have special functions and typically run continuously in the background with full administrative access. Malicious programs sometimes install themselves as services to stay hidden. |
| System File Modification | Certain Windows system files determine system behavior, including startup programs and screen saver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. |
| Firewall Policy Modification | The Windows Firewall policy determines the applications that have access to the network, the ports that are open for communication, and the IP addresses that can communicate with the computer. Many malicious programs modify the policy to allow themselves access to the network and the Internet. |
| System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. |
| New Startup Program | Malicious applications usually add or modify autostart entries in the Windows registry to automatically launch every time the computer starts. |

When Event Monitoring detects a monitored system event, it performs the action configured for the event.
The following table lists the possible actions that administrators can take on monitored system events.

| Action | Description |
| --- | --- |
| Always allow | Worry-Free Business Security Services always allows programs associated with an event. |
| Ask when necessary | Worry-Free Business Security Services prompts users to allow or deny programs associated with an event and add the programs to the exception list. If the user does not respond within a certain time period, Worry-Free Business Security Services automatically allows the program to run. The default time period is 30 seconds. This option is not supported for Program Library Injections on 64-bit systems. |
| Always block | Worry-Free Business Security Services always blocks programs associated with an event and records this action in the logs. When a program is blocked and alerts are enabled, Worry-Free Business Security Services displays an alert on the Worry-Free Business Security Services computer. |

- Exceptions: The Approved Program List and Blocked Program List can be found under Scan Exclusions > Behavior Monitoring. Programs in the Approved Program List can be started even if they violate a monitored change, while programs in the Blocked Program List can never be started.
- Security Agent Alerts: Enable Security Agent alerts for Behavior Monitoring by going to Privileges and Other Settings > Alerts then checking Behavior Monitoring under Threat Protection.
- Click Save.
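The action table and the exception lists above combine into a small decision procedure. The following is an added example (not Trend Micro code) that models how an Event Monitoring action is resolved for a program, including the 30-second prompt timeout that falls back to allowing the program. Assumptions not taken from the page: a program on both exception lists is treated as blocked, the user's answer to a prompt places the program on the Approved or Blocked list respectively, and the unsupported "Ask when necessary" / Program Library Injection combination on 64-bit systems is rejected rather than resolved.

```python
from dataclasses import dataclass, field
from typing import Optional

ALWAYS_ALLOW, ASK, ALWAYS_BLOCK = "Always allow", "Ask when necessary", "Always block"
DEFAULT_ASK_TIMEOUT = 30  # seconds an unanswered prompt waits before allowing the program


@dataclass
class Policy:
    event_actions: dict                         # event name -> one of the three actions
    approved: set = field(default_factory=set)  # Approved Program List
    blocked: set = field(default_factory=set)   # Blocked Program List
    ask_timeout: int = DEFAULT_ASK_TIMEOUT


@dataclass
class Decision:
    allowed: Optional[bool]  # None while a prompt is still waiting for the user
    reason: str
    logged: bool = False     # the page states that Always block records to the logs


def resolve(policy, program, event, is_64bit=False,
            user_response=None, seconds_waited=0):
    """Decide whether `program` may perform `event` under `policy`."""
    # Exception lists take precedence over the per-event action
    # (assumption: Blocked wins if a program is somehow on both lists).
    if program in policy.blocked:
        return Decision(False, "on Blocked Program List")
    if program in policy.approved:
        return Decision(True, "on Approved Program List")

    action = policy.event_actions[event]
    if action == ALWAYS_ALLOW:
        return Decision(True, "Always allow")
    if action == ALWAYS_BLOCK:
        return Decision(False, "Always block", logged=True)
    if action != ASK:
        raise ValueError(f"unknown action {action!r}")

    # 'Ask when necessary' from here on.
    if event == "Program Library Injection" and is_64bit:
        raise ValueError("Ask when necessary is not supported for "
                         "Program Library Injection on 64-bit systems")
    if user_response is not None:
        # The answer also adds the program to an exception list
        # (assumption: allow -> Approved list, deny -> Blocked list).
        (policy.approved if user_response else policy.blocked).add(program)
        return Decision(user_response, "user answered prompt")
    if seconds_waited >= policy.ask_timeout:
        return Decision(True, "no response within timeout, allowed automatically")
    return Decision(None, "waiting for user response")
```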
Trend Micro Predictive Machine Learning uses advanced machine learning technology to detect emerging unknown security risks found in low-prevalence suspicious processes or files originating from removable storage, web, or email channels.
- In the Predictive Machine Learning section, configure the following settings:
- Enable Predictive Machine Learning.
- Under Detection Settings, select the type of detections and related action that Predictive Machine Learning takes.
| Detection Type | Actions |
| --- | --- |
| File | Quarantine: Select to automatically quarantine files that exhibit malware-related features based on the Predictive Machine Learning analysis. Log only: Select to scan unknown files and log the Predictive Machine Learning analysis for further in-house investigation of the threat. |
| Process | Terminate: Select to automatically terminate processes that exhibit malware-related behaviors based on the Predictive Machine Learning analysis. Log only: Select to scan unknown processes and log the Predictive Machine Learning analysis for further in-house investigation of the threat. |
- Click Save.
Enable Vulnerability Protection to apply Intrusion Prevention Rules to protect your endpoints.
Vulnerability Protection uses a host-based intrusion prevention system (HIPS) to apply virtual patches to known vulnerabilities.
Web Reputation enhances protection against malicious websites. Web Reputation leverages Trend Micro's extensive web security database to check the reputation of URLs that clients are attempting to access or URLs embedded in email messages that are contacting websites.
- In the Web Reputation section, configure the following settings:
- Enable Web Reputation.
- Update Security Level:
- High: Blocks the following pages:
- Dangerous: Verified to be fraudulent or known sources of threats
- Highly suspicious: Suspected to be fraudulent or possible sources of threats
- Suspicious: Associated with spam or possibly compromised
- Medium (Recommended): Blocks the following pages:
- Dangerous: Verified to be fraudulent or known sources of threats
- Highly suspicious: Suspected to be fraudulent or possible sources of threats
- Low: Blocks the following pages:
- Dangerous: Verified to be fraudulent or known sources of threats
- Untested URLs
- Block websites that have not been tested by Trend Micro: While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular websites. Blocking access to untested pages can improve safety but can also prevent access to safe pages.
If unsure whether an untested website is safe, visit the Site Safety Center to check the reputation of the website.
To modify Approved/Blocked URLs, go to the Approved/Blocked URLs screen under Exception Lists or refer to Configuring the Approved/Blocked URL Lists:
- Configuring the Approved/Blocked URL via Global Settings
- Configuring the Approved/Blocked URL via Specific Group / Policy
- Enable Browser Exploit Prevention > Block websites containing malicious script to protect against browser exploits containing malicious script.
- Click Save.
Enable Application Control to block applications or paths that are restricted for each group that you create. For the complete procedure for configuring Application Control, refer to Configuring Application Control in Worry-Free Business Security Services (WFBS-SVC).
- In the CPU Usage section, select from the following:
- High: No pausing between scans
- Medium: Pause between file scans if CPU consumption is higher than 50%, and do not pause if 50% or lower
- Low: Pause between file scans if CPU consumption is higher than 20%, and do not pause if 20% or lower
- In the Virus/Malware section, configure the required settings.
- Clean: Terminates all related processes and deletes associated registry values, files, cookies and shortcuts
- Pass: Logs the detection but allows the program to execute
- In the Spyware/Grayware section, select the action the Security Agent takes after detecting spyware or grayware programs.
- In the Privileges and Other Settings section, configure the following settings:
- Click Other Settings.
- Configure the required settings.
Security Agent Upgrade Settings
Upgrading or deploying hotfixes to a large number of Security Agents simultaneously can significantly increase network traffic. Consider enabling the following settings on several groups so you can stagger the deployment.
- Postpone major version upgrade: This setting applies when the Security Agent program requires a major version upgrade. Depending on the user's environment, the actual upgrade might occur later than the specified day.
- Do not apply non-critical hot fixes: Non-critical hotfixes contain minor updates for the Security Agent program.
Security Agent Self-Protection
Prevent users or other processes from modifying Trend Micro program files, registries and processes. The access permission settings of the Security Agent folders, files, and registry entries are inherited from the Program Files folder (for endpoints running Windows Vista/XP/Server 2003). Therefore, if the permission settings (security settings in Windows) of the Windows file or Program Files folder are set to allow full read/write access, enabling this setting still allows endpoints full read/write access to the Security Agent folders, files, and registry entries.
- Click Save.
- Go to POLICIES > Global Security Agent Settings > Security Settings and configure the recommended settings:
General Scan
- Enable deferred scanning on file operations: Administrators can configure Worry-Free Services to defer the scanning of files. Worry-Free Services allows the user to copy files and then scans the files after the copy process completes. This deferred scanning improves the performance of the copy and scan processes.
- Exclude the Microsoft Exchange Server 2003 folders: Prevents Security Agents installed on the Microsoft Exchange server from scanning Microsoft Exchange 2003 folders.
For information on excluding other versions of Exchange server folders, refer to the Microsoft document, Running Windows antivirus software on Exchange servers.
- Exclude the Microsoft domain controller folders (Not applicable to Manual and Scheduled spyware/grayware scans): Prevents Agents installed on the domain controller from scanning domain controller folders. These folders store user information, user names, passwords, and other information.
- Exclude Shadow Copy sections: Shadow Copy or Volume Snapshot Services takes manual or automatic backup copies or snapshots of a file or folder on a specific volume.
- Resume a missed scheduled scan at the same time next day: Indicates whether a missed weekly or monthly scan should resume the next day. When this option is enabled, if an Agent is unavailable when the scan is scheduled to start, the scan will run at the same time the next day the Agent is available. However, if the Scheduled Scan has started and is canceled or aborted by the user (for example, by shutting down the computer), the Agent will not resume the Scheduled Scan.
Virus Scan
- Configure scan settings for large compressed files: Specify the maximum size of the extracted file and the number of files in the compressed file the Agent should scan.
- Clean compressed files: Agents will try to clean infected files within a compressed file.
- Scan up to {} OLE layer(s): Agents will scan the specified number of Object Linking and Embedding (OLE) layers. OLE allows users to create objects with one application and then link or embed them in a second application. For example, an .xls file embedded in a .doc file.
- Add Manual Scan to the Windows shortcut menu on endpoints: With this, users can right-click a file or folder (on the Desktop or in Windows Explorer) and manually scan the file or folder.
Spyware/Grayware Scan
- Scan for cookies: Agents will scan for and remove tracking cookies downloaded to clients by visiting websites. Detected tracking cookies are added to the spyware/grayware counter on the Live Status screen.
- Add cookie detections to the spyware/grayware log: Adds each detected spyware cookie to the spyware log.
Behavior Monitoring
- Enable warning messages for low-risk changes or other monitored actions: Agents warn users of low-risk changes or monitored actions.
- Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded): After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.
HTTPS Web Threat Protection
- Enable HTTPS checking for Web Reputation and URL Filtering on Chrome, Firefox and Microsoft Edge: HTTPS checking does not require additional add-ons for the Chrome, Firefox, or Microsoft Edge browsers and supports the HTTP/2 protocol.
HTTPS checking support for Internet Explorer is enabled by default in Web Reputation policies and requires an additional browser add-on.
- Go to POLICIES > Global Security Agent Settings > Agent Control and configure the recommended settings:
Watchdog
- Enable the Security Agent Watchdog service: Enable the Watchdog service to help ensure that the Agent is protecting your clients. If the Agent unexpectedly terminates, which could happen if the client is under attack from a hacker, the Watchdog service restarts the Agent.
Keep the default agent status checking time interval.
Uninstallation
- Enable Require users to provide a password to uninstall the Security Agent
Exit/Unlock
- Enable Require a password to exit the Security Agent or unlock advanced settings
- Click Save.