When you add or edit a Threat Protection template from the Threat
Protection screen, a new screen opens, where you can specify the
settings for the template.
Procedure
- Configure the basic template information:
  - Template name: Specify a unique name for the template.
  - Description: (Optional) Meaningful description to easily identify the Threat Protection template.
- Configure the Web Reputation section:
  - Enable: Click On or Off as necessary.
  - Security level: Select the security level to block. Each security level comes with a description to help you make an informed decision.
    Trend Micro considers a URL a web threat if its reputation score falls within a defined threshold, and safe if its score exceeds the threshold.
    TMWS has three security levels that determine whether it will allow or block access to a URL with a certain risk level. For details about the risk levels, see About Web Reputation.
    - High: Blocks pages that are:
      - Dangerous
      - Highly suspicious
      - Suspicious
      - Untested
    - Medium: Blocks pages that are:
      - Dangerous
      - Highly suspicious
    - Low: Blocks pages that are:
      - Dangerous
    WARNING
    Selecting High increases the risk of false-positives.
- In the Content Type Exceptions section, select or type the types or names of files that you want to exclude from scanning.
  Note
  Trend Micro recommends minimizing the list of MIME content-types to skip to reduce the risk of virus infection. Also, Trend Micro does not recommend skipping any MIME content-types when large file handling is enabled, because it is possible for a MIME content-type to be forged.
  The supported true file types are as follows (file type: file formats):
  - Documents: DOC/DOCX, ODT, PDF, PPT/PPTX, WPD, XLS/XLSX
  - Images: BMP, GIF, JPG, PNG, PSD, PSP, TIF
  - Executables: COM/DLL/EXE, LNK, MSI
  - Audio/Video: AIF, FLV, M4A, MID, MOV/MP4, MP3, RA/RM, SWF, WAV/AVI, WMV/ASF
  - Archives: GZ, RAR, SIT, TAR, ZIP
  - Others: CHM, EPS
- Configure the File Scanning section:
  - Allow and do not scan files larger than: Specify the size limit for file scanning. TMWS does not scan files that exceed the size limit.
    The file size limit cannot be greater than 2 GB.
  - Do not scan files whose compression layers exceed: Specify the maximum number of compression layers for file scanning. TMWS does not scan files that have more compression layers than the limit.
    The range is from 1 through 20, and the default value is 10.
  - Unscannable files: Click Allow or Block as necessary.
    An unscannable file includes but is not limited to: its compression layers exceed the configured limit, it is compressed with an unsupported file format, it is password protected, or it is corrupted.
    When these files are blocked, TMWS displays a notification on the user's browser.
- Configure the Advanced Threat Scanning section:
  - Botnet Detection: Click Block or Monitor to select an action upon detection of botnets.
    - Block: TMWS blocks the web traffic.
    - Monitor: TMWS allows the web traffic but logs it for botnet activities for monitoring and analysis.
  - Predictive Machine Learning: Click On or Off to enable or disable scanning to detect emerging unknown security risks. For more information, see About Predictive Machine Learning.
    If enabled, TMWS first sends suspicious files to the cloud-based Predictive Machine Learning engine that uses advanced analytics to detect unknown threats, and blocks access to the files if any unknown threat is detected.
    If a suspicious file is blocked, it will not be sent to the Cloud Virtual Analyzer for further analysis.
    Note
    In this version, TMWS uses Predictive Machine Learning to scan executable files only.
  - Cloud Virtual Analyzer: Click On or Off to enable or disable the Cloud Virtual Analyzer to detect suspicious objects. When enabled, after the threat protection template is used in at least one enabled cloud access rule, TMWS submits sample files based on the rule configurations to the Cloud Virtual Analyzer for further analysis. A list of suspicious objects, if any, will be returned and displayed on the Suspicious Objects screen.
    Note
    This feature is not available for the Standard license. To use this feature, purchase an Advanced license, or you can purchase an add-on license to upgrade your service to the Advanced (Standard plus add-on) license.
  - Action on Suspicious Objects: Action upon detection of each suspicious object type after the threat protection template is used in at least one enabled cloud access rule. Suspicious objects are obtained from either the Cloud Virtual Analyzer or Apex Central.
    Click On or Off to decide whether to take pre-defined actions on access to the requested web traffic that contains the suspicious objects upon detection.
    By default, the value is set to Off.
    Once enabled, options for each suspicious object type include:
    - Block indicates that TMWS blocks access to the requested web traffic.
    - Monitor indicates that TMWS allows access to the requested web traffic and logs the web activity for monitoring and analysis. You can go to for log query and analysis.
- Click Save.
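
The note in the Content Type Exceptions step warns that a MIME content-type can be forged. The sketch below is an added example, not Trend Micro code and not a description of how TMWS works: it shows why a skip decision should compare the declared Content-Type with the file's leading bytes. The signature table, function names and sample responses are all constructed for illustration.

```python
from typing import Optional

# Constructed subset of leading-byte signatures; real scanners use far larger tables.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),   # also DOCX/XLSX/PPTX containers
    (b"\x1f\x8b", "application/gzip"),
    (b"MZ", "application/x-msdownload"),  # PE executables (EXE/DLL)
]

def sniff_type(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for signature, mime in MAGIC:
        if body.startswith(signature):
            return mime
    return None

def should_skip_scan(declared: str, body: bytes, skip_list: set) -> bool:
    """Skip scanning only when the declared type is on the skip list AND the
    bytes agree with it; a mismatch or unknown content is always scanned."""
    declared = declared.split(";", 1)[0].strip().lower()  # drop parameters
    if declared not in skip_list:
        return False
    return sniff_type(body) == declared

# Constructed sample responses: (Content-Type header, first bytes of the body).
SKIP_LIST = {"image/png", "image/gif"}
SAMPLES = [
    ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),  # header matches bytes
    ("Image/PNG; charset=binary", b"MZ\x90\x00\x03\x00"),    # header says image, bytes say executable
    ("application/pdf", b"%PDF-1.7\n"),                       # not on the skip list
    ("image/gif", b"<html><body>"),                           # unknown bytes
]

def audit(samples, skip_list):
    """Return (declared, sniffed, skip?) for each sample."""
    return [(d, sniff_type(b), should_skip_scan(d, b, skip_list)) for d, b in samples]

if __name__ == "__main__":
    for declared, sniffed, skip in audit(SAMPLES, SKIP_LIST):
        print(f"{declared!r:32} sniffed={sniffed!r:28} skip_scan={skip}")
```

Only the first sample is skipped; a filter that trusted the header alone would also have skipped the second and fourth.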