Views:
WARNING
WARNING
Do not enable Auto apply core Endpoint & Workload rules when using classic recommendation scan.
During a classic recommendation scan, agents scan the following:
  • Installed applications
  • Windows registry
  • Open ports
  • Directory listing
  • File system
  • Running processes and services
  • Environment variables
  • Users

Scan limitations

Technical and logical limitations can cause inaccurate or missing recommendations for some types of software.
  • Classic recommendation scans do not include the following:
    • Web application protection rules.
    • Most smart rules unless they address a major threat or specific vulnerability. Smart rules address one or more (zero-day) vulnerabilities. Rule lists in Server & Workload Protection identify smart rules with Smart in the Type column.
    • On Windows systems, OpenSSL rules which an application uses internally. The scanner can only make recommendations for OpenSSL if you explicitly install it.
  • The scanner may recommend unnecessary rules for the following technologies:
    • Red Hat JBoss
    • Eclipse Jetty
    • Apache Struts
    • Oracle WebLogic
    • WebSphere
    • Oracle Application Testing Suite
    • Oracle Golden Gate
    • Nginx
    • Adobe Flash Player plug-in for Chrome - Recommendations are based on the Chrome version.
    • A content management system (CMS) and any CMS plugins - For a web server with PHP, the scan recommends all intrusion prevention rules related to the CMS.
  • On Linux systems:
    • If web browsers are the only applicable vector for Java-related vulnerabilities, the scanner does not recommend such rules.
  • On Unix or Linux systems:
    • The classic recommendation scan engine might have trouble detecting software that is not installed through the operating system's default package manager. Applications installed using standard package managers do not have this problem.
    • Recommendations do not include rules for desktop application vulnerabilities or local vulnerabilities. For example, browsers and media players.
Related information

Run a classic recommendation scan

Run recommendation scans on a regular basis (the best practice is weekly) because any change to your environment can affect rule recommendations. Ideally, schedule recommendation scans soon after Trend Micro releases new intrusion prevention rules each Tuesday. The use of system resources, including central processing unit (CPU) cycles, memory, and network bandwidth, increases during a classic recommendation scan, so schedule the scans at non-peak times. After running a recommendation scan, alerts appear on all computers that have recommendations.
Note
Note
You need a Endpoint & Workload Security license to run recommendation scans.
You can run recommendation scans using any of the following methods:

Procedure

  • Create a scheduled task that runs recommendation scans according to a schedule that you configure. You can assign the scheduled task to all computers, one individual computer, a defined computer group, or all computers protected by a particular policy.
    Note
    Note
    Scheduled tasks and ongoing scans can run classic recommendation scans independently with their own settings. Use either the scheduled tasks or ongoing scans, but not both.
  • Configure an ongoing scan policy to scan a group of computers for recommendations on a regular basis. You can also configure ongoing scans for individual computers. This type of scan checks the time that the last scan occurred and waits a configured interval to scan. This results in recommendation scans occurring at different times in your environment. Ongoing scans are helpful in environments where an agent might be online for short or intermittent periods. For example, cloud environments that build and decommission instances frequently.
  • Manually run a single recommendation scan on one or more computers. A manual scan is useful if you recently made significant platform or application changes and want to force a check for new recommendations instead of waiting for a scheduled task.
  • Use the Server & Workload Protection command-line interface (CLI) to initiate a classic recommendation scan. See Command-line utilities.
  • Use the Server & Workload Protection application programming interface (API) to initiate a classic recommendation scan. See How to use the Server & Workload Protection REST API.
The results of the latest recommendation scan appear on the General tab of the Intrusion Prevention, Integrity Monitoring, or Log Inspection protection module.

Schedule a recommendation scan

Tip
Tip
For large deployments, use policies to perform classic recommendation scans.

Procedure

  1. On the Server & Workload Protection console, go to Administration Scheduled Tasks.
  2. Select NewNew Scheduled Task to display the New Scheduled Task wizard.
  3. Select TypeScan Computers for Recommendations.
  4. Select how often you want the scan to occur then click Next.
  5. Specify the scan frequency based on your selection then click Next.
  6. Select the computers to scan then click Next.
  7. Name the new scheduled task.
  8. To immediately run the scan, select Run Task on Finish.
  9. Click Finish.
The results of the latest recommendation scan appear on the General tab of the Intrusion Prevention, Integrity Monitoring, or Log Inspection protection module.

Configure an ongoing recommendation scan

Tip
Tip
For large deployments, use policies to perform classic recommendation scans.

Procedure

  1. On the Server & Workload Protection console, open the editor:
    • For an individual Computer.
    • For all computers that are using a Policy.
  2. Click Settings.
  3. On the General tab, under Recommendations, use Perform ongoing Recommendation Scans to enable or disable ongoing classic recommendation scans. This setting is inheritable. See Policies, inheritance, and overrides.
  4. Specify how often the scans occur using Ongoing Scan Interval. This setting is inheritable. See Policies, inheritance, and overrides.
The results of the latest recommendation scan appear on the General tab of the Intrusion Prevention, Integrity Monitoring, or Log Inspection protection module.

Manually run a classic recommendation scan

Procedure

  1. On the Server & Workload Protection console, go to Computers.
  2. Select the computers you want to scan.
  3. Click Actions Scan for Recommendations.
The results of the latest recommendation scan appear on the General tab of the Intrusion Prevention, Integrity Monitoring, or Log Inspection protection module.

Cancel a classic recommendation scan

You can cancel a classic recommendation scan before it starts running.

Procedure

  1. On the Server & Workload Protection console, go to Computers.
  2. Select the computers where you want to cancel the scans.
  3. Click Actions Cancel Recommendation Scan.

Exclude a rule or application type from classic recommendation scans

For large deployments without access to the enhanced recommendation scan, create policies to manage recommendations. Policies make rule assignments from a single source rather than needing to manage individual rules on each computer. Consequently, policies may assign some rules to computers which do not need them.
When enabling recommendation scans in policies, use separate policies for scanning Windows and Linux computers to avoid assigning Windows rules to Linux computers or vice-verse.

Procedure

  1. On the Server & Workload Protection console, open the editor:
    • For an individual Computer.
    • For all computers that are using a Policy.
  2. Select the type of rule you want to exclude:
    • Intrusion Prevention
    • Integrity Monitoring
    • Log Inspection
  3. On the General tab, choose one of the following:
    • Assign/Unassign for rules
    • Application Types for application types
  4. Double-click the rule or application type that you want to exclude.
  5. Click the Options tab.
  6. Do one of the following:

Automatically implement recommendations

You can configure Server & Workload Protection to automatically implement recommendation scan results except for the following rules:
  • Rules that require configuration before being applied.
  • Rules that are excluded from recommendation scans.
  • Rules that have been automatically assigned or unassigned, but that a user has overridden. For example, if Server & Workload Protection automatically assigns a rule and then you unassign it, the next recommendation scan does not reassign that rule.
  • Rules that have been assigned at a higher level in the policy hierarchy cannot be unassigned at a lower level. A rule assigned to a computer at the policy level must be unassigned at the policy level.
  • Rules that Trend Micro has issued, but which may pose a risk of producing false positives. This is addressed in the rule description.

Procedure

  1. On the Server & Workload Protection console, open the editor:
    • For an individual Computer.
    • For all computers that are using a Policy.
  2. Select the type you want to implement automatically:
    • Intrusion Prevention
    • Integrity Monitoring
    • Log Inspection
    You can change the setting independently for each protection module.
  3. On the General tab, under Recommendations, choose one of the following:

Manually assign rules

The example below illustrates how to make a policy to handle recommendation scan results for Intrusion Prevention:

Procedure

  1. After a recommendation scan is complete, open the policy that assigned to the scanned computers.
  2. Go to Intrusion Prevention General. Any unresolved recommendations appear in the Recommendations section.
  3. Click Assign/Unassign to open the rule assignment window.
  4. Sort the list of the recommended, unassigned rules By Application Type.
  5. Select Recommended for Assignment.
    • Recommended rules have a rectangular, or full, flagrecommended_rule=114f086b-5872-4ecd-a0a2-0548ca8efd22.png.
    • A flag partially_recommended_rule=2d2059eb-bb2d-4d29-80f8-5f818f9dba86.png indicates that only some of the rules for the application type have been recommended.
  6. To assign a single rule to a policy, select the box next to the rule name.
    • Rules with warning=dfb7f735-8b48-42ab-b0eb-604833e44f85.png have settings that you must configure before enabling the rule.
      For example, some log inspection rules require the location of the log files. An alert appears on the computer where the recommendation was made. The text of the alert contains the information required to configure the rule.
    • Rules with dpi_rules_option=84381749-8bce-4bd3-82d6-ae9e9804e843.png have configuration options that you can set.
  7. To assign several rules at once:
    1. Select multiple rules.
      • To select a group of rules next to each other, press and hold the Shift key.
      • To select separated rules, press and hold the Control key.
    2. Right-click the selection.
  8. Click Assign Rule(s).

Additional rules for common vulnerabilities

Recommendation scans provide a good starting point for establishing a list of rules that you should implement, but some additional rules for common vulnerabilities are not identified by recommendation scans because must be carefully configured and tested before being implemented in prevent (block) mode. Trend Micro recommends that you configure and test these rules, then manually enable them in your policies or individual computers.
The table below includes the most common additional rules you should configure. You can find others in Server & Workload Protection by searching for rules whose type is Smart or Policy.
Rule name
Application type
1007598 - Identified Possible Ransomware File Rename Activity Over Network Share
DCERPC Services
1007596 - Identified Possible Ransomware File Extension Rename Activity Over Network Share
DCERPC Services
1006906 - Identified Usage Of PsExec Command Line Tool
DCERPC Services
1007064 - Executable File Uploaded On System32 Folder Through SMB Share
DCERPC Services
1003222 - Block Administrative Share
DCERPC Services
1001126 - DNS Domain Blocker
DNS Client
1000608 - Generic SQL Injection Prevention
See Configure an SQL injection prevention rule for details.
Web Application Common
1005613 - Generic SQL Injection Prevention - 2
Web Application Common
1000552 - Generic Cross Site Scripting (XSS) Prevention
Web Application Common
1006022 - Identified Suspicious Image With Embedded PHP Code
Web Application Common
1005402 - Identified Suspicious User Agent In HTTP Request
Web Application Common
1005934 - Identified Suspicious Command Injection Attack
Web Application Common
1006823 - Identified Suspicious Command Injection Attack - 1
Web Application Common
1005933 - Identified Directory Traversal Sequence In Uri Query Parameter
Web Application Common
1006067 - Identified Too Many HTTP Requests With Specific HTTP Method
Web Server Common
1005434 - Disallow Upload Of A PHP File
Web Server Common
1003025 - Web Server Restrict Executable File Uploads
Web Server Common
1007212 - Disallow Upload Of An Archive File
Web Server Common
1007213 - Disallow Upload Of A Class File
Web Server Common

Troubleshooting classic recommendation scan

The following tips can help you troubleshoot classic recommendation scans: