Views:
Note
Note
For a list of operating systems where Web Reputation is supported, see Supported features by platform.
The Web Reputation module protects against web threats by blocking access to malicious URLs. Server & Workload Protection uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of websites that users are attempting to access. The website's reputation is correlated with the specific Web Reputation policy enforced on the computer. Depending on the security level being enforced, Server & Workload Protection will either block or allow access to the URL.
Note
Note
The Web Reputation module does not block HTTPS traffic.
To enable and configure Web Reputation, perform the basic steps below:

Procedure

  1. Turn on the Web Reputation module
  2. Enable the Trend Micro Toolbar
  3. Switch between inline and tap mode
  4. Enforce the security level
  5. Create exceptions
  6. Configure the Smart Protection Server
  7. Edit advanced settings
  8. Test Web Reputation

What to do next

To suppress messages that appear to users of agent computers, see Configure notifications on the computer.

Turn on the Web Reputation module Parent topic

Procedure

  1. Go to Policies.
  2. Double-click the policy for which you want to enable Web Reputation.
  3. Click Web Reputation General.
  4. For Web Reputation State, select On.
  5. Click Save.

Enable the Trend Micro Toolbar Parent topic

After you enable the Trend Micro Toolbar, when you use your web browser to visit a dangerous, highly suspicious, or suspicious website, you will see both a blocking page in the main window of your web browser and a pop-up message will appear in the notification area. In addition, attempts to access a URL rated as dangerous, highly suspicious, or suspicious will be logged in Server & Workload Protection's Web Reputation Events tab.
Note
Note
In macOS, the dialog box may not always appear, depending on how the System Preferences for notifications are configured.
When the Trend Micro Toolbar is included in your browser extensions, a small Trend Micro logo will appear in your browser:
  • In Chrome and Firefox, the logo appears to the right of the website address field.
  • In Safari, the logo appears to the left of the website address field.

Install the toolbar for macOS Parent topic

Note
Note
For general help configuring the macOS agent, see Configure Mobile Device Management on Server & Workload Protection for the macOS agent.
To enable the toolbar, you'll need to download the extension for your browser using one of the following links:
Tip
Tip
It is possible to configure the Trend Micro Toolbar from macOS Mobile Device Management; for details, see Configure browser plugin extension.
On the macOS computers running the macOS agent, your web browser (Chrome, Firefox, or Safari) will display a dialog box titled "Agent Update: Action Required".
  • From the dialog box, click the Enable Extension button.

Install the toolbar for Windows Parent topic

The Trend Micro Toolbar extension for Windows is supported only on certain Windows platforms. It is currently supported only with the Chrome browser. See the supported features by platform tables for more details.
The Trend Micro Toolbar for Windows is downloaded automatically when the Web Reputation module is enabled and will be installed the next time the web browser is restarted.

Switch between inline and tap mode Parent topic

Web Reputation uses the Server & Workload Protection Network Engine which can operate in one of two modes:
  • Inline: Packet streams pass directly through the Server & Workload Protection network engine. All rules are applied to the network traffic before they proceed up the protocol stack.
  • Tap mode: Packet streams are not modified. The traffic is still processed by Web Reputation, if it's enabled. However any issues detected do not result in packet or connection drops. When in Tap mode, Server & Workload Protection offers no protection beyond providing a record of events.
In tap mode, the live stream is not modified. All operations are performed on the replicated stream. When in tap mode, Server & Workload Protection offers no protection beyond providing a record of events.
To switch between inline and tap mode, open the Computer or Policy editor and go to Settings Advanced Network Engine Mode.
For more on the network engine, see Test firewall rules before deploying them.

Enforce the security level Parent topic

Web addresses that are known to be or are suspected of being malicious are assigned a risk level of:
  • Dangerous: Verified to be fraudulent or known sources of threats
  • Highly suspicious: Suspected to be fraudulent or possible sources of threats
  • Suspicious: Associated with spam or possibly compromised
Security levels determine whether Server & Workload Protection will allow or block access to a URL, based on the associated risk level. For example, if you set the security level to low, Server & Workload Protection will only block URLs that are known to be web threats. As you set the security level higher, the web threat detection rate improves but the possibility of false positives also increases.

Configure the security level Parent topic

Procedure

  1. Go to Policies.
  2. Double-click the policy that you want to edit.
  3. Click Web Reputation General.
  4. Select one of the following security levels:
    • High: Blocks pages that are:
      • Dangerous
      • Highly suspicious
      • Suspicious
    • Medium: Blocks pages that are:
      • Dangerous
      • Highly Suspicious
    • Low: Blocks pages that are:
      • Dangerous
  5. Click Save.

What to do next

Create exceptions Parent topic

You can override the block and allow behavior dictated by the Smart Protection Network's assessments with your lists of URLs that you want to block or allow.
Note
Note
The Allowed list takes precedence over the Blocked list. URLs that match entries in the Allowed list are not checked against the Blocked list.

Create URL exceptions Parent topic

Procedure

  1. Go to Policies.
  2. Double-click the policy that you want to edit.
  3. Click Web Reputation Exceptions.
  4. To allow URLs:
    1. Go to the Allowed section.
    2. In the blank under URLs to be added to the Allowed list (one per line), enter your desired URL. Multiple URLs can be added at once but they must be separated by a line break.
    3. Select either:
      • Allow URLs from the domain: Allow all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, "example.com" and "another.example.com" are valid entries.
      • Allow the URL: The URL as entered will be allowed. Wildcards are supported. For example, "example.com/shopping/coats.html", and "example.com/shopping/*" are valid entries.
    4. Click Add.
  5. To block URLs:
    1. Go to the Blocked section.
    2. In the area under URLs to be added to the Blocked list (one per line), enter your desired URL. Multiple URLs or keywords can be added at once but they must be separated by a line break.
    3. Select either:
      • Block URLs from the domain: Block all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, "example.com" and "another.example.com" are valid entries.
      • Block the URL: The URL as entered will be blocked. Wildcards are supported. For example, "example.com/shopping/coats.html", and "example.com/shopping/*" are valid entries.
      • Block URLs containing this keyword: Any URL containing the keyword will be blocked.
    4. Click Add.
  6. Click Save.

Configure the Smart Protection Server Parent topic

Smart Protection Service for Web Reputation supplies web information required by the Web Reputation module. For more information, see Smart Protection Network - Global Threat Intelligence.
To configure Smart Protection Server:

Procedure

  1. Go to Policies.
  2. Double-click the policy you'd like to edit.
  3. Click Web Reputation Smart Protection.
  4. Select whether to connect directly to Trend Micro's Smart Protection service:
    1. Select Connect directly to Global Smart Protection Service.
    2. Optionally select When accessing Global Smart Protection Service, use proxy. Select New from the drop down menu and enter your desired proxy.
    Or to connect to one or more locally installed Smart Protection Servers:
    1. Select Use locally installed Smart Protection Server (ex: "http://[server]:5274").
    2. Enter the Smart Protection Server URL into the field and click Add. To find the Smart Protection Server URL, do one of the following:
      • Log in to the Smart Protection Server, and in the main pane, look under Real Time Status. The Smart Protection Server's HTTP and HTTPS URLs are listed in the Web Reputation row. The HTTPS URL is only supported with agent versions 11.0 and newer. If you have 10.3 or earlier agents, use the HTTP URL.
      Or
      • If you deployed the Smart Protection Server in AWS, go to the AWS CloudFormation service, select the check box next to the Smart Protection Server stack, and in the bottom pane, click the Outputs tab. The Smart Protection Server's HTTP and HTTPS URLs appear in the WRSurl and WRSHTTPSurl fields. The WRSHTTPSurl is only supported with agent versions 11.0 and newer. If you have 10.3 or earlier agents, use the WRSurl URL.
    3. Optionally select When off domain, connect to global Smart Protection Service. (Windows only).
  5. Click Save.

Smart Protection Server Connection Warning Parent topic

This option determines whether error events are generated and alerts are raised if a computer loses its connection to the Smart Protection Server. Select either Yes or No and click Save.
Note
Note
If you have a locally installed Smart Protection Server, this option should be set to Yes on at least one computer so that you are notified if there is a problem with the Smart Protection Server itself.

Edit advanced settings Parent topic

Blocking Page Parent topic

When users attempt to access a blocked URL, they will be redirected to a blocking page. In the blank for Link, provide a link that users can use to request access to the blocked URL.

Alert Parent topic

Decide to raise an alert when a Web Reputation event is logged by selecting either Yes or No.

Ports Parent topic

Select specific ports to monitor for potentially harmful web pages from the drop down list next to Ports to monitor for potentially harmful web pages.

Test Web Reputation Parent topic

Before continuing, test that the Web Reputation is working correctly:

Procedure

  1. Ensure Web Reputation is enabled.
  2. Go to the Computer or Policy editor Web Reputation Exceptions.
  3. Under Blocked, enter http://www.speedtest.net and click Add. Click Save.
  4. Open a browser and attempt to access the website. A message denying the access should appear.
  5. Go to Events & Reports Web Reputation to verify the record of the denied web access. If the detection is recorded, the Web Reputation module is working correctly.