Server & Workload Protection can run recommendation scans on computers to help identify intrusion prevention, integrity monitoring, and log inspection rules that you should apply or remove. Recommendation scans provide a good starting point for establishing a list of rules that you should implement, but you need to implement some important rules manually. See Implement additional rules for common vulnerabilities.
Note
Do not enable Auto apply core Endpoint & Workload rules when using recommendation scans.
You can configure and implement recommendation scans for individual computers or at the policy level. For large deployments, Trend Micro recommends creating policies to manage recommendations. Policies make rule assignments from a single source rather than needing to manage individual rules on each computer. Consequently, policies may assign some rules to computers which do not need them.
When enabling recommendation scans in policies, use separate policies for scanning Windows and Linux computers to avoid assigning Windows rules to Linux computers or vice versa.

What gets scanned?

During a recommendation scan, agents scan the following:
  • installed applications
  • Windows registry
  • open ports
  • directory listing
  • file system
  • running processes and services
  • environment variables
  • users

Scan limitations

Technical and logical limitations can cause inaccurate or missing recommendations for some types of software.
  • Recommendation scans do not include the following:
    • Web application protection rules.
    • Most smart rules, unless they address a major threat or a specific vulnerability. Smart rules address one or more (zero-day) vulnerabilities. Rule lists in Server & Workload Protection identify smart rules with Smart in the Type column.
    • On Windows systems, rules for OpenSSL that an application uses internally. The scanner can only make recommendations for OpenSSL if you install it explicitly.
  • The scanner may recommend unnecessary rules for the following technologies:
    • Red Hat JBoss
    • Eclipse Jetty
    • Apache Struts
    • Oracle WebLogic
    • WebSphere
    • Oracle Application Testing Suite
    • Oracle Golden Gate
    • Nginx
    • Adobe Flash Player plug-in for Chrome - Recommendations are based on the Chrome version.
    • A content management system (CMS) and any CMS plugins - For a web server with PHP, the scan recommends all intrusion prevention rules related to the CMS.
  • On Linux systems:
    • If web browsers are the only applicable vector for Java-related vulnerabilities, the scanner does not recommend such rules.
  • On Unix or Linux systems:
    • The recommendation scan engine might have trouble detecting software that is not installed through the operating system's default package manager. Applications installed using standard package managers do not have this problem.
    • Recommendations do not include rules for desktop application vulnerabilities or local vulnerabilities (for example, browsers and media players).

Run a recommendation scan

Run recommendation scans on a regular basis (the best practice is weekly) because any change to your environment can affect rule recommendations. Ideally, schedule recommendation scans soon after Trend Micro releases new intrusion prevention rules each Tuesday. The use of system resources, including CPU cycles, memory, and network bandwidth, increases during a recommendation scan, so schedule the scans at non-peak times.
Note
You need a Workload license to run recommendation scans.
You can run recommendation scans using any of the following ways:
  • Scheduled task: Create a scheduled task that runs recommendation scans according to a schedule that you configure. You can assign the scheduled task to all computers, one individual computer, a defined computer group, or all computers protected by a particular policy. See Create a scheduled task to regularly run recommendation scans.
  • Ongoing scans: Configure a policy so that all computers protected by the policy are scanned for recommendations on a regular basis. You can also configure ongoing scans for individual computers. This type of scan checks the time that the last scan occurred and waits a configured interval before scanning again, so recommendation scans occur at different times across your environment. Ongoing scans are helpful in environments where an agent might be online for short or intermittent periods, for example cloud environments that build and decommission instances frequently. See Configure an ongoing scan.
  • Manual scans: Run a single recommendation scan on one or more computers. A manual scan is useful if you recently made significant platform or application changes and want to force a check for new recommendations instead of waiting for a scheduled task. See Manually run a recommendation scan.
  • Command line: Initiate a recommendation scan using the Server & Workload Protection command-line interface. See Command-line utilities.
  • API: Initiate a recommendation scan using the Server & Workload Protection application programming interface (API). See How to use the Server & Workload Protection REST API.
Note
Scheduled tasks and ongoing scans can run recommendation scans independently with their own settings. Use either the scheduled tasks or ongoing scans, but not both.
After running a recommendation scan, alerts appear on all computers that have recommendations.

Create a scheduled task to regularly run recommendation scans

Tip
For large deployments, use policies to perform all actions including recommendation scans.
  1. On the Server & Workload Protection console, go to Administration > Scheduled Tasks.
  2. Select New > New Scheduled Task to display the New Scheduled Task wizard.
  3. For Type, select Scan Computers for Recommendations.
  4. Select how often you want the scan to occur.
  5. Click Next.
  6. Specify the scan frequency based on your selection.
  7. Click Next.
  8. Select the computers to scan.
  9. Click Next.
  10. Name the new scheduled task.
  11. Select whether to Run Task on Finish.
  12. Click Finish.

Configure an ongoing scan

Tip
For large deployments, use policies to perform all actions including recommendation scans.
  1. On the Server & Workload Protection console, open the corresponding editor:
    • For an individual Computer.
    • For all computers that are using a Policy.
  2. Click Settings.
  3. On the General tab, under Recommendations, use Perform ongoing Recommendation Scans to enable or disable ongoing recommendation scans. This setting is inheritable. See Policies, inheritance, and overrides.
  4. Specify how often the scans occur using Ongoing Scan Interval. This setting is inheritable. See Policies, inheritance, and overrides.

Manually run a recommendation scan

  1. On the Server & Workload Protection console, go to Computers.
  2. Select the computers you want to scan.
  3. Click Actions > Scan for Recommendations.

Cancel a recommendation scan

You can cancel a recommendation scan before it starts running.
  1. On the Server & Workload Protection console, go to Computers.
  2. Select the computers where you want to cancel the scans.
  3. Click Actions > Cancel Recommendation Scan.

Exclude a rule or application type from recommendation scans

Tip
For large deployments, it's best to perform all actions, including recommendation scans, through policies.
  1. On the Server & Workload Protection console, open the corresponding editor:
    • For an individual Computer.
    • For all computers that are using a Policy.
  2. Select the type of rule you want to exclude:
    • Intrusion Prevention
    • Integrity Monitoring
    • Log Inspection
  3. On the General tab, choose one of the following:
    • Assign/Unassign for rules
    • Application Types for application types
  4. Double-click the rule or application type that you want to exclude.
  5. Click the Options tab.
  6. Do one of the following:
    • For rules, set Exclude from Recommendations to Yes or Inherited (Yes).
    • For application types, select Exclude from Recommendations.

Automatically implement recommendations

You can configure Server & Workload Protection to automatically implement recommendation scan results.
Tip
For large deployments, use policies to perform all actions including implementing recommendations.
  1. On the Server & Workload Protection console, open the corresponding editor:
    • For an individual Computer.
    • For all computers that are using a Policy.
  2. Select the type you want to implement automatically:
    • Intrusion Prevention
    • Integrity Monitoring
    • Log Inspection
    You can change the setting independently for each protection module.
  3. On the General tab, under Recommendations, select Yes or Inherited (Yes).
The following recommendations cannot be implemented automatically:
  • Rules that require configuration before being applied.
  • Rules that are excluded from recommendation scans.
  • Rules that have been automatically assigned or unassigned, but that a user has overridden. For example, if Server & Workload Protection automatically assigns a rule and then you unassign it, the next recommendation scan does not reassign that rule.
  • Rules that have been assigned at a higher level in the policy hierarchy cannot be unassigned at a lower level. A rule assigned to a computer at the policy level must be unassigned at the policy level.
  • Rules that Trend Micro has issued, but which may pose a risk of producing false positives. This is addressed in the rule description.

Check scan results and manually assign rules

The results of the latest recommendation scan are displayed in the Computer or Policy editor on the General tab of the protection module (Intrusion Prevention, Integrity Monitoring, and Log Inspection).
The example below illustrates how to deal with intrusion prevention recommendation scan results using a policy:
  1. Once a recommendation scan is complete, open the policy that is assigned to the computers you have just scanned.
  2. Go to Intrusion Prevention > General. The number of unresolved recommendations (if any) is displayed in the Recommendations section.
  3. Click Assign/Unassign to open the rule assignment window.
  4. Display a list of the recommended rules that have not been assigned:
    1. Sort the rules By Application Type.
    2. Select Recommended for Assignment.
      • Recommended rules are marked with a rectangular, or full, flag icon.
      • A triangular, or partial, flag icon indicates that only some of the rules that are part of the application type have been recommended.
  5. To assign a single rule to a policy, select the box next to the rule name.
    • Rules marked with the options icon have configuration options that you can set.
    • Rules marked with the warning icon have settings that you must configure before enabling the rule.
  6. To assign several rules at once:
    1. Hold Shift or Control while selecting the rules.
    2. Right-click the selection.
    3. Click Assign Rule(s).

Configure recommended rules

Some rules require configuration before you can apply them. For example, some log inspection rules require the location of the log files. If this is the case, an alert appears on the computer where the recommendation was made. The text of the alert contains the information required to configure the rule. In the policy or computer editor, rules marked with the warning icon have settings that you must configure before enabling the rule. Rules marked with the options icon have optional configurations.

Implement additional rules for common vulnerabilities

Recommendation scans provide a good starting point for establishing a list of rules that you should implement, but some additional rules for common vulnerabilities are not identified by recommendation scans because they must be carefully configured and tested before being implemented in prevent (block) mode. Trend Micro recommends that you configure and test these rules, then manually enable them in your policies or on individual computers.
The table below lists the most common additional rules you should configure. You can find others in Server & Workload Protection by searching for rules whose type is Smart or Policy.
Rule name | Application type
--- | ---
1007598 - Identified Possible Ransomware File Rename Activity Over Network Share | DCERPC Services
1007596 - Identified Possible Ransomware File Extension Rename Activity Over Network Share | DCERPC Services
1006906 - Identified Usage Of PsExec Command Line Tool | DCERPC Services
1007064 - Executable File Uploaded On System32 Folder Through SMB Share | DCERPC Services
1003222 - Block Administrative Share | DCERPC Services
1001126 - DNS Domain Blocker | DNS Client
1000608 - Generic SQL Injection Prevention | Web Application Common
1005613 - Generic SQL Injection Prevention - 2 | Web Application Common
1000552 - Generic Cross Site Scripting (XSS) Prevention | Web Application Common
1006022 - Identified Suspicious Image With Embedded PHP Code | Web Application Common
1005402 - Identified Suspicious User Agent In HTTP Request | Web Application Common
1005934 - Identified Suspicious Command Injection Attack | Web Application Common
1006823 - Identified Suspicious Command Injection Attack - 1 | Web Application Common
1005933 - Identified Directory Traversal Sequence In Uri Query Parameter | Web Application Common
1006067 - Identified Too Many HTTP Requests With Specific HTTP Method | Web Server Common
1005434 - Disallow Upload Of A PHP File | Web Server Common
1003025 - Web Server Restrict Executable File Uploads | Web Server Common
1007212 - Disallow Upload Of An Archive File | Web Server Common
1007213 - Disallow Upload Of A Class File | Web Server Common
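The two review tasks described above, checking the unresolved recommendations of a policy and confirming that the manually maintained rules from this table are actually assigned, can be scripted against the REST API. The following is an added example, not Trend Micro code; it assumes that the policy's intrusion prevention assignments resource returns JSON with the lists assignedRuleIDs, recommendedToAssignRuleIDs and recommendedToUnassignRuleIDs (verify these names against the REST API reference for your version), and the sample document is constructed.

```python
from dataclasses import dataclass

# Rules from the table above that a recommendation scan does not propose
# (a subset, copied from the page); maintain this list by hand.
MANUAL_RULES = {
    1007598: "Identified Possible Ransomware File Rename Activity Over Network Share",
    1006906: "Identified Usage Of PsExec Command Line Tool",
    1001126: "DNS Domain Blocker",
    1000608: "Generic SQL Injection Prevention",
    1000552: "Generic Cross Site Scripting (XSS) Prevention",
}

@dataclass(frozen=True)
class Triage:
    to_assign: frozenset       # recommended by the scan, not yet assigned
    to_unassign: frozenset     # assigned, but the scan says no longer needed
    manual_missing: frozenset  # manual-list rules absent from the policy

def triage(assignments: dict) -> Triage:
    """Turn one intrusion prevention assignments document into work items.
    Assumed field names: assignedRuleIDs, recommendedToAssignRuleIDs and
    recommendedToUnassignRuleIDs; verify them against your API reference."""
    assigned = set(assignments.get("assignedRuleIDs", []))
    rec_assign = set(assignments.get("recommendedToAssignRuleIDs", []))
    rec_unassign = set(assignments.get("recommendedToUnassignRuleIDs", []))
    return Triage(
        to_assign=frozenset(rec_assign - assigned),
        to_unassign=frozenset(rec_unassign & assigned),
        manual_missing=frozenset(set(MANUAL_RULES) - assigned),
    )

def unresolved_count(t: Triage) -> int:
    # The same number the console shows as unresolved recommendations.
    return len(t.to_assign) + len(t.to_unassign)

def report(t: Triage) -> str:
    lines = [f"unresolved recommendations: {unresolved_count(t)}"]
    lines += [f"  assign   {r}" for r in sorted(t.to_assign)]
    lines += [f"  unassign {r}" for r in sorted(t.to_unassign)]
    lines += [f"  manual   {r} - {MANUAL_RULES[r]}" for r in sorted(t.manual_missing)]
    return "\n".join(lines)

# Constructed sample of a policy's assignments document. 1002345, 1003456,
# 1004567 and 1009999 are made-up IDs; the others come from the page's table.
SAMPLE = {
    "assignedRuleIDs": [1000608, 1001126, 1002345],
    "recommendedToAssignRuleIDs": [1001126, 1003456, 1004567],
    "recommendedToUnassignRuleIDs": [2345 + 1000000, 1009999],
}
```

Rules already assigned but recommended again (1001126 in the sample) produce no work item, and a recommended unassignment for a rule that is not assigned (1009999) is ignored, which matches the console's unresolved count.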

Troubleshooting: Recommendation Scan Failure

If you receive a Recommendation Scan Failure on your server, create a diagnostic package from the agent and contact support.

Communication

Typically, for communication issues, a protocol error appears in the body of the error message. To resolve this issue, ensure that you are using agent-initiated communication. See Activate and protect agents using agent-initiated activation and communication.

Server resources

Monitor the CPU and memory resources on the server. If the memory or CPU becomes exhausted during scanning, increase the resources.