Managed Host-based Security Package
About This Menu
Overview
Features
This menu has the following features:
- All the security functions needed to protect a host are provisioned as an all-in-one package. Customers can use the functions when needed without owning the assets, without an initial investment, and without a minimum usage period. The functions are:
  ● Anti-malware (protection from viruses)
  ● Intrusion protection (protection from, and detection of, attacks on vulnerabilities)
  ● Firewall (control of communication)
  ● Web reputation (blocking of access to fraudulent websites)
  ● Integrity monitoring (monitoring of changes to files and the registry)
  ● Security log monitoring (visualization of important security events)
- Settings changes take effect immediately through the customer's own operation of the portal. Customers update settings themselves online through the Security Control Panel of the Enterprise Cloud 2.0 Portal.
- The management server equipment is operated safely and securely by NTT Com's managed service. The Security Operation Center (SOC), which has a global security management system, monitors the management servers provided in this menu.
Available Functions
List of Available Functions
This menu provides the following functions:

| Function | Overview |
|---|---|
| Anti-malware | Protects the managed host from malware infection. A real-time scan detects malware as it enters the host; manual and scheduled scans run on the dates the customer sets. |
| Intrusion protection | Virtual patching protects the host from attacks against vulnerabilities. |
| Firewall | Shields the host by controlling traffic per IP address, MAC address, and port. |
| Web reputation | On every web access, evaluates the page against Trend Micro's reputation data and can deny access to the URL. This prevents intrusion by unauthorized programs, malware update downloads, and similar threats. |
| Integrity Monitoring | Notifies the customer's administrator when monitored files, registry keys, file permissions, or ports are modified without authorization. Example: an intruder deleting part of the access logs to hide their activity triggers an alert once this function is enabled. |
| Log Inspection Monitoring | Inspects event logs generated by the OS and applications, detects intrusions, and alerts the customer's administrator when a preset threshold is exceeded. Example: when the Windows event log shows more failed logins than the configured threshold, the administrator is alerted to check the status. |
| Control panel | Lets the customer place orders and configure each function from the Security Control Panel of the Enterprise Cloud 2.0 Portal. |
Description of Respective Functions
Anti-malware

| Function | Overview |
|---|---|
| Enable / Disable | Set the function to ON (enabled) or OFF (disabled). |
| Type of scan | Scans by timing: Real-time scan (scans every time an operation is performed on a file); Manual scan (can be run at any time); Scheduled scan (runs automatically at the specified date and time). |
| Scan Setting | Specify the directories and files to scan. |
| Scan Exclusion Setting | Specify the directories, files, and file extensions to exclude from scanning. |
| Actions | Select the action taken when malware is detected. "Trend Micro recommended" determines the action automatically; "Custom actions" lets the customer specify it. The available actions are: Pass (do nothing to the infected file and record it in the log); Clean (remove only the infected parts of the file); Delete (remove the infected file); Deny Access (real-time scan only: block any process that tries to operate on the infected file); Quarantine (move the file to a quarantine directory on the host). |
| Smart Scan | Keeps only a minimal pattern file locally and uses the complete pattern file on Trend Micro's server over the Internet to determine whether a file is dangerous. |
| Scan Limitations | Specify the maximum size of files to scan. (Files larger than this size are not scanned.) |

Note
Trend Micro's recommended action handles each detected malicious program appropriately and is adjusted on an ongoing basis; it is updated together with the virus pattern files.
In manual and scheduled scans, if the selected anti-malware configuration specifies "Deny Access", the "Pass" action is applied instead.
When Smart Scan is enabled, files are first checked against a small local pattern file; files judged to be "possible malware" are then checked against the full pattern file on the Trend Micro server over the Internet to determine whether they are dangerous. This keeps the local pattern file small and reduces the size and number of updates the Agent needs.
Setting the scan size limit to 0 means there is no maximum size: all files are scanned.
Intrusion protection

| Function | Overview |
|---|---|
| Enable / Disable | Set the function to ON (enabled) or OFF (disabled). |
| Behavioral Settings | Select the behaviour when an attack packet is detected: PREVENT (the attack packet is blocked); DETECT (the attack is detected and logged, but the packet is not blocked). |
| Rule Setting | Display the intrusion prevention rules currently assigned. |
| Recommended Settings | Search for recommended intrusion prevention rules. If automatic application is set, recommended rules are assigned automatically and unnecessary rules are unassigned automatically. |

Note
Even when this function is enabled, the vulnerability in the software itself remains; virtual patching blocks attacks on it over the network but does not fix it. Also, because this function inspects network communication for attacks, if an attack has already succeeded on the host itself, it is difficult to identify the attack from this function's information and respond to it.
Even when PREVENT is selected in Behavioral Settings, not all rules block traffic; some rules are detect-only.
Firewall

| Function | Overview |
|---|---|
| Enable / Disable | Set the function to ON (enabled) or OFF (disabled). |
| Stateful Settings | The firewall can operate with stateful inspection. |
| Rule Setting | Display the firewall rules currently assigned. Rules can be assigned/unassigned and created/deleted. The items of a rule and the available actions are listed below. |

A rule consists of the following items:
- Action (Allow, Bypass, Deny, Force Allow)
- Priority (0 [lowest] to 4 [highest])
- Packet direction (incoming / outgoing)
- Frame type (IP, ARP, etc.)
- Protocol (ICMP, TCP, UDP, TCP + UDP, etc.)
- Packet source (IP address, MAC address)
- Packet destination (IP address, MAC address)

The actions are as follows:
- Allow: pass traffic that matches the rule.
- Bypass: pass traffic that matches the rule without inspection by the firewall or intrusion prevention functions. Because the stateful function does not apply to bypassed traffic, a Bypass rule must be set for both directions (incoming and outgoing).
- Deny: discard traffic that matches the rule.
- Force Allow: pass traffic that matches the rule even if other rules would deny it. Intrusion prevention still inspects this traffic.

Note
If no Allow rule is assigned to the host, all traffic is permitted unless a Deny rule blocks it. Once even one Allow rule is assigned for a direction (incoming or outgoing), all traffic in that direction that does not match an Allow rule is denied.
The priority of a rule determines the order in which rules are applied. For Force Allow and Deny rules the customer can set a priority from 0 [lowest] to 4 [highest]; Allow rules can only have priority 0. Higher-priority rules are applied before lower-priority rules. For example, a priority 3 Deny rule for incoming port 80 is applied before a priority 2 Force Allow rule for incoming port 80, so the packet is discarded.
When a Bypass rule has the same conditions as an Allow/Deny rule with a higher priority, the higher-priority rule is processed and the traffic is not bypassed. To use Bypass, set its priority higher than the Allow/Deny rules it should override.
Firewall rules that are assigned to one or more hosts, or that are part of a policy, cannot be deleted.
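The evaluation order in this Note is easy to get wrong, so the following is a small model of it, added here as an example; it is not code from NTT Com or Trend Micro. It reproduces the page's priority example (a priority 3 Deny beating a priority 2 Force Allow), the implicit deny that appears once an Allow rule exists in a direction, Bypass skipping inspection, and a check for the Bypass-without-reverse-rule pitfall. The tie-break order inside one priority level (Bypass, Force Allow, Deny, Allow) and matching on direction, protocol and destination port only are assumptions made for the example.

```python
"""Model of the host firewall rule evaluation described in the Note above.

Added example, not NTT Com's or Trend Micro's code. Assumptions (not on
the page): rules match on direction, protocol and destination port only,
and the tie-break order inside one priority level is
Bypass, Force Allow, Deny, Allow.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed tie-break order within a single priority level.
ACTION_ORDER = {"bypass": 0, "force_allow": 1, "deny": 2, "allow": 3}
OPPOSITE = {"incoming": "outgoing", "outgoing": "incoming"}


@dataclass(frozen=True)
class Packet:
    direction: str               # "incoming" or "outgoing"
    protocol: str                # "tcp", "udp", "icmp"
    port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "bypass", "deny" or "force_allow"
    direction: str
    protocol: str
    port: Optional[int] = None   # None matches any port
    priority: int = 0            # 0 = lowest ... 4 = highest

    def __post_init__(self) -> None:
        if self.action not in ACTION_ORDER:
            raise ValueError(f"unknown action {self.action!r}")
        if self.direction not in OPPOSITE:
            raise ValueError(f"unknown direction {self.direction!r}")
        if not 0 <= self.priority <= 4:
            raise ValueError("priority must be between 0 and 4")
        if self.action == "allow" and self.priority != 0:
            raise ValueError("Allow rules can only have priority 0")

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.protocol == pkt.protocol
                and (self.port is None or self.port == pkt.port))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return "bypass" (passed, no firewall/IPS inspection), "pass"
    (passed, still inspected by intrusion prevention) or "drop"."""
    matching = sorted((r for r in rules if r.matches(pkt)),
                      key=lambda r: (-r.priority, ACTION_ORDER[r.action]))
    for rule in matching:
        if rule.action == "bypass":
            return "bypass"
        if rule.action == "force_allow":
            return "pass"            # overrides lower-priority Deny rules
        if rule.action == "deny":
            return "drop"
        return "pass"                # allow
    # Nothing matched. Once any Allow rule exists for this direction the
    # direction is default-deny; with no Allow rules everything is permitted.
    if any(r.action == "allow" and r.direction == pkt.direction for r in rules):
        return "drop"
    return "pass"


def bypass_rules_missing_reverse(rules: List[Rule]) -> List[Rule]:
    """Bypass rules with no Bypass rule for the opposite direction.

    Bypassed traffic is not tracked statefully, so the reply direction
    needs its own Bypass rule or it falls back to normal evaluation."""
    bypasses = [r for r in rules if r.action == "bypass"]
    return [r for r in bypasses
            if not any(o.direction == OPPOSITE[r.direction]
                       and o.protocol == r.protocol and o.port == r.port
                       for o in bypasses)]


if __name__ == "__main__":
    # The page's own example: a priority 3 Deny beats a priority 2 Force Allow.
    web = [Rule("force_allow", "incoming", "tcp", 80, priority=2),
           Rule("deny", "incoming", "tcp", 80, priority=3)]
    print(evaluate(web, Packet("incoming", "tcp", 80)))          # drop
    # One Allow rule flips incoming traffic to default-deny; outgoing stays open.
    ssh_only = [Rule("allow", "incoming", "tcp", 22)]
    print(evaluate(ssh_only, Packet("incoming", "tcp", 443)))    # drop
    print(evaluate(ssh_only, Packet("outgoing", "tcp", 443)))    # pass
    # A one-directional Bypass rule is a misconfiguration worth flagging.
    print(bypass_rules_missing_reverse(
        [Rule("bypass", "incoming", "udp", 5060, priority=3)]))
```

The `ssh_only` case is the one that bites in practice: adding a single Allow rule for port 22 silently closes every other incoming port, while outgoing traffic is untouched because no Allow rule exists in that direction.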
Web reputation

| Function | Overview |
|---|---|
| Enable / Disable | Set the function to ON (enabled) or OFF (disabled). |
| Security Level Settings | Web addresses known or suspected to be fraudulent are classified into the following risk levels: Dangerous (pages verified to be fraudulent or known sources of threats); Highly Suspicious (pages suspected to be fraudulent or possible sources of threats); Suspicious (pages associated with spam or possibly compromised). Select one security level to determine which risk levels are blocked: High (blocks Dangerous, Highly Suspicious, and Suspicious pages); Medium (blocks Dangerous and Highly Suspicious pages); Low (blocks Dangerous pages only). |
| Exceptions Settings | Specify allowed URLs and blocked URLs. |

Note
The security level determines whether access to a URL is permitted or blocked. For example, at [low] only pages already known to be threats are blocked. The higher levels, [medium] and [high], detect more web threats but also increase the chance of false positives.
In the Exceptions settings, the [Allowed] list takes precedence over the [Blocked] list: a URL that matches the [Allowed] list is not checked against the [Blocked] list.
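The decision order described above (the [Allowed] list first, then the [Blocked] list, then the risk rating against the chosen security level) is shown below as an added example, not code from NTT Com or Trend Micro. It also includes a check for the misconfiguration that follows from that precedence: an [Allowed] entry that silently covers a narrower [Blocked] entry. Two assumptions are not on the page: exception entries are hostnames that also match their subdomains, and the rating table is constructed sample data, not real Trend Micro ratings.

```python
"""Web Reputation decision order: Allowed list, then Blocked list, then
risk rating versus security level.

Added example, not NTT Com's or Trend Micro's code. Assumptions (not on
the page): exception entries are hostnames that also match subdomains,
and SAMPLE_RATINGS is constructed data rather than real ratings.
"""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Which risk ratings each security level blocks (from the page).
BLOCKED_RATINGS = {
    "high":   {"dangerous", "highly_suspicious", "suspicious"},
    "medium": {"dangerous", "highly_suspicious"},
    "low":    {"dangerous"},
}

# Constructed sample reputation data (not real ratings).
SAMPLE_RATINGS: Dict[str, str] = {
    "malware.example": "dangerous",
    "phish.example": "highly_suspicious",
    "spammy.example": "suspicious",
}


def host_matches(host: str, entries: Iterable[str]) -> bool:
    """True if host equals an entry or is a subdomain of it (assumed semantics)."""
    host = host.lower()
    return any(host == e.lower() or host.endswith("." + e.lower()) for e in entries)


def decide(url: str, level: str, allowed: Iterable[str], blocked: Iterable[str],
           ratings: Dict[str, str] = SAMPLE_RATINGS) -> str:
    """Return "allow" or "block" for one web access."""
    if level not in BLOCKED_RATINGS:
        raise ValueError(f"unknown security level {level!r}")
    host = urlsplit(url).hostname or ""
    # [Allowed] wins outright: neither the [Blocked] list nor the rating is consulted.
    if host_matches(host, allowed):
        return "allow"
    if host_matches(host, blocked):
        return "block"
    rating = ratings.get(host, "unrated")     # unrated pages are allowed
    return "block" if rating in BLOCKED_RATINGS[level] else "allow"


def audit_shadowed_blocks(allowed: Iterable[str], blocked: Iterable[str]) -> List[str]:
    """Blocked entries that an Allowed entry overrides. A wide Allowed entry
    silently disables every narrower Blocked entry beneath it."""
    allowed = list(allowed)
    return [b for b in blocked if host_matches(b, allowed)]


if __name__ == "__main__":
    print(decide("http://spammy.example/login", "medium", [], []))   # allow
    print(decide("http://spammy.example/login", "high", [], []))     # block
    # An Allowed entry overrides even a "dangerous" rating and a Blocked entry.
    print(decide("http://malware.example/", "low", ["malware.example"],
                 ["malware.example"]))                               # allow
    print(audit_shadowed_blocks(["corp.example"], ["bad.corp.example"]))
```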
Integrity Monitoring

| Function | Overview |
|---|---|
| Enable / Disable | Set the function to ON (enabled) or OFF (disabled). |
| Baseline Configurations | Record the original state against which Integrity Monitoring compares. |
| Scan Setting | Detects changes from the baseline according to the assigned rules. Scan types: Real-time scan; Manual scan (run at any time); Scheduled scan (runs automatically at the specified date and time). |
| Rule Setting | Display, assign, and unassign the Integrity Monitoring rules currently in use. Customers can create rules in the Integrity Monitoring rule categories and specify what to monitor: files, directories, registry keys and values, installed software, processes, listening ports, and services, detecting changes made while the host is running. |
| Recommended Settings | Search for recommended Integrity Monitoring rules. If automatic application is set, recommended rules are assigned automatically and unnecessary rules are unassigned automatically. |

Note
When scans are run repeatedly, the changes reported by the most recent scan are those the scan engine detected since the previous scan.
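As an added example of the baseline-and-compare idea behind this function (and of the log-tampering case in the function list above), the following Python builds a small file tree, records a baseline of content hash, permission bits and size, simulates an intruder trimming a log, loosening permissions, deleting a control file and dropping a new file, and reports what changed. It is not NTT Com's or Trend Micro's code: it covers regular files only (no registry keys, ports, services or processes), and the sample tree is constructed in a temporary directory so it runs offline.

```python
"""Baseline-and-compare file integrity check, in the spirit of the
Integrity Monitoring function described above.

Added example, not NTT Com's or Trend Micro's code. Regular files only;
the sample tree below is constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Set, Tuple

Entry = Tuple[str, int, int]   # (sha256 hex digest, permission bits, size)


def snapshot(root: str) -> Dict[str, Entry]:
    """Record hash, mode and size of every regular file under root."""
    snap: Dict[str, Entry] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, devices, etc.
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return snap


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """Classify the differences between two snapshots."""
    events: Dict[str, Set[str]] = {
        "created": set(current) - set(baseline),
        "deleted": set(baseline) - set(current),
        "content_changed": set(),
        "permission_changed": set(),
    }
    for path in set(baseline) & set(current):
        b_hash, b_mode, _ = baseline[path]
        c_hash, c_mode, _ = current[path]
        if b_hash != c_hash:
            events["content_changed"].add(path)
        if b_mode != c_mode:
            events["permission_changed"].add(path)
    return events


def demo() -> Dict[str, Set[str]]:
    """Build a constructed tree, take a baseline, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("var/log", "etc", "tmp"):
            os.makedirs(os.path.join(root, sub))
        auth_log = os.path.join(root, "var/log/auth.log")
        passwd = os.path.join(root, "etc/passwd")
        hosts_allow = os.path.join(root, "etc/hosts.allow")
        with open(auth_log, "w") as fh:
            fh.write("login ok alice\nlogin failed mallory\nlogin ok bob\n")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(hosts_allow, "w") as fh:
            fh.write("sshd: 10.0.0.0/8\n")
        os.chmod(passwd, 0o644)

        baseline = snapshot(root)

        # Simulated tampering: the intruder trims the log to hide a failed
        # login, loosens permissions, removes a control file, drops a tool.
        with open(auth_log, "w") as fh:
            fh.write("login ok alice\nlogin ok bob\n")
        os.chmod(passwd, 0o666)
        os.remove(hosts_allow)
        with open(os.path.join(root, "tmp/.cache"), "w") as fh:
            fh.write("#!/bin/sh\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

The trimmed log keeps the same owner and a plausible size, so a size-only or timestamp-only check would miss it; the content hash is what catches it, which is why the baseline records more than metadata.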
Security log monitoring

| Function | Overview |
|---|---|
| Enable / Disable | Set the function to ON (enabled) or OFF (disabled). Security log monitoring runs in real time. |
| Rule Setting | Display the security log monitoring rules currently assigned; rules can be assigned/unassigned and created/deleted. When creating a rule, specify the log file path and the match conditions. |
| Recommended Settings | Search for recommended security log monitoring rules. If automatic application is set, recommended rules are assigned automatically and unnecessary rules are unassigned automatically. |

Note
Some security log monitoring rules require configuration on the host before they function correctly. When such a rule is assigned to the host, manually or automatically, an alert stating that "configuration is required" is issued.
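The threshold rule described for this function and in the Log Inspection Monitoring entry of the function list above (alert when failed logins exceed a preset number) is shown below as an added example of the detection logic, run over constructed sample events; it is not NTT Com's or Trend Micro's code, and it does not use the product's rule format. The input is an assumed CSV export (timestamp, event ID, account, source IP) in which 4625 is the Windows failed-logon event and 4624 a successful logon; the window and threshold are values a customer would tune.

```python
"""Threshold detection over Windows Security log events: alert when one
source produces `threshold` failed logons inside `window_seconds`.

Added example, not NTT Com's or Trend Micro's code. SAMPLE_LOG is a
constructed export (timestamp,event_id,account,source_ip), not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624

# Constructed sample export (not real data): one burst from a single
# source, then two isolated failures 15 minutes apart.
SAMPLE_LOG = """\
2024-05-01T10:00:01,4625,administrator,198.51.100.7
2024-05-01T10:00:03,4625,administrator,198.51.100.7
2024-05-01T10:00:04,4624,svc_backup,10.0.0.5
2024-05-01T10:00:05,4625,administrator,198.51.100.7
2024-05-01T10:00:06,4625,admin,198.51.100.7
2024-05-01T10:00:08,4625,administrator,198.51.100.7
2024-05-01T10:00:09,4625,administrator,198.51.100.7
2024-05-01T10:00:12,4624,administrator,198.51.100.7
2024-05-01T10:05:00,4625,alice,10.0.0.9
2024-05-01T10:20:00,4625,alice,10.0.0.9
"""


def parse(line: str) -> Tuple[datetime, int, str, str]:
    ts, event_id, account, source = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), account, source


def detect_failed_logon_bursts(lines: Iterable[str], threshold: int = 5,
                               window_seconds: int = 60) -> List[Dict]:
    """Events are expected in time order. Each alert consumes the burst
    that raised it, so a long brute-force attempt yields one alert per
    `threshold` failures rather than one per event."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict] = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, account, source = parse(line)
        if event_id != FAILED_LOGON:
            continue
        q = recent[source]
        q.append((ts, account))
        while q and ts - q[0][0] > window:      # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "source": source,
                "count": len(q),
                "accounts": sorted({a for _, a in q}),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logon_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults the burst from 198.51.100.7 raises one alert at the fifth failure; the two failures from alice, 15 minutes apart, stay below the threshold. Keying on the source rather than the account is deliberate: the burst above spreads across two account names, which a per-account count would split.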
Control panel

| Function | Overview |
|---|---|
| Order | Customers can subscribe to the security menu. |
| Operation | Configure and manage this menu. |

● Order
The following actions can be performed from the Order Panel:

| Function | Overview |
|---|---|
| New | Start a new order. |
| Change Function | Change the menu in use. |
| Change Quantity | Change the quantity of the menu. |
| Cancel | Terminate use of the menu. |

● Operation
The following items can be operated from the Operation panel:

| Function | Overview |
|---|---|
| Computer | Configure the security functions for each computer. |
| Policy | Define rules and settings collectively and assign the same settings to multiple computers. |
| Alert | An alert is issued to the administrator when an event that requires attention occurs. |
| Report | Output various reports. |
| Management | Manage scheduled tasks (for example, scheduling security updates and scheduled scans), pattern files, and rules. |

Note
Logs are retained on the Security Control Panel for 4 weeks. This menu does not guarantee the completeness of logs; customers should export logs regularly themselves.
To manage this menu from a single operation screen across multiple regions or tenants, subscribe to this menu in one region and tenant. Pricing information is shown on the tenant that holds the subscription.
Menu
Subscription Method

| Subscription type | Details | Subscription method | Delivery timing |
|---|---|---|---|
| New | New subscription | Subscription by the customer on the service portal through the Security Control Panel. | Immediate |
| Change Function | Modify menu | Same as above. | Same as above. |
| Change Quantity | Modify the subscription quantity | Same as above. | Same as above. |
| Cancel | Termination of use | Same as above. | Same as above. |

Note
An Enterprise Cloud 2.0 tenant can use only one of the host-based security menus at a time:
- Managed Anti-Virus
- Managed Virtual Patch
- Managed Host-based Security Package
The next order cannot be placed until the current order has completed.
Change Function (Modify Menu) is an order that moves all hosts in the menu to another host-based security menu:
- Managed Host-based Security Package → Managed Anti-Virus
- Managed Host-based Security Package → Managed Virtual Patch
Before placing a termination order, stop communication between the Agent and the management server and uninstall the Agent.
After this menu is terminated on a tenant, a new host-based security order cannot be placed on that tenant for 2 weeks.
Restrictions

| Sales unit | Maximum |
|---|---|
| 1 | 256 |

Note
Customers who need more than 256 units should consult their NTT Com sales representative.
Terms And Conditions
System requirements
To use this menu, the Agent must be installed on the host to be managed. The host system requirements for installing the Agent are as follows:

| Item | Details |
|---|---|
| Memory | 512 MB or more |
| Internal disk | 500 MB or more |
| OS | Windows / Linux |

[1] A host with the Relay function enabled can download pattern files and rules from the Trend Micro server and deliver them to hosts on which the Agent is installed.
Communication requirements
● Agent communication requirements
This menu's network connectivity requirements are as follows:
- The Agent installed on the host must connect to the management server via the Internet. Some functions also require a connection to the Trend Micro server.
- If a device that controls communication, such as a firewall, is in the path, permit communication between the Agent, the management server, and the Trend Micro server.
- Name resolution is required to reach the management server and the Trend Micro server. Configure the host on which the Agent is installed so that it can resolve these names.
- The Agent can connect to the management server through a proxy server. When a proxy server is used, an Agent with the Relay function enabled must be prepared in the customer environment.
- An Agent with the Relay function enabled connects to the management server and the Trend Micro server. Make sure it can reach both.
- If the Agent communicates with a Relay in the customer environment, configure the host on which the Agent is installed so that it can resolve the name of the Relay-enabled host.
- When the Agent communicates with a Relay in the customer environment, it uses a different port from the one used for the management server (see the table below).
- The Agent encrypts its communication with the management server and the Relay. Although the ports suggest HTTP / HTTPS, the traffic is encrypted TCP communication, so note the following:
  - A device that controls encrypted communication may block the management communication.
  - A device that performs access control may block the communication, depending on the Agent's behaviour.
  - If such a device is in use, exclude the management server address (FQDN / IP address) from its control and allow the encrypted communication. Customers are responsible for investigating problems that occur in environments with such devices.

| Communication | Destination | Port |
|---|---|---|
| Management server |  | TCP 80, 443 |
| Connection to a host with the Relay function enabled (when the customer prepares one in their environment) |  | TCP 4122 |

Communication with the Trend Micro server:

| Function | URL |
|---|---|
| Smart Scan (anti-malware) | https://ds96-jp.icrc.trendmicro.com:443 |
| Web Reputation | http://ds96-jp.url.trendmicro.com:80 |
| Security Update * (component updates) |  |

* Required when using the Relay function.

● Mail communication requirements
The communication requirements for e-mail notification from this menu are as follows.
To use e-mail notification, specify a customer-managed SMTP server on the Security Control Panel. If the SMTP server restricts incoming connections, allow the following source IP addresses:
210.161.150.240 to 210.161.150.248
The customer's SMTP server must listen on one of the following ports:
TCP 25 or 587
Conditions of Use in Combination with Other Services
Pricing
Initial Fee
Monthly Fee
Quality of Menu
Support Coverage
● Management server
● Agent
Note
Inquiries about setting values and operating procedures, and inquiries that require consulting, are outside the scope of support.
Operations
● Management server
This menu performs the following operations on the management server:

| Function | Overview |
|---|---|
| Security patch application | Applies security patches according to their degree of impact. |
| Product life-cycle management | Upgrades to updated versions during operation. |
| Monitoring / Maintenance | Operational monitoring and fault response. |

Note
Operations related to the Agent are performed by the customer:
- Configuration and modification work such as Agent installation and setting up the connection to the management server
- Agent version upgrades
- Agent monitoring (confirming that it is always running)
- Isolating the cause of failures on the host, etc.
Restrictions
The restrictions of this menu are as follows.
Common
- To install the Agent, log in to the target host as an administrator.
- Synchronize the time on the host where the Agent will be installed, using NTP or similar. If the time is out of sync, Agent activation may fail.
- A brief interruption of communication occurs on the target host when Web Reputation, Firewall, or Intrusion Prevention is enabled. Details are described at http://esupport.trendmicro.com/solution/ja-jp/1106385.aspx.
- The Agent uses port 4118 and the port number cannot be changed. Confirm that no other application on the host uses this port.
- Trend Micro has not conducted conflict testing between this service and other services on the same host, so inquiries about coexistence with other services cannot be answered; verify the behaviour in the customer environment. Detailed restrictions on coexistence with other Trend Micro services are described at http://esupport.trendmicro.com/solution/ja-jp/1310039.aspx.
- When the Agent connects to the management server through a proxy server, the proxy must allow the CONNECT method to port 80.
- Use may be terminated if any of the following applies to the customer:
  - The customer's use of the menu appears to significantly affect other customers who share the platform.
  - The customer's actual usage differs markedly from the usage declared at subscription.
- The functions and logs provided by this menu do not guarantee integrity, accuracy, or suitability for the customer's purpose.
- The following information may be provided to the developer and vendor of the functions that make up this menu:
  - Setting details and data obtained when the menu is provisioned
  - Information obtained through the menu functions
- Recovery from problems caused by the combination of the customer environment with the functions of this menu, or by customer operations other than those NTT Communications instructs, is not guaranteed.
Restrictions for Anti-malware
The following files are excluded from anti-malware scanning:
- Password-protected files
- Compressed files in unsupported formats
- Corrupted files
- Encrypted files
- Files compressed more than six (6) levels deep
- Files whose decompressed size exceeds the configured value
On the following kinds of servers, a scan configuration that does not narrow the scan targets places a heavy load on the server and degrades performance. NTT Com recommends that customers set scan exclusions in such cases. Typical examples:
- Servers that mount network directories
- Servers with frequent I/O, such as database and Active Directory servers
- So-called "Big Data" servers
- Mail servers (POP / IMAP)
Common Restrictions for Intrusion protection and Firewall
Connections that exceed the maximum number of TCP connections or the maximum number of UDP connections are blocked. The number of connections means simultaneous connections. Increasing the value increases the memory consumed on the host to evaluate communication, so tune the setting only after sufficient verification.
- Maximum TCP connections: 30,000 (initial value)
- Maximum UDP connections: 30,000 (initial value)
Communication that does not conform to the RFCs, and therefore appears unauthorized or malformed, may be blocked immediately, for example:
- No IP header
- Source IP address and destination IP address are identical
- Unusable characters in the URI
- More than 100 "/" separators in a single request
- Use of "/xxx/xxx" patterns in the path for traversal
Restrictions for Intrusion protection
- Encrypted communication is excluded from intrusion prevention inspection.
- A single inspected port (identified by source, destination, etc.) can be associated with at most eight (8) application types. Once this limit is exceeded, rules cannot be updated and the Agent cannot apply a new rule, so it cannot protect against a newly discovered threat. In that situation the vendor's patch is the fundamental countermeasure; the best response is to reduce the number of rules applied in Intrusion Prevention, or to set exclusions for the rules concerned.
- For the following kinds of servers, customers must evaluate and tune the optimal settings themselves:
  - Servers with heavy traffic
  - Servers that require real-time performance (such as VoIP or streaming servers)
Restrictions for Firewall
- Enabling multiple firewall functions on a single host may cause unexpected behaviour when they conflict. For this reason, the OS's standard firewall is disabled automatically in the following cases:
  - Windows: installing or upgrading the Agent does not disable Windows Firewall. Windows Firewall is disabled when the firewall function is enabled and one or more firewall rules are assigned. (If the firewall function is later turned off, Windows Firewall is enabled again.)
  - Linux: installing the Agent does not disable iptables. iptables is disabled when the firewall or intrusion prevention function is enabled. If the customer disables the Agent, iptables returns to its original enabled state.
- Do not use the "Log only" action in normal operation. "Log only" saves the contents of all communication the host sends and receives as logs; recording that volume of log data risks exhausting resources on the management server and the host. Set "Log only" only for investigation purposes, such as isolating a failure.