Home >Documents >Service Descriptions >Host-based Security v2.1.9 >Managed Host-based Security Package

Managed Host-based Security Package¶


This page is the service description for the Deep Security 20.0 version.
For the old version (Deep Security 9.6), refer to the separate service description for that version.
For the old version (Deep Security 11), refer to the separate service description for that version.

Overview¶


Managed Host-based Security Package provides integrated security functions for hosts on Enterprise Cloud 2.0, Enterprise Cloud 1.0 and Enterprise Cloud for ERP, and for hosts connected via SD-Exchange (on-premises environments connected to SD-Exchange, hosts running on AWS, and so on).
It is used by installing the Agent on the host operating system (OS) and connecting it to the management server over the Internet.
(Hereafter, Managed Host-based Security Package is referred to as "this menu".)



Features¶

The features of this menu are as follows:

1. All-in-one security functions required for host security measures
It offers, as a single package, the functions needed to secure a host. Customers can use it when needed, without owning the assets, without an initial investment and without a minimum usage period.
● Anti-malware (protection from viruses)
● Intrusion prevention (protection from, and detection of, attacks on vulnerabilities)
● Host-based firewall (communication control)
● Web reputation (blocking of access to fraudulent web sites)
● Integrity monitoring (monitoring of changes to files and the registry)
● Security log monitoring (visualization of important security events)
● Application control (application monitoring)
2. Immediate setting changes by self-service operation
Customers can update settings online by themselves through the Security Control Panel of the Enterprise Cloud 2.0 portal.
3. Management servers operated securely by NTT Com's managed service
The Security Operation Center (SOC), with its global security management system, monitors the management servers provided in this menu.


Available Functions¶

List of Functions¶

The following functions are available to customers with this menu:

Anti-malware
● Detection of malware: Using the anti-malware pattern files and scan engines provided by Trend Micro, attacks by malicious persons using malware are detected.
● Pattern file update: Starting at the date and time set by the customer, pattern files that have not yet been updated are updated. (The set time is when the update task is issued; the actual start time depends on the operating conditions on the Agent (Deep Security Agent) side.)
● Scheduled scan: Starting at the date and time set by the customer, a malware scan is run. (The set time is when the scan task is issued; the actual start time depends on the operating conditions on the Agent side.)

Intrusion prevention
● Host-based packet inspection: Protects the system from known and unknown network attacks on vulnerabilities in the OS, middleware, applications and so on. Suspicious communication is controlled by the Intrusion Detection/Intrusion Prevention (IDS/IPS) function.
● Scheduled scan (recommendation scan): Starting at the date and time set by the customer, the applications installed on the server are scanned. Whether each rule should apply is judged automatically and, if so configured, the rule is assigned automatically. Because the customer can also review the result, the need for each rule can easily be checked. (The set time is when the scan task is issued; the actual start time depends on the operating conditions on the Agent side.)
● Rule update: Using the rule updates offered by Trend Micro, rules that detect malware and attack packets from malicious persons are provided. The basic schedule is two updates per month, with additional updates issued by Trend Micro as the situation requires. Rule updates are applied automatically by default; manual update is also possible if configured.

Host-based firewall
● Host-based communication control: Communication control up to L4 (per IP address and port) is used to protect the system.

Web reputation
● Download control of malware: When the host accesses the web, the destination is evaluated using information collected by Trend Micro, and access may be blocked depending on the result. This protects against threats such as malware intrusion and malware updating itself.

Integrity Monitoring
● Integrity monitoring: Monitors specified files, registry keys and so on, and raises an alert when a change occurs. It can be used to detect unauthorized changes that do not follow the rules, and tampering.
● Scheduled scan: Starting at the date and time set by the customer, the monitored files and registry keys are scanned. The state after the scan becomes the baseline, and files and registry keys that subsequently change from that state raise an alert. (The set time is when the scan task is issued; the actual start time depends on the operating conditions on the Agent side.)

Log Inspection
● Log inspection: Monitors various logs and raises an alert when an event exceeds a predefined threshold. For example, an alert can be raised when multiple log-on failure events are recorded in the Windows event log within a short time.

Application control
● Application monitoring: The inventory of installed software is scanned and an initial baseline is created. Changes from the baseline are detected, and changed applications are controlled according to the settings (detect or block).

Control panel
● Allows the customer to submit orders and configure each function from the Security Control Panel of the Enterprise Cloud 2.0 Portal.


Description of Functions¶

Functions provided in this menu are described below.

Anti-malware¶

Prevents hosts from being infected with malware.
Malware is caught either by real-time scan, which detects it at the moment it tries to enter the host, or by scheduled scan, which runs as a task at a date and time specified by the customer.

The following functions are available with Anti-malware:

Item

Descriptions

Functions Settings

Set the function ON (enabled) or OFF (disabled).

Type of scan

The following scan types are distinguished by when they run:
Real-time scan
A file is scanned each time it is accessed.
Manual scan
Can be run at any time.
Scheduled scan
Runs automatically at the specified date and time.

Scan Setting

Specify the directories and files to scan.

Scan Exclusion Setting

Specify the directories, files and file extensions to exclude from scanning.

Actions

Select the action taken when malware is detected.
Trend Micro recommended
The action is determined automatically.
Custom actions
The action to be taken can be specified.

The available actions are as follows:
Pass
Nothing is done to the infected file; the detection is only logged.
Clean
Only the infected part is removed from the infected file.
Delete
The infected file is deleted.
Deny Access (real-time scan only)
If a process tries to open the infected file, access is blocked immediately.
Quarantine
The file is moved to a quarantine directory on the host.

Smart Scan

Keeps only a minimal pattern file locally and uses the complete pattern file on Trend Micro's server on the Internet to determine whether a file is dangerous.

Scan Limitations

The maximum size of files to scan can be specified. (Files larger than this size are not scanned.)

Note

  • The Trend Micro recommended action handles each individual malicious program appropriately and is adjusted on an ongoing basis. It is updated at the same time as the virus patterns.

  • In a manual or scheduled scan, if a malware scan configuration with the "Deny Access" action selected is used, the "Pass" action is applied instead.

  • When Smart Scan is enabled, files are first examined with a small local pattern file. Files judged "possibly malicious" are then checked against the full pattern file on the Trend Micro server over the Internet to determine whether they are dangerous. This keeps the local pattern file small and reduces the size and number of updates the Agent needs. It also means the Agent must be able to reach the Smart Scan Service servers listed under Communication Requirements.

  • Setting the scan size limit to 0 means there is no maximum size, and all files are scanned.


Intrusion prevention¶

Virtual patches (vulnerability rules) protect servers from attacks by malicious persons exploiting vulnerabilities.
Major server OSs including Windows, Linux and Solaris are supported, and vulnerabilities in more than 100 applications such as Apache, BIND, Microsoft SQL Server and Oracle are covered.
For the Windows Updates that Microsoft releases on the second Tuesday of every month (UTC), rules corresponding to the applicable updates are distributed directly by Trend Micro.
By applying these rules, the newest vulnerabilities in the Windows OS can be protected against even before the update itself is installed.
For each rule, protection mode (matching packets are discarded) or detection mode (events are only logged and traffic is passed) can be selected.

The following functions are available with Intrusion prevention:

Item

Descriptions

Functions Settings

Set the function ON (enabled) or OFF (disabled).

Operation setting (inline)

The following can be selected for when attack packets are detected:
● Prevent: attack packets are blocked; this is IPS mode. As a rule all detected communication is blocked, but some rules only detect.
● Detect: attack packets are detected and logged. Note that some communication is still blocked.

Operation setting (TAP)

Attack packets are detected only. Because this is IDS mode, communication is never blocked. If TAP is selected, the host-based firewall function is not available.

Rule Setting

Displays the intrusion prevention rules that are currently assigned.

Recommended Settings

Recommended intrusion prevention rules can be searched for (recommendation scan). If automatic assignment is set, recommended rules are assigned automatically and rules that are no longer needed are unassigned automatically.

Note

  • Even when this function is enabled, the vulnerability in the software itself remains. In addition, because this function detects exploitation of vulnerabilities in communication over the network, an attack that has already been completed locally is difficult to detect and respond to with it.

  • In the operation setting, selecting Prevent does not mean every rule blocks; some rules are detection-only.

  • If there is a concern about false positives, such as normal packets being blocked, a safe rollout is to install in detection mode first and switch to prevention mode after confirming that the application operates normally. The basic operation modes of intrusion prevention are "inline" and "TAP". In inline mode, "Prevent" or "Detect" can be selected as the rule detection mode; in TAP mode only detection is available.

(Figure: intrusion prevention)


Host-based firewall¶

IP address, MAC address and port filtering can be configured in detail per host.
Policies can also be created per network.
The TCP, UDP and ICMP protocols, and the IP and ARP frame types, are supported.
For example, settings that would otherwise be made individually on each host with Windows Firewall or the like can instead be centralized through the management server by defining policies per host type and per installed segment.
The settings can of course still be customized per host.

The host-based firewall function mainly offers the following:

Item

Descriptions

Functions Settings

Set the function ON (enabled) or OFF (disabled).

Stateful Settings

Stateful inspection can be enabled.

Frame type

IP / ARP / REVARP / any frame number

Communication source/destination that can be specified

Single IP address / subnet / address range / multiple IP addresses / IP address list / single MAC address / multiple MAC addresses / MAC address list

Communication direction

Outgoing / incoming

Protocol

ICMP / IGMP / GGP / TCP / PUP / UDP / IDP / ND / RAW / TCP+UDP / any protocol number

Filter action

● Allow: allows traffic matching the rule to pass.
● Bypass: lets traffic matching the rule pass without inspection by either intrusion prevention or the host-based firewall.
● Deny: discards traffic matching the rule.
● Force Allow: forces traffic to pass that would otherwise be denied by other rules. Intrusion prevention inspection is still performed.

Priority

0 (lowest) to 4 (highest)

Note

  • If no Allow rule is in effect on the host, all traffic is permitted unless a Deny rule blocks it. As soon as even one Allow rule is in effect for a direction (incoming or outgoing), all traffic in that direction that does not match an Allow rule is rejected.

  • The priority of a rule determines the order in which rules are applied. For "Force Allow" and "Deny" rules, the customer can set the priority from 0 (lowest) to 4 (highest); an "Allow" rule can only have priority 0. Higher-priority rules are applied before lower-priority ones. For example, if a priority 3 Deny rule for incoming port 80 and a priority 2 Force Allow rule for incoming port 80 both exist, the Deny rule is applied first and the packet is discarded.

  • Likewise, if an Allow/Deny rule with the same condition as a Bypass or Force Allow rule exists at a higher priority, the Bypass does not take effect, because the higher-priority rule is used. To bypass, set the Bypass rule's priority higher than that of the Allow/Deny rule.

  • For communication that a Bypass rule should apply to, a Bypass rule must be set in both directions (incoming and outgoing).

  • For communication that a Force Allow rule should apply to, a Force Allow rule must be set in both directions (incoming and outgoing).

  • A firewall rule that is assigned to one or more computers, or that is part of a policy, cannot be deleted.
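As an added worked example (not part of the original page and not Deep Security's own code), the following Python script simulates the rule evaluation order described in the notes above: rules are applied from priority 4 down to 0, a Deny at a higher priority wins over a Force Allow at a lower priority, and the presence of any Allow rule in a direction makes unmatched traffic in that direction implicitly denied. The tie-break order between actions that share a priority (Bypass, Force Allow, Deny, Allow) and the sample rule set are assumptions made for the example; use it to sanity-check a rule set before assigning it, not as a description of the Agent's internals.

```python
"""Simulate host-based firewall rule evaluation as described in the notes above.
Added example; the tie-break order at equal priority is an assumption."""
from dataclasses import dataclass
from typing import Optional

# Tie-break order for rules that share a priority (assumption, not from the page).
ACTIONS = ("Bypass", "Force Allow", "Deny", "Allow")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # one of ACTIONS
    direction: str        # "incoming" or "outgoing"
    protocol: str         # "TCP", "UDP", "ICMP" or "any"
    port: Optional[int]   # None matches any port
    priority: int = 0     # 0 (lowest) .. 4 (highest)

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if not 0 <= self.priority <= 4:
            raise ValueError("priority must be between 0 and 4")
        if self.action == "Allow" and self.priority != 0:
            raise ValueError("Allow rules can only have priority 0")

    def matches(self, direction: str, protocol: str, port: int) -> bool:
        return (self.direction == direction
                and self.protocol in ("any", protocol)
                and self.port in (None, port))


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int


def evaluate(rules, pkt: Packet):
    """Return (verdict, reason); verdict is 'allow', 'bypass' or 'deny'.

    Higher-priority rules are consulted first, so a priority 3 Deny beats a
    priority 2 Force Allow for the same traffic (the page's port 80 example).
    """
    ordered = sorted(rules, key=lambda r: (-r.priority, ACTIONS.index(r.action)))
    for rule in ordered:
        if rule.matches(pkt.direction, pkt.protocol, pkt.port):
            if rule.action == "Deny":
                return "deny", rule.name
            if rule.action == "Bypass":
                return "bypass", rule.name
            return "allow", rule.name          # Allow or Force Allow
    # No explicit match: once any Allow rule exists for a direction, everything
    # else in that direction is rejected; with no Allow rule, everything passes.
    if any(r.action == "Allow" and r.direction == pkt.direction for r in rules):
        return "deny", "implicit deny (an Allow rule exists for this direction)"
    return "allow", "implicit allow (no Allow rule for this direction)"


# Constructed rule set reproducing the page's port 80 example plus one Allow rule.
RULES = [
    Rule("deny-http", "Deny", "incoming", "TCP", 80, priority=3),
    Rule("force-allow-http", "Force Allow", "incoming", "TCP", 80, priority=2),
    Rule("allow-ssh", "Allow", "incoming", "TCP", 22),
]

if __name__ == "__main__":
    for pkt in (Packet("incoming", "TCP", 80), Packet("incoming", "TCP", 22),
                Packet("incoming", "TCP", 443), Packet("outgoing", "TCP", 443)):
        verdict, why = evaluate(RULES, pkt)
        print(f"{pkt.direction:>8} {pkt.protocol}/{pkt.port:<4} -> {verdict:6} ({why})")
```

With the constructed rule set, incoming port 80 is denied by the priority 3 Deny rule despite the Force Allow, incoming port 22 is allowed explicitly, incoming port 443 is rejected by the implicit deny that the Allow rule on port 22 switches on, and outgoing port 443 still passes because no Allow rule exists in that direction. Raising the Force Allow rule to priority 4 flips the port 80 verdict, which is exactly the ordering effect the notes warn about.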

(Figure: host-based firewall)

Web reputation¶

The newest threats are handled by using the wide range of information collected through Trend Micro's threat intelligence network and the Trend Micro Smart Protection Network (SPN) to supplement conventional pattern-file-based functions.
When communication to a web site occurs, the access is controlled by looking up fraudulent-site information in the Trend Micro Smart Protection Network (SPN).
The Web Reputation function is available only with Managed Host-based Security Package.

Following functions are available with Web Reputation:

Item

Descriptions

Functions Settings

Set the function ON (enabled) or OFF (disabled).

Security Level Settings

Web addresses known to be fraudulent or suspicious are divided into the following risk levels:
Dangerous
Pages verified to be fraudulent or known sources of threats.
Highly Suspicious
Pages suspected to be fraudulent or possible sources of threats.
Suspicious
Pages associated with spam or possibly compromised.
Select one of the security levels High, Medium or Low to determine which risk levels are blocked:
High: blocks Dangerous, Highly Suspicious and Suspicious pages
Medium: blocks Dangerous and Highly Suspicious pages
Low: blocks Dangerous pages

Exceptions Settings

Specify URLs to always allow and URLs to always block.

Note

  • The security level determines whether access to a URL is allowed or blocked. For example, at [Low] only web sites already confirmed as threats are blocked. The higher levels, [Medium] and [High], improve the detection rate of web threats but also increase the chance of false positives.

  • In the Exceptions setting, the [Allowed] list takes precedence over the [Blocked] list: a URL matching an entry in the [Allowed] list is not checked against the [Blocked] list.

(Figure: web reputation)

Integrity Monitoring¶

Monitors pre-specified files, registry keys, file permissions, ports and so on, and notifies the administrator when they change.
For example, by monitoring file size, an alert can be raised when an intruder deletes part of an access log to cover their tracks.

Following functions are available with Integrity Monitoring:

Item

Descriptions

Functions Settings

Set the function ON (enabled) or OFF (disabled).

Baseline Configurations

Records the original state that Integrity Monitoring compares against.

Scan Setting

Changes are detected based on the baseline information and the assigned rules.
Real-time scan
Changes are detected as they occur.
Manual scan
Can be run at any time.
Scheduled scan
Runs automatically at the specified date and time.

Rule Setting

The currently assigned Integrity Monitoring rules can be displayed, assigned and unassigned.
Customers are not limited to the predefined Integrity Monitoring rule categories: they can also write rules that name the specific files, directories, registry keys and values, installed software, processes, listening ports and services whose changes are to be monitored.

Recommended Settings

Recommended Integrity Monitoring rules can be searched for. If automatic assignment is set, recommended rules are assigned automatically and rules that are no longer needed are unassigned automatically.

Note

  • When scans are run repeatedly, the changes detected by a scan are incorporated into the baseline, so the next scan reports only changes made since the previous scan.

  • Using this function requires a careful study of the host's detailed configuration and of the information to be monitored. Monitoring with inappropriate settings can generate large volumes of logs or cause highly dangerous events to be overlooked, reducing the value of the function. To decide the settings and the items to monitor, consult the persons responsible for building and designing the host environment.
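As an added example (not the page's or Trend Micro's code), the script below shows the baseline-and-compare model that Integrity Monitoring relies on, run over a constructed directory: it records size, permission bits, owner and SHA-256 for each file, reports created, modified and deleted files on the next scan, flags a log that shrank as probable truncation (the access-log case mentioned above), and carries the post-scan state forward as the next baseline so that a repeat scan with no changes reports nothing. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Baseline-and-compare file integrity check on a constructed directory (added example)."""
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes that must all stay the same for a file to go unreported."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root: Path) -> dict:
    """Record the current state of every regular file under root."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan(root: Path, baseline: dict):
    """Compare the current state with the baseline.

    Returns (events, new_baseline). Each event is (kind, path, detail). The
    post-scan state is returned as the next baseline, so a following scan
    reports only changes made after this one.
    """
    current = build_baseline(root)
    events = []
    for rel, now in current.items():
        before = baseline.get(rel)
        if before is None:
            events.append(("created", rel, ""))
            continue
        changed = [k for k in before if before[k] != now[k]]
        if changed:
            detail = ", ".join(f"{k}: {before[k]} -> {now[k]}" for k in changed)
            # A log file that got smaller is the classic sign of an intruder
            # deleting entries to cover their tracks.
            if rel.endswith(".log") and now["size"] < before["size"]:
                detail += " [log truncated]"
            events.append(("modified", rel, detail))
    for rel in baseline:
        if rel not in current:
            events.append(("deleted", rel, ""))
    return events, current


def demo(workdir: Path = None) -> dict:
    """Constructed scenario: baseline a web root and its access log, then tamper."""
    workdir = workdir or Path(tempfile.mkdtemp(prefix="im-demo-"))
    (workdir / "htdocs").mkdir(parents=True, exist_ok=True)
    log = workdir / "access.log"
    log.write_text("GET /index.html 200\nGET /admin 403\nGET /login 200\n")
    (workdir / "htdocs" / "index.php").write_text("<?php echo 'hello'; ?>\n")
    baseline = build_baseline(workdir)

    # Intruder removes the incriminating line and drops an unexpected PHP file.
    log.write_text("GET /index.html 200\nGET /login 200\n")
    (workdir / "htdocs" / "dropped.php").write_text("<?php phpinfo(); ?>\n")
    first, baseline = scan(workdir, baseline)
    second, _ = scan(workdir, baseline)   # nothing changed since: no events
    return {"first": first, "second": second}


if __name__ == "__main__":
    for kind, path, detail in demo()["first"]:
        print(f"{kind:9} {path} {detail}")
```

The first scan reports the shrunken access log (size and hash changed, marked as truncated) and the new PHP file; the untouched index.php is silent, and the second scan returns no events because the first scan's result became the baseline. Which attributes to compare is the design decision the note above is about: hashing every file under a busy directory is expensive and noisy, which is why rules are scoped to specific paths and attributes.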


Security log monitoring¶

Monitors Windows event logs and application logs, and raises an alert when a predefined threshold is exceeded.
For example, if multiple log-on failure events are recorded in the Windows event log within a short period of time, the administrator can be notified immediately.

The following functions are available with Log Inspection:

Item

Descriptions

Functions Settings

Set the function ON (enabled) or OFF (disabled).
Log Inspection monitors in real time.

Rule Setting

The currently assigned Log Inspection rules can be displayed, assigned or unassigned, and rules can be created or deleted.
When creating a Log Inspection rule, the file path of the log and the match conditions can be specified.

Recommended Settings

Recommended Log Inspection rules can be searched for. If automatic assignment is set, recommended rules are assigned automatically and rules that are no longer needed are unassigned automatically.

Note

  • Some Log Inspection rules require configuration on the host in order to work. When such a rule is assigned to the host, manually or automatically, an alert is raised stating that "configuration is required".

  • Using this function requires a careful study of the host's detailed configuration and of the information to be monitored. Monitoring with inappropriate settings can generate large volumes of logs or cause highly dangerous events to be overlooked, reducing the value of the function. To decide the settings and the items to monitor, consult the persons responsible for building and designing the host environment.
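As an added example (not the page's or Trend Micro's code), the Python below shows the kind of threshold rule the text describes, run over a constructed, simplified flattening of Windows Security log records (timestamp, event ID, account and source address separated by "|"): it counts event 4625 (log-on failure) per source address in a sliding 60-second window, raises one alert per source when the count reaches the threshold, and suppresses repeats for the length of the window so a brute-force run produces one alert rather than one per attempt. The log lines, field layout and thresholds are constructed for the demonstration.

```python
"""Threshold rule over log-on failure events in a sliding window (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: Windows Security log records flattened as
# "timestamp|EventID|account|source IP". 4625 = log-on failure, 4624 = success.
SAMPLE_LOG = """\
2024-05-01T09:00:01|4625|alice|203.0.113.7
2024-05-01T09:00:03|4625|alice|203.0.113.7
2024-05-01T09:00:05|4624|bob|10.0.0.5
2024-05-01T09:00:07|4625|alice|203.0.113.7
2024-05-01T09:00:09|4625|root|203.0.113.7
2024-05-01T09:00:12|4625|admin|203.0.113.7
2024-05-01T09:05:00|4625|carol|10.0.0.9
2024-05-01T09:12:00|4625|carol|10.0.0.9
"""


def parse(line: str):
    ts, event_id, user, src = line.split("|")
    return datetime.fromisoformat(ts), int(event_id), user, src


def failed_logon_bursts(lines, threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> list:
    """Alert when at least `threshold` 4625 events from one source fall within `window`.

    A deque per source holds only events inside the window. After an alert,
    the source is muted until the window has passed, which keeps a long
    brute-force run from generating one alert per attempt.
    """
    recent = defaultdict(deque)
    muted_until = {}
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, event_id, user, src = parse(raw)
        if event_id != 4625:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and muted_until.get(src, datetime.min) <= ts:
            alerts.append({
                "source": src,
                "count": len(q),
                "first": q[0][0],
                "last": ts,
                "users": sorted({u for _, u in q}),
            })
            muted_until[src] = ts + window
    return alerts


if __name__ == "__main__":
    for a in failed_logon_bursts(SAMPLE_LOG.splitlines()):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {a['source']}: {a['count']} failures in {span:.0f}s "
              f"against {', '.join(a['users'])}")
```

On the sample, 203.0.113.7 produces five failures against three accounts in eleven seconds and triggers a single alert, while 10.0.0.9's two failures seven minutes apart never accumulate inside the window; lowering the threshold or widening the window (the two knobs a rule exposes) changes that, which is the tuning trade-off the note above refers to.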

(Figure: log inspection)

Application control¶

Application control detects changes to executable files, such as:
・ installation of unnecessary software by a user
・ addition of PHP pages, Python scripts or Java applications
・ unscheduled automatic updates
・ zero-day ransomware
When a change is detected, the computer can be locked down as required and unapproved software blocked.

The application control function mainly offers the following:

Execute

Detection mode: Block until explicitly allowed
If an application that differs from the baseline is detected, it is blocked until it is explicitly allowed.

Detection mode: Allow until explicitly blocked
If an application that differs from the baseline is detected, it is allowed to run; the administrator decides individually whether to block it.

Maintenance mode

Changes detected during the maintenance mode period are allowed. After maintenance mode ends, the mode configured at build time applies again.

Note

  • Using this function requires checking the execution status of the applications on the host. Enabling it with inappropriate settings may stop applications or prevent them from operating normally, degrading system operation. To decide the settings and which applications to target, consult the persons responsible for building and designing the host environment.

(Figure: application control)

Control panel¶

The functions of the Control Panel are as follows.
For details, see the Enterprise Cloud 2.0 tutorial.

Item

Descriptions

Order

Customers can subscribe to the security menu.

Operation

Settings and management of this menu.


● Order

The following actions can be performed from the Order panel:

Item

Descriptions

New

Start a new order

Change Function

Change the menu in use.

Change Quantity

Change the quantity of the menu.

Cancel

Terminate the use of the menu


● Operation

The items that can be operated from the Operation panel are as follows.

Item

Descriptions

Computer

Configure the security functions of each computer.

Policy

It is possible to define rules and settings collectively and assign the same settings to multiple computers.

Alert

An alert is issued to the administrator when an event that requires attention occurs.

Report

It is possible to output various reports.

Management

Manage scheduled tasks (for example, scheduled security updates and scheduled scans), pattern files and rules.

Note

  • Logs are available for 4 weeks on the Security Control Panel. This menu does not guarantee the completeness of the logs; customers should export logs regularly themselves.

  • To manage this menu on a single operation screen across multiple regions or tenants, subscribe to this menu in one region and tenant. Price information is shown on the tenant that holds the subscription.



Menu¶

Plan¶

There is no plan in this menu.

Application Process¶

Customers with Enterprise Cloud 2.0 can, as a rule, subscribe to this menu.
Subscription types, order methods and delivery are as follows:

Subscription type: New
Contents: New subscription
Order method: Subscription by the customer on the Enterprise Cloud 2.0 Portal through the Security Control Panel.
Offering date: Immediate

Subscription type: Change Function
Contents: Modify menu
Order method: Same as above.
Offering date: Same as above.

Subscription type: Change Quantity
Contents: Modify the quantity of subscriptions
Order method: Same as above.
Offering date: Same as above.

Subscription type: Cancel
Contents: Termination of use
Order method: Same as above.
Offering date: Same as above.

Note

  • For one Enterprise Cloud 2.0 tenant, only one of the following host-based security menus can be used:

    • Managed Anti-Virus

    • Managed Virtual Patch

    • Managed Host-based Security Package

  • Until one order has completed, the next order cannot be placed.

  • Change Function (Modify Menu) is an order that changes all hosts in the menu to another host-based security menu:

    • Managed Host-based Security Package → Managed Anti-Virus
    • Managed Host-based Security Package → Managed Virtual Patch
  • Before placing an order for termination, stop communication between the Agent and the management server and uninstall the Agent.

  • For 2 weeks after this menu is terminated on a tenant, a new host-based security order cannot be placed on that tenant.


Restrictions In Subscriptions¶

The unit of one subscription and the maximum number of units that can be sold are as follows:

Unit: 1
Maximum number: 256

Note

  • Customers who require more than 256 units should consult their NTT Com sales representative.



Terms and Conditions¶

Device requirements¶

Agent system requirements¶

To use this service, the Agent must be installed on the host.
The host on which the Agent is installed must meet the following system requirements.

Item

Contents

Memory

1 GB or more

  • 2 GB or more is recommended when anti-malware and intrusion prevention are used.

  • 5 GB or more is recommended when Managed Host-based Security Package is used with all functions enabled.

Internal disk

500 MB or more

  • 1 GB or more is recommended when anti-malware is enabled.

  • 8 GB or more is recommended when the Relay function [1] is enabled. Because the various update files and Agent programs are stored there, 30 GB or more is recommended rather than the vendor's minimum of 8 GB.

[1]

The Relay function downloads pattern files and rules from the Trend Micro server and distributes them to hosts on which the Agent is installed.


System requirements of Deep Security Notifier¶

Deep Security Notifier is a Windows application that displays the Agent's state on the desktop. It is provided for Windows OSs and is installed together with the Agent.
With it you can check at a glance whether each function is enabled or disabled, check the pattern file state, and receive a notification when malware is detected.

Item

Contents

Memory

3MB

Internal Disk

1MB

Target OS (Microsoft Windows)¶

Windows 7 (32/64bit)
Windows 8 (32/64bit)
Windows 8.1 (32/64bit)
Windows 10, 10 TH2 (32/64bit)
Windows 10 RS2 (32/64-bit)
Windows 10 RS3 (32/64-bit)
Windows Server 2008 (32/64bit)
Windows Server 2008 R2 (64bit)
Windows Server 2008 R2 Hyper-V
Windows Server 2012 (64bit)
Windows Server 2012 (64bit)
Windows Server 2012 R2 Hyper-V
Windows Server Core 2012 (64bit)
Windows Server Core 2012 R2 (64bit)
Windows Server 2016 (64bit)
Windows Server 2016 RS3 (64bit)
Windows Server 2019 Version 1809 (64bit)

Note

  • A Windows product whose edition is not specified is guaranteed to operate, within the vendor's support range, regardless of edition.

  • Service packs that are not listed in the system requirements but are newer than those listed are guaranteed to work within the vendor's support range. For more information, see the product documentation.

  • The Relay function works only on 64-bit OSs.

  • The following environments are not supported by us even if they are supported by the vendor:
    • Windows Server 2008/2012 (Server Core)
    • Microsoft Virtual Server 2005 R2 SP1

Target OS (Linux)¶

Red Hat 6, 7, 8 (32/64-bit)
CentOS 6, 7, 8 (32/64-bit)
SUSE 12 (64-bit)
SUSE 15 (64-bit)
Ubuntu Linux 16.04, 18.04 (64-bit)
Oracle Linux 6 Red Hat / Unbreakable Kernel (32/64-bit)
Oracle Linux 7 Red Hat / Unbreakable Kernel (64-bit)
CloudLinux 6 (32/64-bit)
CloudLinux 7 (64-bit)
Amazon Red Hat 6 EC2 (32/64-bit)
Amazon Red Hat 7 EC2 (64-bit)
Amazon SUSE 12 EC2 (64-bit)
Amazon Ubuntu 16.04 LTS (64-bit)

Note

  • The Linux version of the Agent must also support your kernel. For the supported kernel versions, see the tutorial "Linux OS kernel support" and the product Q&A.

  • The available functions differ depending on the version of the Agent installed and the type of OS it is installed on. Refer to the Supported function list.

  • For information on installation on OSs in cloud environments such as Amazon Web Services and Microsoft Azure, refer to the product Q&A.

  • Deep Security supports only UTF-8 as the multi-byte character encoding; in Linux/UNIX environments, set the OS locale to UTF-8 (e.g. ja_JP.UTF-8). For details, refer to the product Q&A.

  • The Relay function works only on 64-bit OSs.

  • Some OSs may not be offered even if they are within the vendor's support targets. For details on those OSs, contact us through the Enterprise Cloud 2.0 ticket system.

  • Operation of the Deep Security Agent (DSA) on RHEL 8, CentOS 8 or Ubuntu 18.04 with Secure Boot enabled is not supported. Disable Secure Boot beforehand. For DSA Secure Boot support, refer to the product Q&A.

  • On CentOS 8 the Agent cannot be installed by the deployment script. Install the Agent manually and then activate it.


Communication Requirements¶

Agent communication requirements¶

The network connectivity requirements of this menu are as follows:

  • The Agent installed on the host must be able to connect to the management server via the Internet. Some functions additionally require connectivity to Trend Micro servers.

  • If a firewall or similar device is in the path, configure it accordingly.

  • Name resolution is required to communicate with the management server and the Trend Micro servers. Configure the host on which the Agent is installed so that it can resolve names.

  • If hosts cannot connect to the Internet directly, configure Internet access through a proxy server. When hosts reach the Internet via a proxy, prepare a host with the Relay function enabled in the customer environment; any host with the Agent installed can have the Relay function enabled.

    • When Agents communicate with a Relay, configure the hosts on which the Agent is installed so that they can resolve the name of the Relay host.

    • Deploying an internal distribution server (Deep Security Relay) is recommended when more than 5 hosts are managed, or when Internet traffic is to be kept down, and is required when more than 20 hosts are managed.


Transmission details

Destination: Manager servers
  • hbs01.jp.ivs.wideanglentt.com
  • hbs02.jp.ivs.wideanglentt.com
  • hbs03.jp.ivs.wideanglentt.com
  • hbs04.jp.ivs.wideanglentt.com
  • hbs05.jp.ivs.wideanglentt.com
  • hbs06.jp.ivs.wideanglentt.com
  • hbs07.jp.ivs.wideanglentt.com
  • hbs08.jp.ivs.wideanglentt.com
  • hbs09.jp.ivs.wideanglentt.com
  • hbs10.jp.ivs.wideanglentt.com
Port: TCP 80, 443

Destination: the host on which the Relay function is enabled (only when the customer prepares one in the customer environment)
Port: TCP 4122

For the functions listed below, access to the servers published by Trend Micro is essential. Prepare an environment in which the Agent can reach those servers on ports 80 and 443 over the Internet.
・ Web reputation
・ Census (behavior monitoring)
・ Predictive machine learning

Note

  • Click here for behavior monitoring.

  • Click here search for machine learning type .


Communication with Trend Micro servers (reference)

Function                                                                  URL
Download Center or web server
  - Hosts software.
  • files.trendmicro.com
Smart Protection Network - Certified Safe Software Service (CSSS)
  • gacl.trendmicro.com
  • grid-global.trendmicro.com
  • grid.trendmicro.com
Smart Protection Network - Global Census Service
  - Used for behavior monitoring and predictive machine learning.
  • ds2000-en-census.trendmicro.com
  • ds2000-jp-census.trendmicro.com
Smart Protection Network - Good File Reputation Service
  - Used for behavior monitoring, predictive machine learning, and process memory scans.
  • deepsec20-en.gfrbridge.trendmicro.com
  • deepsec20-jp.gfrbridge.trendmicro.com
Smart Protection Network - Smart Scan Service
  • ds20.icrc.trendmicro.com
  • ds20-jp.icrc.trendmicro.com
Smart Protection Network - Predictive Machine Learning
  - Used for predictive machine learning.
  • ds20-en-b.trx.trendmicro.com
  • ds20-jp-b.trx.trendmicro.com
  • ds20-en-f.trx.trendmicro.com
  • ds20-jp-f.trx.trendmicro.com
Update Server (also called Active Update)
  - Hosts security updates.
  • iaus.activeupdate.trendmicro.com
  • iaus.trendmicro.com
  • ipv6-iaus.trendmicro.com
  • ipv6-iaus.activeupdate.trendmicro.com
The above FQDNs may change in the future, so please refer to the link below.
List of Trend Micro web servers to which Deep Security 10.x or later connects
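A pre-installation check that encodes the requirements above, as an added example (not NTT Com or Trend Micro tooling): it resolves each management server and Trend Micro FQDN and opens a TCP connection to the required port, reporting which step failed. It assumes direct Internet access from the host (no proxy) and uses a hypothetical Relay hostname; the resolver and connector are injectable so the reporting logic can be tested offline.

```python
"""Pre-installation connectivity check for a host that will run the Agent.

Added example written for this page; it is not NTT Com or Trend Micro
tooling. For every destination it performs the two steps the communication
requirements call for: name resolution, then a TCP connection to the
required port. The resolver and connector are injectable so the reporting
logic can be exercised offline; the defaults use the real network."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Destinations and ports are taken from the tables in this service description.
MANAGER_HOSTS = [f"hbs{n:02d}.jp.ivs.wideanglentt.com" for n in range(1, 11)]
MANAGER_PORTS = (80, 443)
TREND_MICRO_HOSTS = [
    "files.trendmicro.com",
    "gacl.trendmicro.com", "grid-global.trendmicro.com", "grid.trendmicro.com",
    "ds2000-en-census.trendmicro.com", "ds2000-jp-census.trendmicro.com",
    "deepsec20-en.gfrbridge.trendmicro.com", "deepsec20-jp.gfrbridge.trendmicro.com",
    "ds20.icrc.trendmicro.com", "ds20-jp.icrc.trendmicro.com",
    "ds20-en-b.trx.trendmicro.com", "ds20-jp-b.trx.trendmicro.com",
    "ds20-en-f.trx.trendmicro.com", "ds20-jp-f.trx.trendmicro.com",
    "iaus.activeupdate.trendmicro.com", "iaus.trendmicro.com",
    "ipv6-iaus.trendmicro.com", "ipv6-iaus.activeupdate.trendmicro.com",
]
TREND_MICRO_PORTS = (80, 443)
RELAY_PORT = 4122  # Agent to Relay host, only when the customer runs a Relay

Resolver = Callable[[str], str]          # hostname -> IP address, raises OSError
Connector = Callable[[str, int], bool]   # (ip, port) -> connection succeeded?


def tcp_connect(ip: str, port: int, timeout: float = 5.0) -> bool:
    """Default connector: open a TCP connection and close it again."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoint(host: str, port: int, resolver: Resolver = socket.gethostbyname,
                   connector: Connector = tcp_connect) -> Tuple[str, str]:
    """Return (status, detail); status is 'ok', 'dns-fail' or 'tcp-fail'."""
    try:
        ip = resolver(host)          # socket.gaierror is a subclass of OSError
    except OSError as exc:
        return "dns-fail", f"{host}: {exc}"
    if not connector(ip, port):
        return "tcp-fail", f"{host} ({ip}) port {port}"
    return "ok", f"{host} ({ip}) port {port}"


def run_checks(relay_host: Optional[str] = None, resolver: Resolver = socket.gethostbyname,
               connector: Connector = tcp_connect) -> Dict[str, List[str]]:
    """Check every required destination and group the results by status."""
    targets = [(h, p) for h in MANAGER_HOSTS for p in MANAGER_PORTS]
    targets += [(h, p) for h in TREND_MICRO_HOSTS for p in TREND_MICRO_PORTS]
    if relay_host:  # only when a Relay host exists in the customer environment
        targets.append((relay_host, RELAY_PORT))
    report: Dict[str, List[str]] = {"ok": [], "dns-fail": [], "tcp-fail": []}
    for host, port in targets:
        status, detail = check_endpoint(host, port, resolver, connector)
        report[status].append(detail)
    return report


if __name__ == "__main__":
    # "relay.example.internal" is a hypothetical Relay hostname; drop the argument if none exists.
    result = run_checks(relay_host="relay.example.internal")
    for status in ("dns-fail", "tcp-fail"):
        for line in result[status]:
            print(f"{status}: {line}")
    failed = len(result["dns-fail"]) + len(result["tcp-fail"])
    print(f"{len(result['ok'])} checks passed, {failed} failed")
```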

Mail communication requirements¶

The communication requirements for e-mail notification from this menu are as follows.

  • To use e-mail notification, specify a customer-managed SMTP server on the Security Control Panel. If the SMTP server restricts connections, allow the following source IP addresses:

    • 210.161.150.240 to 210.161.150.248

  • The port on which the customer's SMTP server listens must be one of the following:

    • TCP 25 or 587


Conditions for This Service in Combining with Other Services¶

This menu places no specific restrictions on combined use with other services.

Minimum Usage Period¶

This menu does not require a minimum usage period.


Price¶

Initial Fee¶

No initial fee is charged for this menu, regardless of the subscription type the Customer requests.

Monthly Fees¶

This menu is charged at a fixed monthly fee regardless of usage time.
If a Customer changes the number of subscriptions or modifies the menu details within a month, the monthly charges for the quantities subscribed under each menu during that month are compared, and the highest charge amount is applied to the billing.


Quality of Service¶

Support Coverage¶

Management server¶

The functions and facilities of the management server provided by this menu are covered by support.

Agent¶

The behavior and service specification of the Agent installed on the host are supported within the scope of the license.
(The license terms are displayed at the start of the Agent installation.)

Note

  • Inquiries about setting values and operating methods, and inquiries that require consulting, are outside the scope of support.

  • Problems in components other than the Agent, such as the OS, virtual environment and network, are outside the scope of support. For problems arising from OS specifications or settings, or from environment dependencies, we may not be able to provide a solution or workaround.

  • Monitoring and setting change work are outside the scope of support.

  • Investigation of, and response to, incidents on the host caused by malware infection or by attacks from malicious actors are outside the scope of support.

  • Virtual environments that use container technology (Docker, etc.) are outside the scope of support. If the Agent is used in a Docker environment, the customer's system may stop for some reason.


Operations¶

This menu is subject to the operational quality standard defined in Enterprise Cloud 2.0.

Management server¶

The menu performs the following operations on the management server:

Item                            Description
Applies security patches        Applies security patches according to the degree of impact
Product Life-cycle Management   Performs version upgrades
Monitoring / Maintenance        Performs operation monitoring and fault response


Device management (host)¶

For host management, the Agent must be installed. Customers are responsible for installing the Agent. Once the customer configures the corresponding Agent from the management console, the Agent's security functions are enabled and protection against threats begins. Customers are responsible for managing the Agent's status and settings.
This service does not monitor hosts from the Security Operation Center (SOC). Customers are expected to monitor hosts themselves by checking events on the management console provided by this service, or by using the event notification function that can be configured on the management console.

Security event
Security events detected on the host can be checked on the management console. Events output by the Agent installed on the host for each function are sent to the management server, where the occurrence time, detected event name and action details are displayed. Events can be reported to the customer by configuring the notification targets, destinations and event conditions in the management server's event notification function.

System event
System events detected on the host can be checked on the management console. The results of the various actions taken by the Agent installed on the host, such as security update results, scan results and Agent errors, are transferred to the management server, where the occurrence time, event name and action status can be checked. Events can be reported to the customer by configuring the notification targets, destinations and conditions in the management server's event notification function.

Failure isolation
Failures that occur at the boundary with the network through which the host connects to the Internet are left to the customer to handle. For problems that may be related to the operation of the various functions, or to conflicts with other products, the customer is asked to isolate the problem by enabling and disabling functions and products. Investigate the problem using the manuals and support pages published by Trend Micro and the online help accessible from the management console, and contact us if the problem remains unresolved. Support covers the product only; please understand in advance that we cannot answer inquiries about components other than this service and the product, such as the OS and network you are using.

Security update management
Security updates can be managed on the management console. The security update status can be checked from the system events output by the Agent installed on the host and from the alert display. By configuring notification conditions and destinations in the event notification function, update management events can be reported automatically by e-mail according to your requirements.

Product update
Customers are responsible for updating the Agent used on the host. Update it regularly so that the latest version is always in use.
The Agent can be updated by operation from the management console. It can also be updated by obtaining the installer from the management console.
Updates to the management servers and distribution servers used by the management server groups are carried out by the Security Operation Center (SOC), and are scheduled after evaluation and verification by the SOC. There is therefore no guarantee that a management server or distribution server of the version the customer wants will be available.

Note

  • The life cycle of the Agent used on the host follows Trend Micro's support specifications. Confirm the support period before updating the Agent and/or the host OS.
    • Support life cycle.

    • Product and search engine support end notice.

    • Operating system and middleware support policy.


Security incident report¶

Security incident reports can be created on the management console. By creating a report for each function, the status of the host can be confirmed. By combining the task function with the event notification function, reports can also be generated automatically at a date and time set by the customer and sent by e-mail.

SLA¶

No SLA applies to this menu.


Restrictions¶

The constraints of this menu are as follows.

Common¶

  • To install the Agent, you must be logged in to the target host as an administrator.

  • Synchronize the time of the host on which the Agent is installed using NTP or similar. If the time is out of synchronization, Agent activation may fail.

  • An OS reboot may be required at installation or uninstallation, or when various modules are updated. In these cases an alert indicating that a reboot is required is displayed on the management console; reboot the OS promptly.

  • When a module has to be replaced or switched over, a brief communication interruption (momentary interruption) may occur.

  • If you enable the Web Reputation, Firewall or Intrusion Prevention features, a network driver is installed on the target host, causing a momentary interruption. Click here for details.

  • The Agent uses port 4118 and the port number cannot be changed. Confirm that no other application on the host on which the Agent is installed uses this port.

  • Operation tests, including conflict tests with products other than Trend Micro's, have not been performed on hosts on which the Agent is installed. We therefore cannot answer questions about coexistence with individual software; check operation in your own environment. There are also detailed conditions for coexistence with other Trend Micro products. For details, see Operation when coexisting with Trend Micro products and products of other companies.

  • When the Agent connects to the management server through a proxy server, allow the CONNECT method on port 80.

  • Use of the menu may be terminated for a Customer in the following cases:

    • The Customer's use of the menu appears to significantly affect other customers who share the platform.

    • The Customer's usage records show a large discrepancy between actual usage and the usage reported at the time of the subscription request.

  • The functions and logs provided by this menu do not guarantee integrity, accuracy or suitability for the customer's purpose of use.

  • The following information may be provided to the developer and vendor of the functions that make up this menu:

    • Setting details and data obtained when the menu is provisioned.

    • Information obtained by the menu's functions.

  • We cannot guarantee recovery from defects arising from the combination of the customer environment with the functions provided by this menu, or from customer operations other than those NTT Communications indicates.

  • If you use the Agent in an environment with SELinux enabled, the iptables rules may be reset. We do not provide support for creating SELinux policies, including policies intended to avoid this event. We support the Agent even when SELinux is enabled, but note that we may not be able to provide a solution for problems caused by SELinux. Click here for details.


Restrictions for Anti-malware¶

  • The following files are excluded from Anti-malware scanning:

    • Password-protected files

    • Files compressed in unsupported formats

    • Corrupted files

    • Encrypted files

    • Files compressed more than six (6) times (nested compression)

    • Files whose decompressed size exceeds the configured limit

  • On the following types of server, scanning without appropriately chosen scan targets places a heavy load on the server and degrades performance. NTT Com recommends that Customers configure suitable scan exclusions in such cases. Typical examples are:

    • Servers that mount directories over the network

    • Servers with frequent I/O, such as database and Active Directory servers

    • Servers handling very large data volumes (so-called "Big Data" servers)

    • Mail servers (POP / IMAP)


Restrictions in Intrusion prevention and Host-based firewall¶

  • In in-line mode of intrusion prevention, the following communication may be blocked depending on the server's communication state, regardless of whether "Detection" or "Protection" is selected. If "Memory allocation failure" occurs, tune the settings based on sufficient verification, because the memory consumed on the host to evaluate communication increases with the number of simultaneous connections.

    • The number of concurrent TCP connections exceeds 30,000 (initial value)

    • The number of concurrent UDP connections exceeds 30,000 (initial value)

  • Communication that does not conform to the relevant RFC, and therefore appears unauthorized or irregular, may be blocked immediately, for example:

    • No IP header

    • Source IP and destination IP are identical

    • Unusable characters are included in the URI

    • The separator "/" appears more than 100 times in one transmitted message

    • "/xxx/xxx" is used in routing

  • The host-based firewall function includes a setting that records the contents of communication sent and received by the computer as logs (log only). Using this setting records a large amount of log information and strains the resources of the management server. Use of this setting is therefore prohibited by the service specification.

  • Encrypted communication is excluded from intrusion prevention inspection.

  • At most eight (8) application types can be associated with the applicable rules for a single inspected port (transmission source, destination, etc.). Once this limit is exceeded, rule updates are no longer available for that port, the Agent cannot apply a new rule, and it therefore cannot protect against a newly discovered threat. When a single inspected port exceeds this number of application types, the definitive countermeasure is to apply the patches provided by the respective vendors; in addition, either reduce the number of rules applied in Intrusion Prevention Control with Host-Based IDS/IPS, or configure exclusion settings for the applicable rules in Intrusion Prevention Control with Host-Based IDS/IPS.

  • The following server usages require the Customer to evaluate and test the most suitable setting values:

    • High-traffic servers (large-scale Web servers, DNS servers, AD servers, mail servers, file (storage) servers, etc.)

    • Servers that require real-time output quality (such as VoIP and/or streaming servers)

  • When multiple host-based firewall functions are enabled on a host, they may conflict and cause unexpected behavior. The OS standard host-based firewall functions are therefore automatically disabled as follows.

    • Windows Firewall is not disabled when the Windows version of the host-based firewall is installed or upgraded, but it is disabled once the host-based firewall function is enabled and one or more host-based firewall rules are assigned. (Windows Firewall is enabled again if the host-based firewall function is later turned off.)

    • iptables on Linux is not disabled during installation of the Linux version of the software, but it is disabled once the host-based firewall or the intrusion prevention function is enabled. If the Agent is disabled, iptables is enabled again and the settings return to their original state.

  • Rule processing includes a "log only" action; do not set it during normal operation. "Log only" saves the contents of the communication sent and received by the host as logs. Because it records a large amount of log information, it risks straining the resources of the management server and the host. Therefore do not set "log only" except for investigative purposes, such as during failure isolation.

  • Regardless of priority, once you create even one Allow rule, all communication not matched by the configured rules is forcibly denied (Implicit Deny). If you use Allow rules, investigate the communication requirements sufficiently before creating the rules you need.

  • When a Bypass or Force Allow action is used, its priority should be set higher than that of the Allow/Deny rules. If the priority of an Allow/Deny rule is higher, the Bypass or Force Allow may not take effect. If only Bypass/Force Allow rules are used in the host-based firewall function, "Implicit Deny" does not apply. When you create such a rule, be sure to create one for each direction, outgoing and incoming.

  • Bypass is used for communication that you do not want to restrict. Communication matched by a Bypass rule cannot be restricted by the intrusion prevention or host-based firewall functions. However, if another Allow/Deny rule exists with the same condition as the Bypass rule and a higher priority, the Bypass action is not taken, because the action of the higher-priority rule is used instead. For communication that must be bypassed, therefore, set the Bypass rule's priority higher than the Allow/Deny rules so that it is not affected by other rules. In addition, configure a bidirectional (incoming and outgoing) Bypass for that communication.

  • Force Allow is used when you want communication to pass without the host-based firewall and stateful functions. Intrusion prevention functions still operate on communication matched by Force Allow rules. However, if another Allow/Deny rule exists with the same condition as the Force Allow rule and a higher priority, the Force Allow action is not taken, because the action of the higher-priority rule is used instead. For communication that must be Force Allowed, therefore, set the Force Allow rule's priority higher than the Allow/Deny rules so that it is not affected by other rules. In addition, configure a bidirectional (incoming and outgoing) rule for that communication.
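The rule semantics described in the last four points (priority ordering, Implicit Deny once an Allow rule exists, Bypass/Force Allow shadowed by a higher-priority Allow/Deny rule, bidirectional configuration) as an added example that models them in code; it is a simplified model written for this page, not Deep Security's rule engine, and the Rule and Packet types, which match only on direction and port, are hypothetical.

```python
"""Simplified model of the host-based firewall rule semantics described above.

Added example written for this page; it models the behaviour the
restrictions describe and is not Deep Security's actual rule engine.
Rule and Packet are hypothetical types: a rule matches on direction and
port, the highest-priority matching rule wins, Implicit Deny applies only
once at least one Allow rule exists, and Bypass / Force Allow rules are
expected in both directions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, DENY, BYPASS, FORCE_ALLOW = "Allow", "Deny", "Bypass", "Force Allow"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # one of ALLOW, DENY, BYPASS, FORCE_ALLOW
    direction: str         # "incoming" or "outgoing"
    port: Optional[int]    # None matches any port
    priority: int          # higher value is evaluated first


@dataclass(frozen=True)
class Packet:
    direction: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.direction == pkt.direction and rule.port in (None, pkt.port)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason): the action taken on pkt and the rule that decided it."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if matches(rule, pkt):
            return rule.action, rule.name
    # No rule matched. Implicit Deny exists only once an Allow rule is present;
    # a policy made only of Bypass / Force Allow rules does not deny anything.
    if any(r.action == ALLOW for r in rules):
        return DENY, "implicit deny"
    return ALLOW, "no implicit deny"


def lint(rules: List[Rule]) -> List[str]:
    """Flag the two Bypass / Force Allow misconfigurations the restrictions warn about."""
    issues = []
    for r in rules:
        if r.action not in (BYPASS, FORCE_ALLOW):
            continue
        # An Allow/Deny rule with the same (or a broader) condition and a higher
        # priority is evaluated first, so the Bypass / Force Allow never fires.
        shadows = [o for o in rules if o.action in (ALLOW, DENY) and o.direction == r.direction
                   and o.port in (None, r.port) and o.priority > r.priority]
        for o in shadows:
            issues.append(f"{r.name}: shadowed by higher-priority {o.action} rule {o.name}")
        other = "outgoing" if r.direction == "incoming" else "incoming"
        if not any(o.action == r.action and o.direction == other and o.port == r.port for o in rules):
            issues.append(f"{r.name}: no matching {other} rule; set it bidirectionally")
    return issues


if __name__ == "__main__":
    # Constructed policy: one Allow rule for SSH turns on Implicit Deny, and a
    # Bypass for HTTPS sits below a Deny rule, so the Bypass never takes effect.
    policy = [
        Rule("allow-ssh-in", ALLOW, "incoming", 22, priority=1),
        Rule("deny-https-in", DENY, "incoming", 443, priority=2),
        Rule("bypass-https-in", BYPASS, "incoming", 443, priority=1),
    ]
    for pkt in (Packet("incoming", 22), Packet("incoming", 80), Packet("incoming", 443)):
        print(pkt, "->", evaluate(policy, pkt))
    for issue in lint(policy):
        print("lint:", issue)
```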


Restrictions in Application control¶

  • Unlike integrity monitoring, which monitors all files, application control inventories and checks for changes in software files only, such as:

    • Linux .so libraries

    • Java .jar and .class files

    • PHP, Python and shell scripts

  • Files with the following extensions are detected as software even without execute permission:

    • class / jar / war / ear / php / py / pyc / pyo / pyz

Copyright © NTT Communications All Rights Reserved.