Set up Web Reputation

The Web Reputation module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of Web sites that users are attempting to access. The Web site's reputation is correlated with the specific Web reputation policy enforced on the computer. Depending on the Web Reputation Security Level being enforced, Deep Security will either block or allow access to the URL.

The Web Reputation module does not block HTTPS traffic.

Basic Configuration

To enable Web Reputation functionality on a computer:

  1. In the Computer or Policy editor, go to Web Reputation > General. (You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit, or select the policy and click Details. To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details.)
  2. Select On, and then click Save.

Inline vs. Tap Mode

Web Reputation uses the Deep Security Network Engine, which can operate in one of two modes:

  • Inline: Packet streams pass directly through the Deep Security network engine. All rules are therefore applied to the network traffic before it proceeds up the protocol stack.
  • Tap Mode: Packet streams are replicated and diverted from the main stream.

In Tap Mode, the live stream is not modified. All operations are performed on the replicated stream. When in Tap Mode, Deep Security offers no protection beyond providing a record of Events.

To switch between Inline and Tap mode, open the Computer or Policy editor and go to Settings > Advanced > Network Engine Mode.

Smart Protection Server

The Smart Protection Service for web reputation supplies web information required by the web reputation module. For more information, see Smart Protection in Deep Security.

To configure Smart Protection Server:

  1. Go to Policies.
  2. Double-click the policy you'd like to edit.
  3. Click Web Reputation > Smart Protection.
  4. Select whether to connect directly to Trend Micro's Smart Protection service:
    1. Select Connect directly to Global Smart Protection Service.
    2. Optionally select When accessing Global Smart Protection Service, use proxy. Select New from the drop-down menu and enter your desired proxy.

    Or to connect to one or more locally installed Smart Protection Servers:

    1. Select Use locally installed Smart Protection Server (ex: "http://[server]:5274").
    2. Enter the Smart Protection Server URL into the field and click Add. To find the Smart Protection Server URL, do one of the following:
      • Log in to the Smart Protection Server, and in the main pane, look under Real Time Status. The Smart Protection Server's HTTP and HTTPS URLs are listed in the Web Reputation row. Use the HTTP URL with 10.0 agents or earlier.

        Or

      • If you deployed the Smart Protection Server in AWS, go to the AWS CloudFormation service, select the check box next to the Smart Protection Server stack, and in the bottom pane, click the Outputs tab. The Smart Protection Server's HTTP and HTTPS URLs appear in the WRSurl and WRSHTTPSurl fields. Use the WRSurl URL with 10.0 agents or earlier.
    3. Optionally select When off domain, connect to global Smart Protection Service. (Windows only).
  5. Click Save.

Smart Protection Server Connection Warning

This option determines whether error events are generated and alerts are raised if a computer loses its connection to the Smart Protection Server. Select either Yes or No and click Save.

If you have a locally installed Smart Protection Server, this option should be set to Yes on at least one computer so that you are notified if there is a problem with the Smart Protection Server itself.

Security Levels

Web addresses that are known to be or are suspected of being malicious are assigned one of the following risk levels:

  • Suspicious: Associated with spam or possibly compromised
  • Highly suspicious: Suspected to be fraudulent or possible sources of threats
  • Dangerous: Verified to be fraudulent or known sources of threats

You can enforce one of the following Security Levels:

  • High: Blocks sites that are assessed as:
    • Dangerous
    • Highly Suspicious
    • Suspicious
  • Medium: Blocks only sites that are assessed as:
    • Dangerous
    • Highly Suspicious
  • Low: Blocks only sites that are assessed as:
    • Dangerous

The security levels determine whether Deep Security will allow or block access to a URL. For example, if you set the security level to Low, Deep Security will only block URLs that are known to be Web threats. As you set the security level higher, the Web threat detection rate improves but the possibility of false positives also increases.

You can also choose to block URLs that have not been tested by Trend Micro.

To enforce a Security Level, go to the Computer or Policy editor > Web Reputation > General tab.

Exceptions

You can override the block and allow behavior dictated by the Smart Protection Network's assessments with your own lists of URLs that you want to block or allow. To create these block and allow exception lists, go to the Computer or Policy editor > Web Reputation > Exceptions tab.

Test Web Reputation

Before continuing, test that Web Reputation is working correctly:

  1. Ensure Web Reputation is enabled.
  2. Go to the Computer or Policy editor > Web Reputation > Exceptions.
  3. Under Blocked, enter http://www.speedtest.net and click Add. Click Save.
  4. Open a browser and attempt to access the website. A message denying the access should appear.
  5. Go to Events & Reports > Web Reputation to verify the record of the denied web access. If the detection is recorded, the Web Reputation module is working correctly.
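
The following Python sketch is an added example, not Trend Micro code: it models how the settings described on this page (Security Level, blocking of untested URLs, exception lists, Tap Mode and the HTTPS limitation) combine into an allow, block or log-only outcome, so you can see what a given configuration leaves uncovered. Assumptions not stated on this page: exception entries match as URL prefixes, the Allowed list is checked before the Blocked list, and the rating labels "untested" and "safe" and all function names are chosen for this model.

```python
from collections import Counter
from urllib.parse import urlsplit

# Risk ratings blocked at each Security Level, as listed on this page.
BLOCKED_AT = {
    "low": {"dangerous"},
    "medium": {"dangerous", "highly suspicious"},
    "high": {"dangerous", "highly suspicious", "suspicious"},
}

def evaluate(url, rating, *, level="medium", block_untested=False,
             allowed=(), blocked=(), tap_mode=False):
    """Return (action, reason) for one request under the given settings.

    rating is one of the page's risk levels, or "untested" / "safe"
    (the last two are labels chosen for this model).
    """
    if urlsplit(url).scheme.lower() == "https":
        return "allow", "HTTPS traffic is not blocked"
    # Assumption: entries match as URL prefixes, Allowed is checked first.
    if any(url.startswith(entry) for entry in allowed):
        return "allow", "exception: allowed list"
    if any(url.startswith(entry) for entry in blocked):
        reason = "exception: blocked list"
    elif rating in BLOCKED_AT[level]:
        reason = f"rated {rating} at level {level}"
    elif rating == "untested" and block_untested:
        reason = "untested URL and block-untested is on"
    else:
        return "allow", "no rule matched"
    # Tap Mode only records the event; the live stream is not modified.
    return ("log-only" if tap_mode else "block"), reason

def coverage(samples, **settings):
    """Count the resulting actions over (url, rating) pairs."""
    return Counter(evaluate(u, r, **settings)[0] for u, r in samples)

# Constructed sample traffic (reserved .example names plus the page's test URL).
SAMPLES = [
    ("http://bad.example/payload", "dangerous"),
    ("https://bad.example/payload", "dangerous"),
    ("http://phish.example/login", "highly suspicious"),
    ("http://spam.example/offer", "suspicious"),
    ("http://new.example/", "untested"),
    ("http://www.speedtest.net/", "safe"),
]

if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, dict(coverage(SAMPLES, level=level)))
    print("tap", dict(coverage(SAMPLES, level="high", tap_mode=True)))
```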