Block access to malicious URLs with web reputation
The web reputation module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of websites that users are attempting to access. The website's reputation is correlated with the specific web reputation policy enforced on the computer. Depending on the security level being enforced, Deep Security will either block or allow access to the URL.
The web reputation module does not block HTTPS traffic.
To enable and configure web reputation, perform the basic steps below:
- Turn on the web reputation module
- Switch between inline and tap mode
- Enforce the security level
- Create exceptions
- Configure the Smart Protection Server
- Edit advanced settings
- Test Web Reputation
To suppress messages that appear to users of agent computers, see Configure notifications on the computer
Turn on the web reputation module
- Go to Policies.
- Double-click the policy for which you want to enable web reputation.
- Click Web Reputation > General.
- For Web Reputation State, select On.
- Click Save.
Switch between inline and tap mode
Web reputation uses the Deep Security Network Engine which can operate in one of two modes:
- Inline: Packet streams pass directly through the Deep Security network engine. All rules are applied to the network traffic before they proceed up the protocol stack.
- Tap mode: Packet streams are not modified. The traffic is still processed by Web Reputation, if it's enabled. However any issues detected do not result in packet or connection drops. When in Tap mode, Deep Security offers no protection beyond providing a record of events.
In tap mode, the live stream is not modified. All operations are performed on the replicated stream. When in tap mode, Deep Security offers no protection beyond providing a record of events.
To switch between inline and tap mode, open the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). and go to Settings > Advanced > Network Engine Mode.
For more on the network engine, see Test Firewall rules before deploying them.
Enforce the security level
Web addresses that are known to be or are suspected of being malicious are assigned a risk level of:
- Dangerous: Verified to be fraudulent or known sources of threats
- Highly suspicious: Suspected to be fraudulent or possible sources of threats
- Suspicious: Associated with spam or possibly compromised
Security levels determine whether Deep Security will allow or block access to a URL, based on the associated risk level. For example, if you set the security level to low, Deep Security will only block URLs that are known to be web threats. As you set the security level higher, the web threat detection rate improves but the possibility of false positives also increases.
To configure the security level:
- Go to Policies.
- Double-click the policy that you want to edit.
- Click Web Reputation > General.
- Select one of the following security levels:
- High: Blocks pages that are:
- Dangerous
- Highly suspicious
- Suspicious
- Medium: Blocks pages that are:
- Dangerous
- Highly Suspicious
- Low: Blocks pages that are:
- Dangerous
- High: Blocks pages that are:
- Click Save.
Create exceptions
You can override the block and allow behavior dictated by the Smart Protection Network's assessments with your lists of URLs that you want to block or allow.
To create URL exceptions:
- Go to Policies.
- Double-click the policy that you want to edit.
- Click Web Reputation > Exceptions.
- To allow URLs:
- Go to the Allowed section.
- In the blank under URLs to be added to the Allowed list (one per line), enter your desired URL. Multiple URLs can be added at once but they must be separated by a line break.
- Select either:
- Allow URLs from the domain: Allow all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, "example.com" and "another.example.com" are valid entries.
- Allow the URL:: The URL as entered will be allowed. Wildcards are supported. For example, "example.com/shopping/coats.html", and "example.com/shopping/*" are valid entries.
- Click Add.
To block URLs:
- Go to the Blocked section
- In the blank under URLs to be added to the Blocked list (one per line), enter your desired URL. Multiple URLs or keywords can be added at once but they must be separated by a line break.
- Select either:
- Block URLs from the domain: Block all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, "example.com" and "another.example.com" are valid entries.
- Block the URL: The URL as entered will be blocked. Wildcards are supported. For example, "example.com/shopping/coats.html", and "example.com/shopping/*" are valid entries.
- Block URLs containing this keyword: Any URL containing the keyword will be blocked.
- Click Add.
- Click Save.
Configure the Smart Protection Server
Smart Protection Service for web reputation supplies web information required by the web reputation module. For more information, see Smart Protection Network - Global Threat Intelligence.
To configure Smart Protection Server:
- Go to Policies.
- Double-click the policy you'd like to edit.
- Click Web Reputation > Smart Protection.
- Select whether to connect directly to Trend Micro's Smart Protection service:
- Select Connect directly to Global Smart Protection Service.
- Optionally select When accessing Global Smart Protection Service, use proxy. Select New from the drop down menu and enter your desired proxy.
- Select Use locally installed Smart Protection Server (ex: "http://[server]:5274").
- Enter the Smart Protection Server URL into the field and click Add. To find the Smart Protection Server URL, do one of the following:
- Log in to the Smart Protection Server, and in the main pane, look under Real Time Status. The Smart Protection Server's HTTP and HTTPS URLs are listed in the Web Reputation row. The HTTPS URL is only supported with 11.0 Deep Security Agents and up. If you have 10.3 or earlier agents, use the HTTP URL.
Or
- If you deployed the Smart Protection Server in AWS, go to the AWS CloudFormation service, select the check box next to the Smart Protection Server stack, and in the bottom pane, click the Outputs tab. The Smart Protection Server's HTTP and HTTPS URLs appear in the WRSurl and WRSHTTPSurl fields. The WRSHTTPSurl is only supported with 11.0 Deep Security Agents and up. If you have 10.3 or earlier agents, use the WRSurl URL.
- Optionally select When off domain, connect to global Smart Protection Service. (Windows only).
- Click Save.
Or to connect to one or more locally installed Smart Protection Servers:
Smart Protection Server Connection Warning
This option determines whether error events are generated and alerts are raised if a computer loses its connection to the Smart Protection Server. Select either Yes or No and click Save.
Edit advanced settings
Blocking Page
When users attempt to access a blocked URL, they will be redirected to a blocking page. In the blank for Link, provide a link that users can use to request access to the blocked URL.
Alert
Decide to raise an alert when a web reputation event is logged by selecting either Yes or No.
Ports
Select specific ports to monitor for potentially harmful web pages from the drop down list next to Ports to monitor for potentially harmful web pages.
Test Web Reputation
Before continuing, test that the Web Reputation is working correctly:
- Ensure Web Reputation is enabled.
- Go to the Computer or Policy editor > Web Reputation > Exceptions.
- Under Blocked, enter http://www.speedtest.net and click Add. Click Save.
- Open a browser and attempt to access the website. A message denying the access should appear.
- Go to Events & Reports > Web Reputation to verify the record of the denied web access. If the detection is recorded, the Web Reputation module is working correctly.