Block access to malicious URLs with web reputation

For a list of operating systems where web reputation is supported, see Supported features by platform.

The web reputation module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of websites that users are attempting to access. The website's reputation is correlated with the specific web reputation policy enforced on the computer. Depending on the security level being enforced, Deep Security will either block or allow access to the URL.

The web reputation module does not block HTTPS traffic.

To enable and configure web reputation, perform the basic steps below:

  1. Turn on the web reputation module
  2. Switch between inline and tap mode
  3. Enforce the security level
  4. Create exceptions
  5. Configure the Smart Protection Server
  6. Edit advanced settings
  7. Test Web Reputation threshold values

To suppress messages that appear to users of agent computers, see Configure notifications on the computer

Turn on the web reputation module

  1. Go to Policies.
  2. Double-click the policy for which you want to enable web reputation.
  3. Click Web Reputation > General.
  4. For Web Reputation State, select On.
  5. Click Save.

Switch between inline and tap mode

Web reputation uses the Deep Security Network Engine which can operate in one of two modes:

  • Inline: Packet streams pass directly through the Deep Security network engine. All rules, therefore are applied to the network traffic before they proceed up the protocol stack
  • Tap mode: Packet streams are replicated and diverted from the main stream.

In tap mode, the live stream is not modified. All operations are performed on the replicated stream. When in tap mode, Deep Security offers no protection beyond providing a record of events.

To switch between inline and tap mode, open the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). and go to Settings > Advanced > Network Engine Mode.

For more on the network engine, see Test firewall rules before deploying them.

Enforce the security level

Web addresses that are known to be or are suspected of being malicious are assigned a risk level of:

  • Dangerous: Verified to be fraudulent or known sources of threats
  • Highly suspicious: Suspected to be fraudulent or possible sources of threats
  • Suspicious: Associated with spam or possibly compromised

Security levels determine whether Deep Security will allow or block access to a URL, based on the associated risk level. For example, if you set the security level to low, Deep Security will only block URLs that are known to be web threats. As you set the security level higher, the web threat detection rate improves but the possibility of false positives also increases.

To configure the security level:

  1. Go to Policies.
  2. Double-click the policy that you want to edit.
  3. Click Web Reputation > General.
  4. Select one of the following security levels:
    • High: Blocks pages that are:
      • Dangerous
      • Highly suspicious
      • Suspicious
    • Medium: Blocks pages that are:
      • Dangerous
      • Highly Suspicious
    • Low: Blocks pages that are:
      • Dangerous
  5. Click Save.

Create exceptions

You can override the block and allow behavior dictated by the Smart Protection Network's assessments with your lists of URLs that you want to block or allow.

The Allowed list takes precedence over the Blocked list. URLs that match entries in the Allowed list are not checked against the Blocked list.

To create URL exceptions:

  1. Go to Policies.
  2. Double-click the policy that you want to edit.
  3. Click Web Reputation > Exceptions.
  4. To allow URLs:
    1. Go to the Allowed section.
    2. In the blank under URLs to be added to the Allowed list (one per line), enter your desired URL. Multiple URLs can be added at once but they must be separated by a line break.
    3. Select either:
      • Allow URLs from the domain: Allow all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, "example.com" and "another.example.com" are valid entries.
      • Allow the URL:: The URL as entered will be allowed. Wildcards are supported. For example, "example.com/shopping/coats.html", and "example.com/shopping/*" are valid entries.
    4. Click Add.

    To block URLs:

    1. Go to the Blocked section
    2. In the blank under URLs to be added to the Blocked list (one per line), enter your desired URL. Multiple URLs or keywords can be added at once but they must be separated by a line break.
    3. Select either:
      • Block URLs from the domain: Block all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, "example.com" and "another.example.com" are valid entries.
      • Block the URL: The URL as entered will be blocked. Wildcards are supported. For example, "example.com/shopping/coats.html", and "example.com/shopping/*" are valid entries.
      • Block URLs containing this keyword: Any URL containing the keyword will be blocked.
    4. Click Add.
  5. Click Save.

Configure the Smart Protection Server

Smart Protection Service for web reputation supplies web information required by the web reputation module. For more information, see Smart Protection Network - Global Threat Intelligence.

To configure Smart Protection Server:

  1. Go to Policies.
  2. Double-click the policy you'd like to edit.
  3. Click Web Reputation > Smart Protection.
  4. Select whether to connect directly to Trend Micro's Smart Protection service:
    1. Select Connect directly to Global Smart Protection Service.
    2. Optionally select When accessing Global Smart Protection Service, use proxy. Select New from the drop down menu and enter your desired proxy.
  5. Or to connect to one or more locally installed Smart Protection Servers:

    1. Select Use locally installed Smart Protection Server (ex: "http://[server]:5274").
    2. Enter the Smart Protection Server URL into the field and click Add. To find the Smart Protection Server URL, do one of the following:
      • Log in to the Smart Protection Server, and in the main pane, look under Real Time Status. The Smart Protection Server's HTTP and HTTPS URLs are listed in the Web Reputation row. The HTTPS URL is only supported with 11.0 Deep Security Agents and up. If you have 10.3 or earlier agents, use the HTTP URL.

      Or

      • If you deployed the Smart Protection Server in AWS, go to the AWS CloudFormation service, select the check box next to the Smart Protection Server stack, and in the bottom pane, click the Outputs tab. The Smart Protection Server's HTTP and HTTPS URLs appear in the WRSurl and WRSHTTPSurl fields. The WRSHTTPSurl is only supported with 11.0 Deep Security Agents and up. If you have 10.3 or earlier agents, use the WRSurl URL.
    3. Optionally select When off domain, connect to global Smart Protection Service. (Windows only).
  6. Click Save.

Smart Protection Server Connection Warning

This option determines whether error events are generated and alerts are raised if a computer loses its connection to the Smart Protection Server. Select either Yes or No and click Save.

If you have a locally installed Smart Protection Server, this option should be set to Yes on at least one computer so that you are notified if there is a problem with the Smart Protection Server itself.

Edit advanced settings

Blocking Page

When users attempt to access a blocked URL, they will be redirected to a blocking page. In the blank for Link, provide a link that users can use to request access to the blocked URL.

Alert

Decide to raise an alert when a web reputation event is logged by selecting either Yes or No.

Ports

Select specific ports to monitor for potentially harmful web pages from the drop down list next to Ports to monitor for potentially harmful web pages.

Test Web Reputation threshold values

The Web Reputation module will use the following threshold values to evaluate a URL:

Threshold Value URL evaluation
High 80 A score of 80 or above is considered safe.
Medium 65 A score of 50-79 is considered as unrated or suspicious.
Low 50 A score of 49 or below is considered as known malicious.

You can test the threshold value settings using the following test websites:

  • http://wrs21.winshipway.com/ with WRS score 21
  • http://wrs31.winshipway.com/ with WRS score 31
  • http://wrs41.winshipway.com/ with WRS score 41
  • http://wrs51.winshipway.com/ with WRS score 51
  • http://wrs61.winshipway.com/ with WRS score 61
  • http://wrs71.winshipway.com/ with WRS score 71
  • http://wrs81.winshipway.com/ with WRS score 81
  • http://wrs91.winshipway.com/ with WRS score 91

You can change the threshold values by going to Administration > System SettingsRanking > Web Reputation Event Risk Values.