Set up Web Reputation

The Web Reputation module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of Web sites that users are attempting to access. The Web site's reputation is correlated with the specific Web reputation policy enforced on the computer. Depending on the Web Reputation Security Level being enforced, Deep Security will either block or allow access to the URL.

The Web Reputation module does not block HTTPS traffic.

Basic Configuration

To enable Web Reputation functionality on a computer:

  1. In the Computer or Policy editor, go to Web Reputation > General.
     You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
  2. Select On, and then click Save.

Inline vs. Tap Mode

Web Reputation uses the Deep Security Network Engine, which can operate in one of two modes:

  • Inline: Packet streams pass directly through the Deep Security network engine. All rules are therefore applied to the network traffic before it proceeds up the protocol stack.
  • Tap Mode: Packet streams are replicated and diverted from the main stream.

In Tap Mode, the live stream is not modified. All operations are performed on the replicated stream. When in Tap Mode, Deep Security offers no protection beyond providing a record of Events.

To switch between Inline and Tap mode, open the Computer or Policy editor and go to Settings > Advanced > Network Engine Mode.

Smart Protection Server

The Web Reputation module relies on databases maintained on the Trend Micro Smart Protection Network. Deep Security will connect either to a locally installed Smart Protection Server or to the Global Smart Protection Service. To configure the connection to the Smart Protection Network, go to the Computer or Policy editor > Web Reputation > Smart Protection tab.

Security Levels

Web addresses that are known to be or are suspected of being malicious are assigned one of the following risk levels:

  • Suspicious: Associated with spam or possibly compromised
  • Highly suspicious: Suspected to be fraudulent or possible sources of threats
  • Dangerous: Verified to be fraudulent or known sources of threats

You can enforce one of the following Security Levels:

  • High: Blocks sites that are assessed as:
    • Dangerous
    • Highly Suspicious
    • Suspicious
  • Medium: Blocks only sites that are assessed as:
    • Dangerous
    • Highly Suspicious
  • Low: Blocks only sites that are assessed as:
    • Dangerous

The security levels determine whether Deep Security will allow or block access to a URL. For example, if you set the security level to Low, Deep Security will only block URLs that are known to be Web threats. As you set the security level higher, the Web threat detection rate improves but the possibility of false positives also increases.

You can also choose to block URLs that have not been tested by Trend Micro.

To enforce a Security Level, go to the Computer or Policy editor > Web Reputation > General tab.

Test Web Reputation threshold values

The Web Reputation module will use the following threshold values to evaluate a URL:

| Threshold | Value | URL evaluation |
|-----------|-------|----------------|
| High      | 80    | A score of 80 or above is considered safe. |
| Medium    | 65    | A score of 50-79 is considered as unrated and / or suspicious. |
| Low       | 50    | A score of 49 or below is considered as known malicious. |

You can test the threshold value settings using the following test websites:

  • http://wrs21.winshipway.com/ with WRS score 21
  • http://wrs31.winshipway.com/ with WRS score 31
  • http://wrs41.winshipway.com/ with WRS score 41
  • http://wrs51.winshipway.com/ with WRS score 51
  • http://wrs61.winshipway.com/ with WRS score 61
  • http://wrs71.winshipway.com/ with WRS score 71
  • http://wrs81.winshipway.com/ with WRS score 81
  • http://wrs91.winshipway.com/ with WRS score 91

You can change the threshold values by going to Administration > System Settings > Ranking > Web Reputation Settings.
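
An added example, not part of the Deep Security documentation: it turns the threshold table, the Tap Mode behavior and the HTTPS limitation described on this page into an expected-result matrix for the wrsNN test sites and compares a test run against it. It assumes that a Security Level acts on URLs scoring below its threshold value and that allowed or HTTPS requests record no Event; the function names and the sample run are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Threshold values from the table on this page. Assumption: a Security Level
# acts on URLs whose score is below its threshold value.
THRESHOLDS = {"High": 80, "Medium": 65, "Low": 50}
SCORES = (21, 31, 41, 51, 61, 71, 81, 91)
TEST_URLS = [f"http://wrs{n}.winshipway.com/" for n in SCORES]


def score_from_test_url(url):
    """Read the WRS score encoded in a wrsNN test hostname."""
    host = urlsplit(url).hostname or ""
    match = re.fullmatch(r"wrs(\d{2})\.winshipway\.com", host)
    if match is None:
        raise ValueError(f"not a Web Reputation test site: {url}")
    return int(match.group(1))


def expected_result(url, level, mode="inline"):
    """Return (page_loads, event_recorded) expected for one test URL."""
    if urlsplit(url).scheme == "https":
        # The module does not block HTTPS traffic (assumed: no Event either).
        return (True, False)
    if score_from_test_url(url) >= THRESHOLDS[level]:
        return (True, False)
    # Tap Mode leaves the live stream untouched and only records an Event.
    return (mode != "inline", True)


def find_mismatches(level, observed, mode="inline"):
    """List (url, expected, observed) where a test run disagrees."""
    problems = []
    for url in TEST_URLS:
        want = expected_result(url, level, mode)
        got = observed.get(url)  # None means the URL was not tested
        if got != want:
            problems.append((url, want, got))
    return problems


# Constructed sample run: every page loaded, Events exist for scores below 65.
SAMPLE_RUN = {u: (True, score_from_test_url(u) < 65) for u in TEST_URLS}

if __name__ == "__main__":
    for url, want, got in find_mismatches("Medium", SAMPLE_RUN):
        print(f"{url}: expected {want}, observed {got}")
```

A run that matches the matrix only with mode="tap" indicates that the Network Engine is recording Events without blocking.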

Exceptions

You can override the block/allow behavior dictated by the Smart Protection Network's assessments with your lists of URLs that you want to block or allow. To create these block/allow exception lists, go to the Computer or Policy editor > Web Reputation > Exceptions tab.