Detect emerging threats using Predictive Machine Learning
Use Predictive Machine Learning to detect unknown or low-prevalence malware. (For more information, see Predictive Machine Learning.)
Predictive Machine Learning uses the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the Predictive Machine Learning engine on the Trend Micro Smart Protection Network. To enable Predictive Machine Learning, review the notes below and then follow the procedure that comes after them.
As with all detected malware, Predictive Machine Learning logs an event when it detects malware. (See About Deep Security event logging.) You can also create an exception for any false positives. (See Create anti-malware exceptions.)
Predictive Machine Learning requires access to the Global Census Service, Good File Reputation Service, and Predictive Machine Learning Service. These services are hosted in the Trend Micro Smart Protection Network. If your Deep Security Agents or Virtual Appliance cannot access the Internet directly, see Configure agents that have no internet access for workarounds.
Predictive Machine Learning is configured as part of a real-time scan configuration that is applied to a policy or individual computer. (See Configure malware scans.) After you configure the scan configuration, apply it to a policy or computer.
Predictive Machine Learning protects only the files and directories that real-time scan is configured to scan. See Specify the files to scan.
These settings can only be applied to real-time scan configurations.
- Go to Policies > Common Objects > Other > Malware Scan Configurations.
- Select the real-time scan configuration to configure and click Details.
  - You can also create a new real-time scan configuration if desired.
- On the General tab, under Predictive Machine Learning, select Enable Predictive Machine Learning. In the Action to take list, choose the remediation action that you want Deep Security to take when it detects malware:
  - Quarantine (recommended): Moves the infected file to the quarantine directory on the protected computer. The quarantined file can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files.
  - Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)
  - Delete: On Linux, the infected file is deleted without a backup. On Windows, the infected file is backed up and then deleted. Windows backup files can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files.
- Click OK.
- Open the policy or computer editor to which you want to apply the scan configuration and go to Anti-Malware > General.
- Ensure that Anti-Malware State is On or Inherited (On).
- In the Real-Time Scan section, select the malware scan configuration.
- Click Save.
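The following is an added audit example, not code from the Deep Security documentation or product. It models the requirements in the procedure above (Anti-Malware State On, a real-time scan configuration selected, Predictive Machine Learning enabled, and the chosen action) on a constructed, simplified record layout rather than the real Deep Security API schema, and reports which policies would not be protected as intended or carry a caveat such as Delete on Linux removing the file without a backup.

```python
from dataclasses import dataclass
from typing import Optional

VALID_ACTIONS = {"quarantine", "pass", "delete"}  # actions listed for a PML detection

@dataclass
class ScanConfig:
    name: str
    scan_type: str        # "real-time", "manual" or "scheduled" (constructed field)
    pml_enabled: bool
    action: str = ""      # remediation action when PML detects malware

@dataclass
class Policy:
    name: str
    anti_malware_state: str      # e.g. "On", "Inherited (On)", "Off"
    real_time_config: Optional[ScanConfig]
    platform: str = "windows"    # "windows" or "linux"

def audit_policy(policy: Policy) -> list[str]:
    """Return findings explaining why PML would not protect this policy as intended."""
    findings: list[str] = []
    if policy.anti_malware_state not in ("On", "Inherited (On)"):
        findings.append(f"{policy.name}: Anti-Malware State is '{policy.anti_malware_state}', not On")
    cfg = policy.real_time_config
    if cfg is None:
        findings.append(f"{policy.name}: no real-time scan configuration selected")
        return findings
    # PML settings only take effect in a real-time scan configuration.
    if cfg.scan_type != "real-time":
        findings.append(f"{policy.name}: '{cfg.name}' is a {cfg.scan_type} configuration; PML is ignored")
    if not cfg.pml_enabled:
        findings.append(f"{policy.name}: PML disabled in '{cfg.name}'")
    elif cfg.action not in VALID_ACTIONS:
        findings.append(f"{policy.name}: unknown PML action '{cfg.action}'")
    elif cfg.action == "pass":
        findings.append(f"{policy.name}: action Pass only records an event; file stays accessible")
    elif cfg.action == "delete" and policy.platform == "linux":
        findings.append(f"{policy.name}: action Delete on Linux removes the file without a backup")
    return findings

# Constructed sample policies (not exported from a real Deep Security Manager).
SAMPLE_POLICIES = [
    Policy("web-servers", "Inherited (On)", ScanConfig("Default Real-Time", "real-time", True, "quarantine")),
    Policy("db-linux", "On", ScanConfig("RT Linux", "real-time", True, "delete"), platform="linux"),
    Policy("lab", "Off", ScanConfig("Manual Scan", "manual", True, "quarantine")),
]

def audit_all(policies=SAMPLE_POLICIES) -> dict[str, list[str]]:
    return {p.name: audit_policy(p) for p in policies}
```

Running `audit_all()` over the sample reports the Linux Delete caveat for `db-linux` and two gaps for `lab` (anti-malware off, manual configuration), while `web-servers` comes back clean.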