Configure and manage the Intrusion Prevention module settings.
Intrusion Prevention protects your computers from known and zero-day vulnerability
attacks, and against SQL injection attacks, cross-site scripting attacks, and other
web application vulnerabilities. You can use recommendation settings to allow endpoint
agents to dynamically apply rules based on your security environment.
Procedure
- To protect your endpoints with Intrusion Prevention, select Enable.
  Note
  When you enable Intrusion Prevention, the Intrusion Prevention rules might be hidden. Click Display rule settings under Rule status and configuration to view the Intrusion Prevention rules.
- If you want to evaluate how the Intrusion Detection rules trigger before blocking events on endpoints, select Detect only mode under Intrusion prevention mode override.
  Note
  After evaluating the detected events, you can manually change the Mode settings for individual Intrusion Prevention rules to properly conform to your operational needs.
- Configure Recommendation settings.
  Recommendation settings control which Intrusion Prevention rules agents apply when monitoring your endpoints.
  - Use Recommendation Scan to dynamically apply rules to each endpoint: Allow agents to run the Recommendation Scan and dynamically apply recommended rules to each endpoint. Recommendation scan analyzes your security environment and the context for each endpoint, allowing agents to determine which Intrusion Prevention rules with the Dynamic status to trigger and take actions on.
  - Apply Intrusion Prevention Core ruleset: Triggers and takes actions on Intrusion Prevention rules that are part of the Core and Essential rulesets. Agents can trigger and take actions on any Core or Essential rule not set to Never status in the Rule status and configuration table.
  - Apply Intrusion Prevention rules you have configured to "Always" status: Only triggers and performs actions on an Intrusion Prevention rule if you change the Status of the rule to Always applied in the Rule status and configuration table.
  Important
  Use Recommendation Scan to dynamically apply rules to each endpoint only supports endpoints with Server & Workload Protection features. Endpoints with Standard Endpoint Security features apply the Core ruleset. Support for Standard Endpoint Security is coming soon.
  Use Recommendation Scan to dynamically apply rules to each endpoint is part of the Advanced Server & Workload Protection feature. Selecting this setting allocates credits based on the number of supported endpoints assigned to the policy.
- Manage Rule status and configuration.
  View Intrusion Prevention rule details and manage the rule status.
  - If the rule list is hidden, click Display rule settings to show the rule list.
  - Locate the rule you want to configure.
    Use the search and filters to find the rule you want to manage. Click the Customize Columns icon to manage which table columns are visible.
    To view more details about a rule, click the rule name. To view more details about the monitored application, click the application type.
  - Configure the rule status.
    - Dynamic: Agents might apply the Intrusion Prevention rule to trigger and take action on security events depending on your recommendation settings. Dynamic is the default setting. You must manually change the rule status if you want to set a rule to Always or Never.
    - Always: Agents trigger and take action on the Intrusion Prevention rule regardless of your recommendation settings. You can configure up to 350 rules with the always applied status.
    - Never: Agents do not trigger and take action on the Intrusion Prevention rule regardless of your recommendation settings.
    Important
    Applying Intrusion Prevention rules that are part of the Advanced ruleset requires enabling the Advanced Server & Workload Protection feature. Advanced rules apply to agents with both Server & Workload Protection and Standard Endpoint Protection features. Credits are allocated based on the number of endpoints assigned to the policy.
- To exclude trusted IP addresses from Intrusion Prevention scans and monitoring, select an IP list for IP address exclusions.
  You can create and configure IP lists in Policy Resources. For more information, see IP lists.
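
The following added example (not part of the product or its documentation) models how the Recommendation settings and the per-rule status described above combine to decide whether an agent applies a rule, and checks a policy against the 350-rule Always limit and the Advanced ruleset requirement. All names (`Rule`, `is_applied`, `lint_policy`, the setting strings, the `R-n` rule IDs) are hypothetical, and the logic is a reading of the descriptions on this page, not the product's implementation.

```python
from dataclasses import dataclass

ALWAYS_LIMIT = 350  # the page allows up to 350 rules with the Always status

@dataclass(frozen=True)
class Rule:
    rule_id: str             # constructed identifier, not a real rule ID
    ruleset: str             # "core", "essential" or "advanced"
    status: str = "dynamic"  # "dynamic" (default), "always" or "never"

def effective_setting(setting, has_swp):
    """Recommendation Scan needs Server & Workload Protection features;
    Standard Endpoint Security endpoints apply the Core ruleset instead."""
    if setting == "recommendation_scan" and not has_swp:
        return "core_ruleset"
    return setting

def is_applied(rule, setting, has_swp, recommended=frozenset()):
    """True if an agent would trigger and act on the rule for one endpoint."""
    if rule.status == "never":    # Never wins regardless of the setting
        return False
    if rule.status == "always":   # Always wins regardless of the setting
        return True
    setting = effective_setting(setting, has_swp)
    if setting == "recommendation_scan":
        return rule.rule_id in recommended  # scan result for this endpoint
    if setting == "core_ruleset":
        return rule.ruleset in ("core", "essential")
    if setting == "always_only":
        return False              # Dynamic rules stay inactive
    raise ValueError(f"unknown recommendation setting: {setting}")

def lint_policy(rules, advanced_enabled):
    """Return configuration problems implied by the limits on this page."""
    problems = []
    always = [r for r in rules if r.status == "always"]
    if len(always) > ALWAYS_LIMIT:
        problems.append(f"{len(always)} Always rules exceed the limit of {ALWAYS_LIMIT}")
    for r in always:
        if r.ruleset == "advanced" and not advanced_enabled:
            problems.append(f"{r.rule_id}: Advanced rule needs Advanced Server & Workload Protection")
    return problems

# Constructed sample policy
RULES = [
    Rule("R-1", "core"),
    Rule("R-2", "essential", "never"),
    Rule("R-3", "advanced", "always"),
    Rule("R-4", "advanced"),
]
```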