Recommendation Scans
Deep Security can run Recommendation Scans on computers to identify known vulnerabilities. The scan covers the operating system as well as installed applications. Based on what is detected, Deep Security recommends the security Rules that should be applied to that computer.
During a Recommendation Scan, Deep Security Agents scan:
- the operating system
- installed applications
- the Windows registry
- open ports
- the directory listing
- the file system
- running processes and services
- users
For large deployments, Trend Micro recommends managing Recommendations at the Policy level. That is, all computers that are to be scanned should already have a Policy assigned to them. This way, you can make all your rule assignments from a single source (the Policy) rather than having to manage individual rules on individual computers.
Recommendation Scans can be initiated manually or you can create a Scheduled Task to periodically run scans on specified computers.
Limitations
On Linux, the Recommendation Scan engine may not detect applications that were installed outside a standard package manager (for example, compiled from source or unpacked from an archive). Applications installed using standard package managers are detected without problems. An application the scan does not detect gets no Rules recommended for it, so protect such applications by assigning the relevant Rules manually.
The Deep Security Virtual Appliance can perform Agentless Recommendation Scans on virtual machines, but only on Windows VMs, and is limited to scanning:
- the operating system
- installed applications
- the Windows registry
- the file system
Running Recommendation Scans
To launch a Recommendation Scan manually:
- In the Deep Security Manager, go to the Computers page.
- Select the computer or computers you want to scan.
- Right-click the selection and choose Actions > Scan for Recommendations.
To create a Recommendation Scan Scheduled Task:
- In the Deep Security Manager, go to the Administration > Scheduled Tasks page.
- Click New on the toolbar and select "New Scheduled Task" to display the New Scheduled Task wizard.
- Select "Scan Computers for Recommendations" from the Type menu and select how often you want the scan to occur. Click Next.
- The next page will let you be more specific about the scan frequency, depending on your choice in step 3. Make your selection and click Next.
- Now select which computer(s) will be scanned and click Next.
As usual, for large deployments it's best to perform all actions through Policies.
- Finally, give a name to your new Scheduled Task, select whether or not to "Run Task on 'Finish'", click Finish.
Cancelling Recommendation Scans
You can cancel a Recommendation Scan that has been queued but has not yet started running.
To cancel a Recommendation Scan:
- In the Deep Security Manager, go to the Computers page.
- Select the computer or computers where you want to cancel the scans.
- Click Actions > Cancel Recommendation Scan.
Managing Recommendation Scan Results
Deep Security can be configured to automatically assign and unassign Rules based on Recommendation Scan results. Not all recommendations can be implemented automatically. The exceptions are:
- Rules that require configuration before they can be applied.
- Rules that were automatically assigned or unassigned based on a previous Recommendation Scan but which a User has since overridden. For example, if Deep Security automatically assigns a Rule and you subsequently unassign it, the Rule will not be reassigned after the next Recommendation Scan.
- Rules that have been assigned at a higher level in the policy hierarchy cannot be unassigned at a lower level. A Rule assigned to a computer at the Policy level must be unassigned at the Policy level.
- Rules that Trend Micro has issued but which may pose a risk of producing false positives. (This will be addressed in the Rule description.)
The results of the latest Recommendation Scan are displayed on the General tab of the protection module in the Policy/Computer Editor.
Once a Recommendation Scan is complete, open the Policy that is assigned to the computers you have just scanned. Navigate to Intrusion Prevention > General. Click Assign/Unassign... to open the rule Assignment window. Sort the rules "By Application Type", and select "Show Recommended for Assignment" from the display filter menu:
All the recommendations made for all the computers included in the Policy will be listed.
There are two kinds of green flags: full flags and partial flags. Recommended Rules always have a full flag. Application Types may have a full or partial flag. A full flag signifies that all the Rules that are part of this Application Type have been recommended for assignment; a partial flag signifies that only some of the Rules that are part of this Application Type have been recommended.
Also notice the tool tip on a recommended Rule (shown in the screen shot above). It reads: "This Intrusion Prevention Rule is recommended on 1 of 1 computer(s) to which this Policy is assigned." Trend Micro recommends assigning all the recommended Rules to all the computers covered by the Policy. This may mean that some Rules are assigned to computers on which they are not required. However, the minimal effect on performance is outweighed by the ease of management that results from working through Policies.
Remember that a Recommendation Scan will make recommendations for Intrusion Prevention Rules, Log Inspection Rules, and Integrity Monitoring Rules.
Once a Recommendation Scan has run, Alerts will be raised on all computers for which recommendations have been made.
The results of a Recommendation Scan can also include recommendations to unassign rules. This can occur if applications are uninstalled, if security patches from a manufacturer are applied, or if unnecessary rules have been applied manually. To view rules that are recommended for unassignment, select "Show Recommended for Unassignment" from the display filter menu.
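As an added example (not part of the Trend Micro documentation and not the product's own code), the following Python script applies the exceptions listed under Managing Recommendation Scan Results to the results of all computers covered by one Policy: it tallies on how many computers each Rule is recommended (the figure the tool tip reports), builds the union of recommendations to assign at the Policy level as Trend Micro advises, and handles recommendations to unassign, which can be acted on only when every computer that has the Rule no longer needs it. It assumes that per-computer results have the shape of the Deep Security API's IntrusionPreventionAssignments object (assignedRuleIDs, recommendedToAssignRuleIDs, recommendedToUnassignRuleIDs) and that the Manager exposes /api/computers/{id}/intrusionprevention/assignments with api-secret-key and api-version headers; those names are recalled from the API and should be checked against the API reference for your Manager version. The per-computer results in sample_results() are constructed.

```python
"""Reconcile Recommendation Scan results for the computers under one Policy.

Added example, not Trend Micro code. Field and endpoint names are assumptions
recalled from the Deep Security REST API; verify them for your version.
"""
from __future__ import annotations

import json
import urllib.request
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ComputerRecommendations:
    """Latest scan result for one computer (mirrors IntrusionPreventionAssignments, assumed)."""
    computer_id: int
    assigned: set[int]
    recommended_assign: set[int]
    recommended_unassign: set[int]


@dataclass
class Plan:
    assign_to_policy: set[int] = field(default_factory=set)       # union of per-computer recommendations
    unassign_from_policy: set[int] = field(default_factory=set)   # no computer under the Policy needs it
    unassign_on_computers: set[tuple[int, int]] = field(default_factory=set)  # computer-level assignments
    needs_manual_config: set[int] = field(default_factory=set)    # exception: Rule requires configuration
    left_alone_user_override: set[int] = field(default_factory=set)  # exception: a User overrode it earlier
    blocked_inherited: set[int] = field(default_factory=set)      # exception: assigned higher in the hierarchy
    still_needed_elsewhere: set[int] = field(default_factory=set)  # some, but not all, computers can drop it


def parse_assignments(computer_id: int, payload: dict) -> ComputerRecommendations:
    """Convert an API-shaped JSON object (assumed field names) into a result record."""
    return ComputerRecommendations(
        computer_id,
        set(payload.get("assignedRuleIDs", [])),
        set(payload.get("recommendedToAssignRuleIDs", [])),
        set(payload.get("recommendedToUnassignRuleIDs", [])),
    )


def fetch_assignments(manager_url: str, api_key: str, computer_id: int) -> ComputerRecommendations:
    """Fetch one computer's assignments from the Manager (assumed endpoint; not used offline)."""
    req = urllib.request.Request(
        f"{manager_url}/api/computers/{computer_id}/intrusionprevention/assignments",
        headers={"api-secret-key": api_key, "api-version": "v1"},
    )
    with urllib.request.urlopen(req) as resp:  # verify the Manager's TLS certificate in production
        return parse_assignments(computer_id, json.load(resp))


def tally(results: list[ComputerRecommendations]) -> tuple[Counter, Counter]:
    """Count, per Rule, how many computers recommend assigning it and how many recommend unassigning it."""
    assign, unassign = Counter(), Counter()
    for r in results:
        assign.update(r.recommended_assign)
        unassign.update(r.recommended_unassign)
    return assign, unassign


def recommended_on(rule: int, results: list[ComputerRecommendations]) -> tuple[int, int]:
    """The tool tip's figure: (computers recommending this Rule, computers under the Policy)."""
    return sum(rule in r.recommended_assign for r in results), len(results)


def plan_policy_changes(results, policy_assigned, inherited, user_overrides, needs_config) -> Plan:
    """Decide what to change at the Policy level, honouring the documented exceptions."""
    plan = Plan()
    assign_counts, unassign_counts = tally(results)
    for rule in assign_counts:
        if rule in policy_assigned:
            continue  # already assigned through the Policy
        if rule in user_overrides:
            plan.left_alone_user_override.add(rule)
        elif rule in needs_config:
            plan.needs_manual_config.add(rule)  # configure it, then assign by hand
        else:
            plan.assign_to_policy.add(rule)  # assign to every computer, even if only one needs it
    for rule, n in unassign_counts.items():
        assigned_on = [r.computer_id for r in results if rule in r.assigned]
        if rule in inherited:
            plan.blocked_inherited.add(rule)  # must be unassigned at the level that assigned it
        elif rule in user_overrides:
            plan.left_alone_user_override.add(rule)
        elif n < len(assigned_on) or rule in assign_counts:
            plan.still_needed_elsewhere.add(rule)  # a Policy-level change would strip it from those hosts
        elif rule in policy_assigned:
            plan.unassign_from_policy.add(rule)
        else:
            plan.unassign_on_computers.update((cid, rule) for cid in assigned_on)
    return plan


def sample_results() -> list[ComputerRecommendations]:
    """Constructed sample: three computers under one Policy that assigns Rules 1000 and 1001."""
    return [
        parse_assignments(1, {"assignedRuleIDs": [1000, 1001, 1007],
                              "recommendedToAssignRuleIDs": [1002, 1003, 1005],
                              "recommendedToUnassignRuleIDs": [1000, 1001, 1007]}),
        parse_assignments(2, {"assignedRuleIDs": [1000, 1001, 1007],
                              "recommendedToAssignRuleIDs": [1002, 1004],
                              "recommendedToUnassignRuleIDs": [1000, 1001]}),
        parse_assignments(3, {"assignedRuleIDs": [1000, 1001, 1006],
                              "recommendedToAssignRuleIDs": [1002],
                              "recommendedToUnassignRuleIDs": [1000, 1001, 1006]}),
    ]


if __name__ == "__main__":
    plan = plan_policy_changes(sample_results(), policy_assigned={1000, 1001}, inherited={1000},
                               user_overrides={1004}, needs_config={1005})
    print(plan)
```

Rule 1000 in the sample is inherited from a parent Policy, so the plan reports it as blocked even though every computer recommends unassigning it; Rule 1007 is recommended for unassignment on only one of the two computers that have it, so it stays. Wire fetch_assignments() to the Policy's computer list to run this against a real Manager.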
Configuring Recommended Rules
Some Rules require configuration before they can be applied. For example, some Log Inspection Rules require that you specify the location of the log files to be inspected. If this is the case, an Alert will be raised on the Computer on which the recommendation has been made. The text of the Alert will contain the information required to configure the rule.