Web Reputation

The Web Reputation module protects against web threats by blocking access to malicious URLs. Vulnerability ProtectionDeep Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of Web sites that users are attempting to access. The Web site's reputation is correlated with the specific Web reputation policy enforced on the computer. Depending on the Web Reputation Security Level being enforced, Vulnerability ProtectionDeep Security will either block or allow access to the URL.

Basic Configuration

To enable Web Reputation functionality on a computer:

In the Policy/Computer editor, go to Web Reputation > General
Select On , and then click Save

Inline vs. Tap Mode

Web Reputation uses the Vulnerability ProtectionDeep Security Network Engine which can operate in one of two modes:

Inline: Live packet streams pass directly through the Vulnerability ProtectionDeep Security network engine. All rules, therefore are applied to the network traffic before they proceed up the protocol stack
Tap Mode: Live packet streams are replicated and diverted from the main stream.

In Tap Mode, the live stream is not modified. All operations are performed on the replicated stream. When in Tap Mode, Vulnerability ProtectionDeep Security offers no protection beyond providing a record of Events.

To switch between Inline and Tap mode, open a Policy or Computer Editor and go to Settings > Network Engine > Network Engine Mode.

Smart Protection Server

The Web Reputation module relies on databases maintained on the Trend Micro Smart Protection Network. Vulnerability ProtectionDeep Security will either connect to a locally installed Smart Protection Server or it will connect to the Global smart Protection Service. To configure the connection to the Smart Protection Network, go to the Policy/Computer Editor > Web Reputation > Smart Protection tab.

Security Levels

Web addresses that are known to be or are suspected of being malicious are assigned a risk level of

Suspicious: Associated with spam or possibly compromised
Highly suspicious: Suspected to be fraudulent or possible sources of threats
Dangerous: Verified to be fraudulent or known sources of threats

You can enforce the one of the following Security Levels:

High: Blocks sites that are assessed as:
- Dangerous
- Highly Suspicious
- Suspicious
Medium: Blocks only sites that are assessed as:
- Dangerous
- Highly Suspicious
Low: Blocks only sites that are assessed as:
- Dangerous

The security levels determine whether Vulnerability ProtectionDeep Security will allow or block access to a URL. For example, if you set the security level to Low, Vulnerability ProtectionDeep Security will only block URLs that are known to be Web threats. As you set the security level higher, the Web threat detection rate improves but the possibility of false positives also increases.

You can also choose to block URLs that have not been tested by Trend Micro.

To enforce a Security Level, go to the Policy/Computer Editor > Web Reputation > General tab.

Exceptions

You can override the block/allow behavior dictated by the Smart Protection Network's assessments with your lists of URLs that you want to block or allow. To create these block/allow exception lists, go to the Policy/Computer Editor > Web Reputation > Exceptions tab.