Reputation service unavailable trend micro

Configure Web Reputation

The web reputation module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro’s Web security databases from Smart Protection Network sources to check the reputation of websites that users are attempting to access. The website’s reputation is correlated with the specific web reputation policy enforced on the computer. Depending on the security level being enforced, Deep Security will either block or allow access to the URL.

The web reputation module does not block HTTPS traffic.

To enable and configure web reputation, perform the basic steps below:

To suppress messages that appear to users of agent computers, see Configure notifications on the computer.

Turn on the web reputation module

  1. Go to Policies.
  2. Double-click the policy for which you want to enable web reputation.
  3. Click Web Reputation > General.
  4. For Web Reputation State, select On.
  5. Click Save.

Enable the Trend Micro Toolbar

After you enable the Trend Micro Toolbar, if you use your web browser to visit a dangerous, highly suspicious, or suspicious website, you will see a blocking page in the main window of your web browser and a pop-up message in the Windows notification area. In addition, attempts to access a URL rated as dangerous, highly suspicious, or suspicious will be logged in Workload Security’s Web Reputation Events tab.

When the Trend Micro Toolbar is included in your browser extensions, a small Trend Micro logo will appear in your browser:

  • In Chrome and Firefox, the logo appears to the right of the website address field.

Install the toolbar for Windows

The Trend Micro Toolbar extension for Windows is supported only on certain Windows platforms. It is currently supported only with the Chrome browser. See the Supported features by platform tables for more details.

The Trend Micro Toolbar for Windows is downloaded automatically when the Web Reputation module is enabled and will be installed the next time the web browser is restarted.

Switch between inline and tap mode

Web reputation uses the Deep Security Network Engine which can operate in one of two modes:

  • Inline: Packet streams pass directly through the Deep Security network engine. All rules are applied to the network traffic before they proceed up the protocol stack.
  • Tap mode: Packet streams are not modified. The traffic is still processed by Web Reputation, if it’s enabled. However any issues detected do not result in packet or connection drops. When in Tap mode, Deep Security offers no protection beyond providing a record of events.

In tap mode, the live stream is not modified. All operations are performed on the replicated stream. When in tap mode, Deep Security offers no protection beyond providing a record of events.

To switch between inline and tap mode, open the Computer or Policy editor and go to Settings > Advanced > Network Engine Mode.

You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).

Enforce the security level

Web addresses that are known to be or are suspected of being malicious are assigned a risk level of:

  • Dangerous: Verified to be fraudulent or known sources of threats
  • Highly suspicious: Suspected to be fraudulent or possible sources of threats
  • Suspicious: Associated with spam or possibly compromised

Security levels determine whether Deep Security will allow or block access to a URL, based on the associated risk level. For example, if you set the security level to low, Deep Security will only block URLs that are known to be web threats. As you set the security level higher, the web threat detection rate improves but the possibility of false positives also increases.

To configure the security level:

  1. Go to Policies.
  2. Double-click the policy that you want to edit.
  3. Click Web Reputation > General.
  4. Select one of the following security levels:
    • High: Blocks pages that are:
      • Dangerous
      • Highly suspicious
      • Suspicious
    • Medium: Blocks pages that are:
      • Dangerous
      • Highly suspicious
    • Low: Blocks pages that are:
      • Dangerous
  5. Click Save.

Create exceptions

You can override the block and allow behavior dictated by the Smart Protection Network’s assessments with your lists of URLs that you want to block or allow.

To create URL exceptions:

  1. Go to Policies.
  2. Double-click the policy that you want to edit.
  3. Click Web Reputation > Exceptions.
  4. To allow URLs:
    1. Go to the Allowed section.
    2. In the blank under URLs to be added to the Allowed list (one per line), enter your desired URL. Multiple URLs can be added at once but they must be separated by a line break.
    3. Select either:
      • Allow URLs from the domain: Allow all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, "example.com" and "another.example.com" are valid entries.
      • Allow the URL: The URL as entered will be allowed. Wildcards are supported. For example, "example.com/shopping/coats.html" and "example.com/shopping/*" are valid entries.
    4. Click Add.
  5. To block URLs:
    1. Go to the Blocked section.
    2. In the blank under URLs to be added to the Blocked list (one per line), enter your desired URL. Multiple URLs or keywords can be added at once but they must be separated by a line break.
    3. Select either:
      • Block URLs from the domain: Block all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, "example.com" and "another.example.com" are valid entries.
      • Block the URL: The URL as entered will be blocked. Wildcards are supported. For example, "example.com/shopping/coats.html" and "example.com/shopping/*" are valid entries.
      • Block URLs containing this keyword: Any URL containing the keyword will be blocked.
    4. Click Add.
  6. Click Save.
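
The following sketch is an added example, not Trend Micro code. It models how the settings described so far combine into one outcome per request: URL scheme, network engine mode, security level and the exception lists. The function names, the tuple format for exception entries, the matching rules and the rule that the Allowed list takes precedence over the Blocked list are assumptions made for illustration; the Trend Micro Toolbar is not modelled.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Risk levels blocked at each security level, as listed on this page.
BLOCKED_AT = {
    "low": {"dangerous"},
    "medium": {"dangerous", "highly suspicious"},
    "high": {"dangerous", "highly suspicious", "suspicious"},
}

def _split(url):
    """Return (scheme, host, host+path), lower-cased; scheme defaults to http."""
    parts = urlsplit(url.lower() if "://" in url else "http://" + url.lower())
    host = parts.hostname or ""
    return parts.scheme, host, (host + parts.path).rstrip("/")

def matches(url, entries):
    """entries: (kind, value) pairs; kind is 'domain', 'url' or 'keyword'."""
    _, host, host_path = _split(url)
    for kind, value in entries:
        value = value.lower()
        if kind == "domain" and (host == value or host.endswith("." + value)):
            return True   # domain entries cover sub-domains
        if kind == "url" and fnmatchcase(host_path, _split(value)[2]):
            return True   # '*' wildcard; exact matching rules are assumed
        if kind == "keyword" and value in url.lower():
            return True
    return False

def decide(url, risk, level, allowed=(), blocked=(), mode="inline"):
    """Return 'allow', 'block' or 'log-only'; risk is None for unrated URLs."""
    if _split(url)[0] == "https":
        return "allow"        # the module does not block HTTPS traffic
    if matches(url, allowed):
        return "allow"        # ASSUMPTION: Allowed takes precedence over Blocked
    if not (matches(url, blocked) or risk in BLOCKED_AT[level]):
        return "allow"
    return "block" if mode == "inline" else "log-only"  # tap mode only records
```

Running a proposed Allowed list through `matches` before saving it shows how far a domain entry reaches: under the assumed precedence, one such entry exempts every sub-domain from blocking regardless of its risk rating.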

Configure the Smart Protection Server

Smart Protection Service for web reputation supplies web information required by the web reputation module. For more information, see Smart Protection Network — Global Threat Intelligence.

To configure Smart Protection Server:

  1. Go to Policies.
  2. Double-click the policy you’d like to edit.
  3. Click Web Reputation > Smart Protection.
  4. Select whether to connect directly to Trend Micro’s Smart Protection service:
    1. Select Connect directly to Global Smart Protection Service.
    2. Optionally select When accessing Global Smart Protection Service, use proxy. Select New from the drop down menu and enter your desired proxy.

    Or to connect to one or more locally installed Smart Protection Servers:

    1. Select Use locally installed Smart Protection Server (ex: "http://[server]:5274").
    2. Enter the Smart Protection Server URL into the field and click Add. To find the Smart Protection Server URL, do one of the following:
      • Log in to the Smart Protection Server, and in the main pane, look under Real Time Status. The Smart Protection Server’s HTTP and HTTPS URLs are listed in the Web Reputation row. The HTTPS URL is only supported with 11.0 Deep Security Agents and up. If you have 10.3 or earlier agents, use the HTTP URL.
      • If you deployed the Smart Protection Server in AWS, go to the AWS CloudFormation service, select the check box next to the Smart Protection Server stack, and in the bottom pane, click the Outputs tab. The Smart Protection Server’s HTTP and HTTPS URLs appear in the WRSurl and WRSHTTPSurl fields. The WRSHTTPSurl is only supported with 11.0 Deep Security Agents and up. If you have 10.3 or earlier agents, use the WRSurl URL.
  5. Optionally select When off domain, connect to global Smart Protection Service. (Windows only).
  6. Click Save.

Smart Protection Server Connection Warning

This option determines whether error events are generated and alerts are raised if a computer loses its connection to the Smart Protection Server. Select either Yes or No and click Save.

Edit advanced settings

Blocking Page

When users attempt to access a blocked URL, they will be redirected to a blocking page. In the blank for Link, provide a link that users can use to request access to the blocked URL.

Alert

Decide to raise an alert when a web reputation event is logged by selecting either Yes or No.

Ports

Select specific ports to monitor for potentially harmful web pages from the drop down list next to Ports to monitor for potentially harmful web pages.

Test Web Reputation

Before continuing, test that the Web Reputation is working correctly:

  1. Ensure Web Reputation is enabled.
  2. Go to the Computer or Policy editor > Web Reputation > Exceptions.
  3. Under Blocked, enter http://www.speedtest.net and click Add. Click Save.
  4. Open a browser and attempt to access the website. A message denying the access should appear.
  5. Go to Events & Reports > Web Reputation to verify the record of the denied web access. If the detection is recorded, the Web Reputation module is working correctly.


Warning: Census, Good File Reputation, and Predictive Machine Learning Service Disconnected

The Census, Good File Reputation, and Predictive Machine Learning Services are security services hosted by the Trend Micro Smart Protection Network. They are necessary for the full and successful operation of the Workload Security behavior monitoring, predictive machine learning, and process memory scan features.

The following table maps the services to features.

Service name                          Required for these features
Global Census Service                 behavior monitoring, predictive machine learning
Good File Reputation Service          behavior monitoring, predictive machine learning, process memory scans
Predictive Machine Learning Service   predictive machine learning

If you see the alert Census, Good File Reputation, and Predictive Machine Learning Service Disconnected, there are a few causes:

Cause 1: The agent or relay-enabled agent doesn’t have Internet access

If your agent or relay-enabled agent doesn’t have access to the Internet, then it can’t reach these services.

  • Check your firewall policies and ensure that the outbound HTTP and HTTPS ports (by default, 80 or 443) are open.
  • If you are unable to open those ports, see Configure agents that have no Internet access for other solutions.

Cause 2: A proxy was enabled but not configured properly

The Census, Good File Reputation and Predictive Machine Learning Services can be accessed using a proxy.

To check whether a proxy was enabled and make sure it was configured properly:

  1. Open the Computer or Policy editor.
  2. On the left, click Settings.
  3. In the main pane, click the General tab.
  4. Find the heading titled, Network Setting for Census, Good File Reputation Service, and Predictive Machine Learning.
  5. If a proxy was specified, click Edit and make sure its Proxy Protocol, Address, Port and optional User Name and Password are accurate.


Blocked?

If your ISP address has been blocked but you are not the administrator of the IP address(es) in any of the Email Reputation Services lists, contact your ISP to resolve the problem. Trend Micro Email Reputation Services cannot resolve issues regarding any of the blocked lists with end-users or those who are not directly responsible for the particular network on the blocked lists.

If you are the ISP provider and your IP address, or your subscriber’s IP address, has been blocked, refer to Step 3: Send a Removal Request.

Trend Micro will only remove IP addresses at the request of the valid owner of the IP space.

There are several reasons why an IP address may need to be removed from the blocked lists:

  • If an ISP, especially a smaller one with one or more Class C networks to its name, reorganizes its IP address pool so its fixed servers and dial-ups change places.
  • If you inherited an address pool that had previously been blocked or is still being blocked.
  • Because IP addresses are dynamic, some IP addresses might have been added to the blocked lists incorrectly.

But why is your address being blocked? Here are some reasons why.

If your IP address is in the DUL list and:

  • If you use a standard mail client, it is probably because your mail program is set to use a mail server other than the one your current ISP provided you.
  • If you use a mail (SMTP) server on your own computer, or you share your Internet connection with several other people on a local network with a proxy server, it is probably because your recipients cannot tell the difference between your legitimate mail delivery and a spammer’s trespassing on their equipment.

If your IP address is in the Known Spam Source List, your IP address may be getting blocked because the IP address:

  • May be a known spam source
  • May support a service that sends spam
  • May use multi-hop open relay
  • May be using a compromised host

If your IP address is in the QIL list, there might be some unauthorized activities happening on your computer or server. This might mean that your computer has been hacked or compromised.
