
Trend Micro: File Extension, Hash Value, IP & URL Blocking through Apex One & Apex Central

Apex One:

To block various files through Apex One, follow the steps below:

· First, log in to the Apex One console and click Agents.

· In this step, select "Predictive Machine Learning Settings" from the drop-down menu.
On the Behavior Monitoring Settings page, click the Exception option.

· To block a file extension, add the file path under "Type the full Program Path".
As an example, let's say we have a program such as 7-Zip installed on our workstation, which we would like
to block through this feature. The steps are demonstrated below:

· Copy the full path along with the *.EXE of the program:

In this step, paste the copied path of the program into this field, as illustrated below:

Once the program path has been added, press Add to Blocked List to block the program, then press
Save at the bottom.

As you can see, 7-Zip has been blocked.

Prerequisites for Behavior Monitoring Settings

The following prerequisites must be met for the Behavior Monitoring Settings to take effect:

· Open "Additional Service Settings" to enable the following features:

Unauthorized Change Prevention Service

Advanced Protection Service

As per the illustration below, enable all the features apart from "Only enable services required
by Security Agent Self-protection features".

In this step, go to the Suspicious Connection Settings.
Select all the features as per the image below and configure both to Log Only.

-------------------------------------------------------------------------------------------------------------------

IP and URL block


-------------------------------------------------------------------------------------------------------------------

Go to the Web Reputation Settings under Settings.

Click the External Agents tab to configure a policy for external agents or the Internal Agents tab to
configure a policy for internal agents.

Under Enable Web Reputation on the following operating systems, select the types of Windows
platforms to protect (Windows desktop platforms and Windows Server platforms).

Tip:

Trend Micro recommends disabling Web Reputation for internal agents if you already use a Trend Micro
product with the web reputation capability, such as InterScan Web Security Virtual Appliance.

Configure the approved and blocked lists. Use the wildcard as in the example below:

Note:

The approved list takes precedence over the blocked list. When a URL matches an entry in the
approved list, agents always allow access to the URL, even if it is in the blocked list.

Select Enable approved/blocked list.

Type a URL.

You can add a wildcard character (*) anywhere on the URL.

For example:

Typing www.trendmicro.com/* means that Web Reputation approves all pages in the Trend Micro
website.

Typing *.trendmicro.com/* means that Web Reputation approves all pages on any sub-domain of
trendmicro.com.

You can type URLs containing IP addresses. If a URL contains an IPv6 address, enclose the address in
parentheses.

Click Add to Approved List or Add to Blocked List.
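
Because the approved list takes precedence, a broad approved wildcard can silently cancel a blocked entry. The following Python check is an added example (not Trend Micro code) that flags blocked entries fully covered by an approved entry. It assumes `*` means "any run of characters" and that URLs are written without a scheme, as in the examples above; the sample lists are constructed.

```python
import re

def to_regex(entry):
    """Compile a list entry, treating '*' as 'any run of characters' (assumed)."""
    return re.compile(".*".join(re.escape(part) for part in entry.split("*")))

def decide(url, approved, blocked):
    """The approved list is checked first, so it wins over the blocked list."""
    if any(to_regex(e).fullmatch(url) for e in approved):
        return "allow"
    if any(to_regex(e).fullmatch(url) for e in blocked):
        return "block"
    return "unlisted"  # neither list matches this URL

def shadowed_blocks(approved, blocked):
    """Blocked entries that can never fire because an approved entry covers them.

    Matching the blocked entry's own text (its '*' included) against the
    approved pattern is sufficient: every URL the blocked entry matches is
    then matched by the approved entry as well.
    """
    return [(b, a) for b in blocked for a in approved
            if to_regex(a).fullmatch(b)]

# Constructed sample lists using reserved example domains.
APPROVED = ["*.example.com/*", "www.example.org/docs/*"]
BLOCKED = ["files.example.com/tools/*", "bad.example.net/*", "www.example.org/*"]

if __name__ == "__main__":
    for b, a in shadowed_blocks(APPROVED, BLOCKED):
        print(f"blocked entry {b!r} is overridden by approved entry {a!r}")
    for url in ("files.example.com/tools/a.exe", "bad.example.net/x",
                "www.example.org/docs/readme", "www.example.org/login"):
        print(url, "->", decide(url, APPROVED, BLOCKED))
```

The third blocked entry shows the partial case: `www.example.org/*` still blocks most pages, but anything under `/docs/` is allowed by the narrower approved entry.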


-------------------------------------------------------------------------------------------------------------------

Blocking the IP Address

-------------------------------------------------------------------------------------------------------------------

The User-defined Approved and Blocked IP lists allow further control over whether endpoints can access
specific IP addresses. Configure these lists when you want to allow access to an address blocked by the
Global C&C IP list or block access to an address that may pose a security risk.

Configuring Global User-defined IP List Settings

Administrators can configure Apex One to allow, block, or log all connections between agents and user-
defined C&C IP addresses.

Note:

The User-defined IP Lists only support IPv4 addresses.

Go to Agents > Global Agent Settings.

Click the Security Settings tab.


Go to the Suspicious Connections Settings section.

Click Edit User-defined IP List.

On the Approved List or Blocked List tab, add the IP addresses that you want to monitor.

Tip:

You can configure Apex One to only log connections made to addresses in the User-defined Blocked IP
list. To only log connections made to the addresses in the User-defined Blocked IP list, see Configuring
Suspicious Connection Settings.

Click Add.

On the new screen that appears, type the IP address, IP address range, or IPv4 address and subnet mask
for Apex One to monitor.

Click Save.

To remove IP addresses from the list, select the check box next to the address and click Delete.

After configuring the lists, click Close to return to the Global Agent Settings screen.

Click Save to deploy the updated list to agents.
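
Before typing a batch of indicators into the console, it helps to screen them for the constraints above: IPv4 only, and one of three forms (single address, range, address with subnet mask). This Python pre-check is an added example, not part of Apex One; the `start-end` and `address/mask` text notations and the sample entries are assumptions made for the script's input.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) IPv4Address for one entry; ValueError if unusable."""
    text = entry.strip()
    if "-" in text:                                   # address range
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError("range start is above range end")
        return lo, hi
    if "/" in text:                                   # address and subnet mask
        net = ipaddress.IPv4Network(text, strict=False)
        return net[0], net[-1]
    addr = ipaddress.IPv4Address(text)                # single address
    return addr, addr

def validate(entries):
    """Split entries into accepted (entry, first, last) and rejected (entry, reason)."""
    accepted, rejected = [], []
    for e in entries:
        try:
            accepted.append((e, *parse_entry(e)))
        except ValueError as err:                     # includes IPv6 input
            rejected.append((e, str(err)))
    return accepted, rejected

def overlaps(approved, blocked):
    """Pairs (approved_entry, blocked_entry) whose address ranges intersect."""
    ok_a, _ = validate(approved)
    ok_b, _ = validate(blocked)
    return [(a, b) for a, a_lo, a_hi in ok_a for b, b_lo, b_hi in ok_b
            if a_lo <= b_hi and b_lo <= a_hi]

# Constructed sample entries from the documentation address ranges.
APPROVED_IPS = ["203.0.113.15"]
BLOCKED_IPS = ["203.0.113.10-203.0.113.20",
               "198.51.100.0/255.255.255.0",
               "2001:db8::1"]                         # IPv6: not supported

if __name__ == "__main__":
    _, bad = validate(BLOCKED_IPS)
    for entry, reason in bad:
        print(f"reject {entry}: {reason}")
    for a, b in overlaps(APPROVED_IPS, BLOCKED_IPS):
        print(f"approved {a} falls inside blocked {b}; resolve before saving")
```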

==================================================================================

1. Trend Micro: hash value (both SHA-1 and SHA-256) block.


==================================================================================

2. Log on to Trend Micro Apex Central.

3. Go to Threat Intel > Customer Intelligence.

4. Click Add.

Enter the SHA-1 hash value or MD5 and configure the scan action.

· Log

· Block