Configure agents that have no internet access

If your agents or relays don't have access to the internet (also called "air-gapped agents"), then they won't be able to access several of the security services provided by the Trend Micro Smart Protection Network. These security services are necessary for the full and successful operation of the Workload Security Anti-Malware and Web Reputation features.

The Trend Micro Smart Protection Network security services are:

Service name                          Required for these features
------------------------------------  ---------------------------------------------------------------------
Smart Scan Service                    Smart Scan
Web Reputation Service                Web Reputation
Global Census Service                 Behavior monitoring, predictive machine learning
Good File Reputation Service          Behavior monitoring, predictive machine learning, process memory scans
Predictive Machine Learning Service   Predictive machine learning

In addition to the above services, the agent and relay-enabled agent also need access to the Trend Micro Update Server (also called Active Update), which is not part of the Smart Protection Network, but is a component that is hosted by Trend Micro and accessed over the internet.

If any of your agents or relay-enabled agents can't reach the services above, you have several solutions, described below.

Solutions

Use a proxy

If your agents or relay-enabled agents can't connect to the internet, you can install a proxy that can. Your Deep Security Agents and relays connect to the proxy, and the proxy then connects outbound to the Trend Micro security services in the Smart Protection Network.

With a proxy, each Smart Scan or Web Reputation request goes out over the internet to the Smart Protection Network. Consider instead using a Smart Protection Server inside your LAN to keep these requests within your network and reduce extranet bandwidth usage.

To use a proxy, see Connect agents behind a proxy.
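Before choosing between these solutions it helps to know exactly which services an agent host cannot reach, and which features from the table above that would degrade. The following added example (not Trend Micro's code) probes each service endpoint over TLS, either directly or through an HTTP CONNECT proxy, and maps unreachable services to the affected features. The hostnames are placeholders, not real Trend Micro endpoints; substitute the addresses from your own documentation or firewall allow-list.

```python
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Service-to-feature mapping, taken from the table on this page.
SERVICE_FEATURES: Dict[str, Set[str]] = {
    "Smart Scan Service": {"Smart Scan"},
    "Web Reputation Service": {"Web Reputation"},
    "Global Census Service": {"Behavior monitoring", "Predictive machine learning"},
    "Good File Reputation Service": {"Behavior monitoring", "Predictive machine learning",
                                     "Process memory scans"},
    "Predictive Machine Learning Service": {"Predictive machine learning"},
}
# PLACEHOLDER hostnames (assumption, not from the page): replace with the endpoints
# from your Workload Security documentation or firewall allow-list.
SERVICE_ENDPOINTS: Dict[str, str] = {
    "Smart Scan Service": "smart-scan.placeholder.invalid",
    "Web Reputation Service": "web-reputation.placeholder.invalid",
    "Global Census Service": "census.placeholder.invalid",
    "Good File Reputation Service": "good-file-rep.placeholder.invalid",
    "Predictive Machine Learning Service": "pml.placeholder.invalid",
}

def tls_reachable(host: str, port: int = 443, proxy: Optional[Tuple[str, int]] = None,
                  timeout: float = 5.0) -> bool:
    """True if a TLS handshake with host:port succeeds, directly or via an HTTP CONNECT proxy."""
    try:
        if proxy is None:
            sock = socket.create_connection((host, port), timeout=timeout)
        else:
            sock = socket.create_connection(proxy, timeout=timeout)
            sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
            status = sock.recv(4096).split(b"\r\n", 1)[0]
            if b" 200" not in status:  # proxy refused the tunnel
                sock.close()
                return False
        ctx = ssl.create_default_context()  # verifies certificate chain and hostname
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except OSError:  # DNS failure, refused, timeout, TLS/certificate error (ssl.SSLError is an OSError)
        return False

def impacted_features(unreachable: Iterable[str]) -> Set[str]:
    """Features that degrade when the given services cannot be reached."""
    return set().union(*(SERVICE_FEATURES.get(s, set()) for s in unreachable))

def check_services(probe: Callable[[str], bool] = tls_reachable) -> Dict[str, List[str]]:
    """Probe every endpoint; report unreachable services and the features they affect."""
    unreachable = [s for s, host in SERVICE_ENDPOINTS.items() if not probe(host)]
    return {"unreachable": unreachable, "impacted_features": sorted(impacted_features(unreachable))}
```

Run `check_services()` on the agent host itself (or pass `probe=lambda h: tls_reachable(h, proxy=("proxy-host", 8080))` to test the proxy path) and compare the impacted-feature list against what the policy actually enables.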

Install a Smart Protection Server locally

If your agents and relay-enabled agents can't connect to the internet, you can install a Smart Protection Server in your local area network (LAN) to which they can connect. The local Smart Protection Server periodically connects outbound over the internet to the Smart Protection Network to retrieve the latest Smart Scan Anti-Malware patterns and Web Reputation information. This information is cached on the Smart Protection Server and disseminated to your agents and relay-enabled agents.

If you decide to use this solution, remember that:

To deploy a Smart Protection Server:

Disable the features that use Trend Micro security services

You can disable the features that use Trend Micro security services. Doing so improves performance because the air-gapped agent no longer tries (and fails) to query the services.

Without Trend Micro security services, your malware detection is downgraded significantly, ransomware is not detected at all, and process memory scans are also affected. It is therefore strongly recommended that you use one of the other solutions to allow access to Trend Micro security services. If this is impossible, only then should you disable features to realize performance gains.

  • To disable Smart Scans:
    1. Open the Computer or Policy editor.
    2. On the left, click Anti-Malware.
    3. In the main pane, click Smart Protection.
    4. Under Smart Scan, deselect Inherited (if it is selected) and then select Off.
    5. Click Save.
  • To disable web reputation:
    1. Open the Computer or Policy editor.
    2. On the left, click Web Reputation.
    3. In the main pane, make sure the General tab is selected.
    4. From the Configuration drop-down list, select Off.
    5. Click Save.
  • To disable Smart Feedback:
    1. In the Workload Security console, click Administration at the top.
    2. Click System Settings on the left.
    3. In the main pane, click the Smart Feedback tab.
    4. Deselect Enable Trend Micro Smart Feedback (recommended).
    5. Click Save.
  • To disable process memory scans:
    1. In the Workload Security console, click Policies at the top.
    2. On the left, expand Common Objects > Other and then click Malware Scan Configurations.
    3. Double-click a malware scan configuration with a SCAN TYPE of Real-Time.
    4. On the General tab, under Process Memory Scan, deselect Scan process memory for malware.
    5. Click OK.
  • To disable predictive machine learning:
    1. Make sure you still have a real-time malware scan configuration open.
    2. On the General tab, under Predictive Machine Learning, deselect Enable Predictive Machine Learning.
    3. Click OK.
  • To disable behavior monitoring:
    1. Make sure you still have a real-time malware scan configuration open.
    2. On the General tab, under Behavior Monitoring, deselect both options, namely, Detect suspicious activity and unauthorized changes (incl. ransomware) and Back up and restore ransomware-encrypted files.
    3. Click OK.