Detect emerging threats with Predictive Machine Learning

Predictive Machine Learning is supported with version 11.0 and later agents. For information on which platforms support this feature, see Supported features by platform.

Use Predictive Machine Learning to detect unknown or low-prevalence malware. For more information, see Predictive Machine Learning.

Predictive Machine Learning uses the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the Predictive Machine Learning engine on the Trend Micro Smart Protection Network.

As with all detected malware, Predictive Machine Learning logs an event when it detects malware. For more information, see Events collection in Workload Security. You can also create an exception for any false positives. For more information, see Create anti-malware exceptions.

Enable Predictive Machine Learning

Predictive Machine Learning is configured as part of a real-time scan configuration that is applied to a policy or individual computer. For more information, see Configure malware scans. After you configure the scan configuration, apply it to a policy or computer.

Predictive Machine Learning protects only the files and directories that real-time scan is configured to scan. For more information, see Specify the files to scan.

These settings can only be applied to real-time scan configurations.

You can enable Predictive Machine Learning as follows:

  1. Go to Policies > Common Objects > Other > Malware Scan Configurations.

  2. Select the real-time scan configuration to configure and click Details.

    You can also create a new real-time scan configuration.

  3. On the General tab, under Predictive Machine Learning, select Enable Predictive Machine Learning.

  4. Use the Detection Level and Protection Level fields to set how vigilant and how strict Predictive Machine Learning is when it responds to potential threats. Each level determines how confident the engine must be that an activity is malicious before it detects or prevents it:

    • 1 - Cautious: Detection or prevention occurs only when Predictive Machine Learning is highly confident that an activity is malicious.
    • 2 - Moderate: Detection or prevention occurs when Predictive Machine Learning is moderately confident that an activity is malicious. Trend Micro recommends this level for most cases. The Moderate level also detects and prevents everything the Cautious level would.
    • 3 - Aggressive: Detection or prevention occurs even when Predictive Machine Learning has low confidence that an activity is malicious. The Aggressive level also detects and prevents everything the Moderate and Cautious levels would.
    • 4 - Extra Aggressive: Detection or prevention occurs even when Predictive Machine Learning has the lowest confidence that an activity is malicious. The Extra Aggressive level also detects and prevents everything the Aggressive, Moderate, and Cautious levels would.

    The Protection Level (the prevention level) must be the same as or less aggressive than the Detection Level.

    The Protection Level determines whether the action is taken: the action is applied only when the Protection Level is as aggressive as or more aggressive than the level at which the scan result was detected.

  5. In the Action to take list, select the remediation action that you want Workload Security to take when it detects malware:

    • Quarantine (recommended): Moves the infected file to the quarantine directory on the protected computer. The quarantined file can be viewed and restored via Events & Reports > Events > Anti-Malware Events > Identified Files.
    • Pass: Allows full access to the infected file without doing anything to the file. An Anti-Malware Event is still recorded.
    • Delete: On Linux, the infected file is deleted without a backup. On Windows, the infected file is backed up and then deleted. Windows backup files can be viewed and restored via Events & Reports > Events > Anti-Malware Events > Identified Files.

    Note that the preceding actions are not supported for macOS agents.

  6. Click OK.

  7. Open the policy or computer editor to which you want to apply the scan configuration and go to Anti-Malware > General.

  8. Ensure that Anti-Malware State is On or Inherited (On).

  9. In the Real-Time Scan section, select the malware scan configuration.

  10. Click Save.
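The following is an added model of the level semantics described in step 4, not Workload Security code or its API: it enforces the rule that the Protection Level may not be more aggressive than the Detection Level, and shows which scan results are only logged and which also trigger the configured action. Mapping each scan result to the least-aggressive level that would flag it, and the direction of the comparison, are assumptions drawn from the description above.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Level(IntEnum):
    """Predictive Machine Learning levels; a higher value is more aggressive
    (a lower confidence is enough to detect or prevent)."""
    CAUTIOUS = 1
    MODERATE = 2
    AGGRESSIVE = 3
    EXTRA_AGGRESSIVE = 4


VALID_ACTIONS = ("Quarantine", "Pass", "Delete")


@dataclass(frozen=True)
class PmlConfig:
    """Assumed representation of one real-time scan configuration's PML settings."""
    detection_level: Level
    protection_level: Level
    action: str

    def __post_init__(self) -> None:
        # Protection Level must be the same as or less aggressive than Detection Level.
        if self.protection_level > self.detection_level:
            raise ValueError("protection level must not be more aggressive than detection level")
        if self.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


def evaluate(config: PmlConfig, result_level: Level) -> Tuple[bool, Optional[str]]:
    """Return (logged, action) for a scan result.

    result_level (assumption) is the least-aggressive level at which the engine
    would flag this file: CAUTIOUS means highest confidence, EXTRA_AGGRESSIVE
    means lowest. Because each level includes the detections of the levels
    below it, a result is detected when the configured level is at least as
    aggressive as result_level, and the action is applied only when the
    protection level is as well.
    """
    if result_level > config.detection_level:
        return False, None          # below the detection threshold: nothing happens
    if result_level > config.protection_level:
        return True, None           # logged as an Anti-Malware Event, no action taken
    return True, config.action      # logged and the configured action applied
```

A result detected only at the Aggressive level is logged but not acted on under a Detection Level of 3 with a Protection Level of 2, which is what the Protection Level constraint is for.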