Table of contents

Configure Web Reputation

The Web Reputation module protects against web threats by blocking access to malicious URLs. Workload Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of websites that users are attempting to access. The website's reputation is correlated with the specific Web Reputation policy enforced on the computer. Depending on the security level being enforced, Workload Security either blocks or allows access to the URL.

The Web Reputation module does not block HTTPS traffic.

For a list of operating systems where Web Reputation is supported, see Supported features by platform.

You can enable and configure Web Reputation by performing the following steps:

  1. Enable the Web Reputation module
  2. Enable the Trend Micro Toolbar
  3. Switch between inline and tap mode
  4. Enforce the security level
  5. Create exceptions
  6. Configure the Smart Protection Server
  7. Edit advanced settings
  8. Test Web Reputation

For information on how to suppress messages that appear to users of agent computers, see Configure notifications on the computer.

Enable the Web Reputation module

You can enable the Web Reputation module as follows:

  1. Navigate to Policies.
  2. Double-click the policy for which you want to enable Web Reputation.
  3. Click Web Reputation > General.
  4. For Web Reputation State, select On.
  5. Click Save.

Enable the Trend Micro Toolbar

After enabling the Trend Micro Toolbar, when you use your web browser to visit a dangerous, highly suspicious, or suspicious website, you will see both a blocking page in the main window of your web browser and a message in the notification area. In addition, attempts to access a URL rated as dangerous, highly suspicious, or suspicious are logged in Workload Security's Web Reputation Events tab.

On macOS, the message may not always appear in the notification area, depending on the notifications configuration in the System Preferences.

When the Trend Micro Toolbar is included in your browser extensions, a small Trend Micro logo appears in your browser:

  • In Chrome and Firefox, the logo appears to the right of the website address field.

  • In Safari, the logo appears to the left of the website address field.

Install the toolbar for macOS

Before deploying the toolbar, ensure that you have configured the macOS agent, as described in Configure Mobile Device Management on Workload Security for the macOS agent.

Depending on the web browser you are using, download one of the following extensions:

Once the extension has been downloaded, you can enable the toolbar on your macOS computer running the macOS agent by clicking Enable Extension on the Agent Update: Action Required dialog displayed in the browser.

It is possible to configure the Trend Micro Toolbar from macOS Mobile Device Management, as described in Configure browser plugin extension.

Install the toolbar for Windows

The Trend Micro Toolbar extension for Windows is supported only on certain Windows platforms. It is currently supported with Chrome and Microsoft Edge browsers. See supported features by platform for more information.

The Trend Micro Toolbar for Windows is downloaded automatically when the Web Reputation module is enabled. The toolbar is installed the next time the web browser is restarted.

Switch between inline and tap mode

Web Reputation uses the Workload Security Network Engine which can operate in one of the following modes:

  • Inline: Packet streams pass directly through the Workload Security network engine. All rules are applied to the network traffic before they proceed up the protocol stack.
  • Tap mode: Packet streams are not modified. The traffic is still processed by Web Reputation if it is enabled. However, any issues detected do not result in packet or connection drops. When in Tap mode, Workload Security offers no protection beyond providing a record of events.

In tap mode, the live stream is not modified. All operations are performed on the replicated stream. When in tap mode, Workload Security offers no protection beyond providing a record of events.

To switch between inline and tap mode, open the Computer or Policy editor and navigate to Settings > Advanced > Network Engine Mode.

For more on the network engine, see Test firewall rules before deploying them.

Enforce the security level

Web addresses that are known to be or are suspected of being malicious are assigned one of the following risk levels:

  • Dangerous: Verified to be fraudulent or known sources of threats
  • Highly suspicious: Suspected to be fraudulent or possible sources of threats
  • Suspicious: Associated with spam or possibly compromised

Security levels determine whether Workload Security allows or blocks access to a URL based on the associated risk level. For example, if you set the security level to low, Workload Security will only block URLs that are known to be web threats. As you set the security level higher, the web threat detection rate improves but the possibility of false positives also increases.

Configure the security level

  1. Navigate to Policies.
  2. Double-click the policy that you want to edit.
  3. Click Web Reputation > General.
  4. Select one of the following security levels:

    • High: Blocks pages that are:

      • Dangerous
      • Highly suspicious
      • Suspicious
    • Medium: Blocks pages that are:

      • Dangerous
      • Highly Suspicious
    • Low: Blocks pages that are:

      • Dangerous
  5. Click Save.

Create exceptions

You can override the block and allow behavior dictated by the Smart Protection Network's assessments with your lists of URLs that you want to block or allow.

The Allowed list takes precedence over the Blocked list. URLs that match entries in the Allowed list are not checked against the Blocked list.

Create URL exceptions

  1. Navigate to Policies.
  2. Double-click the policy that you want to edit.
  3. Click Web Reputation > Exceptions.
  4. To allow URLs:

    1. Navigate to the Allowed section.
    2. In the blank under URLs to be added to the Allowed list (one per line), enter your desired URL. Multiple URLs can be added at once but they must be separated by a line break.
    3. Select one of the following:
      • Allow URLs from the domain: Allow all pages from the domain. Subdomains are supported. Only include the domain (and, optionally, subdomain) in the entry. For example, example.com and another.example.com are valid entries.
      • Allow the URL: The URL as entered are allowed. Wildcards are supported. For example, example.com/shopping/coats.html and example.com/shopping/* are valid entries.
    4. Click Add.
  5. To block URLs:

    1. Navigate to the Blocked section.
    2. In the area under URLs to be added to the Blocked list (one per line), enter your desired URL. Multiple URLs or keywords can be added at once but they must be separated by a line break.
    3. Select one of the following:
      • Block URLs from the domain: Block all pages from the domain. Subdomains are supported. Only include the domain (and optionally subdomain) in the entry. For example, example.com and another.example.com are valid entries.
      • Block the URL: The URL as entered are blocked. Wildcards are supported. For example, example.com/shopping/coats.html, and example.com/shopping/* are valid entries.
      • Block URLs containing this keyword: Any URL containing the keyword is blocked.
    4. Click Add.
  6. Click Save.

Configure the Smart Protection Server

Smart Protection Service for Web Reputation supplies web information required by the Web Reputation module. For more information, see Smart Protection Network - Global Threat Intelligence.

You can configure Smart Protection Server as follows:

  1. Navigate to Policies.
  2. Double-click the policy you would like to edit.
  3. Click Web Reputation > Smart Protection.
  4. Select whether or not to connect directly to Trend Micro's Smart Protection service, as follows:

    1. Select Connect directly to Global Smart Protection Service.
    2. Optionally, select When accessing Global Smart Protection Service, use proxy, then select New from the menu and enter your desired proxy.

    Or to connect to one or more locally installed Smart Protection Servers, as follows:

    1. Select Use locally installed Smart Protection Server (ex: "http://[server]:5274").
    2. Enter the Smart Protection Server URL into the field and click Add. To find the Smart Protection Server URL, perform one of the following:

      • Log in to the Smart Protection Server, and in the main pane, look under Real Time Status. The Smart Protection Server's HTTP and HTTPS URLs are listed in the Web Reputation row. The HTTPS URL is only supported with agent versions 11.0 and later. If you have 10.3 or earlier agents, use the HTTP URL.

      • If you deployed the Smart Protection Server in AWS, go to the AWS CloudFormation service, select the Smart Protection Server stack, and in the bottom pane, select Outputs. The Smart Protection Server's HTTP and HTTPS URLs appear in the WRSurl and WRSHTTPSurl fields. The WRSHTTPSurl is only supported with agent versions 11.0 and later. If you have 10.3 or earlier agents, use the WRSurl URL.

    3. Optionally, select When off domain, connect to global Smart Protection Service. (Windows only).

  5. Click Save.

Smart Protection Server connection warning

This option determines whether or not error events are generated and alerts are raised if a computer loses its connection to the Smart Protection Server. Select either Yes or No and click Save.

Note that if you have a locally installed Smart Protection Server, this option should be set to Yes on at least one computer so you are notified if there is a problem with the Smart Protection Server itself.

Edit advanced settings

Blocking Page

When users attempt to access a blocked URL, they are redirected to a blocking page. In the blank for Link, provide a link that users can use to request access to the blocked URL.

Alert

Decide to raise an alert when a Web Reputation event is logged by selecting either Yes or No.

Ports

Select specific ports to monitor for potentially harmful web pages from the Ports to monitor for potentially harmful web pages list.

Test Web Reputation

Before continuing, test that the Web Reputation is working correctly, as follows:

  1. Ensure Web Reputation is enabled.
  2. Navigate to Computer or Policy editor > Web Reputation > Exceptions.
  3. Under Blocked, enter http://www.speedtest.net and select Add.
  4. Select Save.
  5. Open a browser and attempt to access the website. A message denying the access should appear.
  6. Navigate to Events & Reports > Web Reputation to verify the record of the denied web access. If the detection is recorded, the Web Reputation module is working correctly.