EMS - Administrators Guide

Uploaded by

Nelson Macedo
Trend Micro Incorporated reserves the right to make changes to this
document and to the service described herein without notice. Before
installing and using the service, review the readme files, release notes,
and/or the latest version of the applicable documentation, which are
available from the Trend Micro website at:
https://docs.trendmicro.com/en-us/enterprise/email-security.aspx
Trend Micro, the Trend Micro t-ball logo, Remote Manager, Apex Central,
Cloud App Security, and Hosted Email Security are trademarks or registered
trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Copyright © 2022. Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM09478/220118
Release Date: January 20, 2022
Protected by U.S. Patent No.: Patents pending.
This documentation introduces the main features of the service and/or
provides installation instructions for a production environment. Read
through the documentation before installing or using the service.
Detailed information about how to use specific features within the service
may be available at the Trend Micro Online Help Center and/or the Trend
Micro Knowledge Base.
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
document, please contact us at docs@trendmicro.com.
Evaluate this documentation on the following site:
https://www.trendmicro.com/download/documentation/rating.asp
Privacy and Personal Data Collection Disclosure
Certain features available in Trend Micro products collect and send feedback
regarding product usage and detection information to Trend Micro. Some of
this data is considered personal in certain jurisdictions and under certain
regulations. If you do not want Trend Micro to collect personal data, you
must ensure that you disable the related features.
The following link outlines the types of data that Trend Micro Email Security
collects and provides detailed instructions on how to disable the specific
features that feedback the information.
https://success.trendmicro.com/data-collection-disclosure
Data collected by Trend Micro is subject to the conditions stated in the Trend
Micro Privacy Notice:
https://www.trendmicro.com/privacy
Table of Contents
About Trend Micro Email Security .......................................... 1
What's New ..................................................................... 1
Service Requirements .................................................... 12
Features and Benefits ..................................................... 14
Available License Versions ............................................. 17
Data Center Geography .................................................. 19
Inbound Message Protection .......................................... 20
Inbound Message Flow ............................................ 21
Outbound Message Protection ........................................ 22
Integration with Trend Micro Products ........................... 23
Apex Central ........................................................... 23
Trend Micro Remote Manager .................................. 25
Getting Started with Trend Micro Email Security ................... 26
Accessing the Trend Micro Email Security Administrator
Console ......................................................................... 26
Resetting Local Account Passwords .......................... 30
Selecting a Serving Site for First Time Use ....................... 31
Provisioning a Trend Micro Business Account ................. 32
Setting Up Trend Micro Email Security ...................... 34
Working with the Dashboard ................................................ 34
Threats Tab ................................................................... 38
Ransomware Details Chart ....................................... 39
Threats Chart .......................................................... 39
Threats Details Chart ............................................... 42
Virtual Analyzer File Analysis Details Chart ............... 44
Virtual Analyzer URL Analysis Details Chart .............. 45
Virtual Analyzer Quota Usage Details ........................ 47
Domain-based Authentication Details Chart .............. 48
Blocked Message Details .......................................... 49
Top Statistics Tab ........................................................... 52
Top BEC Attacks Detected by Antispam Engine Chart ...... 52
Top BEC Attacks Detected by Writing Style Analysis Chart ...... 52
Top Targeted High Profile Users ................................ 53
Top Analyzed Advanced Threats (Files) Chart ............ 54
Top Analyzed Advanced Threats (URLs) Chart ........... 54
Top Malware Detected by Predictive Machine Learning
Chart ...................................................................... 55
Top Malware Detected by Pattern-based Scanning Chart
............................................................................... 55
Top Spam Chart ....................................................... 56
Top Data Loss Prevention (DLP) Incidents Chart ........ 56
Other Statistics Tab ........................................................ 57
Volume Chart .......................................................... 57
Bandwidth Chart ..................................................... 58
Time-of-Click Protection Chart ................................. 59
Managing Domains .............................................................. 60
Adding a Domain ........................................................... 62
Configuring a Domain .................................................... 64
Adding SPF Records ................................................. 71
Adding Office 365 Inbound Connectors ..................... 72
Adding Office 365 Outbound Connectors ................... 75
Editing or Deleting Domains .......................................... 78
Inbound and Outbound Protection ....................................... 79
Managing Recipient Filter .............................................. 79
Managing Sender Filter .................................................. 79
Sender Filter Settings ............................................... 80
Configuring Approved and Blocked Sender Lists ........ 82
Transport Layer Security (TLS) Peers .............................. 88
Adding Domain TLS Peers ........................................ 91
Editing Domain TLS Peers ........................................ 93
Understanding IP Reputation ......................................... 93
About Quick IP List .................................................. 94
About Standard IP Reputation Settings ...................... 96
About Approved and Blocked IP Addresses ................ 97
IP Reputation Order of Evaluation ............................ 98
Troubleshooting Issues ............................................ 99
Managing Reverse DNS Validation ................................. 100

Configuring Reverse DNS Validation Settings ........... 101
Configuring the Blocked PTR Domain List ............... 104
Domain-based Authentication ...................................... 105
Sender IP Match .................................................... 106
Sender Policy Framework (SPF) .............................. 108
DomainKeys Identified Mail (DKIM) ........................ 114
Domain-based Message Authentication, Reporting &
Conformance (DMARC) .......................................... 121
How DMARC Works with SPF and DKIM .................. 128
File Password Analysis ................................................. 129
Configuring File Password Analysis ......................... 130
Adding User-Defined Passwords .............................. 131
Importing User-Defined Passwords ......................... 131
Configuring Scan Exceptions ........................................ 132
Scan Exception List ................................................ 132
Configuring "Scan Exceptions" Actions .................... 134
High Profile Users ........................................................ 136
Configuring High Profile Users ............................... 137
High Profile Domains ................................................... 139
Configuring High Profile Domains .......................... 139
Configuring Time-of-Click Protection Settings ............... 141
Data Loss Prevention .................................................... 142
Data Identifier Types .............................................. 143
DLP Compliance Templates .................................... 155
Configuring Policies ........................................................... 158
Policy Rule Overview .................................................... 160
Default Policy Rules ............................................... 161
Managing Policy Rules ................................................. 164
Reordering Policy Rules ............................................... 166
Naming and Enabling a Rule ......................................... 167
Specifying Recipients and Senders ................................ 168
Inbound Policy Rules ............................................. 168
Outbound Policy Rules ........................................... 170
About Rule Scanning Criteria ........................................ 173
Configuring Virus Scan Criteria .............................. 175
Configuring Spam Filtering Criteria ........................ 178
Configuring Data Loss Prevention Criteria ............... 187

Configuring Content Filtering Criteria ..................... 188
About Rule Actions ....................................................... 208
Specifying Rule Actions .......................................... 209
Intercept Actions ................................................... 209
Modify Actions ...................................................... 213
Monitor Actions ..................................................... 222
Encrypting Outbound Messages .............................. 223
About the Send Notification Action ......................... 226
Understanding Quarantine ................................................. 227
Querying the Quarantine .............................................. 228
Configuring End User Quarantine Settings ..................... 233
Quarantine Digest Settings ........................................... 234
Adding or Editing a Digest Rule ............................... 236
Adding or Editing a Digest Template ........................ 238
Logs in Trend Micro Email Security .................................... 241
Understanding Mail Tracking ....................................... 241
Social Engineering Attack Log Details ..................... 248
Business Email Compromise Log Details ................. 252
Understanding Policy Events ........................................ 252
Predictive Machine Learning Log Details ................. 261
Understanding URL Click Tracking ............................... 262
Understanding Audit Log .............................................. 264
Configuring Syslog Settings .......................................... 265
Syslog Forwarding .................................................. 267
Syslog Server Profiles ............................................. 268
Content Mapping Between Log Output and CEF Syslog
Type ...................................................................... 270
Reports ............................................................................. 277
My Reports .................................................................. 277
Scheduled Reports ....................................................... 278
Configuring Administration Settings ................................... 279
Policy Objects .............................................................. 279
Managing Address Groups ...................................... 280
Managing the URL Keyword Exception List .............. 282
Managing the Web Reputation Approved List ........... 284
Keyword Expressions ............................................. 285

Managing Notifications .......................................... 295
Managing Stamps ................................................... 296
Email Continuity .......................................................... 299
Adding an Email Continuity Record ........................ 300
Editing an Email Continuity Record ........................ 301
Administrator Management .......................................... 301
Account Management ............................................ 302
Logon Methods ...................................................... 312
End User Management ................................................. 328
Local Accounts ...................................................... 328
Managed Accounts ................................................. 331
Logon Methods ...................................................... 333
Logon Access Control ................................................... 349
Configuring Access Control Settings ........................ 350
Configuring Approved IP Addresses ........................ 352
Directory Management ................................................. 352
Synchronizing User Directories ............................... 353
Importing User Directories ..................................... 354
Exporting User Directories ..................................... 357
Installing the Directory Synchronization Tool .......... 358
Co-Branding ................................................................ 359
Service Integration ....................................................... 361
API Access ............................................................. 362
Log Retrieval ......................................................... 363
Apex Central .......................................................... 363
Remote Manager .................................................... 365
License Information .................................................... 365
Activating Sandbox as a Service .............................. 367
Migrating Data from Hosted Email Security ................... 368
Data That Will Be Migrated ..................................... 370
Data That Will Not Be Migrated ............................... 372
Setting Up Trend Micro Email Security After Data
Migration .............................................................. 373
Migrating Data from IMSS or IMSVA ............................. 375
Data That Will Be Migrated ..................................... 375
Data That Will Not Be Migrated ............................... 382
Prerequisites for Data Migration ............................. 386

Migrating Data to Trend Micro Email Security ......... 388
Verifying Data After Migration ................................ 390
FAQs and Instructions ........................................................ 392
About MX Records and Trend Micro Email Security ....... 398
Feature Limits and Capability Restrictions ..................... 399
Viewing Your Service Level Agreement ......................... 400
Technical Support .............................................................. 401
Contacting Support ...................................................... 401
Using the Support Portal ......................................... 401
Speeding Up the Support Call ................................. 402
Sending Suspicious Content to Trend Micro ................... 403
Email Reputation Services ...................................... 403
File Reputation Services ......................................... 403
Web Reputation Services ........................................ 403
Troubleshooting Resources ........................................... 404
Threat Encyclopedia .............................................. 404
Download Center ................................................... 404
Documentation Feedback ....................................... 405

Index
Index ............................................................................... IN-1

About Trend Micro Email Security
Trend Micro Email Security is an enterprise-class solution that delivers
continuously updated protection to stop phishing, ransomware, Business
Email Compromise (BEC) scams, spam and other advanced email threats
before they reach your network. It provides advanced protection for
Microsoft™ Exchange Server, Microsoft Office 365, Google™ Gmail, and other
cloud or on-premises email solutions.

Using Trend Micro Email Security, mail administrators set up policies to
handle email messages based on the threats detected. For example,
administrators can remove detected malware from incoming messages
before they reach the corporate network or quarantine detected spam and
other inappropriate messages.

Furthermore, Trend Micro Email Security delivers Email Continuity against
planned or unplanned downtime events, which allows end users to continue
sending and receiving email messages in the event of an outage.

What's New
The following new features are available in Trend Micro Email Security.
Table 1. New Features in This Release (Available on July 26, 2022)

Feature: Support for EUC Local Account Management
Description: Trend Micro Email Security allows you to manage EUC local accounts from a centralized location on the administrator console.
For details, see Local Accounts on page 328.

Feature: More Secure Password Reset for Administrators
Description: Trend Micro Email Security uses verification codes in place of simple CAPTCHA codes to verify administrators when they reset passwords on the administrator console.
For details, see Resetting Local Account Passwords on page 30.

Feature: More Secure Registration and Password Reset for End Users
Description: Trend Micro Email Security uses verification codes in place of security questions and simple CAPTCHA codes to verify end users during account registration and password reset on the End User Console.
For details, see "Registering Your Account" and "Resetting Your Password" in the "Local Account Management" chapter of the End User Console Online Help.

Feature: Blank Message Body Detection
Description: Trend Micro Email Security enhances content filtering policies to detect and take action on messages with a blank body.
For details, see Using Body Is Blank Criteria on page 202.

Table 2. New Features Available on June 27, 2022

Feature: Quarantined Message Download in Encrypted ZIP Package
Description: In addition to the original email file, Trend Micro Email Security provides another option for downloading a quarantined message: a password-protected ZIP file.
For details, see Querying the Quarantine on page 228.

Feature: Removal of Mobile Number from Contact Information
Description: Trend Micro Email Security removes the mobile number from the administrator's contact information on the administrator console. It's no longer necessary to provide your mobile number during provisioning and profile configuration.

Table 3. New Features Available on May 26, 2022

Feature: Spoofing Detection Enhancement
Description: As a supplement to the existing spoofing detection methods, Trend Micro Email Security adds anti-spoofing checks on the envelope sender and message header sender in content filtering.
For details, see Configuring Content Filtering Criteria on page 188.

Feature: Support for Multiple Entries in Quarantine Search Boxes
Description: Trend Micro Email Security allows you to specify multiple senders, recipients, and reasons when searching for quarantined messages.
For details, see Querying the Quarantine on page 228.

Feature: More Granular Quarantine Permission Control
Description: When you assign the read-only quarantine permissions to a subaccount, Trend Micro Email Security allows you to control whether to include the permissions for viewing quarantined message details and downloading quarantined messages.
For details, see Adding and Configuring a Subaccount on page 306.

Table 4. New Features Available on April 25, 2022

Feature: More Granular True File Type Detection for Microsoft Office Files
Description: Trend Micro Email Security allows you to separately control true file type detection for Microsoft Office 97-2003 files (such as .doc, .ppt, .xls) and Microsoft Office files of later versions (such as .docx, .pptx, .xlsx).
For details, see Using Attachment True File Type Criteria on page 199.

Table 5. New Features Available on March 28, 2022

Feature: Reverse DNS Validation
Description: Trend Micro Email Security supports reverse DNS validation at the connection setup stage by performing PTR record lookup based on the email sending IP address. In addition, administrators can configure a list of blocked PTR domains to directly reject email messages from them.
For details, see Managing Reverse DNS Validation on page 100.
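
The reverse DNS validation described in Table 5, sketched as an added example; it is not code from this guide or from Trend Micro. The function names, the sample PTR data, the suffix-matching rule for blocked PTR domains, and the configurable action for a missing PTR record are all assumptions made for illustration.

```python
"""Reverse DNS validation sketch: PTR lookup on the sending IP, then a
check of the PTR host name against a blocked PTR domain list."""
import ipaddress

# Constructed sample data: documentation IP ranges and made-up host names.
SAMPLE_PTR_ZONE = {
    "10.2.0.192.in-addr.arpa": ["mail.partner.example."],
    "25.100.51.198.in-addr.arpa": ["host-25.Dynamic.bulk-isp.example."],
    "7.113.0.203.in-addr.arpa": ["mx.notbulk-isp.example."],
}
BLOCKED_PTR_DOMAINS = ["bulk-isp.example"]  # hypothetical blocked list


def ptr_query_name(ip_text):
    """Return the in-addr.arpa or ip6.arpa name queried for a sending IP."""
    return ipaddress.ip_address(ip_text).reverse_pointer


def normalize(name):
    """DNS names compare case-insensitively and may end with a root dot."""
    return name.rstrip(".").lower()


def in_blocked_domain(host, blocked_domains):
    """True if host equals a blocked domain or is a subdomain of one.

    Matching on a label boundary (".domain") keeps "notbulk-isp.example"
    from matching the blocked entry "bulk-isp.example".
    """
    host = normalize(host)
    for domain in map(normalize, blocked_domains):
        if host == domain or host.endswith("." + domain):
            return True
    return False


def validate_sender_ip(ip_text, lookup_ptr, blocked_domains,
                       no_ptr_action="reject"):
    """Decide what to do with a connection from ip_text.

    lookup_ptr is any callable mapping a reverse name to a list of PTR
    targets; a real deployment would pass a DNS resolver here.
    Returns (action, reason).
    """
    try:
        qname = ptr_query_name(ip_text)
    except ValueError:
        return ("reject", "invalid sending IP")
    targets = lookup_ptr(qname)
    if not targets:
        # Assumption: the action for a missing PTR record is configurable.
        return (no_ptr_action, "no PTR record for " + qname)
    for target in targets:
        if in_blocked_domain(target, blocked_domains):
            return ("reject", "PTR domain blocked: " + normalize(target))
    return ("accept", "PTR " + normalize(targets[0]))


def sample_lookup(qname):
    """Offline stand-in for a DNS PTR query, backed by the sample zone."""
    return SAMPLE_PTR_ZONE.get(qname, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.7", "203.0.113.99"):
        print(ip, validate_sender_ip(ip, sample_lookup, BLOCKED_PTR_DOMAINS))
```
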

Table 6. New Features Available on February 24, 2022

Feature: Sender Filter Enhancement
Description: Trend Micro Email Security redesigned the Sender Filter feature under Inbound Protection by providing the following enhancements:
• Supporting more wildcard formats in approved or blocked sender addresses.
• Allowing you to apply approved or blocked senders to all recipients in your organization.
• Synchronizing approved or blocked sender lists between the administrator console and End User Console so that administrators can manage the approved or blocked senders added from the End User Console or quarantine digest mails.
For details, see Managing Sender Filter on page 79.

Table 7. New Features Available on January 20, 2022

Feature: New Account Type: Superadmin Account
Description: Trend Micro Email Security introduces a new local account type, namely superadmin account, to ease the administrative burden of the Trend Micro Business Account. Superadmin accounts have all administrative permissions inherited from the Business Account and can perform actions on behalf of the Business Account when necessary.
For details, see Account Management on page 302.

Feature: Support for Attaching the Original Message in Notifications for All Policy Violation Detections
Description: In addition to writing style analysis detection, Trend Micro Email Security provides an option to attach the original message in notifications for all policy violation detections.
For details, see Managing Notifications on page 295.

Table 8. New Features Available on December 14, 2021

Feature: Mail Tracking Log Enhancement
Description: For deleted or delivered quarantined messages, Trend Micro Email Security enables you to check from mail tracking logs who took the action and the time when the action was completed.

Table 9. New Features Available on November 29, 2021

Feature: Log Export Enhancement
Description: Trend Micro Email Security now can export all queried mail tracking logs and policy event logs to CSV files from the log result page.
For details, see Understanding Mail Tracking on page 241 and Understanding Policy Events on page 252.

Feature: IP-based Control of Access to Trend Micro Email Security
Description: IP-based access control is available to restrict access to Trend Micro Email Security. With this feature enabled, Trend Micro Email Security verifies the IP address from which the access request originates, and takes the preconfigured actions if the request originates from an unapproved IP address.
For details, see Logon Access Control on page 349.

Table 10. New Features Available on October 28, 2021

Feature: Quarantine Digest Template Enhancement
Description: Trend Micro Email Security enhances its quarantine digest template by refining template text and providing a new token for your use.
For details, see Adding or Editing a Digest Template on page 238.

Table 11. New Features Available on September 9, 2021

Feature: Support for Authenticated Received Chain (ARC)
Description: Trend Micro Email Security adds support for ARC in DMARC authentication. If ARC is enabled and an ARC chain is present and validated, some legitimate messages that fail DMARC authentication due to intermediate processing will pass the authentication.
For details, see Domain-based Message Authentication, Reporting & Conformance (DMARC) on page 121.

Feature: Policy Event Log Enhancement
Description: Trend Micro Email Security enhances its policy event logs by providing more details about Virtual Analyzer scan exceptions.

Table 12. New Features Available on August 19, 2021

Feature: Email Attachment Sanitizing
Description: Trend Micro Email Security supports email attachment sanitizing for both incoming and outgoing messages. When configuring a content filtering policy, you can choose whether to set actions specifically for email messages that contain active content such as macros in Microsoft Office attachments.
For details, see Sanitizing Attachments on page 216.

Feature: Layout Optimization for Quarantine Digest Notifications
Description: Trend Micro Email Security is optimized to make the layout for quarantine digest notifications more mobile-friendly.

Table 13. New Features Available on June 30, 2021

Feature: Stamp Enhancement
Description: Trend Micro Email Security further supports HTML stamps besides already supported plain text stamps. You can customize HTML stamps based on predefined styles, and view an automatic plain text version of the customized stamps in real time.
For details, see Managing Stamps on page 296.

Table 14. New Features Available on May 31, 2021

Feature: Quarantined Message Management Enhancement
Description: Trend Micro Email Security allows you to configure settings for end users to view quarantined messages and take action on the End User Console and in the quarantine digest notifications. In addition, quarantined message query is optimized to provide a reasonable and consistent user experience.
For details, see Configuring End User Quarantine Settings on page 233.

Feature: Support for Wildcard Domain in Address Groups
Description: Trend Micro Email Security supports wildcard domains for email addresses in hybrid address groups. In addition, when you search for address groups by email address, wildcard search is used instead of partial search.
For details, see Managing Address Groups on page 280.

Feature: Keyword Expression Test Support
Description: Trend Micro Email Security now enables you to test the keyword expression functionality when you add a new keyword expression.
For details, see Adding Keyword Expressions on page 293.

Feature: Log Search Enhancement
Description: Trend Micro Email Security enhances its log search feature by allowing you to search mail tracking logs by sender IP address and destination IP address.
For details, see Understanding Mail Tracking on page 241.

Table 15. New Features Available on May 14, 2021

Feature: Keyword Expression Enhancement
Description: Trend Micro Email Security is enhanced to add another match condition to the Keywords and Expressions feature under Administration > Policy Objects. With this enhancement, Trend Micro Email Security will trigger actions when the combined score of all matched keyword expressions reaches the specified threshold.
For details, see Adding Keyword Expressions on page 293.

Feature: Redirect Page Customization Support for Time-of-Click Protection
Description: Trend Micro Email Security enhances Time-of-Click Protection settings by allowing you to customize redirect pages for suspicious, dangerous, and untested URLs in inbound messages. The redirect page customization settings apply to incoming messages of the entire organization.
For details, see Configuring Time-of-Click Protection Settings on page 141.

Table 16. New Features Available on April 22, 2021

Feature: High Profile Domains
Description: Trend Micro Email Security allows you to add high profile domains, for example, your partners' domains or domains of famous brands, to leverage the improved Trend Micro Antispam Engine to detect cousin domains. A cousin domain looks deceptively similar to a legitimate target domain and is often used in phishing attacks to steal sensitive or confidential information from users.
For details, see High Profile Domains on page 139.

Feature: Renaming from "Business Email Compromise (BEC)" to "High Profile Users"
Description: With the launch of the High Profile Domains feature, Trend Micro Email Security renames the Business Email Compromise (BEC) menu under Inbound Protection to High Profile Users to provide a more accurate description of the feature.

Feature: Support for Enabling/Disabling Log Retrieval
Description: Trend Micro Email Security allows you to decide whether to retrieve policy event logs and mail tracking logs via REST APIs for third-party SIEM application integration.
For details, see Log Retrieval on page 363.

Feature: File Password Analysis Result Visibility in Mail Tracking Logs
Description: Trend Micro Email Security shows the password analysis result of email attachments in mail tracking logs.

Feature: Support for %HEADERS%
Description: Trend Micro Email Security now supports the %HEADERS% token, which will be replaced with message headers in stamps and notification body.

Table 17. New Features Available on March 30, 2021

Feature: DNS-Based Authentication of Named Entities (DANE) Support for Outgoing TLS Connections
Description: Trend Micro Email Security now supports DANE for outgoing TLS connections.
For details, see Transport Layer Security (TLS) Peers on page 88.

Feature: SPF Action Enhancement
Description: Trend Micro Email Security enhances its SPF feature by allowing you to:
• Tag the email subject and send a notification for email messages with a specific SPF check result (except Pass)
• Use a new token in the notification template to represent the SPF check result
For details, see Adding SPF Settings on page 110.

Feature: License Information Optimization
Description: Trend Micro Email Security is optimized to show all the licenses that you have purchased under Administration > License Information. In addition, a grace end date is provided in the license information.

Table 18. New Features Available on February 27, 2021

Feature Description

Organization-Level Policy Trend Micro Email Security is enhanced to


allow you to create inbound and outbound
protection policies at the organization level.
These policies automatically apply to all
domains in your organization including the
new ones added in the future. Organization-
level policies make policy management easier
than otherwise.
For details, see Configuring Policies on page
158.

Predictive Machine Learning Support in Trend Micro Email Security adds support for
Outbound Protection Predictive Machine Learning in outbound
protection, allowing you to specify Predictive
Machine Learning settings in virus scan rules.


Syslog Enhancement
In addition to detection logs, audit logs and mail tracking logs, Trend Micro Email
Security can now forward URL click tracking logs to syslog servers.

Table 19. New Features Available on January 28, 2021

Feature Description

Quarantine Digest Template Enhancement
Trend Micro Email Security enhances its quarantine digest template by allowing you to:
• Use two more actions: "Approve Sender Domain" and "Block Sender Domain"
• Customize inline actions that are available in digest notifications
• Send a test digest mail based on the configured digest template
For details, see Adding or Editing a Digest Template on page 238.

Log Search Enhancement
Trend Micro Email Security enhances its log search feature by allowing you to search
policy event logs by message header address and threat name, and search mail tracking
logs by message header address.
For details, see Understanding Mail Tracking on page 241 and Understanding Policy Events
on page 252.

Service Requirements
Trend Micro Email Security does not require hardware on your premises. All
scanning is performed in the cloud. To access your web-based Trend Micro
Email Security administrator console, you need a computer with access to
the Internet.


The following are required before Trend Micro Email Security can be
activated:
• An existing mail gateway or workgroup SMTP connection
For example:
• A local MTA or mail server
• A cloud-based MTA solution
• Access to domain MX records (DNS mail exchanger host records) for
repointing MX records to the Trend Micro Email Security MTA
(Contact your service provider, if necessary, for more information or
configuration help.)
If you have trouble accessing the site, confirm that you are using the correct
web address. For details, see Accessing the Trend Micro Email Security
Administrator Console on page 26.
If you have trouble using the site or with the way the website displays,
confirm that you are using a supported browser with JavaScript enabled.
Supported browsers include:
• Microsoft Internet Explorer 11
• Microsoft Edge 91
• Mozilla Firefox 60.0 or later
• Google Chrome 67.0 or later
The Trend Micro Email Security administrator console and End User Console
support the following languages. Change the locale in your browser
according to your region.


Administrator Console
• English
• Japanese

End User Console
• English
• French
• Spanish
• German
• Italian
• Japanese
• Portuguese

Features and Benefits


Trend Micro Email Security provides the following features and benefits:
Sender Filter
Trend Micro Email Security allows you to filter senders of incoming email
messages. You can specify the senders to allow or block using specific email
addresses or entire domains and specify the type of sender addresses
collected to match the approved and blocked sender lists.
For details, see Managing Sender Filter on page 79.
Email Reputation Services
Trend Micro Email Security makes use of Trend Micro Email Reputation
Services (ERS) Standard Service and Advanced Service. Email Reputation
Services use a standard IP reputation database and an advanced and dynamic
IP reputation database (a database updated in real time). These databases
have distinct entries, allowing Trend Micro to maintain a very efficient and
effective system that can quickly respond to new sources of spam.
For details, see Understanding IP Reputation on page 93.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
As an email validation system to detect and prevent email spoofing, Domain-based
Message Authentication, Reporting and Conformance (DMARC) is
intended to fight against certain techniques used in phishing and spam, such
as email messages with forged sender addresses that appear to originate
from legitimate organizations. DMARC fits into the inbound email
authentication process of Trend Micro Email Security, allowing you to define
DMARC policies, including the actions to take on messages that fail DMARC
authentication.
For details, see Domain-based Message Authentication, Reporting &
Conformance (DMARC) on page 121.
Multitiered Virus, Spam and Content Filtering

Trend Micro Email Security leverages the Trend Micro Virus Scan Engine to
compare the files with the patterns of known viruses and integrates
Predictive Machine Learning to detect new, previously unidentified, or
unknown malware through advanced file feature analysis. Trend Micro
Email Security also supports integration with Virtual Analyzer, a cloud-based
virtual environment designed to manage and analyze objects submitted by
Trend Micro products.
Furthermore, Trend Micro Email Security detects phishing, spam, Business
Email Compromise (BEC) scams, graymail and social engineering attacks
and examines the message contents to determine whether the message
contains inappropriate content.
You can configure domain-level and organization-level policies to detect
various security risks by scanning email messages and then performing a
specific action for each security risk detected.
For details, see Configuring Policies on page 158.
Virtual Analyzer

Virtual Analyzer is a cloud sandbox designed for analyzing suspicious files
and URLs. Sandbox images allow observation of files and URLs in an
environment that simulates endpoints on your network without any risk of
compromising the network.
Trend Micro Email Security sends suspicious files or URLs to Virtual
Analyzer when a file or URL exhibits suspicious characteristics and
signature-based scanning technologies cannot find a known threat. Virtual
Analyzer performs static analysis and behavior simulation in various
runtime environments to identify potentially malicious characteristics.
During analysis, Virtual Analyzer rates the characteristics in context and
then assigns a risk level to the sample based on the accumulated ratings.
For details on Virtual Analyzer settings, see Configuring Virus Scan Criteria on
page 175 and Configuring Web Reputation Criteria on page 182.
Data Loss Prevention
Data Loss Prevention (DLP) safeguards an organization's digital assets against
accidental or deliberate leakage. DLP evaluates data against a set of rules
defined in policies to determine the data that must be protected from
unauthorized transmission and the action that DLP performs when it detects
transmission. With DLP, Trend Micro Email Security allows you to manage
your incoming email messages containing sensitive data and protects your
organization against data loss by monitoring your outbound email messages.
For details, see Data Loss Prevention on page 142.
File Password Analysis
Based on user-defined passwords, Trend Micro Email Security can extract
password-protected archive files and open password-protected document
files in email messages to investigate any malicious or suspicious content in
those messages.
For details, see File Password Analysis on page 129.
Suspicious Objects
Suspicious objects are objects with the potential to expose systems to danger
or loss. After Trend Micro Email Security is registered to Trend Micro Apex
Central, Apex Central synchronizes the suspicious object lists consolidated
from its managed Trend Micro products with Trend Micro Email Security at a
scheduled time interval.
For details, see Apex Central on page 363.
Email Continuity
Trend Micro Email Security provides protection against email loss if your
email server goes down. If your server becomes unavailable due to a crash or
network connectivity problem, Trend Micro Email Security automatically
transfers inbound traffic to a backup server until your server is back online.
This enables end users to read, forward, download and reply to email
messages on the End User Console.
For details, see Email Continuity on page 299.
Logs and Reports
Trend Micro Email Security provides detailed logs to help you analyze system
security and improve protection solutions. You can view and search logs to
track messages for inbound and outbound traffic, and to track all messages
for a specific sender, recipient, rule or detection. Trend Micro Email Security
allows you to forward syslog messages to an external syslog server in a
structured format, which allows third-party application integration.
For details, see Logs in Trend Micro Email Security on page 241.
Trend Micro Email Security provides reports to assist in mitigating threats
and optimizing system settings. You can generate reports based on a daily,
weekly, monthly or quarterly schedule.
For details, see Reports on page 277.
Message Quarantine
Quarantined messages are blocked as detected spam or other inappropriate
content before delivery to an email account. Messages held in quarantine
can be reviewed and manually deleted or delivered on the administrator
console. Furthermore, end users can view and manage their own
quarantined messages on the End User Console.
For details, see Understanding Quarantine on page 227.

Available License Versions


Starting from October 31, 2019, Trend Micro Email Security Standard is
available in addition to Trend Micro Email Security Advanced.
Trend Micro Email Security Standard includes a subset of features available
in Trend Micro Email Security Advanced to deliver essential email protection
for cloud or on-premises email solutions. Trend Micro Email Security
Advanced includes all the features of the standard version and provides more
advanced and enhanced functionality.
The following table summarizes the feature differences between the two
license versions.

Note
The features that are common to both versions are not listed here.

Table 20. Feature differences

Feature | Trend Micro Email Security Standard | Trend Micro Email Security Advanced
Virtual Analyzer | No | Yes (both URL and file analysis)
Email continuity | No | Yes
Writing style analysis for Business Email Compromise (BEC) threat detection | No | Yes
File password analysis | No | Yes
Virtual Analyzer scan exceptions | No | Yes
Virtual Analyzer submission quota exceptions | No | Yes
Sliding window for mail tracking log search | 30 days | 60 days
Sliding window for policy event log search | 30 days | 60 days
Message size limit | 50 MB | 150 MB

The features of Trend Micro Email Security Standard and Trend Micro Email
Security Advanced are controlled by the license applied. There are two ways
to manage your license:


• From the Licensing Management Platform


The Licensing Management Platform allows partners to self-provision
and auto-renew licenses. Contact your reseller or MSP to add, renew or
extend your licenses.
• From the Customer Licensing Portal
Visit the Customer Licensing Portal website at https://clp.trendmicro.com
and activate, register and manage your products on
the portal. For details, see the supporting documentation at:
http://docs.trendmicro.com/en-us/smb/customer-licensing-portal.aspx
If you have purchased the standard version and want to upgrade to Trend
Micro Email Security Advanced, do the following:
1. Log on to the Customer Licensing Portal website (https://clp.trendmicro.com).
2. From the Customer Licensing Portal page, click Provide Key.
3. Provide your activation code and click Continue.
Your version will then be upgraded to Trend Micro Email Security
Advanced.

Data Center Geography


Trend Micro Email Security is hosted on Amazon AWS data centers, and its
cloud sandbox service is hosted in different regions based on each Trend
Micro Email Security serving site.
The following table lists the geographic location of data centers for each
Trend Micro Email Security site.

Trend Micro Email Security Site | Amazon Data Center Location / Region | Cloud Sandbox Data Center Location / Region
North America, Latin America and Asia Pacific | Northern Virginia / US East | Northern Virginia / US East
Europe, the Middle East and Africa | Frankfurt / Germany | Frankfurt / Germany
Australia and New Zealand | Sydney / Australia | Northern Virginia / US East
Japan | Tokyo / Asia Pacific | Tokyo / Asia Pacific
Singapore | Singapore / Asia Pacific | Singapore / Asia Pacific
India | Mumbai / South Asia | Pune / Central India

Inbound Message Protection


Trend Micro Email Security provides inbound message protection by
evaluating email messages in the following order:

• Connection filtering

Provides the recipient filter, sender filter, Transport Layer Security (TLS)
check, and IP Reputation settings.

• Domain-based authentication

Provides authentication methods such as Sender IP Match, Sender
Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and
Domain-based Message Authentication, Reporting & Conformance
(DMARC) to protect against email spoofing.

• Virus scan

Allows you to configure virus policies and scan exceptions.

• Spam filtering

Allows you to configure spam policies, high profile users for BEC
policies and Time-of-Click Protection settings.

• Content filtering

Allows you to configure content filtering policies to take actions on
messages based on the conditions matched.
• Data Loss Prevention
Allows you to create Data Loss Prevention (DLP) policies to manage your
incoming email messages containing sensitive data.

Inbound Message Flow


Trend Micro Email Security scans incoming email messages before
final delivery to the “example.com” Inbound Server.

The flow of messaging traffic from the Internet, through the Trend Micro
Email Security, and then to the “example.com” Inbound Server, or local
MTA.

Evaluation is done in the following order:


1. The originating MTA performs a Domain Name Service (DNS) lookup of
the MX record for “example.com” to determine the location of the
“example.com” domain.

The MX record for “example.com” points to the IP address of Trend
Micro Email Security instead of the original “example.com” Inbound
Server.
2. The originating MTA routes messages to Trend Micro Email Security.
3. Trend Micro Email Security accepts the connection from the
originating mail server.
4. Trend Micro Email Security performs connection-based filtering at the
MTA connection level to decide on an action to take. Actions include the
following:
• Trend Micro Email Security terminates the connection, rejecting
the messages.
• Trend Micro Email Security accepts the messages and filters them
using content-based policy filtering.
5. Trend Micro Email Security examines the message contents to
determine whether the message contains malware or any other threats.
6. Assuming that a message is slated for delivery according to the policies,
Trend Micro Email Security routes the message to the original
“example.com” Inbound Server.

Outbound Message Protection


Trend Micro Email Security scans outgoing email messages before delivery if
outbound filtering is enabled. Trend Micro Email Security applies the
following policies for filtering:
• Malware (viruses, spyware, and so on)
• Spam and phishing
• Web reputation
• Data Loss Prevention (DLP)
• Transport Layer Security (TLS) check


• DomainKeys Identified Mail (DKIM) signing


In addition, outbound encryption is seamlessly integrated with the content-
filtering capabilities of Trend Micro Email Security, using policy-based
encryption to secure email messages. The service does not automatically
encrypt email messages. When outbound filtering is enabled, outbound
encryption appears as a policy option within the Trend Micro Email Security
administrator console. You will need to configure rules that apply encryption
as a rule action.
To learn about the policy rule used to encrypt outbound messages, see
Encrypting Outbound Messages on page 223. To learn more about how to enable
outbound protection for a managed domain, see step 5 in Adding a Domain
on page 62.
Trend Micro Email Security evaluates outgoing messages against regulatory
compliance templates defined in DLP policies to prevent data leakage. For
details about DLP, see Data Loss Prevention on page 142.

Integration with Trend Micro Products


For seamless integration, make sure that the Trend Micro products or
services that integrate with Trend Micro Email Security run the required or
recommended versions.
Table 21. Trend Micro Products that Integrate with Trend Micro Email Security

Product/Service | Version
Apex Central | 2019
Control Manager | 7.0 with hot fix HF2964

Apex Central
Apex Central™ is a central management console that manages Trend Micro
products and services at the gateway, mail server, file server, and corporate
desktop levels. The Apex Central web-based management console provides a
single monitoring point for managed products and services throughout the
network.

Apex Central allows system administrators to monitor and report on
activities such as infections, security violations, or virus entry points. System
administrators can download and deploy components throughout the
network, helping ensure that protection is consistent and up-to-date. Apex
Central allows both manual and pre-scheduled updates, and the
configuration and administration of products as groups or as individuals for
added flexibility.

If Trend Micro Email Security is managed from Apex Central, you can use
single sign-on to access the Trend Micro Email Security administrator
console and check the connection status of registered Trend Micro Email
Security servers.

Registering to Apex Central

Make sure you have a Customer Licensing Portal account and that the account
has been bound to both Trend Micro Email Security and Apex Central.

Procedure

1. Open the Apex Central management console.

2. Go to Administration > Managed Servers > Server Registration.

3. On the screen that appears, select Trend Micro Email Security as Server
Type.

4. Click Cloud Service Settings.

5. Specify your Customer Licensing Portal account credentials and click
OK.

The Trend Micro Email Security server appears in the server list.

You can click the server address to single sign-on to the Trend Micro
Email Security administrator console.


Checking Trend Micro Email Security Server Status

Procedure

1. Go to Dashboard.

2. Click the Summary tab.

3. Scroll down and find the Product Connection Status widget.

You can check the status of any Trend Micro Email Security server
registered with Apex Central.

Unregistering from Apex Central

Procedure

1. Go to Administration > Managed Servers > Server Registration.

2. Click Cloud Service Settings.

3. Click Stop managing services with Apex Central.

4. In the dialog box that appears, click Yes.

The Trend Micro Email Security server disappears from the server list.

Trend Micro Remote Manager


Trend Micro Remote Manager is a robust console that works in parallel with
the Customer Licensing Portal and the Licensing Management Platform to
provide managed security services to small and medium businesses.

Remote Manager enables you to monitor the health of multiple managed
networks through multiple, managed products and services. Remote
Manager allows reseller administrators to issue commands to manage
critical aspects of network security.


Trend Micro Email Security is one of the products that Remote Manager
monitors and manages.
• If you are using Licensing Management Platform accounts, contact your
reseller to connect to or disconnect from Remote Manager.
• If you are using Customer Licensing Portal accounts, you can connect to
or disconnect from Remote Manager on the Trend Micro Email Security
administrator console.
For details, see Remote Manager on page 365.

Getting Started with Trend Micro Email Security

Accessing the Trend Micro Email Security Administrator Console
Choose the proper way to access the Trend Micro Email Security
administrator console based on your licensing agreement with Trend Micro.


Table 22. Accessing the Trend Micro Email Security administrator console

Account Type Logon Method

Customer Licensing Portal account
Log on directly to your administrator console at the following web address for your region:
• North America, Latin America and Asia Pacific: https://tm.tmes.trendmicro.com
• Europe, the Middle East and Africa: https://tm.tmes.trendmicro.eu
• Australia and New Zealand: https://tm.tmes-anz.trendmicro.com
• Japan: https://tm.tmems-jp.trendmicro.com
• Singapore: https://tm.tmes-sg.trendmicro.com
• India: https://tm.tmes-in.trendmicro.com

Note
Customer Licensing Portal helps you
manage your accounts, customer
information, and subscriptions. You
can directly access the web consoles of
Trend Micro solutions including Trend
Micro Email Security.
For details about how to log on to,
register and manage Trend Micro Email
Security using Customer Licensing
Portal, see the Customer Licensing
Portal documentation at
http://docs.trendmicro.com/en-us/smb/customer-licensing-portal.aspx.

Licensing Management Platform account
For Licensing Management Platform resellers, substitute your Tenant ID for <tenant-id> in
the following web address for your region:
• North America, Latin America and Asia Pacific: https://<tenant-id>.tmes.trendmicro.com
• Europe, the Middle East and Africa: https://<tenant-id>.tmes.trendmicro.eu
• Australia and New Zealand: https://<tenant-id>.tmes-anz.trendmicro.com
• Japan: https://<tenant-id>.tmems-jp.trendmicro.com
• Singapore: https://<tenant-id>.tmes-sg.trendmicro.com
• India: https://<tenant-id>.tmessg.trendmicro.com

Local subaccounts added by the administrator
• North America, Latin America and Asia Pacific: https://ui.tmes.trendmicro.com
• Europe, the Middle East and Africa: https://ui.tmes.trendmicro.eu
• Australia and New Zealand: https://ui.tmes-anz.trendmicro.com
• Japan: https://ui.tmems-jp.trendmicro.com
• Singapore: https://ui.tmes-sg.trendmicro.com
• India: https://ui.tmes-in.trendmicro.com

Note
If you forget your local account
password, reset the password by
referring to Resetting Local Account
Passwords on page 30.

SSO accounts
Log on to the administrator console at the URL generated in Step 4 in Configuring Single
Sign-On on page 315.

From the Trend Micro Email Security administrator console, administrators
can create reports, view logs, perform administrative tasks, and configure
security policies against different types of threats.
The Trend Micro Email Security administrator console provides the
following features:
• Chart-based dashboard


• Domain management
• Inbound and outbound protection settings
• Quarantined message query and quarantine digest settings
• Mail tracking, policy event, URL click tracking and syslog settings
• Daily, weekly, monthly and quarterly reports
• Centralized administration settings, including:
• Policy objects
• Suspicious objects
• Email continuity settings
• Administrator management
• End user management
• Directory management
• License information

Resetting Local Account Passwords

Procedure
1. Access the administrator console.
The logon screen for the Trend Micro Email Security administrator
console appears.
2. Click Forgot your Password.
The Reset Password screen appears.
3. Type the user name and email address of your local account.
4. Click Send verification code.
A verification code is sent to the email address specified above.

5. Specify the verification code.
6. Specify and confirm your new password.
7. Click Finish.
You can use the new password to log on to the administrator console.

Selecting a Serving Site for First Time Use


If you are using Trend Micro Email Security for the first time, you can
choose a serving site, regardless of
the registration key or activation code you have purchased. A serving site is
the geographical location where Trend Micro Email Security provides you
services and stores your service data.

Note
This feature is available for customers from the Customer Licensing Portal.
Customers from the Licensing Management Platform cannot select a serving
site for first time use, because their serving site has been specified during
registration.

You cannot modify the serving site setting after the initial configuration
completes. Your Trend Micro Email Security service data will always stay
within your selected site and will not be transferred to other sites for data
privacy and sovereignty considerations.
The steps outlined below detail how to select a Trend Micro Email Security
serving site from the Customer Licensing Portal during first time use.

Procedure
1. Log on to the Customer Licensing Portal management console.
2. Go to Products/Services, locate Trend Micro Email Security, and then
click Open console under Action.
The Initial Configuration screen appears.


3. Select a site, click OK after confirming your selection, and click Save.
Trend Micro Email Security uses an Amazon AWS data center to host
your data at each serving site. For more information, see Data Center
Geography on page 19.
The Trend Micro Email Security management console opens after the
initial configuration is complete.
Check the URL of your Trend Micro Email Security management console
logon page in the address bar, which is determined based on your
selected serving site. For example, if you are at the Europe, the Middle
East and Africa site, the URL of your Trend Micro Email Security
management console logon page is https://tm.tmes.trendmicro.eu.

Provisioning a Trend Micro Business Account


After you have selected a serving site on the administrator console, Trend
Micro Email Security launches a provisioning wizard for you to provision
your Trend Micro Business Account.

Procedure
1. Provide your administrator profile information.
Keep your information current because Trend Micro will send you
notifications about important maintenance plans, urgent incidents and new features.
a. Type your first name and last name.
b. Specify your email address.
c. Click Next.
An email message will be sent to your registered email address.
Check your mailbox and click the verification link in the message to
verify your email address. Verifying the email address proves that
you own it and ensures that you will receive important system
notifications from Trend Micro Email Security.


2. Set your company identifier.

Note
Trend Micro generates a custom subdomain for your company based on
the company identifier you set. For example, if your company identifier is
"example", your MX record for incoming email messages will be generated
based on your location.

• North America, Latin America and Asia Pacific:

example.in.tmes.trendmicro.com

• Europe, the Middle East and Africa:

example.in.tmes.trendmicro.eu

• Australia and New Zealand:

example.in.tmes-anz.trendmicro.com

• Japan:

example.in.tmems-jp.trendmicro.com

• Singapore:

example.in.tmes-sg.trendmicro.com

• India:

example.in.tmes-in.trendmicro.com

3. Add a domain you want to manage through Trend Micro Email Security.

Note
For details about adding domains, see Adding a Domain on page 62.

You still need to perform further setup tasks to get Trend Micro Email
Security up and running. For details, see Setting Up Trend Micro Email
Security on page 34.
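
The inbound message flow and the company identifier note above both depend on the MX record of your domain pointing to the Trend Micro Email Security host for your serving site. The following Python script is an added example (not part of the Trend Micro documentation or product) that audits a domain's MX records against the host name pattern given in this guide and reports records that would let mail reach another server without being scanned. The sample DNS records and the finding codes are constructed for illustration.

```python
import re

# MX suffix per serving site, copied from the company identifier note in this guide.
SITE_MX_SUFFIX = {
    "North America, Latin America and Asia Pacific": "in.tmes.trendmicro.com",
    "Europe, the Middle East and Africa": "in.tmes.trendmicro.eu",
    "Australia and New Zealand": "in.tmes-anz.trendmicro.com",
    "Japan": "in.tmems-jp.trendmicro.com",
    "Singapore": "in.tmes-sg.trendmicro.com",
    "India": "in.tmes-in.trendmicro.com",
}

# Zone-file or dig-style MX line: owner [ttl] [IN] MX preference exchange
MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?MX\s+(?P<pref>\d+)\s+(?P<host>\S+)$",
    re.IGNORECASE,
)


def normalize(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_mx(zone_text):
    """Return [(owner, preference, exchange)] for every MX line in the text."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        match = MX_LINE.match(line)
        if match:
            records.append(
                (normalize(match["owner"]), int(match["pref"]), normalize(match["host"]))
            )
    return records


def audit_mx(domain, company_id, site, zone_text):
    """Compare a domain's MX records with the host expected for its serving site.

    Finding codes (hypothetical names used only in this example):
      NO_MX          the domain has no MX record in the data
      NOT_REPOINTED  the expected Trend Micro Email Security host is missing
      WRONG_SITE     MX points to the company host of a different serving site
      BYPASS         MX points elsewhere; senders can deliver to that host
                     directly, whatever its preference value, and skip scanning
    """
    expected = f"{company_id}.{SITE_MX_SUFFIX[site]}".lower()
    other_sites = {f"{company_id}.{s}".lower() for s in SITE_MX_SUFFIX.values()} - {expected}
    owner = normalize(domain)
    hosts = [(pref, host) for o, pref, host in parse_mx(zone_text) if o == owner]
    if not hosts:
        return [("NO_MX", owner)]
    findings = []
    if expected not in {host for _, host in hosts}:
        findings.append(("NOT_REPOINTED", expected))
    for _, host in sorted(hosts):
        if host != expected:
            findings.append(("WRONG_SITE" if host in other_sites else "BYPASS", host))
    return findings


# Constructed sample data (not real DNS answers).
EMEA = "Europe, the Middle East and Africa"
SAMPLE_CLEAN = """
example.com.  3600 IN MX 10 example.in.tmes.trendmicro.eu.
"""
SAMPLE_LEFTOVER = """
example.com.  3600 IN MX 10 example.in.tmes.trendmicro.eu.
example.com.  3600 IN MX 20 mail.example.com.   ; original inbound server kept as "backup"
"""
SAMPLE_WRONG_SITE = """
example.com.  3600 IN MX 10 Example.in.tmes.trendmicro.com.
"""

if __name__ == "__main__":
    for label, zone in [("clean", SAMPLE_CLEAN), ("leftover", SAMPLE_LEFTOVER),
                        ("wrong site", SAMPLE_WRONG_SITE)]:
        print(label, audit_mx("example.com", "example", EMEA, zone) or "OK")
```

To audit a live domain, paste the MX lines from your DNS provider's zone export or from a DNS lookup tool in place of the sample text.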


Setting Up Trend Micro Email Security


To ensure your organization achieves effective email security protection,
Trend Micro recommends you perform the following tasks:
1. Configure the domain you added and add additional domains if needed.
Check the status of the domain you added for provisioning and make
sure the domain has been configured properly. Add more domains if
necessary.
For details, see Managing Domains on page 60.
2. Import user directories that will be applied by policies.
Trend Micro Email Security provides multiple ways to import user
directories. Choose the method that suits your organization.
For details, see Directory Management on page 352.
3. Configure policies to design your organizational protection solution.
Trend Micro Email Security provides robust email management options,
enabling you to customize your email security protection and configure
policies to meet the needs of your organization. Trend Micro Email
Security is preconfigured with several default domain-level policies (if
configured) and default organization-level policies to provide immediate
protection upon deployment.
For details, see Configuring Policies on page 158.

Working with the Dashboard


The Dashboard screen displays charts for email traffic relayed through
Trend Micro Email Security.

Note
The time zone of the browser accessing Trend Micro Email Security is used.


Select the data shown in charts and their corresponding thumbnail charts on
the Threats, Top Statistics, or Other Statistics tab of Dashboard using the
following controls and settings.
Table 23. Controls and settings

Control Settings

Domain and direction of traffic
Select a domain and mail traffic direction using specific controls.

Tip
To select all domains, select all my domains from the
Managed domain drop-down list.

Settings
Click the settings icon on the right of the tabs to select widgets to
show on each tab as needed.

Time periods
Select a time period at the top of each chart. The following are the
definitions of time periods:
• Date: The most recent eight (8) days. Days are split into hours
from 0:00 to 23:59. Because days start at midnight, charts with a
time period of the current day will never show a full 24 hours of
data.
• Week: The most recent eight (8) weeks. Weeks are the days from
Sunday to Saturday. Because weeks start on Sunday, charts with
a time period of the current week will never show a full seven (7)
days of data.
• Month: The most recent two (2) months. Months are days from
the first to the last day of the calendar month. Because months
start on the first, charts with a time period of the current month
will never show the full month of data.
• Last 12 months: The data for the last twelve months plus all days
of the current month. Always shows more than one year of data.

Note
The specified time period only affects the data shown on the
current chart and its corresponding thumbnail chart on the
Summary tab. Changing the selection on a chart does not
affect other charts.


Table 24. Specific Charts

Chart Settings

• Ransomware Details
• Threats
• Threats Details
• Virtual Analyzer File Analysis Details
• Virtual Analyzer URL Analysis Details
• Virtual Analyzer Quota Usage Details
• Domain-based Authentication Details
Select a time period by Date, Week, Month, or Last 12 months to
show data for the selected time period.

• Top Business Email Compromise (BEC) Threats
• Top Analyzed Advanced Threats (Files)
• Top Analyzed Advanced Threats (URLs)
• Top Malware Detected by Predictive Machine Learning
• Top Malware Detected by Pattern-based Scanning
• Top Spam
• Top Data Loss Prevention (DLP) Incidents
Select a time period by Date, Week, Month, or Last 12 months to
show the total percentage of messages by value for the selected time
period.
Use the Top violators drop-down list to select the number of email
addresses that display on the chart.

• Volume
• Bandwidth
• Time-of-Click Protection
Select a time period by Date, Week, or Month to show data for the
selected time period.

Threats Tab
The Threats tab of Dashboard provides the information about the threats
processed by Trend Micro Email Security.

Ransomware Details Chart


The Ransomware Details chart on the Threats tab of Dashboard displays the
number of incoming messages detected as ransomware by different
components of Trend Micro Email Security.

Note
This widget is available for incoming mail traffic only.

Hover over Malware Scanning detections above the chart to view the
number of threats detected by Predictive Machine Learning and the number
of threats detected by pattern-based scanning.
Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

Threats Chart
The Threats chart on the Threats tab of Dashboard displays the total
percentage of messages detected as threats.
Select a time period by Date, Week, Month, or Last 12 months to show the
total percentage of messages by value for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
The following is the specific data displayed:

Table 25. Detected Values on Charts

Ransomware
• For Incoming Mail: The number of email messages containing attachments that are detected as ransomware or the URL of sites that directly or indirectly facilitate the distribution of ransomware
• For Outgoing Mail: The number of email messages containing attachments that are detected as ransomware or the URL of sites that directly or indirectly facilitate the distribution of ransomware

Malware (Pattern-based)
• For Incoming Mail: The number of email messages that pattern-based scanning detected as containing a malware threat
• For Outgoing Mail: The number of email messages that pattern-based scanning detected as containing a malware threat

Malware (PML Detected)
• For Incoming Mail: The number of email messages that Predictive Machine Learning detected as containing a malware threat
• For Outgoing Mail: The number of email messages that Predictive Machine Learning detected as containing a malware threat

Suspicious Files
• For Incoming Mail: The number of suspicious files detected during spam scanning
• For Outgoing Mail: The number of suspicious files detected during spam scanning

Analyzed Advanced Threats (Files)
• For Incoming Mail: The number of email messages containing suspected file threats detected as high risk by the Advanced Threat Scan Engine or analyzed by Virtual Analyzer as security risks
• For Outgoing Mail: Not available

Analyzed Advanced Threats (URLs)
• For Incoming Mail: The number of email messages containing suspected URL threats detected as high risk by the Advanced Threat Scan Engine or analyzed by Virtual Analyzer as security risks
• For Outgoing Mail: Not available

Probable Advanced Threats
• For Incoming Mail: The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine but not analyzed by Virtual Analyzer
• For Outgoing Mail: Not available

BEC
• For Incoming Mail: The number of email messages detected as Business Email Compromise (BEC) attacks
• For Outgoing Mail: Not available

Phishing
• For Incoming Mail: The number of email messages that Trend Micro Email Security content-based filtering detected as phishing threats
• For Outgoing Mail: The number of email messages that Trend Micro Email Security content-based filtering detected as phishing threats

Suspicious URLs
• For Incoming Mail: The number of suspicious URLs detected during spam scanning
• For Outgoing Mail: The number of suspicious URLs detected during spam scanning

Web Reputation
• For Incoming Mail: The number of email messages containing URLs that pose security risks
• For Outgoing Mail: The number of email messages containing URLs that pose security risks

Spam
• For Incoming Mail: The number of email messages that Trend Micro Email Security content-based filtering detected as spam
• For Outgoing Mail: The number of email messages that Trend Micro Email Security content-based filtering detected as spam

Domain-based Authentication
• For Incoming Mail: The number of messages that failed Sender IP Match, SPF, DKIM, and DMARC authentication
• For Outgoing Mail: Not available

Graymail
• For Incoming Mail: The number of email messages detected as graymail
• For Outgoing Mail: Not available

Data Loss Prevention
• For Incoming Mail: The number of email messages that triggered Data Loss Prevention incidents regardless of the action taken (block or pass)
• For Outgoing Mail: The number of email messages that triggered Data Loss Prevention incidents regardless of the action taken (block or pass)

Other
• For Incoming Mail: The number of email messages detected as virus scan exceptions or containing content filtering violations
• For Outgoing Mail: The number of email messages detected as virus scan exceptions or containing content filtering violations

Total: The total number of email messages processed

Threats Details Chart


The Threats Details chart on the Threats tab of Dashboard displays the
number of messages detected as threats and the total percentage of blocked
messages.

The Threats Details table allows you to drill down from overall metrics into
policy event logs for more granular data. The drill-down actions are available
only for threats detected within the past 30 days.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The following is the specific data displayed:


Table 26. Detected Values on Charts

Ransomware
• For Incoming Mail: The number of email messages containing attachments that are detected as ransomware or the URL of sites that directly or indirectly facilitate the distribution of ransomware
• For Outgoing Mail: The number of email messages containing attachments that are detected as ransomware or the URL of sites that directly or indirectly facilitate the distribution of ransomware

Malware (Pattern-based)
• For Incoming Mail: The number of email messages that pattern-based scanning detected as containing a malware threat
• For Outgoing Mail: The number of email messages that pattern-based scanning detected as containing a malware threat

Malware (PML Detected)
• For Incoming Mail: The number of email messages that Predictive Machine Learning detected as containing a malware threat
• For Outgoing Mail: The number of email messages that Predictive Machine Learning detected as containing a malware threat

Suspicious Files
• For Incoming Mail: The number of suspicious files detected during spam scanning
• For Outgoing Mail: The number of suspicious files detected during spam scanning

Analyzed Advanced Threats (Files)
• For Incoming Mail: The number of email messages containing suspected file threats detected as high risk by the Advanced Threat Scan Engine or analyzed by Virtual Analyzer as security risks
• For Outgoing Mail: Not available

Analyzed Advanced Threats (URLs)
• For Incoming Mail: The number of email messages containing suspected URL threats detected as high risk by the Advanced Threat Scan Engine or analyzed by Virtual Analyzer as security risks
• For Outgoing Mail: Not available

Probable Advanced Threats
• For Incoming Mail: The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine but not analyzed by Virtual Analyzer
• For Outgoing Mail: Not available

BEC
• For Incoming Mail: The number of email messages detected as Business Email Compromise (BEC) attacks
• For Outgoing Mail: Not available

Phishing
• For Incoming Mail: The number of email messages that Trend Micro Email Security content-based filtering detected as phishing threats
• For Outgoing Mail: The number of email messages that Trend Micro Email Security content-based filtering detected as phishing threats

Suspicious URLs
• For Incoming Mail: The number of suspicious URLs detected during spam scanning
• For Outgoing Mail: The number of suspicious URLs detected during spam scanning

Web Reputation
• For Incoming Mail: The number of email messages containing URLs that pose security risks
• For Outgoing Mail: The number of email messages containing URLs that pose security risks

Spam
• For Incoming Mail: The number of email messages that Trend Micro Email Security content-based filtering detected as spam
• For Outgoing Mail: The number of email messages that Trend Micro Email Security content-based filtering detected as spam

Domain-based Authentication
• For Incoming Mail: The number of messages that failed Sender IP Match, SPF, DKIM, and DMARC authentication
• For Outgoing Mail: Not available

Graymail
• For Incoming Mail: The number of email messages detected as graymail
• For Outgoing Mail: Not available

Data Loss Prevention
• For Incoming Mail: The number of email messages that triggered Data Loss Prevention incidents regardless of the action taken (block or pass)
• For Outgoing Mail: The number of email messages that triggered Data Loss Prevention incidents regardless of the action taken (block or pass)

Other
• For Incoming Mail: The number of email messages detected as virus scan exceptions or containing content filtering violations
• For Outgoing Mail: The number of email messages detected as virus scan exceptions or containing content filtering violations

Total: The total number of email messages processed

Virtual Analyzer File Analysis Details Chart


The Virtual Analyzer File Analysis Details chart on the Threats tab of
Dashboard displays the number and level of file threats detected by Virtual
Analyzer based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The following is the specific data displayed:

Table 27. Detected Values on Charts

High Risk
• For Incoming Mail: The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine and detected as high risk by Virtual Analyzer
• For Outgoing Mail: Not available

Medium Risk
• For Incoming Mail: The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine and detected as medium risk by Virtual Analyzer
• For Outgoing Mail: Not available

Low Risk
• For Incoming Mail: The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine and detected as low risk by Virtual Analyzer
• For Outgoing Mail: Not available

No Risk
• For Incoming Mail: The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine and detected as safe by Virtual Analyzer
• For Outgoing Mail: Not available

Risk Rating Unavailable
• For Incoming Mail: The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine but not analyzed by Virtual Analyzer
• For Outgoing Mail: Not available

Total: The total number of email messages processed

Virtual Analyzer URL Analysis Details Chart


The Virtual Analyzer URL Analysis Details chart on the Threats tab of
Dashboard displays the number and level of URL threats detected by Virtual
Analyzer based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The following is the specific data displayed:


Table 28. Detected Values on Charts

High Risk
• For Incoming Mail: The number of email messages containing suspected URL threats detected during spam scanning and rated as high risk by Virtual Analyzer
• For Outgoing Mail: Not available

Medium Risk
• For Incoming Mail: The number of email messages containing suspected URL threats detected during spam scanning and rated as medium risk by Virtual Analyzer
• For Outgoing Mail: Not available

Low Risk
• For Incoming Mail: The number of email messages containing suspected URL threats detected during spam scanning and rated as low risk by Virtual Analyzer
• For Outgoing Mail: Not available

No Risk
• For Incoming Mail: The number of email messages containing suspected URL threats detected during spam scanning and rated as safe by Virtual Analyzer
• For Outgoing Mail: Not available

Risk Rating Unavailable
• For Incoming Mail: The number of email messages containing suspected URL threats detected during spam scanning but not analyzed by Virtual Analyzer
• For Outgoing Mail: Not available

Total: The total number of email messages processed

Virtual Analyzer Quota Usage Details


The Virtual Analyzer Quota Usage Details chart on the Threats tab of
Dashboard displays the usage of the Virtual Analyzer submission quota.

Note
The data on this tab is displayed for incoming mail traffic only.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The following is the specific data displayed:


Table 29. Values on Charts

File submission quota
• For Incoming Mail: The total number of file submissions to Virtual Analyzer allowed by the allocated quota
• For Outgoing Mail: Not available

URL submission quota
• For Incoming Mail: The total number of URL submissions to Virtual Analyzer allowed by the allocated quota
• For Outgoing Mail: Not available

Files over quota
• For Incoming Mail: The number of file submissions over quota
• For Outgoing Mail: Not available

URLs over quota
• For Incoming Mail: The number of URL submissions over quota
• For Outgoing Mail: Not available

Total: The total number of file and URL submissions over quota

Domain-based Authentication Details Chart


The Domain-based Authentication Details chart on the Threats tab of
Dashboard displays the number of messages that failed Sender IP Match,
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and
Domain-based Message Authentication, Reporting & Conformance (DMARC)
authentication based on the selected mail traffic direction.

Sender IP Match lets you allow all inbound email traffic from a particular
domain while preventing spoofing, by manually defining the allowed IP
ranges. SPF, DKIM, and DMARC are three email authentication systems that
protect against email spoofing.

Note
The data on this tab is displayed for incoming mail traffic only.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The following is the specific data displayed:


Table 30. Detected Values on Charts

Detected values for incoming mail:

Sender IP Match: The total number of messages that failed the Sender IP Match check.

SPF: The total number of messages that failed SPF check.

DKIM: The total number of messages that failed DKIM verification.

DMARC: The total number of messages that failed DMARC authentication.

DMARC - SPF: The total number of messages that failed SPF check of DMARC authentication.

DMARC - DKIM: The total number of messages that failed DKIM signature check of DMARC authentication.

DMARC - Alignment: The total number of messages that failed alignment check of DMARC authentication.

DMARC - Availability: The total number of messages that failed availability check of DMARC authentication because the sending domain does not have any DMARC record.
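
Table 30 splits DMARC failures into SPF, DKIM, alignment, and availability rows. The Python sketch below is an added example, not Trend Micro code, that walks one message through a DMARC evaluation and reports which of those rows it would fall under. The `Message` class, the sample domains, the last-two-labels shortcut for the organizational domain, and the mapping of outcomes to row names are assumptions, because this guide does not document how the service attributes a failure to each row.

```python
"""Added example: map one message's SPF/DKIM/DMARC evaluation to Table 30 rows."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_dmarc_record(txt: Optional[str]) -> Optional[dict]:
    """Return the record's tags, or None when no usable DMARC record exists."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain: str) -> str:
    # Simplification (assumption): the last two labels stand in for the
    # organizational domain. Real evaluators consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' means exact match, anything else is relaxed."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:  # hypothetical container, not a product data structure
    from_domain: str                   # domain in the visible From: header
    spf_result: str                    # "pass", "fail", "softfail", "none", ...
    spf_domain: str                    # envelope sender (MAIL FROM) domain
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d=)
    dmarc_record: Optional[str] = None  # TXT record for the From domain, if any


def failed_rows(msg: Message) -> List[str]:
    """Return the Table 30 DMARC rows this message would count under."""
    tags = parse_dmarc_record(msg.dmarc_record)
    if tags is None:
        return ["DMARC - Availability"]

    spf_ok = msg.spf_result == "pass"
    dkim_ok = any(result == "pass" for result, _ in msg.dkim)
    spf_aligned = spf_ok and aligned(
        msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(
        result == "pass" and aligned(d, msg.from_domain, tags.get("adkim", "r"))
        for result, d in msg.dkim)

    # DMARC passes when at least one mechanism both passes and aligns.
    if spf_aligned or dkim_aligned:
        return []

    rows = ["DMARC"]
    if not spf_ok:
        rows.append("DMARC - SPF")
    if not dkim_ok:
        rows.append("DMARC - DKIM")
    if spf_ok or dkim_ok:
        # Something authenticated, but for a domain unrelated to From:.
        rows.append("DMARC - Alignment")
    return rows


# Constructed sample messages (reserved example domains, not real traffic).
SAMPLES = {
    "clean": Message("example.com", "pass", "example.com", [],
                     "v=DMARC1; p=reject"),
    "third_party_sender": Message("example.com", "pass", "bulk.example.net",
                                  [("pass", "example.net")],
                                  "v=DMARC1; p=quarantine"),
    "no_record": Message("example.org", "pass", "example.org", [], None),
    "spoofed": Message("example.com", "fail", "example.com",
                       [("fail", "example.com")], "v=DMARC1; p=reject"),
    "strict_spf": Message("example.com", "pass", "mail.example.com", [],
                          "v=DMARC1; p=reject; aspf=s"),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(f"{name:20s} -> {failed_rows(message) or 'DMARC pass'}")
```

The `third_party_sender` case is the one that most often surprises administrators: SPF and DKIM both pass, yet the message still fails DMARC because neither authenticated domain matches the From domain.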

Blocked Message Details


The Blocked Message Details chart on the Threats tab of Dashboard
displays the number of messages blocked for different reasons.
Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
The following is the specific data displayed:

Table 31. Values on Charts

Sender IP found in QIL: The number of messages blocked because the sender IP address was detected in the Quick IP List (QIL)

Sender IP found in KSSL: The number of messages blocked because the sender IP address was found in the Known Spam Source List (KSSL)

Sender IP found in DUL: The number of messages blocked because the sender IP address was found in the Dynamic User List (DUL)

Sender IP found in ETL: The number of messages blocked because the sender IP address was found in the Emerging Threat List (ETL)

Sender IP found in block list: The number of messages blocked because the sender IP address was found in the customized block list

Recipient invalid: The number of messages blocked because the recipient was not in the Valid Recipient list when Recipient Directory Management is enabled

Sender IP not allowed: The number of messages blocked because the sender IP address was not in the Outbound Servers under Domain Management

Sender domain not found: The number of messages blocked because the sender domain was not found in the public DNS system

Recipient domain not found: The number of messages blocked because the recipient domain was not found in the public DNS system

TLS not available: The number of messages blocked because the email client did not use TLS

Message too big: The number of messages blocked because the message size exceeded the maximum

Rate limit exceeded: The number of messages blocked because the total number of messages exceeded the maximum limit in a certain period

Rate limit exceeded - message count (by IP address): The number of messages blocked because the total number of messages sent from a single IP address exceeded the maximum limit in a certain period

Rate limit exceeded - message count (by email address): The number of messages blocked because the total number of messages sent from or to a single email address exceeded the maximum limit in a certain period

Rate limit exceeded - data size (by IP address): The number of messages blocked because the accumulated data size from a single IP address exceeded the maximum limit in a certain period

Rate limit exceeded - data size (by email address): The number of messages blocked because the accumulated data size from or to a single email address exceeded the maximum limit in a certain period

Rate limit exceeded - data size (by domain): The number of messages blocked because the accumulated data size from or to a single domain exceeded the maximum limit in a certain period

Recipient blocked: The number of messages blocked because the recipient email address was found in the internal global block list

Sender IP blocked: The number of messages blocked because the sender IP address was found in the internal global block list

Sender blocked: The number of messages blocked because the sender email address was found in the blocked sender list or the internal global block list

Policy matching error: The number of messages blocked because an error occurred during policy matching

Sender domain malformed: The number of messages blocked because the sender’s DNS record was found malformed

Recipient domain malformed: The number of messages blocked because the recipient’s DNS record was found malformed

Other: The number of messages blocked due to other reasons

Total: The total number of email messages blocked

Top Statistics Tab


The Top Statistics tab of Dashboard provides the top 20 recipients of spam,
malware, Business Email Compromise threats, and analyzed advanced
threats.

Top BEC Attacks Detected by Antispam Engine Chart


The Top BEC Attacks Detected by Antispam Engine chart on the Top
Statistics tab of Dashboard displays the email recipients that received the
most messages containing Business Email Compromise (BEC) attacks as
detected by the Antispam Engine based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.

Select a time period by Date, Week, or Month to show data for the selected
time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top BEC Attacks Detected by Writing Style Analysis Chart


The Top BEC Attacks Detected by Writing Style Analysis chart on the Top
Statistics tab of Dashboard displays the email recipients that received the
most messages containing Business Email Compromise (BEC) attacks as
detected by writing style analysis based on the selected mail traffic direction.

Note
For details about writing style analysis, see Configuring Business Email
Compromise Criteria on page 179.
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Targeted High Profile Users


The Top Targeted High Profile Users chart on the Top Statistics tab of
Dashboard displays the high profile users that were most frequently targeted
for BEC attacks through email and detected by writing style analysis during
the selected time period.

Note
For details about high profile users, see Configuring High Profile Users on page
137.
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Analyzed Advanced Threats (Files) Chart


The Top Analyzed Advanced Threats (Files) chart on the Top Statistics tab
of Dashboard displays the email addresses that received the most messages
containing advanced file threats based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Analyzed Advanced Threats (URLs) Chart


The Top Analyzed Advanced Threats (URLs) chart on the Top Statistics tab
of Dashboard displays the email addresses that received the most messages
containing advanced URL threats based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Malware Detected by Predictive Machine Learning Chart


Trend Micro Predictive Machine Learning uses advanced machine learning
technology to correlate threat information and perform in-depth file analysis
to detect emerging unknown security risks through digital DNA
fingerprinting, API mapping, and other file features. For details, see About
Predictive Machine Learning on page 178.
The Top Malware Detected by Predictive Machine Learning chart on the
Top Statistics tab of Dashboard displays the email addresses that sent or
received the most messages containing malware threats, as detected by
Predictive Machine Learning.
Hover over a bar to see details.
Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Malware Detected by Pattern-based Scanning Chart


The Top Malware Detected by Pattern-based Scanning chart on the Top
Statistics tab of Dashboard displays the email addresses that sent or
received the most messages containing malware threats based on the
selected mail traffic direction, as detected by traditional pattern-based
scanning.

Hover over a bar to see details.

Select a time period by Date, Week, or Month to show data for the selected
time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Spam Chart


The Top Spam chart on the Top Statistics tab of Dashboard displays the
email addresses that sent or received the most spam messages based on the
selected mail traffic direction.

Hover over a bar to see details.

Select a time period by Date, Week, or Month to show data for the selected
time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Data Loss Prevention (DLP) Incidents Chart


The Top Data Loss Prevention (DLP) Incidents chart on the Top Statistics
tab of Dashboard displays the email addresses that sent or received the most
messages triggering DLP incidents regardless of the action taken (block or
pass) based on the selected mail traffic direction.

Select a time period by Date, Week, or Month to show data for the selected
time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Other Statistics Tab


The Other Statistics tab of Dashboard provides volume and bandwidth of
messages processed by Trend Micro Email Security.

Volume Chart
The Volume chart on the Summary tab of Dashboard displays the total
number of accepted and blocked messages and the total percentage of
blocked messages.
Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
The following is the specific data displayed:

Table 32. Detected Values on Charts

Blocked
• For Incoming Mail: The number of email messages blocked by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering

  Note
  This value does not include messages blocked by content-based filtering.

• For Outgoing Mail: The number of messages blocked using Trend Micro Email Security relay mail service filtering

  Possible reasons for blocking include:
  • Recipient address is not resolvable (such as someone@???.com).
  • Spammers forged the mail sender address so the message appears to be coming from the customer domain.
  • The customer's MTA is compromised and is sending spam messages (for example, it is an open relay).

Accepted
• For Incoming Mail: The number of email messages passed by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering
• For Outgoing Mail: The number of messages passed by Trend Micro Email Security relay mail service filtering

Blocked %
• For Incoming Mail: The percentage of email messages blocked by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering
• For Outgoing Mail: The percentage of messages blocked by Trend Micro Email Security relay mail service filtering

Total: The total number of email messages processed

Bandwidth Chart
The Bandwidth chart on the Other Statistics tab of Dashboard displays the
total size of email messages scanned by Trend Micro Email Security.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The traffic direction does not change the data displayed on charts. The
following is the specific data displayed:

Table 33. Detected Values on Charts

The following values are the same for incoming mail and outgoing mail:

Not Quarantined: The total size of email messages that Trend Micro Email Security did not quarantine

Quarantined: The total size of email messages that Trend Micro Email Security quarantined

Note
By default, no messages are quarantined. To begin using the
quarantine, select a quarantine action for one or more policy rules.

Total Size: The total size of email messages scanned by Trend Micro Email Security

Time-of-Click Protection Chart


The Time-of-Click Protection chart on the Other Statistics tab of Dashboard
displays the total number of URL clicks, number of clicks allowed and
blocked, number of clicks warned and stopped, and number of clicks warned
but clicked through.

Select a time period by Date, Week or Month to show daily, weekly or
monthly data for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

Note
If you select Outgoing from Direction, this chart will be hidden because Time-
of-Click Protection applies only to incoming messages.

The following is the specific data displayed:


Table 34. Detected Values on Charts

Detected values for incoming mail:

Blocked: The total number of URL clicks analyzed and blocked by Trend Micro Email Security at the time of click.

Allowed: The total number of URL clicks analyzed and allowed by Trend Micro Email Security at the time of click.

Warned and stopped: The total number of URL clicks collected where Trend Micro Email Security warned users and users stopped their access to the URLs.

Warned but accessed: The total number of URL clicks collected where Trend Micro Email Security warned users but users continued to access the URLs.

Total: The total number of URL clicks collected where Trend Micro Email Security provides Time-of-Click Protection.

Managing Domains
Use the Domains screen to add, modify, or delete domains.
Table 35. Fields on the Domains screen

Field / Description

Domain name
  Name of a domain you added.

Inbound Servers
  Recipient: Recipient can be a wildcard (*) or an exact email address.
  IP address or FQDN: Fully qualified domain name (FQDN) is a unique
  name, which includes both host name and domain name, and resolves to
  a single IP address.
  • For example: hostmaster1.example.com or mailhost.example.com
  • Not valid: example.com
  Port: Port is a number from 1 to 65535 that an inbound server listens on.
  These ports vary based on server configuration.
  Preference: Preference, sometimes referred to as distance, is a value from
  1 to 100. The lower the preference value, the higher the priority.
  Note: If more than one mail server is available, delivery is prioritized to
  servers with lower values. Using the same value will balance
  delivery to each server.

Outbound Servers
  If outbound protection is enabled, this is the information for the MTA(s)
  that Trend Micro Email Security relays your outbound messages from.
  The following options are available:
  Office 365: Relays your outbound messages from your Office 365
  solution.
  Google Workspace: Relays your outbound messages from your Google
  Workspace solution.
  User-defined mail servers: Relays your outbound messages from the
  mail servers you specified for your managed domain.

Time Added
  Time when a domain was added.

Status
  Status of a domain, which can be one of the following:
  • Completed: All required information and operations have been
  completed. The domain is successfully added.
  • Configuration Required: Certain required information or
  configurations are missing or incorrect.

Adding a Domain

Procedure
1. Click Domains.
2. On the Domains screen, click Add.
The Add Domain screen appears.
3. In the General section, specify the following:
• Domain name: Includes everything to the right of the at sign (@) in
email addresses managed by the server(s) being added.
• Skip default domain-level policy creation: By default, this check
box is selected.
Trend Micro recommends that you skip creating default domain-
level policy rules. The preconfigured default organization-level
policy rules have the same rule scanning criteria as the default
domain-level policy rules and will automatically apply to the new
domain.
If your account was provisioned before the release of the
organization-level policy feature, no default organization-level
policy rules were available. Trend Micro recommends that you
manually create organization-level policy rules to provide
organization-level protection.
4. In the Inbound Servers section, specify the following:

• Recipient: Recipient can be a wildcard (*) or an exact email address.
Specify the local part of an email address.
• IP address or FQDN: Fully qualified domain name (FQDN) is a
unique name, which includes both host name and domain name,
and resolves to a single IP address.
• Port: Port is a number from 1 to 65535 that an inbound server
listens on. These ports vary based on server configuration.
• Preference: Preference, sometimes referred to as distance, is a
value from 1 to 100. The lower the preference value, the higher the
priority.
If more than one mail server is available, delivery is prioritized to
servers with lower values. Using the same value will balance
delivery to each server.

Note
You can specify up to 30 inbound servers and 30 outbound servers.
Use the add and the remove buttons to manage additional
entries.

Here is an example to explain how messages are routed to inbound
servers based on preference values.

Table 36. Message routing example

| Recipient | IP Address or FQDN | Preference |
|---|---|---|
| *@test.com | 1.2.3.4 | 10 |
| recipient1@test.com | 1.2.3.5 | 11 |
| recipient2@test.com | 1.2.3.6 | 9 |

If a message is sent to recipient1@test.com, Trend Micro Email
Security routes the message to the server (IP address: 1.2.3.4) with
lower preference value (10), and then the server (IP address: 1.2.3.5)
if the first server is unavailable.

If a message is sent to recipient2@test.com, Trend Micro Email
Security routes the message to the server (IP address: 1.2.3.6) with
lower preference value (9), and then the server (IP address: 1.2.3.4)
if the first server is unavailable.
• Send test message to: (optional) Email address used to confirm
email delivery from Trend Micro Email Security.
5. In the Outbound Servers section, specify the following:
• Select Enable outbound protection.

WARNING!
Enabling outbound protection without specifying outbound servers
will prevent the delivery of any outbound traffic routed through the
service.

• Configure outbound servers using the following options:


• Office 365: Relays your outbound messages from your Office
365 solution.
• Google Workspace: Relays your outbound messages from your
Google Workspace solution.
• User-defined mail servers: Relays your outbound messages
from the mail servers you specified for your managed domain.
6. Click Add Domain.
If the domain is valid and an MX record for the domain exists, the
domain appears on the Domains screen.
After adding a domain, Trend Micro sends a welcome message to the
administrative email address on record.
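
The routing rule from Table 36, written out as an added example (not Trend Micro code). It models inbound server entries with the Recipient, Preference and Port ranges given above; the InboundServer class, the function names and the default port 25 are assumptions made for this illustration.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class InboundServer:
    recipient: str    # "*" (wildcard) or the local part of an exact address
    host: str         # IP address or FQDN
    preference: int   # 1 to 100; lower value = higher priority
    port: int = 25    # assumed default; the page only gives the 1-65535 range

    def __post_init__(self):
        if not 1 <= self.preference <= 100:
            raise ValueError(f"preference out of range: {self.preference}")
        if not 1 <= self.port <= 65535:
            raise ValueError(f"port out of range: {self.port}")


# Table 36 from the page, for the managed domain test.com.
TABLE_36 = [
    InboundServer("*", "1.2.3.4", 10),
    InboundServer("recipient1", "1.2.3.5", 11),
    InboundServer("recipient2", "1.2.3.6", 9),
]


def delivery_tiers(servers, domain, rcpt):
    """Return the hosts eligible for rcpt, grouped by preference.

    Each inner list is one preference value; tiers are tried in order.
    Servers sharing a preference land in the same tier (the page says
    delivery is balanced between them; the balancing itself is not modelled).
    """
    local, _, rcpt_domain = rcpt.lower().rpartition("@")
    if rcpt_domain != domain.lower():
        return []
    matching = sorted(
        (s for s in servers
         if s.recipient == "*" or s.recipient.lower() == local),
        key=lambda s: s.preference,
    )
    return [[s.host for s in tier]
            for _, tier in groupby(matching, key=lambda s: s.preference)]


def pick_server(servers, domain, rcpt, is_available):
    """Return the first reachable host, walking tiers from lowest preference."""
    for tier in delivery_tiers(servers, domain, rcpt):
        for host in tier:
            if is_available(host):
                return host
    return None


if __name__ == "__main__":
    for rcpt in ("recipient1@test.com", "recipient2@test.com"):
        print(rcpt, delivery_tiers(TABLE_36, "test.com", rcpt))
```

Note that an exact recipient entry does not take precedence over the wildcard entry: in Table 36 the wildcard server wins for recipient1@test.com because its preference value is lower.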

Configuring a Domain
After adding a domain, perform required configurations to finish
provisioning the domain. On the Domains screen, any domain missing
required configurations is in the “Configuration required” status, and a red
exclamation mark will be shown next to the field that requires your
operation or reports any problem. You can hover over the exclamation mark
to view the detailed error message.
After you finish all required operations, the status of the domain will change
from “Configuration required” into “Completed.”

Procedure
1. In the General section, verify your domain.
a. Add the TXT record provided on the console to your domain's DNS
configuration to prove that you own the domain.
b. Click Verify.
The message “Domain verified” appears if the domain verification is
successful.
If your domain does not pass verification, the built-in policy rule "Global
Anti-Virus Rule (Enforced on Unverified Domains)" will be forcibly
applied to incoming messages sent to the domain.
If you have difficulty adding the TXT record, you can add an MX record
for your domain instead:
Add an MX record for the Trend Micro Email Security server with the
highest preference value.
• North America, Latin America and Asia Pacific:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmes.trendmicro.com

• Europe, the Middle East and Africa:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmes.trendmicro.eu

• Australia and New Zealand:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmes-anz.trendmicro.com

• Japan:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmems-jp.trendmicro.com

• Singapore:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmes-sg.trendmicro.com

• India:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmes-in.trendmicro.com

Note
In the preceding MX record, the second preference value 32767 is only
used as an example. When setting the second preference value, make sure
it is larger than the first preference value, which means this route has
lower priority than the first one.


To learn more about MX records, see About MX Records and Trend Micro
Email Security on page 398.

Tip
DNS propagation can take up to 48 hours. The status of the domain you are
adding does not change until DNS propagation is complete. During this
period, do not turn off any on-premises security. While waiting for DNS
propagation, you can use the administrator console to customize the
domain settings for features such as Policy, Recipient Filter, Sender
Filter, Policy Objects, BEC, and IP Reputation.
If the domain stays as unverified for more than 48 hours, confirm that the
TXT record or MX record for the domain is correct.
• For Linux, run one of the following commands:
dig txt <domain_name>
dig mx <domain_name>

• For Windows, run one of the following commands:
nslookup -q=txt <domain_name>
nslookup -q=mx <domain_name>

2. In the Inbound Servers section, complete the following configurations:


a. Configure your firewall to accept email messages from the following
Trend Micro Email Security IP addresses or CIDR blocks:
• North America, Latin America and Asia Pacific:
18.208.22.64/26
18.208.22.128/25
18.188.9.192/26
18.188.239.128/26

• Europe, the Middle East and Africa:
18.185.115.0/25
18.185.115.128/26
34.253.238.128/26
34.253.238.192/26

• Australia and New Zealand:
13.238.202.0/25
13.238.202.128/26

• Japan:
18.176.203.128/26
18.176.203.192/26
18.177.156.0/26
18.177.156.64/26

• Singapore:
13.213.174.128/25
13.213.220.0/26

• India:
3.110.59.128/25
3.110.71.192/26

Note
If you are using a third-party IP reputation service, add the preceding
Trend Micro Email Security IP addresses or CIDR blocks to the
approved list of the IP reputation service, or disable the third-party
service and enable Trend Micro Email Security to perform IP
reputation-based filtering for you.

b. Click Test Connection.

c. Point the MX record of your domain to the Trend Micro Email
Security server with the lowest preference value.

• North America, Latin America and Asia Pacific:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmes.trendmicro.com

• Europe, the Middle East and Africa:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmes.trendmicro.eu

• Australia and New Zealand:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmes-anz.trendmicro.com

• Japan:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmems-jp.trendmicro.com

• Singapore:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmes-sg.trendmicro.com

• India:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmes-in.trendmicro.com

To learn more about MX records, see About MX Records and Trend
Micro Email Security on page 398.
d. Click Verify to verify the inbound servers you added.
The message “Inbound servers verified” appears if the inbound
server verification is successful.
e. Type an email address next to Send test message to to verify that
messages are being delivered from Trend Micro Email Security.
3. In the Outbound Servers section, complete the following
configurations:
a. If your domain has SPF records, make sure the SPF record under
the Outbound Servers section is also included.
For details about adding SPF records, see Adding SPF Records on page
71.
b. Click Verify.
c. Route your outbound mail server to the following Trend Micro
Email Security MTA for your region:
• North America, Latin America and Asia Pacific:
<company_identifier>.relay.tmes.trendmicro.com

• Europe, the Middle East and Africa:
<company_identifier>.relay.tmes.trendmicro.eu

• Australia and New Zealand:
<company_identifier>.relay.tmes-anz.trendmicro.com

• Japan:
<company_identifier>.relay.tmems-jp.trendmicro.com

• Singapore:
<company_identifier>.relay.tmes-sg.trendmicro.com

• India:
<company_identifier>.relay.tmes-in.trendmicro.com

4. If you currently use Office 365, configure Office 365 connectors to allow
email traffic to or from Trend Micro Email Security MTAs.
See Adding Office 365 Inbound Connectors on page 72.
See Adding Office 365 Outbound Connectors on page 75.

Adding SPF Records


Sender Policy Framework (SPF) is an open standard to prevent sender
address forgery. An SPF record is a type of Domain Name Service (DNS)
record that identifies which mail servers are permitted to send email
messages on behalf of your domain. The purpose of an SPF record is to
prevent spammers from sending messages with forged addresses at your
domain.

Procedure
1. Access your DNS hosting provider's website.
2. Edit the existing SPF record or create a new TXT record for SPF.
If you have an SPF record for your domain, add required values to the
current record for Trend Micro. For example, change the following TXT
record:
v=spf1 ip4:x.x.x.x include:spf.example.com ~all

Into:

v=spf1 ip4:x.x.x.x include:<SPF record under the Outbound Servers section> include:spf.example.com ~all

Important
A domain cannot have more than one TXT record for SPF. If your domain
has more than one SPF record, a message delivery or spam classification
issue may occur.
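
A check for the two conditions described above (exactly one SPF record, and the required include present), as an added example that is not part of the original guide. The value spf.provider.example is a placeholder for the SPF record shown under the Outbound Servers section, the TXT strings are constructed samples, and the function names and finding codes are invented for this illustration.

```python
def _is_all(term):
    """True for the catch-all mechanism with any qualifier (+all, -all, ~all, ?all)."""
    return term.lstrip("+-~?").lower() == "all"


def spf_records(txt_records):
    """Keep only TXT strings whose first term is the SPF version tag."""
    found = []
    for txt in txt_records:
        parts = txt.split()
        if parts and parts[0].lower() == "v=spf1":
            found.append(txt)
    return found


def add_include(record, include):
    """Insert include:<include> before the first existing include or 'all' term.

    This mirrors the before/after TXT records shown in the procedure.
    """
    terms = record.split()
    new_term = f"include:{include}"
    if new_term.lower() in (t.lower() for t in terms):
        return record
    pos = next(
        (i for i, t in enumerate(terms[1:], 1)
         if t.lower().lstrip("+").startswith("include:") or _is_all(t)),
        len(terms),
    )
    terms.insert(pos, new_term)
    return " ".join(terms)


def audit_spf(txt_records, required_include):
    """Return a list of finding codes; an empty list means the record is fine."""
    records = spf_records(txt_records)
    if not records:
        return ["NO_SPF"]
    findings = []
    if len(records) > 1:
        # The page: a domain cannot have more than one TXT record for SPF.
        findings.append("MULTIPLE_SPF")
    wanted = f"include:{required_include}".lower()
    for record in records:
        terms = [t.lower().lstrip("+") for t in record.split()[1:]]
        all_pos = next((i for i, t in enumerate(terms) if _is_all(t)), len(terms))
        if wanted not in terms:
            findings.append("MISSING_INCLUDE")
        elif terms.index(wanted) > all_pos:
            # Terms after the 'all' mechanism are never evaluated.
            findings.append("INCLUDE_AFTER_ALL")
    return findings


# Constructed sample data (192.0.2.10 is a documentation address).
PLACEHOLDER_INCLUDE = "spf.provider.example"
BEFORE = "v=spf1 ip4:192.0.2.10 include:spf.example.com ~all"

if __name__ == "__main__":
    after = add_include(BEFORE, PLACEHOLDER_INCLUDE)
    print(after)
    print(audit_spf([after, "site-verification=constructed"], PLACEHOLDER_INCLUDE))
```

Feed audit_spf the TXT strings returned by the dig txt or nslookup -q=txt commands from the domain verification step.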

Adding Office 365 Inbound Connectors


Before you begin

Before integrating your Office 365 managed domain name with Trend Micro
Email Security, perform all steps recommended by Microsoft to complete
configuration of Office 365 email management for your domain.
To configure inbound connectors, ensure that you have an Office 365
administrator account.
Some organizations use Office 365 to remotely host their email architecture,
allowing Microsoft to manage the day-to-day aspects of maintaining their
email servers. Trend Micro Email Security integrates with Office 365 to
provide additional security and benefits.
Configure Office 365 connectors to allow email traffic to and from Trend
Micro Email Security MTAs.

Important
Consult the Office 365 help for information about adding connectors. Some
Office 365 plans do not offer connectors.
http://technet.microsoft.com/en-us/library/exchange-online-mail-flow.aspx

Procedure
1. Log on to your Office 365 administration center.


2. In the navigation on the left, go to Admin > Admin centers > Exchange
The Exchange admin center screen appears.
3. In the navigation on the left, go to mail flow, and then click connectors
in the top navigation.
4. Do the following to add an Inbound Connector to Office 365:

Note
By adding an inbound connector, you can configure Office 365 to accept
mail filtered by Trend Micro Email Security for delivery to email accounts
in your Office 365 managed domain.

a. Click the plus (+) icon.


A new connector configuration screen appears.
b. In the From field, select Partner organization.
c. In the To field, select Office 365.
d. Click Next.
e. In the Name field, type a descriptive name for the connector.
For example, type Trend Micro Email Security (Inbound).
f. Select the Turn it on check box.
g. Click Next.
h. Select Use the sender's IP address, and then click Next.
i. In the Specify the sender IP address range. field, add the following
Trend Micro Email Security IP addresses:
• North America, Latin America and Asia Pacific:
18.208.22.64/26
18.208.22.128/25
18.188.9.192/26
18.188.239.128/26

• Europe, the Middle East and Africa:
18.185.115.0/25
18.185.115.128/26
34.253.238.128/26
34.253.238.192/26

• Australia and New Zealand:
13.238.202.0/25
13.238.202.128/26

• Japan:
18.176.203.128/26
18.176.203.192/26
18.177.156.0/26
18.177.156.64/26

• Singapore:
13.213.174.128/25
13.213.220.0/26

• India:
3.110.59.128/25
3.110.71.192/26

j. Click Next.
k. Select Reject email messages if they aren't sent over TLS, and then
click Next.
The New connector confirmation screen appears, displaying all the
settings that you have configured.


l. Click Save.

Adding Office 365 Outbound Connectors


Before you begin

To configure outbound connectors, ensure that you have an Office 365
administrator account.

Some organizations use Office 365 to remotely host their email architecture,
allowing Microsoft to manage the day-to-day aspects of maintaining their
email servers. Trend Micro Email Security integrates with Office 365 to
provide additional security and benefits.

Configure Office 365 connectors to allow email traffic to and from Trend
Micro Email Security MTAs.

Important
Consult the Office 365 help for information about adding connectors. Some
Office 365 plans do not offer connectors.

http://technet.microsoft.com/en-us/library/exchange-online-mail-flow.aspx

Procedure

1. Log on to your Office 365 administration center.

2. In the navigation on the left, go to Admin > Admin centers > Exchange

The Exchange admin center screen appears.

3. In the navigation on the left, go to mail flow, and then click connectors
in the top navigation.

4. Do the following to add an Outbound Connector to Office 365:


Note
By adding an outbound connector, you can configure Office 365 to relay
outbound mail to Trend Micro Email Security for filtering and delivery to
recipients outside of your Office 365 managed domain.

a. Click the plus (+) icon.


A new connector configuration screen appears.
b. In the From field, select Office 365.
c. In the To field, select Partner organization.
d. Click Next.
e. In the Name field, type a descriptive name for the connector.
For example, type Trend Micro Email Security (Outbound).
f. Select the Turn it on check box.
g. Click Next.
h. Select Only when I have a transport rule set up that redirects
messages to this connector, and then click Next.
i. Select Route email through these smart hosts, click the plus (+)
icon, and then add the following host to the list:
<company_identifier>.relay.<domain_name>

Note
In the preceding information, replace <company_identifier> and
<domain_name> with actual values. The value of <domain_name>
varies according to your location:

• North America, Latin America and Asia Pacific:
tmes.trendmicro.com

• Europe, the Middle East and Africa:
tmes.trendmicro.eu

• Australia and New Zealand:
tmes-anz.trendmicro.com

• Japan:
tmems-jp.trendmicro.com

• Singapore:
tmes-sg.trendmicro.com

• India:
tmes-in.trendmicro.com

j. Click Next.
k. Keep the default settings on the screen that appears, and click Next.
The New connector confirmation screen appears, displaying all the
settings that you have configured.
l. Click Next.
m. Add an email address to the field provided, and then click Validate.
After the validation process completes, the Validation Result screen
displays.
n. Click Save.
5. Add an email flow rule to use the outbound connector you created.


a. In the navigation on the left, go to mail flow, and then click rules in
the top navigation.
b. Click the plus (+) icon and click Create a new rule.
c. In the Name field, type a name for the rule, for example, Trend
Micro Email Security (Outbound).

d. Under Apply this rule if..., select The recipient is located and then
Outside the organization and click OK.
e. Click More Options at the bottom to show more settings.
f. Under Do the following..., select Redirect the message to and then
the following connector and choose the outbound connector you
created for message redirection.
g. Configure the remaining fields if necessary; otherwise, keep the
default settings for them.
h. Click Save.

Editing or Deleting Domains

Procedure
1. On the Domains screen, select domains by doing one of the following:
• To select one or more domains, select the check box to the left of
each entry.
• To select all domains, select the check box to the left of the Domain
Name column title.
2. To edit information for a domain, do the following:
a. Click the domain name in the Domain Name column.
The Edit Domain screen appears, with fields pre-filled with the
information on record for that domain.

b. Modify the fields as needed.

3. To delete domains, select one or multiple domain records and click
Delete.

Inbound and Outbound Protection

Managing Recipient Filter


The Recipient Filter screen displays the list of available domains. You can
enable or disable these domains to check valid recipients and export the
domain recipient lists to local storage.
Table 37. Recipient Filter Tasks

| Tasks | Steps |
|---|---|
| Enable All Filters | On the Recipient Filter screen, click Enable All to enable all filters in all domains. |
| Disable All Filters | On the Recipient Filter screen, click Disable All to disable all filters in all domains. |
| Export All | On the Recipient Filter screen, click Export All to export all filters in all domains to the local storage. |
| Export A Filter List | On the Recipient Filter screen, click the icon under the Export column to export the filter list in a domain. |

Managing Sender Filter


Trend Micro Email Security allows you to configure the following to filter
senders of incoming messages for the entire organization, a managed
domain, or a specific recipient address in your managed domains:


• Approved senders
Specifies the senders to allow using specific email addresses or entire
domains.
• Blocked senders
Specifies the senders to block using specific email addresses or entire
domains.
• Sender filter settings
• Specifies the type of sender addresses collected to match the
approved and blocked sender lists.
• Specifies whether to insert an X-Header in the message header for
email messages matching approved senders.
Trend Micro Email Security achieves a two-way synchronization between the
following data:
• Senders configured for a specific end user on the administrator console
• Senders added by that user through the End User Console or quarantine
digest notifications
Any changes made to the approved or blocked senders of an end user on either
the administrator console or the End User Console should be reflected in the
other location.

Sender Filter Settings


Just like physical letters, an email message has two sets of addresses: the
envelope address and the message header address. The envelope address,
like the address on the outside of an envelope, is used by the MTA to route
and deliver the email message; the message header address, which is part of
the message header, is similar to the address attached to a salutation at the
start of a physical letter.
The Settings tab on the Sender Filter screen enables you to choose the type
of sender addresses Trend Micro Email Security uses to match the approved
or blocked sender list.


The following options are available:


• Envelope addresses
• Message header addresses
By default, both options are selected. Trend Micro Email Security uses both
addresses for matching. The Message header addresses option can be
modified while the Envelope addresses option cannot.

Note
If Message header addresses is selected on the Quarantine > End User
Quarantine Settings screen, Trend Micro recommends you also select it on the
Sender Filter Settings screen. Otherwise, the approved or blocked senders
added by end users will not work as expected.

Trend Micro Email Security provides the capability of inserting an X-Header
in the message header for email messages matching approved senders. If you
select the Insert an X-Header in the message header if an approved sender
matches check box, you can take extra actions based on the message header
on your own MTA or mail server.
• The following X-Header is inserted in the message header once an
approved sender's envelope address matches:
X-TM-Approved-Sender: envelope-sender

• The following X-Header is inserted in the message header if an approved
sender's envelope address does not match but the message header
address matches:
X-TM-Approved-Sender: header-sender


Note
Unless specified otherwise, Trend Micro Email Security considers the envelope
address as the common sender address.
Regardless of your sender address settings, IP reputation-based filtering and
unknown sender domain check will always use Envelope addresses rather than
Message header addresses to match the approved or blocked sender list.
Unknown sender domain check refers to the check that verifies if the sender's
envelope address has a valid DNS A or MX record.
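
One way a downstream mail server could act on the X-TM-Approved-Sender header, shown as an added example (not Trend Micro code). It reads the header only when the connecting peer is inside the service's address ranges, using the North America, Latin America and Asia Pacific CIDR blocks from the firewall step of this guide. The function names, the returned action labels and the idea of screening header-sender matches locally are assumptions for illustration; the sample message is constructed.

```python
import ipaddress
from email import message_from_string

# CIDR blocks listed in this guide for North America, Latin America and
# Asia Pacific. Use the list for your own region.
TMES_CIDRS = (
    "18.208.22.64/26",
    "18.208.22.128/25",
    "18.188.9.192/26",
    "18.188.239.128/26",
)
HEADER = "X-TM-Approved-Sender"
KNOWN_VALUES = {"envelope-sender", "header-sender"}


def from_service(peer_ip, cidrs=TMES_CIDRS):
    """True when the SMTP peer address falls inside one of the CIDR blocks."""
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)


def approved_match(raw_message, peer_ip, cidrs=TMES_CIDRS):
    """Return 'envelope-sender', 'header-sender' or None.

    The header is ignored unless the message was handed over from the
    service's ranges, and unless it carries exactly one recognised value.
    """
    if not from_service(peer_ip, cidrs):
        return None
    msg = message_from_string(raw_message)
    values = {v.strip().lower() for v in msg.get_all(HEADER, [])}
    if len(values) != 1:
        return None  # header absent, or copies that disagree
    value = values.pop()
    return value if value in KNOWN_VALUES else None


def local_action(raw_message, peer_ip):
    """Hypothetical local policy keyed on which address matched.

    A header-sender match rests on the message header address alone, so this
    sketch keeps local spam screening on for it.
    """
    match = approved_match(raw_message, peer_ip)
    if match == "envelope-sender":
        return "deliver"
    if match == "header-sender":
        return "run-local-spam-checks"
    return "default-handling"


# Constructed sample message.
SAMPLE_MESSAGE = (
    "From: Billing <billing@partner.example>\r\n"
    "To: user@mydomain.example\r\n"
    "Subject: Invoice\r\n"
    "X-TM-Approved-Sender: header-sender\r\n"
    "\r\n"
    "Constructed body.\r\n"
)

if __name__ == "__main__":
    print(local_action(SAMPLE_MESSAGE, "18.208.22.70"))
    print(local_action(SAMPLE_MESSAGE, "203.0.113.5"))
```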

Configuring Approved and Blocked Sender Lists


Configure the Approved Senders and Blocked Senders lists to control which
email messages Trend Micro Email Security scans. Specify the senders to
allow or block using specific email addresses or entire domains.
For example, *@example.com specifies all senders from the example.com
domain.
Evaluation is done in the following order:
1. Blocked sender list of an end user's email address
2. Blocked sender list of managed domains or the entire organization
3. Approved sender list of an end user's email address
4. Approved sender list of managed domains or the entire organization

Note
Approved senders of an end user's email address will not override blocked
senders for the corresponding domain or organization. For example, assume
that *@example.com is in the blocked sender list of the administrator console,
and john@example.com is in the approved sender list of an end user. Messages
from john@example.com will still be blocked.
IP reputation-based filters use only IP address data to filter messages. You can
also use sender email address and domain to filter incoming messages.
Approved senders bypass IP reputation-based filtering at the MTA connection
level.


Lists of approved or blocked senders are managed using the following tabs
on the Inbound Protection > Connection Filtering > Sender Filter screen:

• Approved Senders

Trend Micro Email Security will not perform the following checks on
email messages from senders added to this list:

• IP reputation-based filtering

• Unknown sender domain check

• Spam

• BEC

• Phishing

• Social engineering attack

• Web reputation

• Graymail

Trend Micro Email Security still performs virus scanning and content
filtering on all messages received and takes the action configured in
policy rules once detecting any virus or content filtering violation.

• Blocked Senders

Trend Micro Email Security automatically blocks messages sent from
addresses or domains added to the blocked list without submitting the
messages to any scanning.

The Approved Senders and Blocked Senders tables display the following
information:

• Status: Specifies whether the senders added to a recipient are enabled

• Recipient: The recipient for which you approved or blocked the
specified sender. The options include the entire organization, a managed
domain, or a specific recipient address in a managed domain.


Note
To view the approved or blocked senders added to the Recipient, click the
recipient name.

• Modified: The date and time that you last modified the senders of the
recipient

Adding Senders
Trend Micro Email Security approves or blocks email messages from the
specified sender for the entire organization, a managed domain, or a specific
recipient address in your managed domains.

For example, after adding spammerbob@examplespamdomain.com to the
blocked list for your managed domain mydomain.com, Trend Micro Email
Security only blocks the email messages sent from
spammerbob@examplespamdomain.com to addresses in the mydomain.com
domain. Trend Micro Email Security still scans and possibly passes email
messages sent from spammerbob@examplespamdomain.com to your other
managed domains.

Procedure

1. Click the Approved Senders or Blocked Senders tab, and click Add.

2. On the Specify Target Recipient dialog box that appears, specify the
target recipient of the sender you want to add and click Next.

• My organization

• Managed domain

• Email address

3. In the Add Approved Senders dialog box, type a sender in the second
field. A sender can be a specific email address or all addresses from a
specific domain or subdomain.

• Filter a specific email address by typing that email address.

• Filter all addresses from a domain by using an asterisk (*) to the left
of the at sign (@) in the email address. For example, *@example.com
will filter all email addresses in the example.com domain.

• Filter all addresses from a subdomain by using an asterisk (*) to the
left of the at sign (@) and also using an asterisk (*) in place of the
subdomain in the email address. For example, *@*.example.com
will filter all email addresses in all subdomains of the example.com
domain.

The following table displays format examples that are valid or not valid:
Table 38. Format Examples for Approved Senders and Blocked Senders

| Valid | Not Valid |
|---|---|
| name@example.com | name@info.*.example.com |
| name@info.example.com | name@example.com.* |
| name@*.example.com | *name@info.example.com |
| name@* | *@* |
| *@example.com | |
| *@server.example.com | |
| *@*.example.com | |
4. Click Add.

Trend Micro Email Security validates the sender address and adds it to
the list.
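
The sender format rules from Table 38 and the evaluation order listed under Configuring Approved and Blocked Sender Lists, combined in one added example (not Trend Micro code). The validation rules are inferred from the valid and not-valid entries in the table, and the ORG key, the dictionary layout and the "scan" verdict for unmatched senders are assumptions made for this illustration.

```python
ORG = "@organization"  # hypothetical key for organization-wide lists


def parse_pattern(pattern):
    """Return (local, domain) for a well-formed sender entry, else None.

    Rules inferred from Table 38: the local part is "*" or contains no
    asterisk; the domain is "*", "*.<domain>" or a plain domain; "*@*" is
    rejected.
    """
    local, sep, domain = pattern.strip().lower().partition("@")
    if not sep or "@" in domain:
        return None
    if local != "*" and (not local or "*" in local or " " in local):
        return None
    if domain != "*":
        literal = domain[2:] if domain.startswith("*.") else domain
        labels = literal.split(".")
        if any(not lab or "*" in lab or " " in lab for lab in labels):
            return None
    if local == "*" and domain == "*":
        return None
    return local, domain


def matches(pattern, address):
    """True when address is covered by a valid sender entry."""
    parsed = parse_pattern(pattern)
    if parsed is None:
        raise ValueError(f"not a valid sender entry: {pattern!r}")
    p_local, p_domain = parsed
    local, _, domain = address.strip().lower().rpartition("@")
    if p_local != "*" and p_local != local:
        return False
    if p_domain == "*":
        return True
    if p_domain.startswith("*."):
        # Subdomains only: *@*.example.com does not cover user@example.com.
        return domain.endswith(p_domain[1:])
    return domain == p_domain


def evaluate(sender, recipient, blocked, approved):
    """Apply the four-step order from the page; return (verdict, scope).

    blocked/approved map a scope (recipient address, managed domain or ORG)
    to a list of sender entries.
    """
    rcpt = recipient.strip().lower()
    domain = rcpt.rpartition("@")[2]
    steps = (
        ("blocked", blocked, (rcpt,)),          # 1. end user's blocked list
        ("blocked", blocked, (domain, ORG)),    # 2. domain or organization
        ("approved", approved, (rcpt,)),        # 3. end user's approved list
        ("approved", approved, (domain, ORG)),  # 4. domain or organization
    )
    for verdict, table, scopes in steps:
        for scope in scopes:
            if any(matches(p, sender) for p in table.get(scope, ())):
                return verdict, scope
    return "scan", None  # no list matched; normal scanning applies


if __name__ == "__main__":
    # The note's example: an end user's approval does not override an
    # organization-level block.
    print(evaluate("john@example.com", "alice@mydomain.com",
                   blocked={ORG: ["*@example.com"]},
                   approved={"alice@mydomain.com": ["john@example.com"]}))
```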

Editing Senders

Procedure

1. On the Approved Senders or Blocked Senders tab, click the recipient
name for which you want to edit the senders.

2. Optionally type a sender address and click Search to search for specific
senders.

3. Click the email address of a sender.

The email address becomes editable, and buttons labeled Save or Cancel
appear.

4. Make and confirm your changes or corrections.

• Filter a specific email address by typing that email address.

• Filter all addresses from a domain by using an asterisk (*) to the left
of the at sign (@) in the email address. For example, *@example.com
will filter all email addresses in the example.com domain.

• Filter all addresses from a subdomain by using an asterisk (*) to the
left of the at sign (@) and also using an asterisk (*) in place of the
subdomain in the email address. For example, *@*.example.com
will filter all email addresses in all subdomains of the example.com
domain.

The following table displays format examples that are valid or not valid:
Table 39. Format Examples for Approved Senders and Blocked Senders

| Valid | Not Valid |
|---|---|
| name@example.com | name@info.*.example.com |
| name@info.example.com | name@example.com.* |
| name@*.example.com | *name@info.example.com |
| name@* | *@* |
| *@example.com | |
| *@server.example.com | |
| *@*.example.com | |


Importing Senders
Trend Micro Email Security allows you to import approved and blocked
senders in batches from a properly-formatted CSV file.

Procedure
1. Click the Approved Senders or Blocked Senders tab.
2. Display the import dialog box by using either of the following methods:
• To import senders and recipients in pairs, click Import on the tab.
• To import senders for a specific recipient, click a recipient name,
and click Import in the dialog box that appears.
3. From the import dialog box, click Choose File to locate the file to
import.
4. Select one of the following import options:
• Merge: append the sender email addresses or domains to the
existing list.
• Overwrite: replace the existing list with the sender email addresses
or domains in the file.
You can click Download sample file to view a sample of a properly
formatted file.
Trend Micro Email Security checks all the entries in the selected file to
identify any invalid, duplicate, conflicting, or excessive email addresses,
or email addresses from unmanaged domains.
5. Click Preview.
6. After you confirm all the entries to be imported, click Import.

Exporting Senders
Trend Micro Email Security allows you to export the existing approved and
blocked senders to the local storage.


Procedure

1. Click the Approved Senders or Blocked Senders tab.

2. Export senders by using either of the following methods:

• To export senders and recipients in pairs, select one or more
recipient records, and click Export.

• To export all senders of a specific recipient, click the recipient
name, and click Export All in the dialog box that appears.

The selected senders are exported to the local storage.

Transport Layer Security (TLS) Peers


Transport Layer Security (TLS) is a protocol that helps to secure data and
ensure communication privacy between endpoints. Trend Micro Email
Security allows you to configure TLS encryption policies between Trend
Micro Email Security and specified TLS peers. Trend Micro Email Security
supports the following TLS protocols in descending order of priority: TLS
1.3, TLS 1.2, TLS 1.1 and TLS 1.0.

To protect against man-in-the-middle attacks on TLS connections, DNS-based
Authentication of Named Entities (DANE) is introduced to bind X.509
digital certificates, commonly used for TLS, to domain names using Domain
Name System Security Extensions (DNSSEC). With the authentication
inherent in DNSSEC, DANE enables a domain administrator to affirm TLS
credentials to mitigate certificate authority (CA) vulnerabilities and
breaches.

Trend Micro Email Security allows you to use DANE authentication between
Trend Micro Email Security and specified TLS peers during outbound mail
delivery.

The Transport Layer Security (TLS) Peers screen uses the following
important terms:

Managed Domain list

Status (Managed Domain):
• Enabled: Domain is enabled
• Disabled: Domain is disabled

Default (for unspecified domains): This configuration applies to all
domains that are not in the managed domain list

Domain TLS Peers list

Status (TLS Peer):
• Enabled: Trend Micro Email Security applies your specified TLS
configuration to the peer
• Disabled: Trend Micro Email Security does not apply your specified TLS
configuration to the peer. Instead, the “Default (for unspecified peers)”
TLS configuration applies.

TLS peer: Trend Micro Email Security can apply your specified TLS
configuration with this peer during network communications.

Security level:
• Opportunistic TLS:
  • Communicates using encryption if the peer supports and elects to
    use TLS
  • Communicates without encryption if the peer does not support TLS
  • Communicates without encryption if the peer supports TLS but elects
    not to use TLS
• Mandatory TLS:
  • Communicates using encryption if the peer supports and elects to
    use TLS
  • Does not communicate if the peer does not support TLS
  • Does not communicate if the peer supports TLS but elects not to
    use TLS
• Opportunistic DANE TLS (Outbound protection only)
  • When remote SMTP server has usable DANE TLSA record(s):
    • Communicates using encryption if the peer DANE authentication
      succeeds
    • Does not communicate if the peer does not pass DANE authentication
  • When all TLSA record(s) are unusable due to unsupported parameters
    or malformed data: Downgrades to Mandatory TLS
  • In other cases: Downgrades to Opportunistic TLS
• Mandatory DANE TLS (Outbound protection only)
  • Communicates using encryption if the peer DANE authentication
    succeeds
  • Does not communicate if the peer does not pass DANE authentication

Default (for unspecified peers): This configuration applies to all peers
that meet any of the following criteria:
• Peer is not in the peer list
• Peer is in the peer list, but is not enabled
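
The security levels and the "Default (for unspecified peers)" fallback described above can be modelled as a small decision function. This is an added example, not code from the guide or the product; the names Level, Tlsa, PeerEntry, effective_level and outcome are hypothetical, and "peer_uses_tls" stands for "the peer supports and elects to use TLS".

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    OPPORTUNISTIC_TLS = "Opportunistic TLS"
    MANDATORY_TLS = "Mandatory TLS"
    OPPORTUNISTIC_DANE_TLS = "Opportunistic DANE TLS"
    MANDATORY_DANE_TLS = "Mandatory DANE TLS"


class Tlsa(Enum):
    USABLE = "usable"      # the remote SMTP server has usable TLSA record(s)
    UNUSABLE = "unusable"  # all records unsupported or malformed
    OTHER = "other"        # every other case, for example no TLSA records


@dataclass
class PeerEntry:
    level: Level
    enabled: bool


def effective_level(peer_list, default_level, peer):
    """Pick the configured level, or the default for unspecified peers."""
    entry = peer_list.get(peer)
    if entry is None or not entry.enabled:
        return default_level  # not in the list, or listed but not enabled
    return entry.level


def outcome(level, *, peer_uses_tls, tlsa=Tlsa.OTHER, dane_ok=False,
            outbound=True):
    """Return 'encrypted', 'plaintext' or 'not delivered' for one connection."""
    dane_levels = (Level.OPPORTUNISTIC_DANE_TLS, Level.MANDATORY_DANE_TLS)
    if level in dane_levels and not outbound:
        raise ValueError("DANE security levels apply to outbound delivery only")

    # Opportunistic DANE TLS downgrades when no usable TLSA record exists.
    if level is Level.OPPORTUNISTIC_DANE_TLS:
        if tlsa is Tlsa.UNUSABLE:
            level = Level.MANDATORY_TLS
        elif tlsa is Tlsa.OTHER:
            level = Level.OPPORTUNISTIC_TLS

    if level in dane_levels:
        # DANE authentication can only succeed over TLS with a usable record.
        passed = peer_uses_tls and tlsa is Tlsa.USABLE and dane_ok
        return "encrypted" if passed else "not delivered"
    if peer_uses_tls:
        return "encrypted"
    return "not delivered" if level is Level.MANDATORY_TLS else "plaintext"


if __name__ == "__main__":
    # Constructed peer list: one enabled peer, one disabled peer.
    peers = {
        "partner.example": PeerEntry(Level.MANDATORY_DANE_TLS, enabled=True),
        "legacy.example": PeerEntry(Level.MANDATORY_TLS, enabled=False),
    }
    for name in ("partner.example", "legacy.example", "unknown.example"):
        level = effective_level(peers, Level.OPPORTUNISTIC_TLS, name)
        print(name, level.value, outcome(level, peer_uses_tls=False))
```

Under Opportunistic DANE TLS a peer with no TLSA records can still receive mail in plaintext, while a peer whose TLSA records are all malformed cannot.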

Adding Domain TLS Peers

Procedure
1. Go to Inbound Protection > Connection Filtering > Transport Layer
Security (TLS) Peers or Outbound Protection > Transport Layer
Security (TLS) Peers.
2. Click Add.
3. On the Add Domain TLS Peers screen, configure TLS peers for a
managed domain.
a. In the Basic Information section, select a managed domain.
b. In the Domain TLS Peers section, click Add to add a TLS peer for
the selected domain.
c. For inbound protection, specify a sender domain, IP address, or
CIDR block as TLS Peer. For outbound protection, specify a
recipient domain as TLS Peer.
d. Set the Security level.
Note that the security levels Opportunistic DANE TLS and
Mandatory DANE TLS are available only for outbound delivery.


Important
To ensure messages can be received from the Trend Micro Email
Security MTA, configure your firewall to accept email messages from
the following Trend Micro Email Security IP address / CIDR blocks:
• North America, Latin America and Asia Pacific:
18.208.22.64/26

18.208.22.128/25

18.188.9.192/26

18.188.239.128/26

• Europe, the Middle East and Africa:


18.185.115.0/25

18.185.115.128/26

34.253.238.128/26

34.253.238.192/26

• Australia and New Zealand:


13.238.202.0/25

13.238.202.128/26

• Japan:
18.176.203.128/26

18.176.203.192/26

18.177.156.0/26

18.177.156.64/26

• Singapore:
13.213.174.128/25

13.213.220.0/26

• India:
3.110.59.128/25

3.110.71.192/26

e. Select Enabled to have Trend Micro Email Security apply your
specified TLS security level to the new peer.

f. (Optional) For inbound protection, type an email address local part
for TLS test. For outbound protection, type a domain name for
DANE test if you set Security level to Opportunistic DANE TLS or
Mandatory DANE TLS in substep d.

4. Click Save.

5. Click Submit.

Editing Domain TLS Peers

Procedure

1. Go to Inbound Protection > Connection Filtering > Transport Layer
Security (TLS) Peers or Outbound Protection > Transport Layer
Security (TLS) Peers.

2. Click the name of a managed domain.

3. Find the TLS peer that you want to edit, and click the peer name.

4. Edit the peer information as required.

5. Click Save.

Understanding IP Reputation
Trend Micro Email Security offers two tiers of protection. Connection-based
filtering at the MTA connection level, including IP reputation-based filtering
provided by Trend Micro Email Reputation Services (ERS), is the first tier.
The second is content-based filtering at the message level.


Tip
IP reputation-based filters use only IP address data to filter messages. You can
also use sender email address and domain to filter incoming messages.
Approved senders bypass IP reputation-based filtering at the MTA connection
level.
See IP Reputation Order of Evaluation on page 98.

Trend Micro Email Security makes use of Trend Micro Email Reputation
Services (ERS) Standard Service and Advanced Service. Email Reputation
Services use a standard IP reputation database and an advanced, dynamic IP
reputation database (a database updated in real time). These databases have
distinct entries, allowing Trend Micro to maintain a very efficient and
effective system that can quickly respond to new sources of spam.
Configure the following settings on the Settings tab of the IP Reputation
screen:
• Quick IP List, which is also known as dynamic IP reputation settings,
controls how Trend Micro Email Security uses the dynamic IP
reputation database from Email Reputation Services Advanced Service.
• Standard IP Reputation Settings control how Trend Micro Email
Security uses the standard IP reputation database from Email
Reputation Services Standard Service.
The other tabs of the IP Reputation screen are as follows:
• Approved IP Address
• Blocked IP Address
• Approved Country/Region
• Blocked Country/Region

About Quick IP List


Trend Micro Email Security makes use of Trend Micro Email Reputation
Services (ERS) Standard Service and Advanced Service.


Quick IP List uses Trend Micro Email Reputation Services Advanced Service,
a real-time antispam solution. The Trend Micro network of automated expert
systems, along with Trend Micro spam experts, continuously monitor
network and traffic patterns and immediately update the dynamic IP
reputation database as new spam sources emerge, often within minutes. As
evidence of spam activity increases or decreases, the dynamic IP reputation
database is updated accordingly.

The dynamic IP reputation database includes the following blocking levels:

• Level 0: Off

Queries the dynamic reputation database but does not block any IP
addresses.

• Level 1: Least aggressive

Trend Micro Email Security allows the same amount of spam from a
sender with a good rating as in Level 2. The length of time that the IP
address stays in the database is generally shorter than for more
aggressive settings.

• Level 2: (the default setting)

Trend Micro Email Security allows a larger volume of spam from a
sender with a good rating than more aggressive settings. However, if an
increase in spam above the allowable threshold is detected, it adds the
sender to the dynamic reputation database. The length of time that the
IP address stays in the database is generally shorter than for more
aggressive settings.

• Level 3:

Trend Micro Email Security allows a small volume of spam from senders
with a good rating. However, if an increase in spam beyond the
allowable threshold is detected, it adds the sender to the dynamic
reputation database. The length of time that the IP address stays in the
database depends on whether additional spam from the sender is
detected.

• Level 4: Most aggressive

If even a single spam message from a sender IP address is detected,
Email Reputation Services adds the sender to the dynamic reputation
database and Trend Micro Email Security blocks all messages from the
sender. The length of time that the IP address stays in the database
depends on whether additional spam from the sender is detected.

If legitimate email is being blocked, select a less aggressive setting. If too
much spam is reaching your network, select a more aggressive setting.
However, this setting might increase false positives by blocking connections
from legitimate email senders.

Note
To avoid false positives from a trusted partner company, go to Inbound
Protection > Connection Filtering > IP Reputation, and add the IP address for
their MTA to the Approved IP Address list.

The IP addresses in the approved lists bypass other IP reputation-based
filtering. This list is useful for ensuring all messages from a partner company
or other MTA are allowed, no matter their status with the standard IP
reputation databases or with the Trend Micro Email Reputation Services (ERS)
dynamic IP reputation database. When using the IP reputation approved lists,
you may experience lower overall spam catch rates.

About Standard IP Reputation Settings


Trend Micro Email Security makes use of Trend Micro Email Reputation
Services (ERS) Standard Service and Advanced Service.

Standard IP Reputation Settings use Trend Micro Email Reputation Services
Standard Service, which helps block spam by validating requested IP
addresses against the Trend Micro standard IP reputation database, powered
by the Trend Micro Threat Prevention Network. This ever-expanding
database currently contains over a billion IP addresses with reputation
ratings based on spamming activity. Trend Micro spam investigators
continuously review and update these ratings to ensure accuracy.

Trend Micro Email Security makes a query to the standard IP reputation
database server whenever it receives an email message from an unknown
host. If the host is listed in the standard IP reputation database, that message
is reported as spam.
You can choose which lists to enable from the standard IP reputation
database. By default, all lists are enabled. The default setting is the most
effective for reducing spam levels, and it meets the needs of most customers.

Note
If you disable some portions of the standard IP reputation database, you may
see an increase in the amount of spam messages that reach your internal mail
server for additional content filtering.

The standard IP reputation database includes the following lists:


• Known Spam Source List: The Known Spam Source List (KSSL) is a list
of IP addresses of mail servers that are known to be sources of spam.
• Dynamic User List: The Dynamic User List (DUL) is a list of dynamically
assigned IP addresses, or those with an acceptable use policy that
prohibits public mail servers. Most entries are maintained in
cooperation with the ISP owning the network space. IP addresses in this
list should not be sending email directly but should be using the mail
servers of their ISP.
• Emerging Threat List: The Emerging Threat List (ETL) is a list of IP
addresses identified as involved in active ransomware, malware, or other
email threat campaigns.

Note
To avoid false positives from a trusted partner company, go to Inbound
Protection > Connection Filtering > IP Reputation, and add the IP address for
their MTA to the Approved IP Address list.

About Approved and Blocked IP Addresses


To manually override IP reputation-based filtering at the MTA connection
level:

• Configure the Approved IP Address list
• Configure the Blocked IP Address list
• Configure the Approved Country/Region list
• Configure the Blocked Country/Region list

Tip
The Approved IP Address and Blocked IP Address lists support both IP
addresses and Classless Inter-Domain Routing (CIDR) blocks.
To add a CIDR block to the list, type the IPv4 address / CIDR block. The
following is the only valid format: x.x.x.x/z

These lists override the Quick IP List and Standard IP Reputation Settings
and allow for customization of which addresses are subjected to IP
reputation-based filtering.
The IP addresses in the approved lists bypass other IP reputation-based
filtering as well as reverse DNS validation. This list is useful for ensuring all
messages from a partner company or other MTA are allowed, no matter their
status with the standard IP reputation databases or with the Trend Micro
Email Reputation Services (ERS) dynamic IP reputation database. When
using the IP reputation approved lists, you may experience lower overall
spam catch rates.
The IP addresses in the blocked lists are not subject to other IP
reputation-based filtering. Trend Micro Email Security permanently rejects
connection attempts from such IP addresses by responding with a 550 error
(a rejection of the requested connection).

IP Reputation Order of Evaluation


Message sender IP addresses go through IP reputation-based filtering. IP
addresses are evaluated until the first match is found.
Messages from approved sender IP addresses bypass IP reputation-based
filtering at the MTA connection level. Messages from blocked sender IP
addresses are blocked.

Evaluation is done in the following order:
1. IP addresses
a. In the Approved IP Address list
b. In the Blocked IP Address list
2. Countries/regions
a. In the Approved Country/Region list
b. In the Blocked Country/Region list
3. The Emerging Threat List (ETL) in the IP Reputation settings
4. The Known Spam Source (KSS) in the IP Reputation settings
5. The Dynamic User List (DUL) in the IP Reputation settings
6. The Quick IP List (QIL) in the IP Reputation settings
An IP address added to the Approved IP Address list will not be blocked even
if that IP address is also in a CIDR block listed in the Blocked IP Address list.
Furthermore, that IP address will not be blocked even if it is also in the
Known Spam Source standard IP reputation database list.

Important
IP reputation-based filters use only IP address data to filter messages. You can
also use sender email address and domain to filter incoming messages.
Approved senders bypass IP reputation-based filtering at the MTA connection
level.
See Managing Sender Filter on page 79.
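
The first-match order above can be exercised offline with the added sketch below, which is not the product's code. The reputation lists are Trend Micro services, so constructed local stand-ins are used; the function name, dictionary keys, country codes and sample addresses are assumptions.

```python
import ipaddress

# Constructed stand-ins for the reputation lists (documentation address ranges).
SAMPLE_FEEDS = {
    "ETL": ["198.51.100.0/28"],
    "KSSL": ["203.0.113.25", "198.51.100.64/26"],
    "DUL": ["192.0.2.128/25"],
    "QIL": ["192.0.2.77"],
}

# Constructed administrator settings.
SAMPLE_CONFIG = {
    "approved_ips": ["203.0.113.25"],
    "blocked_ips": ["203.0.113.0/24"],   # x.x.x.x/z CIDR block
    "approved_countries": {"CA"},
    "blocked_countries": {"ZZ"},          # placeholder country code
    "enabled_standard_lists": {"ETL", "KSSL", "DUL"},
    "qil_level": 2,                       # Level 0 queries but never blocks
}


def _listed(ip, entries):
    """True if ip equals an address or falls inside a CIDR block in entries."""
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def evaluate(ip_text, country, config=SAMPLE_CONFIG, feeds=SAMPLE_FEEDS):
    """Return (verdict, matched_list); evaluation stops at the first match."""
    ip = ipaddress.ip_address(ip_text)
    std = config["enabled_standard_lists"]
    checks = [
        ("Approved IP Address", "bypass",
         _listed(ip, config["approved_ips"])),
        ("Blocked IP Address", "block",
         _listed(ip, config["blocked_ips"])),
        ("Approved Country/Region", "bypass",
         country in config["approved_countries"]),
        ("Blocked Country/Region", "block",
         country in config["blocked_countries"]),
        ("Emerging Threat List (ETL)", "block",
         "ETL" in std and _listed(ip, feeds["ETL"])),
        ("Known Spam Source List (KSSL)", "block",
         "KSSL" in std and _listed(ip, feeds["KSSL"])),
        ("Dynamic User List (DUL)", "block",
         "DUL" in std and _listed(ip, feeds["DUL"])),
        ("Quick IP List (QIL)", "block",
         config["qil_level"] > 0 and _listed(ip, feeds["QIL"])),
    ]
    for name, verdict, hit in checks:
        if hit:
            return verdict, name
    return "continue", "no match"  # goes on to content-based filtering


if __name__ == "__main__":
    for ip, country in [("203.0.113.25", "ZZ"), ("203.0.113.26", "CA"),
                        ("198.51.100.70", "US"), ("192.0.2.77", "US")]:
        print(ip, country, evaluate(ip, country))
```

The first sample address is approved even though it sits inside a blocked CIDR block, a blocked country and the stand-in KSSL, which is the override described above and the reason approved entries should be kept as narrow as possible.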

Troubleshooting Issues
If you encounter unexpected errors while trying to save your settings on the
IP Reputation screen, you may be able to resolve the issue on your own.
Consult the following table for guidance on resolving the problem before
contacting technical support.

Table 40. IP Reputation Settings: Issues and Solutions

| Issue | Possible Cause | Possible Solution |
|---|---|---|
| The Save button is disabled. | You do not have a valid Activation Code. | Obtain a valid Activation Code from your vendor. |
| | You have applied for an Activation Code, but it has not yet been added to the Trend Micro Email Security system. | Try again later. |
| | A temporary network issue is preventing Trend Micro Email Security from validating the Activation Code. | Try again later. |
| I cannot save my IP Reputation settings. | There is a temporary network issue. | Try again later. Log off, log on, and try again. |
| | There is more than one browser window open to the Trend Micro Email Security administrator console, and the session in one of the other windows has expired. | Close the other windows and try again. Log off, log on, and try again. |

Managing Reverse DNS Validation


Trend Micro Email Security adds a layer of protection by validating the
reverse DNS (rDNS) records for inbound email messages.
With the reverse DNS validation feature, an administrator can configure the
following:
• Validation settings: whether to reject an email message when the
corresponding PTR record is missing or invalid
• Block list: a list of PTR domains for message blocking
During the SMTP connection setup stage, Trend Micro Email Security uses
the email sending IP address to perform rDNS lookup. If the query result
matches the criteria in any rDNS validation settings or the PTR domain block
list, Trend Micro Email Security rejects the email message before the
message body is sent over.

Note
If the IP address sending an email message matches the Approved IP address
list of IP reputation, the email message bypasses reverse DNS validation.

Configuring Reverse DNS Validation Settings


Trend Micro Email Security allows you to configure rules for reverse DNS
validation based on the sender domain, namely the domain in the envelope
address of the email sender.
For each rule, Trend Micro Email Security supports two levels of reverse DNS
validation:
• Whether there is a PTR record for the email sending IP address
• If a PTR record exists, whether the PTR record for the email sending IP
address has a matching Address record (A record)
If the sender domain of an incoming message meets multiple rules, Trend
Micro Email Security uses the most matched rule. For example, if you have
configured the following three rules:
• Rule 1 for subdomain.example.com
• Rule 2 for *.example.com
• Rule 3 for *.subdomain.example.com
The match results for different incoming sender domains are as follows:

| Incoming Sender Domain | Matched Rule |
|---|---|
| subdomain.example.com | Rule 1 |
| a.example.com | Rule 2 |
| a.subdomain.example.com | Rule 3 |
| a.b.com | Default rule |

Adding Reverse DNS Validation Settings


Trend Micro Email Security allows you to add reverse DNS validation for
sender domains.

Procedure
1. Go to Inbound Protection > Connection Filtering > Reverse DNS
Validation.
2. Click the Settings tab, and click Add to configure reverse DNS validation
rules for sender domains.
Two rules are pre-configured:
• Default (for unspecified domains): applies to all sender domains,
except those for which you have configured a new reverse DNS
validation rule.
• Empty sender: applies to email messages with no envelope address
specified.
3. On the Add Reverse DNS Validation Settings screen, specify a sender
domain in one of the following formats:
• example.com
• subdomain.example.com
• *.example.com
This format matches all the subdomains under the example.com
domain, for example, a.example.com, a.b.example.com.
4. Select Reject for missing PTR and/or Reject for invalid PTR.
• Reject for missing PTR: Reject a message when its sending IP
address has no PTR record.

• Reject for invalid PTR: Reject a message when its sending IP
address has a PTR record, but for the PTR record, there is no
mapping A record, or the IP address in the A record does not match
the sending IP address.

5. Click Save.

The reverse DNS validation rule appears in the list on the Settings tab.

What to do next

To remove a rule, select a rule and click Delete. You can also select the
checkbox in the table heading row to select all rules except the default rule
and Empty sender rule, which you cannot delete.
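
The added example below (not the product's implementation) combines the "most matched rule" selection from Configuring Reverse DNS Validation Settings with the missing and invalid PTR checks from step 4. "Most matched" is assumed to mean an exact domain first, then the longest wildcard suffix; the DNS answers and rule settings are constructed, and all function names are hypothetical.

```python
DEFAULT_RULE = "Default (for unspecified domains)"
EMPTY_SENDER_RULE = "Empty sender"

# Constructed rule set: the two pre-configured rules plus Rules 1 to 3.
SAMPLE_RULES = {
    DEFAULT_RULE: {"reject_missing_ptr": False, "reject_invalid_ptr": False},
    EMPTY_SENDER_RULE: {"reject_missing_ptr": True, "reject_invalid_ptr": True},
    "subdomain.example.com": {"reject_missing_ptr": True, "reject_invalid_ptr": False},
    "*.example.com": {"reject_missing_ptr": True, "reject_invalid_ptr": True},
    "*.subdomain.example.com": {"reject_missing_ptr": False, "reject_invalid_ptr": True},
}

# Constructed DNS data standing in for live PTR and A lookups.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.a.example.com."],
    "192.0.2.20": ["host.example.net."],
}
SAMPLE_A = {
    "mail.a.example.com": ["192.0.2.10"],
    "host.example.net": ["198.51.100.9"],  # does not map back to 192.0.2.20
}


def select_rule(sender_domain, rules):
    """Exact domain wins, then the longest wildcard suffix, then the default."""
    domain = sender_domain.lower().rstrip(".")
    if not domain:
        return EMPTY_SENDER_RULE
    if domain in rules:
        return domain
    best = None
    for pattern in rules:
        # "*.example.com" matches a.example.com but not example.com itself.
        if pattern.startswith("*.") and domain.endswith(pattern[1:]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return best or DEFAULT_RULE


def check_ptr(ip, ptr_records, a_records):
    """Return 'missing', 'invalid' or 'valid' for the sending IP address."""
    names = ptr_records.get(ip, [])
    if not names:
        return "missing"
    for name in names:
        if ip in a_records.get(name.rstrip(".").lower(), []):
            return "valid"  # PTR name has an A record pointing back to ip
    return "invalid"


def rdns_decision(ip, envelope_from, rules=SAMPLE_RULES, ptr_records=SAMPLE_PTR,
                  a_records=SAMPLE_A, approved_ips=()):
    """Return (action, rule_name, ptr_status) at SMTP connection setup."""
    if ip in approved_ips:
        # Approved IP addresses bypass reverse DNS validation.
        return "accept", None, "not checked"
    rule_name = select_rule(envelope_from.rpartition("@")[2], rules)
    rule = rules[rule_name]
    status = check_ptr(ip, ptr_records, a_records)
    if status == "missing" and rule["reject_missing_ptr"]:
        return "reject", rule_name, status
    if status == "invalid" and rule["reject_invalid_ptr"]:
        return "reject", rule_name, status
    return "accept", rule_name, status


if __name__ == "__main__":
    print(rdns_decision("192.0.2.10", "user@a.example.com"))
    print(rdns_decision("192.0.2.20", "user@a.subdomain.example.com"))
    print(rdns_decision("192.0.2.30", ""))
```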

Editing Reverse DNS Validation Settings

Procedure

1. Go to Inbound Protection > Connection Filtering > Reverse DNS
Validation.

2. Click the Settings tab.

3. From the list of reverse DNS validation domains, click a sender domain
that you want to edit.

4. Modify the reverse DNS validation settings as required.

Note
For details about the settings, see Adding Reverse DNS Validation Settings on
page 102.

5. Click Save.


Configuring the Blocked PTR Domain List


When the domain in the PTR record of a sending IP address matches the
blocked PTR domain list, Trend Micro Email Security rejects email messages
from this IP address.

Adding PTR Domains

Procedure

1. Go to Inbound Protection > Connection Filtering > Reverse DNS
Validation.

2. Click the Blocked PTR Domains tab and click Add.

3. On the Add Blocked PTR Domain screen, configure information about
the PTR domain from which you want to block messages.

a. Specify a domain name in one of the following formats:

• example.com

• subdomain.example.com

• *.example.com

This format matches all the subdomains under the
example.com domain, for example, a.example.com,
a.b.example.com.

b. Type a description for the domain.

c. In the Exception(s) section, specify exceptions to the blocked PTR
domain and click Add.

The domains in the exception list must be subdomains of the
blocked PTR domain. Trend Micro Email Security does not block
messages from these subdomains.

To delete an exception, select the exception item and click Delete.

d. Click Save.

The blocked PTR domain appears in the blocked PTR domain list.

What to do next

To remove a blocked PTR domain, select a PTR domain and click Delete. You
can also select the checkbox in the table heading row to select all rules.

Editing PTR Domains

Procedure

1. Go to Inbound Protection > Connection Filtering > Reverse DNS
Validation.

2. Click the Blocked PTR Domains tab.

3. From the list of PTR domains, click a PTR domain that you want to edit.

You can type the PTR domain name in the search box to find a PTR
domain.

4. Modify the PTR domain settings as required.

Note
For details about the settings, see Adding PTR Domains on page 104.

5. Click Save.

Domain-based Authentication
Trend Micro Email Security provides authentication methods such as Sender
IP Match, Sender Policy Framework (SPF), DomainKeys Identified Mail
(DKIM) verification, and Domain-based Message Authentication, Reporting
& Conformance (DMARC) to protect against email spoofing.


If all these methods are enabled, Trend Micro Email Security evaluates email
messages in the following order:

1. Sender IP Match

2. SPF check

3. DKIM verification

4. DMARC authentication

Trend Micro Email Security keeps evaluating and scanning an email message
in the preceding order until encountering an “Intercept” action. If an email
message passes the Sender IP Match check, Trend Micro Email Security
skips its own SPF check as well as the SPF check of DMARC authentication
for this message.

Note
For details about intercept actions, see “Intercept” Actions on page 209.

Sender IP Match
Trend Micro Email Security allows you to specify an IP address or a range of
addresses for a sender domain, as identified by the message header address,
so that email messages from that domain are allowed only from those
addresses. By manually defining the allowed IP ranges, Sender IP Match lets
you allow all inbound email traffic from a particular domain while
preventing spoofing of that domain.

If an email message passes the Sender IP Match check, Trend Micro Email
Security skips its own SPF check as well as the SPF check of DMARC
authentication for this message.

Adding Sender IP Match Settings

To prevent sender forgery, you can specify a sender domain within the
message header address and the allowed IP addresses for the domain.


Note
Trend Micro Email Security provides a built-in default rule that has the lowest
priority to ensure you receive a baseline level of protection. The default rule
cannot be deleted.
You can create only one single rule for each “Managed Domain”. The default
rule will be applied if no other rules are matched based on the “Managed
Domain”.

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Sender IP
Match.
2. Click Add.
The Add Sender IP Match Settings screen appears.
3. Select a specific recipient domain from the Managed domain drop-
down list.
4. Select Enable Sender IP Match.
5. Under Sender Domain-IP Pairs, add one or multiple domain-IP pairs.
a. Specify a sender domain using one of the following formats:
• example.com
• subdomain.example.com
• *.example.com
b. Specify one or multiple IP addresses or IP/CIDR blocks to pair with
the domain.
c. Click Add.
6. Under Intercept, specify the action to take if the sender IP address does
not match the sender domain as you specified.
• Delete entire message
• Quarantine
7. Under Notify, choose to send notifications and select at least one
notification template.
8. Click Add.

Editing Sender IP Match Settings

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Sender IP
Match.
2. From the list of Sender IP Match rules, click a managed domain to edit
its settings.
3. Modify the Sender IP Match settings as required.

Note
For details about the settings, see Adding Sender IP Match Settings on page
106.

4. Click Save.

Sender Policy Framework (SPF)


Sender Policy Framework (SPF) is an open standard to prevent sender
address forgery. SPF protects the envelope address of a sender, which is
used for the delivery of email messages. Trend Micro Email Security allows
you to verify the sender's authenticity using SPF settings.
SPF requires the owner of a domain to publish the email sending policy (for
example, which email servers are used to send email messages from that
domain) in an SPF record in the Domain Name System (DNS).
When Trend Micro Email Security receives an email message claiming to
come from that domain, Trend Micro Email Security checks the SPF record
to verify whether the email message complies with the domain's stated
policy. For example, if the message comes from an unknown server, the
email message can be considered as fake.
Evaluation of an SPF record can return any of the following results.

| Result | Explanation | Default Action |
|---|---|---|
| Pass | The SPF record designates the host to be allowed to send. | Accept (reserved) |
| Fail | The SPF record has designated the host as not being allowed to send. | Delete (customizable) |
| SoftFail | The SPF record has designated the host as not being allowed to send but is in transition. | Accept (customizable) |
| Neutral | The SPF record specifies explicitly that nothing can be said about validity. | Accept (customizable) |
| None | The domain does not have an SPF record or the SPF record does not evaluate to a result. | Accept (customizable) |
| PermError | A permanent error has occurred (for example, badly formatted SPF record). | Accept (customizable) |
| TempError | A transient error has occurred. | Accept (customizable) |

Note
By default, if an email message gets a "Pass" result, Trend Micro Email Security
will bypass the SPF check and skip the remaining SPF settings for the message.
Trend Micro Email Security will then continue scanning the message according
to policy rules.
If an email message passes the Sender IP Match check, the message is also
considered as passing its own SPF check.


Adding SPF Settings


Trend Micro Email Security allows you to add SPF settings to validate that
an inbound message comes from the authorized IP address stated in the DNS
record for the sender domain within the envelope address.

Note
Trend Micro Email Security provides a built-in default rule that has the lowest
priority to ensure you receive a baseline level of protection. The default rule
cannot be deleted.
You can create only one single rule for each “Managed Domain”. The default
rule will be applied if no other rules are matched based on the “Managed
Domain”.

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Sender
Policy Framework (SPF).
2. Click Add.
The Add SPF Settings screen appears.
3. Select a specific recipient domain from the Managed domain drop-
down list.
4. Select Enable SPF to enable SPF check in Trend Micro Email Security.
5. Optionally select Insert an X-Header into email messages to add the
SPF check result into the email message's X-Header.
Trend Micro Email Security adds text similar to the following to the
email message in an X-Header named X-TM-Received-SPF:

| Status | X-Header |
|---|---|
| Pass | X-TM-Received-SPF: Pass (domain of example_address@example.com designates 10.64.72.206 as permitted sender) client-ip=10.64.72.206; envelope-from=example_address@example.com; helo=mailserver.example.com |
| Fail | X-TM-Received-SPF: Fail (domain of example_address@example.com does not designates 10.64.72.206 as permitted sender) client-ip=10.64.72.206; envelope-from=example_address@example.com; helo=mailserver.example.com |
| SoftFail | X-TM-Received-SPF: SoftFail (domain of transitioning example_address@example.com discourages use of 10.64.72.206 as permitted sender) client-ip=10.64.72.206; envelope-from=example_address@example.com; helo=mailserver.example.com |
| Neutral | X-TM-Received-SPF: Neutral (10.64.72.206 is neither permitted nor denied by domain of example_address@example.com) client-ip=10.64.72.206; envelope-from=example_address@example.com; helo=mailserver.example.com |
| None | X-TM-Received-SPF: None (domain of example_address@example.com does not designate permitted sender hosts) client-ip=10.64.72.206; envelope-from=example_address@example.com; helo=mailserver.example.com |
| PermError | X-TM-Received-SPF: PermError (domain of example_address@example.com uses mechanism not recognized by this client) client-ip=10.64.72.206; envelope-from=example_address@example.com; helo=mailserver.example.com |
| TempError | X-TM-Received-SPF: TempError (error in processing during lookup of example_address@example.com) client-ip=10.64.72.206; envelope-from=example_address@example.com; helo=mailserver.example.com |

Note
If the value of envelope-from is blank, the value of helo will be used
instead for the SPF check.

6. Under Actions, specify the action to take based on the SPF check result
and select whether to tag the subject or send a notification for the
message that fails SPF check.

7. Under Tag and Notify, customize the tag and select Do not tag digitally
signed messages if necessary.

Note
The Tag subject action may destroy the existing DKIM signatures in email
messages, leading to a DKIM verification failure by the downstream mail
server. To prevent tags from breaking digital signatures, select Do not tag
digitally signed messages.

8. Under Ignored Peers, do any of the following:

• To add ignored peers to skip SPF check for a specific sender, specify
the sender's domain name, IP address or CIDR block in the text box
and click Add.


Note
Trend Micro Email Security will not implement SPF check for email
messages from the specific domain, IP address or CIDR block. The
email messages will continue to the next step in the regular delivery
process.
However, this does not mean the email messages have passed SPF
check. They will fail subsequent DMARC authentication if they do not
actually meet specific criteria of the SPF standard.

• To search for existing ignored peers, type a keyword and click Search.
• To import ignored peers from a CSV file, click Import.
The following import options are available:
• Merge: append the ignored peers to the existing list.
• Overwrite: replace the existing list with the ignored peers in
the file.
• To export all ignored peers to a CSV file, click Export.
9. Click Add to finish adding the SPF settings.

Note
All the settings you added take effect only when you click Add.
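
The X-TM-Received-SPF header inserted in step 5 can be read by downstream tooling such as a mail-flow report or a SIEM rule. The following is an added example, not Trend Micro code: it parses the value layout shown in the table above and applies the envelope-from/helo fallback from the note. The function names, the constructed sample message and the choice to ignore a message carrying more than one copy of the header are assumptions of this example.

```python
import re
from dataclasses import dataclass
from email import message_from_string

HEADER_NAME = "X-TM-Received-SPF"
# Status values listed in the table above, keyed by their lowercase form.
STATUSES = {s.lower(): s for s in
            ("Pass", "Fail", "SoftFail", "Neutral", "None", "PermError", "TempError")}
# Layout of the sample values: <Status> (<comment>) key=value; key=value; ...
_VALUE_RE = re.compile(r"^(?P<status>\w+)\s*\((?P<comment>[^)]*)\)\s*(?P<params>.*)$")

# Constructed sample message with a folded header, for demonstration only.
SAMPLE_MESSAGE = (
    "X-TM-Received-SPF: SoftFail (domain of transitioning\n"
    " example_address@example.com discourages use of 10.64.72.206 as\n"
    " permitted sender) client-ip=10.64.72.206;\n"
    " envelope-from=example_address@example.com;\n"
    " helo=mailserver.example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


@dataclass
class SpfVerdict:
    status: str
    comment: str
    client_ip: str
    envelope_from: str
    helo: str

    @property
    def checked_identity(self) -> str:
        """Identity the SPF check used: helo when envelope-from is blank."""
        return self.envelope_from or self.helo

    @property
    def authenticated(self) -> bool:
        """Only Pass counts; Neutral, None and the error states do not."""
        return self.status == "Pass"


def parse_spf_header(value: str) -> SpfVerdict:
    """Parse one X-TM-Received-SPF value; folded lines are flattened first."""
    flat = " ".join(value.split())
    match = _VALUE_RE.match(flat)
    if match is None or match["status"].lower() not in STATUSES:
        raise ValueError(f"unrecognised {HEADER_NAME} value: {flat!r}")
    params = {}
    for item in match["params"].split(";"):
        key, sep, val = item.strip().partition("=")
        if sep:
            params[key.strip().lower()] = val.strip()
    return SpfVerdict(
        status=STATUSES[match["status"].lower()],
        comment=match["comment"].strip(),
        client_ip=params.get("client-ip", ""),
        envelope_from=params.get("envelope-from", ""),
        helo=params.get("helo", ""),
    )


def spf_verdict_for_message(raw_message: str):
    """Return the verdict only when exactly one header instance is present.

    Assumption of this example: zero or several copies are treated as
    'no usable verdict' so that a copy supplied by the sender is never
    mistaken for the gateway's result.
    """
    values = message_from_string(raw_message).get_all(HEADER_NAME, [])
    if len(values) != 1:
        return None
    return parse_spf_header(str(values[0]))


if __name__ == "__main__":
    print(spf_verdict_for_message(SAMPLE_MESSAGE))
```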

Editing SPF Settings

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Sender
Policy Framework (SPF).
2. From the list of domains to perform SPF record check, click a domain
that you want to edit.


3. Modify the SPF settings as required.

Note
For details about the settings, see Adding SPF Settings on page 110.

4. Click Save.

DomainKeys Identified Mail (DKIM)


DomainKeys Identified Mail (DKIM) is an email validation system that
detects email spoofing by validating a domain name identity associated with
a message through cryptographic authentication. In addition, DKIM is used
to ensure the integrity of incoming messages or ensure that a message has
not been tampered with in transit.

To ensure the validity and integrity of email messages, DKIM uses a public
and private key pair system. A public and private key pair is created for the
sending domain. The private key is stored securely on the mail server and
used to sign outgoing messages. The public key is stored and published in
DNS as a TXT record of the domain. When an email message is sent, the mail
server uses the private key to digitally sign it, and the signature is added to
the message header. When the email message is received, the DKIM signature
can be verified against the public key published in the domain's DNS.

Trend Micro Email Security implements DKIM authentication only in the
following scenarios:

• Verifies DKIM signatures in incoming messages only when the domain
specified in the “d=” tag of the DKIM signature header field belongs to
the same organizational domain as the domain part of the “From” field
in the message header.

• Adds DKIM signatures to outgoing message headers to prevent spoofing
only when the domain part of the “From” field in the message header
belongs to the same organizational domain as the MAIL FROM address
(envelope sender).


Adding DKIM Verification Settings


Trend Micro Email Security verifies DKIM signatures in incoming email
messages and allows administrators to take actions on messages that fail to
pass signature verification. If a message's DKIM signature passes
verification, the message will continue to the next step in the regular delivery
process.
The DKIM verification settings apply only to the selected recipient domain.

Note
Trend Micro Email Security provides a built-in default rule that has the lowest
priority to ensure you receive a baseline level of protection. The default rule
cannot be deleted.
You can create only one single rule for each “Managed Domain”. The default
rule will be applied if no other rules are matched based on the “Managed
Domain”.

Procedure
1. Go to Inbound Protection > Domain-based Authentication >
DomainKeys Identified Mail (DKIM) Verification.
2. Click Add.
The Add DKIM Verification Settings screen appears.
3. Select a specific recipient domain from the Managed domain drop-
down list.
4. Select Enable DKIM verification.
5. Optionally select Skip DKIM verification for email messages with no
envelope sender addresses.
6. Optionally select Insert an X-Header into email messages.
X-Header is added to indicate whether DKIM verification is successful or
not.
Here are some examples of X-Header:

X-TM-Authentication-Results:dkim=pass; No signatures and
verification is not enforced

X-TM-Authentication-Results:dkim=pass; No processed
signatures and verification is not enforced

X-TM-Authentication-Results:dkim=fail; No processed
signatures but verification is enforced

X-TM-Authentication-Results:dkim=pass; Contain verified
signature, header.d=test.com, header.s=TM-DKIM_201603291435,
header.i=sender@test.com

X-TM-Authentication-Results:dkim=fail; No verified
signatures

7. Under Intercept, select an action that you want to take on a message
that fails DKIM verification.
• Do not intercept messages
• Delete entire message
• Quarantine
8. Under Tag and Notify, select further actions that you want to take on the
message.
• Tag subject

Note
Tags can be customized. When selecting the Tag subject action, note
the following:
• This action may destroy the existing DKIM signatures in email
messages, leading to a DKIM verification failure by the
downstream mail server.
• To prevent tags from breaking digital signatures, select Do not
tag digitally signed messages.

• Send notification


9. Under Ignored Peers, do any of the following:


• To add ignored peers to skip DKIM verification for specific sender
domains, specify one or multiple sender domain names and click
Add.

Note
Trend Micro Email Security uses senders' envelope addresses to match
the domain names.
Trend Micro Email Security will not implement DKIM verification for
email messages from the specific domain. The email messages will
continue to the next step in the regular delivery process.
However, this does not mean the email messages have passed DKIM
verification. They will fail subsequent DMARC authentication if they
do not actually meet specific criteria of the DKIM standard.

• To search for existing ignored peers, type a keyword and click Search.
• To import ignored peers from a CSV file, click Import.
The following import options are available:
• Merge: append the ignored peers to the existing list.
• Overwrite: replace the existing list with the ignored peers in
the file.
• To export all ignored peers to a CSV file, click Export.
10. Under Enforced Peers, do any of the following:
• To add enforced peers to enforce DKIM verification for specific
sender domains, specify one or multiple sender domain names and
click Add.
Each email message from the specified domain must meet specific
criteria of the DKIM standard; otherwise, an action will be taken on
the message.
The following criteria must be met:


• The sender domain must have a DKIM record.

• There is at least one verified signature in the message.

• To search for, import or export enforced peers, perform similar
operations as described in the previous step.

Note
Trend Micro Email Security uses senders' envelope addresses to match the
domain names.

If a sender domain is specified in both the ignored peer list and enforced
peer list, Trend Micro Email Security skips DKIM verification for email
messages from this domain.

11. Click Add to finish adding the DKIM verification settings.

Note
All the settings you added take effect only when you click Add.

Editing DKIM Verification Settings

Procedure

1. Go to Inbound Protection > Domain-based Authentication >
DomainKeys Identified Mail (DKIM) Verification.

2. From the list of DKIM verification domains, click a domain that you
want to edit.

3. Modify the DKIM verification settings as required.

Note
For details about the settings, see Adding DKIM Verification Settings on page
115.


4. Click Save.

Adding DKIM Signing Settings


Trend Micro Email Security supports DKIM signing for all outgoing messages
from a specific domain. Recipients can verify that the email messages from
the domain are authorized by the domain's administrator and that the
messages, including attachments, have not been modified during transport.

The DKIM signing settings apply only to the selected sender domain.

Procedure

1. Go to Outbound Protection > DomainKeys Identified Mail (DKIM)
Signing.

2. Click Add.

The Add DKIM Signing Settings screen appears.

3. Select a specific sender domain from the Managed domain drop-down
list.

4. Select Enable DKIM signing.

5. Optionally select Sign email messages with no envelope sender
addresses.

For email messages with no envelope sender addresses (such as auto-
reply messages or bounced messages), Trend Micro Email Security
attempts to find the sender domain from the email header From and
applies DKIM signing settings of the sender domain.

6. Configure general settings for DKIM signing.

• SDID: select a signing domain identifier from the drop-down list.

• Selector: selector to subdivide key namespace. Retain the default
value.

• Headers to sign: select one or multiple headers to sign and
customize more headers if necessary.

• Wait time: specify how long it takes for a key pair to take effect.
Trend Micro Email Security starts to count the wait time once it
finds the public key in the DNS.

• Key pair: select a key length and click Generate to generate a key
pair.

Note
Use the generated DNS TXT record name and DNS TXT record value
to publish the public key of the key pair to your DNS server.

If your domain provider supports the 2048-bit domain key length but
limits the size of the TXT record value to 255 characters, split the key
into multiple quoted text strings and paste them together in the TXT
record value field.

7. Configure advanced settings for DKIM signing.

• Header canonicalization: select Simple or Relaxed.

• Body canonicalization: select Simple or Relaxed.

Note
Two canonicalization algorithms are defined for each of the email
header and the email body: a "simple" algorithm that tolerates almost
no modification and a "relaxed" algorithm that tolerates common
modifications such as whitespace replacement and header field line
rewrapping.

• Signature expiration: set the number of days that the signature will
be valid.

• Body length: set the number of bytes allowed for the email body.

• AUID: specify the Agent or User Identifier on behalf of which SDID
is taking responsibility.


8. Click Add to finish adding the DKIM signing settings.
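
The canonicalization choice in step 7 decides which in-transit changes a signature tolerates, and it is also why the Tag subject action can break an existing DKIM signature. The following added example (not Trend Micro code) implements the "simple" and "relaxed" canonicalization rules of RFC 6376 and compares the data a signature would cover before and after a change; it covers canonicalization and body hashing only, not the RSA signature itself, and the sample messages and function names are constructed for illustration.

```python
import base64
import hashlib
import re


def canon_header(raw: str, mode: str) -> str:
    """Canonicalize one raw header field, trailing CRLF included."""
    if mode == "simple":
        return raw  # simple: hashed exactly as received
    name, _, value = raw.partition(":")
    # relaxed: unfold, collapse whitespace runs, trim, lowercase the name
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return name.strip(" \t").lower() + ":" + value + "\r\n"


def canon_body(body: bytes, mode: str) -> bytes:
    """Canonicalize a message body that uses CRLF line endings."""
    if mode == "simple":
        # simple: only trailing empty lines are ignored; empty body -> CRLF
        while body.endswith(b"\r\n\r\n"):
            body = body[:-2]
        return body if body.endswith(b"\r\n") else body + b"\r\n"
    # relaxed: also collapse whitespace runs and drop trailing whitespace
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, mode: str) -> str:
    """Value of the bh= tag for a SHA-256 signature."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def signed_data(message, signed_names, header_mode, body_mode):
    """Return (canonical header block, bh) covered by a signature.

    message is (list of raw header fields, body bytes). If a header name
    repeats, this example keeps the last occurrence only.
    """
    headers, body = message
    by_name = {h.partition(":")[0].strip().lower(): h for h in headers}
    block = "".join(canon_header(by_name[n], header_mode)
                    for n in signed_names if n in by_name)
    return block, body_hash(body, body_mode)


def signature_survives(original, modified, signed_names, header_mode, body_mode):
    """True when the modified message still yields the same signed data."""
    return (signed_data(original, signed_names, header_mode, body_mode)
            == signed_data(modified, signed_names, header_mode, body_mode))


# Constructed sample messages.
SIGNED = ["from", "subject", "date"]
BODY = b"Hello,\r\nsee the attached report.\r\n"
ORIGINAL = (["From: Alice <alice@example.com>\r\n",
             "Subject: Quarterly report\r\n",
             "Date: Mon, 17 Jan 2022 09:00:00 +0000\r\n"], BODY)
# A relay re-wraps the subject and leaves stray whitespace behind.
REWRAPPED = (["From: Alice <alice@example.com>\r\n",
              "Subject:   Quarterly\r\n report\r\n",
              "Date: Mon, 17 Jan 2022 09:00:00 +0000\r\n"],
             b"Hello,  \r\nsee the attached report.\r\n\r\n")
# A gateway tags the subject line.
TAGGED = (["From: Alice <alice@example.com>\r\n",
           "Subject: [Spam] Quarterly report\r\n",
           "Date: Mon, 17 Jan 2022 09:00:00 +0000\r\n"], BODY)

if __name__ == "__main__":
    for label, msg in (("rewrapped", REWRAPPED), ("tagged", TAGGED)):
        for mode in ("simple", "relaxed"):
            print(label, mode, signature_survives(ORIGINAL, msg, SIGNED, mode, mode))
```

Whitespace rewrapping survives only the relaxed setting, while a subject tag changes the signed data under both settings whenever Subject is among the signed headers.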

Editing DKIM Signing Settings

Procedure
1. Go to Outbound Protection > DomainKeys Identified Mail (DKIM)
Signing.
2. From the list of DKIM signing domains, click a domain that you want to
edit.
3. Modify the DKIM signing settings as required.

Note
For details about the settings, see Adding DKIM Signing Settings on page
119.
If you regenerate a key pair, remember to publish the new public key to your DNS server.

4. Click Save.

Domain-based Message Authentication, Reporting & Conformance (DMARC)
Domain-based Message Authentication, Reporting and Conformance
(DMARC) is an email validation system designed to detect and prevent email
spoofing. It is intended to combat certain techniques often used in phishing
and email spam, such as email messages with forged sender addresses that
appear to originate from legitimate organizations. It provides a way to
authenticate email messages for specific domains, send feedback to senders,
and conform to a published policy.
DMARC fits into the inbound email authentication process of Trend Micro
Email Security. It helps email recipients determine whether a purported
message aligns with what the recipient knows about the sender. If not,
DMARC provides guidance on how to handle the non-aligned messages.
DMARC requires either of the following:
• A message passes the SPF check, and its identifier domain is in
alignment.
• A message passes the DKIM signature check, and its identifier domain is
in alignment.
Identifier alignment requires that the domain authenticated by SPF or DKIM
be the same as or belong to the same organizational domain as the message
header domain. If the alignment mode is “s” (strict), the two domains must
be exactly the same; if the alignment mode is “r” (relaxed), they must belong
to the same organizational domain.

Note
If an email message passes the Sender IP Match check, the message is also
considered as passing the SPF check of DMARC authentication.

However, some services like mailing lists or account forwarding (also known
as intermediaries) might make changes to a legitimate message before
sending it on, potentially resulting in SPF, DKIM, and/or DMARC alignment
failure. Therefore, the message may not get delivered despite its
legitimacy.
Authenticated Received Chain (ARC) was designed to address this problem.
ARC preserves email authentication results across subsequent
intermediaries (“hops”) that may modify the message, and thus would cause
email authentication measures to fail to verify when that message reaches its
final destination. But if an ARC chain were present and validated, a receiver
who would otherwise discard the messages might choose to evaluate the ARC
results and make an exception, allowing legitimate messages to be delivered.
ARC-enabled intermediaries generally act as both ARC validators (when
receiving messages) and ARC sealers (when sending messages onward, not
originated locally).
When evaluating ARC results for validity as an ARC validator, Trend Micro
Email Security currently evaluates only the following third-party ARC
sealers:


• Google
• Microsoft
When signing the messages' validation results as an ARC sealer, Trend Micro
Email Security uses the domain name "d=tmes.trendmicro.com" in the ARC
headers. If the next hop intermediary is ARC-enabled, Trend Micro suggests
that you enable the intermediary to add Trend Micro to its ARC sealer trust
list.

Adding DMARC Settings


Trend Micro Email Security authenticates incoming email messages of the
selected domain and allows administrators to take actions on messages that
fail to pass DMARC authentication. If DMARC authentication passes, the
messages will be delivered normally. If DMARC authentication fails, the
messages will be quarantined, rejected or delivered according to the DMARC
settings.
The DMARC settings apply only to the selected recipient domain.

Note
Trend Micro Email Security provides a built-in default rule that has the lowest
priority to ensure you receive a baseline level of protection. The default rule
cannot be deleted.
You can create only one single rule for each “Managed Domain”. The default
rule will be applied if no other rules are matched based on the “Managed
Domain”.

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Domain-
based Message Authentication, Reporting and Conformance
(DMARC).
2. Click Add.
The Add DMARC Settings screen appears.


3. Select a specific recipient domain from the Managed domain drop-
down list.
4. Select Enable DMARC.
5. Optionally select Skip DMARC for email messages with no envelope
sender addresses.
6. Optionally select Enable Authenticated Received Chain (ARC).
Trend Micro Email Security will successfully authenticate the email
messages that fail DMARC authentication but pass ARC validation, and
will also insert a set of ARC headers into these email messages.
Here is an example of a set of ARC headers:

ARC-Authentication-Results: i=2; tmes.trendmicro.com;
spf=temperror (sender IP address: 10.135.11.245) smtp.mailfrom=examp
dkim=none (no processed signatures) header.d=none;
dmarc=fail action=none header.from=test.com; arc=pass

ARC-Message-Signature: i=2; a=rsa-sha256; d=tmes.trendmicro.com;
s=TM-DKIM-20200223173148; t=1628750516; c=relaxed/relaxed;
bh=5ffn1pIbUBxx6CFHIVuU2HzEpEvAtzhWZ1Jz7ddgWws=;
h=Date:From:To:Subject:Message-ID:Content-Type;
b=cAaAR+7GtaByy8iSJiWo7GIf8T28Pjod3W2vWKcQWLH/7YA4n0X51cSBlPwtTygfX
otqfftTsCNIO1/Xx5LtdE2KdVYZbVgrFo+WpDgtCXCLLw6sO7OsdsPSSPbcpEq8r6q
ERfAqu5TNDLaj2+cR197bBhUFYVDJDe7pbfNaAy2g8GL3gOGrkWQcYw1DrRWXeOSEi
3i59afFHqH3LOY4cmlyWDpZxyDhhn7Rhb3ZNlw9aUuQtMj7iaXkxQaC1M/T6bxLEAE
XXV4jczaONiJ/5XmsPlR0gvHr0SpC42isWxElyXr2J1C93HgeAmK1Db4JAOGV2mXMF
I3fzA7jbSSLag==

ARC-Seal: i=2; a=rsa-sha256; d=tmes.trendmicro.com; s=TM-DKIM-20200223173148
t=1628750516; cv=pass;
b=LKQY/mrwXnJKLJIclybRcGQyWziCvHqIFBAZAYtTlz1aYQ2EiHaXaLbkmokgF8ibC
zj5UwsJrIj20lpm0aB+qKDoy4Psme/I3JZNDa5B1OeLHvkcubfUq9bzfSZadkN/dWC
N9FfbNSQwiZ0++SOLVwYCcIqh9PkWcfIJa7bo4sP7aUZjJkcXutfcm0q94J9j4fIgz
HWxEh58pvjtuMrSKCVCyMIODGoEYa1EbD2EbiTI7iZ54VfPXHjR79b0+21xppZbVEN
0QZGWYuuCoLUrIWDhPzS0kyYyIumPIh4RLe8sMKaBrKECo89XU+BjfNuwZpAPJs/id
Q6RbaHHVtp8XA==

7. Optionally select Insert an X-Header into email messages.


An X-Header is added to indicate whether DMARC authentication is
successful or not.
Here are some examples of X-Header:
X-TM-Authentication-Results: spf=pass (sender IP address:
10.210.128.20) smtp.mailfrom=example.com; dkim=pass
(signatures verified) header.d=example.com; dmarc=pass
action=none header.from=example.com; arc=none

X-TM-Authentication-Results: spf=fail (sender IP address:
10.204.148.40) smtp.mailfrom=example.com; dkim=fail (no
verified signatures found) header.d=example.com; dmarc=fail
action=none header.from=example.com; arc=none

X-TM-Authentication-Results: spf=fail (sender IP address:
10.204.148.40) smtp.mailfrom=example.com; dkim=pass
(signatures verified) header.d=example.com; dmarc=pass
action=none header.from=example.com; arc=pass

X-TM-Authentication-Results: spf=pass (sender IP address:
10.204.128.20) smtp.mailfrom=example.com; dkim=fail (no
verified signatures found) header.d=example.com; dmarc=pass
action=none header.from=example.com; arc=pass

8. Optionally select Deliver daily reports to senders.


If you select this option, aggregated reports will be generated daily for
authentication failures and sent back to email senders.
9. Under Intercept, specify actions to take on messages that fail DMARC
authentication.
A DMARC tag instructs recipients how to handle email messages that fail
DMARC authentication. There are three values for the tag: "none",
"quarantine", and "reject". Trend Micro Email Security enables you to
specify the action to take in each scenario based on the instructions:
• None: select the action to take when the DMARC tag value is "none".
• Quarantine: select the action to take when the DMARC tag value is
"quarantine".


• Reject: select the action to take when the DMARC tag value is
"reject".
• No DMARC records: select the action to take when there are no
DMARC records.
10. Under Tag and Notify, select further actions that you want to take on the
messages.
• Tag subject

Note
Tags can be customized. When selecting the Tag subject action, note
the following:
• This action may destroy the existing DKIM signatures in email
messages, leading to a DKIM verification failure by the
downstream mail server.
• To prevent tags from breaking digital signatures, select Do not
tag digitally signed messages.

• Send notification
11. Under Ignored Peers, do any of the following:
• To add ignored peers to skip DMARC authentication for specific
sender domains, specify one or multiple sender domain names and
click Add.

Note
Trend Micro Email Security uses senders' envelope addresses to match
the domain names.
Trend Micro Email Security will not implement DMARC
authentication for email messages from the specific domain. The
email messages will continue to the next step in the regular delivery
process.

• To search for existing ignored peers, type a keyword and click Search.


• To import ignored peers from a CSV file, click Import.

The following import options are available:

• Merge: append the ignored peers to the existing list.

• Overwrite: replace the existing list with the ignored peers in
the file.

• To export all ignored peers to a CSV file, click Export.

12. Under Enforced Peers, do any of the following:

• To add enforced peers to enforce DMARC authentication for specific
sender domains, specify one or multiple sender domain names and
click Add.

Note
Trend Micro Email Security uses senders' envelope addresses to match
the domain names.

Each email message from the specified domain must meet specific
criteria of the DMARC standard; otherwise, an action will be taken
on the message.

The following criteria must be met:

• The sender domain has a DMARC record.

• The message passes the SPF check, and its identifier domain is
in alignment. Alternatively, the message passes DKIM
verification, and its identifier domain is in alignment.

• To search for, import or export enforced peers, perform similar
operations as described in the previous step.

13. Click Add to finish adding the DMARC settings.


Note
All the settings you added take effect only when you click Add.
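
The pass criteria (SPF or DKIM pass with identifier alignment) and the per-tag Intercept actions configured in this procedure can be expressed as a small decision function. This is an added example, not Trend Micro code: it follows the strict ("s") and relaxed ("r") alignment modes described earlier, uses a constructed subset of public suffixes in place of the full Public Suffix List, and the `ADMIN_ACTIONS` mapping and all function names are hypothetical.

```python
# Constructed subset for the example; a real check uses the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Hypothetical stand-in for the four "Intercept" choices in step 9.
ADMIN_ACTIONS = {"none": "deliver", "quarantine": "quarantine",
                 "reject": "reject", "no_record": "deliver"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt: str):
    """Extract the policy and alignment tags from a DMARC TXT record value.

    Simplification: a record without p= is treated as p=none.
    """
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return {"p": tags.get("p", "none"),
            "adkim": tags.get("adkim", "r"),   # relaxed is the default mode
            "aspf": tags.get("aspf", "r")}


def evaluate(from_domain, spf, dkim, record, actions=ADMIN_ACTIONS):
    """Decide the DMARC result and the action to take.

    spf    -- (result, MAIL FROM domain), e.g. ("pass", "bounce.example.com")
    dkim   -- list of (result, d= domain), one entry per signature
    record -- output of parse_dmarc_record, or None when no record exists
    """
    if record is None:
        return {"dmarc": "none", "action": actions["no_record"]}
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, record["aspf"])
    dkim_ok = any(result == "pass" and aligned(d, from_domain, record["adkim"])
                  for result, d in dkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "action": "deliver"}
    return {"dmarc": "fail", "action": actions[record["p"]]}


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=quarantine; adkim=s; aspf=r")
    # SPF and DKIM both pass, but for a domain unrelated to the From header.
    print(evaluate("example.com", ("pass", "example.net"),
                   [("pass", "example.net")], rec))
```

The last call shows the case DMARC exists for: SPF and DKIM both pass, yet neither authenticated domain aligns with the From header, so the message fails and the action for the published tag applies.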

Editing DMARC Settings

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Domain-
based Message Authentication, Reporting and Conformance
(DMARC).
2. From the list of DMARC authentication domains, click a domain that you
want to edit.
3. Modify the DMARC settings as required.

Note
For details about the settings, see Adding DMARC Settings on page 123.

4. Click Save.

How DMARC Works with SPF and DKIM


SPF, DKIM and DMARC are three independent features in Trend Micro Email
Security. You can enable or disable those features based on your
requirements.
The following are typical scenarios for your reference:
• DMARC enabled only
Trend Micro Email Security performs its own SPF check and DKIM
signature check before alignment check.
• SPF check, DKIM verification and DMARC authentication enabled at the
same time


Trend Micro Email Security checks the sender domain for each inbound
email message. If a message does not pass the SPF check, the message
will be deleted, quarantined or delivered depending on the action
configured.
If the message passes the SPF check, Trend Micro Email Security verifies
DKIM signatures in the message. If the message does not pass DKIM
verification, the message will be deleted, quarantined or delivered
depending on the action configured.
If the message continues to the next step in the delivery process, Trend
Micro Email Security implements DMARC authentication on the
message.

File Password Analysis


By leveraging a combination of user-defined passwords and message content
(subject, body and attachment names), Trend Micro Email Security can
heuristically extract or open password-protected files, namely, archive files
and document files, in email messages to detect any malicious payload that
may be embedded in those files.
You can add or import user-defined passwords to help Trend Micro Email
Security efficiently extract or open password-protected files for further
scanning.

Note
File password analysis is only applied for virus scan, and not for DLP or content
filtering.

Trend Micro Email Security supports the following password-protected
archive file types:
• 7z
• rar
• zip


Trend Micro Email Security supports the following password-protected
document file types:

• doc

• docx

• pdf

• pptx

• xls

• xlsx

Configuring File Password Analysis

Procedure

1. Choose Inbound Protection > Virus Scan > File Password Analysis.

2. In the File Password Analysis Settings section, select Enable file
password analysis.

3. Optionally select Hold on a message to associate later messages for
password analysis and specify a certain amount of time for Analysis
timeout.

Note
This step is required if you want Trend Micro Email Security to associate
later email messages to further analyze the file password for the current
email message. The current message will not be released for delivery
during the analysis timeout period.

4. Click Save.

To help Trend Micro Email Security crack file passwords more
efficiently, you can add or import passwords that are commonly used by
your organization as the user-defined passwords. Trend Micro Email
Security will try the user-defined passwords first before any other ways
to extract or open files.

Adding User-Defined Passwords


A maximum of 100 passwords is allowed.

Procedure

1. In the User-Defined Passwords section, click Add.

The Add Password dialog box appears.

2. Type a priority value next to Priority for the new password.

Note
The priority value ranges from 1 to 100.

The lower the priority value, the higher the priority.

3. Type a password with only ASCII characters.

4. Click Save.

The password you added appears in the user-defined password list.

If there are multiple passwords, you can click the up or down arrow next
to Priority to sort the passwords by priority level. To delete one or
multiple passwords, select the check box of each password and click
Delete.

Importing User-Defined Passwords


A maximum of 100 passwords is allowed.


Procedure
1. In the User-Defined Passwords section, click Import.
The Import Passwords dialog box appears.
2. Next to File location, browse and select a TXT file to import.
You can click Download sample file to view a sample of a properly
formatted file.
Trend Micro Email Security checks all the entries in the selected file to
identify any invalid, duplicate or conflicting passwords.
3. After you confirm all the entries to be imported, click Import.

Configuring Scan Exceptions


Under certain circumstances, you may want to prevent Trend Micro Email
Security from scanning certain types of messages that may pose security
risks. For example, compressed files provide a number of special security
concerns since they can harbor security risks or contain numerous
compression layers. Scan exceptions are configured to instruct Trend Micro
Email Security to take actions on these messages.

Note
If an email message triggers the scan exception "Malformed messages", Trend
Micro Email Security stops scanning and takes the corresponding actions.
If any other scan exception is triggered, Trend Micro Email Security takes the
specified actions and will not stop scanning until encountering a terminal scan
action. For details about terminal actions, see “Intercept” Actions on page 209.

Scan Exception List


Trend Micro Email Security allows you to configure different types of
exceptions. If an email message meets any of the following conditions, Trend
Micro Email Security will trigger an exception and take the specified actions:


• The number of files in a compressed file exceeds 353.

• The decompression ratio of a compressed file exceeds 100.

Note
The decompression ratio refers to the ratio between a decompressed file's
size and its original compressed size. For example, for a 1 MB compressed
file, if the decompressed file size is 100 MB, the ratio would be 100 to 1,
which is equivalent to 100.

• The number of decompression layers in a compressed file exceeds 20.

Trend Micro Email Security checks for malware "smuggled" within
nested compressions and supports scanning up to 20 recursive
compression layers.

• The size of a single decompressed file exceeds 60 MB.

• An Office 2007/2010/2013/2016 file contains more than 353 subfiles.

Note
An Office 2007/2010/2013/2016 file is actually a zip archive of XML files.
Therefore, Trend Micro Email Security treats such an Office file as a
compressed file and triggers an exception when the Office file consists of
more than 353 files.

• An Office 2007/2010/2013/2016 file contains a subfile whose
decompression ratio exceeds 100.

• Malformed messages.

• Virtual Analyzer scan exception.

Possible scenarios include:

• Cloud sandbox analysis timed out.

• Unable to connect to the cloud sandbox.

• The available sandbox images do not support the file format.


• The extracted or downloaded file exceeds the file size limit.


• Unable to access the URL.
• The URL is invalid.
• Virtual Analyzer submission quota exception.

Note
The Virtual Analyzer scan exception and submission quota exception are
available only in inbound protection.
These settings are not included in the Trend Micro Email Security Standard
license.
For details about different license versions, see Available License Versions on page
17.
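
The archive thresholds in the scan exception list (353 files, ratio 100, 20 layers, 60 MB per decompressed file) can be checked against a ZIP attachment or an Office 2007+ file before it reaches other tooling. This is an added example, not Trend Micro's implementation: it measures the ratio per archive member while decompressing in capped chunks, so sizes declared in the archive headers are never trusted, and the `member_budget` safeguard, the "budget" and "unreadable" labels and all names are assumptions of the example.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    max_files: int = 353                     # files per compressed file
    max_ratio: int = 100                     # decompressed size / compressed size
    max_layers: int = 20                     # nested compression layers
    max_file_bytes: int = 60 * 1024 * 1024   # single decompressed file
    member_budget: int = 10_000              # example's own cap on total work


def _read_capped(zf, info, limits):
    """Decompress one member in chunks, stopping as soon as a limit is crossed."""
    ratio_cap = limits.max_ratio * info.compress_size if info.compress_size else None
    data = bytearray()
    with zf.open(info) as fh:
        while chunk := fh.read(64 * 1024):
            data += chunk
            if len(data) > limits.max_file_bytes:
                return None, "file_size"
            if ratio_cap is not None and len(data) > ratio_cap:
                return None, "ratio"
    return bytes(data), None


def scan_exceptions(blob: bytes, limits: Limits = Limits(), _layer=1, _budget=None) -> set:
    """Return the set of exception labels a ZIP-based file would trigger."""
    budget = _budget if _budget is not None else [limits.member_budget]
    if _layer > limits.max_layers:
        return {"layers"}
    found = set()
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            if len(members) > limits.max_files:
                found.add("file_count")
            for info in members:
                budget[0] -= 1
                if budget[0] < 0:            # stop instead of walking a huge tree
                    found.add("budget")
                    break
                data, reason = _read_capped(zf, info, limits)
                if reason:
                    found.add(reason)
                elif zipfile.is_zipfile(io.BytesIO(data)):
                    found |= scan_exceptions(data, limits, _layer + 1, budget)
    except (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError):
        found.add("unreadable")              # corrupt, encrypted or unsupported
    return found


def make_zip(members: dict, deflate: bool = False) -> bytes:
    """Build a constructed in-memory ZIP for the demonstration."""
    method = zipfile.ZIP_DEFLATED if deflate else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    highly_compressible = make_zip({"zeros.bin": b"\0" * 1_000_000}, deflate=True)
    print(scan_exceptions(highly_compressible))
```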

Configuring "Scan Exceptions" Actions


To configure centralized scan exception settings, go to the following paths:
• Inbound Protection > Virus Scan > Scan Exceptions
• Outbound Protection > Virus Scan > Scan Exceptions
Scan exceptions under Inbound Protection apply to incoming messages,
while scan exceptions under Outbound Protection apply to outgoing
messages. The scan actions configured for each exception apply to all
senders and recipients.
Specify actions for Trend Micro Email Security to take on email messages
that meet the scan exception criteria.

Procedure
1. On the Scan Exceptions screen, click the action name for an exception
in the Actions column.
The Select Scan Exception Actions screen appears.


2. Configure Intercept settings.

| Option | Description |
| --- | --- |
| Do not intercept messages | Trend Micro Email Security does not take action on the message and processes the message using other rules if other rules apply. |
| Delete entire message | Trend Micro Email Security deletes the message, including its attachments. |
| Quarantine | Trend Micro Email Security moves the message into quarantine. |

3. Configure Modify settings.

a. Select the Tag subject action to insert configurable text into the
message subject line.

b. Type a tag in the Tag field, for example, Spam.

c. Optionally select Do not tag digitally signed messages to prevent
tags from breaking digital signatures.

4. Configure Monitor settings.

a. Select the Send notification action.

b. Click the message to people link.

The Notifications screen appears.

c. Select a notification message from the Available pane on the left
side and click Add>.

The Add, Edit, Copy and Delete buttons under Available are
provided for managing notification messages. For details about
managing notifications, see Managing Notifications on page 295.

d. Click Save to save the notification setting.

Note
The Modify and Monitor settings are not mandatory.


5. Click Save.

Note
If multiple scan exceptions are triggered for one email message, Trend
Micro Email Security chooses the action with the highest priority from the
configured “Intercept” actions, combines the action with the “Modify” and
“Monitor” actions, and performs those actions together on the message.

“Intercept” actions are listed as follows in descending order of priority:

• Delete entire message

• Quarantine

• Do not intercept messages

High Profile Users


In Business Email Compromise (BEC) scams, a fraudster impersonates a
high profile executive, for example, the CEO or CFO, and attempts to trick an
employee, a customer, or a vendor into transferring funds or sensitive
information to the fraudster.

Trend Micro Email Security allows you to add high profile users who are
likely to be impersonated for detection and classification.

Trend Micro Email Security also integrates with Trend Micro's Writing Style
DNA as an additional layer of protection for your organization's users against
BEC threats. For more information, see Configuring Business Email
Compromise Criteria on page 179.

Note
Writing Style DNA is not included in the Trend Micro Email Security Standard
license.

For details about different license versions, see Available License Versions.


Configuring High Profile Users


Specify the email display names of the high profile users who might be
frequently forged. Trend Micro Email Security will check incoming email
messages claimed to be sent from those users and apply fraud checking
criteria to identify forged messages. Trend Micro Email Security enables you
to take actions on the BEC attacks that are detected or suspected by the
Antispam Engine or detected by writing style analysis.
The specified high profile users are applicable to all BEC policies of your
domains as the global settings.

Procedure
1. Go to Inbound Protection > Spam Filtering > High Profile Users.
2. From the Source drop-down list, select either of the following:
• Synchronize users from Directory: select this option to
synchronize users from your directory.
• Click Select Groups to select a user group that you want to
synchronize.
A maximum of 500 users can be synchronized from one or
multiple directory groups. If there are more than 500 users,
Trend Micro Email Security sorts all users alphanumerically in
ascending order and applies BEC policies only to the first 500
users.


Note
The Directory Synchronization Tool is required to synchronize
user information from the directory server. For details about
installing and updating the tool, see the Directory
Synchronization Tool User's Guide. To download the tool and the
guide, do the following:

a. Go to Administration > Directory Management.

b. On the Directory Synchronize tab, find the tool and guide
under Downloads.

If you select Microsoft AD Global Catalog for synchronization in
the Directory Synchronization Tool, make sure the givenName,
initials and sn attributes have been replicated. By default,
these attributes are not replicated to the global catalog server by
Microsoft. If they are not replicated, use the Active Directory
Schema snap-in in the Microsoft Management Console for
replication.

• Click Export to export the directory user list to a CSV file.

• Click Refresh to refresh the current user list.

• Custom: select this option to create a customized list of high profile
users.

• Click Add to add a high profile user. Specify the first name,
middle name (optional), last name and email addresses
(optional) of the user.

• Click Delete to delete a high profile user.

• Click Import to import multiple users from a CSV file.

The following import options are available:

• Merge: append the users to the existing list.

• Overwrite: replace the existing list with the users in the
file.


• Click Export to export the customized user list to a CSV file.

High Profile Domains


Trend Micro Email Security allows you to specify high profile external
domains, for example, your partners' domains or domains of famous brands,
which are likely to be forged into cousin domains for spam, phishing, and
BEC attacks, for example, vendor frauds.
A cousin domain (or look-alike domain) is a domain that looks deceptively
similar to a legitimate target domain, which is well-known or familiar to
users. Cousin domains are often used in phishing attacks to steal sensitive or
confidential information from users. Cousin domains are usually created by
replacing one or more characters (for example, replacing the letter "l" with
the number "1") or adding or removing an extra character in the domain
name. Without careful inspection of the email addresses, users may not
notice the trick and think that an email message is sent from a legitimate
domain being forged.
By leveraging the Trend Micro Antispam Engine, Trend Micro Email Security
can scan domains in email messages (the from and replyto headers) based
on the settings you configure to detect cousin domains of these high profile
domains and protect users from spam, phishing, and BEC messages.

Configuring High Profile Domains


Specify legitimate sender domains that might be frequently forged into
cousin domains for spam, phishing, and BEC attacks. Trend Micro Email
Security will detect email messages from cousin domains of the specified
high profile domains.

Procedure
1. Go to Inbound Protection > Spam Filtering > High Profile Domains.
2. In the High Profile Domain Settings section, enable high profile
domains, select a detection threshold, and click Save.


• Aggressive: This option provides the highest number of detections
based on fuzzy matches. This is the most rigorous level of spam,
phishing, and BEC detection.
• Normal: This is the default and recommended setting. This option
provides a moderate number of detections.
• Conservative: This option provides the most accurate detections
based on near-exact matches.
3. In the High Profile Domains section, maintain a list of legitimate sender
domains.
• Click Add to add a high profile domain. Specify the domain name,
for example, domain.com for the high profile domain.
Wildcard characters and regular expressions are not supported.

Note
You can add a maximum of 100 high profile domains.

• Click Delete to delete a high profile domain.


• Click Import to import high profile domains from a TXT file.
The following import options are available:
• Merge: append the high profile domains to the existing list.
• Overwrite: replace the existing high profile domain list with
the domains in the file.
• Click Export to export the high profile domain list to a TXT file.
4. In the Exception List section, maintain a list of domains that Trend
Micro Email Security excludes from scanning for cousin domains.

Note
You can add a maximum of 1,000 domains to the exception list.
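The following added example (not part of the guide and not the Antispam Engine's logic) shows how a cousin-domain check over the from and replyto headers can work, including the effect of a detection threshold and an exception list. The confusable-character table, the mapping of Aggressive, Normal and Conservative to edit distances, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed look-alike substitutions (assumption; the product's fuzzy
# matching rules are not documented in this guide).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"))

# Hypothetical mapping of the three console thresholds to a maximum edit
# distance: a larger distance yields more detections and more false positives.
THRESHOLDS = {"conservative": 1, "normal": 2, "aggressive": 3}

# Constructed sample message using reserved example domains.
SAMPLE = (
    "From: Accounts Payable <billing@examp1e.com>\n"
    "Reply-To: billing@exarnple.com\n"
    "Subject: Updated bank details\n"
    "\n"
    "Please use the new account.\n"
)


def skeleton(domain):
    """Collapse visually confusable character sequences to one form."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_of(domain, high_profile, exceptions=(), level="normal"):
    """Return the high profile domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    protected = {d.lower() for d in high_profile}
    # The legitimate domain itself and excepted domains are never flagged.
    if domain in protected or domain in {e.lower() for e in exceptions}:
        return None
    limit = THRESHOLDS[level]
    for target in sorted(protected):
        if skeleton(domain) == skeleton(target):
            return target  # differs only by confusable characters
        if edit_distance(domain, target) <= limit:
            return target  # added, removed or replaced characters
    return None


def scan_message(raw, high_profile, exceptions=(), level="normal"):
    """Check the From and Reply-To headers of one message."""
    msg = message_from_string(raw)
    hits = []
    for header in ("From", "Reply-To"):
        address = parseaddr(msg.get(header, ""))[1]
        if "@" in address:
            sender_domain = address.rsplit("@", 1)[1]
            target = cousin_of(sender_domain, high_profile, exceptions, level)
            if target:
                hits.append((header, address, target))
    return hits
```

A transposed domain such as exampel.com is two edits away from example.com, so in this sketch it is caught at the normal level but not at the conservative level, which is the trade-off the threshold setting controls.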


Configuring Time-of-Click Protection Settings


If you enable Time-of-Click Protection when creating a spam policy, Trend
Micro Email Security rewrites URLs in email messages for further analysis.
Trend Micro analyzes those URLs at the time of click, and will block access to
them or show a warning page (depending on your settings) if they are
malicious.
You can choose to use the default blocking and warning pages or customize
the blocking and warning pages according to your preference.

Procedure
1. Go to Inbound Protection > Spam Filtering > Time-of-Click Protection.
2. In the Actions section, do the following:
• Dangerous: Select an action (Allow, Warn or Block) to take on
dangerous URLs. The default value is Block.
Dangerous URLs are verified to be fraudulent or known sources of
threats.
• Highly Suspicious: Select an action (Allow, Warn or Block) to take
on highly suspicious URLs. The default value is Block.
Highly suspicious URLs are suspected to be fraudulent or possible
sources of threats.
• Suspicious: Select an action (Allow, Warn or Block) to take on
suspicious URLs. The default value is Warn.
Suspicious URLs are associated with spam or possibly
compromised.
• Untested: Select an action (Allow, Warn or Block) to take on
untested URLs. The default value is Warn.
While Trend Micro actively tests URLs for safety, users may
encounter untested pages when visiting new or less popular
websites. Blocking access to untested pages can improve safety but
can also prevent access to safe pages.


3. In the Blocking and Warning Pages section, select whether to use the
default blocking and warning pages or to customize your own ones.

• Use default redirect pages: The default blocking page or warning
page will appear when a malicious URL in the email message is
clicked.

• Customize redirect pages: Customize your own blocking page and
warning page if you do not want to use the default ones.

a. Type a title for Browser Tab Title.

b. Next to Content, click the icon next to the strings on the Dangerous
tab and customize the strings.

Repeat the customization settings on the Highly Suspicious,
Suspicious, and Untested tabs in sequence.

c. Type the click-through link text.

The click-through link text you customize applies to the warning
pages for malicious URLs at each of the preceding risk levels.

Note
The click-through link appears on the warning page only.

4. Click Save.

Data Loss Prevention


Data Loss Prevention (DLP) safeguards an organization's confidential and
sensitive data, referred to as digital assets, against accidental disclosure and
intentional theft. DLP allows you to:

• Identify the digital assets to protect


• Create policies that limit or prevent the transmission of digital assets
through email
• Enforce compliance to established privacy standards
DLP evaluates data against a set of rules defined in policies. Policies
determine the data that must be protected from unauthorized transmission
and the action that DLP performs when it detects transmission.
With DLP, Trend Micro Email Security allows you to manage your incoming
email messages containing sensitive data and protects your organization
against data loss by monitoring your outbound email messages.

Data Identifier Types


Digital assets are files and data that an organization must protect against
unauthorized transmission. Administrators can define digital assets using
the following data identifiers:
• Expressions: Data that has a certain structure.
For details, see Expressions on page 143.
• File attributes: File properties such as file type and file size.
For details, see File Attributes on page 152.
• Keyword lists: A list of special words or phrases.
For details, see Keywords on page 148.

Note
Administrators cannot delete a data identifier that a DLP template is using.
Delete the template before deleting the data identifier.

Expressions
An expression is data that has a certain structure. For example, credit card
numbers typically have 16 digits and appear in the format
"nnnn-nnnn-nnnn-nnnn", making them suitable for expression-based detections.


Administrators can use predefined and customized expressions.
For details, see Predefined Expressions on page 144 and Customized Expressions
on page 144.

Predefined Expressions

Data Loss Prevention comes with a set of predefined expressions. These
expressions cannot be modified or deleted.
Data Loss Prevention verifies these expressions using pattern matching and
mathematical equations. After Data Loss Prevention matches potentially
sensitive data with an expression, the data may also undergo additional
verification checks.
For a complete list of predefined expressions, see the Data Protection Lists
document at
http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

Customized Expressions

Create customized expressions if none of the predefined expressions meets
the company's requirements.
Expressions are a powerful string-matching tool. Become comfortable with
expression syntax before creating expressions. Poorly written expressions
can dramatically impact performance.
When creating expressions:
• Refer to the predefined expressions for guidance on how to define valid
expressions. For example, when creating an expression that includes a
date, refer to the expressions prefixed with "Date".
• Note that Data Loss Prevention follows the expression formats defined
in Perl Compatible Regular Expressions (PCRE). For more information
on PCRE, visit the following website:
http://www.pcre.org/
• Start with simple expressions. Modify the expressions if they are causing
false alarms or fine tune them to improve detections.


Administrators can choose from several criteria when creating expressions.
An expression must satisfy the chosen criteria before Data Loss Prevention
subjects it to a DLP policy. For details about the different criteria options, see
Criteria for Customized Expressions on page 145.

Criteria for Customized Expressions

Table 41. Criteria Options for Customized Expressions

Criteria: None
Rule: None
Example: All - Names from US Census Bureau
• Expression: [^\w]([A-Z][a-z]{1,12}(\s?,\s?|[\s]|\s([A-Z])\.\s)[A-Z][a-z]{1,12})[^\w]

Criteria: Specific characters
Rule: An expression must include the characters you have specified.
In addition, the number of characters in the expression must be within the
minimum and maximum limits.
Example: US - ABA Routing Number
• Expression: [^\d]([0123678]\d{8})[^\d]
• Characters: 0123456789
• Minimum characters: 9
• Maximum characters: 9

Criteria: Suffix
Rule: Suffix refers to the last segment of an expression. A suffix must
include the characters you have specified and contain a certain number of
characters.
In addition, the number of characters in the expression must be within the
minimum and maximum limits.
Example: All - Home Address
• Expression: \D(\d+\s[a-z.]+\s([a-z]+\s){0,2}(lane|ln|street|st|avenue|ave|road|rd|place|pl|drive|dr|circle|cr|court|ct|boulevard|blvd)\.?[0-9a-z,#\s\.]{0,30}[\s|,][a-z]{2}\s\d{5}(-\d{4})?)[^\d-]
• Suffix characters: 0123456789-
• Number of characters: 5
• Minimum characters in the expression: 25
• Maximum characters in the expression: 80

Criteria: Single-character separator
Rule: An expression must have two segments separated by a character. The
character must be 1 byte in length.
In addition, the number of characters left of the separator must be within
the minimum and maximum limits. The number of characters right of the
separator must not exceed the maximum limit.
Example: All - Email Address
• Expression: [^\w.]([\w\.]{1,20}@[a-z0-9]{2,20}[\.][a-z]{2,5}[a-z\.]{0,10})[^\w.]
• Separator: @
• Minimum characters to the left: 3
• Maximum characters to the left: 15
• Maximum characters to the right: 30

Creating a Customized Expression

Procedure

1. Go to Administration > Policy Objects > DLP Data Identifiers.

2. Click the Expression tab.

3. Click Add.

A new screen displays.

4. Type an expression name that does not exceed 256 characters in length.

5. Type a description that does not exceed 256 characters in length.

6. Type the displayed data.

For example, if you are creating an expression for ID numbers, type a
sample ID number. This data is used for reference purposes only and
will not appear elsewhere in the product.

7. Choose one of the following criteria and configure additional settings
for the chosen criteria (see Criteria for Customized Expressions on page
145):


• None

• Specific characters

• Suffix

• Single-character separator

8. Optional: Select a validator for the expression.

Note
Data units follow semantic rules. Not every 9-digit number is a valid social
security number and not every 15- or 16-digit number is a valid credit card
number. To reduce false positives, expression validators check if the
extracted data units follow these rules.

9. Test the expression against actual data.

For example, if the expression is for a national ID, type a valid ID
number in the Test data text box, click Test, and then check the result.

10. Click Save if you are satisfied with the result.

Note
Save the settings only if the testing was successful. An expression that
cannot detect any data wastes system resources and may impact
performance.
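The following added example (not part of the guide or the product) runs the "US - ABA Routing Number" expression from Table 41 over constructed text, applies an assumed reading of the Specific characters criterion, and then applies a validator in the sense of step 8. The validator shown is the public ABA check-digit rule; which checks the product's own validators perform is not stated here, and the sample text and function names are constructed.

```python
import re

# Expression and limits copied from the "US - ABA Routing Number" row of Table 41.
ABA_EXPRESSION = re.compile(r"[^\d]([0123678]\d{8})[^\d]")
ABA_CHARACTERS = "0123456789"
ABA_MIN_CHARS = 9
ABA_MAX_CHARS = 9

# Constructed sample text: one checksum-valid number, one 12-digit account
# number, and one 9-digit number that fails the checksum.
SAMPLE_TEXT = "Wire to routing 123456780, account 000111222333. Ref 123456789."


def extract_candidates(text):
    """Return the data units captured by group 1 of the expression.

    The expression needs a non-digit on both sides, so a number at the very
    start or end of the tested text is not captured; include surrounding
    characters in test data.
    """
    return [m.group(1) for m in ABA_EXPRESSION.finditer(text)]


def meets_specific_characters(unit, characters, minimum, maximum):
    """Assumed reading of the 'Specific characters' criterion: count the
    characters of the unit that come from the specified set and require
    that count to lie within the minimum and maximum limits."""
    count = sum(1 for ch in unit if ch in characters)
    return minimum <= count <= maximum


def aba_checksum_ok(unit):
    """Public ABA check-digit rule: the 3-7-1 weighted digit sum must be
    divisible by 10."""
    if len(unit) != 9 or not unit.isdigit():
        return False
    d = [int(ch) for ch in unit]
    total = (3 * (d[0] + d[3] + d[6])
             + 7 * (d[1] + d[4] + d[7])
             + (d[2] + d[5] + d[8]))
    return total % 10 == 0


def detect(text):
    """Run the three stages and report what survives each one."""
    candidates = extract_candidates(text)
    in_criteria = [
        c for c in candidates
        if meets_specific_characters(c, ABA_CHARACTERS, ABA_MIN_CHARS, ABA_MAX_CHARS)
    ]
    validated = [c for c in in_criteria if aba_checksum_ok(c)]
    return {"candidates": candidates, "in_criteria": in_criteria, "validated": validated}
```

The pattern alone reports two data units in the sample; the validator removes the one that is only a 9-digit reference number, which is the false-positive reduction the note in step 8 describes.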

Importing Customized Expressions

Use this option if you have a properly-formatted .xml file containing the
expressions. You can generate the file by exporting the expressions from the
Trend Micro Email Security administrator console.

Procedure

1. Go to Administration > Policy Objects > DLP Data Identifiers.


2. Click the Expression tab.


3. Click Import and then locate the .xml file containing the expressions.
4. Click Open.
A message appears, informing you if the import was successful.

Note
Every customized expression is identified by its name field in the .xml file.
This name is a unique internal name that does not display on the
administrator console.
If the file contains a customized expression that already exists, Trend
Micro Email Security overwrites the existing expression. If the file
contains any predefined expression, Trend Micro Email Security skips the
predefined expression while importing the remaining customized
expressions.

Keywords
Keywords are special words or phrases. You can add related keywords to a
keyword list to identify specific types of data. For example, "prognosis",
"blood type", "vaccination", and "physician" are keywords that may appear in
a medical certificate. If you want to prevent the transmission of medical
certificate files, you can use these keywords in a DLP policy and then
configure Data Loss Prevention to block files containing these keywords.
Commonly used words can be combined to form meaningful keywords. For
example, "end", "read", "if", and "at" can be combined to form keywords
found in source codes, such as "END-IF", "END-READ", and "AT END".
You can use predefined and customized keyword lists. For details, see
Predefined Keyword Lists on page 148 and Customized Keyword Lists on page 149.

Predefined Keyword Lists

Data Loss Prevention comes with a set of predefined keyword lists. These
keyword lists cannot be modified or deleted. Each list has its own built-in
conditions that determine if the template should trigger a policy violation.


For details about the predefined keyword lists in Data Loss Prevention, see
the Data Protection Lists document at
http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

Customized Keyword Lists

Create customized keyword lists if none of the predefined keyword lists
meets your requirements.
There are several criteria that you can choose from when configuring a
keyword list. A keyword list must satisfy your chosen criteria before Data
Loss Prevention subjects it to a policy. Choose one of the following criteria
for each keyword list:
• Any keyword
• All keywords
• All keywords within <x> characters
• Combined score for keywords exceeds threshold
For details regarding the criteria rules, see Customized Keyword List Criteria
on page 149.

Customized Keyword List Criteria

Table 42. Criteria for a Keyword List

Criteria: Any keyword
Rule: A file must contain at least one keyword in the keyword list.

Criteria: All keywords
Rule: A file must contain all the keywords in the keyword list.

Criteria: All keywords within <x> characters
Rule: A file must contain all the keywords in the keyword list. In addition, each
keyword pair must be within <x> characters of each other.
For example, your 3 keywords are WEB, DISK, and USB and the number of
characters you specified is 20.
If Data Loss Prevention detects all keywords in the order DISK, WEB, and
USB, the number of characters from the "D" (in DISK) to the "W" (in WEB)
and from the "W" to the "U" (in USB) must be 20 characters or less.
The following data matches the criteria: DISK####WEB############USB
The following data does not match the criteria:
DISK*******************WEB****USB (23 characters between "D" and "W")
When deciding on the number of characters, remember that a small
number, such as 10, usually results in a faster scanning time but only covers
a relatively small area. This may reduce the likelihood of detecting sensitive
data, especially in large files. As the number increases, the area covered also
increases but scanning time might be slower.

Criteria: Combined score for keywords exceeds threshold
Rule: A file must contain one or more keywords in the keyword list. If only one
keyword was detected, its score must be higher than the threshold. If there
are several keywords, their combined score must be higher than the
threshold.
Assign each keyword a score of 1 to 10. A highly confidential word or phrase,
such as "salary increase" for the Human Resources department, should have
a relatively high score. Words or phrases that, by themselves, do not carry
much weight can have lower scores.
Consider the scores that you assigned to the keywords when configuring the
threshold. For example, if you have five keywords and three of those
keywords are high priority, the threshold can be equal to or lower than the
combined score of the three high priority keywords. This means that the
detection of these three keywords is enough to treat the file as sensitive.
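The following added example (not part of the guide or the product) implements the four keyword list criteria so that the DISK, WEB, USB example above can be checked by hand. It assumes that distance is measured between the first characters of neighbouring keywords, that each distinct keyword counts once toward the combined score, and that the score must be strictly higher than the threshold; the score values and sample strings are constructed.

```python
import re

KEYWORDS = ["WEB", "DISK", "USB"]

# The two data samples from Table 42, rebuilt character by character.
PAGE_MATCH = "DISK" + "#" * 4 + "WEB" + "#" * 12 + "USB"
PAGE_NO_MATCH = "DISK" + "*" * 19 + "WEB" + "*" * 4 + "USB"

# Constructed scores (1 to 10) for the combined-score criterion.
SCORES = {"salary increase": 9, "bonus": 4, "meeting": 1}


def positions(text, keyword, case_sensitive=False):
    """Start offsets of every occurrence of one keyword."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [m.start() for m in re.finditer(re.escape(keyword), text, flags)]


def any_keyword(text, keywords):
    return any(positions(text, kw) for kw in keywords)


def all_keywords(text, keywords):
    return all(positions(text, kw) for kw in keywords)


def all_keywords_within(text, keywords, x):
    """True when some run of keyword occurrences contains every keyword and
    each occurrence starts at most x characters after the previous one."""
    hits = sorted((pos, kw) for kw in keywords for pos in positions(text, kw))
    wanted = set(keywords)
    run = set()
    last = None
    for pos, kw in hits:
        if last is not None and pos - last > x:
            run = set()  # gap too wide: start a new run at this occurrence
        run.add(kw)
        last = pos
        if run == wanted:
            return True
    return False


def combined_score_exceeds(text, scores, threshold):
    """Sum the scores of the distinct keywords found; strictly higher than
    the threshold, following the rule text."""
    total = sum(score for kw, score in scores.items() if positions(text, kw))
    return total > threshold
```

With a distance of 20, the first sample matches (offsets 0, 8 and 23) and the second does not (offsets 0, 23 and 30), even though both contain all three keywords.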

Creating a Keyword List

Procedure

1. Go to Administration > Policy Objects > DLP Data Identifiers.


2. Click the Keyword tab.

3. Click Add.

A new screen displays.

4. Type a keyword list name that does not exceed 256 characters in length.

5. Type a description that does not exceed 256 characters in length.

6. Choose one of the following criteria and configure additional settings
for the chosen criteria:

• Any keyword

• All keywords

• All keywords within <x> characters

• Combined score for keywords exceeds threshold

7. To manually add keywords to the list:

a. Type a keyword that is 3 to 40 characters in length and specify
whether it is case-sensitive.

b. Click Add.

8. To edit a keyword, click a keyword in the list, edit it in the Keyword text
box, and then click Update.

9. To delete keywords, select the keywords and click Delete.

10. Click Save.

Importing a Keyword List

Use this option if you have a properly-formatted .xml file containing the
keyword lists. You can generate the file by exporting the keyword lists from
the Trend Micro Email Security administrator console.


Procedure
1. Go to Administration > Policy Objects > DLP Data Identifiers.
2. Click the Keyword tab.
3. Click Import and then locate the .xml file containing the keyword lists.
4. Click Open.
A message appears, informing you if the import was successful.

Note
Every customized keyword list is identified by its name field in the .xml
file. This name is a unique internal name that does not display on the
administrator console.
If the file contains a customized keyword list that already exists, Trend
Micro Email Security overwrites the existing keyword list. If the file
contains any predefined keyword list, Trend Micro Email Security skips
the predefined keyword list while importing the remaining customized
keyword lists.

File Attributes
File attributes are specific properties of a file. You can use two file attributes
when defining data identifiers, namely, file type and file size. For example, a
software development company may want to limit the sharing of the
company's software installer to the R&D department, whose members are
responsible for the development and testing of the software. In this case, the
Trend Micro Email Security administrator can create a policy that blocks the
transmission of executable files that are 10 to 40 MB in size to all
departments except R&D.
By themselves, file attributes are poor identifiers of sensitive files.
Continuing the example in this topic, third-party software installers shared
by other departments will most likely be blocked. Trend Micro therefore
recommends combining file attributes with other DLP data identifiers for a
more targeted detection of sensitive files.


For a complete list of supported file types, see the Data Protection Lists
document at
http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

Predefined File Attributes List

Data Loss Prevention comes with a predefined file attributes list. This list
cannot be modified or deleted. The list has its own built-in conditions that
determine if the template should trigger a policy violation.

Creating a File Attribute List

Procedure
1. Go to Administration > Policy Objects > DLP Data Identifiers.
2. Click the File Attribute tab.
3. Click Add.
A new screen displays.
4. Type a file attribute list name that does not exceed 256 characters in
length.
5. Type a description that does not exceed 256 characters in length.
6. Select either of the following:
• Not selected: The selected file types will be excluded.
• Selected: The selected file types will be included.
7. Select your preferred true file types.
8. If a file type you want to include is not listed, select File extensions and
then type the file type’s extension. Data Loss Prevention checks files
with the specified extension but does not check their true file types.
Guidelines when specifying file extensions:
• Each extension must start with an asterisk (*), followed by a period
(.), and then the extension. The asterisk is a wildcard, which
represents a file’s actual name. For example, *.pol matches
12345.pol and test.pol.

• You can include wildcards in extensions. Use a question mark (?) to
represent a single character and an asterisk (*) to represent two or
more characters. See the following examples:
- *.*m matches the following files: ABC.dem, ABC.prm, ABC.sdcm
- *.m*r matches the following files: ABC.mgdr, ABC.mtp2r,
ABC.mdmr

- *.fm? matches the following files: ABC.fme, ABC.fml, ABC.fmp


• Be careful when adding an asterisk at the end of an extension as this
might match parts of a file name and an unrelated extension. For
example: *.do* matches abc.doctor_john.jpg and
abc.donor12.pdf.

• Use semicolons (;) to separate file extensions. There is no need to
add a space after a semicolon.
9. Type the minimum and maximum file sizes in bytes. Both file sizes must
be whole numbers larger than zero.
10. Click Save.

Importing a File Attribute List

Use this option if you have a properly-formatted .xml file containing the file
attribute lists. You can generate the file by exporting the file attribute lists
from the Trend Micro Email Security administrator console.

Procedure
1. Go to Administration > Policy Objects > DLP Data Identifiers.
2. Click the File Attribute tab.
3. Click Import and then locate the .xml file containing the file attribute
lists.


4. Click Open.
A message appears, informing you if the import was successful.

Note
Every file attribute list is identified by its name field in the .xml file. This
name is a unique internal name that does not display on the administrator
console.
If the file contains a customized file attribute list that already exists, Trend
Micro Email Security overwrites the existing file attribute list. If the file
contains any predefined file attribute list, Trend Micro Email Security
skips the predefined file attribute list while importing the remaining
customized file attribute lists.

DLP Compliance Templates


A DLP compliance template combines DLP data identifiers and logical
operators (And, Or, Except) to form condition statements. Only files or data
that satisfy a certain condition statement will be subject to a DLP policy.
You can create your own templates if you have configured DLP data
identifiers. You can also use predefined templates. For details, see Customized
DLP Templates on page 156 and Predefined DLP Templates on page 155.

Note
It is not possible to delete a template that is being used in a DLP policy. Remove
the template from the policy before deleting it.

Predefined DLP Templates


Trend Micro comes with a set of predefined templates that you can use to
comply with various regulatory standards. These templates cannot be
modified or deleted.
For a detailed list on the purposes of all predefined templates, and examples
of data being protected, see the Data Protection Lists document at
http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

Customized DLP Templates

Create your own templates if you have configured data identifiers. A template
combines data identifiers and logical operators (And, Or, Except) to form
condition statements.

For more information and examples on how condition statements and
logical operators work, see Condition Statements and Logical Operators on page
156.

Condition Statements and Logical Operators

Data Loss Prevention evaluates condition statements from left to right. Use
logical operators carefully when configuring condition statements. Incorrect
usage leads to an erroneous condition statement that will likely produce
unexpected results.

See the examples in the following table.


Table 43. Sample Condition Statements

Condition Statement: [Data Identifier 1] And [Data Identifier 2] Except [Data Identifier 3]
Interpretation and Example: A file must satisfy [Data Identifier 1] and [Data Identifier 2] but
not [Data Identifier 3].
For example:
A file must be [an Adobe PDF document] and must contain [an
email address] but should not contain [all of the keywords in
the keyword list].

Condition Statement: [Data Identifier 1] Or [Data Identifier 2]
Interpretation and Example: A file must satisfy [Data Identifier 1] or [Data Identifier 2].
For example:
A file must be [an Adobe PDF document] or [a Microsoft Word
document].

Condition Statement: Except [Data Identifier 1]
Interpretation and Example: A file must not satisfy [Data Identifier 1].
For example:
A file must not be [a multimedia file].

As the last example in the table illustrates, the first data identifier in the
condition statement can have the "Except" operator if a file must not satisfy
all of the data identifiers in the statement. In most cases, however, the first
data identifier does not have an operator.
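The following added example (not part of the guide or the product) evaluates a condition statement strictly from left to right, as described above, and shows a statement whose result differs from the usual "And before Or" reading. The operator semantics are inferred from Table 43, and the identifier names and sample statements are constructed.

```python
# A statement is a list of (operator, data_identifier) pairs. The first
# operator is None or "Except"; later ones are "And", "Or" or "Except".
PDF_WITH_EMAIL = [(None, "pdf"), ("And", "email"), ("Except", "all_keywords")]
NOT_MULTIMEDIA = [("Except", "multimedia")]
MIXED = [(None, "pdf"), ("Or", "word"), ("And", "email")]


def evaluate_left_to_right(statement, matched):
    """Fold the statement from left to right with no operator precedence.

    `matched` is the set of data identifiers that the file satisfies.
    """
    if not statement:
        raise ValueError("a condition statement needs at least one data identifier")
    result = None
    for index, (operator, identifier) in enumerate(statement):
        hit = identifier in matched
        if index == 0:
            if operator not in (None, "Except"):
                raise ValueError("the first data identifier takes no operator or Except")
            result = (not hit) if operator == "Except" else hit
        elif operator == "And":
            result = result and hit
        elif operator == "Or":
            result = result or hit
        elif operator == "Except":
            result = result and not hit
        else:
            raise ValueError("unknown operator: %r" % (operator,))
    return result


def and_before_or_reading(matched):
    """The MIXED statement read with conventional precedence instead:
    pdf Or (word And email)."""
    return ("pdf" in matched) or (("word" in matched) and ("email" in matched))
```

For a PDF that contains no email address, the left-to-right evaluation of MIXED is (pdf Or word) And email, which is false, while the conventional reading is true; ordering the data identifiers with this in mind avoids the unexpected results the section warns about.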

Creating a Template

Procedure

1. Go to Administration > Policy Objects > DLP Compliance Templates.

2. Click Add.

A new screen displays.

3. Type a template name that does not exceed 256 characters in length.

4. Type a description that does not exceed 256 characters in length.

5. Select data identifiers and then click the "add" icon.

6. If you selected an expression, type the number of occurrences, which is
the number of times an expression must occur before Data Loss
Prevention subjects it to a policy.

7. Choose a logical operator for each definition.

Note
Use logical operators carefully when configuring condition statements.
Incorrect usage leads to an erroneous condition statement that will likely
produce unexpected results. For examples of correct usage, see Condition
Statements and Logical Operators on page 156.


8. To remove a data identifier from the list of selected identifiers, click the
trash bin icon.
9. Click Save.

Importing Templates

Use this option if you have a properly-formatted .xml file containing the
templates. You can generate the file by exporting the templates from the
Trend Micro Email Security administrator console.

Procedure
1. Go to Administration > Policy Objects > DLP Compliance Templates.
2. Click Import and then locate the .xml file containing the templates.
3. Click Open.
A message appears, informing you if the import was successful.

Note
Every customized template is identified by its name field in the .xml file.
This name is a unique internal name that does not display on the
management console.
If the file contains a customized template that already exists, Trend Micro
Email Security overwrites the existing template. If the file contains any
predefined template, Trend Micro Email Security skips the predefined
template while importing the remaining customized templates.

Configuring Policies
The virus policy, spam policy, content filtering policy and Data Loss
Prevention (DLP) policy screens all show a list of the currently defined policy
rules and their status. From each screen, you can add a new rule and query,
reorder, edit, copy, or delete existing rules.

Note
If a policy rule applies to multiple domains and your account only has
permission to manage some of these domains, the rule is view-only: you
cannot reorder, edit, copy, or delete the rule.

The policy screens under Inbound Protection and Outbound Protection are
technically separate and can be managed independently.

By default, the rules are displayed in a table, sorted by the order in which
they were created.
Table 44. Policy Terminology

Column: Description

Order: Order in which the rules are executed.

Status: Icon showing that a rule is enabled, disabled, or locked.

Rules: Name of the rule.

Migration Status: Status of the rule migrated from external systems.

Action: Action taken if the rule's criteria are met.

Organization Level: Whether the rule applies to all email messages sent to
or from your organization.
• Yes: The rule applies to all email messages sent to or from your
organization.
• No: The rule applies to email messages sent to or from specific users or
groups in your organization.
For details about the policy rule levels, see Policy Rule Overview on page 160.

Modified: Timestamp when the rule was last modified.

Last Used: Timestamp of when the rule was last used. If the rule has not yet
been triggered, the value in this column will be “Never”.

Each column's heading can be clicked to sort the list. For example, to re-sort
the list alphabetically by Action, click the Action column heading.

Policy Rule Overview


Trend Micro Email Security supports policy rules at the following levels in
your organization: organization, group, and user.

• An organization-level policy rule applies to all of your organization's
domains added to Trend Micro Email Security.

Organization-level policy rules ease your policy management by
automatically applying to all of your organization's domains, including
the new ones added in the future. With organization-level policy rules,
you do not need to manually create new policy rules when a new
domain is added.

Trend Micro recommends that you configure organization-level policy
rules under Inbound Protection and Outbound Protection to provide
organization-level protection.

• A group-level policy rule applies to one or more specific groups
(including domains, LDAP groups and address groups) in your
organization.

Tip
If an existing domain-level policy rule applies to all or the great
majority of your organization's domains, you are advised to convert it into
an organization-level policy rule and configure the rest of the domains as
an exception list of the rule. This will simplify your policy management.

• A user-level policy rule applies to discrete email addresses that are or
may be used by single users in your organization.

A policy rule level is determined by the Recipients or Senders addresses
(depending on the mail traffic direction) that the policy applies to. The
following table describes how to configure Recipients or Senders addresses
for the policy rules at different levels. For more information, see Specifying
Recipients and Senders on page 168.

Policy Rule Level: Organization
• Inbound Protection: Select My organization for Recipients addresses on
the Recipients and Senders tab.
• Outbound Protection: Select My organization for Senders addresses on
the Recipients and Senders tab.

Policy Rule Level: Group
• Inbound Protection: Specify domains, LDAP groups or address groups, or
type email addresses in the format *@example.com for Recipients
addresses on the Recipients and Senders tab.
• Outbound Protection: Specify domains, LDAP groups or address groups, or
type email addresses in the format *@example.com for Senders
addresses on the Recipients and Senders tab.

Policy Rule Level: User
• Inbound Protection: Type one or more discrete email addresses for
Recipients addresses on the Recipients and Senders tab.
• Outbound Protection: Type one or more discrete email addresses for
Senders addresses on the Recipients and Senders tab.

Default Policy Rules


Trend Micro Email Security comes with a set of default policy rules at the
organization level and domain level, as listed in the following tables.

Table 45. Default Organization-Level Rules

Policy Rule Type: Virus scan
Inbound Rules:
• {{License account name}}: Organization: Virus
Outbound Rules:
• {{License account name}}: Organization: Global Outbound Policy (Virus)
Note
This rule is not editable.
• {{License account name}}: Organization: Outbound - Virus

Policy Rule Type: Spam filtering
Inbound Rules:
• {{License account name}}: Organization: Spam or Phish
• {{License account name}}: Organization: Newsletter or spam-like
• {{License account name}}: Organization: Probable BEC threat
• {{License account name}}: Organization: Writing style BEC threat
Note
This rule is only available in Trend Micro Email Security Standard.
Outbound Rules:
• {{License account name}}: Organization: Global Outbound Policy (Spam or
Phish)
Note
This rule is not editable.
• {{License account name}}: Organization: Outbound - Spam or Phish

Policy Rule Type: Content filtering
Inbound Rules:
• {{License account name}}: Organization: High-risk attachment
• {{License account name}}: Organization: Exceeding msg size or # of
recipients
• {{License account name}}: Organization: Password protected
Outbound Rules:
• {{License account name}}: Organization: Outbound - High-risk attachment
• {{License account name}}: Organization: Outbound - Exceeding msg size or
# of recipients

Table 46. Default Domain-Level Rules

Policy Type: Virus scan
Inbound Rules:
• {{License account name}}: {{Domain name}}: Virus
Outbound Rules:
• {{License account name}}: {{Domain name}}: Outbound - Virus

Policy Type: Spam filtering
Inbound Rules:
• {{License account name}}: {{Domain name}}: Spam or Phish
• {{License account name}}: {{Domain name}}: Newsletter or spam-like
• {{License account name}}: {{Domain name}}: Probable BEC threat
• {{License account name}}: {{Domain name}}: Writing style BEC threat
Note
This rule is only available in Trend Micro Email Security Standard.
Outbound Rules:
• {{License account name}}: {{Domain name}}: Outbound - Spam or Phish

Policy Type: Content filtering
Inbound Rules:
• {{License account name}}: {{Domain name}}: High-risk attachment
• {{License account name}}: {{Domain name}}: Exceeding msg size or # of
recipients
• {{License account name}}: {{Domain name}}: Password protected
Outbound Rules:
• {{License account name}}: {{Domain name}}: Outbound - High-risk
attachment
• {{License account name}}: {{Domain name}}: Outbound - Exceeding msg size
or # of recipients

Besides the preceding default rules, Trend Micro Email Security also presets
a built-in policy rule "Global Anti-Virus Rule (Enforced on Unverified
Domains)", which is forcibly applied to inbound messages sent to unverified
domains.

Note
This rule does not appear on the policy screen, and is visible only in mail
tracking logs, policy event logs, and quarantine query details.

Managing Policy Rules


Rules are the means by which messaging policies are applied to message
traffic in Trend Micro Email Security. At any time, administrators can see the
rules that apply to their organizations, and make changes to the rules that
comprise their policy, rename the rules, query the rules, reorder the rules,
and create new rules. Each rule can be disabled if desired without losing its
definition, and re-enabled at a later time.

Table 47. Policy Rule Tasks

Task: Adding Policy Rules
Step: Click Add.
1. Define the basic information about the rule (rule name, whether it is
enabled or not, and notes about the rule).
See Naming and Enabling a Rule on page 167.
2. Select the address(es), domain(s) or group(s) that the rule applies to.
See Specifying Recipients and Senders on page 168.
3. Select and configure criteria.
See About Rule Scanning Criteria on page 173.
4. Select and configure actions.
See About Rule Actions on page 208.
Tip
A new rule may be similar to the one you already have. In this case, it is
easier to copy the rule and edit it rather than create a new rule from
scratch.

Task: Copying Policy Rules
Step: In the rule list, select the rule or rules to copy. Click Copy.

Task: Editing Policy Rules
Step: In the rule list, click the name of the rule you want to edit and
follow the procedures in the “Adding Policy Rules” task.

Task: Reordering Policy Rules
Step: In the rule list, do either of the following to reorder policy rules:
• Click the up or down arrow button to move rules up or down.
• Double-click the order number of a rule in the Order column
and specify a new order number for the rule.
See Reordering Policy Rules on page 166.

Task: Enabling or Disabling Policy Rules
Step: In the rule list, click the icon to the left of the rule name to enable
or disable the rule.

Task: Deleting Policy Rules
Step: In the rule list, select the rule or rules to delete. Click Delete.

Task: Querying Policy Rules
Step: Use the following criteria to perform a rule query:
• Sender: Specify a sender address to search for rules that
match this address.
• Recipient: Specify a recipient address to search for rules that
match this address.

Note
For Sender and Recipient, the supported formats are
name@info.example.com, *@example.com and
*@info.example.com. Wildcard domain is not
supported in query.

• Rule: Specify a rule name to search for rules that match this
name.
• Status: Select Enabled or Disabled to search for rules in the
specific status.

Note
For content filtering policy rules, Criteria type is
provided to narrow down the search results by certain
types of criteria.

• Level: Select Organization or User/Group to search for rules
at the specific level.
• Migration status: Select Error, Warning, or Fixed/
Confirmed/Successful to search for rules in the specific
status.

Reordering Policy Rules


For each type of policy, the policy rules for all domains in your organization
are arranged and prioritized uniformly from the organization's perspective.
Meanwhile, the order of policy rules for each domain is retained. For
example, for virus policy rules of a single domain, the original order will still
be applied.

Policy rules can be reordered when they are sorted by Order. If they are
sorted by another column heading, the reorder function is unavailable.

Procedure
1. Do either of the following to reorder policy rules:
• Click the up or down arrow button to move rules up or down.
• Double-click the order number of a rule in the Order column and
specify a new order number for the rule.
Policy rules will be reordered as you configured, and email messages
will be scanned based on the new rule order.

Naming and Enabling a Rule


Name and enable the rule you have just created. You can also add notes
about the rule.

Procedure
1. On the Basic Information tab on the left side:
a. Select Enable to put the rule into effect, or clear this option to
disable it.
b. Name the rule.

Note
Trend Micro recommends using a descriptive name that will allow
administrators to easily identify this rule from the rule list. For
instance, if you are creating a spam rule that applies to the
one.example.com domain, you might name it something like “One
Example Spam Rule”.

c. Type any note information for this rule.

2. Proceed to the next screen to specify recipients and senders.

Specifying Recipients and Senders


Configure senders, recipients, and exception lists with your organization or
specific users and groups on the Recipients and Senders tab. This tab differs
slightly depending on which direction the messages are routed and whether
Sender or Recipient addresses are being selected.

Inbound Policy Rules

Procedure

1. In the Recipients section, choose either of the following ways to add
recipient addresses from the drop-down list:
• My organization: Select it to configure an organization-level policy.

Note
This option is available only if My organization was specified for your
subaccount during subaccount creation. For details, see Adding and
Configuring a Subaccount on page 306.

• Specify:
• My domains: Select domains from the available domains and
click Add.
• My LDAP groups: Select user groups from the available
directory groups and click Add.
• My address groups: Select address groups from the available
address groups and click Add.
• Type address or domain: Type a specific domain or wildcard
address and click Add.
2. In the Senders section, choose one of the following ways to specify
sender addresses:
• Anyone: Select it to apply any sender addresses for the rule.
• My organization: Select it to apply email addresses sent from your
organization for the rule.
• Specify:
• My domains: Select domains from the available domains and
click Add.
• My address groups: Select address groups from the available
address groups and click Add.
• Type address or domain: Type a specific domain or wildcard
address and click Add.
3. In the Exceptions section, specify one or multiple exceptions, each of
which consists of a sender part and a recipient part.
a. Next to Sender, choose one of the following ways to specify the
sender part of an exception:
• Anyone
• My organization
• My domains
• My address groups
• Type address or domain
b. Next to Recipient, choose one of the following ways to specify the
recipient part of an exception:
• Anyone
• My organization
• My domains
• My LDAP groups
• My address groups
• Type address or domain
c. Click Add to add an exception composed of both the sender and
recipient parts.
The exception you added appears in the exception list.
For example, if you select Anyone for the sender part and specify a
specific email address for the recipient part, Trend Micro Email
Security considers email messages sent from any senders to this
recipient safe and bypasses the rule on these messages.
d. Add more exceptions if necessary.

Note
The import and export functions are available for recipients, senders and
exception lists. Click Import to import groups, addresses or domains from
a local file. Click Export to export groups, addresses or domains as a local
file for future use.
A maximum of 500 records can be imported, and there is no upper limit
for export.

4. Proceed to the next screen to specify rule scanning criteria.

Outbound Policy Rules

Procedure
1. In the Recipients section, choose one of the following ways to specify
recipient addresses:
• Anyone: Select it to apply any recipient addresses for a rule.
• My organization: Select it to apply email addresses sent to your
organization for the rule.

• Specify: Choose any of the following ways to add selected
addresses:
• My domains: Select domains from the available domains and
click Add.
• My address groups: Select address groups from the available
address groups and click Add.
• Type address or domain: Type a specific domain or wildcard
address and click Add.
2. In the Senders section, choose either of the following ways to add
sender addresses from the drop-down list:
• My organization: Select it to configure an organization-level policy.

Note
This option is available only if My organization was specified for your
subaccount during subaccount creation. For details, see Adding and
Configuring a Subaccount on page 306.

• Specify:
• My domains: Select domains from the available domains and
click Add.
• My LDAP groups: Select user groups from the available
directory groups and click Add.
• My address groups: Select address groups from the available
address groups and click Add.
• Type address or domain: Type a specific domain or wildcard
address and click Add.
3. In the Exceptions section, specify one or multiple exceptions, each of
which consists of a sender part and a recipient part.
a. Next to Sender, choose one of the following ways to specify the
sender part of an exception:

• Anyone
• My organization
• My domains
• My LDAP groups
• My address groups
• Type address or domain
b. Next to Recipient, choose one of the following ways to specify the
recipient part of an exception:
• Anyone
• My organization
• My domains
• My address groups
• Type address or domain
c. Click Add to add an exception composed of both the sender and
recipient parts.
The exception you added appears in the exception list.
For example, if you specify a specific email address for the sender
part and select Anyone for the recipient part, Trend Micro Email
Security considers email messages sent from this sender to any
recipients safe and bypasses the rule on these messages.
d. Add more exceptions if necessary.

Note
The import and export functions are available for recipients, senders and
exception lists. Click Import to import groups, addresses or domains from
a local file. Click Export to export groups, addresses or domains as a local
file for future use.
A maximum of 500 records can be imported, and there is no upper limit
for export.

4. Proceed to the next screen to specify rule scanning criteria.
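
The scope-and-exception logic of the inbound and outbound procedures above, as an added Python example (not Trend Micro's code): a rule acts on a message only when sender and recipient fall within the rule's scope and no single exception matches both parts. The data model, the "*" stand-in for Anyone, exact-domain matching for *@domain, and the review heuristic for broad exceptions are all assumptions of this example; the sample rule is constructed.

```python
from dataclasses import dataclass, field

ANYONE = "*"  # assumed notation for the console's "Anyone" choice


def matches(pattern: str, address: str) -> bool:
    """True if address matches ANYONE, a full address, or a *@domain pattern."""
    pattern, address = pattern.strip().lower(), address.strip().lower()
    if pattern == ANYONE:
        return True
    if pattern.startswith("*@"):
        # Assumption: *@example.com covers example.com only, not subdomains.
        _local, at, domain = address.rpartition("@")
        return bool(at) and domain == pattern[2:]
    return pattern == address


@dataclass(frozen=True)
class RuleException:
    sender: str     # sender part of the exception
    recipient: str  # recipient part of the exception


@dataclass
class Rule:
    name: str
    senders: list
    recipients: list
    exceptions: list = field(default_factory=list)


def in_scope(rule: Rule, sender: str, recipient: str) -> bool:
    """Sender and recipient both fall under the rule's configured addresses."""
    return (any(matches(p, sender) for p in rule.senders)
            and any(matches(p, recipient) for p in rule.recipients))


def is_excepted(rule: Rule, sender: str, recipient: str) -> bool:
    """One exception must match on both its sender and recipient parts."""
    return any(matches(e.sender, sender) and matches(e.recipient, recipient)
               for e in rule.exceptions)


def rule_applies(rule: Rule, sender: str, recipient: str) -> bool:
    """The rule is evaluated only for in-scope traffic that no exception bypasses."""
    return in_scope(rule, sender, recipient) and not is_excepted(rule, sender, recipient)


def broad_exceptions(rule: Rule) -> list:
    """Review heuristic: exceptions in which neither part is a single address."""
    def wide(pattern: str) -> bool:
        return pattern == ANYONE or pattern.startswith("*@")
    return [e for e in rule.exceptions if wide(e.sender) and wide(e.recipient)]


# Constructed sample: an inbound spam rule for example.com with two exceptions.
SAMPLE_RULE = Rule(
    name="One Example Spam Rule",
    senders=[ANYONE],
    recipients=["*@example.com"],
    exceptions=[
        RuleException(ANYONE, "helpdesk@example.com"),
        RuleException("*@partner.example", "*@example.com"),
    ],
)

if __name__ == "__main__":
    for sender, recipient in [("a@ext.test", "bob@example.com"),
                              ("a@ext.test", "helpdesk@example.com"),
                              ("x@partner.example", "bob@example.com")]:
        print(sender, "->", recipient, rule_applies(SAMPLE_RULE, sender, recipient))
    print("review:", broad_exceptions(SAMPLE_RULE))
```

Running `broad_exceptions` over an exported exception list is a quick way to find entries that bypass a rule for an entire domain rather than for one mailbox.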

About Rule Scanning Criteria


Rule scanning criteria allow you to specify the conditions under which the
rule applies to messages scanned by Trend Micro Email Security.
The available criteria are shown in a list in the center of the screen. Some of
these criteria have links to screens where you specify the associated details.
Table 48. Basic Criteria

Virus Scan > Virus Policy
• Criteria: “Specify at least one detection type”
Filter based on: Detected malware, worms, and other threats by
pattern-based scanning.
Available in: Inbound and outbound protection
• Criteria: “Specify Predictive Machine Learning settings”
Filter based on: Detected unknown threats by Predictive Machine Learning.
Available in: Inbound and outbound protection
• Criteria: “Specify advanced settings”
Filter based on: Detected threats by the Advanced Threat Scan Engine.
Available in: Inbound protection

Spam Filtering > Spam Policy
• Criteria: “Spam”
Filter based on: Detected spam.
Available in: Inbound and outbound protection
• Criteria: “Business Email Compromise (BEC)”
Filter based on: Detected BEC attacks.
Available in: Inbound protection
• Criteria: “Phishing and other suspicious content”
Filter based on: Detected phishing and other suspicious content.
Available in: Inbound and outbound protection
• Criteria: “Graymail”
Filter based on: Detected graymail messages.
Available in: Inbound protection
• Criteria: “Web reputation”
Filter based on: Detected URLs on the web or embedded in email messages
that pose security risks.
Available in: Inbound and outbound protection
• Criteria: “Social engineering attack”
Filter based on: Detected social engineering attacks.
Available in: Inbound protection

Content Filtering
• Criteria: No criteria
Filter based on: All messages.
Available in: Inbound and outbound protection
• Criteria: “All Match” or “Any Match”
Filter based on: Specific attribute and content targets.
See Configuring Advanced Criteria on page 188.
Available in: Inbound and outbound protection

Data Loss Prevention (DLP) > DLP Policy
• Criteria: “Select fields to scan” and “Selected Templates”
Filter based on: Detected DLP incidents.
Available in: Inbound and outbound protection

Configuring Virus Scan Criteria


The virus scan criteria allow you to create rules that take actions on
messages that contain malware, worms, or other malicious code.

Procedure

1. Click Scanning Criteria.

2. Specify at least one of the following detection types under the Specify at
least one detection type section.

Option: Cleanable malware or malicious code
Description: Apply the rule to messages or attachments that contain cleanable
malware. Cleanable malware are those that can be safely removed
from the contents of the infected file, resulting in an uninfected
copy of the original message or attachment.

WARNING!
Selecting Cleanable malware or malicious code as a rule
criterion, and then selecting a rule action other than Delete or
Clean, can result in infected messages or attachments entering
your messaging environment. By default, Trend Micro Email
Security is configured with malware rules to appropriately handle
threats when it is installed.

Option: Uncleanables with mass-mailing behavior
Description: Apply the rule to messages that contain uncleanable malware,
worms, or other threats that cannot be removed from messages or
attachments, and that propagate by mass-mailing copies of
themselves.

Option: Uncleanables without mass-mailing behavior
Description: Apply the rule to messages that contain the following:
• Spyware
• Dialers
• Hacking tools
• Password cracking applications
• Adware
• Joke programs
• Remote access tools
• All others

3. Configure Predictive Machine Learning settings to leverage the
Predictive Machine Learning engine to detect emerging unknown
security risks.
a. Select Enable Predictive Machine Learning under the Specify
Predictive Machine Learning settings section.
For details, see About Predictive Machine Learning on page 178.
b. Optionally select the Allow Trend Micro to collect suspicious files
to improve its detection capabilities check box.

Note
By default, this option is selected.
If you enable this option, Trend Micro only checks potentially risky
messages and encrypts all content before transferring any
information.

4. Specify advanced settings.

Note
These settings are not included in the Trend Micro Email Security
Standard license.
For details about different license versions, see Available License Versions on
page 17.

a. Select Submit files to Virtual Analyzer and select the security level
from the drop-down list to perform further observation and
analysis on the submitted files.
Virtual Analyzer performs observation and analysis on samples in a
closed environment. It takes 3 minutes on average to analyze and
identify the risk of a file, and the time could be as long as 30
minutes for some files.

Note
There is a submission quota limiting the number of files that can be
sent to Virtual Analyzer within 24 hours. The quota is calculated
based on a 24-hour sliding window as follows:
File submission quota = Seat count * 0.1
For example, if you have 1,000 seats, a total of 100 files can be
submitted to Virtual Analyzer for analysis within 24 hours. The
default quota will be 5 if your seat count is less than 50. Note that the
submission quota mentioned here is subject to change without
notice.
In addition, the following cases will not be taken into account for
quota measurement:
• Samples hit the local or cloud cache.
• Samples are in unsupported file format.
• Other unexpected scan exceptions.
Once the quota is used up, no more files can be sent to Virtual
Analyzer. Nevertheless, the quota will be restored as the 24-hour
sliding window moves forward.
You can configure scan exception actions for the file submissions
over quota. For details, see Configuring "Scan Exceptions" Actions on
page 134.

b. Select Include macro, JSE and VBE scanning to include macro
threats during observation and analysis.
5. Click Submit.
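
The file submission quota and its 24-hour sliding window from the note in step 4, worked through as an added Python example (not Trend Micro's implementation). Rounding fractional quotas down, the exact moment a submission leaves the window, and all class and function names are assumptions; the URL formula is the one this guide gives for web reputation (seat count * 8).

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)


def file_submission_quota(seat_count: int) -> int:
    """Seat count * 0.1, with the guide's default of 5 below 50 seats."""
    if seat_count < 50:
        return 5
    return seat_count // 10  # assumption: fractional results round down


def url_submission_quota(seat_count: int) -> int:
    """Seat count * 8, as stated for URL submissions."""
    return seat_count * 8


class SlidingQuota:
    """Counts submissions made during the 24 hours before 'now'."""

    def __init__(self, quota: int):
        self.quota = quota
        self._sent = deque()  # timestamps of counted submissions, oldest first

    def _expire(self, now: datetime) -> None:
        # Assumption: a submission stops counting once it is 24 hours old.
        while self._sent and now - self._sent[0] >= WINDOW:
            self._sent.popleft()

    def remaining(self, now: datetime) -> int:
        self._expire(now)
        return self.quota - len(self._sent)

    def submit(self, now: datetime, counted: bool = True) -> bool:
        """Return True if the sample can go to analysis, False if over quota.

        counted=False models the cases the guide excludes from the quota:
        cache hits, unsupported file formats, unexpected scan exceptions.
        """
        self._expire(now)
        if not counted:
            return True
        if len(self._sent) >= self.quota:
            return False  # the configured "scan exceptions" action would apply
        self._sent.append(now)
        return True


def simulate(seat_count: int, submission_times: list) -> list:
    """Replay file submissions for a tenant and report which ones were accepted."""
    quota = SlidingQuota(file_submission_quota(seat_count))
    return [quota.submit(t) for t in submission_times]


if __name__ == "__main__":
    start = datetime(2022, 1, 20, 9, 0)  # constructed timeline
    hours = (0, 1, 2, 3, 4, 5, 23, 24, 25)
    results = simulate(40, [start + timedelta(hours=h) for h in hours])
    for h, ok in zip(hours, results):
        print(f"t+{h:>2}h accepted={ok}")
```

Capacity is returned one submission at a time as each earlier submission ages out, so a burst that exhausts the quota is followed by a gradual recovery rather than a full reset.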

About Advanced Threat Scan Engine


The Advanced Threat Scan Engine (ATSE) uses a combination of
pattern-based scanning and heuristic scanning to detect document exploits
and other threats used in targeted attacks. By default, this engine is
enabled for virus scanning policies.
Its major features include:
• Detection of zero-day threats
• Detection of embedded exploit code
• Detection rules for known vulnerabilities
• Enhanced parsers for handling file deformities

About Predictive Machine Learning


Trend Micro Predictive Machine Learning uses advanced machine learning
technology to correlate threat information and perform in-depth file analysis
to detect emerging unknown security risks through digital DNA
fingerprinting, API mapping, and other file features. Predictive Machine
Learning is a powerful tool that helps protect your environment from
unidentified threats and zero-day attacks.
After detecting an unknown or low-prevalence file, Trend Micro Email
Security scans the file using the Advanced Threat Scan Engine to extract file
features and sends the report to the Predictive Machine Learning engine.
Through use of malware modeling, Predictive Machine Learning compares
the sample to the malware model, assigns a probability score, and
determines the probable malware type that the file contains.

Configuring Spam Filtering Criteria


The Spam, Phishing, Graymail, Web Reputation, or Social engineering
attack criteria allow you to create rules that take actions on these types of
potentially unwanted messages.

Note
Trend Micro Email Security does not apply content-based heuristic spam, BEC,
phishing, graymail, Web reputation, or social engineering attack rules to email
messages received from email addresses and domains listed on the Approved
Senders screen.

Configuring Spam Criteria

Procedure

1. Select “Spam”.

2. Choose a baseline spam catch rate.

• Lowest (most conservative)

• Low

• Moderately low (the default setting)

• Moderately high

• High

• Highest (most aggressive)

Configuring Business Email Compromise Criteria


The BEC criteria are configured to detect and take actions on BEC email
messages.

Procedure

1. Select Business Email Compromise (BEC).

2. Click High Profile Users to add high profile users for detection and
classification.

Note
Add high profile users as the global BEC settings so that Trend Micro
Email Security will check incoming email messages claimed to be sent
from those users and apply fraud checking criteria to identify forged
messages.
For details about high profile users, see Configuring High Profile Users on
page 137.

3. Choose the type of email messages to apply this rule to:
• Detected as BEC attacks by Antispam Engine: apply this rule to
email messages that are verified to be BEC attacks by the Antispam
Engine.
• Detected as BEC attacks by writing style analysis: apply this rule to
email messages that are verified to be BEC attacks by writing style
analysis.
Trend Micro's Writing Style DNA technology scans email messages
of a desired individual to learn the particular writing style and
generate a writing style model. The writing style model is a set of
properties or features explored with automated methods that
uniquely identify the way an individual composes email messages.
By leveraging the writing style model trained in Cloud App Security
for high profile users, Trend Micro Email Security compares the
incoming email messages claimed to be sent from the individual
with the model to identify BEC attacks.
To ensure that the writing style model of a high profile user is
available for analysis, Trend Micro Email Security runs a scheduled
task every five minutes to synchronize the status of writing style
models trained in Cloud App Security.

Note
These settings are not included in the Trend Micro Email Security
Standard license.
For details about different license versions, see Available License
Versions on page 17.

Note
In this release, writing style analysis applies to email messages
written in English, Japanese, German, French, Spanish, Swedish,
Danish, Norwegian, and Finnish.

To enable writing style analysis, the license for Cloud App Security is
required.

• BEC attacks suspected by Antispam Engine: apply this rule to
email messages that are suspected to be BEC attacks by the
Antispam Engine.

Configuring Phishing Criteria

Procedure

1. Select “Phishing and other suspicious content”.

Note
Trend Micro Email Security leverages Trend Micro Antispam Engine to
filter email messages for spam and phishing incidents. Email messages
will be categorized as phishing threats if Trend Micro Antispam Engine
detects phishing and other suspicious content in those messages.

Configuring Graymail Criteria


Graymail refers to solicited bulk email messages that do not fit the definition
of spam email messages. Trend Micro Email Security detects marketing
messages and newsletters, social network notifications, forum notifications,
and bulk email messages as graymail messages.

Procedure

1. Select “Graymail”.

2. Click Graymail.

The Graymail Detection Setting screen appears.

3. Select at least one graymail category from the following:

• Marketing message and newsletter

• Social network notification

• Forum notification

• Bulk email message

4. To omit the IP addresses of specific mail servers from this rule, select
Enable the graymail exception list under Graymail Exception List.

5. Specify IP addresses that you want to bypass graymail scanning.

Note
The rule will not apply to graymail messages from IP addresses in this
exception list. The list is specific just to the rule being edited.

6. Click Save.

Configuring Web Reputation Criteria

Trend Micro web reputation technology helps break the infection chain by
assigning websites a "reputation" based on an assessment of the
trustworthiness of a URL, derived from an analysis of the domain. Web
reputation protects against web-based threats including zero-day attacks,
before they reach the network. Trend Micro web reputation technology
tracks the lifecycle of hundreds of millions of web domains, extending
proven Trend Micro antispam protection to the Internet.

The Web reputation criteria are configured to prevent access to malicious
URLs in email messages.

Procedure

1. Click Scanning Criteria.

2. Select and click Web reputation.

The Web Reputation Settings screen appears.

3. Complete web reputation security settings.

a. Select a baseline web reputation catch rate from the Security level
drop-down list:

• Lowest (most conservative)

• Low

• Moderately low

• Moderately high (the default setting)

• High

• Highest (most aggressive)

b. Optionally select Take action on messages containing URLs that
have not been tested by Trend Micro to block websites that might
pose threats.

Note
Web pages change frequently, and it is difficult to find data or follow a
link after the underlying page is modified. Such websites are usually
used as vehicles for transporting malware and carrying out phishing
attacks.

If you select this check box, Trend Micro Email Security will take
actions on all email messages containing URLs that have not been
tested by Trend Micro. These URLs might include some legitimate
URLs.

4. Under Virtual Analyzer, do the following:

Note
These settings are not included in the Trend Micro Email Security
Standard license.
For details about different license versions, see Available License Versions on
page 17.

a. Select Submit URLs to Virtual Analyzer.


b. Select a security level from the drop-down list to perform further
observation and analysis on the submitted URLs.
Virtual Analyzer performs observation and analysis on samples in a
closed environment. It takes 3 minutes on average to analyze and
identify the risk of a URL, and the time could be as long as 30
minutes for some URLs.


Note
There is a submission quota limiting the number of URLs that can be
sent to Virtual Analyzer within 24 hours. The quota is calculated
based on a 24-hour sliding window as follows:
URL submission quota = Seat count * 8
For example, if you have 1,000 seats, a total of 8,000 URLs can be
submitted to Virtual Analyzer for analysis within 24 hours. Note that
the submission quota mentioned here is subject to change without
notice.
In addition, the following cases will not be taken into account for
quota measurement:
• Samples hit the local or cloud cache.
• Sample URLs are unreachable.
• Other unexpected scan exceptions.
Once the quota is used up, no more URLs can be sent to Virtual
Analyzer. Nevertheless, the quota will be restored as the 24-hour
sliding window moves forward.
You can configure scan exception actions for the URL submissions
over quota. For details, see Configuring "Scan Exceptions" Actions on
page 134.

5. Under Time-of-Click Protection, do the following:


a. Select Enable Time-of-Click Protection and click one of the
following:
• Apply to URLs that have not been tested by Trend Micro
• Apply to URLs marked by Web Reputation Services as
possible security risks
• Apply to all URLs


Note
Time-of-Click Protection is available only in inbound protection.
Web Reputation Services mark URLs as possible security risks if the
URLs host or redirect to malicious files. For example, untested
websites, file sharing websites and shortened URLs are marked as
possible security risks.

b. Optionally select Apply to URLs in digitally signed messages if
necessary.

Note
Enabling Time-of-Click Protection for digitally signed messages is not
recommended because digital signatures might be destroyed.

6. Select Enable the Web Reputation Approved List to exclude URLs
matching the specified domains or IP addresses from Web Reputation,
Time-of-Click Protection, and Virtual Analyzer scanning.

Note
To manage the Web Reputation Approved List, navigate to the following
path:
Administration > Policy Objects > Web Reputation Approved List
For details, see Managing the Web Reputation Approved List on page 284.

7. Optionally select Enable the URL keyword exception list to exclude
URLs containing specified keywords from both Time-of-Click Protection
and Virtual Analyzer scanning.

Note
To manage the URL keyword exception list, navigate to the following path:
Administration > Policy Objects > URL Keyword Exception List
The protocol and domain parts of a URL are not used for keyword
matching.
For details, see Managing the URL Keyword Exception List on page 282.


8. Click Save.
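The Virtual Analyzer quota note in step 4 describes a 24-hour sliding window of seat count * 8 submissions. The following model is an added example for capacity planning, not Trend Micro code; the outcome labels, the assumption that the quota check happens before an outcome is known, and the constructed traffic are all choices of this example.

```python
from collections import deque

WINDOW_SECONDS = 24 * 60 * 60   # the guide's 24-hour sliding window
URLS_PER_SEAT = 8               # the guide's formula: quota = seat count * 8

# Outcomes the guide lists as not counted against the quota.
# The string labels are names chosen for this example.
UNCOUNTED = {"cache_hit", "unreachable", "scan_exception"}


class SubmissionQuota:
    """Sliding-window counter for Virtual Analyzer URL submissions."""

    def __init__(self, seat_count):
        self.limit = seat_count * URLS_PER_SEAT
        self._counted = deque()  # timestamps (seconds) of counted submissions

    def _expire(self, now):
        # Drop submissions that have slid out of the 24-hour window.
        while self._counted and now - self._counted[0] >= WINDOW_SECONDS:
            self._counted.popleft()

    def remaining(self, now):
        """Submissions still available at time `now`."""
        self._expire(now)
        return self.limit - len(self._counted)

    def submit(self, now, outcome="analyzed"):
        """Return True if the URL can be sent, False if the quota is used up.

        Assumption of this model: the quota is checked before the outcome
        is known, so an exhausted quota rejects every submission.
        """
        self._expire(now)
        if len(self._counted) >= self.limit:
            return False  # handled by the configured "scan exception" action
        if outcome not in UNCOUNTED:
            self._counted.append(now)
        return True


def first_over_quota(seat_count, events):
    """Replay (timestamp, outcome) events; return the first rejected timestamp."""
    quota = SubmissionQuota(seat_count)
    for ts, outcome in sorted(events):
        if not quota.submit(ts, outcome):
            return ts
    return None


def sample_events():
    # Constructed traffic: 25 URLs one minute apart, every sixth one a cache hit.
    return [(i * 60, "cache_hit" if i % 6 == 0 else "analyzed") for i in range(25)]


if __name__ == "__main__":
    # A 2-seat tenant has a quota of 16; the 17th counted URL is rejected.
    print("first rejection at t =", first_over_quota(2, sample_events()))
```

Replaying a day of logged URL counts through `first_over_quota` shows whether a burst would push submissions into the over-quota scan exception action.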

Configuring Social Engineering Attack Criteria


Social Engineering Attack Protection detects suspicious behavior related to
social engineering attacks in email messages.

For more information about social engineering attack detections, see Social
Engineering Attack Log Details on page 248.

Procedure

1. Select Social engineering attack.

Configuring Data Loss Prevention Criteria


Trend Micro Email Security evaluates email messages, including their
content and attachments, against a set of rules defined in Data Loss
Prevention (DLP) policies. Policies determine which files or data require
protection from unauthorized transmission and the action that Trend Micro
Email Security performs after detecting a transmission.

Create DLP policies after you have configured data identifiers and organized
them in templates. For details about the data identifiers and templates, see
Data Loss Prevention on page 142.

Procedure

1. Choose a correct path to create your DLP policy for the proper mail
traffic direction:

• Inbound Protection > Data Loss Prevention (DLP)

• Outbound Protection > Data Loss Prevention (DLP)

2. Click Add to add a DLP policy.


3. Click the Scanning Criteria tab.


4. Select fields to scan, for example, Subject and Body. To add a
customized message header field, select Other and specify the field in
the text box.
5. Select at least one compliance template from the Available Templates
list and click the right arrow button.

Note
A maximum of 255 compliance templates can be selected for each DLP
policy.

Configuring Content Filtering Criteria


On the Scanning Criteria tab, select Advanced to display the advanced
criteria.
From the drop-down list, do one of the following:
• Select “All Match” to trigger the rule only when all selected “Advanced”
criteria are matched.
• Select “Any Match” to do the following:
• Trigger the rule when any selected “Advanced” criteria are matched

• Display the Attachment is “password protected”, Attachment
contains “active content”, and Recipient number criteria in the
“Advanced” criteria list

The following tables all contain the same information sorted differently. Use
the following sorted tables to find appropriate “Advanced” criteria to filter
messages by your desired rule targets:

Table 49. Advanced Criteria Sorted by Display Order

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Sorted by display order | Envelope sender is "blank" | Envelope sender |
| | Message header sender differs from "envelope sender" | Message header sender and envelope sender |
| | Message header sender differs from "header Reply-To" | Message header sender and message header Reply-To |
| | Specified header matches “keyword expressions” | Keywords in headers and content |
| | Message size is >, <= <number> KB, MB | Size |
| | Subject matches “keyword expressions” | Keywords in headers and content |
| | Subject is “blank” | |
| | Body matches “keyword expressions” | |
| | Body is "blank" | |
| | Attachment is “file name or extension” | Attachment file name or extension |
| | Attachment is “MIME content type” | Attachment MIME content type |
| | Attachment is “true file type” | Attachment true file type. Note: For Microsoft Office files of version 2007 or later, Trend Micro Email Security supports attachment true file type detection only when the files are not encrypted. |
| | Attachment content matches “keyword expressions” | Keywords in headers and content |

Table 50. Advanced Criteria Sorted by Attribute and Content Targets

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Envelope sender and message header sender | Envelope sender is "blank" | Envelope sender |
| | Message header sender differs from "envelope sender" | Message header sender and envelope sender |
| | Message header sender differs from "header Reply-To" | Message header sender and message header Reply-To |
| Name and type attributes | Attachment is “file name or extension” | Attachment file name or extension |
| | Attachment is “MIME content type” | Attachment MIME content type |
| | Attachment is “true file type” | Attachment true file type. Note: For Microsoft Office files of version 2007 or later, Trend Micro Email Security supports attachment true file type detection only when the files are not encrypted. |
| Size attributes | Message size is >, <= <number> KB, MB | Size |
| | Attachment size is >, <= <number> B, KB, MB | Attachment size |
| Keyword content | Subject matches “keyword expressions” | Keywords in headers and content |
| | Subject is “blank” | |
| | Body matches “keyword expressions” | |
| | Body is "blank" | |
| | Specified header matches “keyword expressions” | |
| | Attachment content matches “keyword expressions” | |
| Active content | Attachment contains “active content” | Active content in Microsoft Word, Excel and PowerPoint attachments |
| Quantity attributes | Attachment number is >, <= <number> | Number of attachments |
| | Recipient number >, <= <number> | Number of recipients |
| Compressed, signed, or encrypted attributes | Attachment is “password protected” | Zipped, signed, or password-protected attachment |

Table 51. Advanced Criteria Sorted by Message-Only or Attachment-Only Targets

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Message-only | Envelope sender is "blank" | Envelope sender |
| | Message header sender differs from "envelope sender" | Message header sender and envelope sender |
| | Message header sender differs from "header Reply-To" | Message header sender and message header Reply-To |
| | Message size is >, <= <number> KB, MB | Size |
| | Subject matches “keyword expressions” | Keywords in headers and content |
| | Subject is “blank” | |
| | Body matches “keyword expressions” | |
| | Body is "blank" | |
| | Specified header matches “keyword expressions” | |
| | Recipient number >, <= <number> | Number of recipients |
| Attachment-only | Attachment is “file name or extension” | Attachment file name or extension |
| | Attachment is “MIME content type” | Attachment MIME content type |
| | Attachment is “true file type” | Attachment true file type. Note: For Microsoft Office files of version 2007 or later, Trend Micro Email Security supports attachment true file type detection only when the files are not encrypted. |
| | Attachment content matches “keyword expressions” | Keywords in headers and content |
| | Attachment size is >, <= <number> B, KB, MB | Attachment size |
| | Attachment number is >, <= <number> | Number of attachments |
| | Attachment is “password protected” | Zipped, signed, or password-protected attachment |
| | Attachment contains “active content” | Active content in Microsoft Word, Excel and PowerPoint attachments |

Using Envelope Sender Is Blank Criteria

Spoofed messages often have envelope senders (specified by the envelope
field "MAIL FROM") set to blank to evade sender verification. Trend Micro
Email Security allows you to scan messages for empty envelope senders to
help you combat spoofing.

Note
• Some normal messages may also have empty envelope senders, such as
bounce messages or notification messages. Selecting this criteria will affect
these messages.
• This criteria is available for inbound protection only.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Envelope sender is blank.

Using Message Header Sender Differs from Envelope Sender Criteria


Spoofed messages often have mismatched message header senders (specified
by the header "From") and envelope senders (specified by the envelope field
"MAIL FROM"). Trend Micro Email Security provides an anti-spoofing check
to detect messages with a message header sender different from the
envelope sender.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Message header sender differs from envelope sender.

Using Message Header Sender Differs from Header Reply-To Criteria


One common sign of spoofed messages is mismatched message header
sender (specified by the header "From") and header Reply-To. Trend Micro
Email Security can detect messages with the header sender different from
header Reply-To to protect you against spoofing.


Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Message header sender differs from header Reply-To.
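The three sender criteria above (blank envelope sender, header "From" differing from "MAIL FROM", and header "From" differing from Reply-To) can be evaluated against logged mail before a rule is enabled. The following is an added example, not the product's implementation; comparing full addresses case-insensitively, the extra same-domain signal, and the constructed sample messages are assumptions of this example.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def _domain(addr):
    return addr.rpartition("@")[2]


def spoofing_signals(mail_from, raw_message):
    """Evaluate the three sender criteria for one message.

    mail_from is the SMTP envelope sender as received ("<>" when empty);
    raw_message is the RFC 5322 text of the message.
    """
    msg = message_from_string(raw_message)
    envelope = mail_from.strip().strip("<>").strip().lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = [addr.lower()
                for _, addr in getaddresses(msg.get_all("Reply-To", []))
                if addr]
    return {
        # Criterion: Envelope sender is "blank"
        "envelope_sender_blank": envelope == "",
        # Criterion: Message header sender differs from "envelope sender".
        # A blank envelope is reported only under the criterion above
        # (a choice made for this example).
        "header_differs_from_envelope": bool(envelope) and header_from != envelope,
        # Extra triage signal, not a product criterion: bulk senders often
        # use a per-message bounce address in the same domain.
        "same_domain_as_envelope": bool(envelope)
        and _domain(header_from) == _domain(envelope),
        # Criterion: Message header sender differs from "header Reply-To"
        "header_differs_from_reply_to": bool(reply_to)
        and header_from not in reply_to,
    }


# Constructed sample messages: (envelope sender, message text).
SAMPLES = {
    "normal": ("<alice@example.com>",
               "From: Alice <alice@example.com>\n"
               "To: bob@example.org\nSubject: Minutes\n\nAttached.\n"),
    "newsletter": ("<bounce-4711@example.com>",
                   "From: News <news@example.com>\n"
                   "To: bob@example.org\nSubject: March issue\n\nHello.\n"),
    "spoof": ("<x9@example.net>",
              'From: "IT Helpdesk" <helpdesk@example.com>\n'
              "Reply-To: helpdesk@example.org\n"
              "To: bob@example.com\nSubject: Password expiry\n\nAct now.\n"),
    "bounce": ("<>",
               "From: Mail Delivery System <MAILER-DAEMON@mx.example.org>\n"
               "To: bob@example.org\nSubject: Undelivered mail\n\nFailed.\n"),
}


def evaluate_samples():
    return {name: spoofing_signals(mail_from, raw)
            for name, (mail_from, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, signals in evaluate_samples().items():
        hits = [key for key, value in signals.items() if value]
        print(f"{name:10} {hits}")
```

The "newsletter" and "bounce" samples are legitimate mail that still match a criterion, which is the false-positive case the note on empty envelope senders describes.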

Using Attachment File Name or Extension Criteria


The Attachment is “file name or extension” criteria allows you to create
rules that take actions on messages based on the name or the extension of
attachments a message contains. If a message contains a compressed
attachment, the criteria can further match the name or extension of the files
included in the compressed attachment.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select the Attachment is “file name or extension” criteria.
3. Click the “file name or extension” link.
The Attachment File Name or Extension screen appears.
4. From the drop-down list, select either Selected file names or extensions
or Not selected file names or extensions.
5. If you want to block attachment names by file extension:
a. Select File extensions potentially dangerous and/or File
extensions commonly exchanged at work.


Note
The File extensions potentially dangerous category contains
extensions of file types that commonly act as containers for malware
and are not normally exchanged via email in an organization. This
list includes extensions such as COM, DLL, and EXE.
The File extensions commonly exchanged at work category contains
file types that are commonly sent between members of an
organization. It includes the DOC extension used by Microsoft Word
documents. These files are often used to propagate VB macro viruses,
but they are also commonly exchanged within organizations.

b. Click the open arrow buttons to expand the lists of standard file
extensions.
c. Select the file extensions for Trend Micro Email Security to trigger
on for this rule.
d. Click the close arrow button to collapse the list.
6. If you want to block attachments with your own specified names:
a. Select File names.
b. Type a file name to block.


Tip
Make sure the file name matches the full name of your target file,
including the extension. For example, to match a file named
"abc.doc", specify "abc.doc" or use an asterisk, such as "*.doc";
specifying only "abc" does not work.

You can use an asterisk (*) as a substitute for any part of a file name.

The following examples are valid file names:

• *.docx

• *.doc*

• LOVE-LETTER*.vbs

• LOVE-LETTER-FOR-YOU.TXT.vbs

c. Click Add.

The file name is added to the list just below.

Tip
If there are any names in the list that you want to delete, select them and
click Delete.

Using Attachment MIME Content Type Criteria

The Attachment is “MIME content type” criteria allows you to create rules
that take actions on messages based on the MIME content-type of
attachments a message contains.

Note
Where the Attachment is “MIME content type” criteria makes decisions based
on the MIME content-type indicated, the Attachment is “true file type” criteria
scans the headers of the actual attached files themselves for the identifying
signatures.


Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select the Attachment is “MIME content type” criteria.

3. Click the “MIME content type” link.

The Attachment MIME Content Type screen appears.

4. From the drop-down list, select Selected MIME content types or Not
selected MIME content types.

5. Select the MIME content types for Trend Micro Email Security to match
on.

6. If you want to block attachments by explicit MIME content types, type
the names of the MIME content types to block in the Other MIME
content types text field.

Tip
The following examples are valid:

• 3dm or *.3dm

• 3dmf or *.3dmf

Using Attachment True File Type Criteria


The Attachment is “true file type” criteria allows you to create rules that
take actions on messages based on the true file type of attachments a
message contains.

Note
Where the Attachment is “file name or extension” criteria makes decisions
based on just file names and/or extensions, the Attachment is “true file type”
criteria scans the headers of the files themselves for the identifying signatures.


Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select the Attachment is “true file type” criteria.
3. Click the “true file type” link.
The Attachment True File Type screen appears.
4. From the drop-down list, select Selected true file types or Not selected
true file types.
5. Select the true file types for Trend Micro Email Security to match on.

Note

• For Microsoft Office files of version 2007 or later, Trend Micro Email
Security supports attachment true file type detection only when the
files are not encrypted.
• The Compressed file type of other includes only the following file
types: ar, arc, amg, lzw, cab, lha, pklite, diet, lzh, and lz.
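The file name, MIME content type, and true file type criteria look at three different things: the attachment name, the sender-declared Content-Type, and the leading bytes of the file. The following added example (not Trend Micro code) reports all three for each attachment of a constructed message; the magic-number table, the case-insensitive wildcard matching, and the sample attachments are assumptions of this example.

```python
import fnmatch
from email import message_from_bytes
from email.message import EmailMessage

# Leading bytes ("magic numbers") of a few file formats.
MAGIC = [
    (b"MZ", "exe"),                                 # DOS/PE executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                         # ZIP, incl. unencrypted .docx/.xlsx/.pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # OLE2: legacy .doc, and the wrapper
                                                    # around password-encrypted OOXML files
]
# True type each extension is expected to have (subset, for the example).
EXPECTED = {"exe": "exe", "pdf": "pdf", "zip": "zip",
            "docx": "zip", "xlsx": "zip", "pptx": "zip", "doc": "ole2"}


def true_type(data):
    """Identify a file by its leading bytes, ignoring name and MIME type."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def name_matches(filename, patterns):
    # "*" stands for any run of characters, as in the guide's tip.
    # Case-insensitive comparison is an assumption of this example.
    return any(fnmatch.fnmatchcase(filename.lower(), p.lower()) for p in patterns)


def inspect_attachments(raw, patterns):
    """Report name match, declared MIME type and true type per attachment."""
    findings = []
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if not filename:
            continue
        detected = true_type(part.get_payload(decode=True) or b"")
        ext = filename.rpartition(".")[2].lower()
        findings.append({
            "filename": filename,
            "declared_mime": part.get_content_type(),
            "true_type": detected,
            "name_match": name_matches(filename, patterns),
            "type_mismatch": ext in EXPECTED and detected != EXPECTED[ext],
        })
    return findings


def build_sample():
    """Constructed message with three attachments (contents are stubs)."""
    msg = EmailMessage()
    msg["From"] = "a@example.com"
    msg["To"] = "b@example.com"
    msg["Subject"] = "Files"
    msg.set_content("See attachments.")
    pad = b"\x00" * 60
    # Executable bytes behind a PDF name and a PDF content type.
    msg.add_attachment(b"MZ\x90\x00" + pad, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Ordinary OOXML document: a ZIP container.
    msg.add_attachment(b"PK\x03\x04" + pad, maintype="application",
                       subtype="octet-stream", filename="report.docx")
    # Password-encrypted OOXML workbook: an OLE2 container, not a ZIP.
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + pad,
                       maintype="application", subtype="octet-stream",
                       filename="budget.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample(), ["*.doc*", "LOVE-LETTER*.vbs"]):
        print(finding)
```

A mismatch between extension and leading bytes is what the true file type criteria can catch and the name and MIME criteria cannot.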

Using Message Size Criteria

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Message size is in the criteria list.
3. Select > or <= from the comparison drop-down list.
• Select > to apply the rule to messages that are larger than the
specified size.
• Select <= to apply the rule to messages that are smaller than or
equal to the specified size.


For example, <= 10 MB applies the rule to all messages that are smaller
than or equal to 10 megabytes.
4. Type a number for the size.
5. Select a unit of measurement from the following choices:
• KB: Kilobytes
• MB: Megabytes

Note
The Message size is criteria is applied to the total size of a message,
including any attachments it might contain.

For example, if a message contained two attachments, one a 3 MB
attachment and the other a 1 MB attachment, a rule that deletes
messages over 2 MB would delete the entire message, including both
attachments.

Using Subject Matches Criteria


Trend Micro Email Security can scan the message subject for keyword
expressions.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Subject matches “keyword expressions”.
3. Click the “keyword expressions” link.
4. Configure keywords.

Using Subject is Blank Criteria


Trend Micro Email Security can scan the message for a blank subject line.


Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Subject is “blank”.

Using Body Matches Criteria


Trend Micro Email Security can scan the message body for keyword
expressions.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Body matches.
3. Click the “keyword expressions” link.
4. Configure keywords.

Using Body Is Blank Criteria


Trend Micro Email Security can scan messages for blank bodies.

Note
Trend Micro Email Security detects any of the following cases as blank bodies:
• Bodies with no text nor HTML tags
• Bodies with only white space characters
• No body entity

Procedure
1. On the Scanning Criteria tab, click Advanced.


2. Select Body is "blank".

Using Specified Header Matches Criteria

Trend Micro Email Security can scan the message headers for keyword
expressions.

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select Specified header matches.

3. Click the “keyword expressions” link.

4. Configure keywords.

Using Attachment Content Matches Keyword Criteria

The Attachment content matches “keyword expressions” criteria allows
you to create rules that take actions on messages based on keyword
expressions contained in a message.

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select the Attachment content matches “keyword expressions”
criteria.

3. Click the “keyword expressions” link.

The Attachment Content Keyword Expressions screen appears.

4. Configure the keywords.


Using Attachment Size Criteria

The Attachment size is criteria allows you to create rules that take actions on
messages based on the size of any attachments to the message.

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select the Attachment size is criteria.

3. Select > or <= from the comparison drop-down list.

• Select > to apply the rule to attachments that are larger than the
specified size.

• Select <= to apply the rule to attachments that are smaller than or
equal to the specified size.

For example, <= 10 MB applies the rule to all messages that are equal to
or smaller than 10 megabytes.

4. Type a value for the size.

5. Select a unit of measurement from the following choices:

• B: Bytes

• KB: Kilobytes

• MB: Megabytes

Note
The Attachment size is criteria is applied to the total size of each
attachment.

For example, if a message contained two attachments, one a 3 MB
attachment and the other a 1 MB attachment, a rule that deletes
attachments over 2 MB would delete only the 3 MB attachment. The
other attachment would not be deleted.

Using Attachment Number Criteria


The Attachment number is criteria allows you to create rules that take
actions on messages based on the number of attachments the message
contains.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select the Attachment number is criteria.
3. Select > or <= from the comparison drop-down list.
• Select > to apply the rule to messages that are sent with more than
the specified number of attachments.
• Select <= to apply the rule to messages that have the same number
or fewer than the specified number of attachments.
For example:
> 10 applies the rule to all messages that have more than 10 recipients.
<= 10 applies the rule to all messages that have 10 or fewer recipients.
4. Type the number of attachments to evaluate.

Using Attachment is Password Protected Criteria


Trend Micro Email Security can scan messages for attachments of the
following types:
• .7z

• .ace


• .arj

• .docx

• .pptx

• .rar

• .xlsx

• .zip

• .pdf

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select “Any Match”.
The Attachment is “password protected”, Attachment contains “active
content”, and Recipient number criteria become available.
3. Select Attachment is “password protected”.

Using Attachment Contains Active Content Criteria


Trend Micro Email Security can scan messages for the following attachments
that contain active content such as macros:
• Microsoft Word files
• Microsoft Excel files
• Microsoft PowerPoint files
• Compressed Microsoft Word, Excel, or PowerPoint files

Note
The Microsoft Office version must be Office 2007 (12.0) or later.


Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select “Any Match”.

The Attachment is “password protected”, Attachment contains “active
content”, and Recipient number criteria become available.

3. Select Attachment contains “active content”.

Using the Number of Recipients Criteria


The Recipient Number criteria allows you to create rules that take actions on
messages based on the number of recipients the message is addressed to.

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select “Any Match”.

The Attachment is “password protected”, Attachment contains “active
content”, and Recipient number criteria become available.

3. Select Recipient number.

4. Select > or <= from the comparison drop-down list.

• Select > to apply the rule to messages that are sent to more than the
specified number of recipients.

• Select <= to apply the rule to messages that have the same number
or fewer than the specified number of recipients.

For example:

> 10 applies the rule to all messages that have more than 10 recipients.

<= 10 applies the rule to all messages that have 10 or fewer recipients.


5. Type a value for the number of recipients.

About Rule Actions


Rule actions allow you to specify what happens to messages that satisfy the
conditions of the rule's criteria.
Actions fall into these classes:
• “Intercept” actions: Actions in this class intercept the message,
preventing it from reaching the original recipient. Intercept actions
include deleting the entire message and re-addressing the message.
• “Modify” actions: Actions in this class change the message or its
attachments. Modify actions include cleaning cleanable viruses, deleting
message attachments, inserting a stamp in the message body, or tagging
the subject line.
• “Monitor” actions: Actions in this class allow administrators to monitor
messaging. Monitor actions include sending a notification message to
others or sending a BCC (blind carbon copy) of the message to others.
• “Encrypt Email Message” actions: Actions in this class encrypt the
message and then queue it for delivery. This is a non-intercept action,
but no other actions can be taken on the target message after this rule is
triggered. This action has the lowest priority of all actions, but when
triggered it is always the final rule run before the message is queued for
delivery. If more than one rule in the rule set is triggered, the rule that
uses the encrypt email action will always be triggered last.

Note
This action only applies to outbound rules.

Each rule can contain:


• One and only one intercept action, and
• Any combination of modify or monitor actions


Specifying Rule Actions

Procedure
• To add actions to a rule definition, select the desired action.
• To specify details of an action (where required), select the drop-down
list, text field, or link that provides more detail for the rule.
For example, if the quarantine action is desired, you need to select
which quarantine to send messages to when they trigger this rule. You
also might want to create a new quarantine based on an existing one.
You can click Edit there to begin that process.

“Intercept” Actions
“Intercept” actions prevent a message from being delivered to the mailbox of
the original recipient. Instead, the message is deleted, quarantined, or sent
to a different recipient.
“Intercept” actions are "terminal" actions. Once a terminal action executes,
processing of that rule stops and no further action takes place for that rule.
Terminal actions execute following a strict priority order:
1. Delete the entire message.
2. Deliver the message now.


WARNING!
The Deliver now action is not recommended for use as the only action. If
you choose Deliver now as the only action for Spam mail, for example, all
of that mail will simply be delivered to your recipients, as if there were no
spam filter in place.

If you use Deliver now with a virus rule, ensure that you also have a Delete
action for the virus rule. Only the Delete action takes higher priority than
Deliver now and so would be processed before it (and then terminate the
processing of that rule).

If you chose Deliver now as the only action for a virus rule, mail
containing viruses would leak through unblocked.

3. Quarantine the message.

4. Change recipient.

Using the Delete Action


This action deletes the message and all attachments. The message is
recorded as deleted in the Trend Micro Email Security logs, but once deleted,
the message cannot be recovered. It is one of the “intercept” category of
actions. To configure a rule action to delete a message:

Procedure

• Select the Delete entire message action from the “Intercept” section.

Using the Deliver Now Action


Trend Micro Email Security provides two options for the Deliver Now action:

• Deliver the email message to the default mail server

If you choose this option, Trend Micro Email Security delivers the email
message to the default mail server without executing any more rules for
the affected email message.


By default, all rules are automatically ordered for security and execution
efficiency. Administrators are relieved of determining the order of rule
execution. This option bypasses the automatic order of execution so that
Trend Micro Email Security can deliver the email message immediately.

WARNING!
This option of Deliver now is not recommended for use as the only action.
If you choose this option of Deliver now as the only action for spam, for
example, all of that email message will simply be delivered to your
recipients, as if there were no spam filter in place.
If you use this option of Deliver now with a malware rule, ensure that you
also have a Delete action for the malware rule. Only the Delete action
takes higher priority than this option and so would be processed before it
(and then terminate the processing of that rule).
If you chose this option of Deliver now as the only action for a malware
rule, email messages containing malware would leak through unblocked.

• Deliver the email message to a specific mail server


If you choose this option, Trend Micro Email Security delivers the email
message to the specific mail server that you have configured. This option
is recommended if you have a secure messaging server on your network
that can process or handle the message.

Note
Trend Micro Email Security can track an email message only before it is
delivered. After the delivery, the message is no longer traceable as it is not
under the control of Trend Micro Email Security.

Procedure
1. Select the Deliver now action from the Intercept section.
• Click To the default mail server.
• Click To a specific mail server. Specify the FQDN or IP address as
well as the listening port number for a specific mail server.

Click Test to check the connection between Trend Micro Email
Security and the mail server you specified.

Note
The corresponding TLS peer settings will still apply to the communication
between Trend Micro Email Security and the mail server you choose.

2. Click Submit.

3. Click OK on the Deliver now warning message that appears.

Using the Quarantine Action

Quarantined items are now stored in a directory structure created by Trend
Micro Email Security. This structure allows for increased performance when
the service is saving items into quarantines or when users view them through
the End User Console. Quarantined messages are indexed in the Trend Micro
Email Security database to provide you with queries and improved search
tools.

Procedure

1. In the “Intercept” section of the Action tab, select the Quarantine
action.

Using the Change Recipient Action

The Change recipient action intercepts messages and sends them to a new
recipient. This means that the original message recipient will not receive a
copy of the message. It is one of the “intercept” class of actions. You can only
select a recipient address that is in your domain.


Note
The Change recipient action does not change the recipient address in the
message header. The message will be routed to the new address and the
original recipient will not receive the message. The new recipient, however,
will see the original recipient's address in the message header. To have a copy
of the message sent to a different address while allowing the original message
to go to the original recipient, select the BCC action.

WARNING!
Redirected messages may contain viruses or malicious code. Trend Micro
recommends against redirecting messages to external addresses unless you
have configured an outbound virus policy.

Procedure
1. From the “Intercept” section of the Action page, select the Change
recipient action.
2. Type the email address of the recipient in the field. If you have more
than one email address, enter them in the field separated by commas or
semicolons.

“Modify” Actions
“Modify” actions change the message or its attachments. The original sender
will still receive the modified message, assuming that the message does not
trigger other rules with “Intercept” actions.

Note
Note that the "Modify" actions may destroy the existing DKIM signatures in
email messages. If this occurs, the messages cannot pass DKIM verification by
the downstream mail server.

For more information about specific “Modify” actions, select from the
following:


• Clean cleanable Viruses, delete those that cannot be cleaned Action


See Cleaning Cleanable Viruses on page 214.
• Delete matching attachments Action
See Deleting Matching Attachments on page 215.
• Sanitize attachments Action
See Sanitizing Attachments on page 216.
• Insert X-Header Action
See Inserting an X-Header on page 217.
• Insert stamp in body Action
See Inserting a Stamp on page 217.
• Tag subject Action
See Tagging the Subject Line on page 220.

Tip
Terminal “Modify” actions have higher execution priority than non-terminal
actions. When a terminal “Modify” action is triggered, there is no need to
perform any other actions. However, non-terminal actions can be combined,
such as Delete matching attachments and Insert stamp in body.

Cleaning Cleanable Malware


This action will clean cleanable malware (or other configured threats)
contained in message attachments. If the threat cannot be cleaned, the
message attachment that contains it will be deleted. Clean cleanable
malware is one of the “Modify” class of actions.


Important
The Clean cleanable malware, delete those that cannot be cleaned action is
only available in policies with the target criteria of Message contains “malware
or malicious code”. If the Clean cleanable malware, delete those that cannot
be cleaned action is used in the rule, and a message contains uncleanable
malware, the attachment will be deleted.

The Delete matching attachments and Clean cleanable malware, delete those
that cannot be cleaned actions cannot be used in the same rule.

To configure a rule action to clean malware-infected attachments:

Procedure

• From the “Modify” section of the Action page, select the Clean
cleanable malware, delete those that cannot be cleaned action.

Deleting Matching Attachments


This action deletes any attachments that match the rule criteria. It is one of
the “Modify” category of actions.

Important
The Delete matching attachments and Clean cleanable malware, delete those
that cannot be cleaned actions cannot be used in the same rule.

The Delete matching attachments action is invoked only when one or more
of the following criteria trigger a rule:

• Message contains “malware or malicious code”
• Attachment is “name or extension”
• Attachment is “MIME content-type”
• Attachment is “true file type”
• Attachment is “password protected”
• Attachment size is
• Attachment content matches “keyword expressions”
For example, if a “Message size is” rule (by default, greater than 10 MB) is
triggered with an action of Delete matching attachments, all attachments
will be deleted.
To configure a rule action to delete attachments that match certain criteria:

Procedure
• Select Delete matching attachments from the “Modify” section.

Sanitizing Attachments
This action removes active content from the Microsoft Word, Excel, and
PowerPoint attachments that match the rule criteria. If the active content
cannot be removed, you can configure whether to delete the attachment
containing the active content. Sanitize attachments is one of the “Modify”
category of actions.

Important
The Sanitize attachments action is only available in policies with the target
criteria of Attachment contains “active content”. If the Sanitize attachments
action is used in the rule, and the email attachment contains active content, the
active content will be removed.

To configure a rule action to remove active content from the attachments
that match certain criteria:

Procedure
• Select Sanitize attachments from the “Modify” section, and optionally
select Delete attachment if unable to remove active content.

Inserting an X-Header
The Insert X-Header action adds an X-Header to the message header before
sending a message to the intended recipients. An X-Header consists of a
name field and a body field, which can be customized according to your
requirements.
Insert X-Header is one of the "Modify" class of actions.

Procedure
1. Select Insert X-Header from the Modify section.
2. Type the X-Header name and body.

Note
Do not use or start your X-Header name (case-insensitive) with the
following since they are reserved for Trend Micro Email Security:
• X-TM
• X-MT
The reserved X-Headers might be adjusted dynamically if necessary.

Inserting a Stamp
The Insert stamp in body action inserts some standard confidentiality
statement or a similar block of text into the message body. The stamps are
maintained as named objects in the database and are selected from a list.
The stamp definitions contain the stamp name, stamp content, whether they
are to be inserted at the beginning or the end of the message body, and
whether or not to avoid stamping TNEF and digitally signed messages to
prevent breakage.

Trend Micro Email Security recognizes messages signed using the S/MIME
standard.

Procedure

1. Select Insert stamp in body.

2. Select from the drop-down list of available stamps.

3. To configure stamps in the list, click Edit.

For more information on how to configure a stamp, see Managing
Stamps on page 296.

Configuring Stamps

You can edit or add a new message stamp. Stamps are inserted into messages
when they trigger the rule. Typically they contain some standard
confidentiality statement or a similar block of text. Rule Tokens/Variables
(for example, the name of an attached file) can also be included in the text.

To edit or add a new message stamp:

Procedure

1. On the Actions page, select Insert stamp in body.

2. Click Edit.

The Stamps screen appears, showing a list of available stamps.

3. Click Add or select a stamp from the list and click Edit.

The Stamps screen appears, showing details for the stamp.

4. Type a name in the Name field, or edit the existing name if desired.

5. To exclude TNEF and digitally signed messages from stamping, select Do
not stamp message formats that might become corrupted or
unreadable, such as digitally signed and Outlook TNEF.

Note
Trend Micro Email Security recognizes messages signed using the S/MIME
standard.
The Microsoft TNEF format is used when sending rich text email using the
Outlook client. If Trend Micro Email Security tries to insert a stamp into a
TNEF-formatted email, the message might become corrupted or
unreadable. To prevent this, if your organization uses Outlook to send rich
text formatted messages, Trend Micro Email Security enables you to
exempt TNEF messages from those actions that might corrupt the
message.

6. Select whether to insert the stamp at the beginning or the end of the
message body.
7. Specify the stamp content and style as needed with the rich text editor.
Trend Micro Email Security provides a predefined style for the stamp
indicating Information, Suspicious, or Dangerous risk level. You can
either select a risk level and modify the corresponding HTML stamp, or
customize your own HTML stamp.
As you specify the stamp text and style, Trend Micro Email Security
offers a preview of the stamp and generates an automatic plain text
version below the rich text editor in real time. The plain text version
shows you how the stamp appears to end users who cannot see the
HTML version.

Note
Optionally, include variables in your stamps by using the tokens listed in
Rule Tokens/Variables on page 220.


As you customize the HTML stamp, Trend Micro Email Security offers a
preview of the stamp and automatically generates the corresponding
plain text stamp below the rich text editor in real time.
When a message triggers the rule, the HTML stamp will be inserted into
HTML content of the message, and the plain text stamp will be inserted
into Plain text content of the message.

Tagging the Subject Line


The Tag Subject action inserts configurable text into the message subject
line. It is one of the “Modify” class of actions.

Procedure
1. Select the Tag Subject action.
2. Type a tag in the Tag field.
3. Optionally select Do not tag digitally signed messages.

Note
Trend Micro Email Security recognizes messages signed using the S/MIME
standard.

Rule Tokens/Variables
Use the following tokens to include variables in notifications and stamps:
Table 52. Tokens and Variables

| Token | Variable |
| --- | --- |
| %SENDER% | Message sender |
| %RCPTS% | Message recipients |
| %SUBJECT% | Message subject |
| %DATE&TIME% | Date and time of incident |
| %HEADERS% | Message headers, including the original header and the headers added by Trend Micro Email Security. This token is supported only in stamps and notification body. |
| %MAILID% | Mail ID |
| %RULENAME% | Name of the rule that contained the triggered filter |
| %RULETYPE% | Type of a rule: Content Filter, Message Size Filter, and others |
| %DETECTED% | Current filter scan result in other task |
| %FILENAME% | Names of files that were affected by the rule |
| %DEF_CHARSET% | Default character set of the notification message |
| %MSG_SIZE% | Total size of the message and all attachments |
| %ATTACH_SIZE% | Total size of the attachment(s) that triggered the rule |
| %ATTACH_COUNT% | Number of attachments that triggered the rule |
| %TACTION% | Terminal action taken by Trend Micro Email Security |
| %ACTION% | All other (non-terminal) actions taken by Trend Micro Email Security |
| %VIRUSNAME% | Name of any malware detected. This token will be empty if the message did not trigger a malware action. |
| %VIRUSACTION% | Action taken on any malware detected in the message. This token will be empty if the message did not trigger a malware action. |
| %HPU_CONFIRMED_URL% | Option selected by a high profile user to confirm that he or she is the real sender of an email message |
| %HPU_DENIED_URL% | Option selected by a high profile user to deny that he or she is the real sender of an email message |
| %SPFRESULT% | SPF check result returned when SPF check is enabled |

“Monitor” Actions
“Monitor” actions do not change the original message or its attachments. The
original sender will still receive the message, assuming that the message
does not trigger other rules with intercept actions.

There are two “Monitor” actions:

• Send notification action

• BCC action

You can combine the first action with any other kind of action. You can
combine the BCC action with "modify" actions (and with the first "monitor"
action). However, the BCC action cannot be combined with terminal
“intercept” actions.

Tip
The notification email message sent by “monitor” actions can be customized
using the variables shown in Rule Tokens/Variables on page 220.

Using the Bcc Action

The BCC action sends a Bcc (blind carbon copy) to a recipient or recipients
configured in the rule. It is one of the “monitor” class of actions. You can
only configure a notification to be sent to an address in your own domain.

Procedure

1. From the Monitor section of the Action page, select BCC.


2. Type the email address of the recipient in the field. If you have more
than one email address, enter them in the field separated by commas or
semicolons.

Encrypting Outbound Messages


The purpose of this rule action is to protect sensitive data in email messages
sent by users in your organization.

Note
This action only applies to outbound rules.

Actions in this class encrypt the message and then queue it for delivery. This
is a non-intercept action, but no other actions can be taken on the target
message after this rule is triggered. This action has the lowest priority of all
actions, but when triggered it is always the final rule run before the message
is queued for delivery. If more than one rule in the rule set is triggered, the
rule that uses the encrypt email action will always be triggered last.

In most cases, a rule to encrypt email messages will be based on one of the
following:

• Specific senders or recipients of the message (for example, a rule that
encrypts all email sent from Human Resources or the Legal department)

• Specific content in the message body

• Sensitive data contained in the message

Procedure

1. From the “Intercept” section of the Action page, select Do not intercept
messages.

2. From the “Modify” section of the page, select the Encrypt email action.


Reading an Encrypted Email Message


When an “Encrypt Email Message” action is triggered, the recipient can
decrypt the resulting encrypted message in the following way:
Use a web browser. Recipients of encrypted messages who are not using
Email Encryption Client receive an email notification that provides a website
link allowing the recipient to view the content of the message.

Note
Decrypting messages with Microsoft Outlook Web Access 2007 is not supported.
Microsoft Outlook 2016 mail client is supported for decrypting messages.

Below is a sample encrypted email notification message:

Procedure
1. Double-click the attached Encrypted_Message.htm file, which opens in
your default web browser, as shown below.


2. Click Open my email, and if not yet registered, fill in the registration
information on the subsequent pages. If you have already registered for
this service, the encryption site displays your decrypted email at this
point.

Note
The Open my email function may not work reliably with some web-based
email systems. If the button does not work, the customer can save the
attachment to a local computer and then open it again.
Recipients only need to register once. After registering with the Email
Encryption service, the recipient will be able to view decrypted email in a
browser window by clicking Open my email.

3. For enhanced security, match a CAPTCHA image, type and confirm a
pass phrase, and select and answer three security questions. Upon
successful registration, the email encryption site sends an activation
message to the registered email account.
4. Upon receipt of the activation message, click Please click here to
validate your identity. The Trend Micro email encryption site loads in
your browser and displays your decrypted message, as shown below:


About the Send Notification Action


Notifications are messages that are sent when the rule is triggered. They are
one of the “Monitor” actions.
You can only send notification messages from addresses within your own
domain.

Configuring Send Notification Actions

Procedure
1. Select a message from the list of those available on the left side of the
screen.
2. Click the right arrow button (Add>).
The selected message appears in the Selected list on the right side.

Duplicating or Copying Send Notification Actions

Procedure
1. Select a message that you want to create a copy of from the list of those
available on the left side of the screen.


2. Click Copy.
The copy of the selected message appears in the Available list, with the
prefix Copy of in its original name.

Removing Notifications from Rule Actions

Procedure
1. Select the message you want to delete from the Selected list on the right
side.
2. Click Remove.

Deleting Notifications from Lists of Messages


To delete an existing notification message from the list of messages:

Procedure
1. Select the message you want to delete from the list of those available on
the left side of the screen.
2. Click Delete.

Understanding Quarantine
Quarantined messages are blocked as detected spam or other inappropriate
content before delivery to an email account. Messages held in quarantine
can be reviewed and manually deleted or delivered.

WARNING!
Trend Micro Email Security automatically deletes messages from the
quarantine after 30 days.

Do any of the following to manage quarantined messages on the
administrator console:

• Use the Query screen to view a list of quarantined messages for your
managed domains. You can review the messages, delete them, or release
them for further scanning.

Queries include data for up to seven continuous days in one calendar
month. Use more than one query to search across calendar months.

• Use the End User Quarantine Settings screen to specify the type of
sender addresses shown on the End User Console and in the quarantine
digest notifications. On this screen, you can also configure settings for
end users to view and take action on email messages quarantined for a
specific reason.

• Use the Digest Settings screen to configure the rules and templates that
Trend Micro Email Security applies to automatically send quarantine
digest notifications. Intended digest recipients can either go to the End
User Console or use inline actions in the digest notifications if available
to manage quarantined messages.

Querying the Quarantine


Use the Query screen to view a list of quarantined messages for your
managed domains. You can review the messages, delete them, or release
them for further scanning.

Procedure

1. In the Period field, specify the time range for your query.

Note
Queries include data for up to 30 continuous days in one calendar month.
Use more than one query to search across calendar months.

2. In the Direction field, select a mail traffic direction.


3. Type your search criteria into one or more of the following fields:

• Recipient(s)

• Sender(s)

• Subject

You can specify up to 10 recipients or senders. Separate multiple
recipients or senders by pressing the ENTER or TAB key, or using a
semicolon (;).

A recipient or sender can be a specific email address or all addresses
from a specific domain.

• Query a specific email address by typing that email address.

• Query all addresses from a domain by using an asterisk (*) to the
left of the at sign (@) in the email address. For example,
*@example.com will search for all email addresses in the
example.com domain.

The following table displays format examples that are valid or not valid:
Table 53. Format Examples for Mail Tracking and Quarantine Query

| Valid | Not Valid |
| --- | --- |
| name@info.example.com | name@*.example.com |
| *@example.com | *@*.com |
| *@server.example.com | *@* |
| | *@*.example.com |

4. In the Visibility field, specify whether to query quarantined messages
that end users have access to.

• All: Query all quarantined messages.

• Invisible to End Users: Query the quarantined messages that end
users do not have access to.

• Visible to End Users: Query the quarantined messages that end
users have access to.

Quarantined incoming messages that end users have access to depend
on your setting based on quarantine reasons on the End User
Quarantine Settings screen. Quarantined outgoing messages are always
invisible to end users.

5. In the Reason field, select one or multiple reasons why the message was
quarantined.

• Sender IP Match: The message failed Sender IP Match check.

• SPF: The message failed SPF check.

• DKIM: The message failed DKIM verification.

• Ransomware: The message was identified as ransomware.

• Advanced Persistent Threat: The message triggered the advanced
threat policy.
  • Analyzed Advanced Threats (Files): The message was
    identified as advanced file threats according to Virtual Analyzer
    and the policy configuration.
  • Analyzed Advanced Threats (URLs): The message was
    identified as advanced URL threats according to Virtual
    Analyzer and the policy configuration.
  • Probable Advanced Threats: The message was treated as
    suspicious according to policy configuration or the message
    was not sent to Virtual Analyzer due to exceptions that
    occurred during analysis.
• Malware: The message triggered the malware criteria. The malware
may be detected by Predictive Machine Learning or traditional
pattern-based scanning.
• Suspicious Objects: The message contains suspicious files or
suspicious URLs.
• Scanning Exception: The message triggered scan exceptions.
• Spam: The message was identified as spam.
• BEC: The message triggered the Business Email Compromise (BEC)
criteria.
• Phishing: The message triggered the phishing criteria.
• Graymail: The message triggered the graymail criteria.
• Web Reputation: The message triggered the Web Reputation
criteria.
• Content Filtering - No Criteria: The message triggered the No
Criteria scanning criteria in the Content Filtering policy.
• Content: The message triggered the message content criteria. For
example, a message's header, body or attachment matches the
specified keywords or expressions.
• Attachment: The message triggered the message attachment
criteria.
• Data Loss Prevention: The message triggered the Data Loss
Prevention policy.
6. In the Rule field, specify the rule that was triggered by the quarantined
message.
The Rule field supports the following:
• A maximum of 20 rules in use will be listed for you to choose when
you click in this text box.
• Select from the rules listed or type keywords for a fuzzy match.
7. Click Search.
8. Select one or multiple messages to manage.
9. Click one of the following buttons to manage the selected messages:
• Delete: Cancel delivery and permanently delete the message
• Deliver: Release from quarantine

Note
Released messages will no longer trigger the exact policy rule that
caused the messages to be quarantined, but they will continue to be
processed by Trend Micro Email Security. The following conditions
apply to delivery:
• If a message triggers a content-based policy rule with an
Intercept action of Quarantine, it will once again appear in the
quarantined message list.
• If a message triggers a content-based policy rule with an
Intercept action of Delete entire message or Change recipient,
it will not arrive at its intended destination.
The content-based policy rule mentioned above refers to any policy
rule that evaluates email messages based on message contents.
Typical content-based policy rules include virus policies, spam
policies, content filtering policies, and DLP policies.

10. Optionally click on the Date value to view the Quarantine Query Details
screen for a given message.
a. Check the summary and detailed information about the message.
b. Click Delete, Deliver, or Download to manage the message.
When you click Download, choose whether to download the
original email file or password-protected ZIP file to your local host.
When you download the ZIP file, Trend Micro Email Security
generates a password for decompressing the ZIP file. You can find
the password on the Quarantine Query Details screen or at the end
of the ZIP file name.

Note
The Download button is available only on the Quarantine Query
Details screen.
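
The address formats from step 3 and Table 53, as an added example (not Trend Micro code): a pre-check for Recipient(s)/Sender(s) values before they are pasted into the Query screen. The rule that an asterisk may only replace the whole local part is inferred from the table rows, and the character-level syntax checks are assumptions.

```python
import re

MAX_ENTRIES = 10  # "You can specify up to 10 recipients or senders"

# Assumed syntax checks; the console's exact address grammar is not documented here.
_LOCAL = re.compile(r"^[A-Za-z0-9.!#$%&'+/=?^_`{|}~-]+$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def check_entry(entry: str):
    """Return None when the entry is an acceptable query value, else the reason."""
    if entry.count("@") != 1:
        return "expected exactly one @"
    local, domain = entry.split("@")
    if "*" in domain:
        return "wildcard is not allowed in the domain part"
    if not _DOMAIN.match(domain):
        return "domain is not a fully qualified name"
    if local == "*":
        return None  # all addresses in one domain
    if not _LOCAL.match(local):
        return "local part must be a full address or a single *"
    return None


def parse_query_field(text: str):
    """Split a field value on ; TAB or newline and sort entries into accepted/rejected."""
    entries = [e.strip() for e in re.split(r"[;\t\r\n]+", text) if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries given, at most {MAX_ENTRIES} allowed")
    accepted, rejected = [], {}
    for entry in entries:
        reason = check_entry(entry)
        if reason is None:
            accepted.append(entry)
        else:
            rejected[entry] = reason
    return accepted, rejected


# The rows of Table 53, joined the way they would be typed into the field.
TABLE_53 = (
    "name@info.example.com; *@example.com; *@server.example.com; "
    "name@*.example.com; *@*.com; *@*; *@*.example.com"
)

if __name__ == "__main__":
    ok, bad = parse_query_field(TABLE_53)
    print("accepted:", ok)
    for entry, reason in bad.items():
        print(f"rejected: {entry:22} {reason}")
```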


Configuring End User Quarantine Settings


By default, both envelope addresses and message sender addresses are
shown in the quarantine list on the End User Console and in the quarantine
digest notifications. Each envelope address is followed by the corresponding
message header address in parentheses, in the format
Envelope@example.com (Header@example.com).
For incoming email messages quarantined for a specific reason, you can
choose to let end users view them and take action on the End User Console
and in the quarantine digest notifications. Quarantined outgoing messages
are always invisible to end users.

Procedure
1. In the Sender Address Type section, specify the type of sender
addresses shown on the End User Console and in the quarantine digest
notifications.
• Envelope addresses
• Message header addresses

Note
If Message header addresses is selected on this screen, Trend Micro
recommends you also select it on the Inbound Protection > Connection
Filtering > Sender Filter > Sender Filter Settings screen. Otherwise, the
approved or blocked senders added by end users will not work as
expected.

2. In the Quarantined Message Permissions section, specify the
permissions that end users will have on the email messages quarantined
for a specific reason.
For more information about the quarantine reason, see Querying the
Quarantine on page 228.
By default, the “View” and “Take Action” permissions are selected for
Spam and Graymail.

If you specify the “Take Action” permission for messages quarantined
for a specific reason, the “View” permission will be automatically
selected.

Note
The "Deliver", "Delete", and "Block Sender" actions are available for
messages quarantined for all reasons listed. The "Approve Sender" action,
however, is available only for messages quarantined for the reasons under
the Spam Filtering category. For more information, see Configuring
Approved and Blocked Sender Lists on page 82.

3. Click Save.

Quarantine Digest Settings

Note
Quarantine Digest is only available for inbound email messages that have been
assigned “View” permissions on the End User Quarantine Settings screen.

A quarantine digest notification is an email message Trend Micro Email
Security sends to inform end users of email messages that were temporarily
quarantined. The digest notification lists up to 100 of each end user's
quarantined messages.
You can customize digest rules and templates on the Digest Settings screen.
A digest notification contains the following information:
• A link to access quarantined messages through the End User Console
• The number of new email messages that have been quarantined since
the last notification was sent
• Digest of the new email messages that have been quarantined
  • Quarantined: The time an email message was quarantined
  • Sender: The sender address of the email message
  • Recipient: The recipient address of the email message
  • Subject: The email subject
  • Manage Messages: The links that users can click to apply actions to
    the quarantined message, including Deliver, Deliver & Approve
    Sender, Block Sender, Approve Sender Domain, and Block Sender
    Domain

WARNING!
Inline action links display only when you enable Inline actions in the
digest template.
Different quarantined messages in a digest notification may have
different inline actions. The inline actions available for each
quarantined message are determined by the following settings:
• Quarantined message permissions configured on the Quarantine
> End User Quarantine Settings screen
For more information, see Configuring End User Quarantine
Settings on page 233.
• Inline action settings configured in the digest notification
template
For more information, see Adding or Editing a Digest Template on
page 238.
Once inline actions are enabled, anyone receiving the digest
notification can take the actions on quarantined messages. Therefore,
administrators must warn digest recipients not to forward the digest
notification.

If an end user account manages multiple accounts, Trend Micro Email
Security sends digest notifications for the managed accounts as described in
the following table.

| Source of Managed Accounts | Condition | Digest Notification Recipients |
| --- | --- | --- |
| Aliases synchronized from directories | End user has only one email address | Email address |
| Aliases synchronized from directories | End user has email aliases but has not set the primary email alias | Each email alias |
| Aliases synchronized from directories | End user has email aliases and has set the primary email alias | Primary email alias |
| Manually added accounts | End user has not set the primary account | Email address |
| Manually added accounts | End user has set the primary account | Primary account |

For details about the “Source of Managed Accounts”, refer to Configuring
Local Account Logon on page 335 for end user management.

Adding or Editing a Digest Rule


You can customize digest rules for different recipients. If there are multiple
rules, you can set or adjust the priority to apply each rule.

Procedure
1. Go to Quarantine > Digest Settings.
2. Click the Digest Rules tab.
3. Click Add or click the name of an existing rule.
4. In the General Information section, do the following:
a. Click the Status toggle button to enable the current rule.
b. Type the rule name and description.
5. In the Recipients section, select the recipients for digest notifications:


• All recipients: This option only applies to the default rule. All users
of your managed domains will receive digest notifications.
• Specified recipients: This option enables you to choose users from
both your LDAP groups and managed domains and add all of them
as intended recipients.
6. In the Schedule section, select the frequency to send digest
notifications:
• Daily: Specify the exact time to send the digest notifications.
Use the add and the remove buttons to manage additional
entries.
• Weekly: Specify the days of the week and time of the day to send the
digest notifications.

Note
The time zone of the browser accessing Trend Micro Email Security is
used.

7. In the Template section, select the digest template that you want to use
for the current rule.
8. Click Save.
The newly added or edited rule displays on the Digest Rules screen. You
can further change the rule status, set the rule priority, copy and delete
the rule.


Note
If the recipient scopes of different digest rules conflict with each other, a
red exclamation mark icon will be shown next to the recipients of each
rule. Hover over the icon to view the current recipients, conflicting rules, and
conflicting recipients. Digest notifications are sent to the conflicting recipients
according to the rule with the higher priority. The smaller the priority
number, the higher the priority.

The following table is an example for your reference.

| Digest Rule | Priority | Recipients |
| --- | --- | --- |
| Rule1 | 1 | domain1.com |
| Rule2 | 2 | domain2.com; usergroup1 |

If Rule1 and Rule2 are both enabled and usergroup1 contains some
recipients in domain1.com, the two rules have a recipient
conflict. In this case, Trend Micro Email Security applies Rule1, which has
the higher priority, to send digest notifications to the conflicting recipients.
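
The priority rule from the note above, as an added example (not Trend Micro code) for auditing a set of digest rules before enabling them. Rule1 and Rule2 are the page's example; the group membership, the addresses and the data model are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DigestRule:
    name: str
    priority: int        # smaller number = higher priority
    recipients: tuple    # domain names and/or group names
    enabled: bool = True


def rules_covering(address, rules, groups):
    """Enabled rules whose recipient scope includes the address, best priority first."""
    address = address.lower()
    domain = address.rsplit("@", 1)[1]
    hits = []
    for rule in rules:
        if not rule.enabled:
            continue
        for scope in rule.recipients:
            if scope.lower() == domain or address in groups.get(scope, set()):
                hits.append(rule)
                break  # count each rule once per address
    return sorted(hits, key=lambda r: r.priority)


def resolve_digest_rules(addresses, rules, groups):
    """Map each address to the rule that sends its digest and the rules it overrides."""
    plan = {}
    for address in addresses:
        hits = rules_covering(address, rules, groups)
        plan[address] = {
            "applied": hits[0].name if hits else None,
            "overridden": [r.name for r in hits[1:]],
        }
    return plan


# Rule1 and Rule2 come from the table above; everything else is constructed.
RULES = [
    DigestRule("Rule1", 1, ("domain1.com",)),
    DigestRule("Rule2", 2, ("domain2.com", "usergroup1")),
]
GROUPS = {"usergroup1": {"alice@domain1.com", "carol@domain2.com"}}
ADDRESSES = [
    "alice@domain1.com",  # in domain1.com and in usergroup1: the conflict case
    "bob@domain1.com",
    "carol@domain2.com",
    "dave@domain3.com",   # covered by no rule
]

if __name__ == "__main__":
    for address, result in resolve_digest_rules(ADDRESSES, RULES, GROUPS).items():
        print(f"{address:20} applied={result['applied']} overridden={result['overridden']}")
```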

Adding or Editing a Digest Template


You can create digest templates to define the format and content of
notification email messages that end users receive.

Procedure

1. Go to Quarantine > Digest Settings.

2. Click the Digest Templates tab.

3. Click Add or click the name of an existing template.

4. In the General Information section, specify the template name and
description.

5. In the Digest Notification Template section, configure the following:


Note
The digest notification template is available either in HTML or plain text
versions. Each version of the template can incorporate tokens to
customize output for digest recipients. You can right-click any of the
following fields to display a list of available and selectable tokens for the
field.

• From: Specify the email address that displays as the sender of the
digest notification.
Table 54. From field digest tokens

| Token | Content in Sent Digest Notifications |
| --- | --- |
| %DIGEST_RCPT% | Digest recipient's email address appears in the From field of the received digest notification |

• Subject: Specify the subject line for the digest notification.
Table 55. Subject field digest tokens

| Token | Content in Sent Digest Notifications |
| --- | --- |
| %DIGEST_RCPT% | Digest recipient's email address appears in the subject line |
| %DIGEST_DATE% | Digest date appears in the subject line |

• HTML:

• Specify if Inline actions should be Enabled or Disabled using the
toggle button to the right of Inline actions.

• Select the language you want to use for inline actions from the
Language drop-down list.

• Customize the inline actions that digest recipients can take in the
digest notifications.

The following inline actions are available for customization, and the
first three are selected by default:


• Deliver

• Deliver & Approve Sender

• Block Sender

• Approve Sender Domain

• Block Sender Domain

• Specify the HTML content of the digest notification if the email
client accepts HTML messages.

Table 56. HTML field digest tokens

Token | Content in Sent Digest Notifications
%DIGEST_RCPT% | Digest recipient's email address appears in the HTML body
%DIGEST_DATE% | Digest date appears in the HTML body
%DIGEST_BODY_HTML% | Digest summary in HTML table format appears in the HTML body
%DIGEST_PAGE_COUNT% | Total number of quarantined messages listed in the digest summary (up to 100) appears in the HTML body
%DIGEST_TOTAL_COUNT% | Total number of new found messages in quarantine appears in the HTML body
%EUC_HOST_SERVER% | Web address of Trend Micro Email Security End User Console appears in the HTML body

• Plain text: Specify the plain text content of the digest notification if
the email client only accepts plain text messages.
Table 57. Plain text field digest tokens

Token | Content in Sent Digest Notifications
%DIGEST_RCPT% | Digest recipient's email address appears in the text body
%DIGEST_DATE% | Digest date appears in the text body
%DIGEST_BODY_TEXT% | Digest summary in plain text format appears in the text body
%DIGEST_PAGE_COUNT% | Total number of quarantined messages listed in the digest summary (up to 100) appears in the plain text body
%DIGEST_TOTAL_COUNT% | Total number of new found messages in quarantine appears in the plain text body
%EUC_HOST_SERVER% | Web address of Trend Micro Email Security End User Console appears in the plain text body

6. In the Test Digest Mail section, specify the intended digest recipient and
click Test to test digest notification delivery.
The digest recipient receives a notification message. The sender, subject
and content of the notification and the available inline actions match the
configured settings.
7. Click Save.
The newly added or edited template displays on the Digest Templates
screen. You can further copy and delete the template if necessary.

Logs in Trend Micro Email Security

Understanding Mail Tracking

This screen is designed for you to track email messages that passed through
Trend Micro Email Security, including blocked or delivered messages. Trend
Micro Email Security maintains up to 90 days of mail tracking logs. The
sliding window for mail tracking log search is 60 continuous days that may
cross calendar months.


Note
The sliding window for mail tracking log search is 30 days in the Trend Micro
Email Security Standard license.
For details about different license versions, see Available License Versions on page
17.

The Mail Tracking screen provides the following search criteria:


• Period: The time range for your query.
• Last 1 hour
• Last 24 hours
• Last 7 days
• Last 14 days
• Last 30 days
• Custom range
• Direction: The direction of messages.
• Incoming
• Outgoing
• Recipient: The envelope recipient address.
• Sender: The envelope sender address.
• Email Header (To): The recipient address in the message header.
• Email Header (From): The sender address in the message header.


Note
Pay attention to the following when setting the preceding four address
fields:
• Specify an exact email address or use wildcards (*) to substitute any
characters in a search. In the general format of an email address
(local-part@domain), be aware that:
• The local part must be a wildcard (*) or a character string that
does not start with *, for example, *@example.com or
test*@example.com.
• The domain must be a wildcard (*) or a character string that does
not end with *, for example, example@* or example@*.test.com.
• If this field is left blank, *@* is used by default.
• Use wildcards (*) strategically to expand or narrow your search
results. For example, put a wildcard (*) in the domain part to search
by a particular user account on all domains or in the local part to
match all accounts on a particular domain.

• Type: The type of email traffic that you want to query.


• Accepted traffic: The messages that were allowed in by Trend Micro
Email Security for further processing.
If you select Accepted traffic as your search condition, a summary
of email message traffic accepted by Trend Micro Email Security is
displayed. For a message that has multiple recipients, the result will
be organized as one recipient per entry.
• Blocked traffic: The attempts to send messages that were stopped
by connection-based filtering at the MTA connection level or by
Trend Micro Email Security incoming security filtering.
If you select Blocked traffic as your search condition, you can
further select a block reason. A summary of email message traffic
blocked by Trend Micro Email Security is displayed.

Note
Content-based filtering is not included in this category.


• Action: The last action taken on the message.

• All: All the actions will be matched for your search.

• Bounced: Trend Micro Email Security bounced the message back to the
sender because the message was rejected by the downstream MTA.

• Temporary delivery error: Trend Micro Email Security attempted to
deliver the message to the downstream MTA but failed due to
unexpected errors. This is a transient state of the message, and a
message should not remain in this state for an extended period of
time.

• Deleted: Trend Micro Email Security deleted the entire email message
according to the matched policy.

• Delivered: Trend Micro Email Security delivered the message to the
downstream MTA.

• Expired: Trend Micro Email Security bounced the message back to the
sender because the message had not been delivered successfully for a
long time.

• Quarantined: Trend Micro Email Security held the message in
quarantine awaiting actions because the message triggered a certain
policy rule. Quarantined messages can be reviewed and manually
deleted or delivered.

• Redirected: Trend Micro Email Security redirected the message to a
different recipient according to the matched policy.

• Submitted to sandbox: Trend Micro Email Security submitted the
message to Virtual Analyzer for further analysis. This is a transient
state of the message, and the state will change once the Virtual
Analyzer analysis result is returned or Virtual Analyzer scan
exception is triggered.

• Subject: The email message subject.

The Subject field supports the following:


• Fuzzy match
Type one or multiple keywords for a fuzzy match. If you type more
than one keyword, all keywords will be matched based on a logical
AND, which means the matched subject must contain every
keyword. Wildcards (*) will be automatically added before and after
each keyword for a fuzzy match.
• Exact keyword or phrase match
Enclose a keyword or phrase in quotes for an exact match. Only
records that contain the exact keyword or phrase will be matched.
For example, there are three email subjects:
• Subject1: Hello world
• Subject2: Hello new world
• Subject3: "Hello"
If you type Hello world in the Subject field, this is a fuzzy match, and
Subject1 and Subject2 will be matched. If you type "Hello world", this
is an exact match using quotes, and only Subject1 will be matched. If you
want to search for Subject3, be aware that quotes are contained by the
subject itself. In this particular case, use backslashes (\) as the escape
characters and type \"Hello\" for search.
• Message ID: The unique ID of an email message.
• Sender IP: The IP address of the host where the message was sent from.
• Delivered To: The IP address of the host where the message was
delivered to.

Note
Type an IPv4 address or an IPv4 address prefix for the preceding two IP
address fields.

• Upstream TLS: The version of the TLS protocol used by the upstream
server to connect to Trend Micro Email Security.


• All

• TLS 1.0

• TLS 1.1

• TLS 1.2

• TLS 1.3

• None

• Downstream TLS: The version of the TLS protocol used by Trend Micro
Email Security to connect to the downstream server.

• All

• TLS 1.0

• TLS 1.1

• TLS 1.2

• TLS 1.3

• None

• Downstream DANE: Whether DANE authentication is applied to TLS
connections between Trend Micro Email Security and the downstream
server.

• All

• Yes

• No

• Attachment SHA256 Hash: The SHA256 hash value of a message
attachment. Specify a SHA256 hash value consisting of 64 hexadecimal
characters or leave it blank.

When a valid SHA256 hash value is specified, the Attachment Status
field displays with the following options:


• All: Query all messages containing the specified attachment. This is
the default option.

• Deleted: Query the messages with the specified attachment deleted.

• Cleaned: Query the messages with the specified attachment cleaned
for malware.

• Bypassed: Query the messages with the specified attachment bypassed.

• Sanitized: Query the messages with the specified attachment
sanitized.

• Timestamp: The time a message was received.

Choose the ascending or descending order of time to sort the search
results.

When you query mail tracking information, use the various criteria fields to
restrict your searches. After a query is performed, Trend Micro Email
Security provides a list of log records that satisfy the criteria. Select one or
more records and click Export Selected to export them to a CSV file. Click
Export All to export all the queried log records if needed. If the number of
log records to export is large, the export task takes some time to complete.
Go to Logs > Log Export Query to check the export status. Note that you can
export up to 50,000 log records at a time and can export all the queried
log records a maximum of 5 times per day.

The most efficient way to query mail tracking information is to provide both
sender and recipient email addresses within a time range that you want to
search. For an email message that has multiple recipients, the result will be
organized as one recipient per entry.

If the message you are tracking cannot be located using this strategy,
consider the following:

• Expand the result set by omitting the recipient.

If the sender is actually blocked by connection-based filtering, the
Blocked traffic results that do not match the intended recipient might
indicate this. Provide only the sender and time range for a larger result
set.
• Look for other intended recipients of the same message.
If the sender IP address has a “bad” reputation, mail tracking
information will only be kept for the first recipient in a list of recipients.
Therefore, the remaining message recipient addresses will not be listed
when querying this sender.
• Expand the result set by omitting the sender.
If the sender IP address has a “bad” reputation, omit the sender and
provide only the recipient. If only the recipient email address is
provided, all the messages that pertain to the recipient will be listed.

Social Engineering Attack Log Details


Trend Micro Email Security provides detailed information for email
messages detected as possible social engineering attacks. To view social
engineering attack details, click the Details link beside Social engineering
attack on the Mail Tracking Details screen.
The following table lists the possible reasons for social engineering attack
detections.
Table 58. Possible reasons for social engineering attack detections

Email Characteristics | Description
Inconsistent sender host names | The Message-ID host name (<host_name>) does not match the From host name (<host_name>).
Broken mail routing path | Broken mail routing path from hop (<IP_address>) to hop (<IP_address>).
Mail routing path contains mail server with bad reputation | The mail routing path contains mail server with bad reputation (<IP_address>).
Significant time gap during email message transit | Significant time gap (<duration>) detected during email message transit between hops (<source> & <destination>) from time (<date_time>) to time (<date_time>).

Inconsistent recipient accounts | Envelope recipient (<email_address>) is inconsistent with header recipient (<email_address>).
Inconsistent sender ASNs or unexpected relay or forward | The sender host (<host_address>) belongs to an ASN (<ASN>) that does not match the ASN (<ASN>) of the sender account (<email_address>). This message may occur from an unexpected server-side relay or forward.
Email message travels across multiple time zones | The email message travels across time zones (<time_zone_list>).
Possible social engineering attack characterized by suspicious charsets in email entities | Suspicious charsets (<character_set_list>) are identified in a single email message, implying the email message originated from a foreign region. This behavior is an indicator of a social engineering attack.
Violation of time headers | Multiple time headers (<date_time>, <date_time>) exist in one message, which violates RFC5322 section 3.6.
Malicious client IP address | The client IP address (<IP_address>) has been associated with known malicious activity.
Possibly forged sender (Yahoo) | The email message claimed from Yahoo (<email_address>) lost required headers.
Executable files with tampered extension names in the attachment | Files in compressed attachment (<file_name>) may be executable files with modified extension names.
Anomalous relationship between sender/recipient(s) related email headers | Anomalous relationship between sender/recipient(s) related email headers (<email_address>).
Encrypted attachment intends to bypass antivirus scan engines | Encrypted attachment (<file_name>) with password (<password>) provided in email content possibly intends to bypass antivirus scan engines.
Exploitable attachment | The attached file (<file_name>) may contain exploits.
Email message might be sent from a self-written mail agent due to abnormal transfer encoding in email entities | Content-Transfer-Encoding (<encoding_type>) is abnormal in the email message. The email message might be sent from a self-written mail agent.

Short message body | The body text or the HTML text of the email is short. The text length (<character_count> characters, for body text/HTML text respectively) may suggest that the email content has little meaning.
Replied or forwarded email contains no corresponding headers | The email message was claimed as a forwarded or replied message with subject-tagging (<email_subject>), but the email message does not contain corresponding email headers (RFC 5322).
Email message travels across multiple ASNs | The email message travels across multiple ASNs (<ASN_list>).
Email message travels across multiple countries | The email message travels across multiple countries (<country_code_list>).
Abnormal Content-type behavior in email message | Content-type in email content should not have attributes (<attribute_list>).
Executable files archived in the compressed attachment | The compressed attachment (<file_name>) contains executable files.
Exploitable file types detected in the compressed attachment | The compressed attachment (<file_name>) contains exploitable file types.
Inconsistent host domains or unexpected relay or forward | The sender host (<host_address>) belongs to a different domain from the sender account (<email_address>). This message may occur from an unexpected server-side relay or forward.
Email nickname is inconsistent with email address | The recipient account uses an email nickname (<nickname>) that is inconsistent with its email address (<email_address>).
Sender account is inconsistent with reply-to account | The sender account (<email_account>) is inconsistent with the reply-to account (<email_account>).
Sender host name possibly associated with targeted attacks | The sender host name (<host_name>) has been associated with one or more targeted attacks or performed behavior consistent with targeted attacks.

Sender IP address possibly associated with targeted attacks | The sender IP address (<ip_address>) has been associated with one or more targeted attacks or performed behavior consistent with targeted attacks.
Sender account possibly associated with targeted attacks | The sender account (<email_account>) has been associated with one or more targeted attacks or performed behavior consistent with targeted attacks.
Sender account header potentially modified | The email message was sent from an email client or service provider (<user_agent>) that allows modification of the sender address or nickname.
Internal email with a public reply-to domain | The reply-to domain (<domain_name>) belongs to a public messaging service but the sender and recipient domains are the same (<domain_name>). The email message may be disguised to appear internal.
Internal email with a disguised reply-to domain | The reply-to domain (<domain_name>) has been disguised to be similar to the sender and recipient domains (<domain_name>). The email message may be disguised to appear internal.
Reply-to account disguised to be similar to sender account | The reply-to account (<email_account>) uses a different domain but similar information to the sender account (<email_account>) to disguise the two accounts to be from the same individual.
Conversation history in email body | The email message includes a conversation history between (<email_account>) and (<email_account>). This email message may be part of a man-in-the-middle attack.
Nickname of company executive with public domain address | The sender header (<sender_header>) contains a nickname that appears to be a company executive and an email address from a public messaging service.
Sender domain disguised to be similar to recipient domain | The sender domain (<domain_name>) is different but similar to the recipient domain (<domain_name>). The email message may be disguised to appear internal.
Potentially deceptive message header text | Because (<header_text>) closely resembles (<header_text>), this message seems intended to deceive the recipient.

Message contains suspicious content | Some text in the message meets the criteria for the (<category_name>) category, indicating a possible intent to deceive the recipient.
Name of a protected sender used with a suspicious domain | The message uses the name (<sender_name>) in combination with an unfamiliar domain in an apparent attempt to deceive the recipient.
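
Several of the header-based characteristics in Table 58 can be reproduced by hand when triaging a reported message. The following is an added example, not Trend Micro's detection logic: the checks are simplified, and the function name, the public-domain list and the sample messages are assumptions constructed for illustration.

```python
"""Header-consistency triage for a few characteristics named in Table 58."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: a small sample list of public messaging domains for the demo.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
REPLY_TAG = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)


def _domain(addr):
    """Return the lower-cased part after the last '@', or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message, envelope_rcpt):
    """Return the sorted Table 58 characteristic names seen in raw_message."""
    msg = message_from_string(raw_message)
    findings = set()

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    header_rcpts = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }

    # Message-ID host vs. From host. Strict equality is a simplification:
    # legitimate mail often uses a subdomain of the sender's domain here.
    mid_host = _domain(msg.get("Message-ID", "").strip().strip("<>"))
    if mid_host and _domain(from_addr) and mid_host != _domain(from_addr):
        findings.add("Inconsistent sender host names")

    # Envelope recipient vs. header recipients (Bcc also produces this).
    if envelope_rcpt.lower() not in header_rcpts:
        findings.add("Inconsistent recipient accounts")

    # RFC 5322 section 3.6 allows exactly one Date header.
    if len(msg.get_all("Date", [])) > 1:
        findings.add("Violation of time headers")

    # Subject claims a reply or forward, but no threading headers exist.
    if REPLY_TAG.match(msg.get("Subject", "")) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.add("Replied or forwarded email contains no corresponding headers")

    if reply_to and reply_to != from_addr:
        findings.add("Sender account is inconsistent with reply-to account")
        # Same sender and recipient domain, replies go to a public service.
        if (_domain(reply_to) in PUBLIC_MAIL_DOMAINS
                and _domain(from_addr) == _domain(envelope_rcpt)):
            findings.add("Internal email with a public reply-to domain")

    return sorted(findings)


# Constructed sample messages (not taken from any real mail flow).
SUSPICIOUS = "\n".join([
    'From: "Pat Lee" <pat.lee@example.com>',
    "To: finance@example.com",
    "Reply-To: pat.lee.example@gmail.com",
    "Subject: RE: wire transfer today",
    "Date: Tue, 18 Jan 2022 09:12:01 +0000",
    "Date: Mon, 17 Jan 2022 23:40:10 +0000",
    "Message-ID: <20220118091201.4411@mailer.invalid>",
    "",
    "Please process this today.",
])
CLEAN = "\n".join([
    "From: pat.lee@example.com",
    "To: finance@example.com",
    "Subject: Q1 invoice schedule",
    "Date: Tue, 18 Jan 2022 09:12:01 +0000",
    "Message-ID: <20220118091201.1@example.com>",
    "",
    "Schedule attached.",
])

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, triage(raw, "finance@example.com"))
```

A single finding is weak evidence on its own (Bcc delivery and third-party mailers trigger some of these legitimately), so treat the output as a prompt for review of the Mail Tracking details rather than a verdict.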

Business Email Compromise Log Details


Trend Micro Email Security provides detailed information for email
messages detected as analyzed or probable Business Email Compromise
(BEC) attacks. To view BEC attack details, click the BEC Report link in the
Actions section on the Mail Tracking Details screen.

The possible reasons for BEC attack detections are the same as those for
social engineering attack detections. See Social Engineering Attack Log Details
on page 248 for details.

Understanding Policy Events


This screen enables you to track threat detections in email messages
received or sent by Trend Micro Email Security. Trend Micro Email Security
maintains up to 90 days of policy event logs. The sliding window for policy
event log search is 60 continuous days that may cross calendar months.

Note
The sliding window for policy event log search is 30 days in the Trend Micro
Email Security Standard license.

For details about different license versions, see Available License Versions on page
17.

The Policy Events screen provides the following search criteria:


• Period: The time range for your query.


• Last 1 hour
• Last 24 hours
• Last 7 days
• Last 14 days
• Last 30 days
• Custom range
• Direction: The direction of messages.
• Incoming
• Outgoing
• Recipient: The envelope recipient address.
• Sender: The envelope sender address.
• Email Header (To): The recipient address in the message header.
• Email Header (From): The sender address in the message header.


Note
Pay attention to the following when setting the preceding four address
fields:

• Specify an exact email address or use wildcards (*) to substitute any
characters in a search. In the general format of an email address
(local-part@domain), be aware that:

• The local part must be a wildcard (*) or a character string that
does not start with *, for example, *@example.com or
test*@example.com.

• The domain must be a wildcard (*) or a character string that does
not end with *, for example, example@* or example@*.test.com.

• If this field is left blank, *@* is used by default.

• Use wildcards (*) strategically to expand or narrow your search
results. For example, put a wildcard (*) in the domain part to search
by a particular user account on all domains or in the local part to
match all accounts on a particular domain.

• Subject: The email message subject.

The Subject field supports the following:

• Fuzzy match

Type one or multiple keywords for a fuzzy match. If you type more
than one keyword, all keywords will be matched based on a logical
AND, which means the matched subject must contain every
keyword. Wildcards (*) will be automatically added before and after
each keyword for a fuzzy match.

• Exact keyword or phrase match

Enclose a keyword or phrase in quotes for an exact match. Only
records that contain the exact keyword or phrase will be matched.

For example, there are three email subjects:

• Subject1: Hello world

• Subject2: Hello new world

• Subject3: "Hello"

If you type Hello world in the Subject field, this is a fuzzy match, and
Subject1 and Subject2 will be matched. If you type "Hello world", this
is an exact match using quotes, and only Subject1 will be matched. If you
want to search for Subject3, be aware that quotes are contained by the
subject itself. In this particular case, use backslashes (\) as the escape
characters and type \"Hello\" for search.

• Rule Name: The name of the rule that was triggered by email messages.

The Rule Name field supports the following:

• A maximum of 20 rules in use will be listed for you to choose when
you click in this text box.

• Select from the rules listed or type keywords for a fuzzy match.

• Threat Type: The type of threats detected in email messages.

• All: Query all messages.

• Domain-based Authentication: Query the messages that failed to pass
domain-based authentication.

• All: Query the messages that failed Sender IP Match, SPF, DKIM
and DMARC authentication.

• Sender IP Match: Query the messages that failed Sender IP Match
check.

• SPF: Query the messages that failed SPF check.

• DKIM: Query the messages that failed DKIM verification.

• DMARC: Query the messages that failed DMARC authentication.

• Ransomware: Query the messages that are identified as ransomware.


• Advanced Persistent Threat: Query the messages that triggered the
advanced threat policy.
• All: Query all messages triggering the advanced threat policy.
• Analyzed Advanced Threats (Files): Query the messages that
are identified as advanced file threats according to Virtual
Analyzer and the policy configuration.
• Analyzed Advanced Threats (URLs): Query the messages that
are identified as advanced URL threats according to Virtual
Analyzer and the policy configuration.
• Probable Advanced Threats: Query the messages that are
treated as suspicious according to policy configuration or the
messages that are not sent to Virtual Analyzer due to exceptions
that occurred during analysis.
• Malware: Query the messages that triggered the malware criteria.
When Malware is selected as the threat type, the Detected By field
displays with the following options:
• All: Query all messages triggering the malware criteria.
• Predictive Machine Learning: Query the messages containing
malware, as detected by Predictive Machine Learning.
• Pattern-based scanning: Query the messages containing
malware, as detected by traditional pattern-based scanning.
• Suspicious Objects: Query the messages that contain suspicious
files and URLs.
• All: Query all messages containing suspicious objects.
• Suspicious Files: Query all messages containing suspicious
files.
• Suspicious URLs: Query all messages containing suspicious
URLs.
• Scan Exception: Query the messages that triggered scan exceptions.


• Virtual Analyzer scan exception
• Virtual Analyzer submission quota exception
• Password protected attachment
• Other exceptions
• Spam: Query the messages that are identified as spam.
• Business Email Compromise (BEC): Query the messages that
triggered the Business Email Compromise (BEC) criteria.
• All: Query all messages triggering the BEC criteria.
• Detected by Antispam Engine: Query the messages that are
verified to be BEC attacks by the Antispam Engine.
• Detected by writing style analysis: Query the messages that
are verified to be BEC attacks by writing style analysis.
• Suspected by Antispam Engine: Query the messages that are
suspected to be BEC attacks by the Antispam Engine.
• Phishing: Query the messages that triggered the phishing criteria.
• Graymail: Query the messages that triggered the graymail criteria.
• All: Query all graymail messages.
• Marketing message and newsletter
• Social network notification
• Forum notification
• Bulk email message
• Web Reputation: Query the messages that triggered the Web
Reputation criteria.
• Content: Query the messages that triggered the message content
criteria. For example, a message's header, body or attachment
matches the specified keywords or expressions.


• Attachment: Query the messages that triggered the message
attachment criteria.
• Data Loss Prevention: Query the messages that triggered the Data
Loss Prevention policy.
• Threat Name: The name of threats detected in email messages.
• Message ID: A unique identifier for the message.
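
The address-wildcard rules and the Subject matching rules described for the Mail Tracking and Policy Events search criteria can be checked offline before a query is typed into the console. The following is an added example, not the product's implementation: function names are hypothetical, and case-insensitive comparison and substring matching for quoted phrases are assumptions.

```python
"""Offline model of the address and Subject search-field rules above."""
import re


def normalize_address_pattern(pattern):
    """Return a validated address pattern, applying the *@* default."""
    pattern = pattern.strip() or "*@*"            # blank field -> *@*
    local, sep, domain = pattern.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected local-part@domain")
    if local != "*" and local.startswith("*"):
        raise ValueError("local part must be * or must not start with *")
    if domain != "*" and domain.endswith("*"):
        raise ValueError("domain must be * or must not end with *")
    return pattern


def address_matches(pattern, address):
    """True if address matches pattern; each * stands for any characters."""
    pattern = normalize_address_pattern(pattern)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    # Assumption: addresses are compared case-insensitively.
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def parse_subject_query(query):
    """Split a Subject query into search terms.

    Unquoted words become separate keywords, "quoted text" becomes one
    phrase, and \\" stands for a literal quote character.
    """
    terms, buf, in_quotes, i = [], [], False, 0
    while i < len(query):
        ch = query[i]
        if ch == "\\" and query[i + 1:i + 2] == '"':
            buf.append('"')                       # escaped quote is literal
            i += 2
            continue
        if ch == '"':                             # opens or closes a phrase
            if buf:
                terms.append("".join(buf))
            buf, in_quotes = [], not in_quotes
        elif ch.isspace() and not in_quotes:      # keyword boundary
            if buf:
                terms.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        terms.append("".join(buf))
    return terms


def subject_matches(query, subject):
    """Logical AND: every keyword or phrase must occur in the subject."""
    haystack = subject.lower()                    # assumption: case-insensitive
    return all(term.lower() in haystack for term in parse_subject_query(query))


def search_subjects(query, subjects):
    """Return the subjects that satisfy the query, in input order."""
    return [s for s in subjects if subject_matches(query, s)]


# The three subjects used in the guide's own example.
SUBJECTS = ["Hello world", "Hello new world", '"Hello"']

if __name__ == "__main__":
    for q in ("Hello world", '"Hello world"', '\\"Hello\\"'):
        print(q, "->", search_subjects(q, SUBJECTS))
    for p in ("*@example.com", "example@*.test.com", "*test@example.com"):
        try:
            print(p, "->", normalize_address_pattern(p))
        except ValueError as err:
            print(p, "-> rejected:", err)
```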
When you query policy event information, use the various criteria fields to
restrict your searches. After a query is performed, Trend Micro Email
Security provides a list of log records that satisfy the criteria. Select one or
more records and click Export Selected to export them to a CSV file. Click
Export All to export all the queried log records if needed. If the number of
log records to export is large, the export task takes some time to complete.
Go to Logs > Log Export Query to check the export status. Note that you can
export up to 50,000 log records at a time and can export all the queried
log records a maximum of 5 times per day.
The most efficient way to query policy event information is to provide both
sender and recipient email addresses, message subject and message ID
within a time range that you want to search. For an email message that has
multiple recipients, the result will be organized as one entry.
In addition to the search criteria, detailed policy event information provides
the following:
• Timestamp: The time the policy event occurred. Click on the
Timestamp value to view the event details for a given message.
• Message Size: The size of the message. This information is not always
available.
• Action: The action taken on the email message.
• Attachment sanitized: Removed active content contained in the
attachment.
• Attachment deleted upon failure to remove active content:
Deleted the attachment containing active content that failed to be
removed.


• Attachment deleted: Deleted the attachment from the message.

• BCC: Sent a blind carbon copy (BCC) to the recipient.

• Bypassed: Did not intercept the message.

• Cleaned: Cleaned the message for malware.

• Delivered: Delivered the message to the recipient.

• Message deleted: Deleted the entire email message.

• Notification sent: Sent a notification message to the recipient when
a policy was triggered.

• Quarantined: Held the message in quarantine awaiting user actions
on the End User Console. Messages held in quarantine can be
reviewed and manually deleted or delivered.

• Recipient changed: Changed the recipient and redirected the
message to a different recipient as configured in the policy
triggered.

• Rejected: Blocked the message before it arrived at Trend Micro
Email Security.

• Stamp inserted: Inserted a stamp into the message body.

• Subject tagged: Inserted configurable text into the message subject
line.

• Submitted for encryption: Submitted to the encryption server for
processing. After encryption is complete, Trend Micro Email
Security will queue the message for delivery.

• X-Header inserted: Inserted an X-Header to the message header.

• (Optional) Risk Rating: The risk rating of the message identified by
Virtual Analyzer.

• (Optional) Violating URLs: The URLs in the message that violated the
Web Reputation criteria.


• (Optional) Violating Files: The files in the message that violated the
malware or ransomware criteria.
• (Optional) Malware: The specific malware detected in the message.
• (Optional) Scanned File Reports: The reports for the attached files in
messages. If a file is analyzed for advanced threats, the risk level for the
file is displayed here. If a report exists, click View Report to see the
detailed report.
Detailed reports are available only for suspicious files that are analyzed
by Virtual Analyzer.
• (Optional) Scanned URL Reports: The reports for the embedded URLs
in messages. If a URL is analyzed as advanced threats, the risk level of
the URL is displayed here. If a report exists, click View Report to see the
detailed report.
• (Optional) DLP Incident: The information about the DLP incident
triggered by the message. Click View Details to check the incident
details.
• (Optional) Analyzed Report: The information about BEC related
characteristics that were detected in the message.
• (Optional) Exception Details: The specific exception that was triggered
by the message.


Predictive Machine Learning Log Details


You can view a comprehensive report for each Predictive Machine Learning
log detection by clicking the Predictive Machine Learning Log Details link
on the Policy Event Details screen.

The Predictive Machine Learning Log Details screen consists of two
sections:
• Top banner: Specific details related to this particular log detection
• Bottom tab controls: Details related to the Predictive Machine Learning
threat, including threat probability scores and file information
The following table discusses the information provided in the top banner.


Table 59. Log Details - Top Banner

Section | Description
Detection name | Indicates the name of the Predictive Machine Learning detection. Example: Ransom.Win32.TRX.XXPE1
Detection time / Action | Indicates when this specific log detection occurred and the action taken on the threat
File name | Indicates the name of the file that triggered the detection
Recipient | Displays the recipient of the email message that triggered the detection

The following table discusses the information provided on the bottom tabs.
Table 60. Log Details - Tab Information

Tab                Description

Threat Indicators  Provides the results of the Predictive Machine Learning analysis
                   • Threat Probability: Indicates how closely the file matched the
                     malware model
                   • Probable Threat Type: Indicates the most likely type of threat
                     contained in the file after Predictive Machine Learning compared
                     the analysis to other known threats
                   • Similar Known Threats: Provides a list of known threat types
                     that exhibit similar file features to the detection

File Details       Provides general details about the file properties for this specific
                   detection log

Understanding URL Click Tracking


The URL Click Tracking screen enables you to track the URL clicks where
Trend Micro Email Security provides Time-of-Click Protection.

Trend Micro Email Security maintains up to 30 days of URL click tracking log
information.


The URL Click Tracking screen provides the following search criteria:
• Dates: The time range for your query.
• Direction: The direction of messages.

Note
URL click tracking applies only to URL clicks protected by Trend Micro
Email Security using Time-of-Click Protection.

• Recipient: The recipient email address.


• Sender: The sender email address.
• URL: The URL contained in the message.
• Message ID: A unique identifier for the message.
When you query URL click tracking information, use the various criteria
fields to restrict your searches. After a query is performed, Trend Micro
Email Security provides a list of log records that satisfy the criteria. Select
one or more records and click Export to CSV to export them to a CSV file.
In addition to the search criteria, detailed URL click tracking information
provides the following:
• Time of Click: The time a URL was clicked.
• Action Applied: The action taken on the URL. For all the actions, see
Actions below.
  • Blocked: Trend Micro Email Security blocked the URL that a user
    wanted to access.
  • Allowed: Trend Micro Email Security allowed a user to access the
    requested URL.
  • Warned and stopped: Trend Micro Email Security warned a user of
    the threat, and the user stopped access to the URL.
  • Warned but accessed: Trend Micro Email Security warned a user of
    the threat, but the user continued to access the URL.


Understanding Audit Log


The Audit Log screen enables you to track the administration and user
events that occurred in Trend Micro Email Security.

Trend Micro Email Security maintains up to 30 days of audit log information.

The Audit Log screen provides the following search criteria:

• Account and Type: The account name and the type for which you want
to search the audit log.

• Dates: The time range for your query.

When you query audit logs, use the various criteria fields to restrict your
searches. After a query is performed, Trend Micro Email Security provides a
list of log records that satisfy the criteria. Select one or more records and
click Export to CSV to export them to a CSV file.

To see the detail of an event, click on the time under the Timestamp column.

The Audit Log Details screen displays the following information:

• User: The administrator or user name under which the event occurred.

• Event Type: The type of event that occurred.

• Timestamp: The date and time when the event occurred.

• Affected Domain(s): The domains (if any) that were affected by the
event.

• Fields:

  • Field: The names of the fields that were affected by the event.

  • New Value: The latest value of the field after the event occurred.

  • Previous Value: The previous value of the field (if any) before the
    event occurred.


Configuring Syslog Settings


When receiving events, Trend Micro Email Security stores the events in its
database and forwards syslog messages to an external syslog server in a
structured format, which allows third-party application integration.
The Syslog Settings screen is composed of the following tabs:
• Syslog Forwarding: Specifies the mapping between syslog servers and
different types of logs.
• Syslog Server Profiles: Enables you to add, edit or delete syslog servers
for syslog forwarding.


Note
• To ensure Trend Micro Email Security can properly forward syslog
messages, configure your firewall to accept connections from the following
IP addresses or CIDR blocks:
• North America, Latin America and Asia Pacific:
18.208.22.64/26
18.208.22.128/25
18.188.9.192/26
18.188.239.128/26
• Europe, the Middle East and Africa:
18.185.115.0/25
18.185.115.128/26
34.253.238.128/26
34.253.238.192/26
• Australia and New Zealand:
13.238.202.0/25
13.238.202.128/26
• Japan:
18.176.203.128/26
18.176.203.192/26
18.177.156.0/26
18.177.156.64/26
• Singapore:
13.213.174.128/25
13.213.220.0/26
• India:
3.110.59.128/25
3.110.71.192/26
• Be aware that Trend Micro Email Security keeps syslog messages for 7 days
if your syslog server is unavailable. Messages older than 7 days will not be
restored when your syslog server recovers.

Syslog Forwarding
Configure the syslog server to which Trend Micro Email Security forwards
each type of log.

Procedure
1. Go to Logs > Syslog Settings.
The Syslog Forwarding tab appears by default.
2. From the Detection logs drop-down list, select a syslog server for Trend
Micro Email Security to forward syslog messages on threat detections.
a. Select from any of the following options:
• None: Select this option to disable syslog forwarding for this
type of log.
• New: Select this option to add a new syslog server.
For details on syslog server profiles, see Syslog Server Profiles on
page 268.
• Any syslog server profile: Select any profile you configured for
forwarding this type of log.
b. Select the Include spam detections check box if you want to include
spam detection logs in syslog forwarding.
3. From the Audit logs drop-down list, select a syslog server for Trend
Micro Email Security to forward syslog messages for audit logs.
4. From the Mail tracking logs drop-down list, select a syslog server for
Trend Micro Email Security to forward syslog messages for mail tracking
logs, which are related to the accepted traffic that passed through Trend
Micro Email Security.

Note
For details about the accepted traffic defined in mail tracking logs, see
Understanding Mail Tracking on page 241.


5. From the URL click tracking logs drop-down list, select a syslog server
for Trend Micro Email Security to forward syslog messages for URL click
tracking logs.

Syslog Server Profiles


Trend Micro Email Security allows you to add, edit or delete syslog server
profiles for syslog forwarding.

Procedure

1. Go to Logs > Syslog Settings.

The Syslog Forwarding tab appears by default.

2. Click the Syslog Server Profiles tab.

3. Click Add or click the name of an existing profile.

The Add Syslog Server Profile or Edit Syslog Server Profile screen
appears.

4. Specify or edit the following for a syslog server:

• Profile name: Unique profile name for a syslog server.

• Description: Description of this profile.

• Server address: IP address or FQDN of the syslog server.

• Port: Port number of the syslog server.

• Protocol: Protocol to be used to transport logs to the syslog server.

• TCP

• TLS+TCP

This option applies Transport Layer Security (TLS)
encryption to messages sent to the syslog server.


• Format: Format in which event logs are sent to the syslog server.
• Key value
• CEF
For details about Common Event Format (CEF), see
Content Mapping Between Log Output and CEF Syslog Type on page
270.
• Severity: Severity level assigned to syslog messages.
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug
• Facility:
• user
• mail
• auth
• authpriv
• local0
• local1
• local2
• local3


• local4
• local5
• local6
• local7
• Enable TLS authentication: Whether to enable TLS authentication
for the connection between the syslog server and Trend Micro
Email Security.
5. Click Save.
If you select the Enable TLS authentication check box, Trend Micro
Email Security starts to execute TLS authentication.
• If the TLS authentication is successful, the new syslog server profile
appears in the profile list on the Syslog Server Profiles tab or the
existing profile is updated.
• If the TLS authentication is unsuccessful, the Peer Certificate
Summary dialog box pops up, displaying peer certificate
information such as the certificate ID, subject, and subject key ID.
When detecting that the certificate is not issued by a known
Certificate Authority (CA), Trend Micro Email Security prompts you
to trust or not trust the certificate. In other cases, an error message
is displayed, instructing you how to fix the error.

Note
To test the connection between the syslog server and Trend Micro Email
Security, click Test under Connection.

Content Mapping Between Log Output and CEF Syslog Type


To enable flexible integration with third-party log management systems,
Trend Micro Email Security supports Common Event Format (CEF) as the
syslog message format.


Common Event Format (CEF) is an open log management standard created
by HP ArcSight. Trend Micro Email Security uses a subset of the CEF
dictionary.
The following tables outline syslog content mapping between Trend Micro
Email Security log output and CEF syslog types.

CEF Detection Logs


Table 61. CEF Detection Logs

CEF Key             Description                Value

Header (logVer)     CEF format version         CEF: 0
Header (vendor)     Appliance vendor           Trend Micro
Header (pname)      Appliance product          TMES
Header (pver)       Appliance version          Example: 1.0.0.0
Header (eventid)    Signature ID               100101
Header (eventName)  Description                DETECTION
Header (severity)   Email severity             6: Medium
rt                  Log generation time        Example: 2018-06-28 03:22:31
cs1Label            Event type                 eventType
cs1                 Event type                 Example: ransomware
cs2Label            Domain name                domainName
cs2                 Domain name                Example: example1.com
suser               Email sender               Example: user1@example1.com
duser               Email recipients           Example: user2@example2.com
cs3Label            Email message direction    direction
cs3                 Email message direction    • incoming
                                               • outgoing
cs4Label            Unique message identifier  messageId
cs4                 Unique message identifier  Example: 201605181642138223747@trend.com
msg                 Email subject              Example: hello
cn1Label            Email message size         messageSize
cn1                 Email message size         Example: 1809
cs5Label            Violated event analysis    policyName
cs5                 Violated event analysis    Example: Spam
cs6Label            Violated event details     details
cs6                 Violated event details     Example:
                                               {"threatNames":"Troj",
                                               "fileInfo":[{"fileName":"file1","fileSha256":"ab
                                               "threatName":"Troj"}]}
act                 Action in the event        • Quarantine
                                               • Bypass
                                               • Delete Attachment
                                               • Insert Stamp
                                               • Tag Subject
                                               • Change Recipient
                                               • Delete Message
                                               • Send Notification
                                               • Reject
                                               • Clean
                                               • BCC
                                               • Deliver
                                               • Insert X-Header
                                               • Encryption in progress

Log sample:
CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|rt=2018-06-28 03:22:31
cs1Label=eventType cs1=virus cs2Label=domainName cs2=example1.com
suser=user1@example1.com duser=user2@example2.com cs3Label=direction
cs3=incoming cs4Label=messageId cs4=201605181642138223747@trend.com
msg=test sample cn1Label=messageSize cn1=1809 cs5Label=policyName
cs5=Test Rule act=Quarantine cs6Label=details cs6={"threatNames":"Troj",
"fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606cea
"threatName":"Troj"}]}

CEF Audit Logs


Table 62. CEF Audit Logs

CEF Key             Description                   Value

Header (logVer)     CEF format version            CEF: 0
Header (vendor)     Appliance vendor              Trend Micro
Header (pname)      Appliance product             TMES
Header (pver)       Appliance version             Example: 1.0.0.0
Header (eventid)    Signature ID                  300101
Header (eventName)  Description                   AUDIT
Header (severity)   Email severity                4: Low
rt                  Log generation time           Example: 2018-06-28 03:22:31
cs1Label            Account type                  accountType
cs1                 Account type                  • end user
                                                  • admin
suser               Email sender                  Example: user1@example1.com
cs2Label            Event type                    eventType
cs2                 Event type                    Example: End-User Actions
act                 Action in the event           Example: User login to End User Console
cs3Label            Domain affected by the event  affectedDomains
cs3                 Domain affected by the event  Example: example1.com

Log sample:
CEF:0|Trend Micro|TMES|1.0.0.0|300101|AUDIT|4|rt=2018-06-28 03:22:31
cs1Label=accountType cs1=end user suser=user1@example1.com cs2Label=eventType
cs2=End-User Actions act=User login to End User Console cs3Label=affectedDomains
cs3=


CEF Mail Tracking Logs (Accepted Traffic)


Table 63. CEF Mail Tracking Logs (Accepted Traffic)

CEF Key                  Description                 Value

Header (logVer)          CEF format version          CEF: 0
Header (vendor)          Appliance vendor            Trend Micro
Header (pname)           Appliance product           TMES
Header (pver)            Appliance version           Example: 1.0.0.0
Header (eventid)         Signature ID                400101
Header (eventName)       Description                 TRACKING
Header (severity)        Email severity              4: Low
rt                       Log generation time         Example: 2018-06-28 03:22:31
suser                    Email sender                Example: user1@example1.com
duser                    Email recipients            Example: user2@example2.com
msg                      Email subject               Example: hello
src                      Source IP address           Example: 10.1.144.199
deviceTranslatedAddress  Relay MTA IP address        Example: 204.92.31.146
cs1Label                 Internal email message ID   mailUuid
cs1                      Internal email message ID   Example: 6965222B-13A6-C705-89D4-6251B6C41E03
cs2Label                 Email message direction     direction
cs2                      Email message direction     • incoming
                                                     • outgoing
cs3Label                 Unique message identifier   messageId
cs3                      Unique message identifier   Example: 201605181642138223747@trend.com
cs4Label                 Email attachments           attachments
cs4                      Email attachments           Example: [["filename", "sha256"], ["filename", "sha256"], ...]
cn1Label                 Email message size          messageSize
cn1                      Email message size          Example: 1809
act                      Action on an email message  • Bounced
                                                     • Temporary delivery error
                                                     • Deleted
                                                     • Delivered
                                                     • Expired
                                                     • Quarantined
                                                     • Redirected
                                                     • Submitted to sandbox
                                                     • Password analyzing
cs5Label                 TLS information             tlsInfo
cs5                      TLS information             Example: upstreamTLS: None; downstreamTLS: TLS 1.2

Log sample:
CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|rt=2019-12-10T08:26:46.728Z
suser=user1@example1.com duser=user2@example2.com msg=DLP--test src=1.1.1.1
deviceTranslatedAddress=2.2.2.2 cs1Label=mailUuid
cs1=7ea8f636-c26e-4b78-a341-9b5becb83db7 cs2Label=direction cs2=incoming
cs3Label=messageId cs3=<201802061558581772031@example.com>
cn1Label=messageSize cn1=41438 act=Delivered cs4Label=attachments
cs4=[{"sha256":"f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"}]
cs5Label=tlsInfo cs5=upstreamTLS: None; downstreamTLS: TLS 1.2
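
Parsing the audit and mail tracking samples above into named fields on the receiving side, as an added example that is not part of this guide or of Trend Micro's code. The function parse_cef and its regular expressions are assumptions of this example, and it relies on the CEF convention that a literal = inside a value is escaped as \=.

```python
import json
import re

# Header field names as listed in the CEF tables on this page.
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

# The page's audit and mail tracking log samples, re-joined onto one line each
# (the page wraps them for layout).
AUDIT_SAMPLE = (
    "CEF:0|Trend Micro|TMES|1.0.0.0|300101|AUDIT|4|rt=2018-06-28 03:22:31 "
    "cs1Label=accountType cs1=end user suser=user1@example1.com cs2Label=eventType "
    "cs2=End-User Actions act=User login to End User Console cs3Label=affectedDomains "
    "cs3="
)
TRACKING_SAMPLE = (
    "CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|rt=2019-12-10T08:26:46.728Z "
    "suser=user1@example1.com duser=user2@example2.com msg=DLP--test src=1.1.1.1 "
    "deviceTranslatedAddress=2.2.2.2 cs1Label=mailUuid "
    "cs1=7ea8f636-c26e-4b78-a341-9b5becb83db7 cs2Label=direction cs2=incoming "
    "cs3Label=messageId cs3=<201802061558581772031@example.com> "
    "cn1Label=messageSize cn1=41438 act=Delivered cs4Label=attachments "
    'cs4=[{"sha256":"f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"}] '
    "cs5Label=tlsInfo cs5=upstreamTLS: None; downstreamTLS: TLS 1.2"
)

_PIPE = re.compile(r"(?<!\\)\|")                          # unescaped header delimiter
_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", re.S)   # key=value up to the next key=
_LABEL = re.compile(r"^c[sn]\d+Label$")                   # cs1Label, cn1Label, ...
_ESCAPED = re.compile(r"\\([=|\\])")                      # CEF escapes: \= \| \\


def parse_cef(line):
    """Return {"header": {...}, "fields": {...}} for one CEF syslog line.

    Values may contain spaces ("end user", "User login to End User Console"),
    so a value runs until the next " key=" token rather than the next space.
    Custom fields (cs1..cs6, cn1) are renamed using their csNLabel value.
    """
    start = line.find("CEF:")  # skip any syslog priority/timestamp prefix
    if start < 0:
        raise ValueError("not a CEF message")
    parts = _PIPE.split(line[start + 4:].strip(), maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    header = {k: _ESCAPED.sub(r"\1", v.strip()) for k, v in zip(HEADER_KEYS, parts)}
    raw = {m.group(1): _ESCAPED.sub(r"\1", m.group(2)) for m in _EXT.finditer(parts[7])}

    fields = {}
    for key, value in raw.items():
        if _LABEL.match(key):
            continue  # labels only name their sibling key
        name = raw.get(key + "Label", key)
        if key.startswith("cn") and value.isdigit():
            value = int(value)
        elif value.startswith(("[", "{")):
            try:
                value = json.loads(value)  # attachments / details payloads
            except ValueError:
                pass  # truncated or non-JSON payload: keep the raw text
        fields[name] = value
    return {"header": header, "fields": fields}


if __name__ == "__main__":
    for sample in (AUDIT_SAMPLE, TRACKING_SAMPLE):
        print(json.dumps(parse_cef(sample), indent=2))
```

Because the positional keys are reused across log types (cs1 is eventType in detection logs, accountType in audit logs and mailUuid in mail tracking logs), downstream rules should key on the label-derived names rather than on cs1 to cs6.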


Reports
Trend Micro Email Security provides reports to assist in mitigating threats
and optimizing system settings. Generate reports based on a daily, weekly,
monthly or quarterly schedule. Trend Micro Email Security offers flexibility
in specifying the content for each report.
Reports are generated in PDF format.

My Reports
The My Reports tab shows all reports generated by Trend Micro Email
Security.
From the Type drop-down list, select the type of scheduled reports you
want to view.

Field      Description

Period     Time range that a report covers.
Type       Type of the scheduled report listed.
Report     File format of the report, which is PDF only.
Generated  Time when the report is generated.

On the My Reports screen, you can also sort the reports by the time they
were generated and download reports to your local system for further
analysis.
The information displayed in a report could vary depending on the options
you select, and threat types included in reports are consistent with those
shown on the dashboard.


Note
On the My Reports screen, you can save a maximum of 31 daily reports, 12
weekly reports, 12 monthly reports, and 4 quarterly reports. If the number of
reports reaches the maximum, the oldest report will be overwritten.

Scheduled Reports
Scheduled reports automatically generate according to the configured
schedules. The Schedules tab shows all the report schedules, and each
schedule contains settings for reports. Reports generate on a specified day of
each schedule, which is not configurable.
• Weekly reports generate on every Sunday.
• Monthly reports generate on the first calendar day of every month.
• Quarterly reports generate on the first calendar day of every quarter.

Note
This screen does not contain any generated reports. To view the generated
reports, go to Reports > My Reports.

Procedure
1. Go to Reports > Schedules.
2. Choose the type of scheduled reports you want to generate and click the
report type:
• Daily Report
• Weekly Report
• Monthly Report
• Quarterly Report
3. Complete settings for the scheduled reports.


• Status: Specifies whether to enable the scheduled reports.

• Report Content: Specifies the detailed information contained in the
scheduled reports.

• Sending schedule: Specifies how often and when scheduled reports
will be sent by email.

Note
When a monthly report schedule is set to send reports on the 29th,
30th, or 31st day, the report is delivered on the last day of the month
for months with fewer days. For example, if you select 31, the report
is delivered on the 28th (or 29th) in February, and on the 30th in
April, June, September, and November.

By default, quarterly reports are delivered at 8:00 a.m. on the first day
of each calendar quarter, and the default setting is not configurable.

• Notify: Specifies the recipients of the scheduled reports.

Note
Make sure the recipients' domains are your managed domains.
Separate multiple recipients with a semicolon.

4. Click Save.

Configuring Administration Settings

Policy Objects
Common policy objects, such as keyword expressions, notifications, stamps,
and the Web Reputation Approved List, simplify policy management by storing
configurations that can be shared across all policies.


Managing Address Groups


Creating an address group facilitates your policy management. You can use
the Address Groups screen to manage address groups in Trend Micro Email
Security.
Table 64. Address Groups Screen

Tasks                     Steps

Querying Address Groups   1. Specify an address group name, an email address, or a
                             domain name.
                          2. Click Search.

                          Note
                          For Email, the supported formats are name@example.com,
                          *@example.com, name@*, name@*.example.com, and
                          *@*.example.com.
                          For example, searching for name@*.example.com will
                          return the following:
                          • name@info.example.com
                          • name@*.example.com
                          • name@*.com
                          • name@*
                          • *@info.example.com
                          • *@*.example.com
                          • *@*.com

Adding an Address Group   Click Add.
                          1. In the Basic Information section, provide the following
                             information:
                             • Name: A name for the address group.
                             • Description (optional): A description for the address
                               group.
                             • Internal Group (optional): An address group that only
                               contains managed domains or email addresses that
                               belong to managed domains.

                               Important
                               You must use internal groups when specifying
                               senders (or sender exceptions) in outbound
                               policies or recipients (or recipient exceptions) in
                               inbound policies.

                          • In the Email Addresses section, choose either of the
                            following ways to specify the email addresses in the
                            address group:
                            • Specify the email address in the text box and click
                              Add.

                              Note
                              Only one email address can be added at a time.
                              For more information about the valid formats
                              of the email addresses, see the table below.

                            • Import email addresses.
                              a. Click Import.
                              b. Next to File location, browse and select a CSV
                                 file to import.
                                 You can click Download sample file to view a
                                 sample of a properly formatted file.
                                 Trend Micro Email Security checks all the
                                 entries in the selected file to identify any invalid
                                 and duplicate email addresses.
                              c. After you confirm all the entries to be imported,
                                 click Import.
                          • Click Submit.

Editing an Address Group  In the Address Groups list, click the name of the group you want to
                          edit and follow the instructions in Adding an Address Group
                          procedure in this table.

                          Note
                          A hybrid address group cannot be changed into an internal
                          group if the group contains at least one wildcard domain
                          member.

Deleting Address Groups   In the Address Groups list, select the groups to delete. Click
                          Delete, and click OK to confirm.

                          Note
                          Only address groups that are not referenced by any policies
                          can be deleted.

The following table displays format examples for address groups:


Table 65. Format Examples for Address Groups

Valid for Internal Address Group  Valid for Hybrid Address Group

name@example.com                  name@example.com
name@info.example.com             name@info.example.com
*@example.com                     *@example.com
*@info.example.com                *@info.example.com
                                  name@*
                                  name@*.example.com
                                  *@*.example.com

Managing the URL Keyword Exception List


URLs that contain any of the specified keywords will bypass Time-of-Click
Protection and Virtual Analyzer scanning. This bypass is useful, for example,
for one-click URLs, because subjecting such URLs to the two types of
scanning can possibly invalidate the links.
Note that the protocol and domain parts of a URL are not used for
keyword matching. The following is an example:

Keyword       URL                                                 Keyword Match Result

registration  http://example.com/registration                     Match
              http://registration.example.com/Dashboard?T=XCdSN   Not match

You can manage keywords on the URL Keyword Exception List screen.
Table 66. URL Keyword Exception List Screen

Add keywords     1. Click Add.
                 2. Specify a keyword that consists of 3 to 256 alphanumeric
                    characters and underscores.
                 3. Click Save.
                    The new keyword appears in the keyword list.
                 4. Add multiple entries if necessary.

                 Note
                 If your Customer Licensing Portal or Licensing
                 Management Platform account has created multiple
                 administrator accounts, be aware that the total number
                 of entries added by all the accounts cannot exceed 100
                 entries.

Delete keywords  Select the keywords you want to delete and click Delete.


Managing the Web Reputation Approved List


The Web Reputation Approved List gives you a way to bypass scanning
and blocking of URLs that you consider safe. When URLs match the
domains or IP addresses specified in the Web Reputation Approved List, the
URLs will not be scanned by Web Reputation, Time-of-Click Protection, or
Virtual Analyzer.

Procedure

1. Enable the Web Reputation Approved List.

a. Create or edit an inbound or outbound policy.

For details about configuring a policy, see Configuring Policies on
page 158.

b. Click the Scanning Criteria tab.

c. Select and click Web reputation.

d. Under Web Reputation Approved List, select the Enable the Web
Reputation Approved List check box.

2. Manage the Web Reputation Approved List.

The Web Reputation Approved List is available in the following path:

Administration > Policy Objects > Web Reputation Approved List

Option                       Description

Add a record to the Web      a. Click Add.
Reputation Approved List        The Add Domain or IP Address screen appears.
                             b. Type a domain name or an IP address.
                                Specify a domain in one of the following formats:
                                • example.com
                                • subdomain.example.com
                                • *.example.com
                                  This format matches all the subdomains under the
                                  example.com domain, for example, a.example.com,
                                  a.b.example.com.
                             c. Click OK.

Delete records from the Web  a. Select one or multiple records from the existing list and click
Reputation Approved List        Delete.
                             b. Click OK to confirm your deletion.

Keyword Expressions
Keyword expressions can be:
• Groups of literal text characters
• Patterns, defined using symbols (regular expressions) that describe a
range of possible groupings of text
• A mixture of literal text and symbolic patterns
For example, a keyword expression might be a single word, a phrase, or even
a substring; or it might be a pattern that defines a more general grouping of
text, such as an asterisk used as a wildcard to stand in for any text of one or
more characters in length.
Regular expressions, often called regexes, are sets of symbols and syntactic
elements used to match patterns of text. The symbols stand in for character
patterns or define how the expression is to be evaluated. Using regular
expressions is a sophisticated way to search for complex character patterns in
large blocks of text. For example, suppose you want to search for the
occurrence of an email address—any email address—in a block of text. You
can build a regular expression that will match any pattern of text that has
any valid name string, followed by an @ character, followed by any valid
domain name string, followed by a period, followed by any valid domain
suffix string.


Trend Micro Email Security uses a subset of POSIX regular expression
syntax.

Tip
If your expression includes the characters \ | ( ) { } [ ] . ^ $ * + or ?, you must
escape them by using a \ immediately before the character. Otherwise, they will
be assumed to be regular expression operators rather than literal characters.

This help system contains a brief summary of common regex elements, but a
thorough guide to regular expression syntax is beyond the scope of this help
system. However, there are many sources of reference information available
on the Web or in books.

About Regular Expressions


Trend Micro Email Security treats all keyword expressions as regular
expressions. Trend Micro Email Security uses a subset of POSIX regular
expression syntax and supports the following regular expressions.

Characters

REGULAR EXPRESSION  DESCRIPTION

. (dot)             Any character (byte) except newline
x                   The character 'x'
\\                  The character '\'
\a                  The alert (bell) character (ASCII 0x07)
\b                  • If this meta-symbol is within square brackets [] or by itself,
                      it will be treated as the backspace character (ASCII 0x08).
                      For example, [\b] or \b
                    • If this meta-symbol is at the beginning (or end) of a regular
                      expression, it means any matched string of the regular
                      expression must check whether the left (or right) side of the
                      matched string is a boundary. For example:
                      • \bluck > left side must be the boundary
                      • luck\b > right side must be the boundary
                      • \bluck\b > both sides must be the boundary
                    • If this meta-symbol appears in the middle of a regular
                      expression, it will cause a syntax error.
\f                  The form-feed character (ASCII 0x0C)
\n                  The newline (line feed) character (ASCII 0x0A)
\r                  The carriage-return character (ASCII 0x0D)
\t                  The normal (horizontal) tab character (ASCII 0x09)
\v                  The vertical tab character (ASCII 0x0B)
\n                  The character with octal value 0n (0 <= n <= 7)
\nn                 The character with octal value 0nn (0 <= n <= 7)
\mnn                The character with octal value 0mnn (0 <= m <= 3, 0 <= n <= 7)
\xhh                The character with a hexadecimal value 0xhh, for example, \x20
                    means the space character

Tip
If your expression includes the characters \ | ( ) { } [ ] . ^ $ * + or ?, you must
escape them by using a \ immediately before the character. Otherwise, they will
be assumed to be regular expression operators rather than literal characters.

Bracket Expression and Character Classes

Bracket expressions are a list of characters and/or character classes enclosed
in brackets []. Use bracket expressions to match single characters in a list, or
a range of characters in a list. If the first character of the list is the caret ^,
then it matches characters that are not in the list.
For example:

EXPRESSION MATCHES

[abc] a, b, or c

[a-z] a through z

[^abc] Any character except a, b, or c

[[:alpha:]] Any alphabetic character (see below)

The following character classes must be within a bracket expression or they will
be treated as a common expression.

CHARACTER CLASS  DESCRIPTION

[:alpha:]        Alphabetic characters
[:digit:]        Digits
[:alnum:]        Alphabetic characters and numeric characters
[:cntrl:]        Control character
[:blank:]        Space and tab
[:space:]        All white space characters
[:graph:]        Non-blank (not spaces, control characters, or the like)
[:print:]        Like [:graph:], but includes the space character
[:punct:]        Punctuation characters
[:lower:]        Lowercase alphabetic character
[:upper:]        Uppercase alphabetic character
[:xdigit:]       Digits allowed in a hexadecimal number (0-9a-fA-F)

For example:
• a[[:digit:]]b matches "a0b", "a1b", ..., "a9b".
• a[:digit:]b matches "a:b", "adb", …, "atb".
• [[:digit:]abc] matches any digit or any of "a", "b", and "c".
• [abc[:digit:]] matches any digit or any of "a", "b", and "c".
For a case-insensitive expression, [:lower:] and [:upper:] are equivalent to
[:alpha:].

Boundary Matches

EXPRESSION DESCRIPTION

^ Beginning of line

$ End of line


Greedy Quantifiers

EXPRESSION  DESCRIPTION

R?          Matches R, once or not at all
R*          Matches R, zero or more times
R+          Matches R, one or more times
R{n}        Matches R, exactly n times
R{n,}       Matches R, at least n times
R{n,m}      Matches R, at least n but no more than m times

R is a regular expression.

Trend Micro does not recommend using ".*" in a regular expression. ".*"
matches strings of any length, and the large number of matches may increase
memory usage and affect performance.

For example:

If the content is 123456abc, the regular expression ".*abc" match results are:

• 123456abc

• 23456abc

• 3456abc

• 456abc

• 56abc

• 6abc

• abc

In this example, replace ".*abc" with "abc" to prevent excessive use of
resources.
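
A pre-check for keyword expressions that applies three rules stated in this section: \b in the middle of an expression, a character class written outside a bracket expression, and ".*". This is an added example, not part of the guide or the product. The name lint_expression and its finding codes are hypothetical, and the scanner only approximates how the product parses expressions.

```python
import re

# Character class names from the table in this section.
POSIX_CLASSES = {
    "alpha", "digit", "alnum", "cntrl", "blank", "space",
    "graph", "print", "punct", "lower", "upper", "xdigit",
}
_CLASS = re.compile(r"\[:([a-z]+):\]")

MESSAGES = {
    "dot-star": '".*" is not recommended: many matches, high memory use',
    "boundary-in-middle": r"\b in the middle of an expression is a syntax error",
    "class-outside-brackets": "character class outside [] is read as a plain "
                              "bracket list, e.g. a[:digit:]b matches a:b or adb",
}


def lint_expression(expr):
    """Return a list of (offset, code) findings for one keyword expression."""
    findings = []
    i, n = 0, len(expr)
    in_bracket = False
    while i < n:
        ch = expr[i]
        if ch == "\\" and i + 1 < n:
            # \b is a boundary only at the very start or end of the expression;
            # inside [] or on its own it is the backspace character.
            if expr[i + 1] == "b" and not in_bracket and 0 < i < n - 2:
                findings.append((i, "boundary-in-middle"))
            i += 2  # an escaped character is always literal
            continue
        if in_bracket:
            cls = _CLASS.match(expr, i)
            if cls:
                i = cls.end()  # [:digit:] nested in a bracket list is correct
            else:
                in_bracket = ch != "]"
                i += 1
            continue
        if ch == "[":
            cls = _CLASS.match(expr, i)
            if cls and cls.group(1) in POSIX_CLASSES:
                findings.append((i, "class-outside-brackets"))
                i = cls.end()
                continue
            in_bracket = True
            i += 1
            # POSIX convention (assumed here): a leading ^ negates the list
            # and a ] placed first is a literal member.
            if i < n and expr[i] == "^":
                i += 1
            if i < n and expr[i] == "]":
                i += 1
            continue
        if expr.startswith(".*", i):
            findings.append((i, "dot-star"))
            i += 2
            continue
        i += 1
    return findings


if __name__ == "__main__":
    # Constructed sample expressions, not taken from any real policy.
    for sample in (".*abc", "a[:digit:]b", r"lu\bck", r"\bluck\b", "a[[:digit:]]b"):
        for offset, code in lint_expression(sample):
            print(f"{sample!r} @ {offset}: {MESSAGES[code]}")
```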


Logical Operators

EXPRESSION  DESCRIPTION

RS          R followed by S (concatenation)
R|S         Either R or S
(R)         Grouping R
.REG.       Indicates the following operand is a regular expression
.WILD.      Compares the operands, which follow it with wildcard comparison
.NOT.       Inverts the logic meaning
.AND.       Logical AND
            Both operands must appear in the entity to trigger the expression.
.OR.        Logical OR
            At least one of the operands must appear in the entity to trigger
            the expression.

R and S are regular expressions.

Shorthand and meta-symbol

Trend Micro Email Security provides the following shorthand for writing
complicated regular expressions. Trend Micro Email Security will pre-process
expressions and translate the shorthand into regular expressions.

For example, {D}+ would be translated to [0-9]+. If a shorthand expression is
enclosed in brackets (example: {}) or double-quotes, then Trend Micro Email
Security will not translate that shorthand expression to a regular expression.

SHORTHAND  DESCRIPTION

{D}        [0-9]
{L}        [A-Za-z]
{SP}       [(),;\.\\<>@\[\]:]
{NUMBER}   [0-9]+
{WORD}     [A-Za-z]+
{CR}       \r
{LF}       \n
{LWSP}     [ \t]
{CRLF}     (\r\n)
{WSP}      [ \t\f]+
{ALLC}     .

Trend Micro Email Security also provides the following meta-symbols. The
difference between shorthand and meta-symbols is that meta-symbols can
be within a bracket expression.

META-SYMBOL DESCRIPTION

\s [[:space:]]

\S [^[:space:]]

\d [[:digit:]]

\D [^[:digit:]]

\w [_[:alnum:]]

\W [^_[:alnum:]]
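
The shorthand translation described above can be modelled offline to see what an expression becomes before it is saved. The following Python sketch is an added example, not Trend Micro code: it expands the shorthand table, leaves shorthand inside bracket expressions and double quotes untouched, and reports any ".*" that remains a wildcard after translation (including one produced by {ALLC}*). It assumes that "brackets" means a bracket expression [...] and that the service's pre-processor follows the same scanning rules.

```python
import re

# Shorthand table as listed in the guide (name -> regular expression).
SHORTHAND = {
    "D": "[0-9]", "L": "[A-Za-z]", "SP": r"[(),;\.\\<>@\[\]:]",
    "NUMBER": "[0-9]+", "WORD": "[A-Za-z]+", "CR": r"\r", "LF": r"\n",
    "LWSP": r"[ \t]", "CRLF": r"(\r\n)", "WSP": r"[ \t\f]+", "ALLC": ".",
}
# An escaped character (left alone) or a {NAME} token. Quantifiers such as
# {3} or {2,5} never match because NAME must be upper-case letters.
_TOKEN = re.compile(r"\\.|\{([A-Z]+)\}", re.S)
_DOT_STAR = re.compile(r"\\.|(\.\*)", re.S)


def _spans(expr):
    """Yield (start, end, protected). Protected spans are bracket
    expressions [...] and double-quoted strings (assumed delimiters)."""
    i = plain = 0
    n = len(expr)
    while i < n:
        ch = expr[i]
        if ch == "\\":                      # escaped char cannot open [ or "
            i += 2
            continue
        if ch not in '["':
            i += 1
            continue
        close = "]" if ch == "[" else '"'
        j = i + 1
        if ch == "[":
            if expr.startswith("^", j):
                j += 1
            if expr.startswith("]", j):     # a leading ] is a literal
                j += 1
        while j < n and expr[j] != close:
            if expr[j] == "\\":
                j += 2
            elif ch == "[" and expr.startswith("[:", j):   # POSIX class
                k = expr.find(":]", j + 2)
                j = n if k == -1 else k + 2
            else:
                j += 1
        end = min(j + 1, n)                 # unterminated: protect the rest
        if plain < i:
            yield plain, i, False
        yield i, end, True
        i = plain = end
    if plain < n:
        yield plain, n, False


def translate_shorthand(expr):
    """Expand {NAME} shorthand outside bracket expressions and quotes."""
    def expand(m):
        return SHORTHAND.get(m.group(1), m.group(0)) if m.group(1) else m.group(0)
    return "".join(
        expr[s:e] if protected else _TOKEN.sub(expand, expr[s:e])
        for s, e, protected in _spans(expr)
    )


def find_dot_star(expr):
    """Return (translated, offsets). Offsets locate each '.*' that is still
    a wildcard after translation, the construct the guide advises against."""
    translated = translate_shorthand(expr)
    hits = []
    for s, e, protected in _spans(translated):
        if not protected:
            hits += [s + m.start(1)
                     for m in _DOT_STAR.finditer(translated[s:e]) if m.group(1)]
    return translated, hits


if __name__ == "__main__":
    # Constructed sample expressions, not taken from any real policy.
    for sample in ["{D}{3}-{WORD}", "[{D}]+", '"{D}"{D}', "{ALLC}*abc", r"a\.*b"]:
        print(sample, "->", find_dot_star(sample))
```

Python's re module does not accept POSIX classes such as [[:digit:]], so the meta-symbol table is not translated here; \d, \s and \w already have the listed meaning in Python.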


Using Keyword Expressions


You can select existing keyword expressions from the list of those available.
New keyword expressions can be defined and saved, either from scratch or
by copying and editing an existing expression.

Procedure

1. Create or edit a content filtering policy.

2. Click the Scanning Criteria tab.

3. Select Advanced and click keyword expressions for each condition.

4. Select an existing keyword expression from the Available field.

5. Click the move button (Add>) to move the selected keyword expression
to the Selected field.

Note
You can also add, edit, copy, or delete keyword expressions.

6. Repeat until you have moved all the keyword expressions you want to
apply.

Adding Keyword Expressions


New keyword expressions can be defined and saved, and then applied to a
rule.

Procedure

1. Go to Administration > Policy Objects > Keywords and Expressions.

2. Click Add.

3. Type a name for the list of keyword expressions.


4. Next to Match, select one of the following that specifies when Trend
Micro Email Security takes action:
• Select Any specified to match keywords based on a logical OR.
• Select All specified to match keywords based on a logical AND.
• Select Not the specified to apply the rule to messages that do not
contain the keywords.
• Select Only when combined score reaches threshold to apply the
rule to messages that contain one or more keywords whose
combined score reaches a threshold.
Next to Total message score to trigger action, specify a number
that represents the maximum score for allowed keyword
expressions. When you add an expression, you can set a value for
Score.

5. Create keyword expressions for the list.


a. Click Add.
b. Specify a keyword expression, set whether it is case sensitive,
specify a description for the added keyword expression, and click
Save.
c. In the Test Area section, test the keyword expression against actual
data.
For example, if the expression is for a national ID, type a valid ID
number in the Test data text box, click Test, and then check the
result.
d. Click Save if you are satisfied with the result.
6. Click Save.

Editing Keyword Expressions


Existing keyword expressions can be modified, or can be copied with a new
name.


Procedure
1. Go to Administration > Policy Objects > Keywords and Expressions.
2. Click the name of a keyword expression list.
3. Edit the keyword expression information as required.
4. Click Save.

Managing Notifications
You can use the Notifications screen to manage notifications in Trend Micro
Email Security.
For information on using and configuring notifications, see About the Send
Notification Action on page 226.


Table 67. Notifications Screen

Task: Adding a Notification
Steps:
Click Add.
1. Provide the following information:
• Name: A name for the notification email message.
• From: The email addresses that you want to use to send notification
messages from.
• To: The recipient email address.
• Subject: The notification email message subject. You can also use
variables in your notification email message. See Rule Tokens/Variables
on page 220.
Optionally select the Attach the original message check box and specify
when to attach the original message in the notification. If the message
content was altered due to the policy actions you configured, Trend Micro
Email Security attaches the message that has been processed rather than
the original message.
• Body (optional): The email notification message body.
2. Click Save.
Tip
Often a new notification will be very similar to one you already have. In
that case, it is usually easier to copy the notification and edit it rather
than create a new notification from scratch.

Task: Copying Notifications
Steps: In the Notifications list, select the notification to copy. Click Copy.

Task: Editing Notifications
Steps: In the Notifications list, click the name of the notification you want
to edit and follow the instructions in the Adding a Notification procedure in
this table.

Task: Deleting Notifications
Steps: In the Notifications list, select the notifications to delete. Click
Delete, and click OK to confirm.

Managing Stamps
Trend Micro Email Security supports both HTML stamps and plain text
stamps.

You can use the Stamps screen to manage stamps in Trend Micro Email Security.

For information on inserting and configuring stamps, see Inserting a Stamp
on page 217.

Table 68. Stamps Screen

Task: Adding a Stamp
Steps:
Click Add.
1. Provide the following information:
• Name: A name for the stamp.
Optionally select Do not stamp message formats that might become
corrupted or unreadable, such as digitally signed and Outlook TNEF if
necessary.
• Insert at: Select whether you want to insert the stamp at the beginning
or at the end of the message body.
• HTML: Specify the HTML content for the stamp as desired.
  • Predefined style:
  Trend Micro Email Security provides a predefined style for HTML stamps
  that indicate Information, Suspicious, or Dangerous risk level. Select a
  risk level and modify the HTML content with the rich text editor. Trend
  Micro Email Security offers a preview of the stamp and automatically
  generates a plain text stamp with the same content in real time.
  • Customized style:
  Trend Micro Email Security allows you to specify HTML stamp content and
  plain text stamp content separately.
Note
Optionally include variables in your stamps by using the tokens listed in
Rule Tokens/Variables on page 220.
When a message triggers the rule, the HTML stamp will be inserted into the
HTML content of the message, and the plain text stamp will be inserted into
the plain text content of the message.
2. Click Save.
Tip
Often a new stamp will be very similar to one you already have. In that case,
it is usually easier to copy the stamp and edit it rather than create a new
stamp from scratch.

Task: Copying Stamps
Steps: In the Stamps list, select the stamp to copy. Click Copy.

Task: Editing Stamps
Steps: In the Stamps list, click the name of the stamp you want to edit
and follow the instructions in the Adding a Stamp procedure in this
table.

Task: Deleting Stamps
Steps: In the Stamps list, select the stamps to delete. Click Delete, and
click OK to confirm.

Email Continuity

Note
This feature is not included in the Trend Micro Email Security Standard license.

For details about different license versions, see Available License Versions on page
17.

With Email Continuity, Trend Micro Email Security provides a standby email
system that gives virtually uninterrupted use of email in the event of a mail
server outage. If a planned or unplanned outage occurs, Trend Micro Email
Security will keep your incoming email messages for 10 days. Once your
email server is back online within the 10-day period, these messages will be
restored to your email server.

A continuity mailbox is available instantly and automatically, providing end
users the ability to read, forward, download and reply to any email messages.
This enables end users to have continued email access during an outage
without requiring any action from IT.

In fact, Trend Micro Email Security will scan the email messages sent from
the continuity mailbox based on its default outbound policy.

Administrators can configure and manage Email Continuity records on the
Trend Micro Email Security administrator console, and end users will be
able to use the continuity mailbox to manage email messages on the End
User Console.

Share the End User Console web address for your region with your end users:
• North America, Latin America and Asia Pacific:
https://euc.tmes.trendmicro.com
• Europe, the Middle East and Africa:
https://euc.tmes.trendmicro.eu
• Australia and New Zealand:
https://euc.tmes-anz.trendmicro.com
• Japan:
https://tm.tmems-jp.trendmicro.com
• Singapore:
https://tm.tmes-sg.trendmicro.com
• India:
https://tm.tmes-in.trendmicro.com

Adding an Email Continuity Record


Add Email Continuity records for specified recipient domains to provide
uninterrupted email access for end users on this domain during email server
outages.

Procedure
1. Go to Administration > Email Continuity.
2. Click Add.
The Add Email Continuity Record screen appears.
3. Select a specific recipient domain from the Domain name drop-down
list.

4. Select Enable Email Continuity to apply Email Continuity to the selected
domain.
5. Select Enable Email Sending.

Note
This option is disabled by default.
This option allows you to compose and send email messages directly from
the End User Console. If your domain has SPF records, make sure the
following record is included:
spf.tmes.trendmicro.com

6. Click Add.
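
Before enabling Email Sending, the SPF requirement in the note above can be checked against the domain's published TXT records. The following Python sketch is an added example, not part of the guide: it assumes "included" means an include: mechanism, takes the TXT strings as input (constructed samples are embedded so it runs offline), and flags the cases in which the include is absent or never takes effect.

```python
import re

TMES_INCLUDE = "spf.tmes.trendmicro.com"      # value given in the guide
# Terms that cost one DNS lookup each; RFC 7208 section 4.6.4 allows 10.
# Lookups made inside included records are not visible offline.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _is_spf(record):
    r = record.strip().lower()
    return r == "v=spf1" or r.startswith("v=spf1 ")


def check_spf(txt_records, required=TMES_INCLUDE):
    """Return (status, findings) for the TXT records of one domain.

    status is "no-spf" (nothing to change), "ok", or "fix".
    """
    spf = [r.strip() for r in txt_records if _is_spf(r)]
    if not spf:
        return "no-spf", ["domain publishes no SPF record"]
    if len(spf) > 1:
        return "fix", ["%d SPF records published; receivers treat this as "
                       "a permanent error" % len(spf)]

    findings, lookups = [], 0
    include_at = all_at = None
    qualifier = "+"
    for pos, term in enumerate(spf[0].split()[1:]):
        t = term.lower()
        q, body = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if body == "include:" + required.lower() and include_at is None:
            include_at, qualifier = pos, q
        if name == "all" and all_at is None:
            all_at = pos

    if include_at is None:
        findings.append("include:%s is missing" % required)
    else:
        if all_at is not None and all_at < include_at:
            findings.append("include:%s follows 'all' and is never evaluated"
                            % required)
        if qualifier != "+":
            findings.append("include:%s carries qualifier '%s'; a match "
                            "would not produce a pass" % (required, qualifier))
    if lookups > 10:
        findings.append("%d top-level lookup terms exceed the limit of 10"
                        % lookups)
    return ("fix" if findings else "ok"), findings


if __name__ == "__main__":
    # Constructed TXT record sets for illustration only.
    samples = {
        "good": ["v=spf1 mx include:spf.tmes.trendmicro.com ~all"],
        "missing": ["v=spf1 mx include:_spf.example.net ~all"],
        "unreachable": ["v=spf1 -all include:spf.tmes.trendmicro.com"],
        "no record": ["site-verification=constructed"],
    }
    for label, records in samples.items():
        print(label, check_spf(records))
```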

Editing an Email Continuity Record

Procedure
1. Go to Administration > Email Continuity.
2. Click the domain name of the record that you want to edit.
The Edit Email Continuity Record screen appears.
3. Change your settings as required.
4. Click Save.

Administrator Management
Trend Micro Email Security allows you to perform the following
administrator management tasks:
• Creating and managing administrator subaccounts and superadmin
accounts

• Configuring the way that administrator subaccounts and superadmin
accounts access the administrator console

Account Management
Use the Administration > Administrator Management > Account
Management screen to search for administrator subaccounts and
superadmin accounts under your control and perform actions on behalf of
those accounts.
Both administrator subaccounts and superadmin accounts are local
accounts, which can be created by an administrator account (Trend Micro
Business Account) and have the administrator account privileges. The
differences are as follows:
• A subaccount can perform privileged operations only within managed
domains. Even a subaccount created with Full Control permission over
all features may still not be able to perform certain operations. For
example, a subaccount with Full Control permission over domains
cannot add or delete domains.
• A superadmin account is created to ease the administrative burden of
the Business Account. The superadmin account owns all the
permissions of the Business Account, including creating subaccounts or
superadmin accounts. The superadmin account can perform operations
in all domains added to your organization and has unrestricted access to
all features on the administrator console.
For more information about the accessible features of the local accounts, see
Accessible Features of the Local Accounts on page 303.
After clicking Assume Control beside a local account in the list, you will be
able to perform privileged operations on behalf of the account.
To stop acting on behalf of the local account, click Release in the title bar
area.


Accessible Features of the Local Accounts


The following table lists the accessible features of administrator subaccounts
with Full Control permission and superadmin accounts on the administrator
console.
Table 69. Accessible features of administrator subaccounts with Full Control permission
and superadmin accounts

Feature | Subaccount with Full Control Permission | Superadmin Account

Dashboard | All | All
Domains | Cannot add or delete domains | All
Inbound Protection > Connection Filtering | All | All
Domain-based Authentication | Cannot edit default rules | All
Virus Scan | All | All
Spam Filtering | All | All
Content Filtering | All | All
Data Loss Prevention (DLP) | All | All
Outbound Protection | All | All
Quarantine > Query | All | All
End User Console Settings | All | All
Digest Settings | Cannot edit default digest rules | All
Logs | Can only query audit logs of themselves | All
Reports | All | All
Administration > Policy Objects | All | All
Email Continuity | All | All
Administrator Management | Cannot see this menu | All
End User Management > Passwords | All | All
Managed Accounts | All | All
Logon Methods | Cannot see the Single sign-on toggle button | All
Logon Access Control | Cannot see this menu | All
Directory Management | All | All
Co-Branding | All | All
Service Integration > API Access | All | All
Log Retrieval | All | All
Apex Central | All | All
Remote Manager | Cannot integrate with Remote Manager | All
License Information | All | All
Hosted Email Security Migration Tool | Cannot see this menu | All
IMSS/IMSVA Migration Tool | Cannot see this menu | All
Help | All | All
REST API Access | All | All
Administrator Profile Verification | Cannot see the notice of resending the email message for verification | Cannot see the notice of resending the email message for verification
Change Password | All | All
Release Control | All | All
Log Off | All | All
Two-Factor Authentication | All | All
Logon to the Administrator Console through SSO | All | All

Adding and Configuring a Subaccount

Procedure
1. Go to Administration > Administrator Management > Account
Management.
2. Click Add Subaccount.
The Add Subaccount screen appears.
3. Configure the following information on the screen:
• Subaccount Basic Information: type the account name and email
address.


Note
If you want to enable single sign-on for this subaccount, the email
address specified here will be used to map to its equivalent from your
identity provider to verify the identity of this subaccount. Therefore,
set up the subaccount with the email address used by your identity
provider.

• Select Permission Types: select permissions from the Predefined
Permission Types drop-down list, or configure permissions for
each feature manually.

Note
• When you assign the read-only quarantine permissions, you can
control whether to include the permissions for viewing the
quarantined message details and downloading quarantined
messages. By default, these permissions are included.
• A subaccount has no permission to add or delete domains, even
if that subaccount has Full Control permission over the
domains. Only the Business Account can perform such
operations.

• Select Domains: select domains that the account can manage.


• My organization: select the entire organization for the
subaccount to manage.

Important
Selecting My organization does not grant the subaccount
permission to add or delete domains. It just enables the
subaccount to use organization-level features such as creating
an organization-level policy rule.

If My organization is selected, the subaccount can manage the
new domains added by the Business Account in the future.
• Specify: select one or more domains for the subaccount to
manage.

4. Click Save.

Trend Micro Email Security sends an email message with logon
information to the newly created account owner.

Note
The Reset Password button resets the password and sends a new
notification message to the account owner.

Adding and Configuring a Superadmin Account

Procedure

1. Go to Administration > Administrator Management > Account
Management.

2. Click Add Superadmin Account.

The Add Superadmin Account screen appears.

3. Type the account name and email address.

Note
If you want to enable single sign-on for this superadmin account, the
email address specified here will be used to map to its equivalent from
your identity provider to verify the identity of this superadmin account.
Therefore, set up the superadmin account with the email address used by
your identity provider.

4. Click Save.

Trend Micro Email Security sends an email message with logon
information to the newly created account owner.

Note
The Reset Password button resets the password and sends a new
notification message to the account owner.

Editing a Subaccount

Procedure

1. Go to Administration > Administrator Management > Account
Management.

2. Click the name of the subaccount that you want to edit.

The Edit Subaccount screen appears.

3. Modify the following information on the screen as required:

• Subaccount Basic Information: modify the email address if
necessary.

Note
The account name cannot be modified.

• Select Permission Types: select a predefined permission from the
Predefined Permission Types drop-down list, or configure
permissions for each feature manually.

Note that a subaccount has no permission to add or delete domains,
even if that subaccount has Full Control permission over the
domains. Only the Business Account can perform such operations.

• Select Domains: select the domains that the account can manage.

• My organization: select the entire organization for the
subaccount to manage.

Important
Selecting My organization does not grant the subaccount
permission to add or delete domains. It just enables the
subaccount to use organization-level features such as creating
an organization-level policy rule.

If My organization is selected, the subaccount can manage the
new domains added by the Business Account in the future.

• Specify: select one or more domains for the subaccount to
manage.

4. Click OK.

Editing a Superadmin Account

Procedure

1. Go to Administration > Administrator Management > Account
Management.

2. Click the name of the superadmin account that you want to edit.

The Edit Superadmin Account screen appears.

3. Modify the email address as required.

Note
The account name cannot be modified.

4. Click OK.


Deleting Subaccounts or Superadmin Accounts

Procedure

1. Go to Administration > Administrator Management > Account
Management.

2. Select the subaccounts or superadmin accounts that you want to delete,
and then click Delete.

3. Click OK in the confirmation dialog box.

Changing the Password of a Subaccount or Superadmin Account

Note
If you have a Business Account on the Customer Licensing Portal or Licensing
Management Platform, sign in to your account and follow the instructions
provided there to change your password. Trend Micro recommends changing
your password regularly.

The password cannot be changed for a disabled subaccount or superadmin
account.

Procedure

1. Go to Administration > Administrator Management > Account
Management.

2. Select the subaccount or superadmin account for which you want to
change the password, and then click Reset Password.

Trend Micro Email Security generates a new password for the
subaccount or superadmin account, and sends it to the account owner
through an email message.

Enabling or Disabling a Subaccount or Superadmin Account

Procedure
1. Go to Administration > Administrator Management > Account
Management.
2. Click (enabled) or (disabled) to toggle the status of a subaccount
or superadmin account, and then click OK in the confirmation dialog
box.

Logon Methods
Trend Micro Email Security allows you to control the way that administrator
subaccounts and superadmin accounts access the administrator console.
On the Logon Methods screen, you can enable or disable the following logon
methods:
• Local Account Logon
If this method is enabled, subaccounts and superadmin accounts can log
on to the administrator console with their user name and password.
Enforcing two-factor authentication adds an extra layer of security to the
accounts.
• Single Sign-On
Once you enable single sign-on (SSO) and complete required settings,
subaccounts and superadmin accounts can log on to the administrator
console through SSO with their existing identity provider credentials.
You can create multiple SSO profiles so that different accounts can log
on to the administrator console from different identity provider servers
through SSO.
Trend Micro Email Security currently supports the following identity
providers for SSO:
• Microsoft Active Directory Federation Services (AD FS)

• Azure Active Directory (Azure AD)
• Okta

Configuring Local Account Logon

Procedure
1. Go to Administration > Administrator Management > Logon Methods.
2. In the Local Account Logon section, configure the settings for local
account logon.
a. Click the toggle button to enable local account logon.
This allows administrator subaccounts and superadmin accounts to
log on to the administrator console with their user name and
password.
b. Click the toggle button to enforce two-factor authentication.
Two-factor authentication adds an extra layer of security to the
accounts.
After enforcing two-factor authentication, the accounts must
provide the following authentication credentials each time they log
on to the administrator console:
• Local account and password
• A one-time password generated by the Google Authenticator
app


Setting Up Two-Factor Authentication

Note
If your administrator has enforced two-factor authentication, it means that
two-factor authentication must be used every time you log on to the
administrator console and it cannot be disabled. Complete the following steps
to set up two-factor authentication before you can access the administrator
console.

The Trend Micro Email Security administrator console provides two-factor
authentication support. Two-factor authentication provides an added layer of
security for the local accounts and prevents unauthorized access to your
Trend Micro Email Security administrator console, even if your password is
stolen.
After enabling two-factor authentication, local accounts need to provide the
following authentication credentials each time they sign in:
• Local account and password
• A one-time password generated by the Google Authenticator app
This section describes how to set up two-factor authentication with a local
account.

Procedure
1. Log on to the Trend Micro Email Security administrator console with
your local account and password.
2. Click your account name in the top right corner and choose Two-Factor
Authentication to open the setup wizard.
3. Set up two-factor authentication in the wizard.
a. Click Get Started.
b. Verify your email address and click Next.
c. Obtain the verification code from the notification sent to your email
address.


Note
If you did not get the verification code, wait for at least 3 minutes
before clicking Resend Code.

d. Type the verification code and click Next.

e. Follow the instructions to set up two-factor authentication.

i. Download Google Authenticator either from Apple's App Store
or Google Play and install it on your mobile phone.

ii. Add your Trend Micro Email Security account to Google
Authenticator by scanning the QR code.

iii. Provide the 6-digit code generated by Google Authenticator to
verify that your authentication works properly.

f. Click Finish.

Your account will be prompted for two-factor authentication at
logon.

If you want to disable two-factor authentication, click Disable on
the Two-Factor Authentication screen. If your administrator has
enforced two-factor authentication, click Reset to reset two-factor
authentication if necessary.

Configuring Single Sign-On

Before specifying single sign-on (SSO) settings on the administrator console,
configure the identity provider you choose for SSO, that is, AD FS 4.0, Azure
AD or Okta:

• Configuring Active Directory Federation Services on page 317

• Configuring Azure Active Directory on page 321

• Configuring Okta on page 324


Note
Gather required settings from your identity provider before setting up the
administrator console.

Procedure
1. Go to Administration > Administrator Management > Logon Methods.
2. In the Single Sign-On section, click the toggle button to enable SSO.
3. Click Add to create an SSO profile.
4. Configure general information for SSO.
a. Specify an SSO profile name.
b. Specify an identifier that is globally unique at your site.
The administrator console URL is generated.
If you have to change the unique identifier due to conflict with
another identifier, make sure you also change it in your identity
provider configuration.
5. Select the accounts to which the current profile applies:
• All accounts: applies this profile to all accounts.

Note
You can create only one profile that is applied to all accounts.

• Specified accounts: applies this profile to specified accounts.
Select accounts from the Available pane and click Add > to add
them to the Selected pane.
6. Complete identity provider configuration for SSO.
a. Select your identity provider from the Identity provider drop-down
list.


b. Specify the logon and logoff URLs for your identity provider.

Note
Use the logon URL collected from AD FS, Azure AD or Okta
configurations.
The logoff URL logs you off and also terminates the current identity
provider logon session.

c. (For Okta only) Click Download Logoff Certificate to obtain the
certificate file to upload to your federation server.
d. Locate the certificate file you downloaded from AD FS, Azure AD or
Okta configurations and upload it for signature validation.
e. Specify the identity claim type based on the claim you configured
for AD FS, Azure AD or Okta. For example, if you use email as the
claim name, type email.
7. Click Save to save the profile.
8. Click Save to save SSO settings.
Once you have completed the configuration, log on with an account
using the administrator console URL generated in Step 4 to initiate SSO
from the identity provider to the Trend Micro Email Security
administrator console. The identity claim type specified in Step 6 is used
to get the mapping claim value from your identity provider. In this case,
Trend Micro Email Security obtains the email address of the logon
account and checks if it matches the account email address you set
before. If they are matched, you will be successfully logged on to the
administrator console with the account.
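
When SSO logon fails after this procedure, the usual causes are a claim name that differs from the identity claim type in the profile, or a claim value that differs from the account email address. The following Python sketch is an added troubleshooting example, not Trend Micro code: it reads a base64 SAMLResponse captured from your own test logon, lists the attribute names the identity provider actually sent, and compares the configured claim with the account email. The sample response is constructed, the case-insensitive comparison is an assumption, and no signature validation is performed.

```python
import base64
import xml.etree.ElementTree as ET   # for untrusted input, prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_PATH = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"


def claims_from_response(saml_response_b64):
    """Return {attribute Name: [values]} from a base64 SAMLResponse field."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    claims = {}
    for attr in root.iterfind(ATTR_PATH, SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def check_identity_claim(saml_response_b64, claim_type, account_email):
    """Compare the configured identity claim with the account email address.

    Returns a dict whose "status" is "match", "claim-missing" or
    "email-mismatch", plus the data needed to correct the setting.
    """
    claims = claims_from_response(saml_response_b64)
    if claim_type not in claims:
        # The profile's identity claim type must equal one of these names.
        return {"status": "claim-missing", "available": sorted(claims)}
    wanted = account_email.strip().lower()      # assumption: case-insensitive
    values = claims[claim_type]
    if any(v.lower() == wanted for v in values):
        return {"status": "match", "values": values}
    return {"status": "email-mismatch", "values": values}


# Constructed sample response for illustration only (unsigned).
SAMPLE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>Admin.One@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute
          Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>admin.one</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(check_identity_claim(SAMPLE_B64, "email", "admin.one@example.com"))
    print(check_identity_claim(SAMPLE_B64, "mail", "admin.one@example.com"))
```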

Configuring Active Directory Federation Services

Active Directory Federation Services (AD FS) provides support for claims-
aware identity solutions that involve Windows Server and Active Directory
technology. AD FS supports the WS-Trust, WS-Federation, and Security
Assertion Markup Language (SAML) protocols.

This section uses Windows 2016 as an example to describe how to configure
AD FS as a SAML server to work with Trend Micro Email Security. Make sure
you have installed AD FS successfully.

Procedure
1. Go to Start > All Programs > Windows Administrative Tools > AD FS
Management.
2. On the AD FS management console, go to AD FS, right-click Relying
Party Trusts, and then choose Add Relying Party Trust.
3. Complete settings for each screen in the Add Relying Party Trust wizard.
a. On the Welcome screen, select Claims aware and click Start.
b. On the Select Data Source screen, select Enter data about the
relying party manually and click Next.
c. On the Specify Display Name screen, specify a display name, for
example, Trend Micro Email Security Administrator
Console, and click Next.

d. On the Configure Certificate screen, click Next.

Note
No encryption certificate is required, and HTTPS will be used for
communication between Trend Micro Email Security and federation
servers.

e. On the Configure URL screen, select Enable support for the SAML
2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service
URL, and then click Next.


Note
Specify the SAML 2.0 SSO service URL for your region as follows:
https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>

In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
  • North America, Latin America and Asia Pacific:
  tmes.trendmicro.com
  • Europe, the Middle East and Africa:
  tmes.trendmicro.eu
  • Australia and New Zealand:
  tmes-anz.trendmicro.com
  • Japan:
  tmems-jp.trendmicro.com
  • Singapore:
  tmes-sg.trendmicro.com
  • India:
  tmes-in.trendmicro.com

f. On the Configure Identifiers screen, type the identifier for the
relying party trust, click Add, and then click Next.

Note
Specify the identifier for the relying party trust for your region as
follows:
https://ui.<domain_name>/uiserver/subaccount/ssoLogin

g. On the Choose Access Control Policy screen, choose an access
control policy and click Next.
h. Continue clicking Next in the wizard and finally click Close.
4. From the Edit Claim Issuance Policy for Trend Micro Email Security
Administrator Console dialog box, click Add Rule in the Issuance
Transform Rules tab.
5. Complete settings for each screen in the Add Transform Claim Rule
wizard.
a. On the Select Rule Template screen, select Send LDAP Attributes
as Claims for Claim rule template and click Next.
b. On the Configure Rule screen, specify a claim rule name and select
Active Directory for Attribute store.
c. Select LDAP attributes and specify an outgoing claim type for each
attribute. For example, select E-Mail-Addresses and type email as
the outgoing claim type.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the claim type specified
here.

d. Click Finish.
e. Click OK to close the wizard.
6. From AD FS > Relying Party Trust, double-click the relying party trust
file you created earlier.
a. From the Test Properties dialog box, click the Advanced tab.
b. Select SHA1 from the Secure hash algorithm drop-down list and
click OK.
7. Collect the single sign-on logon and logoff URLs and obtain a certificate
for signature validation from AD FS.

a. On the AD FS management console, go to AD FS > Service >
Endpoints.
b. Look for the SAML 2.0/WS-Federation type endpoint and collect the
URL path.

Note
The URL path will be used when you configure logon and logoff URLs
on Trend Micro Email Security.
• Logon URL: <adfs_domain_name>/adfs/ls/
• Logoff URL: <adfs_domain_name>/adfs/ls/?wa=wsignout1.0

c. Go to AD FS > Service > Certificates.


d. Look for the Token-signing certificate, right-click it, and then select
View Certificate.
e. Click the Details tab and click Copy to File.
f. Using the Certificate export wizard, select Base-64 Encoded X.509
(.CER).
g. Assign a name to the file to complete the export of the certificate
into a file.

Configuring Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based
directory and identity management service.
Make sure you have a valid subscription in Azure AD that handles the sign-in
process and eventually provides the authentication credentials of local
accounts to the administrator console.

Procedure
1. On the Azure AD management portal, select the active directory in which
you want to implement SSO.

2. Click Enterprise applications in the navigation area on the left and click
New application.
3. On the Browse Azure AD Gallery (Preview) screen, click Create your
own application.
4. On the Create your own application panel that appears on the right,
specify a name for your application, for example, Trend Micro Email
Security Administrator Console, and click Create.

5. Under Getting Started in the overview of your application, click 1.
Assign users and groups, click Add user/group, select a specific user or
group for this application and click Assign.
6. In the navigation area of your application, click Single sign-on.
7. Click SAML to configure the connection from your application to Azure
AD using the SAML protocol.
a. Under Basic SAML Configuration, click Edit, specify the identifier
and reply URL, and click Save.

Note
Specify the identifier for your region as follows:
https://ui.<domain_name>/uiserver/subaccount/ssoLogin

Specify the reply URL for your region as follows:
https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>

In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
  • North America, Latin America and Asia Pacific:
    tmes.trendmicro.com
  • Europe, the Middle East and Africa:
    tmes.trendmicro.eu
  • Australia and New Zealand:
    tmes-anz.trendmicro.com
  • Japan:
    tmems-jp.trendmicro.com
  • Singapore:
    tmes-sg.trendmicro.com
  • India:
    tmes-in.trendmicro.com

Click No, I'll test later when you are prompted to choose whether to
test single sign-on with Trend Micro Email Security
Administrator Console. You are advised to perform a test after all
SSO settings are complete.

b. Under User Attributes & Claims, click Edit, and specify the identity
claim.

User attributes and claims are used to get the email addresses of
logon accounts to authenticate their identity. By default, the source
attribute user.mail is preconfigured to get the email addresses. If
the email addresses in your organization are defined by another
source attribute, do the following to add a new claim name:

Click Add new claim. On the Manage claim screen, specify the
claim name, leave Namespace empty, select Attribute as Source,
select a value from the Source attribute drop-down list, and click
Save.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the claim name specified
here.

c. Under SAML Signing Certificate, click Edit, specify an email
address for Notification Email Addresses, and click Save. Click
Download next to Certificate (Base64) to download a certificate file
for Azure AD signature validation on Trend Micro Email Security.

d. Under Set up Trend Micro Email Security Administrator Console,
record the login and logout URLs.

Configuring Okta

This section describes how to add Trend Micro Email Security as a new
application and configure SSO settings on your Okta Admin Console.

Procedure

1. Navigate to the Admin Console by clicking Admin in the upper-right
corner.

Note
If you are in the Developer Console, click < > Developer Console in the
upper-left corner and then click Classic UI to switch over to the Admin
Console.

2. In the Admin Console, go to Applications > Applications.


3. Click Add Application, and then click Create New App.
The Create a New Application Integration screen appears.
4. Select Web as the Platform and SAML 2.0 as the Sign on method, and
then click Create.
5. On the General Settings screen, type a name for Trend Micro Email
Security in App name, for example, Trend Micro Email Security
Administrator Console, and click Next.

6. On the Configure SAML screen, specify the following:


a. Type https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>
in Single sign on URL based on your serving site.

Note
In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
  • North America, Latin America and Asia Pacific:
    tmes.trendmicro.com
  • Europe, the Middle East and Africa:
    tmes.trendmicro.eu
  • Australia and New Zealand:
    tmes-anz.trendmicro.com
  • Japan:
    tmems-jp.trendmicro.com
  • Singapore:
    tmes-sg.trendmicro.com
  • India:
    tmes-in.trendmicro.com

b. Select Use this for Recipient URL and Destination URL.


c. Type https://ui.<domain_name>/uiserver/subaccount/ssoLogin
in Audience URI (SP Entity ID).
d. Select EmailAddress in Name ID format.
e. Select Okta username in Application username.
f. (Optional) Click Show Advanced Settings and specify the following:
This step is required only if you want to configure a logoff URL on
the Trend Micro Email Security administrator console. The logoff
URL is used to log you off and also terminate the current identity
provider logon session.

i. Next to Enable Single Logout, select the Allow application to
initiate Single Logout check box.

ii. Type https://ui.<domain_name>/uiserver/subaccount/sloAssert?cmpID=<unique_identifier>
in Single Logout URL.

iii. Type https://ui.<domain_name>/uiserver/subaccount/ssoLogout
in SP Issuer.

iv. Upload the logoff certificate in the Signature Certificate area.

You need to download the logoff certificate from the Trend
Micro Email Security administrator console in advance. Go to
Administration > Administrator Management > Logon
Methods. Click Add in the Single Sign-on section. On the pop-up
screen, locate the Identity Provider Configuration section,
select Okta as Identity provider and click Download Logoff
Certificate to download the certificate file.

v. Keep the default values for other settings.

g. Under ATTRIBUTE STATEMENTS (OPTIONAL), specify email in
Name, and select Unspecified in Name format and user.email in
Value.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the attribute name specified
here.

h. Click Next.

7. On the Feedback screen, click I'm an Okta customer adding an internal
app, and then click Finish.

The Sign On tab of your newly created Trend Micro Email Security
application appears.

8. Click View Setup Instructions, and record the URL in Identity Provider
Single Sign-On URL and download the certificate in X.509 Certificate.

End User Management


Trend Micro Email Security allows you to perform the following
management tasks for end user accounts on Trend Micro Email Security End
User Console:

• Managing local end user accounts

• Managing end user account management relationships

• Configuring the way that end users access the End User Console

Local Accounts
Trend Micro Email Security supports management of End User Console local
accounts on the administrator console. You can add, delete, import, export,
enable, and disable end user accounts that belong to the managed domains.

Adding a Local End User Account

Note
Before adding local accounts for end users, make sure you have enabled local
account logon for end users. For details, see Configuring Local Account Logon on
page 335.

Procedure

1. Go to Administration > End User Management > Local Accounts.

2. Type an email address and click Add.

Make sure the email address meets the following requirements:

• Belongs to one of the managed domains


• Is a valid recipient of a managed domain when the recipient filter is
enabled for the domain
The email address appears in the local account list below.
The email address will receive a password reset message for the local
account. After the end user resets the password, they can use the
account to log on to the End User Console.

Deleting Local End User Accounts

Procedure
1. Go to Administration > End User Management > Local Accounts.
2. Select one or multiple local accounts and click Delete.

Note
To delete a primary account that manages other accounts, remove the
account management relationships first. For details, see Removing End
User Managed Accounts on page 333.

3. On the Delete End User screen, click OK.


The local accounts are removed from the local account lists and can no
longer log on to the End User Console.

Importing Local End User Accounts

Note
Before adding local accounts for end users, make sure you have enabled local
account logon for end users. For details, see Configuring Local Account Logon on
page 335.

Procedure

1. Go to Administration > End User Management > Local Accounts.

2. Click Import.

3. (Optional) Click Download sample file to download the sample file for
reference or import.

4. On the Import End Users screen, click Choose File... and select a CSV
file that contains the end user accounts to import.

You can click Download sample file to download a sample CSV file for
reference or use it to import accounts.

Make sure the CSV file meets the following requirements:

• The file size does not exceed 1 MB.

• The email addresses belong to the managed domains.

• The email addresses are the valid recipients of a managed domain
when the recipient filter is enabled for the domain.

5. Click Preview to preview the import result.

6. Click Import.

The email addresses imported successfully appear in the local account
list below.

The email addresses will receive a password reset message for the local
accounts. After the end users reset the password, they can use the
accounts to log on to the End User Console.

Exporting Local End User Accounts

Procedure

1. Go to Administration > End User Management > Local Accounts.

2. Click Export All.


All local accounts are exported to a CSV file.

Enabling or Disabling Local End User Accounts

Procedure
1. Go to Administration > End User Management > Local Accounts.
2. Click the status icon (enabled or disabled) of a local account to
toggle its status, and then click OK in the confirmation dialog box.

Note
You cannot enable or disable managed accounts.

Enabled accounts can log on to the End User Console while disabled
accounts cannot.

Managed Accounts
End users can manage multiple Trend Micro Email Security End User
Console accounts by using a single account to log on. After an end user
begins managing an account, they can view the quarantined messages and
set the Approved Senders associated with that account.
End users log on with their primary account, and then specify one of their
managed accounts or All managed accounts at the top of the screen to view
Quarantined messages and set Approved Senders for the specified account or
accounts.

Figure 1. Example of the Managed Account Control

After an end user begins managing an account, that managed account will be
unable to log on to the End User Console. The managed account will be able
to log on again only if the account management relationship is removed. To
allow the account to log on again, the primary account can remove the
managed account from the Managed Accounts screen of the End User
Console.
Adding a managed account does not change the credentials for that account.
Disabling the feature does not change the account management relationship
of accounts that end users have already added.
End users can always remove accounts from their list of managed accounts.
However, end users can only add management of accounts under the
following conditions:
• The account is a registered End User Console account.
• The account is not currently a managed account of another End User
Console account.
• The end user is able to open the confirmation email message sent to the
account address.

• The end user has the End User Console password for the account.

Removing End User Managed Accounts


The primary account can remove the managed account from the Managed
Accounts screen of the End User Console.
To remove an account management relationship using the Trend Micro
Email Security administrator console, use the following procedure.

Procedure
1. Go to Administration > End User Management > Managed Accounts.
2. Select the primary account and managed account pair or pairs in the
list.
3. Click Remove.

Logon Methods
Trend Micro Email Security allows you to control the way that end users
access the End User Console.
On the Logon Methods screen, you can enable or disable the following logon
methods:
• Local Account Logon
If this method is enabled, end users can log on to the End User Console
with the user name and password of the local managed accounts they
have registered on the End User Console. Enforcing two-factor
authentication adds an extra layer of security to the end user accounts.
• Single Sign-On
Once you enable single sign-on (SSO) and complete required settings,
end users can log on to the End User Console through SSO with their
existing identity provider credentials. You can create multiple SSO
profiles so that different end users can log on to the End User Console
from different identity provider servers through SSO.
When creating an SSO profile, you need to specify the domains to which
the profile applies. Assume that subaccount A manages domains A, B and
C, subaccount B manages domain B and subaccount C manages domain
C. The relationship between SSO profiles, managed domains and
subaccount permissions is as follows:

SSO Profile    Managed Domains    Subaccount Permission

Profile 1      Domains A and B    • Subaccount A: read and edit
                                  • Subaccount B: read only
                                  • Subaccount C: cannot read, edit or delete

Profile 2      Domain C           • Subaccount A: read and edit
                                  • Subaccount B: cannot read, edit or delete
                                  • Subaccount C: read and edit

Profile 3      All domains        • Subaccount A: read only
                                  • Subaccount B: read only
                                  • Subaccount C: read only

Trend Micro Email Security currently supports the following identity
providers for SSO:
• Microsoft Active Directory Federation Services (AD FS)
• Azure Active Directory (Azure AD)
• Okta

Configuring Local Account Logon

Procedure

1. Go to Administration > End User Management > Logon Methods.

2. In the Local Account Logon section, configure the settings for local
account logon.

a. Click the toggle button to enable Local Account Logon.

This allows end users to log on to the End User Console with the
user name and password of their local managed accounts.

b. Click the toggle button to enforce two-factor authentication.

Two-factor authentication adds an extra layer of security to the end
user accounts.

After enforcing two-factor authentication, end user accounts must
provide the following authentication credentials each time they log
on to the End User Console:

• Local account and password

• A one-time password generated by the Google Authenticator app

c. From the Source of managed accounts drop-down list, select the
source of accounts to be managed when end users log on to the End
User Console.

• Aliases synchronized from directories: If you select this
option, the logon users will have all the aliases synchronized
from LDAP directories as their managed accounts.

• Manually added accounts: If you select this option, the logon
users will have all the accounts they added manually as their
managed accounts.

Configuring Single Sign-On


Before specifying SSO settings on the administrator console, configure the
identity provider you choose for single sign-on, that is, AD FS 4.0, Azure AD
or Okta:
• Configuring Active Directory Federation Services on page 339
• Configuring Azure Active Directory on page 343
• Configuring Okta on page 346

Note
Gather required settings from your identity provider before setting up the
administrator console.

Procedure
1. Go to Administration > End User Management > Logon Methods.
2. In the Single Sign-On section, click the toggle button to enable SSO.
3. Click Add to create an SSO profile.
4. Configure general information for SSO.
a. Specify an SSO profile name.
b. Specify an identifier that is globally unique at your site.
The End User Console URL is generated.
If you have to change the unique identifier due to conflict with
another identifier, make sure you also change it in your identity
provider configuration.

5. Select the domains to which the current profile applies:

• All domains: applies this profile to all domains.

Note
You can create only one profile that is applied to all domains.

• Specified domains: applies this profile to specified domains.

Select domains from the Available pane and click Add > to add
them to the Selected pane.

6. Complete identity provider configuration for SSO.

a. Select your identity provider from the Identity provider drop-down
list.

b. Specify the logon and logoff URLs for your identity provider.

Note
Use the logon URL collected from AD FS, Azure AD or Okta
configurations.

The logoff URL logs you off and also terminates the current identity
provider logon session.

c. (For Okta only) Click Download Logoff Certificate to obtain the
certificate file to upload to your federation server.

d. (Optional) Enable signature validation.

Note
A signature is returned from the identity provider server during SSO.
To prevent attackers from forging a logon, the signature must be checked
against the certificate file you obtained from your identity provider.

i. Click the Signature validation toggle button.

ii. Locate the certificate file you downloaded from AD FS, Azure
AD or Okta configurations and upload it for signature
validation.

e. Specify the identity claim type based on the claim you configured
for AD FS, Azure AD or Okta. For example, if you use email as the
claim name, type email.

f. (Optional) Enable SSO management by group.

Note
If you enable this function, only end users with valid email addresses
in the specified group can log on to the End User Console through SSO.

i. Click the Group allow list toggle button.

ii. Specify the group claim type based on the group claim you
configured for AD FS, Azure AD or Okta. For example, if you
use euc_group as the group attribute name, type euc_group.

iii. Specify group claim values based on the group claim you
configured for AD FS, Azure AD or Okta. If your identity
provider is AD FS or Okta, type group names; if your identity
provider is Azure AD, type group IDs.

7. Click Save to save the profile.

8. Click Save to save SSO settings.

Once you have completed the configuration, an end user can log on
using the End User Console URL generated in Step 4 to initiate SSO from
the identity provider to the End User Console. The identity claim type
and group claim type specified in Step 6 are used to get the mapping
claim values from your identity provider. In this case, Trend Micro
Email Security obtains the email address and user group of the logon
account to verify the identity of the end user. Once verified, the end user
will be successfully logged on to the End User Console.
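
The claim and URL matching described above can be checked offline on a SAML response captured from your own identity provider. The following Python script is an added example, not part of the Trend Micro guide or product, and it checks only for the presence of a signature rather than verifying it. The profile dictionary keys, the sample response, the identifier example-corp-euc, the group EUC-Users and the email domain check are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

# Hypothetical stand-in for one SSO profile. The keys mirror the fields in the
# procedure above; the names and values are assumptions made for this example.
PROFILE = {
    "domain_name": "tmes.trendmicro.com",     # region value listed in the guide
    "unique_identifier": "example-corp-euc",  # constructed
    "domains": {"example.com"},               # None stands for "All domains"
    "signature_validation": True,
    "identity_claim_type": "email",
    "group_claim_type": "euc_group",          # None when the group allow list is off
    "group_claim_values": {"EUC-Users"},      # constructed group name
}

# Constructed, unsigned response of the shape an identity provider would send.
_ACS = "https://euc.tmes.trendmicro.com/uiserver/euc/ssoAssert?cmpID=example-corp-euc"
SAMPLE_RESPONSE = f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{_ACS}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{_ACS}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://euc.tmes.trendmicro.com/uiserver/euc/ssoLogin</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="euc_group">
        <saml:AttributeValue>EUC-Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def expected_urls(domain_name, unique_identifier):
    """End User Console URLs the guide tells you to enter at the identity provider."""
    base = f"https://euc.{domain_name}/uiserver/euc"
    return {"sso_url": f"{base}/ssoAssert?cmpID={unique_identifier}",
            "audience": f"{base}/ssoLogin"}


def check_response(xml_text, profile):
    """Return the mismatches between a captured response and the SSO profile."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("a SAML response must not carry a DTD")
    root = ET.fromstring(xml_text)
    urls = expected_urls(profile["domain_name"], profile["unique_identifier"])
    findings = []
    if root.get("Destination") != urls["sso_url"]:
        findings.append(f"Destination {root.get('Destination')!r} != {urls['sso_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion element in the response"]
    # Presence only: verifying the signature needs an XML-DSig library.
    signed = any(e.find(DS_SIGNATURE) is not None for e in (root, assertion))
    if profile["signature_validation"] and not signed:
        findings.append("no ds:Signature element for signature validation to check")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != urls["sso_url"]:
        findings.append(f"Recipient {recipient!r} != {urls['sso_url']!r}")
    audiences = {(a.text or "").strip() for a in assertion.findall(".//saml:Audience", NS)}
    if urls["audience"] not in audiences:
        findings.append(f"Audience {sorted(audiences)} lacks {urls['audience']!r}")
    # Collect every attribute statement as claim name -> list of values.
    claims = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    emails = claims.get(profile["identity_claim_type"], [])
    if not emails:
        findings.append(f"identity claim {profile['identity_claim_type']!r} not sent; "
                        f"response carries {sorted(claims)}")
    elif profile["domains"] is not None:  # assumption: a profile covers only its domains
        for email in emails:
            if email.rpartition("@")[2].lower() not in profile["domains"]:
                findings.append(f"{email!r} is outside the profile's domains")
    if profile["group_claim_type"]:
        groups = set(claims.get(profile["group_claim_type"], []))
        if not groups & profile["group_claim_values"]:
            findings.append(f"group claim {profile['group_claim_type']!r} has {sorted(groups)}, "
                            f"none in the allow list")
    return findings


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, PROFILE) or ["response matches the profile"]:
        print(line)
```

Run against the constructed sample, the only finding is the missing signature element; a claim name that differs between the identity provider and the profile shows up as an "identity claim ... not sent" finding that lists the claim names the response actually carries.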

Configuring Active Directory Federation Services

Active Directory Federation Services (AD FS) provides support for claims-
aware identity solutions that involve Windows Server and Active Directory
technology. AD FS supports the WS-Trust, WS-Federation, and Security
Assertion Markup Language (SAML) protocols.
This section uses Windows 2016 as an example to describe how to configure
AD FS as a SAML server to work with Trend Micro Email Security. Make sure
you have installed AD FS successfully.

Procedure
1. Go to Start > All Programs > Windows Administrative Tools > AD FS
Management.
2. On the AD FS management console, go to AD FS, right-click Relying
Party Trusts, and then choose Add Relying Party Trust.
3. Complete settings for each screen in the Add Relying Party Trust wizard.
a. On the Welcome screen, select Claims aware and click Start.
b. On the Select Data Source screen, select Enter data about the
relying party manually and click Next.
c. On the Specify Display Name screen, specify a display name, for
example, Trend Micro Email Security End User Console, and
click Next.
d. On the Configure Certificate screen, click Next.

Note
No encryption certificate is required, and HTTPS will be used for
communication between Trend Micro Email Security and federation
servers.

e. On the Configure URL screen, select Enable support for the SAML
2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service
URL, and then click Next.

Note
Specify the SAML 2.0 SSO service URL for your region as follows:
https://euc.<domain_name>/uiserver/euc/ssoAssert?cmpID=<unique_identifier>

In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
  • North America, Latin America and Asia Pacific:
    tmes.trendmicro.com
  • Europe, the Middle East and Africa:
    tmes.trendmicro.eu
  • Australia and New Zealand:
    tmes-anz.trendmicro.com
  • Japan:
    tmems-jp.trendmicro.com
  • Singapore:
    tmes-sg.trendmicro.com
  • India:
    tmes-in.trendmicro.com

f. On the Configure Identifiers screen, type the identifier for the
relying party trust, click Add, and then click Next.

Note
Specify the identifier for the relying party trust for your region as
follows:
https://euc.<domain_name>/uiserver/euc/ssoLogin

g. On the Choose Access Control Policy screen, choose an access
control policy and click Next.

h. Continue clicking Next in the wizard and finally click Close.

4. From the Edit Claim Issuance Policy for Trend Micro Email Security
End User Console dialog box, click Add Rule in the Issuance Transform
Rules tab.

5. Complete settings for each screen in the Add Transform Claim Rule
wizard.

a. On the Select Rule Template screen, select Send LDAP Attributes
as Claims for Claim rule template and click Next.

b. On the Configure Rule screen, specify a claim rule name and select
Active Directory for Attribute store.

c. Select LDAP attributes and specify an outgoing claim type for each
attribute. For example, select E-Mail-Addresses and type email as
the outgoing claim type.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the claim type specified
here.

d. (Optional) Configure group claim type settings for user groups.

i. On the Select Rule Template screen, select Send Group
Membership as a Claim for Claim rule template and click
Next.

ii. On the Configure Rule screen, specify a claim rule name, click
Browse under User's group, and select AD groups.

iii. Specify the outgoing claim type and outgoing claim values. For
example, type euc_group and the AD group names.

Important
When configuring the group claim type for an SSO profile on Trend
Micro Email Security, make sure you use the group claim type
specified here.

e. Click Finish.

f. Click OK to close the wizard.

6. From AD FS > Relying Party Trust, double-click the relying party trust
file you created earlier.

a. From the Test Properties dialog box, click the Advanced tab.

b. Select SHA1 from the Secure hash algorithm drop-down list and
click OK.

7. Collect the single sign-on logon and logoff URLs and obtain a certificate
for signature validation from AD FS.

a. On the AD FS management console, go to AD FS > Service >
Endpoints.

b. Look for the SAML 2.0/WS-Federation type endpoint and collect the
URL path.

Note
The URL path will be used when you configure logon and logoff URLs
on Trend Micro Email Security.

• Logon URL: <adfs_domain_name>/adfs/ls/

• Logoff URL: <adfs_domain_name>/adfs/ls/?wa=wsignout1.0

c. Go to AD FS > Service > Certificates.

d. Look for the Token-signing certificate, right-click it, and then select
View Certificate.

e. Click the Details tab and click Copy to File.

f. Using the Certificate export wizard, select Base-64 Encoded X.509
(.CER).
g. Assign a name to the file to complete the export of the certificate
into a file.

Configuring Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's multi-tenant cloud-based
directory and identity management service.
Make sure you have a valid subscription in Azure AD that handles the sign-in
process and eventually provides the authentication credentials of end users
to the End User Console.

Procedure
1. On the Azure AD management portal, select the active directory for
which you want to implement SSO.
2. Click Enterprise applications in the navigation area on the left and click
New application.
3. On the Browse Azure AD Gallery (Preview) screen, click Create your
own application.
4. On the Create your own application panel that appears on the right,
specify a name for your application, for example, Trend Micro Email
Security End User Console, and click Create.

5. Under Getting Started in the overview of your application, click 1.
Assign users and groups, click Add user/group, select a specific user or
group for this application and click Assign.
6. In the navigation area of your application, click Single sign-on.
7. Click SAML to configure the connection from your application to Azure
AD using the SAML protocol.
a. Under Basic SAML Configuration, click Edit, specify the identifier
and reply URL, and click Save.

Note
Specify the identifier for your region as follows:
https://euc.<domain_name>/uiserver/euc/ssoLogin

Specify the reply URL for your region as follows:
https://euc.<domain_name>/uiserver/euc/ssoAssert?cmpID=<unique_identifier>

In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
  • North America, Latin America and Asia Pacific:
    tmes.trendmicro.com
  • Europe, the Middle East and Africa:
    tmes.trendmicro.eu
  • Australia and New Zealand:
    tmes-anz.trendmicro.com
  • Japan:
    tmems-jp.trendmicro.com
  • Singapore:
    tmes-sg.trendmicro.com
  • India:
    tmes-in.trendmicro.com

Click No, I'll test later when you are prompted to choose whether to
test single sign-on with Trend Micro Email Security End User
Console. You are advised to perform a test after all SSO settings are
complete.

b. Under User Attributes & Claims, click Edit, and specify the identity
claim.

User attributes and claims are used to get the email addresses of
logon accounts to authenticate their identity. By default, the source
attribute user.mail is preconfigured to get the email addresses. If
the email addresses in your organization are defined by another
source attribute, do the following to add a new claim name:

Click Add new claim. On the Manage claim screen, specify the
claim name, leave Namespace empty, select Attribute as Source,
select a value from the Source attribute drop-down list, and click
Save.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the claim name specified
here.

(Optional) Click Add a group claim. On the Group Claims screen,
specify the groups associated with the end user, select Group ID as
Source attribute, select Customize the name of the group claim,
specify the group claim name, for example, euc_group, and click
Save.

Important
When configuring the group claim type for an SSO profile on Trend
Micro Email Security, make sure you use the group claim name
specified here.

c. Under SAML Signing Certificate, click Edit, specify an email
address for Notification Email Addresses, and click Save. Click
Download next to Certificate (Base64) to download a certificate file
for Azure AD signature validation on Trend Micro Email Security.

d. Under Set up Trend Micro Email Security End User Console,
record the login and logout URLs.

Configuring Okta

This section describes how to add Trend Micro Email Security as a new
application and configure SSO settings on your Okta Admin Console.

Procedure

1. Navigate to the Admin Console by clicking Admin in the upper-right
corner.

Note
If you are in the Developer Console, click < > Developer Console in the
upper-left corner and then click Classic UI to switch over to the Admin
Console.

2. In the Admin Console, go to Applications > Applications.

3. Click Add Application, and then click Create New App.

The Create a New Application Integration screen appears.

4. Select Web as the Platform and SAML 2.0 as the Sign on method, and
then click Create.

5. On the General Settings screen, type a name for Trend Micro Email
Security in App name, for example, Trend Micro Email Security End
User Console, and click Next.

6. On the Configure SAML screen, specify the following:

a. Type https://euc.<domain_name>/uiserver/euc/ssoAssert?cmpID=<unique_identifier>
in Single sign on URL based on your serving site.

Note
In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
  • North America, Latin America and Asia Pacific:
    tmes.trendmicro.com
  • Europe, the Middle East and Africa:
    tmes.trendmicro.eu
  • Australia and New Zealand:
    tmes-anz.trendmicro.com
  • Japan:
    tmems-jp.trendmicro.com
  • Singapore:
    tmes-sg.trendmicro.com
  • India:
    tmes-in.trendmicro.com

b. Select Use this for Recipient URL and Destination URL.


c. Type https://euc.<domain_name>/uiserver/euc/ssoLogin in
Audience URI (SP Entity ID).
d. Select EmailAddress in Name ID format.
e. Select Okta username in Application username.
f. (Optional) Click Show Advanced Settings and specify the following:
This step is required only if you want to configure a logoff URL on
the Trend Micro Email Security administrator console. The logoff
URL is used to log you off and also terminate the current identity
provider logon session.
i. Next to Enable Single Logout, select the Allow application to
initiate Single Logout check box.
ii. Type https://euc.<domain_name>/uiserver/euc/sloAssert?cmpID=<unique_identifier>
in Single Logout URL.
iii. Type https://euc.<domain_name>/uiserver/euc/ssoLogout
in SP Issuer.
iv. Upload the logoff certificate in the Signature Certificate area.
You need to download the logoff certificate from the Trend
Micro Email Security administrator console in advance. Go to
Administration > End User Management > Logon Methods.
Click Add in the Single Sign-on section. On the pop-up screen,
locate the Identity Provider Configuration section, select Okta
as Identity provider and click Download Logoff Certificate to
download the certificate file.
v. Keep the default values for other settings.
g. Under ATTRIBUTE STATEMENTS (OPTIONAL), specify email in
Name, and select Unspecified in Name format and user.email in
Value.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the attribute name specified
here.

h. (Optional) Under GROUP ATTRIBUTE STATEMENTS (OPTIONAL),
specify euc_group in Name, select Unspecified in Name format
and specify filter conditions.

Important
When configuring the group claim type for an SSO profile on
Trend Micro Email Security, make sure you use the group attribute
name specified here.

i. Click Next.
7. On the Feedback screen, click I'm an Okta customer adding an internal
app, and then click Finish.
The Sign On tab of your newly created Trend Micro Email Security
application appears.
8. Click View Setup Instructions, and record the URL in Identity Provider
Single Sign-On URL and download the certificate in X.509 Certificate.

Logon Access Control

The Trend Micro Business Account can determine the clients that are allowed to
access the administrator console, End User Console, and resources within
Trend Micro Email Security by specifying a list of approved IP addresses. The
Business Account can also specify the action to take on the access request
from an unapproved IP address.
With this feature enabled:
• Only administrators from the approved IP addresses can be authorized to
log on to the administrator console (either through a local account or
SSO), verify their profiles, and complete API access.

Note
API access aims to perform operations on resources within Trend Micro
Email Security and synchronize user directories via REST APIs.
For more information, refer to the Trend Micro Email Security REST API Online
Help and Directory Synchronization Tool User's Guide at
http://docs.trendmicro.com/en-us/enterprise/trend-micro-email-security.aspx.

• Only end users from the approved IP addresses can be authorized to log
on to the End User Console (either through local account or SSO),
activate their accounts, and perform digest inline actions.
• For the access request from an unapproved IP address, Trend Micro
Email Security can allow access without IP address check, allow access
but record audit logs, or block access and record audit logs, depending
on your access control settings.
The Logon Access Control screen includes the following tabs:
• Access Control Settings: Displays the access control settings that you
want to apply to the access requests from unapproved IP addresses.
• Approved IP Addresses: Lists the IP addresses from which access to
Trend Micro Email Security is always allowed.

Configuring Access Control Settings

Procedure
1. Go to Administration > Logon Access Control.
2. On the Access Control Settings tab, select whether to allow access to
Trend Micro Email Security from unapproved IP addresses.
• Administrator Console: Select an action (Bypass, Allow and log,
and Block and log) to take on the access request to the Trend Micro
Email Security administrator console from an unapproved IP
address. The default value is Bypass.
• Bypass: The request bypasses access control check. Trend
Micro Email Security allows the access without verifying the
client's IP address.
• Allow and log: Trend Micro Email Security allows the access
but records audit logs.
• Block and log: Trend Micro Email Security blocks the access
and records audit logs.
This setting also applies when administrators attempt to verify their
profiles from an unapproved IP address.
• End User Console: Select an action (Bypass, Allow and log, and
Block and log) to take on the access request to the Trend Micro
Email Security End User Console from an unapproved IP address.
The default value is Bypass.
This setting also applies when end users attempt to activate their
accounts from an unapproved IP address.
• API Access: Select an action (Bypass, Allow and log, and Block and
log) to take on the access request to Trend Micro Email Security
through REST APIs from an unapproved IP address. The default
value is Bypass.

Note
IP-based access control is enabled if you select Allow and log or Block and
log for any of the drop-down lists. In this case, at least one approved IP
address must be configured on the Approved IP Addresses tab; otherwise,
IP-based access control will not take effect.

3. Optionally select Also apply to digest inline action.
Selecting this check box applies the same setting configured for End
User Console to digest inline actions.
4. Optionally specify the email addresses to receive alerts on blocked or
logged access.
a. Type one or more email addresses as the alert recipients in the
Email Address field.
Use semicolons (;) to separate email addresses. There is no need to
add a space after a semicolon.
b. Specify the maximum number of alerts that can be sent within 24
hours.
5. Click Save.

Configuring Approved IP Addresses

Procedure
1. Go to Administration > Logon Access Control.
2. On the Approved IP Addresses tab, click Add.
3. Specify the IP address and type a description.
Only IPv4 addresses are supported. Private IP addresses are not
supported.
4. Click Save.
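
The following added example (not Trend Micro code) models the behaviour described in the two procedures above: the three actions, the rule that enforcement has no effect while the approved list is empty, and the IPv4-only, non-private restriction on approved entries. The function names are hypothetical, single-address entries are assumed, "private" is assumed to mean the RFC 1918 ranges, and the sample addresses are constructed.

```python
import ipaddress

# Actions offered on the Access Control Settings tab, as named on this page.
ACTIONS = ("Bypass", "Allow and log", "Block and log")

# Assumption of this example: "private IP addresses" means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_approved_entry(value):
    """Return an IPv4Address usable as an approved entry, or raise ValueError."""
    text = value.strip()
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{text!r}: only IPv4 addresses are supported") from exc
    if any(addr in net for net in RFC1918):
        raise ValueError(f"{text!r}: private IP addresses are not supported")
    return addr


def decide(client_ip, action, approved):
    """Model one access request; return (allowed, audit_logged)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    # Bypass skips the IP check. Per the Note, Allow and log / Block and log
    # also have no effect while no approved IP address is configured.
    if action == "Bypass" or not approved:
        return True, False
    # The page describes audit logging only for unapproved addresses.
    if ipaddress.ip_address(client_ip) in approved:
        return True, False
    return action == "Allow and log", True


def review_settings(settings, approved):
    """Return findings for a {surface: action} mapping and the approved set."""
    findings = []
    for surface, action in settings.items():
        if action not in ACTIONS:
            raise ValueError(f"{surface}: unknown action {action!r}")
        if action == "Bypass":
            findings.append(f"{surface}: Bypass, requests are not checked "
                            "against the approved IP addresses")
    if not approved and any(a != "Bypass" for a in settings.values()):
        findings.append("No approved IP address configured: IP-based access "
                        "control will not take effect")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration (documentation-range addresses).
    approved = {validate_approved_entry("203.0.113.10")}
    settings = {"Administrator Console": "Block and log",
                "End User Console": "Allow and log",
                "API Access": "Bypass"}
    for finding in review_settings(settings, approved):
        print("finding:", finding)
    for surface, action in settings.items():
        print(surface, decide("198.51.100.7", action, approved))
```
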

Directory Management
You can import LDAP Data Interchange Format (LDIF) or comma-separated
values (CSV) files into Trend Micro Email Security. This helps Trend Micro
Email Security to better filter and process messages for valid email
addresses. Messages to invalid email addresses will be rejected.
Trend Micro Email Security uses user directories to help prevent backscatter
(or outscatter) spam and Directory Harvest Attacks (DHA). Importing user
directories lets Trend Micro Email Security know legitimate email addresses
and domains in your organization.
Trend Micro Email Security also provides a synchronization tool that enables
you to synchronize your current groups, email accounts and email aliases
from Open LDAP, Microsoft Active Directory, Microsoft AD Global Catalog,
Office 365/Azure Active Directory and IBM Domino servers to the Trend
Micro Email Security server.
The Directory Management screen includes the following tabs:
• Directory Synchronize
  • Downloads: Displays the download paths or links to the Directory
  Synchronization Tool, Directory Synchronization Tool User's Guide,
  REST API Client, and REST API Online Help.
  • Synchronization Summary: Displays the total number of email
  aliases, groups, and valid recipients last synchronized from all
  directory sources.
  • Synchronization History: Displays the number of email aliases,
  groups, and valid recipients synchronized each time.
• Directory Import
  • Import User Directory: Selections for importing a new user
  directory file.
  • Imported User Directory History: The current user directory file(s)
  that Trend Micro Email Security is using.
• Export
  • Valid recipients: Exports the existing valid recipients to a CSV file.
  • Groups: Exports the existing groups to a CSV file.
  • Email aliases: Exports the existing email aliases to a CSV file.

Synchronizing User Directories

The Directory Synchronize tab displays downloads, synchronization
summary, and synchronization history. This screen consists of the following
sections:

• Downloads: Displays the download paths for the Directory
Synchronization Tool and Directory Synchronization Tool User's Guide.

• Synchronization Summary: Displays the total number of email aliases,
groups, and valid recipients last synchronized from all directory
sources.

• Synchronization History: Displays the number of email aliases, groups,
and valid recipients synchronized each time.

Element | Description
Timestamp | Time when a synchronization happened
Sync Objects | Objects that have been synchronized, such as email aliases, groups, and valid recipients. Note: Since version 2.0.10088 of the Directory Synchronization Tool, the number of email aliases, groups, and valid recipients synchronized every time has also been recorded here.
Sync Tool Location | Information about the machine where the synchronization tool is installed, including its IP address, FQDN or host name
Result | Whether the synchronization is successful or unsuccessful, or whether any groups, email aliases or policies were added or removed

Importing User Directories


You can import LDAP Data Interchange Format (LDIF) or comma-separated
values (CSV) files into Trend Micro Email Security. This helps Trend Micro
Email Security to better filter and process messages for valid email
addresses. Messages to invalid email addresses will be rejected.

Important
Before you import an LDIF or CSV directory file, note the following:

• Trend Micro Email Security only recognizes ANSI-encoded LDIF (with the
extension .ldf) and ANSI or UTF-8-encoded CSV (with the extension .csv)
files. Do not include blank lines or other irrelevant data in the file that you
import. Use caution when creating a file.

• When importing user directory files, Trend Micro Email Security replaces
all records for a managed domain at once. If any email addresses for a
managed domain are imported, all other email addresses for that domain
are removed. Newly imported email addresses for that domain, and
records for other managed domains, will be kept. If you import an updated
user directory file that does not have any information for one of your
domains, the entries for those domains remain the same and are not
overwritten.

Every time you import a directory file, it overwrites the old version. If you
import an updated directory file that has information for one of your
domains, all entries for those domains are overwritten. Use caution when
importing a directory.

• You can only see the directories that are associated with your
administrator account. If you are sharing your Trend Micro Email Security
service with another administrator (for example, a value-added reseller)
who logs on with his/her specific account information, Trend Micro Email
Security will not show the directories for that account.

• Every time you add more users to your network, you must import your
updated user directories; otherwise, Trend Micro Email Security will reject
email from newly added users.

WARNING!
Trend Micro strongly suggests that you do not import more than 24 directories
in a day. Doing so could overwhelm system resources.

Temporarily disable all valid recipients before importing a file. When you are
confident that all entries are correct, re-enable all valid recipients. To disable or
enable valid recipients, go to Inbound Protection > Connection Filtering >
Recipient Filter and click Disable All or Enable All.

Procedure
1. Next to Format, select the format type:
• LDIF
• CSV

Note
If you create a CSV file, divide the records into fields for
email_address and Firstname Lastname and separate them using a
comma and optional quotation marks. Use of spaces or other
delimiters is not supported. Use one record per line.
For example:

Valid

bob@example.com,Bob Smith
sally@example.com,Sally Jones

"bob@example.com","Bob Smith"
"sally@example.com","Sally Jones"

Not Valid

bob@example.com,Bob Smith,sally@example.com,Sally Jones

Microsoft Excel will save a two column chart as a CSV using valid
formatting.

2. Next to Name, type a descriptive name for the file.
3. Next to File location, type the file directory path and filename or click
Choose File and select the .ldf or .csv file on your computer.
4. Click Verify File to read the file and show a summary of how many email
addresses were found.
After the progress bar completes, a summary screen appears showing
the following:

• Import Summary: A summary of the information above

• Domains and Number of Users to Replace Current Users: The
domains that you specified when you subscribed to the Trend Micro
Email Security service

• Unauthorized Domains: Any domains that are included in your
directory file, but are not officially registered with your Trend Micro
Email Security service

Note
Trend Micro Email Security does not provide service for these
domains and their corresponding email addresses.

5. Click Import.

This will import and then enable the email address list.
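
The following added example (not Trend Micro code) is a pre-import check that applies the CSV rules and the replace-per-domain behaviour described above to a file before it is uploaded. The function name, the result keys and the simplified email address test are assumptions of this example; the sample records are the ones shown on this page plus constructed ones.

```python
import csv
from collections import Counter


def check_directory_csv(text, managed_domains):
    """Check CSV import text; report errors and the per-domain effect of importing it."""
    managed = {d.lower() for d in managed_domains}
    errors = []            # (line number, reason)
    users = Counter()      # managed domain -> number of addresses in the file
    unauthorized = set()   # domains in the file that are not managed domains

    for lineno, line in enumerate(text.splitlines(), start=1):
        # Blank lines are not allowed in the import file.
        if not line.strip():
            errors.append((lineno, "blank line"))
            continue
        # One record per line: comma-separated, optional quotation marks.
        try:
            fields = next(csv.reader([line], strict=True))
        except csv.Error as exc:
            errors.append((lineno, f"bad quoting: {exc}"))
            continue
        if len(fields) != 2:
            errors.append((lineno, f"expected 2 fields, found {len(fields)}"))
            continue
        address = fields[0]
        local, sep, domain = address.rpartition("@")
        # Simplified address test (assumption): local@domain.tld, no spaces.
        if (not sep or not local or "." not in domain
                or any(ch.isspace() for ch in address)):
            errors.append((lineno, f"not an email address: {address!r}"))
            continue
        domain = domain.lower()
        if domain in managed:
            users[domain] += 1
        else:
            unauthorized.add(domain)

    return {
        "errors": errors,
        # Domains present in the file: all of their current records are replaced.
        "replaced": dict(users),
        # Managed domains absent from the file: their entries remain the same.
        "unchanged": sorted(managed - set(users)),
        # Reported as Unauthorized Domains; no service is provided for them.
        "unauthorized": sorted(unauthorized),
    }


if __name__ == "__main__":
    # Constructed sample: one blank line, one unmanaged domain.
    sample = (
        "bob@example.com,Bob Smith\n"
        "\n"
        '"sally@example.org","Sally Jones"\n'
    )
    report = check_directory_csv(sample, ["example.com", "example.net"])
    for key, value in report.items():
        print(f"{key}: {value}")
```
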

Exporting User Directories

You can export valid recipients, groups and email aliases to a
comma-separated values (CSV) file.

Procedure

1. Choose to export valid recipients, groups or email aliases and do the
following:

• Select a domain from the Valid recipients drop-down list and click
Export to CSV.

• Select a group from the Groups drop-down list and click Export to
CSV.

• Next to Email aliases, click Export to CSV.

Note
In the exported file, the primary email alias displays at the beginning
of each line.

Installing the Directory Synchronization Tool


The Directory Synchronization Tool automates the import of directory files
for valid recipient email addresses, user groups and email aliases. The
Directory Synchronization Tool provides functionality similar to the Import
User Directory feature on the Directory Import screen.

Procedure
1. Go to Administration > Service Integration.
2. On the API Access tab, click Add to generate a key.
The API Key is the global unique identifier for your Directory
Synchronization Tool to authenticate its access to Trend Micro Email
Security. It must be used together with the administrator account that
created it. A new API Key is enabled by default.
If you want to change your API Key later on, click Add to generate a new
key and use the new key in your requests. You can click the toggle button
under Status to disable the old key or delete it if both of the following
conditions are met:
• Requests can be sent successfully with the new key.
• The old key is not used by any other applications that have access to
Trend Micro Email Security.
A maximum of two API Keys are allowed at a time.

Important
The API Key allows your Directory Synchronization Tool to communicate
with Trend Micro Email Security. Keep the API Key private.

3. In the Downloads list, click download to download the desired items.
• Directory Synchronization Tool: Provided for synchronizing
accounts and groups between local directories and the Trend Micro
Email Security server.
• Directory Synchronization Tool User's Guide: Available for more
information on using the synchronization tool.
4. Save the tool on a local drive.
5. Follow the installation steps to install the tool.

Co-Branding
Trend Micro Email Security enables you to display a service banner, for
example, your company logo, on the top banner of the Trend Micro Email
Security administrator console and End User Console. This is a cost-effective
way to promote your company and brand awareness.
After configuring co-branding settings, provide your customers with the web
address to access their co-branded administrator console or End User
Console if you are a reseller. The web address may vary for different regions.
Table 70. Administrator Console Addresses

Account Type | Console Address

Customer Licensing Portal accounts and Licensing Management Platform accounts | For these accounts, the web addresses of the administrator console still remain unchanged. For detailed web addresses, see Accessing the Trend Micro Email Security Administrator Console on page 26.

Local subaccounts added by the administrator | Append /co-brand/ and the Trend Micro Email Security account name to the base URL. For example, to access the co-branded administrator console for the account named “adminB”, type the following address for your region:
• North America, Latin America and Asia Pacific: https://ui.tmes.trendmicro.com/co-brand/adminB
• Europe, the Middle East and Africa: https://ui.tmes.trendmicro.eu/co-brand/adminB
• Australia and New Zealand: https://ui.tmes-anz.trendmicro.com/co-brand/adminB
• Japan: https://ui.tmems-jp.trendmicro.com/co-brand/adminB
• Singapore: https://ui.tmes-sg.trendmicro.com/co-brand/adminB
• India: https://ui.tmes-in.trendmicro.com/co-brand/adminB

SSO accounts | For these accounts, the console address is the URL generated in Step 4 in Configuring Single Sign-On on page 315.

Table 71. End User Console Addresses

Account Type | Console Address

Local accounts | Append /euc-co-brand/ and the Trend Micro Email Security managed domain to the base URL. For example, to access the co-branded End User Console for the managed domain “example.com”, type the following address for your region:
• North America, Latin America and Asia Pacific: https://euc.tmes.trendmicro.com/euc-co-brand/example.com
• Europe, the Middle East and Africa: https://euc.tmes.trendmicro.eu/euc-co-brand/example.com
• Australia and New Zealand: https://euc.tmes-anz.trendmicro.com/euc-co-brand/example.com
• Japan: https://euc.tmems-jp.trendmicro.com/euc-co-brand/example.com
• Singapore: https://euc.tmes-sg.trendmicro.com/euc-co-brand/example.com
• India: https://ui.tmes-in.trendmicro.com/co-brand/adminB

SSO accounts | For these accounts, the console address is the URL generated in Step 4 in Configuring Single Sign-On on page 336.

Service Integration
Currently, Trend Micro Email Security integrates with the following Trend
Micro products:
• Apex Central
For more information about Apex Central, see Apex Central on page 23.
• Remote Manager
For more information about Remote Manager, see Trend Micro Remote
Manager on page 25.
Furthermore, Trend Micro Email Security exposes APIs to allow
integration with external systems. For example, Trend Micro Email
Security provides REST APIs that allow customers to query domains; query, add,
replace, and delete directory users; and retrieve policy event logs and mail
tracking logs for the purpose of third-party SIEM application integration.

API Access
Trend Micro Email Security allows connection from the Directory
Synchronization Tool to automate the import of directory files for valid
recipient email addresses, user groups and email aliases. Also, Trend Micro
Email Security provides programmatic access through REST APIs, allowing
customers to perform create, read, update and delete operations on
resources within Trend Micro Email Security.
To use these features, API Keys are required to authenticate the external
systems' access to Trend Micro Email Security.
The API Access tab lets you obtain and manage your API Keys.

Obtaining an API Key

Procedure
1. Go to Administration > Service Integration.
2. On the API Access tab, click Add to generate a key.
The API Key is the global unique identifier for your application to
authenticate its access to Trend Micro Email Security. It must be used
together with the administrator account that created it. A new API Key is
enabled by default.
If you want to change your API Key later on, click Add to generate a new
key and use the new key in your requests. You can click the toggle button
under Status to disable the old key or delete it if both of the following
conditions are met:
• Requests can be sent successfully with the new key.
• The old key is not used by any other applications that have access to
Trend Micro Email Security.

A maximum of two API Keys are allowed at a time.

Important
The API Key allows your application to communicate with Trend Micro
Email Security. Keep the API Key private.

Log Retrieval
The Log Retrieval tab allows you to decide whether to retrieve policy event
logs and mail tracking logs via REST APIs for third-party SIEM application
integration.
To retrieve the logs, you must enable the log retrieval function first.
For more information about log retrieval via REST APIs, refer to the Trend
Micro Email Security REST API Online Help at
http://docs.trendmicro.com/en-us/enterprise/trend-micro-email-security.aspx.

Apex Central
Trend Micro Apex Central consolidates your organization's Virtual Analyzer
and user-defined suspicious object lists and synchronizes the lists among
integrated managed products. After Trend Micro Email Security is registered
to Apex Central, Apex Central automatically synchronizes the Virtual
Analyzer and user-defined suspicious object lists with Trend Micro Email
Security at a scheduled time interval. In addition to its own scanning
mechanism, Trend Micro Email Security implements these lists during URL
and file scanning.
The Apex Central tab lets you configure the following suspicious object lists:
• Suspicious URL list
• Suspicious file list
For more information about how Apex Central manages suspicious object
lists, see the Apex Central Administrator's Guide.

Configuring Suspicious Object Settings


Trend Micro Apex Central consolidates and synchronizes the Virtual
Analyzer and user-defined suspicious object lists with Trend Micro Email
Security. Enable this feature to implement the lists during scanning.

Before you begin configuring this feature, make sure that:

• You have installed Apex Central, and your Apex Central has a serving
Deep Discovery product, which can be a Deep Discovery Inspector, Deep
Discovery Email Inspector, or Deep Discovery Analyzer.

• Your Trend Micro Email Security has been registered to a required
Trend Micro Apex Central.

• You have enabled Web Reputation settings in the spam policy you want
to apply the suspicious URL list to.

Procedure

1. Go to Administration > Service Integration.

2. Click Apex Central.

3. Select the Enable check box to enable this feature.

4. Under Security Level for Files, specify the security level for files to
determine whether to take actions on the files:

• High: Applies actions on files that exhibit any suspicious behavior.

• Medium: Applies actions on files that have a moderate to high
probability of being malicious.

• Low: Applies actions on files that have a high probability of being
malicious.

Suspicious URLs are detected during Web Reputation scanning.
Therefore, when you configure Web Reputation settings in your spam
policy, specify the security level to determine whether to take actions on
the URLs.

Note
Trend Micro Email Security classifies all files and URLs in the user-defined
suspicious object lists as "High" risk.

5. Check additional information about suspicious object list
synchronization from Apex Central.
6. Click Save.

Remote Manager
The Remote Manager tab shows the settings you must configure to integrate
with Remote Manager.
To enable Trend Micro Remote Manager to monitor and manage Trend
Micro Email Security:
1. Contact your reseller administrator to add Trend Micro Email Security
as a managed product on the Remote Manager web console and obtain
the authorization key generated by Remote Manager.
2. Go to Administration > Service Integration and click Remote Manager.
3. Type the authorization key you obtained and click Connect.
To prevent Trend Micro Remote Manager from managing Trend Micro Email
Security:
1. Go to Administration > Service Integration and click Remote Manager.
2. Click Discontinue.
3. After you get a confirmation message, click OK.

License Information
The License Information screen provides a summary of the following:
• Purchased version: Displays the product license version you purchased.

• Activation code: Displays the activation code.
• Expiration date: Displays the date on which your license expires.
• Grace end date: Displays the end date of the grace period granted after
the expiration of your license.
• License type: Displays either “Full” or “Trial” version.
• Seat count: Displays the total number of seats assigned to your license.
Immediately after your license expires, it will go through a grace period,
wherein the service continues as expected. After the grace period, your
service will be suspended, and your data will be permanently deleted. To
prevent unnecessary disruptions to your email service, please renew your
license or change your MX records before the grace end date.
If you have two valid licenses (namely, Trend Micro Email Security Standard
and Trend Micro Email Security Advanced), both of them display on this
screen and Trend Micro Email Security Advanced applies by default. After
the grace period of Trend Micro Email Security Advanced expires, your
license will automatically downgrade to Trend Micro Email Security
Standard.
There are two ways to manage your licenses:
• From the Licensing Management Platform
The Licensing Management Platform allows partners to self-provision
and auto-renew licenses. Contact your reseller or MSP to add, renew or
extend your licenses.
• From the Customer Licensing Portal
Visit the Customer Licensing Portal website at https://clp.trendmicro.com
and activate, register and manage your products on
the portal. For details, see the supporting documentation at:
http://docs.trendmicro.com/en-us/smb/customer-licensing-portal.aspx
If you want to convert a trial license into a full license or upgrade from Trend
Micro Email Security Standard to Trend Micro Email Security Advanced, do
the following:

1. Log on to the Customer Licensing Portal website (https://clp.trendmicro.com).

2. From the Customer Licensing Portal page, click Provide Key.

3. Provide your activation code and click Continue.

Activating Sandbox as a Service


To activate Sandbox as a Service, obtain the Activation Code from your Trend
Micro sales representative or reseller and provide the Activation Code on the
Customer Licensing Portal.

Note
If you have not activated the license for Sandbox as a Service or your license
expires, all your Virtual Analyzer settings in virus and spam policies cannot
take effect.

Procedure

1. Log on to the Customer Licensing Portal using your Trend Micro
account and password.

2. Click the My Products/Services menu tab.

3. Click Provide Key.

The License Key screen appears.

4. Type your Activation Code.

5. Click Continue.

The My Products/Services screen appears and displays the updated
license information.

6. Log on to the Trend Micro Email Security administrator console.

7. Check whether the license activation is successful.

Wait for some time because the license activation may take as long as 20
minutes to finish. If you keep seeing the error message about the
Sandbox as a Service license after that, contact technical support for
assistance.

Migrating Data from Hosted Email Security


If you are a customer of Trend Micro Hosted Email Security and want to
switch to Trend Micro Email Security, Trend Micro Email Security allows you
to migrate your existing data from Hosted Email Security.
There are two ways to migrate your data:
• Provisioning wizard
When you log on to the Trend Micro Email Security administrator
console for the first time, a provisioning wizard will be launched, asking
whether to migrate your data from Hosted Email Security before
provisioning your account. If you choose to migrate data, follow the on-
screen instructions to perform migration. If you choose not to migrate
data, you will proceed with provisioning.
• Data migration tool
If you decide to migrate data after going through all the features on the
administrator console, choose Administration > Hosted Email Security
Migration Tool to run the tool for data migration. The data migration
tool is only available after you choose not to migrate data in the
provisioning wizard. Follow the on-screen instructions to perform
migration with the tool.
The following procedure details how to use the wizard for data migration and
provisioning.

Procedure
1. In the provisioning wizard, choose Migrate data from Hosted Email
Security.

The migration starts, and the progress is displayed in the wizard.
The migration process may take up to one hour depending on the size of
your account, domain and policy settings.
2. Click Next once the migration is done.
You are ready to proceed with provisioning.

Note
If you have any settings in Trend Micro Email Security, your current
settings will be overwritten during the migration process.

3. Provide your administrator profile information.
Keep your information current because Trend Micro will send you
important maintenance plans, urgent incidents and new features.
a. Type your first name and last name.
b. Specify your email address.
c. Click Next.
An email message will be sent to your registered email address.
Check your mailbox and click the verification link in the message to
proceed.
4. Set your company identifier.

Note
Your domain settings will then be migrated from Hosted Email Security.

Trend Micro generates a custom subdomain for your company based on
the company identifier you set. For example, if your company identifier is
"example", your MX record for incoming email messages will be generated
based on your location.

• North America, Latin America and Asia Pacific:

example.in.tmes.trendmicro.com

• Europe, the Middle East and Africa:

example.in.tmes.trendmicro.eu

• Australia and New Zealand:

example.in.tmes-anz.trendmicro.com

• Japan:

example.in.tmems-jp.trendmicro.com

• Singapore:

example.in.tmes-sg.trendmicro.com

• India:

example.in.tmes-in.trendmicro.com

You still need to perform further setup tasks to get Trend Micro Email
Security up and running. For details, see Setting Up Trend Micro Email
Security After Data Migration on page 373.

Data That Will Be Migrated


The following data and settings will be migrated to Trend Micro Email
Security:

• Dashboard customization settings

• Sender Filter settings

• Keywords and expressions in policy objects

• Notifications in policy objects

• Stamps in policy objects

• Web Reputation Approved List

• BEC settings

• Scan exceptions and settings

• IP reputation settings

Note
If your license for Hosted Email Security has expired, IP reputation
settings will not be migrated.

• Time-of-Click Protection settings

• Sender address types in quarantine settings

• End user logon method settings

• Synchronization authentication key for Directory Synchronization Tool

• Administrator profile information

• Administrator subaccounts

Note
If the subaccount names that you migrate from Hosted Email Security
already exist in Trend Micro Email Security, those subaccounts will be
renamed, and you will be prompted with the details.

• Co-branding settings

• Policy rule order

Note
The order of policy rules can be customized for a single domain in Hosted
Email Security. After migration, policy rules are categorized by different
types of rules in Trend Micro Email Security, but the order for each type of
rules is retained. For example, for virus policy rules of a single domain,
the original order will still be applied.

• Domain settings, including inbound server information, outbound server
information and domain status
• All policy rules
• Recipient Filter settings
• Approved and blocked senders
• TLS Peers
• SPF settings
• DKIM verification and signing settings
• DMARC settings
• Quarantine digest settings
• End user managed accounts

Data That Will Not Be Migrated


The following data and settings will not be migrated to Trend Micro Email
Security:
• Mail tracking logs
• Quarantine messages and logs
• Policy event logs
• Audit logs
• DMARC records


• Statistical data on the dashboard

• Last trigger time of policy rules

• Synchronization history of valid recipients, groups and email aliases

• Single sign-on settings for end user accounts

• Remote Manager integration settings

Setting Up Trend Micro Email Security After Data Migration


To ensure your organization achieves effective email security protection,
Trend Micro Email Security recommends you perform the following tasks
after data migration:

1. Verify the migrated data on the Trend Micro Email Security
administrator console.

For details about the migrated data, see Data That Will Be Migrated on
page 370.

2. Set up Trend Micro Email Security after migration, for example, adjust
your domain and account settings.

a. Check the status of the domain you added for provisioning and
make sure your domain has been properly configured.

Perform the following operations if necessary:

• Verify your domain to prove that you own the domain.

• Modify your firewall settings to accept email messages from
Trend Micro Email Security.

• Change the MX record of your domain to point to the Trend
Micro Email Security server.

• Modify the SPF record for your domain.

For details, see Configuring a Domain on page 64.


b. Obtain the web address for you to access the Trend Micro Email
Security administrator console based on your licensing agreement
with Trend Micro.

For details, see Accessing the Trend Micro Email Security Administrator
Console on page 26.

c. Share the End User Console web address for your region with your
end users:

• North America, Latin America and Asia Pacific:

https://euc.tmes.trendmicro.com

• Europe, the Middle East and Africa:

https://euc.tmes.trendmicro.eu

• Australia and New Zealand:

https://euc.tmes-anz.trendmicro.com

• Japan:

https://euc.tmems-jp.trendmicro.com

• Singapore:

https://euc.tmes-sg.trendmicro.com

• India:

https://euc.tmes-in.trendmicro.com

3. If you want to enable single sign-on (SSO) for end user accounts,
complete required settings.

For details, see Configuring Single Sign-On on page 336.

4. Install the latest version of the Directory Synchronization Tool.

For details, see Installing the Directory Synchronization Tool on page 358.


Migrating Data from IMSS or IMSVA


If you are a customer of InterScan Messaging Security Suite (IMSS) or
InterScan Messaging Security Virtual Appliance (IMSVA) and want to switch
to Trend Micro Email Security, Trend Micro Email Security allows you to
migrate your existing data from IMSS 9.1 or IMSVA 9.1.

Data That Will Be Migrated


All settings in IMSS or IMSVA will be migrated to Trend Micro Email Security
completely or partially except those listed in Data That Will Not Be Migrated
on page 382. Among the settings that are partially migrated, some are
modified to adapt to Trend Micro Email Security due to the feature
differences between IMSS or IMSVA and Trend Micro Email Security.
Therefore, you need to confirm or fix these settings according to the
on-screen instructions after migration.
The following table lists some examples of the settings that will be partially
migrated and describes the feature differences.

Note
For details about all the settings that are completely or partially migrated, see
the data migration report downloaded from the Trend Micro Email Security
administrator console when the migration completes.


Navigation in IMSS or IMSVA: Policy > Policy List
Source Settings: The following settings on the Step 1: Select Recipients and Senders screen:
• Sender
• Recipient
• Sender to recipient exception
Navigation in Trend Micro Email Security: The following submenus under the Inbound Protection and Outbound Protection menus:
• Virus Scan
• Spam Filtering
• Content Filtering
• Data Loss Prevention (DLP)
Destination Settings: The following settings in the Senders section of the Recipients and Senders tab:
• Sender
• Recipient
• Sender to recipient exception
Feature Differences: LDAP users in IMSS or IMSVA are migrated as static email addresses in Trend Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Policy List
Source Settings: Condition match settings on the Step 2: Select Scanning Conditions screen
Navigation in Trend Micro Email Security:
• Inbound Protection > Content Filtering
• Outbound Protection > Content Filtering
Destination Settings: Condition match settings in the Advanced section of the Scanning Criteria tab
Feature Differences: Only content filtering supports all condition matched (AND).

Navigation in IMSS or IMSVA: Policy > Policy List
Source Settings: True file type settings in the Attachment section of the Step 2: Select Scanning Conditions screen
Navigation in Trend Micro Email Security:
• Inbound Protection > Content Filtering
• Outbound Protection > Content Filtering
Destination Settings: True file type settings in the Advanced section of the Scanning Criteria tab
Feature Differences: Trend Micro Email Security does not support MSI, PNG, 7-Zip, or Microsoft Windows shortcuts.

Navigation in IMSS or IMSVA: Policy > Approved List
Source Settings: The settings of the following approved lists:
• DKIM approved list
• Web reputation approved list
• URL keyword list
Navigation in Trend Micro Email Security:
• Inbound Protection > Domain-based Authentication > DomainKeys Identified Mail (DKIM) Verification (Ignored peers of the Default domain)
• Administration > Policy Objects > Web Reputation Approved List
• Administration > Policy Objects > URL Keyword Exception List
Destination Settings: The settings of the following approved lists:
• DKIM approved list
• Web reputation approved list
• URL keyword exception list
Feature Differences: None

Navigation in IMSS or IMSVA: Policy > Policy Objects > Address Groups
Source Settings: Name and address settings of an address group
Navigation in Trend Micro Email Security: Administration > Policy Objects > Address Groups
Destination Settings: Name and address settings of an address group
Feature Differences: Trend Micro Email Security supports wildcard domains (for example, *@*.example.com) in hybrid address groups, and does not support wildcard domains in internal address groups.
If an address group is used as senders (or sender exceptions) in outbound policies or recipients (or recipient exceptions) in inbound policies and the group contains email addresses from unmanaged domains, Trend Micro Email Security will create a copy of the address group, delete those email addresses from the copy, and suffix the copy name with " - internal".

Navigation in IMSS or IMSVA: Policy > Policy Objects > Keywords & Expressions
Source Settings: Match settings of a keyword or expression
Navigation in Trend Micro Email Security: Administration > Policy Objects > Keywords and Expressions
Destination Settings: Match settings of a keyword or expression
Feature Differences: None

Navigation in IMSS or IMSVA: Policy > Policy Objects > Policy Notification
Source Settings: Variables list in the settings of a policy notification
Navigation in Trend Micro Email Security: Administration > Policy Objects > Notification
Destination Settings: Variables list in the settings of a policy notification
Feature Differences: Trend Micro Email Security does not support the following variables:
• %RULETYPE%
• %ENTITY%
• %QUARANTINE_PATH%
• %QUARANTINE_AREA%
• %PROTOCOL%
• %HOSTNAME%
• %MAILCHARSET%
• %SUSPICIOUS_URL%

Navigation in IMSS or IMSVA: Sender Filtering > Approved List
Source Settings: The following settings of an approved list:
• IP addresses
• Groups of computers
Note
Trend Micro Email Security migrates IP addresses and groups of computers from IMSVA only if the Email Reputation and IP Profiler check box to the right of Apply to is selected. This restriction does not apply to IMSS.
Navigation in Trend Micro Email Security: Inbound Protection > Connection Filtering > IP Reputation > Approved IP Addresses
Destination Settings: IP address settings in the IP addresses section
Feature Differences: Trend Micro Email Security does not support the following settings:
• IP addresses resolved from domains
• Private IP addresses
• IP addresses in disabled approved lists

Navigation in IMSS or IMSVA: Sender Filtering > Blocked List
Source Settings: The following settings of a blocked list:
• IP addresses
• Groups of computers
Note
Trend Micro Email Security migrates only IP addresses and groups of computers whose Action is Block Permanently.
Navigation in Trend Micro Email Security: Inbound Protection > Connection Filtering > IP Reputation > Blocked IP Addresses
Destination Settings: IP address settings in the IP addresses section
Feature Differences: Trend Micro Email Security does not support the following settings:
• IP addresses resolved from domains
• Private IP addresses
• IP addresses in disabled blocked lists

Navigation in IMSS or IMSVA: Sender Filtering > DMARC
Source Settings: DMARC settings
Note
DMARC settings are available only in IMSVA.
Navigation in Trend Micro Email Security: Inbound Protection > Domain-based Authentication > Domain-based Message Authentication, Reporting and Conformance (DMARC)
Destination Settings: DMARC settings
Feature Differences: Trend Micro Email Security does not support DMARC exception lists in the format of IP addresses.

Navigation in IMSS or IMSVA: Administration > IMSVA Configuration > DKIM Signature
Source Settings: Advanced settings of DKIM signatures
Note
DKIM signatures are available only in IMSVA.
Navigation in Trend Micro Email Security: Outbound Protection > DomainKeys Identified Mail (DKIM) Signing
Destination Settings: Advanced settings of DKIM signatures
Feature Differences: Trend Micro Email Security does not support exempt domains.
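
The feature differences above can be checked against your own IMSS or IMSVA settings before migration, so that you know in advance which notification variables and blocked list entries will not carry over. The following Python script is an added example, not part of this guide or of the migration tool. It assumes that list entries are single IP addresses, CIDR blocks, or host names, that "private IP addresses" means the RFC 1918 and RFC 4193 ranges, and that you copy the values out of the console yourself; all sample data, including the "Block Temporarily" label and the %SENDER% variable, is constructed.

```python
"""Pre-migration audit based on the feature differences listed above."""
import ipaddress
import re

# Notification variables listed above as unsupported in Trend Micro Email Security.
UNSUPPORTED_VARS = frozenset({
    "%RULETYPE%", "%ENTITY%", "%QUARANTINE_PATH%", "%QUARANTINE_AREA%",
    "%PROTOCOL%", "%HOSTNAME%", "%MAILCHARSET%", "%SUSPICIOUS_URL%",
})

# Assumption: "private IP addresses" means RFC 1918 (IPv4) and RFC 4193 (IPv6).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def unsupported_variables(template):
    """Return the unsupported %VARIABLE% tokens used in a notification body."""
    found = set(re.findall(r"%[A-Z_]+%", template))
    return sorted(found & UNSUPPORTED_VARS)


def classify_entry(value):
    """Classify one list entry as 'ip', 'private', or 'hostname'."""
    try:
        net = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        # Not an IP literal or CIDR block, so it would have to be resolved by DNS.
        return "hostname"
    for private in PRIVATE_NETS:
        if net.version == private.version and net.subnet_of(private):
            return "private"
    return "ip"


def blocked_list_outcome(value, action, list_enabled=True):
    """Apply the blocked list rules from the table to one entry."""
    if not list_enabled:
        return "dropped: entry is in a disabled blocked list"
    if action != "Block Permanently":
        return "dropped: only entries whose Action is Block Permanently migrate"
    kind = classify_entry(value)
    if kind == "hostname":
        return "dropped: IP addresses resolved from domains are not supported"
    if kind == "private":
        return "dropped: private IP addresses are not supported"
    return "migrated"


def audit_blocked_list(entries):
    """Return {value: reason} for every entry that will not be migrated."""
    dropped = {}
    for value, action, list_enabled in entries:
        outcome = blocked_list_outcome(value, action, list_enabled)
        if outcome != "migrated":
            dropped[value] = outcome
    return dropped


# Constructed sample data (documentation address ranges and placeholder names).
SAMPLE_TEMPLATE = "Rule type %RULETYPE% triggered on %HOSTNAME% for %SENDER%"
SAMPLE_BLOCKED = [
    # (entry, Action, list enabled)
    ("198.51.100.25", "Block Permanently", True),
    ("203.0.113.0/24", "Block Temporarily", True),  # constructed action label
    ("10.20.30.40", "Block Permanently", True),
    ("spam-relay.example.net", "Block Permanently", True),
    ("192.0.2.77", "Block Permanently", False),
]

if __name__ == "__main__":
    print("Unsupported variables:", unsupported_variables(SAMPLE_TEMPLATE))
    for value, reason in audit_blocked_list(SAMPLE_BLOCKED).items():
        print(f"{value}: {reason}")
```

Entries reported as dropped have to be re-created manually in Trend Micro Email Security if you still need them.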

Data That Will Not Be Migrated


The following table lists the settings on the IMSS or IMSVA management
console that will not be migrated to Trend Micro Email Security and
describes the reason. All settings on the EUQ management console will not
be migrated.

Note
For details about all the settings that are not migrated, see the data migration
report downloaded from the Trend Micro Email Security administrator console
when the migration completes.


Navigation in IMSS or IMSVA: Dashboard
Settings: All settings
Remarks: The dashboard is a statistical summary of past mail traffic and scanning results. Trend Micro Email Security provides a more powerful dashboard feature.

Navigation in IMSS or IMSVA: System Status
Settings: All settings
Remarks: Trend Micro Email Security is a cloud-based product. It is unnecessary to display system status information.

Navigation in IMSS or IMSVA: Cloud Pre-Filter
Settings: All settings
Remarks: Trend Micro Email Security is a cloud-based product. It is unnecessary to display cloud pre-filter information.

Navigation in IMSS or IMSVA: Policy > Policy List
Settings:
• Settings on the Step 1: Select Recipients and Senders screen
    • POP3 option of the This rule will apply to drop-down list
• Settings on the Step 2: Select Scanning Conditions screen
    • C&C email settings check box in the C&C Email section
    • Received time range check box in the Others section
    • Unable to decrypt messages check box in the Others section
    • Spoofed internal messages check box in the Others section
• Settings on the Step 3: Select Actions screen
    • Postpone delivery to check box in the Modify section
    • Archive modified to check box in the Monitor section
Remarks: Trend Micro Email Security does not support these settings.

Navigation in IMSS or IMSVA: Policy > Scanning Exceptions
Settings: All settings
Remarks: Trend Micro Email Security provides more powerful scan exception configuration, which is different from the configuration in IMSS or IMSVA. You need to manually configure scan exception settings in Trend Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Policy Objects > DLP Compliance Templates
Settings: Predefined DLP compliance templates
Remarks: Trend Micro Email Security already provides predefined DLP compliance templates.

Navigation in IMSS or IMSVA: Policy > Policy Objects > DLP Data Identifiers
Settings: Predefined expressions, file attributes, and keyword lists
Remarks: Trend Micro Email Security already provides predefined DLP data identifiers.

Navigation in IMSS or IMSVA: Policy > Scan Engine
Settings: All settings
Remarks: Advanced Threat Scan Engine is enabled automatically in Trend Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Internal Addresses
Settings: All settings
Remarks: IMSS or IMSVA uses the Internal Addresses menu to determine mail traffic direction in policy configuration. This is unnecessary in Trend Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Smart Protection
Settings: All settings
Remarks: Smart Protection is enabled automatically in Trend Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Encryption Settings
Settings: All settings
Remarks: These settings are designed for on-premise products. Trend Micro Email Security completes all encryption settings on the cloud server automatically.

Navigation in IMSS or IMSVA: Sender Filtering > Overview
Settings: All settings
Remarks: Trend Micro Email Security provides block traffic details under Logs > Mail Tracking.

Navigation in IMSS or IMSVA: Sender Filtering > Rules
Settings: All settings
Remarks: Trend Micro Email Security does not support this feature.

Navigation in IMSS or IMSVA: Sender Filtering > Suspicious IP
Settings: All settings
Remarks: Trend Micro Email Security does not support this feature.

Navigation in IMSS or IMSVA: Reports
Settings: All settings
Remarks: Trend Micro Email Security provides a more powerful report feature.

Navigation in IMSS or IMSVA: Logs
Settings: All settings
Remarks: Trend Micro Email Security provides a more powerful log query feature.

Navigation in IMSS or IMSVA: Mail Areas & Queues
Settings: All settings
Remarks: Trend Micro Email Security provides a more powerful quarantine query feature. Other mail queue management is not supported by Trend Micro Email Security.

Navigation in IMSS or IMSVA: Administration
Settings: All settings except DKIM signatures
Remarks: These features provided by IMSS or IMSVA are mainly for on-premise products while Trend Micro Email Security is a cloud-based product.

Prerequisites for Data Migration


Before migrating data from IMSS 9.1 or IMSVA 9.1, make sure the following
has been done:
• Add, provision, and verify the domains you want to manage through
Trend Micro Email Security.
For details, see Adding a Domain on page 62.

• Synchronize with LDAP servers using the Directory Synchronization
Tool if IMSS or IMSVA has enabled LDAP settings.
The Directory Synchronization Tool is available under Administration >
Directory Management.
For details, refer to Directory Synchronization Tool User's Guide.
• Enable IMSS or IMSVA to support Trend Micro Email Security migration
by doing the following:
1. On the IMSS or IMSVA management console, go to Administration
> Updates > System & Applications and check the build number.
If the build number does not meet the following requirements,
install the latest service pack and hotfix.
• IMSS 9.1.0.1357 or later
• IMSVA 9.1.0.2011 or later
2. Enable the hidden key in the IMSS or IMSVA admin database by
running the following SQL statements:

Note
IMSS and IMSVA use the same configuration file imss.ini.

insert into tb_global_setting (section, name, value, inifile)
values ('imp_exp', 'enable_ems_migrate', '1', 'imss.ini');

• Export configuration files from the IMSS or IMSVA management console
under Administration > Import/Export.

Migrating Data to Trend Micro Email Security

Procedure

1. Go to Administration > IMSS/IMSVA Migration Tool.

2. Read the on-screen instructions, and click Get Started.

3. On the pop-up screen, click Choose File..., select the configuration file
you exported, select Overwrite or Merge, and click Next.

Trend Micro Email Security begins to create a migration task, analyze
the configuration file, and generate a data analysis report.

Note
This process may take several minutes, depending on the size of the
configuration file.

4. At Step 2 on the pop-up screen, view pre-migration check results to
determine which settings will be migrated to Trend Micro Email
Security and which will not.

a. Select an option from the Show drop-down list to show the settings
in a specific state.

• Not supported: Settings in this state are not supported in Trend
Micro Email Security and will not be migrated. If you need
these settings, you have to add them in Trend Micro Email
Security manually.

• Error: There are some critical issues about the settings in this
state, but the settings will still be migrated to Trend Micro
Email Security. During migration, some improper settings may
be removed or modified. The settings in Trend Micro Email
Security may be unexpected after migration, and the
corresponding policies will be disabled temporarily. You need
to fix these error settings and enable the policies manually
after migration.

• Warning: There are some minor issues about the settings in
this state, and the settings will be automatically handled by
Trend Micro Email Security. You only need to confirm these
warning settings after migration.
• Successful: Settings in this state will be migrated to Trend
Micro Email Security without any issue.
b. View the detailed description of the settings in the table.
c. Click Download Report to download the data analysis report.
d. (Optional) If the data analysis report contains too many error
settings, click Cancel, modify the settings, and restart migration.
Clicking Cancel at this step will not import the settings into Trend
Micro Email Security.
5. Click Next to proceed with the migration.
Trend Micro Email Security begins to analyze the configuration file,
import settings in the configuration file, and generate a data migration
report.

Note
This process may take several minutes, depending on the size of the
configuration file.

6. At Step 3 on the pop-up screen, view the migration results to find which
settings are migrated to Trend Micro Email Security and which are not.
a. Select an option from the Show drop-down list to show the settings
in a specific state.
• Not supported: Settings in this state are not supported in Trend
Micro Email Security and are not migrated. If you need these
settings, you have to add them in Trend Micro Email Security
manually.
• Error: There are some critical issues about the settings in this
state, but the settings are still migrated to Trend Micro Email
Security. During migration, some improper settings may be
removed or modified. The settings in Trend Micro Email
Security may be unexpected after migration, and the
corresponding policies are disabled temporarily. You need to
fix these error settings and enable the policies manually after
migration.
• Warning: There are some minor issues about the settings in
this state, and the settings are automatically handled by Trend
Micro Email Security. You only need to confirm these warning
settings after migration.
• Successful: Settings in this state are migrated to Trend Micro
Email Security without any issue.
b. View the detailed description of the settings in the table.
c. Click Download Report to download the data migration report.
7. Click Finish.
Under Inbound Protection and Outbound Protection, you will find that
the Migration status drop-down list and Migration Status column are
added on the policy list screens. Deselect the Show migration status
check box in the migration tool if you do not want Trend Micro Email
Security to show the Migration status drop-down list and Migration
Status column any more.
You still need to verify the migrated data after the migration. For details,
see Verifying Data After Migration on page 390.

Verifying Data After Migration


To ensure your organization achieves effective email security protection,
Trend Micro Email Security recommends you perform the following tasks
after data migration:


Procedure
1. Verify migrated policy data under Inbound Protection and Outbound
Protection.
a. Go to the following locations respectively:
• Virus Scan
• Spam Filtering
• Content Filtering
• Data Loss Prevention (DLP)

Note
After migration, policy rules are categorized into the following four
types: virus scan, spam filtering, content filtering, and DLP.

b. Select Error or Warning from the Migration status drop-down list.


c. Follow the on-screen instructions in the Migration Status column to
fix error settings or confirm warning settings and enable the
corresponding policies.
d. Reorder policy rules.
You can manually reorder the policy rules in each domain after
migration if they do not meet your requirements. For details, see
Reordering Policy Rules on page 166.
2. Verify other migrated data.
a. Go to Inbound Protection > Connection Filtering > IP Reputation >
Settings to verify email reputation settings.
b. Go to the following locations respectively to verify approved and
blocked IP addresses:
• Inbound Protection > Connection Filtering > IP Reputation >
Approved IP Addresses

• Inbound Protection > Connection Filtering > IP Reputation >
Blocked IP Addresses
c. Go to Inbound Protection > Domain-based Authentication >
DomainKeys Identified Mail (DKIM) Verification to verify the
Global DKIM Enforcement rule.
d. Go to Inbound Protection > Domain-based Authentication >
Domain-based Message Authentication, Reporting and
Conformance (DMARC) to verify DMARC settings.
e. Go to Inbound Protection > Spam Filtering > Time-of-Click
Protection to verify time-of-click protection settings.
f. Go to Outbound Protection > DomainKeys Identified Mail (DKIM)
Signing to verify DKIM signature settings.
g. Go to Administration > Policy Objects to verify policy object
settings.

FAQs and Instructions


Table 72. Frequently Asked Questions (FAQs)

Question: What is Trend Micro Email Security?
Answer: Trend Micro Email Security provides always-up-to-the-minute email security with no maintenance required by IT staff to stop spam, viruses and other malware before they reach your network. Trend Micro Email Security is a cloud service that can benefit any size organization. We provide the hardware, software, and messaging expertise to cleanse your email messages of spam, viruses, worms, Trojans, and phishing (identity theft) attacks. The cleaned email messages are sent directly to your MTA for final delivery to your end users. Trend Micro Email Security can also use LDAP directories to help prevent backscatter (or outscatter) spam and Directory Harvest Attacks (DHA).

Question: What are the advantages of Trend Micro Email Security?
Answer: As a cloud service, Trend Micro Email Security can stop attacks before they get a chance to reach your network. In addition to stopping spam, viruses, worms, Trojans, and other malware, Trend Micro Email Security can protect your network from attacks that:
• Attempt to block your Internet connection (Denial of Service)
• Steal your email addresses for spammers (Directory Harvest Attacks)

Question: How can I upgrade?
Answer: Trend Micro Email Security is a cloud service and so there is no need to buy additional hardware or software. The service is managed by security professionals, relieving your IT staff of the burden of installing, maintaining, and fine-tuning a complex email security system.

Question: How can I migrate configurations from the trial Trend Micro Email Security management console to the production management console after purchasing Smart Protection Complete with a full license?
Answer: Attach the Customer Licensing Portal account you created with the Trend Micro Email Security trial license to your Smart Protection Complete full license first.
1. Log on to Customer Licensing Portal (https://clp.trendmicro.com) using your account credentials.
2. Go to My Products/Services and click Provide Key.
3. On the License Key screen, type your registration key, not the activation code, in the Provide your Activation Code or product key text box, and then click Continue.
4. Select the check box and click Continue to finish the process.
After you re-log on to the Trend Micro Email Security production management console, all configurations are migrated and your license is updated.

Question: Will email message delivery be delayed?
Answer: The time required to process each message is measured in milliseconds. Any delay in the delivery of your messages is negligible and will not be noticed by the end user.

Question: How much does the service cost?
Answer: Trend Micro Email Security is priced on a per user basis under an annual contract. The cost per user drops as the number of users increases.
There is no set-up fee or additional support costs from Trend Micro. There may be a small fee (unlikely) associated with changing your MX record. Contact your web-hosting service to review their pricing policies.

Question: Is Trend Micro Email Security confidential? Who reads my mail?
Answer: All messages are processed automatically and transparently. Many messages are rejected before they are even received based on the reputation of the IP that is attempting to send the message. Messages that are received are processed through a multi-layered spam and virus filtering system that does not include any human intervention. Messages are never stored unless your MTA becomes unavailable.

Question: What do I need in order to access the administrator console?
Answer: To use this service you only need to have an existing Internet gateway or workgroup email connection and a web browser for accessing the online reporting and administrator console.
To access the console through Trend Micro Licensing Management Platform, you need the service web address and account information.

Question: How do I get started using Trend Micro Email Security?
Answer: To get started using Trend Micro Email Security, do the following:
1. Submit account activation information
2. Log on to the Trend Micro Email Security administrator console
3. Provision a Trend Micro Business Account
4. Configure the domain you added and add additional domains if needed
5. Import user directories that will be applied by policies
6. Configure policies to design your organizational protection solution
For details, see Getting Started with Trend Micro Email Security on page 26.

Question: How do I redirect my mail exchanger record (MX record)?
Answer: Before redirecting your MX record to the service, make sure you have added and configured your domain in Trend Micro Email Security.
To redirect your MX record:
1. For details about adding an MX record for the Trend Micro Email Security server, see step 1 in Configuring a Domain on page 64.
2. Check the Trend Micro Email Security welcome email message, which contains the specific MX record information.
3. Do one of the following:
• Manual configuration
If you manage your own DNS, you can manually edit your MX record (this applies to self-managed, smaller accounts).
• Through a support technician
If you are unsure how to configure the MX records for your domain, contact your Internet Service Provider's (ISP) help desk or your Domain Name Service (DNS) technician for assistance. If your DNS is managed by a third-party or ISP, either they can do this for you or they may have a simple Web interface allowing you to make the change yourself. It can take up to 48 hours for any changes to propagate throughout the system.
After making the modifications to the MX record, Trend Micro Email Security becomes the point of entry of messages for your domain. After the DNS record modifications take effect (up to 48 hours), all inbound email traffic is routed through Trend Micro Email Security.
Tip
After the modifications take effect, test the message route by sending messages from another email service provider (for example, Yahoo! Mail or Gmail) to a recipient in your domain. If you receive the message from that email service provider, the MX record is configured correctly.

Question: Where can I locate the instruction to redirect the MX record to point to Trend Micro Email Security?
Answer: The MX record determines the message routing for all email messages sent to your domain.
The Trend Micro Email Security welcome email message from Trend Micro specifically provides details about where to redirect your MX record.

Question: How do I accept email messages from the service?
Answer: To ensure that you are able to receive email messages processed by the service:
• Configure your firewall to accept traffic from Trend Micro Email Security IP addresses
• Configure your MTA to accept transactions from these IP addresses

Question: Can I try Trend Micro Email Security on a limited number of email addresses?
Answer: Yes.
Tip
Trend Micro recommends that you use a test domain for trial purposes. Doing so allows you to experience the service and test how it functions for different types of users.

Question: Does Trend Micro Email Security store or archive email messages?
Answer: Trend Micro Email Security does not store or archive email messages by default. All messages are processed and immediately passed through to the customer's MTA. Messages are not spooled or stored in memory unless your MTA becomes unavailable. However, if you create a policy to quarantine messages (spam for example) these email messages will be stored at our data center for up to 30 days.
With Email Continuity enabled by default, Trend Micro Email Security provides a standby email system that gives virtually uninterrupted use of email in the event of a mail server outage. If an outage occurs, Trend Micro Email Security will keep your incoming email messages for 10 days. Once your email server is back online within the 10-day period, these messages will be restored to your email server.

Question: How do I reset or resend an End User Console password?
Answer: If your users lose or cannot remember their passwords, they can go to the logon screen of the Trend Micro Email Security End User Console and click Forgot your password to reset their passwords. It is not necessary for you to reset end users' passwords.

Question: What does the service do when my MTA is unavailable?
Answer: If your MTA becomes unavailable for whatever reason, your message stream is automatically queued for up to ten (10) days or until such time that your server comes back online.
You should not lose any of your valuable email messages due to hardware or software failure, power outages, network failure or simple human error.

Question: Where does outgoing mail go?
Answer: By default, your outbound email messages are handled directly by your own MTA and passed out to other networks as it is currently handled. However, with Trend Micro Email Security (full version) you can choose to redirect your outbound email traffic through Trend Micro Email Security services.
Opting for Outbound Filtering:
When you activate Trend Micro Email Security, you will be informed of what MTA to send your outbound messages to if you choose to utilize outbound filtering.
For complete instructions on enabling outbound filtering, see Configuring a Domain on page 64.

Question: What happens when my license expires?
Answer: Immediately after your license expires, it will go through a grace period, wherein the service continues as expected. After the grace period, however, your inbound messages will be stamped with a notification and you will lose access to the administrator console. Eventually, your data will be permanently deleted. To prevent unnecessary disruptions to your email service, please renew your license before it expires.

Question: How does Trend Micro Email Security implement the Transport Layer Security (TLS) protocol?
Answer: Trend Micro Email Security is configured in Opportunistic Transport Layer Security (TLS) mode. In this mode, the MTA servers will initially check if the sending or receiving MTA can perform SMTP transaction in TLS mode. If so, the entire session and process will be done in TLS mode.
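
The opportunistic TLS check described in the last answer above depends on whether the peer MTA advertises the STARTTLS extension in its EHLO reply; when it does not, an opportunistic sender delivers the session without TLS. The following Python script is an added example, not part of this guide or of the service. The EHLO replies and host names are constructed, and the function names are hypothetical.

```python
"""Decide how an opportunistic-TLS sender would treat an MTA, from its EHLO reply."""

# Constructed EHLO replies in RFC 5321 multiline format; host names are placeholders.
EHLO_WITH_TLS = (
    "250-mail.example.org Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-legacy.example.org Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply):
    """Return (reply_code, {KEYWORD: parameters}) for a complete EHLO reply."""
    lines = [line for line in reply.splitlines() if line]
    if not lines:
        raise ValueError("empty reply")
    codes = set()
    extensions = {}
    for index, line in enumerate(lines):
        code, separator, text = line[:3], line[3:4], line[4:]
        if len(code) != 3 or not code.isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        is_last = index == len(lines) - 1
        # Every line except the last uses '-' after the code; the last uses a space.
        valid = separator in (" ", "") if is_last else separator == "-"
        if not valid:
            raise ValueError(f"unexpected continuation marker: {line!r}")
        codes.add(int(code))
        # The first line is the greeting; the remaining lines name extensions.
        if index > 0 and text.strip():
            keyword, _, params = text.strip().partition(" ")
            extensions[keyword.upper()] = params
    if len(codes) != 1:
        raise ValueError("reply mixes different status codes")
    return codes.pop(), extensions


def negotiate(reply):
    """Return 'tls', 'plaintext', or 'ehlo_rejected' for an opportunistic sender."""
    code, extensions = parse_ehlo(reply)
    if code != 250:
        return "ehlo_rejected"
    return "tls" if "STARTTLS" in extensions else "plaintext"


if __name__ == "__main__":
    for name, reply in (("with STARTTLS", EHLO_WITH_TLS),
                        ("without STARTTLS", EHLO_WITHOUT_TLS)):
        print(f"{name}: {negotiate(reply)}")
```

If your own MTA falls in the plaintext case, enable STARTTLS on it so that sessions with the service are encrypted.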


About MX Records and Trend Micro Email Security

Important
Make sure the MX record is entered exactly as provided in the Trend Micro
Email Security welcome email message.

An MX record (DNS mail exchanger host record) determines the message
routing for all messages sent to a domain. To route messages destined for
your domain through the Trend Micro Email Security MTA, you must point
your MX record to the fully qualified domain name (FQDN) provided in the
welcome email message that Trend Micro sent you after you registered.

To disable Trend Micro Email Security, point your MX record to route all
inbound SMTP traffic to your own mail server.

If you are unsure how to configure the MX records for your domain, contact
your Internet Service Provider or your DNS technician.
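
An added example, not part of the Trend Micro guide: a Python check that compares a domain's published MX answers with the FQDN from the welcome email and flags any other MX host, since mail delivered to such a host is not routed through the Trend Micro Email Security MTA. The FQDN, domain names and DNS answers below are constructed placeholders.

```python
"""Audit MX answers against the FQDN supplied in the welcome email (added example)."""

# Placeholder: the real FQDN comes only from the Trend Micro welcome email message.
EXPECTED_MX = "inbound.filter.example.net"

# Constructed sample in the layout printed by `dig +noall +answer example.com MX`.
SAMPLE_ANSWERS = """\
example.com.   3600  IN  MX  10  Inbound.Filter.Example.NET.
example.com.   3600  IN  MX  20  mail.example.com.
example.com.   3600  IN  TXT "v=spf1 -all"
"""


def normalize(host):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return host.strip().rstrip(".").lower()


def parse_mx(answer_text):
    """Return sorted (preference, host) pairs for every MX line in the text."""
    records = []
    for line in answer_text.splitlines():
        fields = line.split()
        types = [f.upper() for f in fields]
        if "MX" not in types:
            continue
        i = types.index("MX")
        if len(fields) > i + 2 and fields[i + 1].isdigit():
            records.append((int(fields[i + 1]), normalize(fields[i + 2])))
    return sorted(records)


def audit_mx(answer_text, expected):
    """Return a list of findings; an empty list means the MX set is as provided."""
    expected = normalize(expected)
    records = parse_mx(answer_text)
    if not records:
        return ["no MX records found"]
    findings = []
    if expected not in [host for _, host in records]:
        findings.append(f"expected MX host {expected} is not published")
    for preference, host in records:
        if host != expected:
            findings.append(f"MX {preference} {host} routes mail around the service")
    return findings


if __name__ == "__main__":
    for finding in audit_mx(SAMPLE_ANSWERS, EXPECTED_MX) or ["MX records match"]:
        print(finding)
```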

The following external links to MX record configuration help pages are
provided for your convenience:

• GoDaddy

http://support.godaddy.com/help/article/680/managing-dns-for-your-domain-names

• Network Solutions

http://www.networksolutions.com/support/mx-records-mail-servers-2/

• Enom

http://www.enom.com/help/hostinghelp.asp?displaymenu=ok&hosthelp=9

• DreamHost

http://wiki.dreamhost.com/MX_record

• Yahoo! SmallBusiness

https://help.smallbusiness.yahoo.net/s/article/SLN17921#add

Feature Limits and Capability Restrictions


The following table outlines the limits on both inbound and outbound
messages.
Table 73. Message Limits

Per Message                         Limit
Size                                Trend Micro Email Security Standard license: 50 MB
                                    Trend Micro Email Security Advanced license: 150 MB
Number of recipients per message    500 recipients

The following table details the limits on End User Console settings.
Table 74. End User Console Limits

Per Seat                                     Limit
Approved sender list entries                 500 entries
Blocked sender list entries                  500 entries
Retention period for quarantined messages    30 days

The following table shows message retention information.
Table 75. Retention Schedule

Item                                              Retention Period
Quarantined email messages (all regions)          30 days
Message tracking information                      90 days
Message queue when customer MTA is unavailable    Up to 10 days


Viewing Your Service Level Agreement


Trend Micro provides a Service Level Agreement (SLA) for Trend Micro
Email Security that is intended to help your organization receive secure,
uninterrupted email service.

The Service Level Agreement covers availability, latency, spam blocking,
false positives, antivirus, and support. Specific service-level guarantees are
included in the most current version of the Trend Micro Email Security
Service Level Agreement, which you can view or download from this screen.

Important
Provisions of the Service Level Agreement may vary among regions, so be sure
to select your region and language when using this screen. Trend Micro
reserves the right to modify the service at any time without prior notice. The
current version of the Trend Micro Email Security service level agreement is
available for review by paid customers and by customers conducting a trial.

To view the Service Level Agreement for your region:

Procedure

1. Go to Help > Service Level Agreement.

The Service Level Agreement screen appears.

2. From the drop-down list, select your language/region.

Tip
Disable any pop-up blockers for your browser in order to download the
Service Level Agreement.

Trend Micro Email Security displays an Adobe Reader (PDF) document
of the Service Level Agreement for the language and region that you
selected.


Technical Support
Learn about the following topics:
• Contacting Support on page 401
• Sending Suspicious Content to Trend Micro on page 403
• Troubleshooting Resources on page 404

Contacting Support
Depending on how you subscribed to your Trend Micro SaaS offering, the
method of obtaining additional assistance differs. Refer to the following table
to better understand how to contact your support representative.

Purchase Channel               Contact Method

Trend Micro direct purchase    Use the online Support Portal to file a case with Trend Micro support representatives. For more information, see Using the Support Portal on page 401.

Service Provider offering      Contact your service provider directly if you have questions about the service or are experiencing problems. Service Providers have more information about your specific environment and may be able to address your concerns quickly. Most product consoles include a support link that should provide the necessary contact information.

Using the Support Portal


The Trend Micro Support Portal is a 24x7 online resource that contains the
most up-to-date information about both common and unusual problems.

Procedure
1. Go to https://success.trendmicro.com/business-support.
2. Use the Search Support text box to search for available solutions or
keywords.


3. Click the All Products drop-down and select your product.

4. If no solution is found, click Contact Support and select the type of
support needed.

Tip
To submit a support case online, visit the following URL:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24
hours or less.

Speeding Up the Support Call


To improve problem resolution, have the following information available:

• Steps to reproduce the problem

• Appliance or network information

• Computer brand, model, and any additional connected hardware or
devices

• Amount of memory and free hard disk space

• Operating system and service pack version

• Version of the installed agent

• Serial number or Activation Code

• Detailed description of install environment

• Exact text of any error message received


Sending Suspicious Content to Trend Micro


Several options are available for sending suspicious content to Trend Micro
for further analysis.

Email Reputation Services


Query the reputation of a specific IP address and nominate a message
transfer agent for inclusion in the global approved list:

https://www.ers.trendmicro.com/

Refer to the following Knowledge Base entry to send message samples to
Trend Micro:

https://success.trendmicro.com/solution/1112106

File Reputation Services


Gather system information and submit suspicious file content to Trend
Micro:

https://success.trendmicro.com/solution/1059565

Record the case number for tracking purposes.

Web Reputation Services


Query the safety rating and content type of a URL suspected of being a
phishing site, or other so-called "disease vector" (the intentional source of
Internet threats such as spyware and malware):

https://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend
Micro.


Troubleshooting Resources
Before contacting technical support, consider visiting the following Trend
Micro online resources.

Threat Encyclopedia
Most malware today consists of blended threats, which combine two or more
technologies to bypass computer security protocols. Trend Micro combats
this complex malware with products that create a custom defense strategy.
The Threat Encyclopedia provides a comprehensive list of names and
symptoms for various blended threats, including known malware, spam,
malicious URLs, and known vulnerabilities.

Go to https://www.trendmicro.com/vinfo/us/threat-encyclopedia/#malware
to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports

Download Center
From time to time, Trend Micro may release a patch for a reported known
issue or an upgrade that applies to a specific product or service. To find out
whether any patches are available, go to:

https://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to
determine whether it is relevant to your environment. The Readme file also
contains installation instructions.


Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
document, please go to the following site:
https://docs.trendmicro.com/en-us/survey.aspx

Index

A
Advanced Threat Scan Engine, 177
    about, 177
ATSE, 177
    about, 177

C
condition statements, 156
criteria
    customized expressions, 145, 146
    keywords, 149, 150
customized expressions, 144–147
    criteria, 145, 146
    importing, 147
customized keywords, 149
    criteria, 149, 150
    importing, 151
customized templates, 156
    creating, 157
    importing, 158

D
data identifiers, 143
    expressions, 143
    file attributes, 143
    keywords, 143
Data Loss Prevention, 143
    data identifiers, 143
    expressions, 143–147
    file attributes, 152–154
    keywords, 148–151
    templates, 155–158
documentation feedback, 405

E
expressions, 143
    customized, 144, 147
        criteria, 145, 146
    predefined, 144

F
file attributes, 143, 152–154
    creating, 153
    importing, 154
    predefined, 153
    wildcards, 153

K
keywords, 143, 148
    customized, 149–151
    predefined, 148

L
logical operators, 156

P
PCRE, 144
Perl Compatible Regular Expressions, 144
predefined expressions, 144

S
support
    resolve issues faster, 402

T
templates, 155–158
    condition statements, 156
    customized, 156–158
    logical operators, 156

W
wildcards, 153
    file attributes, 153
