Allowlisting in Trend Micro

Introduction

The allowlist policies that need to be created in Trend Micro depend on the User Protection solution you have purchased:

Cloud App Security

Trend Micro Cloud App Security provides Content Scanning to detect certain types of attacks distributed through email messages. To allow our emails to be delivered, you will need to create or modify the Default Exchange Policy ATP. Inside the policy, we will add our email stack information to the approved sender list for the two settings below:

Advanced Spam Protection

  1. Select Advanced Spam Protection on the left-hand side of the screen
  2. Check the box to Enable Advanced Spam Protection.
  3. Configure Rules settings:
    • Apply To: Incoming Messages
    • Detection Level: Medium
  4. Click on Approved Header Field
  5. Check the box to Enable the approved header field
  6. Enter the following information:
    • Name: X-PHISH
    • Operator: Contains
    • Value: security awareness phishing simulation test from Infosec Institute
  7. After adding the domains, click Save

Web Reputation Services

  1. Select Web Reputation on the left-hand side
  2. Check the box to Enable Web Reputation
  3. Select Rules
  4. In the Apply To: drop-down menu, select All Messages
  5. Select Medium in the Security Level Section
  6. Click on Approved Header Field
  7. Check the box to Enable the approved header field
  8. Enter the following information:
    • Name: X-PHISH
    • Operator: Contains
    • Value: security awareness phishing simulation test from Infosec Institute
  9. After adding the domains, click Save
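
Before relying on the approved header field, it helps to confirm that a delivered test message really carries the header the two rules above look for. The following is an added example, not code from Infosec or Trend Micro; the function names and sample messages are constructed, and "Contains" is assumed to behave as a substring match on the header value.

```python
from email import message_from_string
from email.policy import default

# Values taken from the "Approved Header Field" steps above.
HEADER_NAME = "X-PHISH"
HEADER_VALUE = "security awareness phishing simulation test from Infosec Institute"


def matches_approved_header(raw_message, name=HEADER_NAME, needle=HEADER_VALUE):
    """Return True if any `name` header contains `needle`.

    Assumption: "Contains" is modelled as a case-sensitive substring match on
    the unfolded header value; the page does not state Trend Micro's exact rules.
    """
    msg = message_from_string(raw_message, policy=default)
    for value in msg.get_all(name, []):          # header names are case-insensitive
        unfolded = " ".join(str(value).split())  # collapse folding whitespace
        if needle in unfolded:
            return True
    return False


# Constructed sample messages (not real traffic); addresses use example.com.
_BASE = "From: sender@example.com\nTo: learner@example.com\nSubject: test\n"
SAMPLES = {
    "plain": _BASE + "X-PHISH: " + HEADER_VALUE + "\n\nbody\n",
    # Long headers are often folded across lines in transit.
    "folded": _BASE + "x-phish: security awareness phishing\n"
              " simulation test from Infosec Institute\n\nbody\n",
    "wrong_value": _BASE + "X-PHISH: phishing simulation test\n\nbody\n",
    # The phrase in the body must not count; only the header is checked.
    "body_only": _BASE + "\n" + HEADER_VALUE + "\n",
}


def audit(samples=SAMPLES):
    """Map each sample label to whether the approved-header rule would match."""
    return {label: matches_approved_header(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, ok in audit().items():
        print(f"{label:12} {'match' if ok else 'NO MATCH'}")
```

To check a real message, save it as an .eml file from the mailbox and pass its text to `matches_approved_header`.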


Trend Micro Email Security

Trend Micro Email Security will not perform the following checks on email messages from senders added to the Approved Senders list:
  • IP reputation-based filtering
  • Unknown sender domain check
  • Spam
  • BEC
  • Phishing
  • Social engineering attack
  • Web reputation
  • Graymail

To configure the Approved Senders list:

  1. Log in to the Trend Micro console
  2. Navigate to the Inbound Protection menu and select Connection Filtering
  3. From there, select Sender Filter and then Approved Senders
  4. Specify the senders to allow by using our phishy domains. The following syntax must be used when adding our phishy domains: *@example.com

Note: Trend Micro Email Security still performs virus scanning and content filtering on all messages received and takes the action configured in policy rules upon detecting any virus or content filtering violation. Because of this, Attachment Attacks cannot be used.

Direct SMTP Sending

Depending on how you have your Trend Micro Email Security configured, you may need to set up Direct SMTP sending in your Infosec IQ account. Setting this up allows you to completely bypass Trend Micro and have all email traffic from Infosec IQ flow from your firewall to your email environment over Port 25. To learn more, visit the Sending Configurations section in our Knowledge Base or contact our support team: customer-support@infosecinstitute.com


ScanMail for Microsoft Exchange

If you have ScanMail for Microsoft Exchange configured for your mail environment, you will need to add our Phishy Domains to the Web Reputation approved URL list. The Web Reputation policy specifically scans all incoming emails and checks the URLs. When these URL checks happen, the learner will get marked as being Phished in Infosec IQ. To add our URLs:

  1. Log in to ScanMail
  2. Select Web Reputation on the left-hand side
  3. Check the box to Enable approved URL list
  4. Add our Phishy Domains
    • Individually: Enter the URL in the approved URL box and click add
    • Bulk Add: Click Import and select the CSV file of our Phishy Domains
