Email Security Administrators Guide

Trend Micro Incorporated reserves the right to make changes to this
document and to the service described herein without notice. Before
installing and using the service, review the readme files, release notes,
and/or the latest version of the applicable documentation, which are
available from the Trend Micro website at:
https://docs.trendmicro.com/en-us/enterprise/email-security.aspx
Trend Micro, the Trend Micro t-ball logo, Remote Manager, Apex Central,
Cloud App Security, and Hosted Email Security are trademarks or registered
trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Copyright © 2021. Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM09182/210104
Release Date: Jan 28, 2021
Protected by U.S. Patent No.: Patents pending.
This documentation introduces the main features of the service and/or
provides installation instructions for a production environment. Read
through the documentation before installing or using the service.
Detailed information about how to use specific features within the service
may be available at the Trend Micro Online Help Center and/or the Trend
Micro Knowledge Base.
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
document, please contact us at [email protected].
Evaluate this documentation on the following site:
https://www.trendmicro.com/download/documentation/rating.asp
Privacy and Personal Data Collection Disclosure
Certain features available in Trend Micro products collect and send feedback
regarding product usage and detection information to Trend Micro. Some of
this data is considered personal in certain jurisdictions and under certain
regulations. If you do not want Trend Micro to collect personal data, you
must ensure that you disable the related features.
The following link outlines the types of data that Trend Micro Email Security
collects and provides detailed instructions on how to disable the specific
features that feedback the information.
https://success.trendmicro.com/data-collection-disclosure
Data collected by Trend Micro is subject to the conditions stated in the Trend
Micro Privacy Notice:
https://www.trendmicro.com/privacy
Table of Contents
About Trend Micro Email Security .......................................... 1
What's New ..................................................................... 1
Service Requirements .................................................... 14
Features and Benefits ..................................................... 14
Available License Versions ............................................. 18
Inbound Message Protection .......................................... 20
Inbound Message Flow ............................................ 21
Outbound Message Protection ........................................ 22
Integration with Trend Micro Products ........................... 23
Apex Central ........................................................... 23
Trend Micro Remote Manager .................................. 25
Getting Started with Trend Micro Email Security ................... 26
Accessing the Trend Micro Email Security Administrator
Console ......................................................................... 26
Provisioning a Trend Micro Business Account ................. 29
Setting Up Trend Micro Email Security ...................... 31
Working with the Dashboard ................................................ 32
Threats Tab ................................................................... 35
Ransomware Details Chart ....................................... 36
Threats Chart .......................................................... 36
Threats Details Chart ............................................... 39
Virtual Analyzer File Analysis Details Chart ............... 41
Virtual Analyzer URL Analysis Details Chart .............. 42
Virtual Analyzer Quota Usage Details ........................ 44
Domain-based Authentication Details Chart .............. 45
Blocked Message Details .......................................... 46
Top Statistics Tab ........................................................... 49
Top BEC Attacks Detected by Antispam Engine Chart
............................................................................... 49
Top BEC Attacks Detected by Writing Style Analysis
Chart ...................................................................... 49
Top Targeted High Profile Users ................................ 50
Top Analyzed Advanced Threats (Files) Chart ............ 51
Top Analyzed Advanced Threats (URLs) Chart ........... 51
Top Malware Detected by Predictive Machine Learning
Chart ...................................................................... 52
Top Malware Detected by Pattern-based Scanning Chart
............................................................................... 52
Top Spam Chart ....................................................... 53
Top Data Loss Prevention (DLP) Incidents Chart ........ 53
Other Statistics Tab ........................................................ 54
Volume Chart .......................................................... 54
Bandwidth Chart ..................................................... 55
Time-of-Click Protection Chart ................................. 56
Managing Domains .............................................................. 57
Adding a Domain ........................................................... 59
Configuring a Domain .................................................... 61
Adding SPF Records ................................................. 67
Adding Office 365 Inbound Connectors ..................... 68
Adding Office 365 Outbound Connectors ................... 70
Editing or Deleting Domains .......................................... 73
Inbound and Outbound Protection ....................................... 74
Managing Recipient Filter .............................................. 74
Managing Sender Filter .................................................. 75
Sender Filter Settings ............................................... 75
Configuring Approved and Blocked Sender Lists ........ 76
Transport Layer Security (TLS) Peers .............................. 82
Adding TLS Peers ..................................................... 83
Editing TLS Peers ..................................................... 86
Understanding IP Reputation ......................................... 86
About Quick IP List .................................................. 87
About Standard IP Reputation Settings ...................... 89
About Approved and Blocked IP Addresses ................ 90
IP Reputation Order of Evaluation ............................ 91
Troubleshooting Issues ............................................ 92
Domain-based Authentication ........................................ 93
Sender IP Match ...................................................... 94
Sender Policy Framework (SPF) ................................ 96
DomainKeys Identified Mail (DKIM) ........................ 101
Domain-based Message Authentication, Reporting &
Conformance (DMARC) .......................................... 109
How DMARC Works with SPF and DKIM .................. 114
File Password Analysis ................................................. 115
Configuring File Password Analysis ......................... 116
Adding User-Defined Passwords .............................. 116
Importing User-Defined Passwords ......................... 117
Configuring Scan Exceptions ........................................ 118
Scan Exception List ................................................ 118
Configuring "Scan Exceptions" Actions .................... 119
Business Email Compromise (BEC) ............................... 121
Configuring High Profile Users ............................... 122
Configuring Time-of-Click Protection Settings ............... 125
Data Loss Prevention .................................................... 126
Data Identifier Types .............................................. 126
DLP Compliance Templates .................................... 139
Configuring Policies ........................................................... 142
Managing Policy Rules ................................................. 143
Reordering Policy Rules ............................................... 145
Naming and Enabling a Rule ......................................... 146
Specifying Recipients and Senders ................................ 147
Inbound Policy Rules ............................................. 147
Outbound Policy Rules ........................................... 149
About Rule Scanning Criteria ........................................ 151
Configuring Virus Scan Criteria .............................. 153
Configuring Spam Filtering Criteria ........................ 156
Configuring Data Loss Prevention Criteria ............... 165
Configuring Content Filtering Criteria ..................... 166
About Rule Actions ....................................................... 181
Specifying Rule Actions .......................................... 182
Intercept Actions ................................................... 183
Modify Actions ...................................................... 187
Monitor Actions ..................................................... 194
Encrypting Outbound Messages .............................. 195
About the Send Notification Action ......................... 198
Understanding Quarantine ................................................. 199
Querying the Quarantine .............................................. 200
Configuring End User Console Settings .......................... 202
Quarantine Digest Settings ........................................... 203
Adding or Editing a Digest Rule ............................... 204
Adding or Editing a Digest Template ........................ 206
Logs in Trend Micro Email Security .................................... 209
Understanding Mail Tracking ....................................... 210
Social Engineering Attack Log Details ..................... 215
Business Email Compromise Log Details ................. 219
Understanding Policy Events ........................................ 219
Predictive Machine Learning Log Details ................. 227
Understanding URL Click Tracking ............................... 228
Understanding Audit Log .............................................. 230
Configuring Syslog Settings .......................................... 231
Syslog Forwarding .................................................. 233
Syslog Server Profiles ............................................. 234
Content Mapping Between Log Output and CEF Syslog
Type ...................................................................... 236
Reports ............................................................................. 243
My Reports .................................................................. 243
Scheduled Reports ....................................................... 244
Configuring Administration Settings ................................... 245
Policy Objects .............................................................. 245
Managing Address Groups ...................................... 246
Keyword Expressions ............................................. 248
Managing Notifications .......................................... 251
Managing Stamps ................................................... 252
Managing the URL Keyword Exception List .............. 253
Managing the Web Reputation Approved List ........... 253
Email Continuity .......................................................... 255
Adding an Email Continuity Record ........................ 256
Editing an Email Continuity Record ........................ 257
Administrator Management .......................................... 257
Account Management ............................................ 257
Logon Methods ...................................................... 260
End User Management ................................................. 275
Changing End User Passwords ................................ 275
Managed Accounts ................................................. 276
Logon Methods ...................................................... 278
Directory Management ................................................. 294
Synchronizing User Directories ............................... 295
Importing User Directories ..................................... 296
Exporting User Directories ..................................... 299
Installing the Directory Synchronization Tool .......... 300
Co-Branding ................................................................ 301
Service Integration ....................................................... 303
API Access ............................................................. 303
Apex Central .......................................................... 304
Remote Manager .................................................... 306
License Information .................................................... 307
Activating Sandbox as a Service .............................. 308
Migrating Data from Hosted Email Security ................... 309
Data That Will Be Migrated ..................................... 311
Data That Will Not Be Migrated ............................... 313
Setting Up Trend Micro Email Security After Data
Migration .............................................................. 314
Migrating Data from IMSS or IMSVA ............................. 315
Data That Will Be Migrated ..................................... 315
Data That Will Not Be Migrated ............................... 323
Prerequisites for Data Migration ............................. 327
Migrating Data to Trend Micro Email Security ......... 329
Verifying Data After Migration ................................ 331
FAQs and Instructions ........................................................ 333
About MX Records and Trend Micro Email Security ....... 339
Feature Limits and Capability Restrictions ..................... 340
Viewing Your Service Level Agreement ......................... 341
Technical Support .............................................................. 342
Contacting Support ...................................................... 342
Using the Support Portal ......................................... 343
Speeding Up the Support Call ................................. 343
Sending Suspicious Content to Trend Micro ................... 344
Email Reputation Services ...................................... 344
File Reputation Services ......................................... 344
Web Reputation Services ........................................ 344
Troubleshooting Resources ........................................... 345
Threat Encyclopedia .............................................. 345
Download Center ................................................... 345
Documentation Feedback ....................................... 346

Index
Index ............................................................................... IN-1

About Trend Micro Email Security
Trend Micro Email Security is an enterprise-class solution that delivers
continuously updated protection to stop phishing, ransomware, Business
Email Compromise (BEC) scams, spam and other advanced email threats
before they reach your network. It provides advanced protection for
Microsoft™ Exchange Server, Microsoft Office 365, Google™ Gmail, and other
cloud or on-premises email solutions.
Using Trend Micro Email Security, mail administrators set up policies to
handle email messages based on the threats detected. For example,
administrators can remove detected malware from incoming messages
before they reach the corporate network or quarantine detected spam and
other inappropriate messages.
Furthermore, Trend Micro Email Security delivers Email Continuity against
planned or unplanned downtime events, which allows end users to continue
sending and receiving email messages in the event of an outage.

What's New
The following new features are available in Trend Micro Email Security.


Table 1. New Features in This Release (Available on January 28, 2021)

Feature: Quarantine Digest Template Enhancement
Description: Trend Micro Email Security enhances its quarantine digest template by allowing you to:
• Use two more actions: "Approve Sender Domain" and "Block Sender Domain".
• Customize inline actions that are available in digest notifications.
• Send a test digest mail based on the configured digest template.
For details, see Adding or Editing a Digest Template on page 206.

Feature: Log Search Enhancement
Description: Trend Micro Email Security enhances its log search feature by allowing you to search policy event logs by message header address and threat name, and search mail tracking logs by message header address.
For details, see Understanding Mail Tracking on page 210 and Understanding Policy Events on page 219.

Table 2. New Features Available on December 18, 2020

Feature: IP Reputation Enhancement
Description: Trend Micro Email Security enhances its IP Reputation feature by allowing you to search, import, and export approved and blocked IP addresses.
For details, see Understanding IP Reputation on page 86.

Feature: REST API Support Enhancement
Description: Trend Micro Email Security enhances its REST API Support feature by opening two more APIs, allowing you to retrieve policy event logs and mail tracking logs from Trend Micro Email Security. These logs can be aggregated with other security data by security information and event management (SIEM) applications to detect abnormal behaviors or potential threats.
Refer to the Trend Micro Email Security REST API Online Help at http://docs.trendmicro.com/en-us/enterprise/trend-micro-email-security.aspx for details.

Table 3. New Features Available on November 26, 2020

Feature: Address Group Support
Description: Trend Micro Email Security supports local address groups, which can be used in policy routing. If some email addresses are used in multiple policies, maintaining an address group that contains the email addresses facilitates policy management.
For details, see Managing Address Groups on page 246.

Feature: Message Size Limit Raised to 150 MB
Description: Trend Micro Email Security has increased the maximum message size limit to 150 MB for both inbound and outbound email messages. For customers with the Trend Micro Email Security Standard license, the message size limit remains 50 MB.

Table 4. New Features Available on October 29, 2020

Feature: Quarantine Digest Enhancement
Description: Trend Micro Email Security enhances its Quarantine Digest feature by allowing you to:
• Customize digest rules for different recipients
• Apply digest rules to LDAP groups besides domains
• Perform one more inline action “Block Sender” from digest notifications
For details, see Quarantine Digest Settings on page 203.

Feature: Domain-based Authentication Enhancements
Description: Trend Micro Email Security provides the following enhancements to Domain-based Authentication features under Inbound Protection:
• Adding the Search, Import and Export functions to SPF, DKIM verification, and DMARC settings
• Refining both the user interface design and text for all Domain-based Authentication features
For details, see Domain-based Authentication on page 93.

Table 5. New Features Available on October 15, 2020

Feature: Virtual Analyzer Submission Quota Increase
Description: Trend Micro Email Security has increased the submission quota limiting the number of files and URLs that can be sent to Virtual Analyzer within 24 hours.
For details, see Configuring Virus Scan Criteria on page 153 and Configuring Web Reputation Criteria on page 160.

Table 6. New Features Available on September 21, 2020

Feature: DKIM and DMARC Enhancement
Description: Trend Micro Email Security is enhanced to enable DKIM verification or DMARC authentication for all sender domains, and exclude some of them by configuring ignored peers. Besides, Trend Micro Email Security supports DKIM signing for outbound messages that have no envelope sender addresses.
For details, see DomainKeys Identified Mail (DKIM) on page 101 and Domain-based Message Authentication, Reporting & Conformance (DMARC) on page 109.

Feature: Mail Traffic Support for TLS 1.3
Description: Trend Micro Email Security supports transmitting mail traffic with TLS 1.3.

Table 7. New Features Available on August 31, 2020

Feature: SSO Enhancement
Description: Trend Micro Email Security supports single sign-on (SSO) from multiple identity provider servers.
• Different administrator subaccounts can log on to the administrator console from different identity provider servers through SSO.
• Different end users can log on to the End User Console from different identity provider servers through SSO.
For details, see Logon Methods on page 260 for administrator subaccounts and Logon Methods on page 278 for end user accounts.

Feature: Quarantined Message Query by Quarantine Reason or Rule Name
Description: Trend Micro Email Security allows you to query quarantined messages by quarantine reason or matched policy rule name.

Feature: Widget Available to Show Blocked Message Statistics
Description: Trend Micro Email Security allows you to view blocked message statistics on the dashboard.

Feature: Violating URL Extraction from QR Code
Description: Trend Micro Email Security supports extracting violating URLs from QR code.

Table 8. New Features Available on June 30, 2020

Feature: IMSS or IMSVA Data Migration
Description: A migration tool is provided for existing customers of InterScan Messaging Security Suite (IMSS) or InterScan Messaging Security Virtual Appliance (IMSVA) to smoothly migrate to Trend Micro Email Security, giving them the opportunity to benefit from more advanced and enhanced functionality.
For details, see Migrating Data from IMSS or IMSVA on page 315.

Feature: Scan Exception Enhancement
Description: Trend Micro Email Security provides a new type of scan exception to deal with the situation where the number of submissions to Virtual Analyzer exceeds the allocated quota.
For details, see Scan Exception List on page 118 and Virtual Analyzer Quota Usage Details on page 44.

Feature: Approved Sender X-Header
Description: Trend Micro Email Security allows you to choose whether to insert an X-Header in the message header for email messages matching approved senders. With this feature enabled, you can take extra actions based on the message header on your own MTA or mail server.
For details, see Managing Sender Filter on page 75 and Sender Filter Settings on page 75.

Table 9. New Features Available on June 4, 2020

Feature: Spam Detection Enhancement
Description: Trend Micro Email Security enhances the phishing and bulk email message detection using the Trend Micro Email Behavior Analysis (EBA) module.
For details, see Configuring Graymail Criteria on page 159.

Feature: Approved Sender Details Available in Logs
Description: For email messages matching approved senders, Trend Micro Email Security shows the match details in mail tracking logs.

Table 10. New Features Available on May 13, 2020

Feature: More Types of Logs That Can Be Exported as CSV
Description: Trend Micro Email Security can export mail tracking logs, policy event logs, and URL click tracking logs to CSV files from the log result page.
For details, see Logs in Trend Micro Email Security on page 209.

Feature: TLS Mutual Authentication for Syslog
Description: To securely forward logs to syslog servers, Trend Micro Email Security allows you to choose whether to authenticate peer certificates, and supports client certificate authentication if required by syslog servers.
For details, see Syslog Server Profiles on page 234.

Table 11. New Features Available on Apr 7, 2020

Feature: Directory Synchronization Enhancement
Description: Trend Micro Email Security enhances its directory synchronization tool by allowing an administrator to customize search filters and specify a primary email alias in advanced settings.
For details, refer to the Directory Synchronization Tool User's Guide at http://docs.trendmicro.com/en-us/enterprise/trend-micro-email-security.aspx.

Feature: Policy Event Log Enhancements
Description: Trend Micro Email Security provides the following enhancements to its policy event logs:
• Extending the sliding window for log search from 30 days to 60 days
• Extending the log retention period from 30 days to 90 days
For details, see Understanding Policy Events on page 219.

Table 12. New Features Available on March 24, 2020

Feature: DMARC and DKIM Enhancement
Description: Trend Micro Email Security now supports organizational domains in DKIM verification, DMARC record query, as well as identifier alignment of DMARC in relaxed mode.
For details, see DomainKeys Identified Mail (DKIM) on page 101 and Domain-based Message Authentication, Reporting & Conformance (DMARC) on page 109.

Table 13. New Features Available on March 9, 2020

Feature: Data Loss Prevention Support in Inbound Protection
Description: Trend Micro Email Security adds support for Data Loss Prevention (DLP) in inbound protection, allowing you to create DLP policies to better manage your incoming email messages that may contain sensitive data.
For details, see Data Loss Prevention on page 126.

Table 14. New Features Available in February 2020

Feature: Syslog Enhancement
Description: Trend Micro Email Security allows you to choose whether to forward specific detection logs about spam violations to syslog servers.
For details, see Syslog Forwarding on page 233.

Feature: Policy Event Log Enhancements
Description: Policy event logs have been enhanced to include spam as a new threat type, show reorganized threat details, and provide more flexible search criteria to help you learn details about threat detections in email messages received or sent by Trend Micro Email Security.
For details, see Understanding Policy Events on page 219.

Table 15. New Features Available in January 2020

Feature: Syslog Enhancement
Description: In addition to detection logs and audit logs, Trend Micro Email Security can now forward mail tracking logs (accepted traffic only) to syslog servers.
For details, see Configuring Syslog Settings on page 231.

Feature: Language Support for Italian
Description: In addition to English, Japanese, German, French, Spanish and Brazilian Portuguese, Trend Micro Email Security End User Console adds language support for Italian.

Table 16. New Features Available in December 2019

Feature: Inbound and Outbound Policy Enhancement
Description: Trend Micro Email Security enhances the design of sender and recipient exceptions in inbound and outbound policies. The new design enables you to combine sender addresses with recipient addresses as an exception, which complements the original way of setting a separate sender or recipient exception. In addition, inbound and outbound policies can be queried by a combination of sender and recipient addresses.
For details, see Specifying Recipients and Senders on page 147 and Managing Policy Rules on page 143.

Feature: “Quarantine” Action Added in Outbound Content Filtering Policies
Description: Trend Micro Email Security adds the “Quarantine” action to the “Intercept” actions in outbound content filtering policies. All quarantine management features on the administrator console are applicable to the email messages that are quarantined after triggering content filtering rules.

Table 17. New Features Available in November 2019

Feature: File Password Analysis
Description: Based on the user-defined passwords you submitted, Trend Micro Email Security can extract password-protected archive files and open password-protected document files in email messages to investigate any malicious or suspicious content in those messages.
For details, see File Password Analysis on page 115.

Feature: Trend Micro Remote Manager Integration
Description: Trend Micro Remote Manager is integrated to allow resellers to monitor and manage Trend Micro Email Security from the Trend Micro Remote Manager web console.
For details, see Trend Micro Remote Manager on page 25.

Feature: "Deliver Now" Rule Action Enhancement
Description: Trend Micro Email Security provides one more option for the "Deliver now" rule action. In addition to the default mail server, you are now allowed to configure a specific mail server for message delivery.
For details, see Using the Deliver Now Action on page 184.

Table 18. New Features Available on October 31, 2019

Feature: Migration from Trend Micro Hosted Email Security
Description: A migration wizard is provided for existing customers of Trend Micro Hosted Email Security to smoothly migrate to Trend Micro Email Security, giving them the opportunity to benefit from more advanced and enhanced functionality.
For details, see Migrating Data from Hosted Email Security on page 309.

Feature: Trend Micro Email Security Standard Available
Description: Trend Micro Email Security Standard is available from this release, which includes a subset of features in Trend Micro Email Security to deliver essential email protection for cloud or on-premises email solutions.
For details, see Available License Versions on page 18.

Table 19. New Features Available on October 10, 2019

Feature: Single Sign-On Enhancement
Description: Trend Micro Email Security extends its support for Security Assertion Markup Language (SAML) single sign-on (SSO). Both administrator subaccounts and end user accounts are allowed to use their identity provider credentials for single sign-on to the Trend Micro Email Security web consoles.
For details, see Logon Methods on page 260 for administrator subaccounts and Logon Methods on page 278 for end user accounts.

Feature: Two-Factor Authentication Support
Description: Trend Micro Email Security provides two-factor authentication support to add extra security to both administrator subaccounts and end user accounts. With this support, administrator subaccounts and end user accounts are required to use a one-time password generated by Google Authenticator in addition to their local account and password.
For details, see Setting Up Two-Factor Authentication on page 262.

Table 20. New Features Available in September 2019

Feature: Mail Tracking Log Enhancements
Description: Mail tracking logs have been enhanced to provide more search
criteria, expanded wildcard search, and better search performance to help
you learn details about the email messages received or sent by Trend Micro
Email Security.
The following enhancements have been implemented to mail tracking logs:
• The Sender and Recipient fields are refined to support wildcards (*) in
  the domain part so that you can search by a particular user account on
  all domains.
• Wildcards (*) are supported by the Subject field.
• More search criteria such as Action and Message ID are available.
• Search results are returned much faster than before.
• The sliding window for search has been extended from 7 days to 60 days.
For details, see Understanding Mail Tracking on page 210.

Feature: REST API Support
Description: Trend Micro Email Security provides programmatic access
through Representational State Transfer (REST) APIs, allowing you to
perform create, read, update and delete operations on resources such as
valid recipients within Trend Micro Email Security.
Refer to the Trend Micro Email Security REST API Online Help at
http://docs.trendmicro.com/en-us/enterprise/trend-micro-email-security.aspx
for details.


Service Requirements
Trend Micro Email Security does not require hardware on your premises. All
scanning is performed in the cloud. To access your web-based Trend Micro
Email Security administrator console, you need a computer with access to
the Internet.
The following are required before Trend Micro Email Security can be
activated:
• An existing mail gateway or workgroup SMTP connection
  For example:
  • A local MTA or mail server
  • A cloud-based MTA solution
• Access to domain MX records (DNS mail exchanger host records) for
  repointing MX records to the Trend Micro Email Security MTA
  (Contact your service provider, if necessary, for more information or
  configuration help.)
If you have trouble accessing the site, confirm that you are using the correct
web address. For details, see Accessing the Trend Micro Email Security
Administrator Console on page 26.
If you have trouble using the site or with the way the website displays,
confirm that you are using a supported browser with JavaScript enabled.
Supported browsers include:
• Microsoft Internet Explorer 11
• Mozilla Firefox 60.0 or later
• Google Chrome 67.0 or later

Features and Benefits


Trend Micro Email Security provides the following features and benefits:


Sender Filter

Trend Micro Email Security allows you to filter senders of incoming email
messages. You can specify the senders to allow or block using specific email
addresses or entire domains and specify the type of sender addresses
collected to match the approved and blocked sender lists.

For details, see Managing Sender Filter on page 75.


Email Reputation Services

Trend Micro Email Security makes use of Trend Micro Email Reputation
Services (ERS) Standard Service and Advanced Service. Email Reputation
Services use a standard IP reputation database and an advanced and dynamic
IP reputation database (a database updated in real time). These databases
have distinct entries, allowing Trend Micro to maintain a very efficient and
effective system that can quickly respond to new sources of spam.

For details, see Understanding IP Reputation on page 86.


Domain-based Message Authentication, Reporting and Conformance (DMARC)

As an email validation system to detect and prevent email spoofing,
Domain-based Message Authentication, Reporting and Conformance (DMARC) is
intended to fight against certain techniques used in phishing and spam, such
as email messages with forged sender addresses that appear to originate
from legitimate organizations. DMARC fits into the inbound email
authentication process of Trend Micro Email Security, allowing you to define
DMARC policies, including the actions to take on messages that fail DMARC
authentication.

For details, see Domain-based Message Authentication, Reporting &
Conformance (DMARC) on page 109.

Multitiered Virus, Spam and Content Filtering

Trend Micro Email Security leverages the Trend Micro Virus Scan Engine to
compare the files with the patterns of known viruses and integrates
Predictive Machine Learning to detect new, previously unidentified, or
unknown malware through advanced file feature analysis. Trend Micro
Email Security also supports integration with Virtual Analyzer, a cloud-based
virtual environment designed to manage and analyze objects submitted by
Trend Micro products.
Furthermore, Trend Micro Email Security detects phishing, spam, Business
Email Compromise (BEC) scams, graymail and social engineering attacks
and examines the message contents to determine whether the message
contains inappropriate content.
You can configure domain-level policies to detect various security risks by
scanning email messages and then performing a specific action for each
security risk detected.
For details, see Configuring Policies on page 142.
Virtual Analyzer

Virtual Analyzer is a cloud sandbox designed for analyzing suspicious files
and URLs. Sandbox images allow observation of files and URLs in an
environment that simulates endpoints on your network without any risk of
compromising the network.
Trend Micro Email Security sends suspicious files or URLs to Virtual
Analyzer when a file or URL exhibits suspicious characteristics and
signature-based scanning technologies cannot find a known threat. Virtual
Analyzer performs static analysis and behavior simulation in various
runtime environments to identify potentially malicious characteristics.
During analysis, Virtual Analyzer rates the characteristics in context and
then assigns a risk level to the sample based on the accumulated ratings.
For details on Virtual Analyzer settings, see Configuring Virus Scan Criteria on
page 153 and Configuring Web Reputation Criteria on page 160.
Data Loss Prevention

Data Loss Prevention (DLP) safeguards an organization's digital assets against
accidental or deliberate leakage. DLP evaluates data against a set of rules
defined in policies to determine the data that must be protected from
unauthorized transmission and the action that DLP performs when it detects
transmission. With DLP, Trend Micro Email Security allows you to manage
your incoming email messages containing sensitive data and protects your
organization against data loss by monitoring your outbound email messages.


For details, see Data Loss Prevention on page 126.


File Password Analysis

Based on user-defined passwords, Trend Micro Email Security can extract
password-protected archive files and open password-protected document
files in email messages to investigate any malicious or suspicious content in
those messages.
For details, see File Password Analysis on page 115.
Suspicious Objects

Suspicious objects are objects with the potential to expose systems to danger
or loss. After Trend Micro Email Security is registered to Trend Micro Apex
Central, Apex Central synchronizes the suspicious object lists consolidated
from its managed Trend Micro products with Trend Micro Email Security at a
scheduled time interval.
For details, see Apex Central on page 304.
Email Continuity

Trend Micro Email Security provides protection against email loss if your
email server goes down. If your server becomes unavailable due to a crash or
network connectivity problem, Trend Micro Email Security automatically
transfers inbound traffic to a backup server until your server is back online.
This enables end users to read, forward, download and reply to email
messages on the End User Console.
For details, see Email Continuity on page 255.
Logs and Reports

Trend Micro Email Security provides detailed logs to help you analyze system
security and improve protection solutions. You can view and search logs to
track messages for inbound and outbound traffic, and to track all messages
for a specific sender, recipient, rule or detection. Trend Micro Email Security
allows you to forward syslog messages to an external syslog server in a
structured format, which allows third-party application integration.
For details, see Logs in Trend Micro Email Security on page 209.


Trend Micro Email Security provides reports to assist in mitigating threats
and optimizing system settings. You can generate reports based on a daily,
weekly, monthly or quarterly schedule.
For details, see Reports on page 243.
Message Quarantine
Quarantined messages are blocked as detected spam or other inappropriate
content before delivery to an email account. Messages held in quarantine
can be reviewed and manually deleted or delivered on the administrator
console. Furthermore, end users can view and manage their own
quarantined messages on the End User Console.
For details, see Understanding Quarantine on page 199.

Available License Versions


Starting from October 31, 2019, Trend Micro Email Security Standard is
available in addition to Trend Micro Email Security.
Trend Micro Email Security Standard includes a subset of features available
in Trend Micro Email Security to deliver essential email protection for cloud
or on-premises email solutions. Trend Micro Email Security includes all the
features of the standard version and provides more advanced and enhanced
functionality.
The following table summarizes the feature differences between the two
license versions.

Note
The features that are common to both versions are not listed here.


Table 21. Feature differences

| Feature | Trend Micro Email Security Standard | Trend Micro Email Security |
| --- | --- | --- |
| Virtual Analyzer | No | Yes (both URL and file analysis) |
| Email continuity | No | Yes |
| Writing style analysis for Business Email Compromise (BEC) threat detection | No | Yes |
| File password analysis | No | Yes |
| Virtual Analyzer scan exceptions | No | Yes |
| Sliding window for mail tracking log search | 30 days | 60 days |
| Sliding window for policy event log search | 30 days | 60 days |
| Message size limit | 50 MB | 150 MB |

The features of Trend Micro Email Security Standard and Trend Micro Email
Security are controlled by the license applied. There are two ways to manage
your license:

• From the Licensing Management Platform
  The Licensing Management Platform allows partners to self-provision
  and auto-renew licenses. Contact your reseller or MSP to add, renew or
  extend your licenses.

• From the Customer Licensing Portal
  Visit the Customer Licensing Portal website at
  https://clp.trendmicro.com and activate, register and manage your
  products on the portal. For details, see the supporting documentation at:
  http://docs.trendmicro.com/en-us/smb/customer-licensing-portal.aspx


If you have purchased the standard version and want to upgrade to Trend
Micro Email Security, do the following:
1. Log on to the Customer Licensing Portal website (https://clp.trendmicro.com).
2. From the Customer Licensing Portal page, click Provide Key.
3. Provide your activation code and click Continue.
Your version will then be upgraded to Trend Micro Email Security.

Inbound Message Protection


Trend Micro Email Security provides inbound message protection by
evaluating email messages in the following order:
• Connection filtering
  Provides the recipient filter, sender filter, Transport Layer Security (TLS)
  check, and IP Reputation settings.
• Domain-based authentication
  Provides authentication methods such as Sender IP Match, Sender
  Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and
  Domain-based Message Authentication, Reporting & Conformance
  (DMARC) to protect against email spoofing.
• Virus scan
  Allows you to configure virus policies and scan exceptions.
• Spam filtering
  Allows you to configure spam policies, high profile users for BEC
  policies and Time-of-Click Protection settings.
• Content filtering
  Allows you to configure content filtering policies to take actions on
  messages based on the conditions matched.
• Data Loss Prevention
  Allows you to create Data Loss Prevention (DLP) policies to manage your
  incoming email messages containing sensitive data.

Inbound Message Flow


Trend Micro Email Security will first scan incoming email messages before
final delivery to the “example.com” Inbound Server.

Messaging traffic flows from the Internet, through Trend Micro Email
Security, and then to the “example.com” Inbound Server, or local MTA.

Evaluation is done in the following order:

1. The originating MTA performs a Domain Name Service (DNS) lookup of
   the MX record for “example.com” to determine the location of the
   “example.com” domain.
   The MX record for “example.com” points to the IP address of Trend
   Micro Email Security instead of the original “example.com” Inbound
   Server.
2. The originating MTA routes messages to Trend Micro Email Security.
3. Trend Micro Email Security accepts the connection from the
   originating mail server.
4. Trend Micro Email Security performs connection-based filtering at the
   MTA connection level to decide on an action to take. Actions include the
   following:
   • Trend Micro Email Security terminates the connection, rejecting
     the messages.
   • Trend Micro Email Security accepts the messages and filters them
     using content-based policy filtering.
5. Trend Micro Email Security examines the message contents to
   determine whether the message contains malware or any other threats.
6. Assuming that a message is slated for delivery according to the domain
   policies, Trend Micro Email Security routes the message to the
   original “example.com” Inbound Server.

Outbound Message Protection


Trend Micro Email Security scans outgoing email messages before delivery if
outbound filtering is enabled. Trend Micro Email Security applies the
following policies for filtering:
• Malware (viruses, spyware, and so on)
• Spam and phishing
• Web reputation
• Data Loss Prevention (DLP)
• Transport Layer Security (TLS) check
• DomainKeys Identified Mail (DKIM) signing
In addition, outbound encryption is seamlessly integrated with the
content-filtering capabilities of Trend Micro Email Security, using
policy-based encryption to secure email messages. The service does not
automatically encrypt email messages. When outbound filtering is enabled,
outbound encryption appears as a policy option within the Trend Micro Email
Security administrator console. You will need to configure rules that apply
encryption as a rule action.
To learn about the policy rule used to encrypt outbound messages, see
Encrypting Outbound Messages on page 195. To learn more about how to enable
outbound protection for a managed domain, see step 5 in Adding a Domain
on page 59.
Trend Micro Email Security evaluates outgoing messages against regulatory
compliance templates defined in DLP policies to prevent data leakage. For
details about DLP, see Data Loss Prevention on page 126.

Integration with Trend Micro Products


For seamless integration, make sure that the Trend Micro products or
services that integrate with Trend Micro Email Security run the required or
recommended versions.
Table 22. Trend Micro Products that Integrate with Trend Micro Email Security

| Product/Service | Version |
| --- | --- |
| Apex Central | 2019 |
| Control Manager | 7.0 with hot fix HF2964 |

Apex Central
Apex Central™ is a central management console that manages Trend Micro
products and services at the gateway, mail server, file server, and corporate
desktop levels. The Apex Central web-based management console provides a
single monitoring point for managed products and services throughout the
network.
Apex Central allows system administrators to monitor and report on
activities such as infections, security violations, or virus entry points. System
administrators can download and deploy components throughout the
network, helping ensure that protection is consistent and up-to-date. Apex
Central allows both manual and pre-scheduled updates, and the
configuration and administration of products as groups or as individuals for
added flexibility.
If Trend Micro Email Security is managed from Apex Central, you can use
single sign-on to access the Trend Micro Email Security administrator
console and check the connection status of registered Trend Micro Email
Security servers.

Registering to Apex Central


Make sure you have a Customer Licensing Portal account and your account
has been bound both with Trend Micro Email Security and Apex Central.

Procedure
1. Open the Apex Central management console.
2. Go to Administration > Managed Servers > Server Registration.
3. On the screen that appears, select Trend Micro Email Security as Server
Type.
4. Click Cloud Service Settings.
5. Specify your Customer Licensing Portal account credentials and click
OK.
The Trend Micro Email Security server appears in the server list.
You can click the server address to single sign-on to the Trend Micro
Email Security administrator console.


Checking Trend Micro Email Security Server Status

Procedure

1. Go to Dashboard.

2. Click the Summary tab.

3. Scroll down and find the Product Connection Status widget.

You can check the status of any Trend Micro Email Security server
registered with Apex Central.

Unregistering from Apex Central

Procedure

1. Go to Administration > Managed Servers > Server Registration.

2. Click Cloud Service Settings.

3. Click Stop managing services with Apex Central.

4. In the dialog box that appears, click Yes.

The Trend Micro Email Security server disappears from the server list.

Trend Micro Remote Manager


Trend Micro Remote Manager is a robust console that works in parallel with
the Customer Licensing Portal and the Licensing Management Platform to
provide managed security services to small and medium businesses.

Remote Manager enables you to monitor the health of multiple managed
networks through multiple, managed products and services. Remote
Manager allows reseller administrators to issue commands to manage
critical aspects of network security.


Trend Micro Email Security is one of the products that Remote Manager
monitors and manages.
• If you are using Licensing Management Platform accounts, contact your
reseller to connect to or disconnect from Remote Manager.
• If you are using Customer Licensing Portal accounts, you can connect to
or disconnect from Remote Manager on the Trend Micro Email Security
administrator console.
For details, see Remote Manager on page 306.

Getting Started with Trend Micro Email Security

Accessing the Trend Micro Email Security Administrator Console
Choose the proper way to access the Trend Micro Email Security
administrator console based on your licensing agreement with Trend Micro.


Table 23. Accessing the Trend Micro Email Security administrator console

Account Type: Customer Licensing Portal account
Logon Method: Log on directly to your administrator console at the
following web address for your region:
• North America, Latin America and Asia Pacific:
  https://tm.tmes.trendmicro.com
• Europe, the Middle East and Africa:
  https://tm.tmes.trendmicro.eu
• Australia and New Zealand:
  https://tm.tmes-anz.trendmicro.com
• Japan:
  https://tm.tmems-jp.trendmicro.com
Note
Customer Licensing Portal helps you manage your accounts, customer
information, and subscriptions. You can directly access the web consoles of
Trend Micro solutions including Trend Micro Email Security.
For details about how to log on to, register and manage Trend Micro Email
Security using Customer Licensing Portal, see the Customer Licensing
Portal documentation at
http://docs.trendmicro.com/en-us/smb/customer-licensing-portal.aspx.

Account Type: Licensing Management Platform account
Logon Method: For Licensing Management Platform resellers, substitute your
Tenant ID for <tenant-id> in the following web address for your region:
• North America, Latin America and Asia Pacific:
  https://<tenant-id>.tmes.trendmicro.com
• Europe, the Middle East and Africa:
  https://<tenant-id>.tmes.trendmicro.eu
• Australia and New Zealand:
  https://<tenant-id>.tmes-anz.trendmicro.com
• Japan:
  https://<tenant-id>.tmems-jp.trendmicro.com

Account Type: Local subaccounts added by the administrator
Logon Method:
• North America, Latin America and Asia Pacific:
  https://ui.tmes.trendmicro.com
• Europe, the Middle East and Africa:
  https://ui.tmes.trendmicro.eu
• Australia and New Zealand:
  https://ui.tmes-anz.trendmicro.com
• Japan:
  https://ui.tmems-jp.trendmicro.com

Account Type: SSO accounts
Logon Method: Log on to the administrator console at the URL generated in
Step 4 in Configuring Single Sign-On on page 264.


From the Trend Micro Email Security administrator console, administrators
can create reports, view logs, perform administrative tasks, and configure
security policies against different types of threats.

The Trend Micro Email Security administrator console provides the
following features:

• Chart-based dashboard

• Domain management

• Inbound and outbound protection settings

• Quarantined message query and quarantine digest settings

• Mail tracking, policy event, URL click tracking and syslog settings

• Daily, weekly, monthly and quarterly reports

• Centralized administration settings, including:

• Policy objects

• Suspicious objects

• Email continuity settings

• Administrator management

• End user management

• Directory management

• License information

Provisioning a Trend Micro Business Account


When you first log on to the administrator console, Trend Micro Email
Security launches a provisioning wizard for you to provision your Trend
Micro Business Account.


Procedure

1. Provide your administrator profile information.

Keep your information current because Trend Micro will send you
information about important maintenance plans, urgent incidents and new
features.

a. Type your first name and last name.

b. Specify your email address.

c. Optionally specify your mobile number, click Send Verification
Code, and type the verification code sent to your mobile phone.

d. Click Next.

An email message will be sent to your registered email address.
Check your mailbox and click the verification link in the message to
proceed.

2. Set your company identifier.

Note
Trend Micro generates a custom subdomain for your company based on
the company identifier you set. For example, if your company identifier is
"example", your MX record for incoming email messages will be generated
based on your location.

• North America, Latin America and Asia Pacific:

example.in.tmes.trendmicro.com

• Europe, the Middle East and Africa:

example.in.tmes.trendmicro.eu

• Australia and New Zealand:

example.in.tmes-anz.trendmicro.com

• Japan:

example.in.tmems-jp.trendmicro.com


3. Add a domain you want to manage through Trend Micro Email Security.

Note
For details about adding domains, see Adding a Domain on page 59.

You still need to perform further setup tasks to get Trend Micro Email
Security up and running. For details, see Setting Up Trend Micro Email
Security on page 31.
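
After repointing, the MX records for a managed domain should all resolve to the host generated from the company identifier in step 2, because the inbound flow depends on the MX record pointing to Trend Micro Email Security rather than to the original inbound server. The following Python script is an added example, not part of this guide or of any Trend Micro tooling; the region labels, function names and sample DNS answers are assumptions, and the host suffixes are the ones listed in the note above.

```python
"""Audit a domain's MX records against the Trend Micro Email Security inbound host.

Added example, not from the guide. Region labels, function names and the sample
DNS answers are assumptions; the host suffixes are those in the provisioning note.
"""
from typing import List, NamedTuple, Tuple

# Inbound host suffix per region, as listed in the guide.
# The dictionary keys are labels chosen for this example.
REGION_SUFFIX = {
    "americas-apac": "in.tmes.trendmicro.com",
    "emea": "in.tmes.trendmicro.eu",
    "anz": "in.tmes-anz.trendmicro.com",
    "japan": "in.tmems-jp.trendmicro.com",
}


class MxRecord(NamedTuple):
    preference: int
    host: str


def expected_mx_host(company_id: str, region: str) -> str:
    """Build <company identifier>.<regional suffix>."""
    if region not in REGION_SUFFIX:
        raise ValueError(f"unknown region label: {region!r}")
    return f"{company_id.strip().lower()}.{REGION_SUFFIX[region]}"


def parse_mx_answers(text: str) -> List[MxRecord]:
    """Parse lines shaped like `dig +short MX` output: '<preference> <host>.'"""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"unparseable MX line: {raw!r}")
        # DNS names are case-insensitive; drop the trailing root dot.
        records.append(MxRecord(int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def audit_mx(records: List[MxRecord], company_id: str,
             region: str) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs. An empty list means every MX record
    points at the expected Trend Micro Email Security host."""
    expected = expected_mx_host(company_id, region)
    findings = []
    if not any(r.host == expected for r in records):
        findings.append((expected, "missing"))
    for r in records:
        if r.host == expected:
            continue
        if any(r.host.endswith("." + s) for s in REGION_SUFFIX.values()):
            # A service host, but for another identifier or region.
            findings.append((r.host, "wrong-identifier-or-region"))
        else:
            # Mail delivered to this host is not evaluated by the service first.
            findings.append((r.host, "not-routed-through-service"))
    return findings


# Constructed sample answers for example.com (not real DNS data).
SAMPLE_MIXED = """\
10 example.in.tmes.trendmicro.com.
20 mail.example.com.
"""
SAMPLE_CLEAN = "10 Example.IN.tmes.trendmicro.com.\n"

if __name__ == "__main__":
    for label, sample in (("mixed", SAMPLE_MIXED), ("clean", SAMPLE_CLEAN)):
        result = audit_mx(parse_mx_answers(sample), "example", "americas-apac")
        print(label, result or "OK")
```

Feed it the output of `dig +short MX` for your own domain; a non-empty result means the published MX set differs from the host the provisioning wizard generated.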

Setting Up Trend Micro Email Security


To ensure your organization achieves effective email security protection,
Trend Micro recommends you perform the following tasks:

1. Configure the domain you added and add additional domains if needed.

Check the status of the domain you added for provisioning and make
sure the domain has been configured properly. Add more domains if
necessary.

For details, see Managing Domains on page 57.

2. Import user directories that will be applied by policies.

Trend Micro Email Security provides multiple ways to import user
directories. Choose the proper way that suits your organization.

For details, see Directory Management on page 294.

3. Configure policies to design your organizational protection solution.

Trend Micro Email Security provides robust email management options,
enabling you to customize your email security protection and configure
policies to meet the needs of your organization. Trend Micro Email
Security is preconfigured with several default policies to provide
immediate protection upon deployment.

For details, see Configuring Policies on page 142.


Working with the Dashboard


The Dashboard screen displays charts for email traffic relayed through
Trend Micro Email Security.

Note
The time zone of the browser accessing Trend Micro Email Security is used.

Select the data shown in charts and their corresponding thumbnail charts on
the Threats, Top Statistics, or Other Statistics tab of Dashboard using the
following controls and settings.
Table 24. Controls and settings

Control: Domain and direction of traffic
Settings: Select a domain and mail traffic direction using specific controls.
Tip
To select all domains, select all my domains from the Managed domain
drop-down list.

Control: Settings
Settings: Click the settings icon on the right of the tabs to select
widgets to show on each tab as needed.

Control: Time periods
Settings: Select a time period at the top of each chart. The following are
the definitions of time periods:
• Date: The most recent eight (8) days. Days are split into hours
  from 0:00 to 23:59. Because days start at midnight, charts with a
  time period of the current day will never show a full 24 hours of
  data.
• Week: The most recent eight (8) weeks. Weeks are the days from
  Sunday to Saturday. Because weeks start on Sunday, charts with
  a time period of the current week will never show a full seven (7)
  days of data.
• Month: The most recent two (2) months. Months are days from
  the first to the last day of the calendar month. Because months
  start on the first, charts with a time period of the current month
  will never show the full month of data.
• Last 12 months: The data for the last twelve months plus all days
  of the current month. Always shows more than one year of data.
Note
The specified time period only affects the data shown on the
current chart and its corresponding thumbnail chart on the
Summary tab. Changing the selection on a chart does not
affect other charts.


Table 25. Specific Charts

Chart: Ransomware Details, Threats, Threats Details, Virtual Analyzer File
Analysis Details, Virtual Analyzer URL Analysis Details, Virtual Analyzer
Quota Usage Details, Domain-based Authentication Details
Settings: Select a time period by Date, Week, Month, or Last 12 months to
show data for the selected time period.

Chart: Top Business Email Compromise (BEC) Threats, Top Analyzed Advanced
Threats (Files), Top Analyzed Advanced Threats (URLs), Top Malware Detected
by Predictive Machine Learning, Top Malware Detected by Pattern-based
Scanning, Top Spam, Top Data Loss Prevention (DLP) Incidents
Settings: Select a time period by Date, Week, Month, or Last 12 months to
show the total percentage of messages by value for the selected time
period.
Use the Top violators drop-down list to select the number of email
addresses that display on the chart.

Chart: Volume, Bandwidth, Time-of-Click Protection
Settings: Select a time period by Date, Week, or Month to show data for the
selected time period.

Threats Tab
The Threats tab of Dashboard provides the information about the threats
processed by Trend Micro Email Security.


Ransomware Details Chart


The Ransomware Details chart on the Threats tab of Dashboard displays the
number of incoming messages detected as ransomware by different
components of Trend Micro Email Security.

Note
This widget is available for incoming mail traffic only.

Hover over Malware Scanning detections above the chart to view the
number of threats detected by Predictive Machine Learning and the number
of threats detected by pattern-based scanning.
Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

Threats Chart
The Threats chart on the Threats tab of Dashboard displays the total
percentage of messages detected as threats.
Select a time period by Date, Week, Month, or Last 12 months to show the
total percentage of messages by value for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
The traffic direction slightly changes the data displayed on charts. The
following is the specific data displayed:


Table 26. Detected Values on Charts

| Detected Values | For Incoming Mail | For Outgoing Mail |
| --- | --- | --- |
| Ransomware | The number of email messages containing attachments that are detected as ransomware or the URL of sites that directly or indirectly facilitate the distribution of ransomware | The number of email messages containing attachments that are detected as ransomware or the URL of sites that directly or indirectly facilitate the distribution of ransomware |
| Malware (Pattern-based) | The number of email messages that pattern-based scanning detected as containing a malware threat | The number of email messages that pattern-based scanning detected as containing a malware threat |
| Malware (PML Detected) | The number of email messages that Predictive Machine Learning detected as containing a malware threat | Not available |
| Suspicious Files | The number of suspicious files detected during spam scanning | The number of suspicious files detected during spam scanning |
| Analyzed Advanced Threats (Files) | The number of email messages containing suspected file threats detected as high risk by the Advanced Threat Scan Engine or analyzed by Virtual Analyzer as security risks | Not available |
| Analyzed Advanced Threats (URLs) | The number of email messages containing suspected URL threats detected as high risk by the Advanced Threat Scan Engine or analyzed by Virtual Analyzer as security risks | Not available |
| Probable Advanced Threats | The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine but not analyzed by Virtual Analyzer | Not available |
| BEC | The number of email messages detected as Business Email Compromise (BEC) attacks | Not available |
| Phishing | The number of email messages that Trend Micro Email Security content-based filtering detected as phishing threats | The number of email messages that Trend Micro Email Security content-based filtering detected as phishing threats |
| Suspicious URLs | The number of suspicious URLs detected during spam scanning | The number of suspicious URLs detected during spam scanning |
| Web Reputation | The number of email messages containing URLs that pose security risks | The number of email messages containing URLs that pose security risks |
| Spam | The number of email messages that Trend Micro Email Security content-based filtering detected as spam | The number of email messages that Trend Micro Email Security content-based filtering detected as spam |
| Domain-based Authentication | The number of messages that failed Sender IP Match, SPF, DKIM, and DMARC authentication | Not available |
| Graymail | The number of email messages detected as graymail | Not available |
| Data Loss Prevention | The number of email messages that triggered Data Loss Prevention incidents regardless of the action taken (block or pass) | The number of email messages that triggered Data Loss Prevention incidents regardless of the action taken (block or pass) |
| Other | The number of email messages detected by content-based policy rules (for example, attachment true file type) | The number of email messages detected by content-based policy rules (for example, attachment true file type) |
| Total | The total number of email messages processed | The total number of email messages processed |


Threats Details Chart


The Threat Details chart on the Threats tab of Dashboard displays the
number of messages detected as threats and the total percentage of blocked
messages.

The Threat Details table allows you to drill down from overall metrics into
policy event logs for more granular data. The drill-down actions are available
only for threats detected within the past 30 days.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The traffic direction slightly changes the data displayed on charts. The
following is the specific data displayed:
Table 27. Detected Values on Charts

| Detected Values | For Incoming Mail | For Outgoing Mail |
| --- | --- | --- |
| Ransomware | The number of email messages containing attachments that are detected as ransomware or the URL of sites that directly or indirectly facilitate the distribution of ransomware | Not available |
| Malware (Pattern-based) | The number of email messages that pattern-based scanning detected as containing a malware threat | The number of email messages that pattern-based scanning detected as containing a malware threat |
| Malware (PML Detected) | The number of email messages that Predictive Machine Learning detected as containing a malware threat | Not available |
| Suspicious Files | The number of suspicious files detected during spam scanning | The number of suspicious files detected during spam scanning |
| Analyzed Advanced Threats (Files) | The number of email messages containing suspected file threats detected as high risk by the Advanced Threat Scan Engine or analyzed by Virtual Analyzer as security risks | Not available |
| Analyzed Advanced Threats (URLs) | The number of email messages containing suspected URL threats detected as high risk by the Advanced Threat Scan Engine or analyzed by Virtual Analyzer as security risks | Not available |
| Probable Advanced Threats | The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine but not analyzed by Virtual Analyzer | Not available |
| BEC | The number of email messages detected as Business Email Compromise (BEC) attacks | Not available |
| Phishing | The number of email messages that Trend Micro Email Security content-based filtering detected as phishing threats | The number of email messages that Trend Micro Email Security content-based filtering detected as phishing threats |
| Suspicious URLs | The number of suspicious URLs detected during spam scanning | The number of suspicious URLs detected during spam scanning |
| Web Reputation | The number of email messages containing URLs that pose security risks | The number of email messages containing URLs that pose security risks |
| Spam | The number of email messages that Trend Micro Email Security content-based filtering detected as spam | The number of email messages that Trend Micro Email Security content-based filtering detected as spam |
| Domain-based Authentication | The number of messages that failed Sender IP Match, SPF, DKIM, and DMARC authentication | Not available |
| Graymail | The number of email messages detected as graymail | Not available |
| Data Loss Prevention | The number of email messages that triggered Data Loss Prevention incidents regardless of the action taken (block or pass) | The number of email messages that triggered Data Loss Prevention incidents regardless of the action taken (block or pass) |
| Other | The number of email messages detected by content-based policy rules (for example, attachment true file type) | The number of email messages detected by content-based policy rules (for example, attachment true file type) |
| Total | The total number of email messages processed | The total number of email messages processed |

Virtual Analyzer File Analysis Details Chart


The Virtual Analyzer File Analysis Details chart on the Threat tab of
Dashboard displays the number and level of file threats detected by Virtual
Analyzer based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
The traffic direction slightly changes the data displayed on charts. The
following is the specific data displayed:


Table 28. Detected Values on Charts

| Detected Values | For Incoming Mail | For Outgoing Mail |
| --- | --- | --- |
| High Risk | The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine and detected as high risk by Virtual Analyzer | Not available |
| Medium Risk | The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine and detected as medium risk by Virtual Analyzer | Not available |
| Low Risk | The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine and detected as low risk by Virtual Analyzer | Not available |
| No Risk | The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine and detected as safe by Virtual Analyzer | Not available |
| Risk Rating Unavailable | The number of email messages containing suspected file threats detected by the Advanced Threat Scan Engine but not analyzed by Virtual Analyzer | Not available |
| Total | The total number of email messages processed | The total number of email messages processed |

Virtual Analyzer URL Analysis Details Chart


The Virtual Analyzer URL Analysis Details chart on the Threat tab of
Dashboard displays the number and level of URL threats detected by Virtual
Analyzer based on the selected mail traffic direction.


Note
The data on this tab is displayed for incoming mail traffic only.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
The traffic direction slightly changes the data displayed on charts. The
following is the specific data displayed:
Table 29. Detected Values on Charts

| Detected Values | For Incoming Mail | For Outgoing Mail |
| --- | --- | --- |
| High Risk | The number of email messages containing suspected URL threats detected during spam scanning and rated as high risk by Virtual Analyzer | Not available |
| Medium Risk | The number of email messages containing suspected URL threats detected during spam scanning and rated as medium risk by Virtual Analyzer | Not available |
| Low Risk | The number of email messages containing suspected URL threats detected during spam scanning and rated as low risk by Virtual Analyzer | Not available |
| No Risk | The number of email messages containing suspected URL threats detected during spam scanning and rated as safe by Virtual Analyzer | Not available |
| Risk Rating Unavailable | The number of email messages containing suspected URL threats detected during spam scanning but not analyzed by Virtual Analyzer | Not available |
| Total | The total number of email messages processed | The total number of email messages processed |

Virtual Analyzer Quota Usage Details


The Virtual Analyzer Quota Usage Details chart on the Threats tab of
Dashboard displays the usage of the Virtual Analyzer submission quota.

Note
The data on this tab is displayed for incoming mail traffic only.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The traffic direction slightly changes the data displayed on charts. The
following is the specific data displayed:
Table 30. Values on Charts

| Value | For Incoming Mail | For Outgoing Mail |
| --- | --- | --- |
| File submission quota | The total number of file submissions to Virtual Analyzer allowed by the allocated quota | Not available |
| URL submission quota | The total number of URL submissions to Virtual Analyzer allowed by the allocated quota | Not available |
| Files over quota | The number of file submissions over quota | Not available |
| URLs over quota | The number of URL submissions over quota | Not available |
| Total | The total number of file and URL submissions over quota | The total number of file and URL submissions over quota |

Domain-based Authentication Details Chart


The Domain-based Authentication Details chart on the Threat tab of
Dashboard displays the number of messages that failed Sender IP Match,
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and
Domain-based Message Authentication, Reporting & Conformance (DMARC)
authentication based on the selected mail traffic direction.
Sender IP Match lets you allow all inbound email traffic from a particular
domain while preventing spoofing, by manually defining the allowed IP
ranges for that domain. SPF, DKIM, and DMARC are three email
authentication systems that protect against email spoofing.

Note
The data on this tab is displayed for incoming mail traffic only.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
The traffic direction slightly changes the data displayed on charts. The
following is the specific data displayed:


Table 31. Detected Values on Charts

| Detected Values | For Incoming Mail |
| --- | --- |
| Sender IP Match | The total number of messages that failed the Sender IP Match check. |
| SPF | The total number of messages that failed SPF check. |
| DKIM | The total number of messages that failed DKIM verification. |
| DMARC | The total number of messages that failed DMARC authentication. |
| DMARC - SPF | The total number of messages that failed SPF check of DMARC authentication. |
| DMARC - DKIM | The total number of messages that failed DKIM signature check of DMARC authentication. |
| DMARC - Alignment | The total number of messages that failed alignment check of DMARC authentication. |
| DMARC - Availability | The total number of messages that failed availability check of DMARC authentication because the sending domain does not have any DMARC record. |

Blocked Message Details


The Blocked Message Details chart on the Threats tab of Dashboard
displays the number of messages blocked for different reasons.

Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.


The traffic direction slightly changes the data displayed on charts. The
following is the specific data displayed:
Table 32. Values on Charts

| Value | For Incoming Mail / For Outgoing Mail |
| --- | --- |
| Sender IP found in QIL | The number of messages blocked because the sender IP address was detected in the Quick IP List (QIL) |
| Sender IP found in KSSL | The number of messages blocked because the sender IP address was found in the Known Spam Source List (KSSL) |
| Sender IP found in DUL | The number of messages blocked because the sender IP address was found in the Dynamic User List (DUL) |
| Sender IP found in ETL | The number of messages blocked because the sender IP address was found in the Emerging Threat List (ETL) |
| Sender IP found in block list | The number of messages blocked because the sender IP address was found in the customized block list |
| Recipient invalid | The number of messages blocked because the recipient was not in the Valid Recipient list when Recipient Directory Management is enabled |
| Sender IP not allowed | The number of messages blocked because the sender IP address was not in the Outbound Servers under Domain Management |
| Sender domain not found | The number of messages blocked because the sender domain was not found in the public DNS system |
| Recipient domain not found | The number of messages blocked because the recipient domain was not found in the public DNS system |
| TLS not available | The number of messages blocked because the email client did not use TLS |
| Message too big | The number of messages blocked because the message size exceeded the maximum |
| Rate limit exceeded | The number of messages blocked because the total number of messages exceeded the maximum limit in a certain period |
| Rate limit exceeded - message count (by IP address) | The number of messages blocked because the total number of messages sent from a single IP address exceeded the maximum limit in a certain period |
| Rate limit exceeded - message count (by email address) | The number of messages blocked because the total number of messages sent from or to a single email address exceeded the maximum limit in a certain period |
| Rate limit exceeded - data size (by IP address) | The number of messages blocked because the accumulated data size from a single IP address exceeded the maximum limit in a certain period |
| Rate limit exceeded - data size (by email address) | The number of messages blocked because the accumulated data size from or to a single email address exceeded the maximum limit in a certain period |
| Rate limit exceeded - data size (by domain) | The number of messages blocked because the accumulated data size from or to a single domain exceeded the maximum limit in a certain period |
| Recipient blocked | The number of messages blocked because the recipient email address was found in the internal global block list |
| Sender IP blocked | The number of messages blocked because the sender IP address was found in the internal global block list |
| Sender blocked | The number of messages blocked because the sender email address was found in the blocked sender list or the internal global block list |
| Policy matching error | The number of messages blocked because an error occurred during policy matching for the specific domain |
| Sender domain malformed | The number of messages blocked because the sender’s DNS record was found malformed |
| Recipient domain malformed | The number of messages blocked because the recipient’s DNS record was found malformed |
| Other | The number of messages blocked due to other reasons |
| Total | The total number of email messages blocked |


Top Statistics Tab


The Top Statistics tab of Dashboard provides the top 20 recipients of spam,
malware, Business Email Compromise threats, and analyzed advanced
threats.

Top BEC Attacks Detected by Antispam Engine Chart


The Top BEC Attacks Detected by Antispam Engine chart on the Top
Statistics tab of Dashboard displays the email recipients that received the
most messages containing Business Email Compromise (BEC) attacks as
detected by the Antispam Engine based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.

Select a time period by Date, Week, or Month to show data for the selected
time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top BEC Attacks Detected by Writing Style Analysis Chart


The Top BEC Attacks Detected by Writing Style Analysis chart on the Top
Statistics tab of Dashboard displays the email recipients that received the
most messages containing Business Email Compromise (BEC) attacks as
detected by writing style analysis based on the selected mail traffic direction.


Note
For details about writing style analysis, see Business Email Compromise (BEC) on
page 121.
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Targeted High Profile Users


The Top Targeted High Profile Users chart on the Top Statistics tab of
Dashboard displays the high profile users that were most frequently targeted
for BEC attacks through email and detected by writing style analysis during
the selected time period.

Note
For details about high profile users, see Configuring High Profile Users on page
122.
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.


Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Analyzed Advanced Threats (Files) Chart


The Top Analyzed Advanced Threats (Files) chart on the Top Statistics tab
of Dashboard displays the email addresses that received the most messages
containing advanced file threats based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Analyzed Advanced Threats (URLs) Chart


The Top Analyzed Advanced Threats (URLs) chart on the Top Statistics tab
of Dashboard displays the email addresses that received the most messages
containing advanced URL threats based on the selected mail traffic direction.

Note
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.


The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Malware Detected by Predictive Machine Learning Chart


Trend Micro Predictive Machine Learning uses advanced machine learning
technology to correlate threat information and perform in-depth file analysis
to detect emerging unknown security risks through digital DNA
fingerprinting, API mapping, and other file features. For details, see About
Predictive Machine Learning on page 156.
The Top Malware Detected by Predictive Machine Learning chart on the
Top Statistics tab of Dashboard displays the email addresses that received
the most messages containing malware threats, as detected by Predictive
Machine Learning.

Note
The data on this tab is displayed for incoming mail traffic only.

Hover over a bar to see details.


Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Malware Detected by Pattern-based Scanning Chart


The Top Malware Detected by Pattern-based Scanning chart on the Top
Statistics tab of Dashboard displays the email addresses that sent or
received the most messages containing malware threats based on the
selected mail traffic direction, as detected by traditional pattern-based
scanning.
Hover over a bar to see details.
Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Spam Chart


The Top Spam chart on the Top Statistics tab of Dashboard displays the
email addresses that sent or received the most spam messages based on the
selected mail traffic direction.
Hover over a bar to see details.
Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Top Data Loss Prevention (DLP) Incidents Chart


The Top Data Loss Prevention (DLP) Incidents chart on the Top Statistics
tab of Dashboard displays the email addresses that sent or received the most
messages triggering DLP incidents regardless of the action taken (block or
pass) based on the selected mail traffic direction.


Select a time period by Date, Week, or Month to show data for the selected
time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
Use the Top violators drop-down list to select the number of email addresses
that display on the chart.

Other Statistics Tab


The Other Statistics tab of Dashboard provides volume and bandwidth of
messages processed by Trend Micro Email Security.

Volume Chart
The Volume chart on the Summary tab of Dashboard displays the total
number of accepted and blocked messages and the total percentage of
blocked messages.
Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.
The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.
The traffic direction slightly changes the data displayed on charts. The
following is the specific data displayed:


Table 33. Detected Values on Charts

| Detected Values | For Incoming Mail | For Outgoing Mail |
| --- | --- | --- |
| Blocked | The number of email messages blocked by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering. Note: This value does not include messages blocked by content-based filtering. | The number of messages blocked using Trend Micro Email Security relay mail service filtering. Possible reasons for blocking include: • Recipient address is not resolvable (such as someone@???.com). • Spammers forged the mail sender address so the message appears to be coming from the customer domain. • The customer's MTA is compromised and is sending spam messages (for example, it is an open relay). |
| Accepted | The number of email messages passed by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering | The number of messages passed by Trend Micro Email Security relay mail service filtering |
| Blocked % | The percentage of email messages blocked by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering | The percentage of messages blocked by Trend Micro Email Security relay mail service filtering |
| Total | The total number of email messages processed | The total number of email messages processed |

Bandwidth Chart
The Bandwidth chart on the Other Statistics tab of Dashboard displays the
total size of email messages scanned by Trend Micro Email Security.


Select a time period by Date, Week, Month, or Last 12 months to show data
for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.

The traffic direction does not change the data displayed on charts. The
following is the specific data displayed:
Table 34. Detected Values on Charts

| Detected Values | For Incoming Mail / For Outgoing Mail |
| --- | --- |
| Not Quarantined | The total size of email messages that Trend Micro Email Security did not quarantine |
| Quarantined | The total size of email messages that Trend Micro Email Security quarantined. Note: By default, no messages are quarantined. To begin using the quarantine, select a quarantine action for one or more policy rules. |
| Total Size | The total size of email messages scanned by Trend Micro Email Security |

Time-of-Click Protection Chart


The Time-of-Click Protection chart on the Other Statistics tab of Dashboard
displays the total number of URL clicks, number of clicks allowed and
blocked, number of clicks warned and stopped, and number of clicks warned
but clicked through.

Select a time period by Date, Week or Month to show daily, weekly or
monthly data for the selected time period.

The specified time period only affects the data shown on this chart and its
corresponding thumbnail chart on the Threats tab. Changing these
selections does not affect other charts.


Note
If you select Outgoing from Direction, this chart will be hidden because Time-
of-Click Protection applies only to incoming messages.

The following is the specific data displayed:


Table 35. Detected Values on Charts

| Detected Values | For Incoming Mail |
| --- | --- |
| Blocked | The total number of URL clicks analyzed and blocked by Trend Micro Email Security at the time of click. |
| Allowed | The total number of URL clicks analyzed and allowed by Trend Micro Email Security at the time of click. |
| Warned and stopped | The total number of URL clicks collected where Trend Micro Email Security warned users and users stopped their access to the URLs. |
| Warned but accessed | The total number of URL clicks collected where Trend Micro Email Security warned users but users continued to access the URLs. |
| Total | The total number of URL clicks collected where Trend Micro Email Security provides Time-of-Click Protection. |

Managing Domains
Use the Domains screen to add, modify, or delete domains.
Table 36. Fields on the Domains screen

| Field | Description |
| --- | --- |
| Domain name | Name of a domain you added. |
| Inbound Servers | Recipient: Recipient can be a wildcard (*) or an exact email address. IP address or FQDN: Fully qualified domain name (FQDN) is a unique name, which includes both host name and domain name, and resolves to a single IP address. For example: hostmaster1.example.com or mailhost.example.com. Not valid: example.com. Port: Port is a number from 1 to 65535 that an inbound server listens on. These ports vary based on server configuration. Preference: Preference, sometimes referred to as distance, is a value from 1 to 100. The lower the preference value, the higher the priority. Note: If more than one mail server is available, delivery is prioritized to servers with lower values. Using the same value will balance delivery to each server. |
| Outbound Servers | If outbound protection is enabled, this is the information for the MTA(s) that Trend Micro Email Security relays your outbound messages from. The following options are available: Office 365: Relays your outbound messages from your Office 365 solution. Google G Suite: Relays your outbound messages from your Google G Suite solution. User-defined mail servers: Relays your outbound messages from the mail servers you specified for your managed domain. |
| Time Added | Time when a domain was added. |
| Status | Status of a domain, which can be one of the following: • Completed: All required information and operations have been completed. The domain is successfully added. • Configuration Required: Certain required information or configurations are missing or incorrect. |

Adding a Domain

Procedure

1. Click Domains.

2. On the Domains screen, click Add.

The Add Domain screen appears.

3. In the General section, specify the following:

• Domain name: Includes everything to the right of the at sign (@) in
email addresses managed by the server(s) being added.

4. In the Inbound Servers section, specify the following:

• Recipient: Recipient can be a wildcard (*) or an exact email address.
Specify the local part of an email address.

• IP address or FQDN: Fully qualified domain name (FQDN) is a
unique name, which includes both host name and domain name,
and resolves to a single IP address.

• Port: Port is a number from 1 to 65535 that an inbound server
listens on. These ports vary based on server configuration.

• Preference: Preference, sometimes referred to as distance, is a
value from 1 to 100. The lower the preference value, the higher the
priority.

If more than one mail server is available, delivery is prioritized to
servers with lower values. Using the same value will balance
delivery to each server.

Note
You can specify up to 30 inbound servers and 30 outbound servers.

Use the add and the remove buttons to manage additional
entries.

Here is an example to explain how messages are routed to inbound
servers based on preference values.

Table 37. Message routing example

| Recipient | IP Address or FQDN | Preference |
| --- | --- | --- |
| *@test.com | 1.2.3.4 | 10 |
| [email protected] | 1.2.3.5 | 11 |
| [email protected] | 1.2.3.6 | 9 |

If a message is sent to [email protected], Trend Micro Email
Security routes the message to the server (IP address: 1.2.3.4) with
lower preference value (10), and then the server (IP address: 1.2.3.5)
if the first server is unavailable.

If a message is sent to [email protected], Trend Micro Email
Security routes the message to the server (IP address: 1.2.3.6) with
lower preference value (9), and then the server (IP address: 1.2.3.4)
if the first server is unavailable.

• Send test message to: (optional) Email address used to confirm
email delivery from Trend Micro Email Security.

5. In the Outbound Servers section, specify the following:

• Select Enable outbound protection.


WARNING!
Enabling outbound protection without specifying outbound servers
will prevent the delivery of any outbound traffic routed through the
service.

• Configure outbound servers using the following options:


• Office 365: Relays your outbound messages from your Office
365 solution.
• Google G Suite: Relays your outbound messages from your
Google G Suite solution.
• User-defined mail servers: Relays your outbound messages
from the mail servers you specified for your managed domain.
6. Click Add Domain.
If the domain is valid and an MX record for the domain exists, the
domain appears on the Domains screen.
After adding a domain, Trend Micro sends a welcome message to the
administrative email address on record.
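
The preference-based routing described for inbound servers, as an added example that is not part of the original guide. The recipient local parts user1 and user2 are constructed stand-ins for the addresses in Table 37, the function names are hypothetical, and matching on the local part within one managed domain is an assumption.

```python
import random

MAX_SERVERS = 30  # limit stated in the Note for inbound servers

# Constructed rows modelled on Table 37 (managed domain test.com).
SERVERS = [
    {"recipient": "*",     "host": "1.2.3.4", "port": 25, "preference": 10},
    {"recipient": "user1", "host": "1.2.3.5", "port": 25, "preference": 11},
    {"recipient": "user2", "host": "1.2.3.6", "port": 25, "preference": 9},
]


def validate_servers(servers):
    """Check rows against the ranges the guide gives for Port and Preference."""
    errors = []
    if len(servers) > MAX_SERVERS:
        errors.append(f"{len(servers)} servers exceeds the limit of {MAX_SERVERS}")
    for s in servers:
        if not 1 <= s["port"] <= 65535:
            errors.append(f"{s['host']}: port {s['port']} is outside 1-65535")
        if not 1 <= s["preference"] <= 100:
            errors.append(f"{s['host']}: preference {s['preference']} is outside 1-100")
    return errors


def delivery_order(rcpt, domain, servers, rng=random):
    """Hosts to try for one recipient, lowest preference value first."""
    local, _, rcpt_domain = rcpt.lower().rpartition("@")
    if rcpt_domain != domain.lower():
        return []
    # A row applies if it is the wildcard or names this exact local part.
    tiers = {}
    for s in servers:
        if s["recipient"].lower() in ("*", local):
            tiers.setdefault(s["preference"], []).append(s["host"])
    order = []
    for pref in sorted(tiers):
        hosts = tiers[pref][:]
        rng.shuffle(hosts)  # equal preference values share the load
        order.extend(hosts)
    return order


def deliver(rcpt, domain, servers, is_up):
    """Return the first reachable host, or None if every candidate is down."""
    for host in delivery_order(rcpt, domain, servers):
        if is_up(host):
            return host
    return None


if __name__ == "__main__":
    print(delivery_order("user1@test.com", "test.com", SERVERS))
    print(delivery_order("user2@test.com", "test.com", SERVERS))
```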

Configuring a Domain
After adding a domain, perform required configurations to finish
provisioning the domain. On the Domains screen, any domain missing
required configurations is in the “Configuration required” status, and a red
exclamation mark will be shown next to the field that requires your
operation or reports any problem. You can hover over the exclamation mark
to view the detailed error message.
After you finish all required operations, the status of the domain will change
from “Configuration required” to “Completed.”


Procedure
1. In the General section, verify your domain.
a. Add the TXT record provided on the console to your domain's DNS
configuration to prove that you own the domain.
b. Click Verify.
The message “Domain verified” appears if the domain verification is
successful.
If you have difficulty adding the TXT record, you can add an MX record
for your domain instead:
Add an MX record for the Trend Micro Email Security server with the
highest preference value.
• North America, Latin America and Asia Pacific:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmes.trendmicro.com

• Europe, the Middle East and Africa:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmes.trendmicro.eu

• Australia and New Zealand:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmes-anz.trendmicro.com

• Japan:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 32767, mail exchanger = <company_identifier>.in.tmems-jp.trendmicro.com

Note
In the preceding MX record, the second preference value 32767 is only
used as an example. When setting the second preference value, make sure
it is larger than the first preference value, which means this route has
lower priority than the first one.

To learn more about MX records, see About MX Records and Trend Micro
Email Security on page 339.
If your domain does not pass the verification, the default antispam and
antivirus policy rules for the domain will be locked and cannot be
changed.

Tip
DNS propagation can take up to 48 hours. The status of the domain you are
adding does not change until DNS propagation is complete. During this
period, do not turn off any on-premises security. While waiting for DNS
propagation, you can use the administrator console to customize the
domain settings for features such as Policy, Recipient Filter, Sender
Filter, Policy Objects, BEC, and IP Reputation.
If the domain remains unverified for more than 48 hours, confirm that the
TXT record or MX record for the domain is correct.
• For Linux, run one of the following commands:
dig txt <domain_name>
dig mx <domain_name>

• For Windows, run one of the following commands:
nslookup -q=txt <domain_name>
nslookup -q=mx <domain_name>


2. In the Inbound Servers section, complete the following configurations:


a. Configure your firewall to accept email messages from the following
Trend Micro Email Security IP addresses or CIDR blocks:
• North America, Latin America and Asia Pacific:
18.208.22.64/26

18.208.22.128/25

18.188.9.192/26

18.188.239.128/26

• Europe, the Middle East and Africa:


18.185.115.0/25

18.185.115.128/26

34.253.238.128/26

34.253.238.192/26

• Australia and New Zealand:


13.238.202.0/25

13.238.202.128/26

• Japan:
18.176.203.128/26

18.176.203.192/26

18.177.156.0/26

18.177.156.64/26


Note
If you are using a third-party IP reputation service, add the preceding
Trend Micro Email Security IP addresses or CIDR blocks to the
approved list of the IP reputation service, or disable the third-party
service and enable Trend Micro Email Security to perform IP
reputation-based filtering for you.

b. Click Test Connection.


c. Point the MX record of your domain to the Trend Micro Email
Security server with the lowest preference value.
• North America, Latin America and Asia Pacific:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmes.trendmicro.com

• Europe, the Middle East and Africa:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmes.trendmicro.eu

• Australia and New Zealand:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmes-anz.trendmicro.com

• Japan:
<your_domain> MX preference = 20, mail exchanger = <your_domain_mta>
<your_domain> MX preference = 10, mail exchanger = <company_identifier>.in.tmems-jp.trendmicro.com


To learn more about MX records, see About MX Records and Trend
Micro Email Security on page 339.
d. Click Verify to verify the inbound servers you added.
The message “Inbound servers verified” appears if the inbound
server verification is successful.
e. Type an email address next to Send test message to to verify that
messages are being delivered from Trend Micro Email Security.
3. In the Outbound Servers section, complete the following
configurations:
a. If your domain has SPF records, make sure the following record is
also included:
spf.tmes.trendmicro.com

For details on adding SPF records, see Adding SPF Records on page
67.
b. Click Verify.
c. Route your outbound mail server to the following Trend Micro
Email Security MTA for your region:
• North America, Latin America and Asia Pacific:
<company_identifier>.relay.tmes.trendmicro.com

• Europe, the Middle East and Africa:


<company_identifier>.relay.tmes.trendmicro.eu

• Australia and New Zealand:


<company_identifier>.relay.tmes-anz.trendmicro.com

• Japan:
<company_identifier>.relay.tmems-jp.trendmicro.com

4. If you currently use Office 365, configure Office 365 connectors to allow
email traffic to or from Trend Micro Email Security MTAs.


See Adding Office 365 Inbound Connectors on page 68.

See Adding Office 365 Outbound Connectors on page 70.

Adding SPF Records


Sender Policy Framework (SPF) is an open standard to prevent sender
address forgery. An SPF record is a type of Domain Name System (DNS)
record that identifies which mail servers are permitted to send email
messages on behalf of your domain. The purpose of an SPF record is to
prevent spammers from sending messages with forged addresses at your
domain.

Procedure

1. Access your DNS hosting provider's website.

2. Edit the existing SPF record or create a new TXT record for SPF.

If you have an SPF record for your domain, add required values to the
current record for Trend Micro. For example, change the following TXT
record:

v=spf1 ip4:x.x.x.x include:spf.example.com ~all

Into:

v=spf1 ip4:x.x.x.x include:spf.tmes.trendmicro.com include:spf.example.com ~all

Important
A domain cannot have more than one TXT record for SPF. If your domain
has more than one SPF record, a message delivery or spam classification
issue may occur.
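
An offline check for the two conditions this section states (the Trend Micro include is present, and the domain has only one SPF record), as an added example that is not part of the original guide. The TXT strings are constructed samples in the form `dig txt` prints, the function names are hypothetical, and the lookup check applies the limit of 10 DNS-querying terms from RFC 7208 to the top-level record only.

```python
import re

TMES_INCLUDE = "include:spf.tmes.trendmicro.com"   # value given in this guide
LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample data: TXT answers as dig prints them (quoted strings).
BEFORE = ['"v=spf1 ip4:192.0.2.10 include:spf.example.com ~all"',
          '"constructed-site-verification=abc123"']
TWO_RECORDS = BEFORE + ['"v=spf1 include:spf.tmes.trendmicro.com ~all"']
SPLIT = ['"v=spf1 ip4:192.0.2.10 include:spf.tmes." '
         '"trendmicro.com include:spf.example.com ~all"']


def join_txt(raw):
    """A long TXT record arrives as several quoted strings; join them with no separator."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    return "".join(parts) if parts else raw.strip()


def spf_records(txt_records):
    """Keep only the TXT records whose version tag is v=spf1."""
    joined = [join_txt(r) for r in txt_records]
    return [r for r in joined if r.lower().split(" ", 1)[0] == "v=spf1"]


def terms(record):
    """Mechanisms and modifiers, lower-cased, with the qualifier (+ - ~ ?) removed."""
    return [t.lstrip("+-~?").lower() for t in record.split()[1:]]


def lookup_count(record):
    """Count top-level terms that cause a DNS query (nested includes are not resolved)."""
    names = [re.split(r"[:/=]", t, maxsplit=1)[0] for t in terms(record)]
    return sum(1 for n in names if n in LOOKUP_NAMES)


def audit(txt_records):
    """Return a list of finding codes; an empty list means the record set passes."""
    spf = spf_records(txt_records)
    if not spf:
        return ["no-spf-record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple-spf-records")
    if not any(TMES_INCLUDE in terms(r) for r in spf):
        findings.append("missing-tmes-include")
    for r in spf:
        t = terms(r)
        # Terms after "all" are never evaluated, so the include must precede it.
        if TMES_INCLUDE in t and "all" in t and t.index(TMES_INCLUDE) > t.index("all"):
            findings.append("include-after-all")
        if lookup_count(r) > 10:
            findings.append("too-many-dns-lookups")
    return findings


def add_tmes_include(record):
    """Insert the include ahead of the all mechanism or redirect modifier."""
    record = join_txt(record)
    if TMES_INCLUDE in terms(record):
        return record
    parts = record.split()
    for i, t in enumerate(parts):
        bare = t.lstrip("+-~?").lower()
        if bare == "all" or bare.startswith("redirect="):
            parts.insert(i, TMES_INCLUDE)
            break
    else:
        parts.append(TMES_INCLUDE)
    return " ".join(parts)


if __name__ == "__main__":
    print(audit(BEFORE), audit(TWO_RECORDS), audit(SPLIT))
    print(add_tmes_include(BEFORE[0]))
```

The helper places the include directly before `~all` rather than before the existing include as in the record shown above; both positions are evaluated before `all`, so the result is the same.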


Adding Office 365 Inbound Connectors


Before you begin

Before integrating your Office 365 managed domain name with Trend Micro
Email Security, perform all steps recommended by Microsoft to complete
configuration of Office 365 email management for your domain.

To configure inbound connectors, ensure that you have an Office 365
administrator account.

Some organizations use Office 365 to remotely host their email architecture,
allowing Microsoft to manage the day-to-day aspects of maintaining their
email servers. Trend Micro Email Security integrates with Office 365 to
provide additional security and benefits.

Configure Office 365 connectors to allow email traffic to and from Trend
Micro Email Security MTAs.

Important
Consult the Office 365 help for information about adding connectors. Some
Office 365 plans do not offer connectors.

http://technet.microsoft.com/en-us/library/exchange-online-mail-flow.aspx

Procedure

1. Log on to your Office 365 administration center.

2. In the navigation on the left, go to Admin > Admin centers > Exchange.

The Exchange admin center screen appears.

3. In the navigation on the left, go to mail flow, and then click connectors
in the top navigation.

4. Do the following to add an Inbound Connector to Office 365:


Note
By adding an inbound connector, you can configure Office 365 to accept
mail filtered by Trend Micro Email Security for delivery to email accounts
in your Office 365 managed domain.

a. Click the plus (+) icon.


A new connector configuration screen appears.
b. In the From field, select Partner organization.
c. In the To field, select Office 365.
d. Click Next.
e. In the Name field, type a descriptive name for the connector.
For example, type Trend Micro Email Security (Inbound).
f. Select the Turn it on check box.
g. Click Next.
h. Select Use the sender's IP address, and then click Next.
i. In the Specify the sender IP address range. field, add the following
Trend Micro Email Security IP addresses:
• North America, Latin America and Asia Pacific:
18.208.22.64/26

18.208.22.128/25

18.188.9.192/26

18.188.239.128/26

• Europe, the Middle East and Africa:


18.185.115.0/25

18.185.115.128/26


34.253.238.128/26

34.253.238.192/26

• Australia and New Zealand:

13.238.202.0/25

13.238.202.128/26

• Japan:

18.176.203.128/26

18.176.203.192/26

18.177.156.0/26

18.177.156.64/26

j. Click Next.

k. Select Reject email messages if they aren't sent over TLS, and then
click Next.

The New connector confirmation screen appears, displaying all the
settings that you have configured.

l. Click Save.

Adding Office 365 Outbound Connectors


Before you begin

To configure outbound connectors, ensure that you have an Office 365
administrator account.

Some organizations use Office 365 to remotely host their email architecture,
allowing Microsoft to manage the day-to-day aspects of maintaining their
email servers. Trend Micro Email Security integrates with Office 365 to
provide additional security and benefits.


Configure Office 365 connectors to allow email traffic to and from Trend
Micro Email Security MTAs.

Important
Consult the Office 365 help for information about adding connectors. Some
Office 365 plans do not offer connectors.
http://technet.microsoft.com/en-us/library/exchange-online-mail-flow.aspx

Procedure
1. Log on to your Office 365 administration center.
2. In the navigation on the left, go to Admin > Admin centers > Exchange.
The Exchange admin center screen appears.
3. In the navigation on the left, go to mail flow, and then click connectors
in the top navigation.
4. Do the following to add an Outbound Connector to Office 365:

Note
By adding an outbound connector, you can configure Office 365 to relay
outbound mail to Trend Micro Email Security for filtering and delivery to
recipients outside of your Office 365 managed domain.

a. Click the plus (+) icon.


A new connector configuration screen appears.
b. In the From field, select Office 365.
c. In the To field, select Partner organization.
d. Click Next.
e. In the Name field, type a descriptive name for the connector.
For example, type Trend Micro Email Security (Outbound).


f. Select the Turn it on check box.


g. Click Next.
h. Select Only when I have a transport rule set up that redirects
messages to this connector, and then click Next.
i. Select Route email through these smart hosts, click the plus (+)
icon, and then add the following host to the list:
<company_identifier>.relay.<domain_name>

Note
In the preceding information, replace <company_identifier> and
<domain_name> with actual values. The value of <domain_name>
varies according to your location:
• North America, Latin America and Asia Pacific:
tmes.trendmicro.com

• Europe, the Middle East and Africa:


tmes.trendmicro.eu

• Australia and New Zealand:


tmes-anz.trendmicro.com

• Japan:
tmems-jp.trendmicro.com

j. Click Next.
k. Keep the default settings on the screen that appears, and click Next.
The New connector confirmation screen appears, displaying all the
settings that you have configured.
l. Click Next.
m. Add an email address to the field provided, and then click Validate.
After the validation process completes, the Validation Result screen
displays.


n. Click Save.

5. Add an email flow rule to use the outbound connector you created.

a. In the navigation on the left, go to mail flow, and then click rules in
the top navigation.

b. Click the plus (+) icon and click Create a new rule.

c. In the Name field, type a name for the rule, for example, Trend
Micro Email Security (Outbound).

d. Under Apply this rule if..., select The recipient is located and then
Outside the organization and click OK.

e. Click More Options at the bottom to show more settings.

f. Under Do the following..., select Redirect the message to and then
the following connector and choose the outbound connector you
created for message redirection.

g. Configure the remaining fields if necessary; otherwise, keep the
default settings for them.

h. Click Save.

Editing or Deleting Domains

Procedure

1. On the Domains screen, select domains by doing one of the following:

• To select one or more domains, select the check box to the left of
each entry.

• To select all domains, select the check box to the left of the Domain
Name column title.

2. To edit information for a domain, do the following:


a. Click the domain name in the Domain Name column.

The Edit Domain screen appears, with fields pre-filled with the
information on record for that domain.

b. Modify the fields as needed.

3. To delete domains, select one or multiple domain records and click
Delete.

Inbound and Outbound Protection

Managing Recipient Filter


The Recipient Filter screen displays the list of available domains. You can
enable or disable these domains to check valid recipients and export the
domain recipient lists to local storage.

Table 38. Recipient Filter Tasks

Tasks                   Steps

Enable All Filters      On the Recipient Filter screen, click Enable All to
                        enable all filters in all domains.

Disable All Filters     On the Recipient Filter screen, click Disable All to
                        disable all filters in all domains.

Export All              On the Recipient Filter screen, click Export All to
                        export all filters in all domains to the local storage.

Export A Filter List    On the Recipient Filter screen, click the icon under
                        the Export column to export the filter list in a domain.


Managing Sender Filter


Trend Micro Email Security allows you to configure the following to filter
senders of incoming messages:
• Sender filter settings
• Specifies the type of sender addresses collected to match the
approved and blocked sender lists.
• Specifies whether to insert an X-Header in the message header for
email messages matching approved senders.
• Approved senders
Specifies the senders to allow using specific email addresses or entire
domains.
• Blocked senders
Specifies the senders to block using specific email addresses or entire
domains.

Sender Filter Settings


Just like physical letters, an email message has two sets of addresses: the
envelope address and the message header address. The envelope address,
like the address on the outside of an envelope, is used by the MTA to route
and deliver the email message; the message header address, which is part of
the message header, is similar to the address attached to a salutation at the
start of a physical letter.
The Sender Filter Settings screen enables you to choose the type of sender
addresses Trend Micro Email Security uses to match the approved or blocked
sender list.
The following options are available:
• Envelope addresses
By default, this option is selected and cannot be modified.


• Message header addresses
If you select this option, Trend Micro Email Security uses both addresses
for matching.
Trend Micro Email Security provides the capability of inserting an X-Header
in the message header for email messages matching approved senders. If you
select the Insert an X-Header in the message header if an approved sender
matches check box, you can do extra actions based on the message header
on your own MTA or mail server.
• The following X-Header is inserted in the message header once an
approved sender's envelope address matches:
X-TM-Approved-Sender: envelope-sender

• The following X-Header is inserted in the message header if an approved
sender's envelope address does not match but the message header
address matches:
X-TM-Approved-Sender: header-sender

Note
Unless specified otherwise, Trend Micro Email Security considers the envelope
address as the common sender address.
Regardless of your sender address settings, IP reputation-based filtering and
unknown sender domain check will always use Envelope addresses rather than
Message header addresses to match the approved or blocked sender list.
Unknown sender domain check refers to the check that verifies if the sender's
envelope address has a valid DNS A or MX record.

Configuring Approved and Blocked Sender Lists


Configure the Approved Senders and Blocked Senders lists to control which
email messages Trend Micro Email Security scans. Specify the senders to
allow or block using specific email addresses or entire domains.
For example, *@example.com specifies all senders from the example.com
domain.


Evaluation is done in the following order:


1. End User Console blocked sender list
2. Administrator console blocked sender list
3. End User Console approved sender list
4. Administrator console approved sender list

Note
Approved senders added to the End User Console will not override blocked
senders for the same email address or domain in the administrator console. For
example, assume that *@example.com is in the blocked sender list of the
administrator console, and [email protected] is in the approved sender list in
the End User Console for an end user. Messages from [email protected] will
still be blocked.
IP reputation-based filters use only IP address data to filter messages. You can
also use sender email address and domain to filter incoming messages.
Approved senders bypass IP reputation-based filtering at the MTA connection
level.

Lists of approved or blocked senders are managed using the following
screens:
• Approved Senders
Trend Micro Email Security will not perform the following checks on
email messages from senders added to this list:
• IP reputation-based filtering
• Unknown sender domain check
• Spam
• BEC
• Phishing
• Social engineering attack


• Web reputation

• Graymail

Trend Micro Email Security still performs virus scanning and content
filtering on all messages received and takes the action configured in
policy rules when it detects a virus or content filtering violation.

Go to Inbound Protection > Connection Filtering > Sender Filter >
Approved Senders to display this screen.

• Blocked Senders

Trend Micro Email Security automatically blocks messages sent from
addresses or domains added to the blocked list without submitting the
messages to any scanning.

Go to Inbound Protection > Connection Filtering > Sender Filter >
Blocked Senders to display this screen.

The Approved Senders and Blocked Senders tables display the following
information:

• Sender: The email address or domain that you approved or blocked for
the specified Recipient Domain

• Recipient Domain: The managed domain for which you approved or
blocked the specified sender

• Date Added: The date that you added the sender to the list

Adding Senders
Trend Micro Email Security only approves or blocks email messages from
the specified sender for the specified domain.

For example, after adding [email protected] to the
blocked list for your managed domain mydomain.com, Trend Micro Email
Security only blocks the email messages sent from
[email protected] to addresses in the mydomain.com
domain. Trend Micro Email Security still scans and possibly passes email
messages sent from [email protected] to your other
managed domains.
To block or allow email messages from a specific sender to all domains,
select all my domains from the Managed domain drop-down list.

Procedure
1. Select a specific domain from the Managed domain drop-down list. To
select all domains, select all my domains from the list.

2. In the Email address or domain field, type a sender. A sender can be a
specific email address or all addresses from a specific domain or
subdomain.
• Filter a specific email address by typing that email address.
• Filter all addresses from a domain by using an asterisk (*) to the left
of the at sign (@) in the email address. For example, *@example.com
will filter all email addresses in the example.com domain.
• Filter all addresses from a subdomain by using an asterisk (*) to the
left of the at sign (@) and also using an asterisk (*) in place of the
subdomain in the email address. For example, *@*.example.com
will filter all email addresses in all subdomains of the example.com
domain.
The following table displays format examples that are valid or not valid:

Table 39. Format Examples for Approved Senders and Blocked Senders

Valid                    Not Valid
[email protected]         name@*.example.com
*@example.com            *@*.com
*@server.example.com     *@*
*@*.example.com

3. Click Add to List.

Trend Micro Email Security validates the sender address and adds it to
the list.

Tip
Trend Micro Email Security validates the format of the sender address
before adding the sender to the list. If you receive multiple formatting
error messages and are sure that the address provided is accurate, your
administrator console may have timed out. Reload the page and try again.
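
The sender format rules of Table 39, the per-domain scope, the four-step evaluation order and the X-TM-Approved-Sender value, combined in one added example that is not part of the original guide. All addresses and list contents are constructed, the function names are hypothetical, the validation rules are inferred from the table rather than taken from the product, and each End User Console list is simplified to one shared list.

```python
import re

ALL_DOMAINS = "all my domains"   # catch-all choice in the Managed domain list
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
PLAIN_DOMAIN = re.compile(rf"{LABEL}(?:\.{LABEL})+")
WILD_DOMAIN = re.compile(rf"\*\.{LABEL}(?:\.{LABEL})+")   # "*." plus two or more labels
LOCAL_PART = re.compile(r"[a-z0-9._%+-]+")

ORDER = ["euc_blocked", "admin_blocked", "euc_approved", "admin_approved"]
APPROVED = ["euc_approved", "admin_approved"]

# Constructed lists: (sender pattern, recipient domain scope).
LISTS = {
    "admin_blocked": [("*@example.com", ALL_DOMAINS)],
    "euc_approved": [("alice@example.com", "mydomain.test")],
    "admin_approved": [("*@*.partner.test", "mydomain.test")],
}


def is_valid_pattern(pattern):
    """Accept and reject the same forms as Table 39."""
    pattern = pattern.strip().lower()
    if pattern.count("@") != 1:
        return False
    local, domain = pattern.split("@")
    if local == "*":
        return bool(PLAIN_DOMAIN.fullmatch(domain) or WILD_DOMAIN.fullmatch(domain))
    # An exact local part cannot be combined with a wildcard domain.
    return bool(LOCAL_PART.fullmatch(local) and PLAIN_DOMAIN.fullmatch(domain))


def matches(pattern, sender):
    p_local, p_domain = pattern.lower().split("@")
    s_local, s_domain = sender.lower().rsplit("@", 1)
    if p_local != "*" and p_local != s_local:
        return False
    if p_domain.startswith("*."):
        return s_domain.endswith(p_domain[1:])   # subdomains only, not the parent
    return s_domain == p_domain                  # assumption: exact domain only


def first_hit(addr, names, rcpt_domain, lists):
    """Name of the first list (in the given order) with an in-scope matching entry."""
    for name in names:
        for pattern, scope in lists.get(name, []):
            if scope in (ALL_DOMAINS, rcpt_domain) and matches(pattern, addr):
                return name
    return None


def evaluate(env_from, hdr_from, rcpt, lists, match_header=False):
    """Apply the lists in the documented order; the first list that matches decides."""
    rcpt_domain = rcpt.rsplit("@", 1)[1].lower()
    addrs = [env_from] + ([hdr_from] if match_header else [])
    for name in ORDER:
        if not any(first_hit(a, [name], rcpt_domain, lists) for a in addrs):
            continue
        if name.endswith("blocked"):
            return {"verdict": "block", "list": name, "x_header": None}
        # Header value inserted when the X-Header option is selected.
        by_env = first_hit(env_from, APPROVED, rcpt_domain, lists)
        which = "envelope-sender" if by_env else "header-sender"
        return {"verdict": "approve", "list": name,
                "x_header": f"X-TM-Approved-Sender: {which}"}
    return {"verdict": "scan", "list": None, "x_header": None}


if __name__ == "__main__":
    print(evaluate("alice@example.com", "alice@example.com", "bob@mydomain.test", LISTS))
```

The message header address is set by the sending client and is easy to forge, so with message header matching enabled an approved-list hit on that address alone skips the checks listed under Approved Senders. A downstream MTA rule can treat `header-sender` as a weaker signal than `envelope-sender`.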

Editing Senders

Procedure

1. Select a specific domain from the Managed domain drop-down list. To
select all domains, select all my domains from the list.

2. Optionally type a sender address and click Search to search for specific
senders.

3. Click the email address of a sender or the Edit button for the sender.

The email address becomes editable, and buttons labeled Save or Cancel
appear.

4. Make and confirm your changes or corrections.

• Filter a specific email address by typing that email address.


• Filter all addresses from a domain by using an asterisk (*) to the left
of the at sign (@) in the email address. For example, *@example.com
will filter all email addresses in the example.com domain.

• Filter all addresses from a subdomain by using an asterisk (*) to the
left of the at sign (@) and also using an asterisk (*) in place of the
subdomain in the email address. For example, *@*.example.com
will filter all email addresses in all subdomains of the example.com
domain.

The following table displays format examples that are valid or not valid:

Table 40. Format Examples for Approved Senders and Blocked Senders

Valid                    Not Valid
[email protected]         name@*.example.com
*@example.com            *@*.com
*@server.example.com     *@*
*@*.example.com

Importing and Exporting Senders

Trend Micro Email Security allows you to import approved and blocked
senders in batches from a properly-formatted CSV file and export the
existing senders to the local storage.

Procedure

1. Go to Inbound Protection > Connection Filtering > Sender Filter >
Approved Senders or go to Inbound Protection > Connection Filtering
> Sender Filter > Blocked Senders.

2. Import or export senders.

Option            Description

Import senders    a. Click Import to import multiple senders.
                  The Import Approved Senders screen appears.
                  b. Click Choose File to locate the file to import.
                  c. Select one of the following import options:
                  • Merge: append the sender email addresses or domains to the
                  existing list.
                  • Overwrite: replace the existing list with the sender email
                  addresses or domains in the file.
                  d. Click Import.

Export senders    Select the senders that you want to export and click Export.
                  The selected senders are exported to the local storage.

Transport Layer Security (TLS) Peers


Transport Layer Security (TLS) is a protocol that helps to secure data and
ensure communication privacy between endpoints. Trend Micro Email
Security allows you to configure TLS encryption policies between Trend
Micro Email Security and specified TLS peers. Trend Micro Email Security
supports the following TLS protocols in descending order of priority: TLS
1.3, TLS 1.2, TLS 1.1 and TLS 1.0.
The Transport Layer Security (TLS) screen uses the following important
terms:

Term                  Details

TLS peer              Trend Micro Email Security can apply your specified TLS
                      configuration with this domain during network
                      communications.

Security level        • Opportunistic:
                        • Communicates using encryption if the peer supports and
                          elects to use TLS
                        • Communicates without encryption if the peer does not
                          support TLS
                        • Communicates without encryption if the peer supports TLS
                          but elects not to use TLS
                      • Mandatory:
                        • Communicates using encryption if the peer supports and
                          elects to use TLS
                        • Does not communicate if the peer does not support TLS
                        • Does not communicate if the peer supports TLS but elects
                          not to use TLS

Status                • Enabled: Trend Micro Email Security applies your specified
                        TLS configuration to the peer
                      • Disabled: Trend Micro Email Security does not apply your
                        specified TLS configuration to the peer
                        Instead, the “Default” TLS configuration applies.

Default (TLS Peer)    This configuration applies to all domains that meet any of
                      the following criteria:
                      • Domain is not in the peer list
                      • Domain is in the peer list, but is not enabled

Adding TLS Peers

Procedure
1. Go to Inbound Protection > Connection Filtering > Transport Layer
Security (TLS) Peers.
2. Select a managed domain.


3. Click Add to add a TLS peer for the selected domain.


4. Specify a sender domain, IP address, or CIDR block as TLS Peer.
5. Set the Security level to one of the following:
• Opportunistic:
• Communicates using encryption if the peer supports and elects
to use TLS
• Communicates without encryption if the peer does not support
TLS
• Communicates without encryption if the peer supports TLS but
elects not to use TLS
• Mandatory:
• Communicates using encryption if the peer supports and elects
to use TLS
• Does not communicate if the peer does not support TLS
• Does not communicate if the peer supports TLS but elects not
to use TLS


Important
To ensure messages can be received from the Trend Micro Email
Security MTA, configure your firewall to accept email messages
from the following Trend Micro Email Security IP address /
CIDR blocks:

• North America, Latin America and Asia Pacific:

18.208.22.64/26

18.208.22.128/25

18.188.9.192/26

18.188.239.128/26

• Europe, the Middle East and Africa:

18.185.115.0/25

18.185.115.128/26

34.253.238.128/26

34.253.238.192/26

• Australia and New Zealand:

13.238.202.0/25

13.238.202.128/26

• Japan:

18.176.203.128/26

18.176.203.192/26

18.177.156.0/26

18.177.156.64/26

6. Select Enabled to have Trend Micro Email Security apply your specified
TLS security level to the new peer.

7. Click Save.


Editing TLS Peers

Procedure
1. Go to Inbound Protection > Connection Filtering > Transport Layer
Security (TLS) Peers.
2. Select a managed domain.
3. Find the TLS peer that you want to edit, and click Edit to the right of the
record.
4. Edit the peer information as required.
5. Click Save.

Understanding IP Reputation
Trend Micro Email Security offers two tiers of protection. Connection-based
filtering at the MTA connection level, including IP reputation-based filtering
provided by Trend Micro Email Reputation Services (ERS), is the first tier.
The second is content-based filtering at the message level.

Tip
IP reputation-based filters use only IP address data to filter messages. You can
also use sender email address and domain to filter incoming messages.
Approved senders bypass IP reputation-based filtering at the MTA connection
level.
See IP Reputation Order of Evaluation on page 91.

Trend Micro Email Security makes use of Trend Micro Email Reputation
Services (ERS) Standard Service and Advanced Service. Email Reputation
Services use a standard IP reputation database and an advanced, dynamic IP
reputation database (a database updated in real time). These databases have
distinct entries, allowing Trend Micro to maintain a very efficient and
effective system that can quickly respond to new sources of spam.


Configure the following settings on the Settings tab of the IP Reputation
screen:

• Quick IP List, which is also known as dynamic IP reputation settings,
controls how Trend Micro Email Security uses the dynamic IP
reputation database from Email Reputation Services Advanced Service.

• Standard IP Reputation Settings control how Trend Micro Email
Security uses the standard IP reputation database from Email
Reputation Services Standard Service.

The other tabs of the IP Reputation screen are as follows:

• Approved IP Address

• Blocked IP Address

• Approved Country/Region

• Blocked Country/Region

About Quick IP List


Trend Micro Email Security makes use of Trend Micro Email Reputation
Services (ERS) Standard Service and Advanced Service.

Quick IP List uses Trend Micro Email Reputation Services Advanced Service,
a real-time antispam solution. The Trend Micro network of automated expert
systems, along with Trend Micro spam experts, continuously monitor
network and traffic patterns and immediately update the dynamic IP
reputation database as new spam sources emerge, often within minutes. As
evidence of spam activity increases or decreases, the dynamic IP reputation
database is updated accordingly.

The dynamic IP reputation database includes the following blocking levels:

• Level 0: Off

Queries the dynamic reputation database but does not block any IP
addresses.


• Level 1: Least aggressive


Trend Micro Email Security allows the same amount of spam from a
sender with a good rating as in Level 2. The length of time that the IP
address stays in the database is generally shorter than for more
aggressive settings.
• Level 2: (the default setting)
Trend Micro Email Security allows a larger volume of spam from a
sender with a good rating than more aggressive settings. However, if an
increase in spam above the allowable threshold is detected, it adds the
sender to the dynamic reputation database. The length of time that the
IP address stays in the database is generally shorter than for more
aggressive settings.
• Level 3:
Trend Micro Email Security allows a small volume of spam from senders
with a good rating. However, if an increase in spam beyond the
allowable threshold is detected, it adds the sender to the dynamic
reputation database. The length of time that the IP address stays in the
database depends on whether additional spam from the sender is
detected.
• Level 4: Most aggressive
If even a single spam message from a sender IP address is detected,
Email Reputation Services adds the sender to the dynamic reputation
database and Trend Micro Email Security blocks all messages from the
sender. The length of time that the IP address stays in the database
depends on whether additional spam from the sender is detected.
If legitimate email is being blocked, select a less aggressive setting. If too
much spam is reaching your network, select a more aggressive setting.
However, a more aggressive setting might increase false positives by
blocking connections from legitimate email senders.


Note
To avoid false positives from a trusted partner company, go to Inbound
Protection > Connection Filtering > IP Reputation, and add the IP address for
their MTA to the Approved IP Address list.
The IP addresses in the approved lists bypass other IP reputation-based
filtering. This list is useful for ensuring all messages from a partner company
or other MTA are allowed, no matter their status with the standard IP
reputation databases or with the Trend Micro Email Reputation Services (ERS)
dynamic IP reputation database. When using the IP reputation approved lists,
you may experience lower overall spam catch rates.

About Standard IP Reputation Settings


Trend Micro Email Security makes use of Trend Micro Email Reputation
Services (ERS) Standard Service and Advanced Service.
Standard IP Reputation Settings use Trend Micro Email Reputation Services
Standard Service, which helps block spam by validating requested IP
addresses against the Trend Micro standard IP reputation database, powered
by the Trend Micro Threat Prevention Network. This ever-expanding
database currently contains over a billion IP addresses with reputation
ratings based on spamming activity. Trend Micro spam investigators
continuously review and update these ratings to ensure accuracy.
Trend Micro Email Security makes a query to the standard IP reputation
database server whenever it receives an email message from an unknown
host. If the host is listed in the standard IP reputation database, that message
is reported as spam.
You can choose which lists to enable from the standard IP reputation
database. By default, all lists are enabled. The default setting is the most
effective for reducing spam levels, and it meets the needs of most customers.

Note
If you disable some portions of the standard IP reputation database, you may
see an increase in the amount of spam messages that reach your internal mail
server for additional content filtering.


The standard IP reputation database includes the following lists:


• Known Spam Source List: The Known Spam Source List (KSSL) is a list
of IP addresses of mail servers that are known to be sources of spam.
• Dynamic User List: The Dynamic User List (DUL) is a list of dynamically
assigned IP addresses, or those with an acceptable use policy that
prohibits public mail servers. Most entries are maintained in
cooperation with the ISP owning the network space. IP addresses in this
list should not be sending email directly but should be using the mail
servers of their ISP.
• Emerging Threat List: The Emerging Threat List (ETL) is a list of IP
addresses identified as involved in active ransomware, malware, or other
email threat campaigns.

Note
To avoid false positives from a trusted partner company, go to Inbound
Protection > Connection Filtering > IP Reputation, and add the IP address for
their MTA to the Approved IP Address list.

About Approved and Blocked IP Addresses


To manually override IP reputation-based filtering at the MTA connection
level:
• Configure the Approved IP Address list
• Configure the Blocked IP Address list
• Configure the Approved Country/Region list
• Configure the Blocked Country/Region list

Tip
The Approved IP Address and Blocked IP Address lists support both IP
addresses and Classless Inter-Domain Routing (CIDR) blocks.
To add a CIDR block to the list, type the IPv4 address / CIDR block. The
following is the only valid format: x.x.x.x/z


These lists override the Quick IP List and Standard IP Reputation Settings
and allow for customization of which addresses are subjected to IP
reputation-based filtering.

The IP addresses in the approved lists bypass other IP reputation-based
filtering. This list is useful for ensuring all messages from a partner company
or other MTA are allowed, no matter their status with the standard IP
reputation databases or with the Trend Micro Email Reputation Services
(ERS) dynamic IP reputation database. When using the IP reputation
approved lists, you may experience lower overall spam catch rates.

The IP addresses in the blocked lists are not subject to other IP reputation-
based filtering. Trend Micro Email Security permanently rejects connection
attempts from such IP addresses by responding with a 550 error (a rejection
of the requested connection).

IP Reputation Order of Evaluation


Message sender IP addresses go through IP reputation-based filtering. IP
addresses are evaluated until the first match is found.

Messages from approved sender IP addresses bypass IP reputation-based
filtering at the MTA connection level. Messages from blocked sender IP
addresses are blocked.

Evaluation is done in the following order:

1. IP addresses

a. In the Approved IP Address list

b. In the Blocked IP Address list

2. Countries/regions

a. In the Approved Country/Region list

b. In the Blocked Country/Region list

3. The Known Spam Source (KSS) in the IP Reputation settings


4. The Dynamic User List (DUL) in the IP Reputation settings

5. The Emerging Threat List (ETL) in the IP Reputation settings

An IP address added to the Approved IP Address list will not be blocked even
if that IP address is also in a CIDR block listed in the Blocked IP Address list.
Furthermore, that IP address will not be blocked even if it is also in the
Known Spam Source standard IP reputation database list.
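The first-match order above can be modeled in a few lines, which makes the override behavior easy to check before changing a list. This is an added example, not code from Trend Micro or from the guide; the function names, the verdict strings, the geolocation table and all addresses (documentation ranges) are constructed assumptions, and only the five steps the guide lists are modeled.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges, not real data).
CONFIG = {
    "approved_ips": ["192.0.2.10"],
    "blocked_ips": ["192.0.2.0/24"],
    "approved_countries": {"AA"},
    "blocked_countries": {"BB"},
    # Stand-ins for the three standard IP reputation lists; None means disabled.
    "KSS": ["192.0.2.10", "198.51.100.7", "203.0.113.250"],
    "DUL": ["203.0.113.128/26"],
    "ETL": ["203.0.113.200"],
}

# Hypothetical geolocation table: network -> country/region code.
GEO = {"198.51.100.0/24": "AA", "203.0.113.0/25": "BB"}


def in_list(ip, entries):
    """True if ip equals an address or falls inside a CIDR block in entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def country_of(ip):
    """Look up the constructed GEO table; None when the address is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEO.items():
        if addr in ipaddress.ip_network(net):
            return code
    return None


def evaluate(ip, cfg=CONFIG):
    """Walk the guide's order of evaluation and stop at the first match."""
    country = country_of(ip)
    steps = [
        ("Approved IP Address", "allow", in_list(ip, cfg["approved_ips"])),
        ("Blocked IP Address", "block", in_list(ip, cfg["blocked_ips"])),
        ("Approved Country/Region", "allow", country in cfg["approved_countries"]),
        ("Blocked Country/Region", "block", country in cfg["blocked_countries"]),
        ("Known Spam Source", "block", in_list(ip, cfg["KSS"] or [])),
        ("Dynamic User List", "block", in_list(ip, cfg["DUL"] or [])),
        ("Emerging Threat List", "block", in_list(ip, cfg["ETL"] or [])),
    ]
    for name, verdict, matched in steps:
        if matched:
            return verdict, name
    return "no match", None


if __name__ == "__main__":
    for sample in ("192.0.2.10", "192.0.2.55", "198.51.100.7",
                   "203.0.113.5", "203.0.113.130", "10.1.2.3"):
        print(sample, evaluate(sample))
```

Note the third sample: an address in an approved country/region is allowed before the Known Spam Source list is consulted, so approved lists should be kept as narrow as possible.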

Important
IP reputation-based filters use only IP address data to filter messages. You can
also use sender email address and domain to filter incoming messages.
Approved senders bypass IP reputation-based filtering at the MTA connection
level.

See Managing Sender Filter on page 75.

Troubleshooting Issues
If you encounter unexpected errors while trying to save your settings on the
IP Reputation screen, you may be able to resolve the issue on your own.
Consult the following table for guidance on resolving the problem before
contacting technical support.
Table 41. IP Reputation Settings: Issues and Solutions

| Issue | Possible Cause | Possible Solution |
|---|---|---|
| The Save button is disabled. | You do not have a valid Activation Code. | Obtain a valid Activation Code from your vendor. |
| The Save button is disabled. | You have applied for an Activation Code, but it has not yet been added to the Trend Micro Email Security system. | Try again later. |
| The Save button is disabled. | A temporary network issue is preventing Trend Micro Email Security from validating the Activation Code. | Try again later. |
| I cannot save my IP Reputation settings. | There is a temporary network issue. | Try again later. Log off, log on, and try again. |
| I cannot save my IP Reputation settings. | There is more than one browser window open to the Trend Micro Email Security administrator console, and the session in one of the other windows has expired. | Close the other windows and try again. Log off, log on, and try again. |

Domain-based Authentication
Trend Micro Email Security provides authentication methods such as Sender
IP Match, Sender Policy Framework (SPF), DomainKeys Identified Mail
(DKIM) verification, and Domain-based Message Authentication, Reporting
& Conformance (DMARC) to protect against email spoofing.

If all these methods are enabled, Trend Micro Email Security evaluates email
messages in the following order:

1. Sender IP Match

2. SPF check

3. DKIM verification

4. DMARC authentication

Trend Micro Email Security keeps evaluating and scanning an email message
in the preceding order until encountering an “Intercept” action. If an email
message passes the Sender IP Match check, Trend Micro Email Security
skips its own SPF check as well as the SPF check of DMARC authentication
for this message.

Note
For details about intercept actions, see “Intercept” Actions on page 183.


Sender IP Match
Trend Micro Email Security allows you to specify an IP address or a range of
addresses for a sender domain, identified by the message header address, so
that email messages from that domain are allowed only from those addresses.
Sender IP Match lets you allow all inbound email traffic from a particular
domain while preventing spoofing, by manually defining the allowed IP
ranges.

If an email message passes the Sender IP Match check, Trend Micro Email
Security skips its own SPF check as well as the SPF check of DMARC
authentication for this message.

Adding Sender IP Match Settings


To prevent sender forgery, you can specify a sender domain within the
message header address and the allowed IP addresses for the domain.

Note
Trend Micro Email Security provides a built-in default rule that has the lowest
priority to ensure you receive a baseline level of protection. The default rule
cannot be deleted.

You can create only one single rule for each “Managed Domain”. The default
rule will be applied if no other rules are matched based on the “Managed
Domain”.

Procedure

1. Go to Inbound Protection > Domain-based Authentication > Sender IP
Match.

2. Click Add.

The Add Sender IP Match Settings screen appears.

3. Select a specific recipient domain from the Managed domain drop-down
list.

4. Select Enable Sender IP Match.

5. Under Sender Domain-IP Pairs, add one or multiple domain-IP pairs.

a. Specify a sender domain using one of the following formats:

• example.com

• subdomain.example.com

• *.example.com

b. Specify one or multiple IP addresses or IP/CIDR blocks to pair with
the domain.

c. Click Add.

6. Under Intercept, specify the action to take if the sender IP address does
not match the sender domain as you specified.

• Delete entire message

• Quarantine

7. Under Notify, choose to send notifications and select at least one
notification template.

8. Click Add.

Editing Sender IP Match Settings

Procedure

1. Go to Inbound Protection > Domain-based Authentication > Sender IP
Match.

2. From the list of Sender IP Match rules, click a managed domain to edit
its settings.

3. Modify the Sender IP Match settings as required.


Note
For details about the settings, see Adding Sender IP Match Settings on page
94.

4. Click Save.

Sender Policy Framework (SPF)


Sender Policy Framework (SPF) is an open standard to prevent sender
address forgery. SPF protects the envelope address of a sender, which is
used for the delivery of email messages. Trend Micro Email Security allows
you to verify the sender's authenticity using SPF settings.

SPF requires the owner of a domain to publish the email sending policy (for
example, which email servers are used to send email messages from that
domain) in an SPF record in the Domain Name System (DNS).

When Trend Micro Email Security receives an email message claiming to
come from that domain, Trend Micro Email Security checks the SPF record
to verify whether the email message complies with the domain's stated
policy. For example, if the message comes from an unknown server, the
email message can be considered fake.

Evaluation of an SPF record can return any of the following results.

| Result | Explanation | Default Action |
|---|---|---|
| Pass | The SPF record designates the host to be allowed to send. | Accept (reserved) |
| Fail | The SPF record has designated the host as not being allowed to send. | Delete (customizable) |
| SoftFail | The SPF record has designated the host as not being allowed to send but is in transition. | Accept (customizable) |
| Neutral | The SPF record specifies explicitly that nothing can be said about validity. | Accept (customizable) |
| None | The domain does not have an SPF record or the SPF record does not evaluate to a result. | Accept (customizable) |
| PermError | A permanent error has occurred (for example, badly formatted SPF record). | Accept (customizable) |
| TempError | A transient error has occurred. | Accept (customizable) |

Note
By default, if an email message gets a "Pass" result, Trend Micro Email Security
will bypass the SPF check and skip the remaining SPF settings for the message.
Trend Micro Email Security will then continue scanning the message according
to policy rules.
If an email message passes the Sender IP Match check, the message is also
considered as passing its own SPF check.

Adding SPF Settings


Trend Micro Email Security allows you to add SPF settings to validate that an
inbound message comes from an authorized IP address stated in the DNS
record for the sender domain within the envelope address.

Note
Trend Micro Email Security provides a built-in default rule that has the lowest
priority to ensure you receive a baseline level of protection. The default rule
cannot be deleted.
You can create only one single rule for each “Managed Domain”. The default
rule will be applied if no other rules are matched based on the “Managed
Domain”.

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Sender
Policy Framework (SPF).


2. Click Add.
The Add SPF Settings screen appears.
3. Select a specific recipient domain from the Managed domain drop-
down list.
4. Select Enable SPF to enable SPF check in Trend Micro Email Security.
5. Optionally select Insert an X-Header into email messages to add the
SPF check result into the email message's X-Header.
Trend Micro Email Security adds a value similar to the following to the
X-Header named X-TM-Received-SPF in the email message:

| Status | X-Header |
|---|---|
| Pass | X-TM-Received-SPF: Pass (domain of [email protected] designates 10.64.72.206 as permitted sender) client-ip=10.64.72.206; envelope-[email protected]; helo=mailserver.example.com |
| Fail | X-TM-Received-SPF: Fail (domain of [email protected] does not designates 10.64.72.206 as permitted sender) client-ip=10.64.72.206; envelope-[email protected]; helo=mailserver.example.com |
| SoftFail | X-TM-Received-SPF: SoftFail (domain of transitioning [email protected] discourages use of 10.64.72.206 as permitted sender) client-ip=10.64.72.206; envelope-[email protected]; helo=mailserver.example.com |
| Neutral | X-TM-Received-SPF: Neutral (10.64.72.206 is neither permitted nor denied by domain of [email protected]) client-ip=10.64.72.206; envelope-[email protected]; helo=mailserver.example.com |
| None | X-TM-Received-SPF: None (domain of [email protected] does not designate permitted sender hosts) client-ip=10.64.72.206; envelope-[email protected]; helo=mailserver.example.com |
| PermError | X-TM-Received-SPF: PermError (domain of [email protected] uses mechanism not recognized by this client) client-ip=10.64.72.206; envelope-[email protected]; helo=mailserver.example.com |
| TempError | X-TM-Received-SPF: TempError (error in processing during lookup of [email protected]) client-ip=10.64.72.206; envelope-[email protected]; helo=mailserver.example.com |

Note
If the value of envelope-from is blank, the value of helo will be used
instead for the SPF check.

6. Under Intercept, specify an action to take based on the SPF check
result.

• Do not intercept messages

• Delete entire message

• Quarantine
7. Under Tag and Notify, select further actions that you want to take on the
message.
• Tag subject

Note
Tags can be customized. When selecting the Tag subject action, note
the following:
• This action may destroy the existing DKIM signatures in email
messages, leading to a DKIM verification failure by the
downstream mail server.
• To prevent tags from breaking digital signatures, select Do not
tag digitally signed messages.

• Send notification
8. Under Ignored Peers, do any of the following:
• To add ignored peers to skip SPF check for a specific sender, specify
the sender's domain name, IP address or CIDR block in the text box
and click Add.

Note
Trend Micro Email Security will not implement SPF check for email
messages from the specific domain, IP address or CIDR block. The
email messages will continue to the next step in the regular delivery
process.
However, this does not mean the email messages have passed SPF
check. They will fail subsequent DMARC authentication if they do not
actually meet specific criteria of the SPF standard.

• To search for existing ignored peers, type a keyword and click
Search.
• To import ignored peers from a CSV file, click Import.
The following import options are available:


• Merge: append the ignored peers to the existing list.
• Overwrite: replace the existing list with the ignored peers in
the file.
• To export all ignored peers to a CSV file, click Export.
9. Click Add to finish adding the SPF settings.

Note
All the settings you added take effect only when you click Add.

Editing SPF Settings

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Sender
Policy Framework (SPF).
2. From the list of domains to perform SPF record check, click a domain
that you want to edit.
3. Modify the SPF settings as required.

Note
For details about the settings, see Adding SPF Settings on page 97.

4. Click Save.

DomainKeys Identified Mail (DKIM)


DomainKeys Identified Mail (DKIM) is an email validation system that
detects email spoofing by validating a domain name identity associated with
a message through cryptographic authentication. In addition, DKIM is used
to ensure the integrity of incoming messages or ensure that a message has
not been tampered with in transit.


To ensure the validity and integrity of email messages, DKIM uses a public
and private key pair system. A public and private key pair is created for the
sending domain. The private key is stored securely on the mail server and
used to sign outgoing messages. The public key is stored and published in
DNS as a TXT record of the domain. When an email message is sent, the mail
server uses the private key to digitally sign it, and the signature becomes
part of the message header. When the email message is received, the DKIM
signature can be verified against the public key in the domain's DNS.
Trend Micro Email Security implements DKIM authentication only in the
following scenarios:
• Verifies DKIM signatures in incoming messages only when the domain
specified in the “d=” tag of the DKIM signature header field belongs to
the same organizational domain as the domain part of the “From” field
in the message header.
• Adds DKIM signatures to outgoing message headers to prevent spoofing
only when the domain part of the “From” field in the message header
belongs to the same organizational domain as the MAIL FROM address
(envelope sender).

Adding DKIM Verification Settings


Trend Micro Email Security verifies DKIM signatures in incoming email
messages and allows administrators to take actions on messages that fail to
pass signature verification. If a message's DKIM signature passes
verification, the message will continue to the next step in the regular delivery
process.
The DKIM verification settings apply only to the selected recipient domain.

Note
Trend Micro Email Security provides a built-in default rule that has the lowest
priority to ensure you receive a baseline level of protection. The default rule
cannot be deleted.
You can create only one single rule for each “Managed Domain”. The default
rule will be applied if no other rules are matched based on the “Managed
Domain”.


Procedure

1. Go to Inbound Protection > Domain-based Authentication >
DomainKeys Identified Mail (DKIM) Verification.

2. Click Add.

The Add DKIM Verification Settings screen appears.

3. Select a specific recipient domain from the Managed domain drop-down
list.

4. Select Enable DKIM verification.

5. Optionally select Skip DKIM verification for email messages with no
envelope sender addresses.

6. Optionally select Insert an X-Header into email messages.

X-Header is added to indicate whether DKIM verification is successful or
not.

Here are some examples of X-Header:

X-TM-Authentication-Results:dkim=pass; No signatures and verification is not enforced

X-TM-Authentication-Results:dkim=pass; No processed signatures and verification is not enforced

X-TM-Authentication-Results:dkim=fail; No processed signatures but verification is enforced

X-TM-Authentication-Results:dkim=pass; Contain verified signature, header.d=test.com, header.s=TM-DKIM_201603291435, [email protected]

X-TM-Authentication-Results:dkim=fail; No verified signatures

7. Under Intercept, select an action that you want to take on a message
that fails DKIM verification.

• Do not intercept messages
• Delete entire message
• Quarantine
8. Under Tag and Notify, select further actions that you want to take on the
message.
• Tag subject

Note
Tags can be customized. When selecting the Tag subject action, note
the following:
• This action may destroy the existing DKIM signatures in email
messages, leading to a DKIM verification failure by the
downstream mail server.
• To prevent tags from breaking digital signatures, select Do not
tag digitally signed messages.

• Send notification
9. Under Ignored Peers, do any of the following:
• To add ignored peers to skip DKIM verification for specific sender
domains, specify one or multiple sender domain names and click
Add.

Note
Trend Micro Email Security will not implement DKIM verification for
email messages from the specific domain. The email messages will
continue to the next step in the regular delivery process.
However, this does not mean the email messages have passed DKIM
verification. They will fail subsequent DMARC authentication if they
do not actually meet specific criteria of the DKIM standard.

• To search for existing ignored peers, type a keyword and click
Search.
• To import ignored peers from a CSV file, click Import.
The following import options are available:
• Merge: append the ignored peers to the existing list.
• Overwrite: replace the existing list with the ignored peers in
the file.
• To export all ignored peers to a CSV file, click Export.
10. Under Enforced Peers, do any of the following:
• To add enforced peers to enforce DKIM verification for specific
sender domains, specify one or multiple sender domain names and
click Add.
Each email message from the specified domain must meet specific
criteria of the DKIM standard; otherwise, an action will be taken on
the message.
The following criteria must be met:
• The sender domain must have a DKIM record.
• There is at least one verified signature in the message.
• To search for, import or export enforced peers, perform similar
operations as described in the previous step.

Note
If a sender domain is specified in both the ignored peer list and enforced
peer list, Trend Micro Email Security skips DKIM verification for email
messages from this domain.

11. Click Add to finish adding the DKIM verification settings.

Note
All the settings you added take effect only when you click Add.


Editing DKIM Verification Settings

Procedure
1. Go to Inbound Protection > Domain-based Authentication >
DomainKeys Identified Mail (DKIM) Verification.
2. From the list of DKIM verification domains, click a domain that you
want to edit.
3. Modify the DKIM verification settings as required.

Note
For details about the settings, see Adding DKIM Verification Settings on page
102.

4. Click Save.

Adding DKIM Signing Settings


Trend Micro Email Security supports DKIM signing for all outgoing messages
from a specific domain. Recipients can verify that the email messages from
the domain are authorized by the domain's administrator and that the
messages, including attachments, have not been modified during transport.
The DKIM signing settings apply only to the selected sender domain.

Procedure
1. Go to Outbound Protection > DomainKeys Identified Mail (DKIM)
Signing.
2. Click Add.
The Add DKIM Signing Settings screen appears.
3. Select a specific sender domain from the Managed domain drop-down
list.


4. Select Enable DKIM signing.

5. Optionally select Sign email messages with no envelope sender
addresses.

For email messages with no envelope sender addresses (such as auto-reply
messages or bounced messages), Trend Micro Email Security
attempts to find the sender domain from the email header From and
applies DKIM signing settings of the sender domain.

6. Configure general settings for DKIM signing.

• SDID: select a signing domain identifier from the drop-down list.

• Selector: selector to subdivide key namespace. Retain the default
value.

• Headers to sign: select one or multiple headers to sign and
customize more headers if necessary.

• Wait time: specify how long it takes for a key pair to take effect.
Trend Micro Email Security starts to count the wait time once it
finds the public key in the DNS.

• Key pair: select a key length and click Generate to generate a key
pair.

Note
Use the generated DNS TXT record name and DNS TXT record value
to publish the key pair to your DNS server.

If your domain provider supports the 2048-bit domain key length but
limits the size of the TXT record value to 255 characters, split the key
into multiple quoted text strings and paste them together in the TXT
record value field.

7. Configure advanced settings for DKIM signing.

• Header canonicalization: select Simple or Relaxed.

• Body canonicalization: select Simple or Relaxed.


Note
Two canonicalization algorithms are defined for each of the email
header and the email body: a "simple" algorithm that tolerates almost
no modification and a "relaxed" algorithm that tolerates common
modifications such as whitespace replacement and header field line
rewrapping.

• Signature expiration: set the number of days that the signature will
be valid.

• Body length: set the number of bytes allowed for the email body.

• AUID: specify the Agent or User Identifier on behalf of which SDID
is taking responsibility.

8. Click Add to finish adding the DKIM signing settings.
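The canonicalization choice in step 7, and the earlier caution that the Tag subject action can destroy DKIM signatures, can be checked with the RFC 6376 canonicalization rules. The following is an added example, not part of the guide or of the product: the function names and the sample messages are constructed, and the digest is a stand-in for the data a signer would cover, not a real RSA signature.

```python
import base64
import hashlib
import re


def canon_header(field, mode):
    """Canonicalize one raw header field (ending in CRLF) per RFC 6376."""
    if mode == "simple":
        return field  # byte-for-byte: no modification is tolerated
    name, _, value = field.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value)           # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value.rstrip("\r\n"))  # collapse whitespace runs
    return name.strip().lower() + ":" + value.strip(" ") + "\r\n"


def canon_body(body, mode):
    """Canonicalize a CRLF-delimited body per RFC 6376."""
    if mode == "simple":
        while body.endswith("\r\n"):   # drop empty lines at the end of the body
            body = body[:-2]
        return body + "\r\n"           # always exactly one trailing CRLF
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":   # drop empty lines at the end of the body
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def signing_digest(headers, body, header_mode, body_mode):
    """Digest over the canonical headers plus the body hash (bh)."""
    bh = base64.b64encode(
        hashlib.sha256(canon_body(body, body_mode).encode()).digest()
    ).decode()
    data = "".join(canon_header(h, header_mode) for h in headers) + "bh=" + bh
    return hashlib.sha256(data.encode()).hexdigest()


def survives(original, modified, header_mode, body_mode):
    """True if a signature made over `original` still matches `modified`."""
    return (signing_digest(*original, header_mode, body_mode)
            == signing_digest(*modified, header_mode, body_mode))


# Constructed sample messages: (signed header fields, body).
FROM = "From: Alice <alice@example.com>\r\n"
ORIGINAL = ([FROM, "Subject: Quarterly   report\r\n"],
            "Hello  team,\r\nnumbers attached. \r\n\r\n")
# A relay rewrapped the Subject line and normalized whitespace in the body.
REWRAPPED = ([FROM, "Subject: Quarterly\r\n report\r\n"],
             "Hello team,\r\nnumbers attached.\r\n")
# A gateway tagged the subject after the message was signed.
TAGGED = ([FROM, "Subject: [TAG] Quarterly   report\r\n"], ORIGINAL[1])

if __name__ == "__main__":
    for label, msg in (("rewrapped", REWRAPPED), ("tagged", TAGGED)):
        for mode in ("simple", "relaxed"):
            print(label, mode, survives(ORIGINAL, msg, mode, mode))
```

Relaxed canonicalization absorbs the rewrapping and whitespace changes, but neither algorithm tolerates a changed Subject value when Subject is among the signed headers.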

Editing DKIM Signing Settings

Procedure

1. Go to Outbound Protection > DomainKeys Identified Mail (DKIM)
Signing.

2. From the list of DKIM signing domains, click a domain that you want to
edit.

3. Modify the DKIM signing settings as required.

Note
For details about the settings, see Adding DKIM Signing Settings on page
106.

If you regenerate a key pair, remember to publish it to your DNS server.

4. Click Save.


Domain-based Message Authentication, Reporting &
Conformance (DMARC)
Domain-based Message Authentication, Reporting and Conformance
(DMARC) is an email validation system designed to detect and prevent email
spoofing. It is intended to combat certain techniques often used in phishing
and email spam, such as email messages with forged sender addresses that
appear to originate from legitimate organizations. It provides a way to
authenticate email messages for specific domains, send feedback to senders,
and conform to a published policy.
DMARC fits into the inbound email authentication process of Trend Micro
Email Security. It helps email recipients determine whether the
purported message aligns with what the recipient knows about the
sender. If not, DMARC provides guidance on how to handle the non-aligned
messages. DMARC requires either of the following:
• A message passes the SPF check, and its identifier domain is in
alignment.
• A message passes the DKIM signature check, and its identifier domain is
in alignment.
Identifier alignment requires that the domain authenticated by SPF or DKIM
be the same as or belong to the same organizational domain as the message
header domain. If the alignment mode is “s” (strict), the two domains must
be exactly the same; if the alignment mode is “r” (relaxed), they must belong
to the same organizational domain.

Note
If an email message passes the Sender IP Match check, the message is also
considered as passing the SPF check of DMARC authentication.
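The pass condition and the two alignment modes described above, together with the Sender IP Match domain-IP pairs from the earlier section, are sketched below. This is an added example, not the product's implementation: all names and sample values are constructed, the organizational domain is approximated as the last two labels (a real check needs the Public Suffix List), the wildcard is assumed to cover subdomains only, and alignment is still applied when Sender IP Match supplies the SPF pass, which the guide does not specify.

```python
import ipaddress


def org_domain(domain):
    """Assumption: organizational domain = last two labels of the name."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (identical), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def domain_matches(pattern, domain):
    """Match the formats the guide lists: example.com, sub.example.com, *.example.com."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])  # assumption: subdomains only
    return domain == pattern


def sender_ip_match(pairs, from_domain, client_ip):
    """True/False when a domain-IP pair covers the header From domain, else None."""
    addr = ipaddress.ip_address(client_ip)
    result = None
    for pattern, nets in pairs:
        if domain_matches(pattern, from_domain):
            if any(addr in ipaddress.ip_network(n, strict=False) for n in nets):
                return True
            result = False
    return result


def dmarc_pass(msg, pairs=(), aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM passes AND its domain aligns with header From."""
    spf_pass = msg["spf"] == "pass"
    if sender_ip_match(pairs, msg["header_from"], msg["client_ip"]) is True:
        spf_pass = True  # guide: a Sender IP Match pass counts as the SPF pass
    spf_ok = spf_pass and aligned(msg["mail_from"], msg["header_from"], aspf)
    dkim_ok = (msg["dkim"] == "pass"
               and aligned(msg["dkim_d"], msg["header_from"], adkim))
    return spf_ok or dkim_ok


def sample(spf, dkim, mail_from="bounce.example.com", dkim_d="mail.example.com"):
    """Constructed message summary; header From is always example.com."""
    return {"header_from": "example.com", "mail_from": mail_from,
            "dkim_d": dkim_d, "client_ip": "192.0.2.25", "spf": spf, "dkim": dkim}


PAIRS = [("example.com", ["192.0.2.0/24"])]  # constructed domain-IP pair

if __name__ == "__main__":
    print(dmarc_pass(sample("pass", "fail")))                 # relaxed: aligned SPF
    print(dmarc_pass(sample("pass", "fail"), aspf="s"))       # strict: subdomain differs
    print(dmarc_pass(sample("pass", "pass", "unrelated.test", "unrelated.test")))
    print(dmarc_pass(sample("fail", "fail"), pairs=PAIRS))    # Sender IP Match pass
```

The third call shows why alignment matters: both checks pass for an unrelated domain, yet DMARC fails because neither authenticated domain matches the header From domain.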

Adding DMARC Settings


Trend Micro Email Security authenticates incoming email messages of the
selected domain and allows administrators to take actions on messages that
fail to pass DMARC authentication. If DMARC authentication passes, the
messages will be delivered normally. If DMARC authentication fails, the
messages will be quarantined, rejected or delivered according to the DMARC
settings.
The DMARC settings apply only to the selected recipient domain.

Note
Trend Micro Email Security provides a built-in default rule that has the lowest
priority to ensure you receive a baseline level of protection. The default rule
cannot be deleted.
You can create only one single rule for each “Managed Domain”. The default
rule will be applied if no other rules are matched based on the “Managed
Domain”.

Procedure
1. Go to Inbound Protection > Domain-based Authentication > Domain-
based Message Authentication, Reporting and Conformance
(DMARC).
2. Click Add.
The Add DMARC Settings screen appears.
3. Select a specific recipient domain from the Managed domain drop-
down list.
4. Select Enable DMARC.
5. Optionally select Skip DMARC for email messages with no envelope
sender addresses.
6. Optionally select Insert an X-Header into email messages.
X-Header is added to indicate whether DMARC authentication is
successful or not.
Here are some examples of X-Header:
X-TM-Authentication-Results: spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com;

X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=fail action=none header.from=example.com;

X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com;

X-TM-Authentication-Results: spf=pass (sender IP address: 10.204.128.20) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=pass action=none header.from=example.com;

7. Optionally select Deliver daily reports to senders.

If you select this option, aggregated reports will be generated daily for
authentication failures and sent back to email senders.

8. Under Intercept, specify actions to take on messages that fail DMARC
authentication.

A DMARC tag instructs recipients how to handle email messages that fail
DMARC authentication. There are three values for the tag: "none",
"quarantine", and "reject". Trend Micro Email Security enables you to
specify the action to take in each scenario based on the instructions:

• None: select the action to take when the DMARC tag value is "none".

• Quarantine: select the action to take when the DMARC tag value is
"quarantine".

• Reject: select the action to take when the DMARC tag value is
"reject".

• No DMARC records: select the action to take when there are no
DMARC records.

9. Under Tag and Notify, select further actions that you want to take on the
messages.
• Tag subject

Note
Tags can be customized. When selecting the Tag subject action, note
the following:
• This action may destroy the existing DKIM signatures in email
messages, leading to a DKIM verification failure by the
downstream mail server.
• To prevent tags from breaking digital signatures, select Do not
tag digitally signed messages.

• Send notification
10. Under Ignored Peers, do any of the following:
• To add ignored peers to skip DMARC authentication for specific
sender domains, specify one or multiple sender domain names and
click Add.

Note
Trend Micro Email Security will not implement DMARC
authentication for email messages from the specific domain. The
email messages will continue to the next step in the regular delivery
process.

• To search for existing ignored peers, type a keyword and click
Search.
• To import ignored peers from a CSV file, click Import.
The following import options are available:
• Merge: append the ignored peers to the existing list.
• Overwrite: replace the existing list with the ignored peers in
the file.

• To export all ignored peers to a CSV file, click Export.

11. Under Enforced Peers, do any of the following:

• To add enforced peers to enforce DMARC authentication for specific
sender domains, specify one or multiple sender domain names and
click Add.

Each email message from the specified domain must meet specific
criteria of the DMARC standard; otherwise, an action will be taken
on the message.

The following criteria must be met:

• The sender domain has a DMARC record.

• The message passes the SPF check, and its identifier domain is
in alignment. Alternatively, the message passes DKIM
verification, and its identifier domain is in alignment.

• To search for, import or export enforced peers, perform operations
similar to those described in the previous step.

12. Click Add to finish adding the DMARC settings.

Note
All the settings you added take effect only when you click Add.
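
The X-Header values from step 6 can be checked mechanically during triage. The following Python example is added here and is not part of the Trend Micro guide or product: it parses the four sample headers and recomputes the DMARC verdict from the criteria in step 11 (SPF or DKIM passes with an aligned identifier). The function names and the simplified alignment test (same domain or parent/child, no Public Suffix List lookup) are assumptions.

```python
import re

# The four sample X-TM-Authentication-Results values from step 6, one per string.
SAMPLES = [
    "spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; "
    "dkim=pass (signatures verified) header.d=example.com; "
    "dmarc=pass action=none header.from=example.com;",
    "spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; "
    "dkim=fail (no verified signatures found) header.d=example.com; "
    "dmarc=fail action=none header.from=example.com;",
    "spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; "
    "dkim=pass (signatures verified) header.d=example.com; "
    "dmarc=pass action=none header.from=example.com;",
    "spf=pass (sender IP address: 10.204.128.20) smtp.mailfrom=example.com; "
    "dkim=fail (no verified signatures found) header.d=example.com; "
    "dmarc=pass action=none header.from=example.com;",
]

# method=result, an optional "(comment)", then key=value properties.
CLAUSE = re.compile(r"^(\w+)=(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$")
PROP = re.compile(r"([\w.]+)=(\S+)")


def parse_auth_results(value):
    """Return {method: {"result": ..., "comment": ..., <property>: ...}}."""
    parsed = {}
    for clause in value.split(";"):
        clause = " ".join(clause.split())  # undo header folding
        if not clause:
            continue
        match = CLAUSE.match(clause)
        if match is None:
            raise ValueError(f"unparseable clause: {clause!r}")
        method, result, comment, props = match.groups()
        entry = {"result": result.lower(), "comment": comment}
        entry.update((key.lower(), val.lower()) for key, val in PROP.findall(props))
        parsed[method.lower()] = entry
    return parsed


def aligned(identifier, from_domain):
    """Simplified alignment (assumption): same domain or parent/child of it."""
    a, b = identifier.rstrip("."), from_domain.rstrip(".")
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def passing_mechanisms(parsed):
    """Mechanisms that pass AND align with header.from (the step 11 criteria)."""
    from_domain = parsed["dmarc"].get("header.from", "")
    checks = (("spf", "smtp.mailfrom"), ("dkim", "header.d"))
    return [
        name for name, prop in checks
        if parsed.get(name, {}).get("result") == "pass"
        and aligned(parsed[name].get(prop, ""), from_domain)
    ]


def triage(value):
    """Summarise one header and flag a verdict the SPF/DKIM clauses do not support."""
    parsed = parse_auth_results(value)
    if "dmarc" not in parsed:
        raise ValueError("no dmarc clause")
    carried_by = passing_mechanisms(parsed)
    expected = "pass" if carried_by else "fail"
    return {
        "dmarc": parsed["dmarc"]["result"],
        "action": parsed["dmarc"].get("action"),
        "carried_by": carried_by,
        "consistent": expected == parsed["dmarc"]["result"],
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The third and fourth samples show that dmarc=pass needs only one of the two mechanisms; a header whose dmarc result is not supported by either clause is reported with "consistent" set to False.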

Editing DMARC Settings

Procedure

1. Go to Inbound Protection > Domain-based Authentication >
Domain-based Message Authentication, Reporting and Conformance
(DMARC).

2. From the list of DMARC authentication domains, click a domain that you
want to edit.

3. Modify the DMARC settings as required.

Note
For details about the settings, see Adding DMARC Settings on page 109.

4. Click Save.

How DMARC Works with SPF and DKIM


SPF, DKIM and DMARC are three independent features in Trend Micro Email
Security. You can enable or disable those features based on your
requirements.

The following are typical scenarios for your reference:

• DMARC enabled only

Trend Micro Email Security performs its own SPF check and DKIM
signature check before alignment check.

• SPF check, DKIM verification and DMARC authentication enabled at the
same time

Trend Micro Email Security checks the sender domain for each inbound
email message. If a message does not pass the SPF check, the message
will be deleted, quarantined or delivered depending on the action
configured.

If the message passes the SPF check, Trend Micro Email Security verifies
DKIM signatures in the message. If the message does not pass DKIM
verification, the message will be deleted, quarantined or delivered
depending on the action configured.

If the message continues to the next step in the delivery process, Trend
Micro Email Security implements DMARC authentication on the
message.

File Password Analysis


By leveraging a combination of user-defined passwords and message content
(subject, body and attachment names), Trend Micro Email Security can
heuristically extract or open password-protected files, namely, archive files
and document files, in email messages to detect any malicious payload that
may be embedded in those files.

You can add or import user-defined passwords to help Trend Micro Email
Security efficiently extract or open password-protected files for further
scanning.

Note
File password analysis is only applied for virus scan, and not for DLP or content
filtering.

Trend Micro Email Security supports the following password-protected
archive file types:

• 7z

• rar

• zip

Trend Micro Email Security supports the following password-protected
document file types:

• doc

• docx

• pdf

• pptx

• xls

• xlsx

Configuring File Password Analysis

Procedure

1. Choose Inbound Protection > Virus Scan > File Password Analysis.

2. In the File Password Analysis Settings section, select Enable file
password analysis.

3. Optionally select Hold on a message to associate later messages for
password analysis and specify a certain amount of time for Analysis
timeout.

Note
This step is required if you want Trend Micro Email Security to associate
later email messages to further analyze the file password for the current
email message. The current message will not be released for delivery
during the analysis timeout period.

4. Click Save.

To help Trend Micro Email Security crack file passwords more
efficiently, you can add or import passwords that are commonly used by
your organization as the user-defined passwords. Trend Micro Email
Security will try the user-defined passwords first before any other ways
to extract or open files.

Adding User-Defined Passwords


A maximum of 100 passwords is allowed.

Procedure

1. In the User-Defined Passwords section, click Add.

The Add Password dialog box appears.

2. Type a priority value next to Priority for the new password.

Note
The priority value ranges from 1 to 100.

The lower the priority value, the higher the priority.

3. Type a password with only ASCII characters.

4. Click Save.

The password you added appears in the user-defined password list.

If there are multiple passwords, you can click the up or down arrow next
to Priority to sort the passwords by priority level. To delete one or
multiple passwords, select the check box of each password and click
Delete.

Importing User-Defined Passwords


A maximum of 100 passwords is allowed.

Procedure

1. In the User-Defined Passwords section, click Import.

The Import Passwords dialog box appears.

2. Next to File location, browse and select a TXT file to import.

You can click Download sample file to view a sample of a properly
formatted file.

Trend Micro Email Security checks all the entries in the selected file to
identify any invalid, duplicate or conflicting passwords.

3. After you confirm all the entries to be imported, click Import.

Configuring Scan Exceptions


Under certain circumstances, you may want to prevent Trend Micro Email
Security from scanning certain types of messages that may pose security
risks. For example, compressed files provide a number of special security
concerns since they can harbor security risks or contain numerous
compression layers. Scan exceptions are configured to instruct Trend Micro
Email Security to take actions on these messages.

Note
If an email message triggers the scan exception "Malformed messages", Trend
Micro Email Security stops scanning and takes the corresponding actions.
If any other scan exception is triggered, Trend Micro Email Security takes the
specified actions and will not stop scanning until encountering a terminal scan
action. For details about terminal actions, see “Intercept” Actions on page 183.

Scan Exception List


Trend Micro Email Security allows you to configure different types of
exceptions. If an email message meets any of the following conditions, Trend
Micro Email Security will trigger an exception and take the specified actions:
• The number of files in a compressed file exceeds 353.
• The decompression ratio of a compressed file exceeds 100.

Note
The decompression ratio refers to the ratio between a decompressed file's
size and its original compressed size. For example, for a 1 MB compressed
file, if the decompressed file size is 100 MB, the ratio would be 100 to 1,
which is equivalent to 100.

• The number of decompression layers in a compressed file exceeds 20.

Trend Micro Email Security checks for malware "smuggled" within
nested compressions and supports scanning up to 20 recursive
compression layers.

• The size of a single decompressed file exceeds 60 MB.

• An Office 2007/2010/2013/2016 file contains more than 353 subfiles.

• An Office 2007/2010/2013/2016 file contains a subfile whose
decompression ratio exceeds 100.

• Malformed messages.

• Virtual Analyzer scan exception.

Possible scenarios include:

• Cloud sandbox analysis timed out.

• Unable to connect to the cloud sandbox.

• Virtual Analyzer submission quota exception.

Note
The Virtual Analyzer scan exception and submission quota exception are
available only in inbound protection.

These settings are not included in the Trend Micro Email Security Standard
license.

For details about different license versions, see Available License Versions on page
18.

Configuring "Scan Exceptions" Actions


To configure centralized scan exception settings, go to the following paths:

• Inbound Protection > Virus Scan > Scan Exceptions

• Outbound Protection > Virus Scan > Scan Exceptions

Scan exceptions under Inbound Protection apply to incoming messages,
while scan exceptions under Outbound Protection apply to outgoing
messages. The scan actions configured for each exception apply to all
senders and recipients.

Specify actions for Trend Micro Email Security to take on email messages
that meet the scan exception criteria.

Procedure

1. On the Scan Exceptions screen, click the action name for an exception
in the Actions column.

The Select Scan Exception Actions screen appears.

2. Configure Intercept settings.

Option                     Description

Do not intercept messages  Trend Micro Email Security does not take action on the message
                           and processes the message using other rules if other rules apply.

Delete entire message      Trend Micro Email Security deletes the message, including its
                           attachments.

Quarantine                 Trend Micro Email Security moves the message into quarantine.

3. Configure Modify settings.

a. Select the Tag subject action to insert configurable text into the
message subject line.

b. Type a tag in the Tag field, for example, Spam.

c. Optionally select Do not tag digitally signed messages to prevent
tags from breaking digital signatures.

4. Configure Monitor settings.

a. Select the Send notification action.

b. Click the message to people link.

The Notifications screen appears.

c. Select a notification message from the Available pane on the left
side and click Add>.

The Add, Edit, Copy and Delete buttons under Available are
provided for managing notification messages. For details about
managing notifications, see Managing Notifications on page 251.
d. Click Save to save the notification setting.

Note
The Modify and Monitor settings are not mandatory.

5. Click Save.

Note
If multiple scan exceptions are triggered for one email message, Trend
Micro Email Security chooses the action with the highest priority from the
configured “Intercept” actions, combines the action with the “Modify” and
“Monitor” actions, and performs those actions together on the message.
“Intercept” actions are listed as follows in descending order of priority:
• Delete entire message
• Quarantine
• Do not intercept messages
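
The archive limits in the Scan Exception List and the “Intercept” priority order above can be reproduced on a test mailbox sample. The following Python example is added here and is not Trend Micro code: it applies the guide's four archive thresholds to ZIP data only (7z, rar and Office containers are out of scope), then picks the highest-priority action. The exception names, the per-exception action mapping and the reading of 60 MB as 60 * 1024 * 1024 bytes are assumptions.

```python
import io
import zipfile

# Limits from the Scan Exception List in this guide.
MAX_FILES = 353
MAX_RATIO = 100
MAX_LAYERS = 20
MAX_FILE_BYTES = 60 * 1024 * 1024  # "60 MB", read as MiB (assumption)

# "Intercept" actions in descending order of priority, as listed in the guide.
INTERCEPT_PRIORITY = ("Delete entire message", "Quarantine", "Do not intercept messages")


def read_capped(zf, info, triggered):
    """Decompress one member in chunks, stopping as soon as a limit is exceeded."""
    total, chunks = 0, []
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                return b"".join(chunks)
            total += len(chunk)
            if total > MAX_FILE_BYTES:
                triggered.add("file_size")
                return None
            if total > MAX_RATIO * max(info.compress_size, 1):
                triggered.add("ratio")
                return None
            chunks.append(chunk)


def scan_archive(data, layer=1, triggered=None):
    """Return the set of scan exceptions triggered by a ZIP held in memory."""
    triggered = set() if triggered is None else triggered
    if layer > MAX_LAYERS:
        triggered.add("layers")
        return triggered
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) > MAX_FILES:
            triggered.add("file_count")
            members = members[:MAX_FILES]  # do not keep working past the limit
        for info in members:
            content = read_capped(zf, info, triggered)
            if content is not None and zipfile.is_zipfile(io.BytesIO(content)):
                scan_archive(content, layer + 1, triggered)
    return triggered


def resolve_intercept(triggered, configured):
    """Pick the highest-priority Intercept action among the triggered exceptions."""
    actions = [configured[name] for name in triggered]
    return min(actions, key=INTERCEPT_PRIORITY.index) if actions else None


def make_zip(members, method=zipfile.ZIP_STORED):
    """Build a ZIP in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


def build_samples():
    """Constructed test archives, one per threshold (the 60 MB case is omitted)."""
    bomb = make_zip([("zeros.bin", b"\0" * 1_000_000)], zipfile.ZIP_DEFLATED)
    many = make_zip([(f"f{i}.txt", b"x") for i in range(MAX_FILES + 1)])
    nested = make_zip([("a.txt", b"hello")])
    for _ in range(MAX_LAYERS):  # 21 layers in total
        nested = make_zip([("inner.zip", nested)])
    return {"bomb": bomb, "many": many, "nested": nested}


if __name__ == "__main__":
    # Constructed action mapping; the real one is set on the Scan Exceptions screen.
    configured = {"ratio": "Quarantine", "file_count": "Do not intercept messages",
                  "layers": "Delete entire message", "file_size": "Quarantine"}
    for name, blob in build_samples().items():
        hits = scan_archive(blob)
        print(name, sorted(hits), resolve_intercept(hits, configured))
```

The ratio and size checks count bytes while decompressing instead of trusting the sizes declared in the archive, so a member is abandoned as soon as it crosses a limit.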

Business Email Compromise (BEC)


The FBI defines Business Email Compromise (BEC) as "a sophisticated scam
targeting businesses working with foreign suppliers and businesses that
regularly perform wire transfer payments." Formerly known as
Man-in-the-Email scams, these schemes compromise official business email
accounts to conduct unauthorized fund transfers. For more information, see
FBI Public Service Announcement.
A BEC scam is a form of phishing attack where a fraudster impersonates a
high profile executive, for example, the CEO or CFO, and attempts to trick an
employee, a customer, or a vendor into transferring funds or sensitive
information to the fraudster.

In addition, Trend Micro Email Security integrates with Trend Micro's
Writing Style DNA as an additional layer of protection for your organization's
users against BEC threats.

Note
This feature is not included in the Trend Micro Email Security Standard license.

For details about different license versions, see Available License Versions on page
18.

Trend Micro's Writing Style DNA technology scans email messages of a
desired individual to learn the particular writing style and generate a writing
style model. The writing style model is a set of properties or features
explored with automated methods that uniquely identify the way an
individual composes email messages. By leveraging the writing style model
trained in Cloud App Security for high profile users, Trend Micro Email
Security compares the incoming email messages claimed to be sent from the
individual with the model to identify BEC attacks.

To ensure that the writing style model of a high profile user is available for
analysis, Trend Micro Email Security runs a scheduled task every five
minutes to synchronize the status of writing style models trained in Cloud
App Security.

Note
In this release, writing style analysis applies to email messages written in
English, Japanese, German, French, Spanish, Swedish, Danish, and Norwegian.

To enable writing style analysis, the license for Cloud App Security is required.

Configuring High Profile Users


Since Business Email Compromise (BEC) scams target high profile users
such as company executives, Trend Micro Email Security allows you to add
high profile users who are likely to be impersonated for detection and
classification.

Specify the email display names of the high profile users who might be
frequently forged. Trend Micro Email Security will check incoming email
messages claimed to be sent from those users and apply fraud checking
criteria to identify forged messages. Trend Micro Email Security enables you
to take actions on the BEC attacks that are detected or suspected by the
Antispam Engine or detected by writing style analysis.
The specified high profile users are applicable to all BEC policies of your
domains as the global settings.

Procedure
1. Go to Inbound Protection > Spam Filtering > Business Email
Compromise (BEC).
2. From the Source drop-down list, select either of the following:
• Synchronize users from Directory: select this option to
synchronize users from your directory.
• Click Select Groups to select a user group that you want to
synchronize.
A maximum of 500 users can be synchronized from one or
multiple directory groups. If there are more than 500 users,
Trend Micro Email Security sorts all users alphanumerically in
ascending order and applies BEC policies only to the first 500
users.

Note
The Directory Synchronization Tool is required to synchronize
user information from the directory server. For details about
installing and updating the tool, see the Directory
Synchronization Tool User's Guide. To download the tool and the
guide, do the following:

a. Go to Administration > Directory Management.

b. On the Directory Synchronize tab, find the tool and guide
under Downloads.

If you select Microsoft AD Global Catalog for synchronization in
the Directory Synchronization Tool, make sure the givenName,
initials and sn attributes have been replicated. By default,
these attributes are not replicated to the global catalog server by
Microsoft. If they are not replicated, use the Active Directory
Schema snap-in in the Microsoft Management Console for
replication.

• Click Export to export the directory user list to a CSV file.

• Click Refresh to refresh the current user list.

• Custom: select this option to create a customized list of high profile
users.

• Click Add to add a high profile user. Specify the first name,
middle name (optional), last name and email addresses
(optional) of the user.

• Click Delete to delete a high profile user.

• Click Import to import multiple users from a CSV file.

The following import options are available:

• Merge: append the users to the existing list.

• Overwrite: replace the existing list with the users in the
file.

• Click Export to export the customized user list to a CSV file.

Configuring Time-of-Click Protection Settings


If you enable Time-of-Click Protection, Trend Micro Email Security rewrites
URLs in email messages for further analysis. Trend Micro analyzes those
URLs at the time of click and will block them if they are malicious to protect
you.

Procedure
1. Go to Inbound Protection > Spam Filtering > Time-of-Click Protection.
2. Under Time-of-Click Protection Settings, do the following:
• Dangerous: Select an action (Allow, Warn or Block) to take on
dangerous URLs. The default value is Block.
Dangerous URLs are verified to be fraudulent or known sources of
threats.
• Highly Suspicious: Select an action (Allow, Warn or Block) to take
on highly suspicious URLs. The default value is Block.
Highly suspicious URLs are suspected to be fraudulent or possible
sources of threats.
• Suspicious: Select an action (Allow, Warn or Block) to take on
suspicious URLs. The default value is Warn.
Suspicious URLs are associated with spam or possibly
compromised.
• Untested: Select an action (Allow, Warn or Block) to take on
untested URLs. The default value is Warn.
While Trend Micro actively tests URLs for safety, users may
encounter untested pages when visiting new or less popular
websites. Blocking access to untested pages can improve safety but
can also prevent access to safe pages.

3. Click Save.

Data Loss Prevention


Data Loss Prevention (DLP) safeguards an organization's confidential and
sensitive data, referred to as digital assets, against accidental disclosure and
intentional theft. DLP allows you to:
• Identify the digital assets to protect
• Create policies that limit or prevent the transmission of digital assets
through email
• Enforce compliance to established privacy standards
DLP evaluates data against a set of rules defined in policies. Policies
determine the data that must be protected from unauthorized transmission
and the action that DLP performs when it detects transmission.
With DLP, Trend Micro Email Security allows you to manage your incoming
email messages containing sensitive data and protects your organization
against data loss by monitoring your outbound email messages.

Data Identifier Types


Digital assets are files and data that an organization must protect against
unauthorized transmission. Administrators can define digital assets using
the following data identifiers:
• Expressions: Data that has a certain structure.
For details, see Expressions on page 127.
• File attributes: File properties such as file type and file size.
For details, see File Attributes on page 136.
• Keyword lists: A list of special words or phrases.
For details, see Keywords on page 131.

Note
Administrators cannot delete a data identifier that a DLP template is using.
Delete the template before deleting the data identifier.

Expressions
An expression is data that has a certain structure. For example, credit card
numbers typically have 16 digits and appear in the format
"nnnn-nnnn-nnnn-nnnn", making them suitable for expression-based detections.

Administrators can use predefined and customized expressions.

For details, see Predefined Expressions on page 127 and Customized Expressions
on page 127.

Predefined Expressions

Data Loss Prevention comes with a set of predefined expressions. These
expressions cannot be modified or deleted.

Data Loss Prevention verifies these expressions using pattern matching and
mathematical equations. After Data Loss Prevention matches potentially
sensitive data with an expression, the data may also undergo additional
verification checks.

For a complete list of predefined expressions, see the Data Protection Lists
document at
http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

Customized Expressions

Create customized expressions if none of the predefined expressions meets
the company's requirements.

Expressions are a powerful string-matching tool. Become comfortable with
expression syntax before creating expressions. Poorly written expressions
can dramatically impact performance.

When creating expressions:

• Refer to the predefined expressions for guidance on how to define valid
expressions. For example, when creating an expression that includes a
date, refer to the expressions prefixed with "Date".
• Note that Data Loss Prevention follows the expression formats defined
in Perl Compatible Regular Expressions (PCRE). For more information
on PCRE, visit the following website:
http://www.pcre.org/
• Start with simple expressions. Modify the expressions if they are causing
false alarms or fine tune them to improve detections.
Administrators can choose from several criteria when creating expressions.
An expression must satisfy the chosen criteria before Data Loss Prevention
subjects it to a DLP policy. For details about the different criteria options, see
Criteria for Customized Expressions on page 128.

Criteria for Customized Expressions

Table 42. Criteria Options for Customized Expressions

Criteria: None
Rule: None
Example: All - Names from US Census Bureau
• Expression: [^\w]([A-Z][a-z]{1,12}(\s?,\s?|[\s]|\s([A-Z])\.\s)[A-Z][a-z]{1,12})[^\w]

Criteria: Specific characters
Rule: An expression must include the characters you have specified.
In addition, the number of characters in the expression must be within
the minimum and maximum limits.
Example: US - ABA Routing Number
• Expression: [^\d]([0123678]\d{8})[^\d]
• Characters: 0123456789
• Minimum characters: 9
• Maximum characters: 9

Criteria: Suffix
Rule: Suffix refers to the last segment of an expression. A suffix must
include the characters you have specified and contain a certain number
of characters.
In addition, the number of characters in the expression must be within
the minimum and maximum limits.
Example: All - Home Address
• Expression: \D(\d+\s[a-z.]+\s([a-z]+\s){0,2}(lane|ln|street|st|avenue|ave|road|rd|place|pl|drive|dr|circle|cr|court|ct|boulevard|blvd)\.?[0-9a-z,#\s\.]{0,30}[\s|,][a-z]{2}\s\d{5}(-\d{4})?)[^\d-]
• Suffix characters: 0123456789-
• Number of characters: 5
• Minimum characters in the expression: 25
• Maximum characters in the expression: 80

Criteria: Single-character separator
Rule: An expression must have two segments separated by a character.
The character must be 1 byte in length.
In addition, the number of characters left of the separator must be
within the minimum and maximum limits. The number of characters right of
the separator must not exceed the maximum limit.
Example: All - Email Address
• Expression: [^\w.]([\w\.]{1,20}@[a-z0-9]{2,20}[\.][a-z]{2,5}[a-z\.]{0,10})[^\w.]
• Separator: @
• Minimum characters to the left: 3
• Maximum characters to the left: 15
• Maximum characters to the right: 30

Creating a Customized Expression

Procedure
1. Go to Administration > Policy Objects > DLP Data Identifiers.
2. Click the Expression tab.
3. Click Add.
A new screen displays.

4. Type an expression name that does not exceed 256 characters in length.
5. Type a description that does not exceed 256 characters in length.
6. Type the displayed data.
For example, if you are creating an expression for ID numbers, type a
sample ID number. This data is used for reference purposes only and
will not appear elsewhere in the product.
7. Choose one of the following criteria and configure additional settings
for the chosen criteria (see Criteria for Customized Expressions on page
128):
• None
• Specific characters
• Suffix
• Single-character separator
8. Optional: Select a validator for the expression.

Note
Data units follow semantic rules. Not every 9-digit number is a valid social
security number and not every 15- or 16-digit number is a valid credit card
number. To reduce false positives, expression validators check if the
extracted data units follow these rules.

9. Test the expression against actual data.
For example, if the expression is for a national ID, type a valid ID
number in the Test data text box, click Test, and then check the result.
10. Click Save if you are satisfied with the result.

Note
Save the settings only if the testing was successful. An expression that
cannot detect any data wastes system resources and may impact
performance.
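
An expression can be exercised offline before it is typed into the console. The following Python example is added here and is not part of the guide or the product: it runs the "US - ABA Routing Number" expression and "Specific characters" criteria from Table 42 over constructed text, then applies a validator of the kind step 8 describes. The function names, the reading of the criteria as a count of characters drawn from the specified set, and the use of the standard ABA checksum as the validator are assumptions; Python's re module is used in place of PCRE, which accepts this expression unchanged.

```python
import re

# "US - ABA Routing Number" row of Table 42, copied from the guide.
ABA_EXPRESSION = re.compile(r"[^\d]([0123678]\d{8})[^\d]")
ABA_CHARACTERS = "0123456789"
ABA_MIN_CHARS = 9
ABA_MAX_CHARS = 9

# Constructed sample text; none of these numbers comes from the guide.
SAMPLE = ("Routing 123456780, account 456789012, invoice 123456789, "
          "tracking 1234567801234, alt routing 611111113")


def meets_specific_characters(candidate, characters, minimum, maximum):
    """'Specific characters' criteria, read here as: the number of characters
    taken from the specified set lies within the minimum and maximum."""
    count = sum(1 for ch in candidate if ch in characters)
    return minimum <= count <= maximum


def aba_checksum_ok(number):
    """Standard ABA check: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) is a multiple of 10."""
    d = [int(ch) for ch in number]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def find_routing_numbers(text, validate=True):
    """Return the candidates that satisfy the expression, criteria and validator."""
    hits = []
    # The expression needs a non-digit on both sides, so pad the text to let a
    # number at the very start or end of the input match as well.
    padded = f" {text} "
    pos = 0
    while (match := ABA_EXPRESSION.search(padded, pos)) is not None:
        candidate = match.group(1)
        if meets_specific_characters(candidate, ABA_CHARACTERS,
                                     ABA_MIN_CHARS, ABA_MAX_CHARS):
            if not validate or aba_checksum_ok(candidate):
                hits.append(candidate)
        # Resume at the end of the captured digits: the delimiter that closed
        # this match may also be the one that opens the next.
        pos = match.end(1)
    return hits


if __name__ == "__main__":
    print("expression only :", find_routing_numbers(SAMPLE, validate=False))
    print("with validator  :", find_routing_numbers(SAMPLE, validate=True))
```

The 13-digit tracking number and the account number starting with 4 are rejected by the expression itself; the invoice number matches the expression and is only rejected by the validator.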

Importing Customized Expressions

Use this option if you have a properly-formatted .xml file containing the
expressions. You can generate the file by exporting the expressions from the
Trend Micro Email Security administrator console.

Procedure
1. Go to Administration > Policy Objects > DLP Data Identifiers.
2. Click the Expression tab.
3. Click Import and then locate the .xml file containing the expressions.
4. Click Open.
A message appears, informing you if the import was successful.

Note
Every customized expression is identified by its name field in the .xml file.
This name is a unique internal name that does not display on the
administrator console.
If the file contains a customized expression that already exists, Trend
Micro Email Security overwrites the existing expression. If the file
contains any predefined expression, Trend Micro Email Security skips the
predefined expression while importing the remaining customized
expressions.

Keywords
Keywords are special words or phrases. You can add related keywords to a
keyword list to identify specific types of data. For example, "prognosis",
"blood type", "vaccination", and "physician" are keywords that may appear in
a medical certificate. If you want to prevent the transmission of medical
certificate files, you can use these keywords in a DLP policy and then
configure Data Loss Prevention to block files containing these keywords.

Commonly used words can be combined to form meaningful keywords. For
example, "end", "read", "if", and "at" can be combined to form keywords
found in source code, such as "END-IF", "END-READ", and "AT END".

You can use predefined and customized keyword lists. For details, see
Predefined Keyword Lists on page 132 and Customized Keyword Lists on page 132.

Predefined Keyword Lists

Data Loss Prevention comes with a set of predefined keyword lists. These
keyword lists cannot be modified or deleted. Each list has its own built-in
conditions that determine if the template should trigger a policy violation.

For details about the predefined keyword lists in Data Loss Prevention, see
the Data Protection Lists document at
http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

Customized Keyword Lists

Create customized keyword lists if none of the predefined keyword lists
meets your requirements.

There are several criteria that you can choose from when configuring a
keyword list. A keyword list must satisfy your chosen criteria before Data
Loss Prevention subjects it to a policy. Choose one of the following criteria
for each keyword list:

• Any keyword

• All keywords

• All keywords within <x> characters

• Combined score for keywords exceeds threshold

For details regarding the criteria rules, see Customized Keyword List Criteria
on page 133.

Customized Keyword List Criteria

Table 43. Criteria for a Keyword List

Criteria: Any keyword
Rule: A file must contain at least one keyword in the keyword list.

Criteria: All keywords
Rule: A file must contain all the keywords in the keyword list.

Criteria: All keywords within <x> characters
Rule: A file must contain all the keywords in the keyword list. In addition, each
keyword pair must be within <x> characters of each other.
For example, your 3 keywords are WEB, DISK, and USB and the number of
characters you specified is 20.
If Data Loss Prevention detects all keywords in the order DISK, WEB, and
USB, the number of characters from the "D" (in DISK) to the "W" (in WEB)
and from the "W" to the "U" (in USB) must be 20 characters or less.
The following data matches the criteria: DISK####WEB############USB
The following data does not match the criteria:
DISK*******************WEB****USB (23 characters between "D" and "W")
When deciding on the number of characters, remember that a small
number, such as 10, usually results in a faster scanning time but only covers
a relatively small area. This may reduce the likelihood of detecting sensitive
data, especially in large files. As the number increases, the area covered also
increases but scanning time might be slower.

Criteria: Combined score for keywords exceeds threshold
Rule: A file must contain one or more keywords in the keyword list. If only one
keyword was detected, its score must be higher than the threshold. If there
are several keywords, their combined score must be higher than the
threshold.
Assign each keyword a score of 1 to 10. A highly confidential word or phrase,
such as "salary increase" for the Human Resources department, should have
a relatively high score. Words or phrases that, by themselves, do not carry
much weight can have lower scores.
Consider the scores that you assigned to the keywords when configuring the
threshold. For example, if you have five keywords and three of those
keywords are high priority, the threshold can be equal to or lower than the
combined score of the three high priority keywords. This means that the
detection of these three keywords is enough to treat the file as sensitive.
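
The two less obvious criteria in Table 43 can be tried against sample text before a keyword list is saved. The following Python example is added here and is not part of the guide or the product: it implements the proximity rule and the combined-score rule and runs them on the DISK/WEB/USB data from the table. It assumes case-insensitive matching, distances measured between keyword start positions as in the table's example, any one occurrence of each keyword being eligible, and each keyword being scored once; the function names and the scores are constructed.

```python
from itertools import product


def occurrences(text, keyword):
    """Start offsets of every case-insensitive occurrence of keyword in text."""
    hay, needle = text.lower(), keyword.lower()
    found, index = [], hay.find(needle)
    while index != -1:
        found.append(index)
        index = hay.find(needle, index + 1)
    return found


def all_keywords_within(text, keywords, x):
    """'All keywords within <x> characters': every keyword is present and some
    choice of one occurrence each has neighbouring starts at most x apart."""
    spots = [occurrences(text, keyword) for keyword in keywords]
    if not all(spots):
        return False  # at least one keyword is missing altogether
    for combo in product(*spots):
        starts = sorted(combo)
        if all(later - earlier <= x for earlier, later in zip(starts, starts[1:])):
            return True
    return False


def combined_score_exceeds(text, scores, threshold):
    """'Combined score for keywords exceeds threshold': sum the score of each
    keyword that appears (counted once) and require it to be above threshold."""
    total = sum(score for keyword, score in scores.items() if occurrences(text, keyword))
    return total > threshold


# Data from Table 43, built by repetition so the spacing is explicit.
MATCHING = "DISK" + "#" * 4 + "WEB" + "#" * 12 + "USB"      # D->W = 7, W->U = 15
NOT_MATCHING = "DISK" + "*" * 19 + "WEB" + "*" * 4 + "USB"  # D->W = 23
# Constructed: an early stray DISK must not hide the close group later on.
REPEATED = "DISK" + "-" * 40 + "DISK##WEB##USB"

# Constructed scores on the guide's 1 to 10 scale.
HR_SCORES = {"salary increase": 8, "bonus": 3, "meeting": 1}

if __name__ == "__main__":
    keywords = ["WEB", "DISK", "USB"]
    for sample in (MATCHING, NOT_MATCHING, REPEATED):
        print(sample, all_keywords_within(sample, keywords, 20))
    print(combined_score_exceeds("Salary increase and bonus plan", HR_SCORES, 9))
```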

Creating a Keyword List

Procedure

1. Go to Administration > Policy Objects > DLP Data Identifiers.

2. Click the Keyword tab.

3. Click Add.

A new screen displays.

4. Type a keyword list name that does not exceed 256 characters in length.

5. Type a description that does not exceed 256 characters in length.

6. Choose one of the following criteria and configure additional settings


for the chosen criteria:

• Any keyword

• All keywords

• All keywords within <x> characters

• Combined score for keywords exceeds threshold


7. To manually add keywords to the list:
a. Type a keyword that is 3 to 40 characters in length and specify
whether it is case-sensitive.
b. Click Add.
8. To edit a keyword, click a keyword in the list, edit it in the Keyword text
box, and then click Update.
9. To delete keywords, select the keywords and click Delete.
10. Click Save.

Importing a Keyword List

Use this option if you have a properly-formatted .xml file containing the
keyword lists. You can generate the file by exporting the keyword lists from
the Trend Micro Email Security administrator console.

Procedure
1. Go to Administration > Policy Objects > DLP Data Identifiers.
2. Click the Keyword tab.
3. Click Import and then locate the .xml file containing the keyword lists.
4. Click Open.
A message appears, informing you if the import was successful.

Note
Every customized keyword list is identified by its name field in the .xml
file. This name is a unique internal name that does not display on the
administrator console.

If the file contains a customized keyword list that already exists, Trend
Micro Email Security overwrites the existing keyword list. If the file
contains any predefined keyword list, Trend Micro Email Security skips
the predefined keyword list while importing the remaining customized
keyword lists.

File Attributes

File attributes are specific properties of a file. You can use two file attributes
when defining data identifiers, namely, file type and file size. For example, a
software development company may want to limit the sharing of the
company's software installer to the R&D department, whose members are
responsible for the development and testing of the software. In this case, the
Trend Micro Email Security administrator can create a policy that blocks the
transmission of executable files that are 10 to 40 MB in size to all
departments except R&D.

By themselves, file attributes are poor identifiers of sensitive files.
Continuing the example in this topic, third-party software installers shared
by other departments will most likely be blocked. Trend Micro therefore
recommends combining file attributes with other DLP data identifiers for a
more targeted detection of sensitive files.

For a complete list of supported file types, see the Data Protection Lists
document at
http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

Predefined File Attributes List

Data Loss Prevention comes with a predefined file attributes list. This list
cannot be modified or deleted. The list has its own built-in conditions that
determine if the template should trigger a policy violation.

Creating a File Attribute List

Procedure
1. Go to Administration > Policy Objects > DLP Data Identifiers.
2. Click the File Attribute tab.
3. Click Add.
A new screen displays.
4. Type a file attribute list name that does not exceed 256 characters in
length.
5. Type a description that does not exceed 256 characters in length.
6. Select either of the following:
• Not selected: The selected file types will be excluded.
• Selected: The selected file types will be included.
7. Select your preferred true file types.
8. If a file type you want to include is not listed, select File extensions and
then type the file type’s extension. Data Loss Prevention checks files
with the specified extension but does not check their true file types.
Guidelines when specifying file extensions:
• Each extension must start with an asterisk (*), followed by a period
(.), and then the extension. The asterisk is a wildcard, which
represents a file’s actual name. For example, *.pol matches
12345.pol and test.pol.

• You can include wildcards in extensions. Use a question mark (?) to
represent a single character and an asterisk (*) to represent two or
more characters. See the following examples:
- *.*m matches the following files: ABC.dem, ABC.prm, ABC.sdcm
- *.m*r matches the following files: ABC.mgdr, ABC.mtp2r, ABC.mdmr
- *.fm? matches the following files: ABC.fme, ABC.fml, ABC.fmp
• Be careful when adding an asterisk at the end of an extension as this
might match parts of a file name and an unrelated extension. For
example: *.do* matches abc.doctor_john.jpg and abc.donor12.pdf.
• Use semicolons (;) to separate file extensions. There is no need to
add a space after a semicolon.
9. Type the minimum and maximum file sizes in bytes. Both file sizes must
be whole numbers larger than zero.
10. Click Save.
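
Because extension entries are matched against file names only, not true file types, it helps to test a list against known file names before saving it. The following Python code is an added example, not Trend Micro code: it models the wildcard rules as this guide words them (assuming case-insensitive matching and a non-empty file name for the leading asterisk) and separates intended matches from matches that spill into an unrelated extension. The function names and the sample file names are constructed for illustration.

```python
import re


def compile_extension(entry):
    """Translate one '*.ext' entry into (whole-name regex, extension-only regex)."""
    if not entry.startswith("*.") or len(entry) < 3:
        raise ValueError(f"entry must look like '*.ext': {entry!r}")
    parts = []
    for ch in entry[2:]:
        if ch == "?":
            parts.append(".")        # exactly one character
        elif ch == "*":
            parts.append(".{2,}")    # "two or more characters", as the guide words it
        else:
            parts.append(re.escape(ch))
    ext = "".join(parts)
    flags = re.IGNORECASE | re.DOTALL  # assumption: matching ignores case
    # The leading '*' stands for the file's actual name (assumed non-empty).
    return re.compile(r".+\." + ext, flags), re.compile(ext, flags)


def parse_extension_list(text):
    """Split a semicolon-separated list; a space after ';' is tolerated."""
    return [entry.strip() for entry in text.split(";") if entry.strip()]


def audit_extension_list(text, filenames):
    """Per entry, list intended matches and matches that reach past the real extension."""
    report = {}
    for entry in parse_extension_list(text):
        whole, ext_only = compile_extension(entry)
        # Compare against as many trailing dot-separated parts as the entry itself has.
        depth = entry[2:].count(".") + 1
        intended, spill = [], []
        for name in filenames:
            if not whole.fullmatch(name):
                continue
            final_ext = ".".join(name.split(".")[-depth:])
            if ext_only.fullmatch(final_ext):
                intended.append(name)
            else:
                spill.append(name)   # wildcard swallowed part of the name and another extension
        report[entry] = {"intended": intended, "spill": spill}
    return report


# Constructed sample: names taken from the guide's examples plus invented ones.
SAMPLE_FILES = [
    "12345.pol", "test.pol", "report.docx",
    "abc.doctor_john.jpg", "abc.donor12.pdf", "ABC.fme", "notes.txt",
]

if __name__ == "__main__":
    for entry, result in audit_extension_list("*.pol;*.do*;*.fm?", SAMPLE_FILES).items():
        print(entry, result)
```

Any entry with a non-empty "spill" list is a candidate for a narrower pattern or for pairing with a true file type or another data identifier.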

Importing a File Attribute List

Use this option if you have a properly-formatted .xml file containing the file
attribute lists. You can generate the file by exporting the file attribute lists
from the Trend Micro Email Security administrator console.

Procedure
1. Go to Administration > Policy Objects > DLP Data Identifiers.
2. Click the File Attribute tab.
3. Click Import and then locate the .xml file containing the file attribute
lists.
4. Click Open.
A message appears, informing you if the import was successful.

Note
Every file attribute list is identified by its name field in the .xml file. This
name is a unique internal name that does not display on the administrator
console.

If the file contains a customized file attribute list that already exists, Trend
Micro Email Security overwrites the existing file attribute list. If the file
contains any predefined file attribute list, Trend Micro Email Security
skips the predefined file attribute list while importing the remaining
customized file attribute lists.

DLP Compliance Templates


A DLP compliance template combines DLP data identifiers and logical
operators (And, Or, Except) to form condition statements. Only files or data
that satisfy a certain condition statement will be subject to a DLP policy.

You can create your own templates if you have configured DLP data
identifiers. You can also use predefined templates. For details, see Customized
DLP Templates on page 140 and Predefined DLP Templates on page 139.

Note
It is not possible to delete a template that is being used in a DLP policy. Remove
the template from the policy before deleting it.

Predefined DLP Templates

Trend Micro comes with a set of predefined templates that you can use to
comply with various regulatory standards. These templates cannot be
modified or deleted.

For a detailed list on the purposes of all predefined templates, and examples
of data being protected, see the Data Protection Lists document at
http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

Customized DLP Templates

Create your own templates if you have configured data identifiers. A template
combines data identifiers and logical operators (And, Or, Except) to form
condition statements.

For more information and examples on how condition statements and
logical operators work, see Condition Statements and Logical Operators on page
140.

Condition Statements and Logical Operators

Data Loss Prevention evaluates condition statements from left to right. Use
logical operators carefully when configuring condition statements. Incorrect
usage leads to an erroneous condition statement that will likely produce
unexpected results.

See the examples in the following table.


Table 44. Sample Condition Statements

Condition statement: [Data Identifier 1] And [Data Identifier 2] Except [Data
Identifier 3]
Interpretation: A file must satisfy [Data Identifier 1] and [Data Identifier 2]
but not [Data Identifier 3].
Example: A file must be [an Adobe PDF document] and must contain [an
email address] but should not contain [all of the keywords in the keyword
list].

Condition statement: [Data Identifier 1] Or [Data Identifier 2]
Interpretation: A file must satisfy [Data Identifier 1] or [Data Identifier 2].
Example: A file must be [an Adobe PDF document] or [a Microsoft Word
document].

Condition statement: Except [Data Identifier 1]
Interpretation: A file must not satisfy [Data Identifier 1].
Example: A file must not be [a multimedia file].

As the last example in the table illustrates, the first data identifier in the
condition statement can have the "Except" operator if a file must not satisfy
all of the data identifiers in the statement. In most cases, however, the first
data identifier does not have an operator.
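
Because evaluation runs from left to right, a statement that mixes Or with And or Except can behave differently from what conventional operator precedence would suggest. The following Python code is an added example, not part of the product: it assumes that "left to right" means each operator is applied to the running result in turn, treats Except as "and not", and lists the combinations of matched data identifiers for which that reading disagrees with a precedence-based reading. The function names and identifier labels are hypothetical.

```python
from itertools import product


def evaluate_left_to_right(statement, matched):
    """Fold the statement strictly left to right (assumed reading of the guide).

    statement: list of (operator, identifier); the first operator is None or "Except".
    matched:   set of identifiers the file satisfies.
    """
    if not statement:
        raise ValueError("empty condition statement")
    result = None
    for position, (operator, identifier) in enumerate(statement):
        hit = identifier in matched
        if position == 0:
            if operator not in (None, "Except"):
                raise ValueError("first identifier takes no operator or 'Except'")
            result = (not hit) if operator == "Except" else hit
        elif operator == "And":
            result = result and hit
        elif operator == "Or":
            result = result or hit
        elif operator == "Except":
            result = result and not hit
        else:
            raise ValueError(f"unknown operator: {operator!r}")
    return result


def evaluate_with_precedence(statement, matched):
    """Contrast reading: And/Except bind tighter than Or, as in most languages."""
    groups = [[]]
    for position, (operator, identifier) in enumerate(statement):
        hit = identifier in matched
        if operator == "Or" and position > 0:
            groups.append([hit])             # Or starts a new And-group
        else:
            groups[-1].append((not hit) if operator == "Except" else hit)
    return any(all(group) for group in groups)


def find_divergences(statement):
    """Return every set of matched identifiers where the two readings disagree."""
    identifiers = list(dict.fromkeys(name for _, name in statement))
    divergent = []
    for flags in product([False, True], repeat=len(identifiers)):
        matched = {name for name, flag in zip(identifiers, flags) if flag}
        if evaluate_left_to_right(statement, matched) != evaluate_with_precedence(statement, matched):
            divergent.append([name for name in identifiers if name in matched])
    return divergent


# First row of Table 44, and a constructed statement that mixes Or with And.
TABLE_ROW_1 = [(None, "pdf"), ("And", "email"), ("Except", "keywords")]
MIXED = [(None, "pdf"), ("Or", "word"), ("And", "keywords")]

if __name__ == "__main__":
    print(find_divergences(TABLE_ROW_1))  # no Or involved, so no disagreement
    print(find_divergences(MIXED))        # PDFs without the keywords are treated differently
```

An empty result means the statement reads the same either way; a non-empty result shows which files a reviewer should test before the template goes into a policy.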

Creating a Template

Procedure

1. Go to Administration > Policy Objects > DLP Compliance Templates.

2. Click Add.

A new screen displays.

3. Type a template name that does not exceed 256 characters in length.

4. Type a description that does not exceed 256 characters in length.

5. Select data identifiers and then click the "add" icon.

6. If you selected an expression, type the number of occurrences, which is
the number of times an expression must occur before Data Loss
Prevention subjects it to a policy.

7. Choose a logical operator for each definition.

Note
Use logical operators carefully when configuring condition statements.
Incorrect usage leads to an erroneous condition statement that will likely
produce unexpected results. For examples of correct usage, see Condition
Statements and Logical Operators on page 140.

8. To remove a data identifier from the list of selected identifiers, click the
trash bin icon.

9. Click Save.

Importing Templates

Use this option if you have a properly-formatted .xml file containing the
templates. You can generate the file by exporting the templates from the
Trend Micro Email Security administrator console.

Procedure
1. Go to Administration > Policy Objects > DLP Compliance Templates.
2. Click Import and then locate the .xml file containing the templates.
3. Click Open.
A message appears, informing you if the import was successful.

Note
Every customized template is identified by its name field in the .xml file.
This name is a unique internal name that does not display on the
management console.
If the file contains a customized template that already exists, Trend Micro
Email Security overwrites the existing template. If the file contains any
predefined template, Trend Micro Email Security skips the predefined
template while importing the remaining customized templates.

Configuring Policies
The virus policy, spam policy and content filtering policy screens all show a
list of the currently defined policy rules and their status. From each screen,
you can add a new rule and edit, copy, or delete existing rules.
The policy screens under Inbound Protection and Outbound Protection are
technically separate and can be managed independently.
By default, the rules are displayed in a table, sorted by the order in which
they were modified.

Table 45. Policy Terminology

Column: Status
Description: An icon shows whether a rule is enabled, disabled, or locked.
Note: If a new domain does not pass the domain owner verification, the default
virus and spam rules for the domain will be locked and cannot be changed.

Column: Rules
Description: Name of the rule.

Column: Action
Description: Action taken if the rule's criteria are met.

Column: Modified
Description: Timestamp when the rule was last modified.

Column: Last Used
Description: Timestamp of when the rule was last used. If the rule has not yet
been triggered, the value in this column will be “Never”.

Each column's heading can be clicked to sort the list. For example, to re-sort
the list alphabetically by Action, click the Action column heading.

Managing Policy Rules


Rules are the means by which messaging policies are applied to message
traffic in Trend Micro Email Security. At any time, administrators can see the
rules that apply to their organizations, and make changes to the rules that
comprise their policy, rename the rules, query the rules, and create new
rules. Each rule can be disabled if desired without losing its definition, and
re-enabled at a later time.

Table 46. Policy Rule Tasks

Task: Adding Policy Rules
Step: Click Add.
1. Define the basic information about the rule (rule name, whether it is
enabled or not, and notes about the rule).
See Naming and Enabling a Rule on page 146.
2. Select the address(es), domain(s) or group(s) that the rule applies to.
See Specifying Recipients and Senders on page 147.
3. Select and configure criteria.
See About Rule Scanning Criteria on page 151.
4. Select and configure actions.
See About Rule Actions on page 181.
Tip: A new rule may be similar to the one you already have. In this case, it is
easier to copy the rule and edit it rather than create a new rule from scratch.

Task: Copying Policy Rules
Step: In the rule list, select the rule to copy. Click Copy.

Task: Editing Policy Rules
Step: In the rule list, click the name of the rule you want to edit and
follow the procedures in the “Adding Policy Rules” task.

Task: Deleting Policy Rules
Step: In the rule list, select the rule or rules to delete. Click Delete.

Task: Querying Policy Rules
Step: Use the following criteria to perform a rule query:
• Sender: Specify a sender address to search for rules that
match this address.
• Recipient: Specify a recipient address to search for rules that
match this address.
• Rule: Specify a rule name to search for rules that match this
name.
• Status: Select Enabled or Disabled to search for rules in the
specific status.
Note: For content filtering policy rules, Criteria type is
provided to narrow down the search results by certain
types of criteria.

Reordering Policy Rules


Policy rules can be sorted by a single domain and reordered, but the domain
must be successfully added and completely configured. For details about
domain management, see Managing Domains on page 57.

Procedure

1. Specify a single domain to sort policy rules.

• Inbound policies: Specify a domain for Recipient. Retain default values
for other conditions and click Search.

• Outbound policies: Specify a domain for Sender. Retain default values
for other conditions and click Search.

The screen refreshes to display policy rules that match the specified
conditions, with the up and down arrow buttons in the Order column
for each rule.

Note
If your domain does not pass the verification, the default virus and spam
policy rules for the domain will be locked and cannot be moved. If any
rule for the selected domain is locked, the rule order cannot be changed,
and no up and down arrow buttons will appear.

2. Click the up or down arrow button to move rules up or down.
Alternatively, double-click the order number of a rule in the Order
column and specify a new order number for the rule.
Policy rules will be reordered as you configured, and email messages
will be scanned based on the new rule order.

Naming and Enabling a Rule


Name and enable the rule you have just created. You can also add notes
about the rule.

Procedure
1. On the Basic Information tab on the left side:
a. Select Enable to put the rule into effect, or clear this option to
disable it.
b. Name the rule.

Note
Trend Micro recommends using a descriptive name that will allow
administrators to easily identify this rule from the rule list. For
instance, if you are creating a spam rule that applies to the
one.example.com domain, you might name it something like “One
Example Spam Rule”.

c. Type any note information for this rule.

2. Proceed to the next screen to specify recipients and senders.

Specifying Recipients and Senders


Configuring senders, recipients, and exception lists with specific users and
groups is done on the Recipients and Senders tab. This tab differs slightly
depending on which direction the messages are routed and whether Sender
or Recipient addresses are being selected.

Inbound Policy Rules

Procedure

1. In the Recipients section, choose one of the following ways to add
recipient addresses from the drop-down list:
• My domains: Select domains from the available domains and click
Add.
• My LDAP groups: Select user groups from the available directory
groups and click Add.
• My address groups: Select address groups from the available
address groups and click Add.
• Type address or domain: Type a specific domain or wildcard
address.
2. In the Senders section, choose either of the following ways to specify
sender addresses:
• Anyone: Choose this option to apply the rule to any email address.
• Select addresses: Choose one of the following ways to add
selected addresses:
• My domains: Select domains from the available domains and
click Add.
• My address groups: Select address groups from the available
address groups and click Add.
• Type address or domain: Type a specific domain or wildcard
address.
3. In the Exceptions section, specify one or multiple exceptions, each of
which consists of a sender part and a recipient part.
a. Next to Sender, choose one of the following ways to specify the
sender part of an exception:
• Anyone
• My domains
• My address groups
• Type address or domain
b. Next to Recipient, choose one of the following ways to specify the
recipient part of an exception:
• Anyone
• My domains
• My LDAP groups
• My address groups
• Type address or domain
c. Click Add to add an exception composed of both the sender and
recipient parts.
The exception you added appears in the exception list.
For example, if you select Anyone for the sender part and specify a
specific email address for the recipient part, Trend Micro Email
Security considers email messages sent from any senders to this
recipient safe and bypasses the rule on these messages.

d. Add more exceptions if necessary.

Note
The import and export functions are available for recipients, senders and
exception lists. Click Import to import groups, addresses or domains from
a local file. Click Export to export groups, addresses or domains as a local
file for future use.
A maximum of 500 records can be imported, and there is no upper limit
for export.

4. Proceed to the next screen to specify rule scanning criteria.

Outbound Policy Rules

Procedure
1. In the Recipients section, choose either of the following ways to specify
recipient addresses:
• Anyone: Choose this option to apply the rule to any email address.
• Select addresses: Choose one of the following ways to add
selected addresses:
• My domains: Select domains from the available domains and
click Add.
• My address groups: Select address groups from the available
address groups and click Add.
• Type address or domain: Type a specific domain or wildcard
address.
2. In the Senders section, choose one of the following ways to add sender
addresses from the drop-down list:
• My domains: Select domains from the available domains and click
Add.

• My LDAP groups: Select user groups from the available directory
groups and click Add.
• My address groups: Select address groups from the available
address groups and click Add.
• Type address or domain: Type a specific domain or wildcard
address.
3. In the Exceptions section, specify one or multiple exceptions, each of
which consists of a sender part and a recipient part.
a. Next to Sender, choose one of the following ways to specify the
sender part of an exception:
• Anyone
• My domains
• My LDAP groups
• My address groups
• Type address or domain
b. Next to Recipient, choose one of the following ways to specify the
recipient part of an exception:
• Anyone
• My domains
• My address groups
• Type address or domain
c. Click Add to add an exception composed of both the sender and
recipient parts.
The exception you added appears in the exception list.
For example, if you specify a specific email address for the sender
part and select Anyone for the recipient part, Trend Micro Email
Security considers email messages sent from this sender to any
recipients safe and bypasses the rule on these messages.

d. Add more exceptions if necessary.

Note
The import and export functions are available for recipients, senders and
exception lists. Click Import to import groups, addresses or domains from
a local file. Click Export to export groups, addresses or domains as a local
file for future use.

A maximum of 500 records can be imported, and there is no upper limit
for export.

4. Proceed to the next screen to specify rule scanning criteria.

About Rule Scanning Criteria


Rule scanning criteria allow you to specify the conditions under which the
rule applies to messages scanned by Trend Micro Email Security.

The available criteria are shown in a list in the center of the screen. Some of
these criteria have links to screens where you specify the associated details.

Table 47. Basic Criteria

Criteria: Virus Scan > Virus Policy

• Filter: “Specify at least one detection type”
Based on: Detected malware, worms, and other threats by pattern-based
scanning.
Available in: Inbound and outbound protection

• Filter: “Specify Predictive Machine Learning settings”
Based on: Detected unknown threats by Predictive Machine Learning.
Available in: Inbound protection

• Filter: “Specify advanced settings”
Based on: Detected threats by the Advanced Threat Scan Engine.
Available in: Inbound protection

Criteria: Spam Filtering > Spam Policy

• Filter: “Spam”
Based on: Detected spam.
Available in: Inbound and outbound protection

• Filter: “Business Email Compromise (BEC)”
Based on: Detected BEC attacks.
Available in: Inbound protection

• Filter: “Phishing and other suspicious content”
Based on: Detected phishing and other suspicious content.
Available in: Inbound and outbound protection

• Filter: “Graymail”
Based on: Detected graymail messages.
Available in: Inbound protection

• Filter: “Web reputation”
Based on: Detected URLs on the web or embedded in email messages
that pose security risks.
Available in: Inbound and outbound protection

• Filter: “Social engineering attack”
Based on: Detected social engineering attacks.
Available in: Inbound protection

Criteria: Content Filtering

• Filter: No criteria
Based on: All messages.
Available in: Inbound and outbound protection

• Filter: “All Match” or “Any Match”
Based on: Specific attribute and content targets. See Configuring Advanced
Criteria on page 166.
Available in: Inbound and outbound protection

Criteria: Data Loss Prevention (DLP) > DLP Policy

• Filter: “Select fields to scan” and “Selected Templates”
Based on: Detected DLP incidents.
Available in: Inbound and outbound protection

Configuring Virus Scan Criteria


The virus scan criteria allow you to create rules that take actions on
messages that contain malware, worms, or other malicious code.

Procedure

1. Click Scanning Criteria.

2. Specify at least one of the following detection types under the Specify at
least one detection type section.

Option: Cleanable malware or malicious code
Description: Apply the rule to messages or attachments that contain cleanable
malware. Cleanable malware are those that can be safely removed
from the contents of the infected file, resulting in an uninfected
copy of the original message or attachment.

WARNING!
Selecting Cleanable malware or malicious code as a rule
criterion, and then selecting a rule action other than Delete or
Clean, can result in infected messages or attachments entering
your messaging environment. By default, Trend Micro Email
Security is configured with malware rules to appropriately handle
threats when it is installed.

Option: Uncleanables with mass-mailing behavior
Description: Apply the rule to messages that contain uncleanable malware,
worms, or other threats that cannot be removed from messages or
attachments, and that propagate by mass-mailing copies of
themselves.

Option: Uncleanables without mass-mailing behavior
Description: Apply the rule to messages that contain the following:
• Spyware
• Dialers
• Hacking tools
• Password cracking applications
• Adware
• Joke programs
• Remote access tools
• All others

3. Configure Predictive Machine Learning settings to leverage the
Predictive Machine Learning engine to detect emerging unknown
security risks.
a. Select Enable Predictive Machine Learning under the Specify
Predictive Machine Learning settings section.
For details, see About Predictive Machine Learning on page 156.
b. Optionally select the Allow Trend Micro to collect suspicious files
to improve its detection capabilities check box.

Note
By default, this option is selected.
If you enable this option, Trend Micro only checks potentially risky
messages and encrypts all content before transferring any
information. By stripping out specific personal information and
keeping only anonymous behavior profiles, Trend Micro can
maintain your privacy while discovering new threats.

4. Specify advanced settings.

Note
These settings are not included in the Trend Micro Email Security
Standard license.
For details about different license versions, see Available License Versions on
page 18.

a. Select Submit files to Virtual Analyzer and select the security level
from the drop-down list to perform further observation and
analysis on the submitted files.

Virtual Analyzer performs observation and analysis on samples in a
closed environment. It takes 3 minutes on average to analyze and
identify the risk of a file, and the time could be as long as 30
minutes for some files.

Note
There is a submission quota limiting the number of files that can be
sent to Virtual Analyzer within 24 hours. The quota is calculated
based on a 24-hour sliding window as follows:
File submission quota = Seat count * 0.02
For example, if you have 1,000 seats, a total of 20 files can be
submitted to Virtual Analyzer for analysis within 24 hours. The
default quota will be 1 if your seat count is less than 100. Note that the
submission quota mentioned here is subject to change without
notice.
In addition, the following cases will not be taken into account for
quota measurement:
• Samples that hit the local or cloud cache.
• Samples in an unsupported file format.
• Other unexpected scan exceptions.
Once the quota is used up, no more files can be sent to Virtual
Analyzer. Nevertheless, the quota will be restored as the 24-hour
sliding window moves forward.
You can configure scan exception actions for the file submissions
over quota. For details, see Configuring "Scan Exceptions" Actions on
page 119.

b. Select Include macro, JSE and VBE scanning to include macro
threats during observation and analysis.
5. Click Submit.
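
To estimate when file submissions would go over quota, and therefore when the configured scan exception action would apply, the sliding-window rule in step 4 can be simulated. The following Python code is an added example, not Trend Micro code: it assumes the quota is rounded down to a whole number and that a counted submission leaves the window exactly 24 hours later. The event kinds and timestamps are constructed.

```python
from collections import deque

WINDOW_HOURS = 24
# Cases the guide says are not taken into account for quota measurement.
# The labels themselves are hypothetical names for this example.
NOT_COUNTED = {"cache_hit", "unsupported_format", "scan_exception"}


def submission_quota(seat_count):
    """File submission quota = seat count * 0.02; 1 when there are fewer than 100 seats."""
    if seat_count < 100:
        return 1
    # Integer arithmetic avoids float rounding; rounding down is an assumption.
    return seat_count * 2 // 100


def simulate(seat_count, events):
    """Classify each (hour, kind) event, given in time order, against the sliding window."""
    quota = submission_quota(seat_count)
    counted = deque()      # hours at which quota-consuming submissions were made
    outcomes = []
    for hour, kind in events:
        # Submissions older than the window no longer consume quota.
        while counted and counted[0] <= hour - WINDOW_HOURS:
            counted.popleft()
        if kind in NOT_COUNTED:
            outcomes.append((hour, "not_counted"))
        elif len(counted) < quota:
            counted.append(hour)
            outcomes.append((hour, "submitted"))
        else:
            outcomes.append((hour, "over_quota"))   # scan exception action applies
    return outcomes


# Constructed timeline for a 100-seat deployment (quota of 2 per 24 hours).
SAMPLE_EVENTS = [
    (0, "file"), (1, "cache_hit"), (2, "file"), (3, "file"),
    (24.5, "file"), (25, "file"), (26.5, "file"),
]

if __name__ == "__main__":
    for hour, outcome in simulate(100, SAMPLE_EVENTS):
        print(f"{hour:>5}h  {outcome}")
```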

About Advanced Threat Scan Engine


The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based
scanning and heuristic scanning to detect document exploits and
other threats used in targeted attacks. By default, this engine is enabled for
virus scanning policies.
Its major features include:
• Detection of zero-day threats
• Detection of embedded exploit code
• Detection rules for known vulnerabilities
• Enhanced parsers for handling file deformities

About Predictive Machine Learning


Trend Micro Predictive Machine Learning uses advanced machine learning
technology to correlate threat information and perform in-depth file analysis
to detect emerging unknown security risks through digital DNA
fingerprinting, API mapping, and other file features. Predictive Machine
Learning is a powerful tool that helps protect your environment from
unidentified threats and zero-day attacks.
After detecting an unknown or low-prevalence file, Trend Micro Email
Security scans the file using the Advanced Threat Scan Engine to extract file
features and sends the report to the Predictive Machine Learning engine.
Through use of malware modeling, Predictive Machine Learning compares
the sample to the malware model, assigns a probability score, and
determines the probable malware type that the file contains.

Configuring Spam Filtering Criteria


The Spam, Phishing, Graymail, Web Reputation, or Social engineering
attack criteria allow you to create rules that take actions on these types of
potentially unwanted messages.

Note
Trend Micro Email Security does not apply content-based heuristic spam, BEC,
phishing, graymail, Web reputation, or social engineering attack rules to email
messages received from email addresses and domains listed on the Approved
Senders screen.

Configuring Spam Criteria

Procedure

1. Select “Spam”.

2. Choose a baseline spam catch rate.

• Lowest (most conservative)

• Low

• Moderately low (the default setting)

• Moderately high

• High

• Highest (most aggressive)

Configuring Business Email Compromise Criteria

A Business Email Compromise (BEC) scam is a form of phishing attack
where a fraudster impersonates a high profile executive, for example, the
CEO or CFO, and attempts to trick an employee, a customer, or a vendor into
transferring funds or sensitive information to the fraudster.

The BEC criteria are configured to detect and take actions on BEC email
messages.

Procedure
1. Select Business Email Compromise (BEC).
2. Click High Profile Users to add high profile users for detection and
classification.

Note
Add high profile users as the global BEC settings so that Trend Micro
Email Security will check incoming email messages claimed to be sent
from those users and apply fraud checking criteria to identify forged
messages.
For details about high profile users, see Configuring High Profile Users on
page 122.

3. Choose the type of email messages to apply this rule to:


• Detected as BEC attacks by Antispam Engine: apply this rule to
email messages that are verified to be BEC attacks by the Antispam
Engine.
• Detected as BEC attacks by writing style analysis: apply this rule to
email messages that are verified to be BEC attacks by writing style
analysis.

Note
These settings are not included in the Trend Micro Email Security
Standard license.
For details about different license versions, see Available License
Versions on page 18.

Note
Writing style analysis applies only to the high profile users with email
addresses specified and takes effect only when the writing style
models of the high profile users have been trained in Cloud App
Security.
For details about writing style analysis, see Business Email Compromise
(BEC) on page 121.

• BEC attacks suspected by Antispam Engine: apply this rule to
email messages that are suspected to be BEC attacks by the
Antispam Engine.

Configuring Phishing Criteria

Procedure
1. Select “Phishing and other suspicious content”.

Note
Trend Micro Email Security leverages Trend Micro Antispam Engine to
filter email messages for spam and phishing incidents. Email messages
will be categorized as phishing threats if Trend Micro Antispam Engine
detects phishing and other suspicious content in those messages.

Configuring Graymail Criteria


Graymail refers to solicited bulk email messages that do not fit the definition
of spam email messages. Trend Micro Email Security detects marketing
messages and newsletters, social network notifications, forum notifications,
and bulk email messages as graymail messages.

Procedure
1. Select “Graymail”.

2. Click Graymail.

The Graymail Detection Setting screen appears.

3. Select at least one graymail category from the following:

• Marketing message and newsletter

• Social network notification

• Forum notification

• Bulk email message

4. To omit the IP addresses of specific mail servers from this rule, select
Enable the graymail exception list under Graymail Exception List.

5. Specify IP addresses that you want to bypass graymail scanning.

Note
The rule will not apply to graymail messages from IP addresses in this
exception list. The list is specific just to the rule being edited.

6. Click Save.

Configuring Web Reputation Criteria

Trend Micro web reputation technology helps break the infection chain by
assigning websites a "reputation" based on an assessment of the
trustworthiness of a URL, derived from an analysis of the domain. Web
reputation protects against web-based threats including zero-day attacks,
before they reach the network. Trend Micro web reputation technology
tracks the lifecycle of hundreds of millions of web domains, extending
proven Trend Micro antispam protection to the Internet.

The Web reputation criteria are configured to prevent access to malicious
URLs in email messages.

Procedure

1. Click Scanning Criteria.

2. Select and click Web reputation.

The Web Reputation Settings screen appears.

3. Complete web reputation security settings.

a. Select a baseline web reputation catch rate from the Security level
drop-down list:

• Lowest (most conservative)

• Low

• Moderately low

• Moderately high (the default setting)

• High

• Highest (most aggressive)

b. Optionally select Detect URLs that have not been tested by Trend
Micro to block websites that might pose threats.

Note
Web pages change frequently, and it is difficult to find data or follow a
link after the underlying page is modified. Such websites are usually
used as vehicles for transporting malware and carrying out phishing
attacks.

If you select this check box, Trend Micro Email Security will block all
the URLs that have not been tested by Trend Micro, which might
include some legitimate URLs.

4. Under Virtual Analyzer, do the following:

Note
These settings are not included in the Trend Micro Email Security
Standard license.
For details about different license versions, see Available License Versions on
page 18.

a. Select Submit URLs to Virtual Analyzer.


b. Select a security level from the drop-down list to perform further
observation and analysis on the submitted URLs.
Virtual Analyzer performs observation and analysis on samples in a
closed environment. It takes 3 minutes on average to analyze and
identify the risk of a URL, and the time could be as long as 30
minutes for some URLs.

Note
There is a submission quota limiting the number of URLs that can be
sent to Virtual Analyzer within 24 hours. The quota is calculated
based on a 24-hour sliding window as follows:
URL submission quota = Seat count * 4
For example, if you have 1,000 seats, a total of 4,000 URLs can be
submitted to Virtual Analyzer for analysis within 24 hours. Note that
the submission quota mentioned here is subject to change without
notice.
In addition, the following cases will not be taken into account for
quota measurement:
• Samples hit the local or cloud cache.
• Sample URLs are unreachable.
• Other unexpected scan exceptions.
Once the quota is used up, no more URLs can be sent to Virtual
Analyzer. Nevertheless, the quota will be restored as the 24-hour
sliding window moves forward.
You can configure scan exception actions for the URL submissions
over quota. For details, see Configuring "Scan Exceptions" Actions on
page 119.

5. Under Time-of-Click Protection, do the following:


a. Select Enable Time-of-Click Protection and click one of the
following:
• Apply to URLs that have not been tested by Trend Micro
• Apply to URLs marked by Web Reputation Services as
possible security risks
• Apply to all URLs

Note
Time-of-Click Protection is available only in inbound protection.

Web Reputation Services mark URLs as possible security risks if the
URLs host or redirect to malicious files. For example, untested
websites, file sharing websites and shortened URLs are marked as
possible security risks.

b. Optionally select Apply to URLs in digitally signed messages if
necessary.

Note
Enabling Time-of-Click Protection for digitally signed messages is not
recommended because digital signatures might be destroyed.

6. Select Enable the Web Reputation Approved List to prevent Trend
Micro Email Security from scanning and blocking domains or IP
addresses included in the Web Reputation Approved List.

Note
To manage the Web Reputation Approved List, navigate to the following
path:

Administration > Policy Objects > Web Reputation Approved List

For details, see Managing the Web Reputation Approved List on page 253.

7. Optionally select Enable the URL keyword exception list to exclude
URLs containing specified keywords from both Time-of-Click Protection
and Virtual Analyzer scanning.

Note
To manage the URL keyword exception list, navigate to the following path:

Administration > Policy Objects > URL Keyword Exception List

For details, see Managing the URL Keyword Exception List on page 253.

8. Click Save.
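
The Virtual Analyzer submission quota from step 4 (seat count * 4 over a 24-hour sliding window, with cache hits, unreachable URLs and scan exceptions not counted) can be modelled to estimate how many URLs would fall to the over-quota scan exception action. This is an added example, not code from Trend Micro; the outcome labels, class and function names are this example's own, and it assumes that a submission is refused whenever the window is full and that an entry leaves the window once it is 24 hours old.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
URLS_PER_SEAT = 4  # from the guide: URL submission quota = seat count * 4
# Outcomes the guide excludes from quota measurement (labels are this example's own).
UNCOUNTED = {"cache_hit", "unreachable", "scan_exception"}


class SubmissionQuota:
    """Sliding-window counter for Virtual Analyzer URL submissions."""

    def __init__(self, seat_count):
        self.limit = seat_count * URLS_PER_SEAT
        self.counted = deque()  # timestamps of counted submissions, oldest first

    def remaining(self, now):
        # Submissions that are 24 hours old leave the window and free quota.
        while self.counted and now - self.counted[0] >= WINDOW:
            self.counted.popleft()
        return self.limit - len(self.counted)

    def submit(self, now, outcome="analyzed"):
        """Return True if the URL could be submitted, False if over quota."""
        if self.remaining(now) <= 0:
            return False  # the rule's scan exception action would apply here
        if outcome not in UNCOUNTED:
            self.counted.append(now)
        return True


def replay(seat_count, events):
    """Replay (timestamp, outcome) pairs in time order.

    Returns (submitted, over_quota)."""
    quota = SubmissionQuota(seat_count)
    submitted = over = 0
    for ts, outcome in events:
        if quota.submit(ts, outcome):
            submitted += 1
        else:
            over += 1
    return submitted, over


def constructed_events():
    """Constructed sample for a 2-seat tenant (quota 8), not real log data."""
    t0 = datetime(2021, 1, 28, 9, 0, 0)
    ev = [(t0 + timedelta(minutes=i), "analyzed") for i in range(6)]
    ev += [(t0 + timedelta(minutes=6), "cache_hit"),      # not counted
           (t0 + timedelta(minutes=7), "unreachable")]    # not counted
    ev += [(t0 + timedelta(minutes=8), "analyzed"),
           (t0 + timedelta(minutes=9), "analyzed")]       # quota now used up
    ev += [(t0 + timedelta(hours=1), "analyzed")]         # refused
    ev += [(t0 + timedelta(hours=24, seconds=1), "analyzed"),    # oldest expired
           (t0 + timedelta(hours=24, seconds=30), "analyzed")]   # window full again
    return ev


if __name__ == "__main__":
    print(replay(2, constructed_events()))
```
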

Configuring Social Engineering Attack Criteria


Social Engineering Attack Protection detects suspicious behavior related to
social engineering attacks in email messages.

For more information about social engineering attack detections, see Social
Engineering Attack Log Details on page 215.

Procedure

1. Select Social engineering attack.

Configuring Data Loss Prevention Criteria


Trend Micro Email Security evaluates email messages, including their
content and attachments, against a set of rules defined in Data Loss
Prevention (DLP) policies. Policies determine files or data that requires
protection from unauthorized transmission and the action that Trend Micro
Email Security performs after detecting a transmission.

Create DLP policies after you have configured data identifiers and organized
them in templates. For details about the data identifiers and templates, see
Data Loss Prevention on page 126.

Procedure

1. Choose a correct path to create your DLP policy for the proper mail
traffic direction:

• Inbound Protection > Data Loss Prevention (DLP)

• Outbound Protection > Data Loss Prevention (DLP)

2. Click Add to add a DLP policy.

3. Click the Scanning Criteria tab.


4. Select fields to scan, for example, Subject and Body. To add a
customized message header field, select Other and specify the field in
the text box.
5. Select at least one compliance template from the Available Templates
list and click the right arrow button.

Note
A maximum of 255 compliance templates can be selected for each DLP
policy.

Configuring Content Filtering Criteria


On the Scanning Criteria tab, select Advanced to display the advanced
criteria.
From the drop-down list, do one of the following:
• Select “All Match” to trigger the rule only when all selected “Advanced”
criteria are matched.
• Select “Any Match” to do the following:
• Trigger the rule when any selected “Advanced” criteria are matched
• Display the Attachment is “password protected” and Recipient
number criteria in the “Advanced” criteria list

The following tables all contain the same information sorted differently. Use
the following sorted tables to find appropriate “Advanced” criteria to filter
messages by your desired rule targets:

Table 48. Advanced Criteria Sorted by Display Order

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Sorted by display order | Attachment is “name or extension” | Attachment name or extension |
| | Attachment is “MIME content-type” | Attachment MIME content-type |
| | Attachment is “true file type” | Attachment true file type |
| | Message size is >, <= <number> KB, MB | Size |
| | Subject matches “keyword expressions” | Keywords in headers and content |
| | Subject is “blank” | Keywords in headers and content |
| | Body matches “keyword expressions” | Keywords in headers and content |
| | Specified header matches “keyword expressions” | Keywords in headers and content |
| | Attachment content matches “keyword expressions” | Keywords in headers and content |
| | Attachment size is >, <= <number> B, KB, MB | Attachment size |
| | Attachment number is >, <= <number> | Number of attachments |
| | Attachment is “password protected” | Zipped, signed, or password-protected attachment |
| | Recipient number >, <= <number> | Number of recipients |

Table 49. Advanced Criteria Sorted by Attribute and Content Targets

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Name and type attributes | Attachment is “name or extension” | Attachment name or extension |
| | Attachment is “MIME content-type” | Attachment MIME content-type |
| | Attachment is “true file type” | Attachment true file type |
| Size attributes | Message size is >, <= <number> KB, MB | Size |
| | Attachment size is >, <= <number> B, KB, MB | Attachment size |
| Keyword content | Subject matches “keyword expressions” | Keywords in headers and content |
| | Subject is “blank” | Keywords in headers and content |
| | Body matches “keyword expressions” | Keywords in headers and content |
| | Specified header matches “keyword expressions” | Keywords in headers and content |
| | Attachment content matches “keyword expressions” | Keywords in headers and content |
| Quantity attributes | Attachment number is >, <= <number> | Number of attachments |
| | Recipient number >, <= <number> | Number of recipients |
| Compressed, signed, or encrypted attributes | Attachment is “password protected” | Zipped, signed, or password-protected attachment |

Table 50. Advanced Criteria Sorted by Message-Only or Attachment-Only Targets

| Rule Targets | Criteria | Filter Based On |
|---|---|---|
| Message-only | Message size is >, <= <number> KB, MB | Size |
| | Subject matches “keyword expressions” | Keywords in headers and content |
| | Subject is “blank” | Keywords in headers and content |
| | Body matches “keyword expressions” | Keywords in headers and content |
| | Specified header matches “keyword expressions” | Keywords in headers and content |
| | Recipient number >, <= <number> | Number of recipients |
| Attachment-only | Attachment is “name or extension” | Attachment name or extension |
| | Attachment is “MIME content-type” | Attachment MIME content-type |
| | Attachment is “true file type” | Attachment true file type |
| | Attachment content matches “keyword expressions” | Keywords in headers and content |
| | Attachment size is >, <= <number> B, KB, MB | Attachment size |
| | Attachment number is >, <= <number> | Number of attachments |
| | Attachment is “password protected” | Zipped, signed, or password-protected attachment |

Using Attachment Name or Extension Criteria


The Attachment is “name or extension” criteria allows you to create rules
that take actions on messages based on the name or the extension of
attachments a message contains. If a message contains a compressed
attachment, the criteria can further match the name or extension of the files
included in the compressed attachment.

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select the Attachment is “name or extension” criteria.

3. Click the “name or extension” link.

The Attachment Names screen appears.

4. From the drop-down list, select either Selected attachment names or
Not the selected attachment names.
5. If you want to block attachment names by file extension:
a. Select File extensions to block (recommended) and/or File
extensions to block (commonly exchanged).

Note
The “recommended” category contains file types that commonly act as
containers for malware and are not normally exchanged via email in an
organization. This list includes extensions such as COM, DLL, and EXE.
The “commonly exchanged” category includes file types that are
commonly sent between members of an organization.
The latter list includes the DOC extension used by Microsoft Word
documents. These files are often used to propagate VB macro viruses,
but they are also commonly exchanged within organizations.

b. Click the open arrow buttons to expand the lists of standard file
extensions.
c. Select the file extensions for Trend Micro Email Security to trigger
on for this rule.
d. Click the close arrow button to collapse the list.
6. If you want to block attachments with your own specified names or
extensions:
a. Select Attachments named.
b. Type an extension or a filename to block.

Tip
You can use an asterisk (*) as a substitute for any part of a filename.

The following examples are valid:

• Extension:

• .doc

• .doc*

• Filename:

• abc

• a*c

• *.docx

• *.doc*

• LOVE-LETTER*.vbs

• LOVE-LETTER-FOR-YOU.TXT.vbs

c. Click Add.

The file name is added to the list just below.

Tip
If there are any names in the list that you want to delete, select them and
click Delete.

Using Attachment MIME Content-type Criteria

The Attachment is “MIME content-type” criteria allows you to create rules
that take actions on messages based on the MIME content-type of
attachments a message contains.

Note
Where the Attachment is “MIME content-type” criteria makes decisions based
on the MIME content-type indicated, the Attachment is “true file type” criteria
scans the headers of the actual attached files themselves for the identifying
signatures.

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select the Attachment is “MIME content-type” criteria.

3. Click the “MIME content-type” link.

The Attachment MIME Type screen appears.

4. From the drop-down list, select Selected attachment types or Not the
selected attachment types.

5. Select the MIME types for Trend Micro Email Security to match on.

6. If you want to block attachments by explicit MIME content-types, type
the names of the MIME content-types to block, under the Other MIME
content-type text field.

Tip
The following examples are valid:

• 3dm or *.3dm

• 3dmf or *.3dmf

Using Attachment True File Type Criteria


The Attachment is “true file type” criteria allows you to create rules that
take actions on messages based on the true file type of attachments a
message contains.

Note
Where the Attachment is “name or extension” criteria makes decisions based
on just file names and/or extensions, the Attachment is “true file type” criteria
scans the headers of the files themselves for the identifying signatures.

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select the Attachment is “true file type” criteria.

3. Click the “true file type” link.

The Attachment True File Type screen appears.

4. From the drop-down list, select Selected attachment types or Not the
selected attachment types.

5. Select the true file types for Trend Micro Email Security to match on.

Note
The Compressed file type of other includes only the following file types:
ar, arc, amg, lzw, cab, lha, pklite, diet, lzh, and lz.
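
The three attachment criteria above look at different evidence: the file name (including names inside a compressed attachment), the MIME content-type the sender declared, and the signature in the file's own leading bytes. The following added example, which is not Trend Micro code, evaluates all three on one constructed message to show what each check can and cannot see. The wildcard semantics in `name_matches`, the small signature table and all function names are assumptions of this example, not the service's matcher.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Leading-byte signatures for a few types; an illustrative subset only.
MAGIC = [(b"MZ", "exe"), (b"PK\x03\x04", "zip"), (b"%PDF-", "pdf"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2")]
# True type this example expects for a declared MIME content-type.
EXPECTED = {"application/pdf": "pdf", "application/zip": "zip",
            "application/msword": "ole2"}
MAX_MEMBER_SIZE = 10 * 1024 * 1024  # do not expand oversized archive members


def true_type(data):
    """Identify content from its leading bytes, ignoring name and MIME label."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def name_matches(filename, pattern):
    """Assumed semantics: case-insensitive, '*' matches any run of characters,
    and a pattern that starts with '.' is compared with the last extension."""
    name, pat = filename.lower(), pattern.lower()
    regex = ".*".join(re.escape(piece) for piece in pat.split("*"))
    if pat.startswith("."):
        dot = name.rfind(".")
        return dot != -1 and re.fullmatch(regex, name[dot:]) is not None
    return re.fullmatch(regex, name) is not None


def walk_attachments(msg):
    """Yield (container, name, declared_type, data) for every attachment and
    for every file inside a zip attachment (members have no declared type)."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        yield None, name, part.get_content_type(), data
        if true_type(data) != "zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    encrypted = info.flag_bits & 0x1
                    if not encrypted and info.file_size <= MAX_MEMBER_SIZE:
                        yield name, info.filename, None, archive.read(info)
        except zipfile.BadZipFile:
            continue  # starts like a zip but cannot be parsed


def evaluate(msg, blocked_patterns):
    """Return one finding per attachment or archive member."""
    findings = []
    for container, name, declared, data in walk_attachments(msg):
        actual = true_type(data)
        findings.append({
            "container": container, "name": name,
            "declared": declared, "true_type": actual,
            "name_hits": [p for p in blocked_patterns if name_matches(name, p)],
            # Declared type has a known signature and the content disagrees.
            "mismatch": EXPECTED.get(declared) not in (None, actual),
        })
    return findings


def constructed_message():
    """Constructed sample: placeholder bytes only, no real executable or script."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    # Named and labelled as PDF, but the content starts with the 'MZ' signature.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("LOVE-LETTER-FOR-YOU.TXT.vbs", "' placeholder text")
        archive.writestr("readme.txt", "placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg


if __name__ == "__main__":
    for finding in evaluate(constructed_message(),
                            [".exe", "LOVE-LETTER*.vbs", ".doc*"]):
        print(finding)
```

On the constructed message, `invoice.pdf` passes both the name patterns and the declared content-type and is caught only by the leading-byte check, while the `.vbs` file is found only because the archive members are listed.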

Using Message Size Criteria

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select Message size is in the criteria list.

3. Select > or <= from the comparison drop-down list.

• Select > to apply the rule to messages that are larger than the
specified size.

• Select <= to apply the rule to messages that are smaller than or
equal to the specified size.

For example, <= 10 MB applies the rule to all messages that are smaller
than or equal to 10 megabytes.

4. Type a number for the size.

5. Select a unit of measurement from the following choices:

• KB: Kilobytes

• MB: Megabytes

Note
The Message size is criteria is applied to the total size of a message,
including any attachments it might contain.

For example, if a message contained two attachments, one a 3 MB
attachment and the other a 1 MB attachment, a rule that deletes
messages over 2 MB would delete the entire message, including both
attachments.

Using Subject Matches Criteria


Trend Micro Email Security can scan the message subject for keyword
expressions.

Procedure

1. On the Scanning Criteria tab, click Advanced.

2. Select Subject matches “keyword expressions”.

3. Click the “keyword expressions” link.

4. Configure keywords.

Using Subject is Blank Criteria


Trend Micro Email Security can scan the message for a blank subject line.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Subject is “blank”.

Using Body Matches Criteria


Trend Micro Email Security can scan the message body for keyword
expressions.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Body matches.
3. Click the “keyword expressions” link.
4. Configure keywords.

Using Specified Header Matches Criteria


Trend Micro Email Security can scan the message headers for keyword
expressions.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select Specified header matches.
3. Click the “keyword expressions” link.

4. Configure keywords.

Using Attachment Content Matches Keyword Criteria


The Attachment content matches “keyword expressions” criteria allows
you to create rules that take actions on messages based on keyword
expressions contained in a message.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select the Attachment content matches “keyword expressions”
criteria.
3. Click the “keyword expressions” link.
The Attachment Content Keyword Expressions screen appears.
4. Configure the keywords.

Using Attachment Size Criteria


The Attachment size is criteria allows you to create rules that take actions on
messages based on the size of any attachments to the message.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select the Attachment size is criteria.
3. Select > or <= from the comparison drop-down list.
• Select > to apply the rule to attachments that are larger than the
specified size.
• Select <= to apply the rule to attachments that are smaller than or
equal to the specified size.

For example, <= 10 MB applies the rule to all messages that are equal to
or smaller than 10 megabytes.
4. Type a value for the size.
5. Select a unit of measurement from the following choices:
• B: Bytes
• KB: Kilobytes
• MB: Megabytes

Note
The Attachment size is criteria is applied to the total size of each
attachment.

For example, if a message contained two attachments, one a 3 MB
attachment and the other a 1 MB attachment, a rule that deletes
attachments over 2 MB would delete only the 3 MB attachment. The
other attachment would not be deleted.

Using Attachment Number Criteria


The Attachment number is criteria allow you to create rules that take
actions on messages based on the number of attachments the message
contains.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select the Attachment number is criteria.
3. Select > or <= from the comparison drop-down list.
• Select > to apply the rule to messages that are sent with more than
the specified number of attachments.

• Select <= to apply the rule to messages that have the same number
or fewer than the specified number of attachments.
For example:
> 10 applies the rule to all messages that have more than 10 recipients.
<= 10 applies the rule to all messages that have 10 or fewer recipients.
4. Type the number of attachments to evaluate.

Using Attachment is Password Protected Criteria


Trend Micro Email Security can scan messages for attachments of the
following types:
• .7z

• .ace

• .arj

• .docx

• .pptx

• .rar

• .xlsx

• .zip

• .pdf

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select “Any Match”.
The Attachment is “password protected” and Recipient number
criteria become available.

3. Select Attachment is “password protected”.

Using the Number of Recipients Criteria


The Recipient Number criteria allows you to create rules that take actions on
messages based on the number of recipients the message is addressed to.

Procedure
1. On the Scanning Criteria tab, click Advanced.
2. Select “Any Match”.
The Attachment is “password protected” and Recipient number
criteria become available.
3. Select Recipient number.
4. Select > or <= from the comparison drop-down list.
• Select > to apply the rule to messages that are sent to more than the
specified number of recipients.
• Select <= to apply the rule to messages that have the same number
or fewer than the specified number of recipients.
For example:
> 10 applies the rule to all messages that have more than 10 recipients.
<= 10 applies the rule to all messages that have 10 or fewer recipients.
5. Type a value for the number of recipients.

About Rule Actions


Rule actions allow you to specify what happens to messages that satisfy the
conditions of the rule's criteria.
Actions fall into these classes:

• “Intercept” actions: Actions in this class intercept the message,
preventing it from reaching the original recipient. Intercept actions
include deleting the entire message and re-addressing the message.
• “Modify” actions: Actions in this class change the message or its
attachments. Modify actions include cleaning cleanable viruses, deleting
message attachments, inserting a stamp in the message body, or tagging
the subject line.
• “Monitor” actions: Actions in this class allow administrators to monitor
messaging. Monitor actions include sending a notification message to
others or sending a BCC (blind carbon copy) of the message to others.
• “Encrypt Email Message” actions: Actions in this class encrypt the
message and then queue it for delivery. This is a non-intercept action,
but no other actions can be taken on the target message after this rule is
triggered. This action has the lowest priority of all actions, but when
triggered it is always the final rule run before the message is queued for
delivery. If more than one rule in the rule set is triggered, the rule that
uses the encrypt email action will always be triggered last.

Note
This action only applies to outbound rules.

Each rule can contain:


• One and only one intercept action, and
• Any combination of modify or monitor actions

Specifying Rule Actions

Procedure
• To add actions to a rule definition, select the desired action.
• To specify details of an action (where required), select the drop-down
list, text field, or link that provides more detail for the rule.

For example, if the quarantine action is desired, you need to select
which quarantine to send messages to when they trigger this rule. You
also might want to create a new quarantine based on an existing one.
You can click Edit there to begin that process.

“Intercept” Actions
“Intercept” actions prevent a message from being delivered to the mailbox of
the original recipient. Instead, the message is deleted, quarantined, or sent
to a different recipient.

“Intercept” actions are "terminal" actions. Once a terminal action executes,
processing of that rule stops and no further action takes place for that rule.

Terminal actions execute following a strict priority order:

1. Delete the entire message.

2. Deliver the message now.

WARNING!
The Deliver now action is not recommended for use as the only action. If
you choose Deliver now as the only action for Spam mail, for example, all
of that mail will simply be delivered to your recipients, as if there were no
spam filter in place.

If you use Deliver now with a virus rule, ensure that you also have a Delete
action for the virus rule. Only the Delete action takes higher priority than
Deliver now and so would be processed before it (and then terminate the
processing of that rule).

If you chose Deliver now as the only action for a virus rule, mail
containing viruses would leak through unblocked.

3. Quarantine the message.

4. Change recipient.

Using the Delete Action


This action deletes the message and all attachments. The message is
recorded as deleted in the Trend Micro Email Security logs, but once deleted,
the message cannot be recovered. It is one of the “intercept” category of
actions. To configure a rule action to delete a message:

Procedure
• Select the Delete entire message action from the “Intercept” section.

Using the Deliver Now Action


Trend Micro Email Security provides two options for the Deliver Now action:
• Deliver the email message to the default mail server
If you choose this option, Trend Micro Email Security delivers the email
message to the default mail server without executing any more rules for
the affected email message.
By default, all rules are automatically ordered for security and execution
efficiency. Administrators are relieved of determining the order of rule
execution. This option bypasses the automatic order of execution so that
Trend Micro Email Security can deliver the email message immediately.

WARNING!
This option of Deliver now is not recommended for use as the only action.
If you choose this option of Deliver now as the only action for spam, for
example, all of that email message will simply be delivered to your
recipients, as if there were no spam filter in place.
If you use this option of Deliver now with a malware rule, ensure that you
also have a Delete action for the malware rule. Only the Delete action
takes higher priority than this option and so would be processed before it
(and then terminate the processing of that rule).
If you chose this option of Deliver now as the only action for a malware
rule, email messages containing malware would leak through unblocked.

• Deliver the email message to a specific mail server


If you choose this option, Trend Micro Email Security delivers the email
message to the specific mail server that you have configured. This option
is recommended if you have a secure messaging server on your network
that can process or handle the message.

Note
Trend Micro Email Security can track an email message only before it is
delivered. After the delivery, the message is no longer traceable as it is not
under the control of Trend Micro Email Security.

Procedure
1. Select the Deliver now action from the Intercept section.
• Click To the default mail server.
• Click To a specific mail server. Specify the FQDN or IP address as
well as the listening port number for a specific mail server.
Click Test to check the connection between Trend Micro Email
Security and the mail server you specified.

Note
The corresponding TLS peer settings will still apply to the communication
between Trend Micro Email Security and the mail server you choose.

2. Click Submit.
3. Click OK on the Deliver now warning message that appears.

Using the Quarantine Action


Quarantined items are now stored in a directory structure created by Trend
Micro Email Security. This structure allows for increased performance when
the service is saving items into quarantines or when users view them through
the End User Console. Quarantined messages are indexed in the Trend Micro
Email Security database to provide you with queries and improved search
tools.

Procedure

1. In the “Intercept” section of the Action tab, select the Quarantine
action.

Using the Change Recipient Action

The Change recipient action intercepts messages and sends them to a new
recipient. This means that the original message recipient will not receive a
copy of the message. It is one of the “intercept” class of actions. You can only
select a recipient address that is in your domain.

Note
The Change recipient action does not change the recipient address in the
message header. The message will be routed to the new address and the
original recipient will not receive the message. The new recipient, however,
will see the original recipient's address in the message header. To have a copy
of the message sent to a different address while allowing the original message
to go to the original recipient, select the BCC action.

WARNING!
Redirected messages may contain viruses or malicious code. Trend Micro
recommends against redirecting messages to external addresses unless you
have configured an outbound virus policy.

Procedure

1. From the “Intercept” section of the Action page, select the Change
recipient action.

2. Type the email address of the recipient in the field. If you have more
than one email address, enter them in the field separated by commas or
semicolons.

“Modify” Actions
“Modify” actions change the message or its attachments. The original sender
will still receive the modified message, assuming that the message does not
trigger other rules with “Intercept” actions.

Note
Note that the "Modify" actions may destroy the existing DKIM signatures in
email messages. If this occurs, the messages cannot pass DKIM verification by
the downstream mail server.
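
Why a modified message can fail DKIM verification downstream, shown as an added example that is not Trend Micro code: a DKIM signature covers a hash of the canonicalized body (the bh= tag) and the header fields listed in h=, so any change to either invalidates it. The code implements the body canonicalization from RFC 6376 and checks only bh= and h=, not the RSA value in b=; the signature, domain, selector and the header name X-Example-Scan are constructed for illustration, and only SHA-256 signatures are assumed.

```python
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 section 3.4.4: collapse whitespace runs, strip trailing
    whitespace on each line, and drop empty lines at the end of the body."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def simple_body(body):
    """RFC 6376 section 3.4.3: only empty lines at the end are ignored."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def body_hash(body, algorithm):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    canon = relaxed_body(body) if algorithm == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def parse_tags(signature):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for item in signature.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_data_intact(signature, delivered_body, touched_headers):
    """True if the delivered body still hashes to bh= and none of the
    headers a gateway added or rewrote is listed in h=."""
    tags = parse_tags(signature)
    canon = tags.get("c", "simple/simple")
    body_alg = canon.split("/")[1] if "/" in canon else "simple"
    signed = {h.lower() for h in tags.get("h", "").split(":")}
    body_ok = body_hash(delivered_body, body_alg) == tags["bh"]
    headers_ok = not signed & {h.lower() for h in touched_headers}
    return body_ok and headers_ok


# Constructed sample message body and signature (b= is a placeholder).
ORIGINAL_BODY = b"Please review the attached invoice.\r\n\r\nRegards,\r\nAlice\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
             "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY, "relaxed")
             + "; b=CONSTRUCTED")


def scenarios():
    """Effect of typical message changes on the data the signature covers."""
    stamped = ORIGINAL_BODY + b"-- Scanned by the mail gateway --\r\n"
    respaced = b"Please review   the attached invoice. \r\n\r\nRegards,\r\nAlice\r\n\r\n"
    return {
        "unchanged": signed_data_intact(SIGNATURE, ORIGINAL_BODY, []),
        "whitespace only (relaxed)": signed_data_intact(SIGNATURE, respaced, []),
        "stamp added to body": signed_data_intact(SIGNATURE, stamped, []),
        "subject rewritten": signed_data_intact(SIGNATURE, ORIGINAL_BODY, ["Subject"]),
        "new header not in h=": signed_data_intact(
            SIGNATURE, ORIGINAL_BODY, ["X-Example-Scan"]),
    }


if __name__ == "__main__":
    for change, intact in scenarios().items():
        print(f"{change}: {'intact' if intact else 'signature broken'}")
```
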

For more information about specific “Modify” actions, select from the
following:
• Clean cleanable Viruses, delete those that cannot be cleaned Action
See Cleaning Cleanable Viruses on page 188.
• Delete Matching Attachments Action
See Deleting Matching Attachments on page 188.
• Insert X-Header Action
See Insert an X-Header on page 189.
• Insert stamp in body Action
See Inserting a Stamp on page 190.
See Configuring Stamps on page 191.
• Tag subject Action
See Tagging the Subject Line on page 192.

Tip
Terminal “Modify” actions have higher execution priority over non-terminal
actions. When a terminal “Modify” action is triggered, there is no need to
perform any other actions. However, non-terminal actions can be combined,
such as Delete matching attachments and Insert stamp in body.

Cleaning Cleanable Malware

This action will clean cleanable malware (or other configured threats)
contained in message attachments. If the threat cannot be cleaned, the
message attachment that contains it will be deleted. Clean cleanable
malware is one of the “Modify” class of actions.

Important
The Clean cleanable malware, delete those that cannot be cleaned action is
only available in policies with the target criteria of Message contains “malware
or malicious code”. If the Clean cleanable malware, delete those that cannot
be cleaned action is used in the rule, and a message contains an uncleanable
malware, the attachment will be deleted.

The Delete matching attachments and Clean cleanable malware, delete those
that cannot be cleaned actions cannot be used in the same rule.

To configure a rule action to clean malware-infected attachments:

Procedure

• From the “Modify” section of the Action page, select the Clean
cleanable malware, delete those that cannot be cleaned action.

Deleting Matching Attachments

This action deletes any attachments that match the rule criteria. It is one of
the “Modify” category of actions.

Important
The Delete matching attachments and Clean cleanable malware, delete those
that cannot be cleaned actions cannot be used in the same rule.

The Delete matching attachments action is invoked only when one or more
of the following criteria trigger a rule:
• Message contains “ malware or malicious code ”
• Attachment is “ name or extension ”
• Attachment is “ MIME content-type ”
• Attachment is “ true file type ”
• Attachment is “ password protected ”
• Attachment size is
• Attachment content matches “ keyword expressions ”
For example, if a “Message size is” rule (by default, greater than 10 MB) is
triggered with an action of Delete matching attachments, all attachments
will be deleted.
To configure a rule action to delete attachments that match certain criteria:

Procedure
• Select Delete matching attachments from the “Modify” section.

Insert an X-Header
The Insert X-Header action adds an X-Header to the message header before
sending a message to the intended recipients. An X-Header consists of a
name field and a body field, which can be customized according to your
requirements.
Insert X-Header is one of the "Modify" class of actions.


Procedure
1. Select Insert X-Header from the Modify section.
2. Type the X-Header name and body.

Note
Do not use or start your X-Header name (case-insensitive) with the
following since they are reserved for Trend Micro Email Security:
• X-TM
• X-MT
The reserved X-Headers might be adjusted dynamically if necessary.

Inserting a Stamp
The Insert stamp in body action inserts a block of text into the message
body. The stamps are maintained as named objects in the database and are
selected from a list. The stamp definitions contain the text of the stamp
(which can contain Trend Micro Email Security tokens/variables), whether
they are to be inserted at the beginning or the end of the message body, and
whether or not to avoid stamping TNEF and digitally signed messages to
prevent breakage.
Trend Micro Email Security recognizes messages signed using the S/MIME
standard.

Procedure
1. Select Insert stamp in body.
2. Select from the drop-down list of available stamps.
3. To configure stamps in the list, click Edit.
See Configuring Stamps on page 191.


Configuring Stamps

You can edit or add a new message stamp. Stamps are inserted into messages
when they trigger the rule. Typically they contain some standard
confidentiality statement or a similar block of text. Rule Tokens/Variables
(for example, the name of an attached file) can also be included in the text.
To edit or add a new message stamp:

Procedure
1. On the Actions page, select Insert stamp in body.
2. Click Edit.
The Stamps screen appears, showing a list of available stamps.
3. Click Add or select a stamp from the list and click Edit.
The Stamps screen appears, showing details for the stamp.
4. Type a name in the Name field, or edit the existing name if desired.
5. Select whether to insert the stamp at the end or the beginning of the
message body.
6. Type the desired text into the text box. Optionally, use rule tokens/
variables (such as the attachment name) as part of the text message.
See Rule Tokens/Variables on page 192.
7. To exclude TNEF and digitally signed messages from stamping, select Do
not stamp message formats that might become corrupted or
unreadable, such as digitally signed and Outlook TNEF.


Note
Trend Micro Email Security recognizes messages signed using the S/MIME
standard.

The Microsoft TNEF format is used when sending rich text email using the
Outlook client. If Trend Micro Email Security tries to insert a stamp into a
TNEF-formatted email, the message might become corrupted or
unreadable. To prevent this, if your organization uses Outlook to send rich
text formatted messages, Trend Micro Email Security enables you to
exempt TNEF messages from those actions that might corrupt the
message.

Tagging the Subject Line

The Tag Subject action inserts configurable text into the message subject
line. It is one of the “Modify” class of actions.

Procedure

1. Select the Tag Subject action.

2. Type a tag in the Tag field.

3. Optionally select Do not tag digitally signed messages.

Note
Trend Micro Email Security recognizes messages signed using the S/MIME
standard.

Rule Tokens/Variables

Use the following tokens to include variables in notifications and stamps:

Table 51. Tokens and Variables

| Token | Variable |
| --- | --- |
| %SENDER% | Message sender |
| %RCPTS% | Message recipients |
| %SUBJECT% | Message subject |
| %DATE&TIME% | Date and time of incident |
| %MAILID% | Mail ID |
| %RULENAME% | Name of the rule that contained the triggered filter |
| %RULETYPE% | Type of a rule: Content Filter, Message Size Filter, and others |
| %DETECTED% | Current filter scan result in other task |
| %FILENAME% | Names of files that were affected by the rule |
| %DEF_CHARSET% | Default character set of the notification message |
| %MSG_SIZE% | Total size of the message and all attachments |
| %ATTACH_SIZE% | Total size of the attachment(s) that triggered the rule |
| %ATTACH_COUNT% | Number of attachments that triggered the rule |
| %TACTION% | Terminal action taken by Trend Micro Email Security |
| %ACTION% | All other (non-terminal) actions taken by Trend Micro Email Security |
| %VIRUSNAME% | Name of any malware detected. This token will be empty if the message did not trigger a malware action. |
| %VIRUSACTION% | Action taken on any malware detected in the message. This token will be empty if the message did not trigger a malware action. |
| %HPU_CONFIRMED_URL% | Option selected by a high profile user to confirm that he or she is the real sender of an email message. |
| %HPU_DENIED_URL% | Option selected by a high profile user to deny that he or she is the real sender of an email message. |

“Monitor” Actions
“Monitor” actions do not change the original message or its attachments. The
original sender will still receive the message, assuming that the message
does not trigger other rules with intercept actions.

There are two “Monitor” actions:

• Send notification action

• BCC action

You can combine the first action with any other kind of action. You can
combine the BCC action with "modify" actions (and with the first "monitor"
action). However, the BCC action cannot be combined with terminal
“intercept” actions.

Tip
The notification email message sent by “monitor” actions can be customized
using the variables shown in Rule Tokens/Variables on page 192.

Using the Bcc Action

The BCC action sends a Bcc (blind carbon copy) to a recipient or recipients
configured in the rule. It is one of the “monitor” class of actions. You can
only configure a notification to be sent to an address in your own domain.

Procedure

1. From the Monitor section of the Action page, select BCC.


2. Type the email address of the recipient in the field. If you have more
than one email address, enter them in the field separated by commas or
semicolons.

Encrypting Outbound Messages


The purpose of this rule action is to protect sensitive data in email messages
sent by users in your organization.

Note
This action only applies to outbound rules.

Actions in this class encrypt the message and then queue it for delivery. This
is a non-intercept action, but no other actions can be taken on the target
message after this rule is triggered. This action has the lowest priority of all
actions, but when triggered it is always the final rule run before the message
is queued for delivery. If more than one rule in the rule set is triggered, the
rule that uses the encrypt email action will always be triggered last.

In most cases, a rule to encrypt email messages will be based on one of the
following:

• Specific senders or recipients of the message (for example, a rule that
encrypts all email sent from Human Resources or the Legal department)

• Specific content in the message body

• Sensitive data contained in the message

Procedure

1. From the “Intercept” section of the Action page, select Do not intercept
messages.

2. From the “Modify” section of the page, select the Encrypt email action.


Reading an Encrypted Email Message


When an “Encrypt Email Message” action is triggered, the recipient can
decrypt the resulting encrypted message in the following way:
Use a web browser. Recipients of encrypted messages who are not using
Email Encryption Client receive an email notification that provides a website
link allowing the recipient to view the content of the message.

Note
Decrypting messages with Microsoft Outlook Web Access 2007 is not supported.
Microsoft Outlook 2016 mail client is supported for decrypting messages.

Below is a sample encrypted email notification message:

Procedure
1. Double-click the attached Encrypted_Message.htm file, which opens in
your default web browser, as shown below.


2. Click Open my email, and if not yet registered, fill in the registration
information on the subsequent pages. If you have already registered for
this service, the encryption site displays your decrypted email at this
point.

Note
The Open my email function may not work reliably with some web-based
email systems. If the button does not work, the customer can save the
attachment to a local computer and then open it again.
Recipients only need to register once. After registering with the Email
Encryption service, the recipient will be able to view decrypted email in a
browser window by clicking Open my email.

3. For enhanced security, match a CAPTCHA image, type and confirm a
pass phrase, and select and answer three security questions. Upon
successful registration, the email encryption site sends an activation
message to the registered email account.
4. Upon receipt of the activation message, click Please click here to
validate your identity. The Trend Micro email encryption site loads in
your browser and displays your decrypted message, as shown below:


About the Send Notification Action


Notifications are messages that are sent when the rule is triggered. They are
one of the “Monitor” actions.
You can only send notification messages from addresses within your own
domain.

Configuring Send Notification Actions

Procedure
1. Select a message from the list of those available on the left side of the
screen.
2. Click the right arrow button (Add>).
The selected message appears in the Selected list on the right side.

Duplicating or Copying Send Notification Actions

Procedure
1. Select a message that you want to create a copy of from the list of those
available on the left side of the screen.


2. Click Copy.
The copy of the selected message appears in the Available list, with the
prefix Copy of in its original name.

Removing Notifications from Rule Actions

Procedure
1. Select the message you want to delete from the Selected list on the right
side.
2. Click Remove.

Deleting Notifications from Lists of Messages


To delete an existing notification message from the list of messages:

Procedure
1. Select the message you want to delete from the list of those available on
the left side of the screen.
2. Click Delete.

Understanding Quarantine
Quarantined messages are blocked as detected spam or other inappropriate
content before delivery to an email account. Messages held in quarantine
can be reviewed and manually deleted or delivered.

WARNING!
Trend Micro Email Security automatically deletes messages from the
quarantine after 30 days.


Do either of the following to manage quarantined messages on the
administrator console:
• Use the Query screen to view a list of quarantined messages for your
managed domains. You can review the messages, delete them, or release
them for further scanning.
Queries include data for up to seven continuous days in one calendar
month. Use more than one query to search across calendar months.
• Use the Digest Settings screen to configure the rules and templates that
Trend Micro Email Security applies to automatically send quarantine
digest notifications. Intended digest recipients can either go to the End
User Console or use inline actions in the digest notifications if available
to manage quarantined messages.

Querying the Quarantine


Use the Query screen to view a list of quarantined messages for your
managed domains. You can review the messages, delete them, or release
them for further scanning.

Procedure
1. In the Dates fields, select a range of dates.

Note
Queries include data for up to seven continuous days in one calendar
month. Use more than one query to search across calendar months.

2. In the Direction field, select a mail traffic direction.


3. Type your search criteria into one or more of the following fields:
• Recipient
• Sender
• Subject


A recipient or sender can be a specific email address or all addresses
from a specific domain.
• Query a specific email address by typing that email address.
• Query all addresses from a domain by using an asterisk (*) to the
left of the at sign (@) in the email address. For example,
*@example.com will search for all email addresses in the
example.com domain.

The following table displays format examples that are valid or not valid:
Table 52. Format Examples for Mail Tracking and Quarantine Query

| Valid | Not Valid |
| --- | --- |
| [email protected] | name@*.example.com |
| *@example.com | *@*.com |
| *@server.example.com | *@* |
| *@*.example.com | |

4. Click Search.
5. Select one or multiple messages to manage.
6. Click one of the following buttons to manage the selected messages:
• Delete: Cancel delivery and permanently delete the message

• Deliver: Release from quarantine


Note
Released messages are no longer marked as spam, but they will
continue to be processed by Trend Micro Email Security. The
following conditions apply to delivery:

• If a message triggers a content-based policy rule with an
Intercept action of Quarantine, it will once again appear in the
quarantined message list.

• If a message triggers a content-based policy rule with an
Intercept action of Delete entire message or Change recipient,
it will not arrive at its intended destination.

7. Optionally click on the Date value to view the Quarantine Query Details
screen for a given message.

a. Check the summary and message view information about the
message.

b. Click Delete, Deliver, or Download to manage the message.

Note
Download: Download the message to your local host.

This button is available only on the Quarantine Query Details screen.

Configuring End User Console Settings


By default, sender addresses shown on the End User Console and in the
quarantine digest notifications are envelope addresses. Trend Micro Email
Security is capable of displaying both the envelope addresses and the
message header addresses if configured.

On the End User Console Settings screen, choose from the following
options:

• Envelope addresses


• Message header addresses

• Both

Note
If Both is selected, each envelope address is followed by the
corresponding message header address in parentheses, for example,
[email protected] ([email protected]).

Quarantine Digest Settings

Note
Quarantine Digest is only available for inbound email messages that matched
the Spam or Graymail criteria.

A quarantine digest notification is an email message Trend Micro Email
Security sends to inform end users of email messages that were temporarily
quarantined. The digest notification lists up to 100 of each end user's
quarantined messages.

You can customize digest rules and templates on the Digest Settings screen.
A digest notification contains the following information:

• A link to access quarantined messages through the End User Console

• The number of new email messages that have been quarantined since
the last notification was sent

• Digest of the new email messages that have been quarantined

• Quarantined: The time an email message was quarantined

• Sender: The sender address of the email message

• Recipient: The recipient address of the email message

• Subject: The email subject


• Manage Messages: The links that users can click to apply actions to
the quarantined message

WARNING!
Inline action links display only when you enable Inline actions in the
digest template.

Anyone receiving the digest notification can take the following inline
actions: Deliver, Deliver & Approve Sender, Block Sender, Approve
Sender Domain, and Block Sender Domain. Therefore,
administrators must warn digest recipients not to forward the digest
notification.

If an end user account manages multiple accounts, Trend Micro Email
Security sends digest notifications for the managed accounts as described in
the following table.

| Source of Managed Accounts | Digest Notification Recipients |
| --- | --- |
| Aliases synchronized from directories | Primary alias. Note: If you have not set the primary alias, digest notifications will be distributed to each email address associated with the current end user account. |
| Manually added accounts | Primary account |

For details about managed accounts, refer to “Managed Accounts” in the
Trend Micro Email Security End User Console Online Help at
https://docs.trendmicro.com/en-us/enterprise/trend-micro-email-security.aspx.

Adding or Editing a Digest Rule


You can customize digest rules for different recipients. If there are multiple
rules, you can set or adjust the priority to apply each rule.


Procedure
1. Go to Quarantine > Digest Settings.
2. Click the Digest Rules tab.
3. Click Add or click the name of an existing rule.
4. In the General Information section, do the following:
a. Click the Status toggle button to enable the current rule.
b. Type the rule name and description.
5. In the Recipients section, select the recipients for digest notifications:
• All recipients: This option only applies to the default rule. All users
of your managed domains will receive digest notifications.
• Specified recipients: This option enables you to choose users from
both your LDAP groups and managed domains and add all of them
as intended recipients.
6. In the Schedule section, select the frequency to send digest
notifications:
• Daily: Specify the exact time to send the digest notifications. A
maximum of six times daily is supported.
Use the add and the remove buttons to manage additional
entries.
• Weekly: Specify the days of the week and time of the day to send the
digest notifications.

Note
The time zone of the browser accessing Trend Micro Email Security is
used.

7. In the Template section, select the digest template that you want to use
for the current rule.


8. Click Save.

The newly added or edited rule displays on the Digest Rules screen. You
can further change the rule status, set the rule priority, copy and delete
the rule.

Note
If the recipient scope for different digest rules conflicts with each other, a
red exclamation mark icon will be shown next to the recipients of each
rule. Hover over the icon to view the current recipients, conflict rules and
conflict recipients. Digest notifications are sent to the conflict recipients
according to the rule with the higher priority. The smaller the priority
number, the higher the priority.

The following table is an example for your reference.

| Digest Rule | Priority | Recipients |
| --- | --- | --- |
| Rule1 | 1 | domain1.com |
| Rule2 | 2 | domain2.com; usergroup1 |

If Rule1 and Rule2 are both enabled and usergroup1 contains some
recipients in domain1.com, this means the two rules have a recipient
conflict. In this case, Trend Micro Email Security applies Rule1 that has
the higher priority to send digest notifications to the conflict recipients.

Adding or Editing a Digest Template


You can create digest templates to define the format and content of
notification email messages that end users receive.

Procedure

1. Go to Quarantine > Digest Settings.

2. Click the Digest Templates tab.


3. Click Add or click the name of an existing template.


4. In the General Information section, specify the template name and
description.
5. In the Digest Notification Template section, configure the following:

Note
The digest notification template is available either in HTML or plain text
versions. Each version of the template can incorporate tokens to
customize output for digest recipients. You can right-click any of the
following fields to display a list of available and selectable tokens for the
field.

• From: Specify the email address that displays as the sender of the
digest notification.
Table 53. From field digest tokens

| Token | Content in Sent Digest Notifications |
| --- | --- |
| %DIGEST_RCPT% | Digest recipient's email address appears in the From field of the received digest notification |

• Subject: Specify the subject line for the digest notification.

Table 54. Subject field digest tokens

| Token | Content in Sent Digest Notifications |
| --- | --- |
| %DIGEST_RCPT% | Digest recipient's email address appears in the subject line |
| %DIGEST_DATE% | Digest date appears in the subject line |

• HTML:
• Specify if Inline actions should be Enabled or Disabled using
the toggle button to the right of Inline actions.
• Select the language you want to use for inline actions from the
Language drop-down list.


• Customize the inline actions that digest recipients can take in
the digest notifications.
The following inline actions are available for your
customization and the first three ones are selected by default:
• Deliver
• Deliver & Approve Sender
• Block Sender
• Approve Sender Domain
• Block Sender Domain
• Specify the HTML content of the digest notification if the email
client accepts HTML messages.
Table 55. HTML field digest tokens

| Token | Content in Sent Digest Notifications |
| --- | --- |
| %DIGEST_RCPT% | Digest recipient's email address appears in the HTML body |
| %DIGEST_DATE% | Digest date appears in the HTML body |
| %DIGEST_BODY_HTML% | Digest summary in HTML table format appears in the HTML body |
| %DIGEST_PAGE_COUNT% | Total number of quarantined messages listed in the digest summary (up to 100) appears in the HTML body |
| %EUC_HOST_SERVER% | Web address of Trend Micro Email Security End User Console appears in the HTML body |

• Plain text: Specify the plain text content of the digest notification if
the email client only accepts plain text messages.


Table 56. Plain text field digest tokens

| Token | Content in Sent Digest Notifications |
| --- | --- |
| %DIGEST_RCPT% | Digest recipient's email address appears in the text body |
| %DIGEST_DATE% | Digest date appears in the text body |
| %DIGEST_BODY_TEXT% | Digest summary in plain text format appears in the text body |
| %DIGEST_PAGE_COUNT% | Total number of quarantined messages listed in the digest summary (up to 100) appears in the plain text body |
| %EUC_HOST_SERVER% | Web address of Trend Micro Email Security End User Console appears in the plain text body |

6. In the Test Digest Mail section, specify the intended digest recipient and
click Test to test digest notification delivery.

The digest recipient receives a notification message. The sender, subject
and content of the notification and the available inline actions match the
configured settings.

Note
Trend Micro Email Security will save the settings after the test.

7. Click Save.

The newly added or edited template displays on the Digest Templates
screen. You can further copy and delete the template if necessary.

Logs in Trend Micro Email Security


Understanding Mail Tracking

This screen is designed for you to track email messages that passed through
Trend Micro Email Security, including blocked or delivered messages. Trend
Micro Email Security maintains up to 90 days of mail tracking logs. The
sliding window for mail tracking log search is 60 continuous days that may
span calendar months.

Note
The sliding window for mail tracking log search is 30 days in the Trend Micro
Email Security Standard license.

For details about different license versions, see Available License Versions on page
18.

The Mail Tracking screen provides the following search criteria:

• Period: The time range for your query.

• Last 1 hour

• Last 24 hours

• Last 7 days

• Last 14 days

• Last 30 days

• Custom range

• Direction: The direction of messages.

• Incoming

• Outgoing

• Recipient: The envelope recipient address.

• Sender: The envelope sender address.


• Email Header (To): The recipient address in the message header.

• Email Header (From): The sender address in the message header.

Note
Pay attention to the following when setting the preceding four address
fields:
• Specify an exact email address or use wildcards (*) to substitute any
characters in a search. In the general format of an email address
(local-part@domain), be aware that:
• The local part must be a wildcard (*) or a character string that
does not start with *, for example, *@example.com or
test*@example.com.
• The domain must be a wildcard (*) or a character string that does
not end with *, for example, example@* or example@*.test.com.
• If this field is left blank, *@* is used by default.
• Use wildcards (*) strategically to expand or narrow your search
results. For example, put a wildcard (*) in the domain part to search
by a particular user account on all domains or in the local part to
match all accounts on a particular domain.

• Type: The type of email traffic that you want to query.


• Accepted traffic: The messages that were allowed in by Trend Micro
Email Security for further processing.
If you select Accepted traffic as your search condition, a summary
of email message traffic accepted by Trend Micro Email Security is
displayed. For a message that has multiple recipients, the result will
be organized as one recipient per entry.
• Blocked traffic: The attempts to send messages that were stopped
by connection-based filtering at the MTA connection level or by
Trend Micro Email Security incoming security filtering.
If you select Blocked traffic as your search condition, you can
further select a block reason. A summary of email message traffic
blocked by Trend Micro Email Security is displayed.


Note
Content-based filtering is not included in this category.

• Action: The last action taken on the message.

• All: All the actions will be matched for your search.

• Bounced: Trend Micro Email Security bounced the message back to
the sender because the message was rejected by the downstream
MTA.

• Temporary delivery error: Trend Micro Email Security attempted
to deliver the message to the downstream MTA but failed due to
unexpected errors. This is a transient state of the message, and a
message should not remain in this state for an extended period of
time.

• Deleted: Trend Micro Email Security deleted the entire email
message according to the matched policy.

• Delivered: Trend Micro Email Security delivered the message to the
downstream MTA.

• Expired: Trend Micro Email Security bounced the message back to
the sender because the message had not been delivered successfully
for a long time.

• Quarantined: Trend Micro Email Security held the message in
quarantine awaiting actions because the message triggered a
certain policy rule. Quarantined messages can be reviewed and
manually deleted or delivered.

• Redirected: Trend Micro Email Security redirected the message to a
different recipient according to the matched policy.

• Submitted to sandbox: Trend Micro Email Security submitted the
message to Virtual Analyzer for further analysis. This is a transient
state of the message, and the state will change once the Virtual
Analyzer analysis result is returned or Virtual Analyzer scan
exception is triggered.


• Subject: The email message subject.

The Subject field supports the following:

• Fuzzy match

Type one or multiple keywords for a fuzzy match. If you type more
than one keyword, all keywords will be matched based on a logical
AND, which means the matched subject must contain every
keyword. Wildcards (*) will be automatically added before and after
each keyword for a fuzzy match.

• Exact keyword or phrase match

Enclose a keyword or phrase in quotes for an exact match. Only
records that contain the exact keyword or phrase will be matched.

For example, there are three email subjects:

• Subject1: Hello world

• Subject2: Hello new world

• Subject3: "Hello"

If you type Hello world in the Subject field, this is a fuzzy match, and
Subject1 and Subject2 will be matched. If you type "Hello world", this
is an exact match using quotes, and only Subject1 will be matched. If you
want to search for Subject3, be aware that quotes are contained by the
subject itself. In this particular case, use backslashes (\) as the escape
characters and type \"Hello\" for search.

• Message ID: The unique ID of an email message.

• Upstream TLS: The version of the TLS protocol used by the upstream
server to connect to Trend Micro Email Security.

• All

• TLS 1.0

• TLS 1.1


• TLS 1.2

• TLS 1.3

• None

• Downstream TLS: The version of the TLS protocol used by Trend Micro
Email Security to connect to the downstream server.

• All

• TLS 1.0

• TLS 1.1

• TLS 1.2

• TLS 1.3

• None

• Attachment SHA256 Hash: The SHA256 hash value of a message
attachment. Specify a SHA256 hash value consisting of 64 hexadecimal
characters or leave it blank.

When a valid SHA256 hash value is specified, the Attachment Status
field displays with the following options:

• All: Query all messages containing the specified attachment. This is
the default option.

• Deleted: Query the messages with the specified attachment deleted.

• Cleaned: Query the messages with the specified attachment cleaned
for malware.

• Bypassed: Query the messages with the specified attachment
bypassed.

• Timestamp: The time a message was received.

Choose the ascending or descending order of time to sort the search
results.
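The Subject field rules described above (keywords combined with a logical AND, quoted phrases, and backslash-escaped quotes) can be modeled in a few lines. This is an added example, not product code; it assumes case-insensitive matching and treats both keyword and phrase matching as "contains" tests, and the function names are hypothetical.

```python
# Model of the Subject-field matching described in the guide (added
# illustration, not product code). Assumptions: matching is case-insensitive
# and both keywords and quoted phrases are "contains" tests.


def parse_subject_query(query):
    """Split a Subject query into search terms.

    Bare words become separate keywords. Text between unescaped double
    quotes is kept together as one phrase. A backslash makes the next
    character literal, which is how a quote inside a subject is searched.
    """
    terms, buf, in_quotes = [], [], False
    i = 0
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):
            buf.append(query[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == '"':
            if buf:  # an opening or closing quote ends the pending term
                terms.append("".join(buf))
                buf = []
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if buf:  # whitespace outside quotes separates keywords
                terms.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        terms.append("".join(buf))
    return terms


def subject_matches(query, subject):
    """True when the subject contains every term of the query (logical AND)."""
    haystack = subject.casefold()
    return all(t.casefold() in haystack for t in parse_subject_query(query))


def search(query, subjects):
    """Return the subjects that match the query, in their original order."""
    return [s for s in subjects if subject_matches(query, s)]


# The three subjects used in the guide's example.
SUBJECTS = ["Hello world", "Hello new world", '"Hello"']

if __name__ == "__main__":
    for q in ["Hello world", '"Hello world"', r"\"Hello\""]:
        print(f"{q!r:20} -> {search(q, SUBJECTS)}")
```
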


When you query mail tracking information, use the various criteria fields to
restrict your searches. After a query is performed, Trend Micro Email
Security provides a list of log records that satisfy the criteria. Select one or
more records and click Export to CSV to export them to a CSV file.
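To fill in the Attachment SHA256 Hash criterion from a saved copy of a suspicious message, the attachment hashes can be computed locally. The following is an added example, not part of the guide or the product; it assumes the hash is taken over the decoded attachment bytes, and the sample message is constructed.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The query field accepts exactly 64 hexadecimal characters.
SHA256_HEX = re.compile(r"[0-9A-Fa-f]{64}")


def is_valid_sha256(value):
    """Check that a string has the 64-hex-character form the field expects."""
    return SHA256_HEX.fullmatch(value.strip()) is not None


def attachment_hashes(raw_message):
    """Return (filename, sha256 hex digest) for every attachment in a message.

    Assumption: the digest is computed over the attachment content after the
    MIME transfer encoding (base64, quoted-printable) has been removed.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():  # walk() also reaches nested multipart containers
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_disposition() != "attachment" and not filename:
            continue  # body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(payload).hexdigest()
        results.append((filename or "(unnamed)", digest))
    return results


# Constructed sample data, not taken from real traffic.
ATTACHMENT_BYTES = b"constructed sample attachment\n"


def build_sample_message():
    """Build a small message with one binary attachment for the demo."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See the attached file.")
    msg.add_attachment(
        ATTACHMENT_BYTES,
        maintype="application",
        subtype="octet-stream",
        filename="report.bin",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for name, digest in attachment_hashes(build_sample_message()):
        print(f"{name}: {digest} (valid for query: {is_valid_sha256(digest)})")
```
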
The most efficient way to query mail tracking information is to provide both
sender and recipient email addresses within a time range that you want to
search. For an email message that has multiple recipients, the result will be
organized as one recipient per entry.
If the message you are tracking cannot be located using this strategy,
consider the following:
• Expand the result set by omitting the recipient.
If the sender is actually blocked by connection-based filtering, the
Blocked traffic results that do not match the intended recipient might
indicate this. Provide only the sender and time range for a larger result
set.
• Look for other intended recipients of the same message.
If the sender IP address has a “bad” reputation, mail tracking
information will only be kept for the first recipient in a list of recipients.
Therefore, the remaining message recipient addresses will not be listed
when querying this sender.
• Expand the result set by omitting the sender.
If the sender IP address has a “bad” reputation, omit the sender and
provide only the recipient. If only the recipient email address is
provided, all the messages that pertain to the recipient will be listed.

Social Engineering Attack Log Details


Trend Micro Email Security provides detailed information for email
messages detected as possible social engineering attacks. To view social
engineering attack details, click the Details link beside Social engineering
attack on the Mail Tracking Details screen.
The following table lists the possible reasons for social engineering attack
detections.


Table 57. Possible reasons for social engineering attack detections

| Email Characteristics | Description |
| --- | --- |
| Inconsistent sender host names | Inconsistent host names between Message-ID (<domain>) and From (<domain>). |
| Broken mail routing path | Broken mail routing path from hop (<IP_address>) to hop (<IP_address>). |
| Mail routing path contains mail server with bad reputation | The mail routing path contains mail server with bad reputation (<IP_address>). |
| Significant time gap during email message transit | Significant time gap (<duration>) detected during email message transit between hops (<source> & <destination>) from time (<date_time>) to time (<date_time>). |
| Inconsistent recipient accounts | Envelope recipient (<email_address>) is inconsistent with header recipient (<email_address>). |
| Possibly forged sender account or unexpected relay/forward | Possibly forged sender account (<email_address>) is sending email messages via host/IP (<host_address>) of which ASNs (<ASN_list>) are inconsistent to sender ASNs (<ASN_list>); or unexpected server-side relay/forward. |
| Email message travels across multiple time zones | The email message travels across time zones (<time_zone_list>). |
| Possible social engineering attack characterized by suspicious charsets in email entities | Suspicious charsets (<character_set_list>) are identified in a single email message, implying the email message originated from a foreign region. This behavior is an indicator of a social engineering attack. |
| Violation of time headers | Multiple time headers (<date_time>, <date_time>) exist in one message, which violates RFC5322 section 3.6. |
| Possibly forged sender (Yahoo) | The email message claimed from Yahoo (<email_address>) lost required headers. |
| Executable files with tampered extension names in the attachment | Executable files in compressed attachment (<file_name>) intend to disguise as ordinary files with tampered extension names. |
| Anomalous relationship between sender/recipient(s) related email headers | Anomalous relationship between sender/recipient(s) related email headers (<email_address>). |
| Encrypted attachment intends to bypass antivirus scan engines | Encrypted attachment (<file_name>) with password (<password>) provided in email content possibly intends to bypass antivirus scan engines. |
| Email attachment could be exploitable | Email attachment (<file_name>) could be exploitable. |

Email message might be sent Content-Transfer-Encoding (<encoding_type>) is abnormal in


from a self-written mail agent the email message. The email message might be sent from a
due to abnormal transfer self-written mail agent.
encoding in email entities

Few meaningful words in the The email message is less meaningful with only few characters
email message in its text/HTML body (<character_count>).

Possible email spoofing The email message was claimed as a forwarded or replied
message with subject-tagging (<email_subject>), but the
email message does not contain corresponding email headers
(RFC 5322).

Email message travels across The email message travels across multiple ASNs (<ASN_list>).
multiple ASNs

Email message travels across The email message travels across multiple countries
multiple countries (<country_code_list>).

Abnormal Content-type Content-type in email content should not have attributes


behavior in email message (<attribute_list>).

Executable files archived in Executable files archived in compressed attachment


the compressed attachment (<file_name>).

Exploitable file types Exploitable file types detected in compressed attachment


detected in the compressed (<file_name>).
attachment

Sender account header The email message was sent from an email client or service
potentially modified provider (<user_agent>) that allows modification of the
sender address or nickname.

217
Trend Micro Email Security Administrator's Guide

Email Characteristics Description

Conversation history in email The email message includes a conversation history between
body (<email_account>) and (<email_account>). This email
message may be part of a man-in-the-middle attack.

Internal message with a The reply-to domain (<domain_name>) has been disguised to
disguised reply-to domain be similar to the sender and recipient domains
(domain_name). The email message may be disguised to
appear internal.

Internal message with a The reply-to domain (<domain_name>) belongs to a public


public reply-to domain messaging service but the sender and recipient domains are
the same (<domain_name>). The email message may be
disguised to appear internal.

Nickname of company The sender header (<sender_header>) contains a nickname


executive with public domain that appears to be a company executive and an email address
address from a public messaging service.

Reply-to account disguised to The reply-to account (<email_account>) uses a different


be similar to sender account domain but similar information to the sender account
(<email_account>) to disguise the two accounts to be from the
same individual.

Sender account possibly The sender account (<email_account>) has been associated
associated with targeted with one or more targeted attacks or performed behavior
attacks consistent with targeted attacks.

Sender domain disguised to The sender domain (<domain_name>) is different but similar
be similar to recipient to the recipient domain (<domain_name>). The email
domain message may be disguised to appear internal.

Sender host name possibly The sender host name (<host_name>) has been associated
associated with targeted with one or more targeted attacks or performed behavior
attacks consistent with targeted attacks.

Sender IP address possibly The sender IP address (<ip_address>) has been associated
associated with targeted with one or more targeted attacks or performed behavior
attacks consistent with targeted attacks.
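To make a few of the header-based reasons in Table 57 concrete, the following added example (not Trend Micro code, and not how the service itself decides) checks a raw message for five of them with the Python standard library. The public-domain list, the naive subdomain comparison and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: tiny illustrative list; a real check needs a maintained one.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
REPLY_TAG = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain of an address or Message-ID, or '' if there is none."""
    _, at, dom = address.strip().strip("<>").rpartition("@")
    return dom.lower() if at else ""


def related(a, b):
    """Naive same-organization test: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def header_findings(raw_message, envelope_recipients=()):
    """Return the Table 57 characteristics that this message's headers exhibit."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    header_rcpts = [addr.lower() for _, addr in getaddresses(to_cc) if addr]

    # Message-ID domain should belong to the same organization as From.
    mid_dom = domain_of(msg.get("Message-ID", ""))
    if from_dom and mid_dom and not related(from_dom, mid_dom):
        findings.append("Inconsistent sender host names")

    # RFC 5322 section 3.6 allows exactly one Date header.
    if len(msg.get_all("Date", [])) > 1:
        findings.append("Violation of time headers")

    # A "RE:"/"FW:" subject without In-Reply-To or References has no thread.
    if REPLY_TAG.match(msg.get("Subject", "")) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("Possible email spoofing")

    # Envelope (RCPT TO) recipient missing from To/Cc. Bcc also causes this.
    if any(r.lower() not in header_rcpts for r in envelope_recipients):
        findings.append("Inconsistent recipient accounts")

    # Sender and recipients share one domain, but replies go to a public mailbox.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    rcpt_doms = {domain_of(a) for a in header_rcpts}
    if reply_dom in PUBLIC_MAIL_DOMAINS and from_dom and rcpt_doms == {from_dom}:
        findings.append("Internal message with a public reply-to domain")
    return findings


# Constructed sample messages (not taken from any real mail flow).
SUSPICIOUS = """\
From: Pat Lee <pat.lee@example.com>
To: finance@example.com
Reply-To: pat.lee.office@gmail.com
Subject: RE: Wire transfer today
Message-ID: <20210104.1234@mailer.example.net>
Date: Mon, 4 Jan 2021 09:00:00 +0000
Date: Mon, 4 Jan 2021 17:30:00 +0800

Please process the attached invoice before noon.
"""

CLEAN = """\
From: Sam Ray <sam.ray@example.com>
To: finance@example.com
Subject: Re: Q4 numbers
Message-ID: <abc123@mail.example.com>
In-Reply-To: <xyz789@mail.example.com>
Date: Mon, 4 Jan 2021 09:00:00 +0000

Numbers attached.
"""

if __name__ == "__main__":
    print(header_findings(SUSPICIOUS, ["finance@example.com"]))
    print(header_findings(CLEAN, ["finance@example.com"]))
```

Each single finding has benign causes (Bcc delivery, third-party mailers), which is why they are best treated as signals to combine rather than verdicts.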


Business Email Compromise Log Details


Trend Micro Email Security provides detailed information for email
messages detected as analyzed or probable Business Email Compromise
(BEC) attacks. To view BEC attack details, click the BEC Report link in the
Actions section on the Mail Tracking Details screen.

The possible reasons for BEC attack detections are the same as those for
social engineering attack detections. See Social Engineering Attack Log Details
on page 215 for details.

Understanding Policy Events


This screen enables you to track threat detections in email messages
received or sent by Trend Micro Email Security. Trend Micro Email Security
maintains up to 90 days of policy event logs. The sliding window for policy
event log search is 60 continuous days that may span calendar months.

Note
The sliding window for policy event log search is 30 days in the Trend Micro
Email Security Standard license.

For details about different license versions, see Available License Versions on page
18.

The Policy Events screen provides the following search criteria:

• Period: The time range for your query.

• Last 1 hour

• Last 24 hours

• Last 7 days

• Last 14 days

• Last 30 days


• Custom range

• Direction: The direction of messages.

• Incoming

• Outgoing

• Recipient: The envelope recipient address.

• Sender: The envelope sender address.

• Email Header (To): The recipient address in the message header.

• Email Header (From): The sender address in the message header.

Note
Pay attention to the following when setting the preceding four address
fields:

• Specify an exact email address or use wildcards (*) to substitute any
characters in a search. In the general format of an email address
(local-part@domain), be aware that:

• The local part must be a wildcard (*) or a character string that
does not start with *, for example, *@example.com or
test*@example.com.

• The domain must be a wildcard (*) or a character string that does
not end with *, for example, example@* or example@*.test.com.

• If this field is left blank, *@* is used by default.

• Use wildcards (*) strategically to expand or narrow your search
results. For example, put a wildcard (*) in the domain part to search
by a particular user account on all domains or in the local part to
match all accounts on a particular domain.

• Subject: The email message subject.

The Subject field supports the following:

• Fuzzy match


Type one or multiple keywords for a fuzzy match. If you type more
than one keyword, all keywords will be matched based on a logical
AND, which means the matched subject must contain every
keyword. Wildcards (*) will be automatically added before and after
each keyword for a fuzzy match.
• Exact keyword or phrase match
Enclose a keyword or phrase in quotes for an exact match. Only
records that contain the exact keyword or phrase will be matched.
For example, there are three email subjects:
• Subject1: Hello world
• Subject2: Hello new world
• Subject3: "Hello"
If you type Hello world in the Subject field, this is a fuzzy match, and
Subject1 and Subject2 will be matched. If you type "Hello world", this
is an exact match using quotes, and only Subject1 will be matched. If you
want to search for Subject3, be aware that quotes are contained by the
subject itself. In this particular case, use backslashes (\) as the escape
characters and type \"Hello\" for search.
• Rule Name: The name of the rule that was triggered by email messages.
The Rule Name field supports the following:
• A maximum of 20 rules in use will be listed for you to choose when
you click in this text box.
• Select from the rules listed or type keywords for a fuzzy match.
• Threat Type: The type of threats detected in email messages.
• All: Query all messages.
• Domain-based Authentication: Query the messages that failed to
pass domain-based authentication.
• All: Query the messages that failed Sender IP Match, SPF, DKIM
and DMARC authentication.


• Sender IP Match: Query the messages that failed Sender IP
Match check.
• SPF: Query the messages that failed SPF check.
• DKIM: Query the messages that failed DKIM verification.
• DMARC: Query the messages that failed DMARC
authentication.
• Advanced Persistent Threat: Query the messages that triggered the
advanced threat policy.
• All: Query all messages triggering the advanced threat policy.
• Analyzed Advanced Threats (Files): Query the messages that
are identified as advanced file threats according to Virtual
Analyzer and the policy configuration.
• Analyzed Advanced Threats (URLs): Query the messages that
are identified as advanced URL threats according to Virtual
Analyzer and the policy configuration.
• Probable Advanced Threats: Query the messages that are
treated as suspicious according to policy configuration or the
messages that are not sent to Virtual Analyzer due to exceptions
that occurred during analysis.
• Attachment: Query the messages that triggered the message
attachment criteria.
• Business Email Compromise (BEC): Query the messages that
triggered the Business Email Compromise (BEC) criteria.
• All: Query all messages triggering the BEC criteria.
• Detected by Antispam Engine: Query the messages that are
verified to be BEC attacks by the Antispam Engine.
• Detected by writing style analysis: Query the messages that
are verified to be BEC attacks by writing style analysis.
• Suspected by Antispam Engine: Query the messages that are
suspected to be BEC attacks by the Antispam Engine.


• Content: Query the messages that triggered the message content
criteria. For example, a message's header, body or attachment
matches the specified keywords or expressions.
• Suspicious Objects: Query the messages that contain suspicious
files and URLs.
• All: Query all messages containing suspicious objects.
• Suspicious Files: Query all messages containing suspicious
files.
• Suspicious URLs: Query all messages containing suspicious
URLs.
• Data Loss Prevention: Query the messages that triggered the Data
Loss Prevention policy.
• Graymail: Query the messages that triggered the graymail criteria.
• All: Query all graymail messages.
• Marketing message and newsletter
• Social network notification
• Forum notification
• Bulk email message
• Phishing: Query the messages that triggered the phishing criteria.
• Ransomware: Query the messages that are identified as
ransomware.
• Scan Exception: Query the messages that triggered scan exceptions.
• Virtual Analyzer scan exception
• Virtual Analyzer submission quota exception
• Other exceptions
• Spam: Query the messages that are identified as spam.


• Malware: Query the messages that triggered the malware criteria.

When Malware is selected as the threat type, the Detected By field
displays with the following options:

• All: Query all messages triggering the malware criteria.

• Predictive Machine Learning: Query the messages containing
malware, as detected by Predictive Machine Learning.

• Pattern-based scanning: Query the messages containing
malware, as detected by traditional pattern-based scanning.

• Web Reputation: Query the messages that triggered the Web
Reputation criteria.

• Threat Name: The name of threats detected in email messages.

• Message ID: A unique identifier for the message.

When you query policy event information, use the various criteria fields to
restrict your searches. After a query is performed, Trend Micro Email
Security provides a list of log records that satisfy the criteria. Select one or
more records and click Export to CSV to export them to a CSV file.

The most efficient way to query policy event information is to provide both
sender and recipient email addresses, message subject and message ID
within a time range that you want to search. For an email message that has
multiple recipients, the result will be organized as one entry.

In addition to the search criteria, detailed policy event information provides
the following:

• Timestamp: The time the policy event occurred. Click on the
Timestamp value to view the event details for a given message.

• Message Size: The size of the message. This information is not always
available.

• Action: The action taken on the email message.

• Attachment deleted: Deleted the attachment from the message.


• BCC: Sent a blind carbon copy (BCC) to the recipient.


• Bypassed: Did not intercept the message.
• Cleaned: Cleaned the message for malware.
• Delivered: Delivered the message to the recipient.
• Message deleted: Deleted the entire email message.
• Notification sent: Sent a notification message to the recipient when
a policy was triggered.
• Quarantined: Held the message in quarantine awaiting user actions
on the End User Console. Messages held in quarantine can be
reviewed and manually deleted or delivered.
• Recipient changed: Changed the recipient and redirected the
message to a different recipient as configured in the policy
triggered.
• Rejected: Blocked the message before it arrived at Trend Micro
Email Security.
• Stamp inserted: Inserted a stamp into the message body.
• Subject tagged: Inserted configurable text into the message subject
line.
• Submitted for encryption: Submitted to the encryption server for
processing. After encryption is complete, Trend Micro Email
Security will queue the message for delivery.
• X-Header inserted: Inserted an X-Header to the message header.
• (Optional) Risk Rating: The risk rating of the message identified by
Virtual Analyzer.
• (Optional) Violating URLs: The URLs in the message that violated the
Web Reputation criteria.
• (Optional) Violating Files: The files in the message that violated the
malware or ransomware criteria.


• (Optional) Malware: The specific malware detected in the message.


• (Optional) Scanned File Reports: The reports for the attached files in
messages. If a file is analyzed for advanced threats, the risk level for the
file is displayed here. If a report exists, click View Report to see the
detailed report.
Detailed reports are available only for suspicious files that are analyzed
by Virtual Analyzer.
• (Optional) Scanned URL Reports: The reports for the embedded URLs
in messages. If a URL is analyzed for advanced threats, the risk level of
the URL is displayed here. If a report exists, click View Report to see the
detailed report.
• (Optional) DLP Incident: The information about the DLP incident
triggered by the message. Click View Details to check the incident
details.
• (Optional) Analyzed Report: The information about BEC related
characteristics that were detected in the message.
• (Optional) Exception Details: The specific exception that was triggered
by the message.


Predictive Machine Learning Log Details


You can view a comprehensive report for each Predictive Machine Learning
log detection by clicking the Predictive Machine Learning Log Details link
on the Policy Event Details screen.

The Predictive Machine Learning Log Details screen consists of two
sections:
• Top banner: Specific details related to this particular log detection
• Bottom tab controls: Details related to the Predictive Machine Learning
threat, including threat probability scores and file information
The following table discusses the information provided in the top banner.


Table 58. Log Details - Top Banner

| Section | Description |
|---|---|
| Detection name | Indicates the name of the Predictive Machine Learning detection. Example: Ransom.Win32.TRX.XXPE1 |
| Detection time / Action | Indicates when this specific log detection occurred and the action taken on the threat |
| File name | Indicates the name of the file that triggered the detection |
| Recipient | Displays the recipient of the email message that triggered the detection |

The following table discusses the information provided on the bottom tabs.
Table 59. Log Details - Tab Information

| Tab | Description |
|---|---|
| Threat Indicators | Provides the results of the Predictive Machine Learning analysis. • Threat Probability: Indicates how closely the file matched the malware model. • Probable Threat Type: Indicates the most likely type of threat contained in the file after Predictive Machine Learning compared the analysis to other known threats. • Similar Known Threats: Provides a list of known threat types that exhibit similar file features to the detection. |
| File Details | Provides general details about the file properties for this specific detection log |

Understanding URL Click Tracking


The URL Click Tracking screen enables you to track the URL clicks where
Trend Micro Email Security provides Time-of-Click Protection.

Trend Micro Email Security maintains up to 30 days of URL click tracking log
information.


The URL Click Tracking screen provides the following search criteria:
• Dates: The time range for your query.
• Direction: The direction of messages.

Note
URL click tracking applies only to URL clicks protected by Trend Micro
Email Security using Time-of-Click Protection.

• Recipient: The recipient email address.


• Sender: The sender email address.
• URL: The URL contained in the message.
• Message ID: A unique identifier for the message.
When you query URL click tracking information, use the various criteria
fields to restrict your searches. After a query is performed, Trend Micro
Email Security provides a list of log records that satisfy the criteria. Select
one or more records and click Export to CSV to export them to a CSV file.
In addition to the search criteria, detailed URL click tracking information
provides the following:
• Time of Click: The time a URL was clicked.
• Action Applied: The action taken on the URL. For all the actions, see
Actions below.
• Blocked: Trend Micro Email Security blocked the URL that a user
wanted to access.
• Allowed: Trend Micro Email Security allowed a user to access the
requested URL.
• Warned and stopped: Trend Micro Email Security warned a user of
the threat, and the user stopped access to the URL.
• Warned but accessed: Trend Micro Email Security warned a user of
the threat, but the user continued to access the URL.


Understanding Audit Log


The Audit Log screen enables you to track the administration and user
events that occurred in Trend Micro Email Security.

Trend Micro Email Security maintains up to 30 days of audit log information.

The Audit Log screen provides the following search criteria:

• Account and Type: The account name and the type for which you want
to search the audit log.

• Dates: The time range for your query.

When you query audit logs, use the various criteria fields to restrict your
searches. After a query is performed, Trend Micro Email Security provides a
list of log records that satisfy the criteria. Select one or more records and
click Export to CSV to export them to a CSV file.

To see the detail of an event, click on the time under the Timestamp column.

The Audit Log Details screen displays the following information:

• User: The administrator or user name under which the event occurred.

• Event Type: The type of event that occurred.

• Timestamp: The date and time when the event occurred.

• Affected Domain(s): The domains (if any) that were affected by the
event.

• Fields:

• Field: The name of the fields that were affected by the event.

• New Value: The latest value of the field after the event occurred.

• Previous Value: The previous value of the field (if any) before the
event occurred.


Configuring Syslog Settings


When receiving events, Trend Micro Email Security stores the events in its
database and forwards syslog messages to an external syslog server in a
structured format, which allows third-party application integration.
The Syslog Settings screen is composed of the following tabs:
• Syslog Forwarding: Specifies the mapping between syslog servers and
different types of logs.
• Syslog Server Profiles: Enables you to add, edit or delete syslog servers
for syslog forwarding.


Note

• To ensure Trend Micro Email Security can properly forward syslog
messages, configure your firewall to accept connections from the following
IP addresses or CIDR blocks:

• North America, Latin America and Asia Pacific:
18.208.22.64/26
18.208.22.128/25
18.188.9.192/26
18.188.239.128/26

• Europe, the Middle East and Africa:
18.185.115.0/25
18.185.115.128/26
34.253.238.128/26
34.253.238.192/26

• Australia and New Zealand:
13.238.202.0/25
13.238.202.128/26

• Japan:
18.176.203.128/26
18.176.203.192/26
18.177.156.0/26
18.177.156.64/26

• Be aware that Trend Micro Email Security keeps syslog messages for 7 days
if your syslog server is unavailable. Messages older than 7 days will not be
restored when your syslog server recovers.


Syslog Forwarding
Configure the syslog server where Trend Micro Email Security forwards
different types of logs.

Procedure
1. Go to Logs > Syslog Settings.
The Syslog Forwarding tab appears by default.
2. From the Detection logs drop-down list, select a syslog server for Trend
Micro Email Security to forward syslog messages on threat detections.
a. Select from any of the following options:
• None: Select this option to disable syslog forwarding for this
type of logs.
• New: Select this option to add a new syslog server.
For details on syslog server profiles, see Syslog Server Profiles on
page 234.
• Any syslog server profile: Select any profile you configured for
forwarding this type of logs.
b. Select the Include spam detections check box if you want to include
spam detection logs in syslog forwarding.
3. From the Audit logs drop-down list, select a syslog server for Trend
Micro Email Security to forward syslog messages for audit logs.
4. From the Mail tracking logs drop-down list, select a syslog server for
Trend Micro Email Security to forward syslog messages for mail tracking
logs, which are related to the accepted traffic that passed through Trend
Micro Email Security.


Note
For details about the accepted traffic defined in mail tracking logs, see
Understanding Mail Tracking on page 210.

Syslog Server Profiles


Trend Micro Email Security allows you to add, edit or delete syslog server
profiles for syslog forwarding.

Procedure
1. Go to Logs > Syslog Settings.
The Syslog Forwarding tab appears by default.
2. Click the Syslog Server Profiles tab.
3. Click Add or click the name of an existing profile.
The Add Syslog Server Profile or Edit Syslog Server Profile screen
appears.
4. Specify or edit the following for a syslog server:
• Profile name: Unique profile name for a syslog server.
• Description: Description of this profile.
• Server address: IP address or FQDN of the syslog server.
• Port: Port number of the syslog server.
• Protocol: Protocol to be used to transport logs to the syslog server.
• TCP
• TLS+TCP
This option applies the Transport Layer Security (TLS)
encryption for messages sent to the syslog server.


• Format: Format in which event logs are sent to the syslog server.
• Key value
• CEF
For details about Common Event Format (CEF), see
Content Mapping Between Log Output and CEF Syslog Type on page
236.
• Severity: Severity level assigned to syslog messages.
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug
• Facility:
• user
• mail
• auth
• authpriv
• local0
• local1
• local2
• local3


• local4
• local5
• local6
• local7
• Enable TLS authentication: Whether to enable TLS authentication
for the connection between the syslog server and Trend Micro
Email Security.
5. Click Save.
If you select the Enable TLS authentication check box, Trend Micro
Email Security starts to execute TLS authentication.
• If the TLS authentication is successful, the new syslog server profile
appears in the profile list on the Syslog Server Profiles tab or the
existing profile is updated.
• If the TLS authentication is unsuccessful, the Peer Certificate
Summary dialog box pops up, displaying peer certificate
information such as the certificate ID, subject, and subject key ID.
When detecting that the certificate is not issued by a known
Certificate Authority (CA), Trend Micro Email Security prompts you
to trust or not trust the certificate. In other cases, an error message
is displayed, instructing you how to fix the error.

Note
To test the connection between the syslog server and Trend Micro Email
Security, click Test under Connection.

Content Mapping Between Log Output and CEF Syslog Type


To enable flexible integration with third-party log management systems,
Trend Micro Email Security supports Common Event Format (CEF) as the
syslog message format.


Common Event Format (CEF) is an open log management standard created
by HP ArcSight. Trend Micro Email Security uses a subset of the CEF
dictionary.
The following tables outline syslog content mapping between Trend Micro
Email Security log output and CEF syslog types.

CEF Detection Logs


Table 60. CEF Detection Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | TMES |
| Header (pver) | Appliance version | Example: 1.0.0.0 |
| Header (eventid) | Signature ID | 100101 |
| Header (eventName) | Description | DETECTION |
| Header (severity) | Email severity | 6: Medium |
| rt | Log generation time | Example: 2018-06-28 03:22:31 |
| cs1Label | Event type | eventType |
| cs1 | Event type | Example: ransomware |
| cs2Label | Domain name | domainName |
| cs2 | Domain name | Example: example1.com |
| suser | Email sender | Example: [email protected] |
| duser | Email recipients | Example: [email protected] |
| cs3Label | Email message direction | direction |
| cs3 | Email message direction | incoming, outgoing |
| cs4Label | Unique message identifier | messageId |
| cs4 | Unique message identifier | Example: [email protected]m |
| msg | Email subject | Example: hello |
| cn1Label | Email message size | messageSize |
| cn1 | Email message size | Example: 1809 |
| cs5Label | Violated event analysis | policyName |
| cs5 | Violated event analysis | Example: Spam |
| cs6Label | Violated event details | details |
| cs6 | Violated event details | Example: {"threatNames":"Troj", "fileInfo":[{"fileName":"file1","fileSha256":"ab "threatName":"Troj"}]} |
| act | Action in the event | Quarantine, Bypass, Delete Attachment, Insert Stamp, Tag Subject, Change Recipient, Delete Message, Send Notification, Reject, Clean, BCC, Deliver, Insert X-Header, Encryption in progress |

Log sample:
CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|rt=2018-06-28 03:22:31
cs1Label=eventType cs1=virus cs2Label=domainName cs2=example1.com
[email protected] [email protected] cs3Label=direction
cs3=incoming cs4Label=messageId [email protected]
msg=test sample cn1Label=messageSize cn1=1809 cs5Label=policyName
cs5=Test Rule act=Quarantine cs6Label=details cs6={"threatNames":"Troj",
"fileInfo":[{"fileName":"file1","fileSha256":"abcd1234dae60bcae54516be6c9953b4bb9644e188606cea
"threatName":"Troj"}]}

CEF Audit Logs


Table 61. CEF Audit Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | TMES |
| Header (pver) | Appliance version | Example: 1.0.0.0 |
| Header (eventid) | Signature ID | 300101 |
| Header (eventName) | Description | AUDIT |
| Header (severity) | Email severity | 4: Low |
| rt | Log generation time | Example: 2018-06-28 03:22:31 |
| cs1Label | Account type | accountType |
| cs1 | Account type | end user, admin |
| suser | Email sender | Example: [email protected] |
| cs2Label | Event type | eventType |
| cs2 | Event type | Example: End-User Actions |
| act | Action in the event | Example: User login to End User Console |
| cs3Label | Domain affected by the event | affectedDomains |
| cs3 | Domain affected by the event | Example: example1.com |

Log sample:
CEF:0|Trend Micro|TMES|1.0.0.0|300101|AUDIT|4|rt=2018-06-28 03:22:31
cs1Label=accountType cs1=end user [email protected] cs2Label=eventType
cs2=End-User Actions act=User login to End User Console cs3Label=affectedDomains
cs3=


CEF Mail Tracking Logs (Accepted Traffic)


Table 62. CEF Mail Tracking Logs (Accepted Traffic)

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | TMES |
| Header (pver) | Appliance version | Example: 1.0.0.0 |
| Header (eventid) | Signature ID | 400101 |
| Header (eventName) | Description | TRACKING |
| Header (severity) | Email severity | 4: Low |
| rt | Log generation time | Example: 2018-06-28 03:22:31 |
| suser | Email sender | Example: [email protected] |
| duser | Email recipients | Example: [email protected] |
| msg | Email subject | Example: hello |
| src | Source IP address | Example: 10.1.144.199 |
| deviceTranslatedAddress | Relay MTA IP address | Example: 204.92.31.146 |
| cs1Label | Internal email message ID | mailUuid |
| cs1 | Internal email message ID | Example: 6965222B-13A6-C705-89D4-6251B6C41E03 |
| cs2Label | Email message direction | direction |
| cs2 | Email message direction | incoming, outgoing |
| cs3Label | Unique message identifier | messageId |
| cs3 | Unique message identifier | Example: [email protected]m |
| cs4Label | Email attachments | attachments |
| cs4 | Email attachments | Example: [["filename", "sha256"], ["filename", "sha256"], ...] |
| cn1Label | Email message size | messageSize |
| cn1 | Email message size | Example: 1809 |
| act | Action on an email message | Bounced, Temporary delivery error, Deleted, Delivered, Expired, Quarantined, Redirected, Submitted to sandbox, Password analyzing |
| cs5Label | TLS information | tlsInfo |
| cs5 | TLS information | Example: upstreamTLS: None; downstreamTLS: TLS 1.2 |

Log sample:
CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|rt=2019-12-10T08:26:46.728Z
[email protected] [email protected] msg=DLP--test src=1.1.1.1
deviceTranslatedAddress=2.2.2.2 cs1Label=mailUuid
cs1=7ea8f636-c26e-4b78-a341-9b5becb83db7 cs2Label=direction cs2=incoming
cs3Label=messageId cs3=<[email protected]>
cn1Label=messageSize cn1=41438 act=Delivered cs4Label=attachments
cs4=[{"sha256":"f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"}]
cs5Label=tlsInfo cs5=upstreamTLS: None; downstreamTLS: TLS 1.2
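
The following parser is an added example, not part of the Trend Micro guide or product: it reads a mail tracking record in the Table 62 layout, folds each csN/cnN value under its label, accepts both attachment shapes shown above (the table's list pairs and the sample's JSON objects), and reports which hops carried no TLS. The function names and the sample record are constructed for illustration.

```python
import json
import re

# Constructed record in the Table 62 layout (addresses, IPs and hash are made up).
SAMPLE = (
    "CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|"
    "rt=2019-12-10T08:26:46.728Z suser=alice@example.org duser=bob@example.com "
    "msg=Q3 invoice \\= overdue src=192.0.2.10 deviceTranslatedAddress=198.51.100.7 "
    "cs1Label=mailUuid cs1=7ea8f636-c26e-4b78-a341-9b5becb83db7 "
    "cs2Label=direction cs2=incoming "
    "cs3Label=messageId cs3=<20191210082646.1234@mail.example.org> "
    "cn1Label=messageSize cn1=41438 act=Delivered cs4Label=attachments "
    'cs4=[{"sha256":"' + "ab" * 32 + '"}] '
    "cs5Label=tlsInfo cs5=upstreamTLS: None; downstreamTLS: TLS 1.2"
)

HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# An extension key is a word at the start of the text or after whitespace, followed by "=".
KEY_RE = re.compile(r"(?<!\S)([A-Za-z]\w*)=")


def parse_cef(line):
    """Split a CEF line into (header dict, raw extension dict)."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_KEYS, parts[:7]))
    header["logVer"] = parts[0][4:].strip()
    ext, fields = parts[7], {}
    hits = list(KEY_RE.finditer(ext))
    for i, hit in enumerate(hits):
        # A value runs up to the next key, so it may contain spaces.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        raw = ext[hit.end():end].strip()
        # CEF escapes "=" and "\" inside extension values.
        fields[hit.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return header, fields


def normalise_attachments(raw):
    """Accept [["filename", "sha256"], ...] or [{"sha256": ...}, ...]."""
    if not raw:
        return []
    result = []
    for item in json.loads(raw):
        if isinstance(item, dict):
            result.append({"filename": item.get("filename"), "sha256": item.get("sha256")})
        else:
            name, digest = item
            result.append({"filename": name, "sha256": digest})
    return result


def parse_tls(raw):
    """Turn 'upstreamTLS: None; downstreamTLS: TLS 1.2' into a dict."""
    hops = {}
    for part in raw.split(";"):
        if ":" in part:
            hop, proto = part.split(":", 1)
            hops[hop.strip()] = None if proto.strip() == "None" else proto.strip()
    return hops


def parse_tracking(line):
    """Parse one tracking record and key custom fields by their label."""
    header, fields = parse_cef(line)
    rec = {"header": header}
    for key, value in fields.items():
        if key.endswith("Label"):
            continue
        rec[fields.get(key + "Label", key)] = value
    rec["messageSize"] = int(rec["messageSize"]) if rec.get("messageSize") else None
    rec["attachments"] = normalise_attachments(rec.get("attachments"))
    rec["tlsInfo"] = parse_tls(rec.get("tlsInfo", ""))
    return rec


def cleartext_hops(rec):
    """Names of the hops whose tlsInfo value is None."""
    return [hop for hop, proto in rec["tlsInfo"].items() if proto is None]


if __name__ == "__main__":
    record = parse_tracking(SAMPLE)
    print(record["mailUuid"], record["act"], cleartext_hops(record))
```
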


Reports
Trend Micro Email Security provides reports to assist in mitigating threats
and optimizing system settings. Generate reports based on a daily, weekly,
monthly or quarterly schedule. Trend Micro Email Security offers flexibility
in specifying the content for each report.
Reports are generated in PDF format.

My Reports
The My Reports tab shows all reports generated by Trend Micro Email
Security.
From the Type drop-down list, select the type of scheduled reports you
want to view.

| Field | Description |
|---|---|
| Period | Time range that a report covers. |
| Type | Type of the scheduled report listed. |
| Report | File format of the report, which is PDF only. |
| Generated | Time when the report is generated. |

On the My Reports screen, you can also sort the reports by the time they
were generated and download reports to your local system for further
analysis.
The information displayed in a report could vary depending on the options
you select, and threat types included in reports are consistent with those
shown on the dashboard.


Note
On the My Reports screen, you can save a maximum of 31 daily reports, 12
weekly reports, 12 monthly reports, and 4 quarterly reports. If the number of
reports reaches the maximum, the oldest report will be overwritten.

Scheduled Reports
Scheduled reports automatically generate according to the configured
schedules. The Schedules tab shows all the report schedules, and each
schedule contains settings for reports. Reports generate on a specified day of
each schedule, which is not configurable.
• Weekly reports generate on every Sunday.
• Monthly reports generate on the first calendar day of every month.
• Quarterly reports generate on the first calendar day of every quarter.

Note
This screen does not contain any generated reports. To view the generated
reports, go to Reports > My Reports.

Procedure
1. Go to Reports > Schedules.
2. Choose the type of scheduled reports you want to generate and click the
report type:
• Daily Report
• Weekly Report
• Monthly Report
• Quarterly Report
3. Complete settings for the scheduled reports.

• Status: Specifies whether to enable the scheduled reports.

• Report Content: Specifies the detailed information contained in the
scheduled reports.

• Sending schedule: Specifies how often and when scheduled reports
will be sent by email.

Note
When a monthly report schedule is set to send reports on the 29th,
30th, or 31st day, the report is delivered on the last day of the month
for months with fewer days. For example, if you select 31, the report
is delivered on the 28th (or 29th) in February, and on the 30th in
April, June, September, and November.

By default, quarterly reports are delivered at 8:00 a.m. on the first day
of each calendar quarter, and the default setting is not configurable.

• Notify: Specifies the recipients of the scheduled reports.

Note
Make sure the recipients' domains are your managed domains.
Separate multiple recipients with a semicolon.

4. Click Save.

Configuring Administration Settings

Policy Objects
Common policy objects, such as keyword expressions, notifications, stamps
and the Web Reputation Approved List, simplify policy management by storing
configurations that can be shared across all policies.


Managing Address Groups


You can use the Address Groups screen to manage address groups in Trend
Micro Email Security.
Table 63. Address Groups Screen

Task: Querying Address Groups
Steps:
1. Specify an address group name or an email address.
2. Click Search.

Task: Adding an Address Group
Steps:
Click Add.
1. In the Basic Information section, provide the following
information:
• Name: A name for the address group.
• Description (optional): A description for the address
group.
• Internal Group (optional): An address group that only
contains managed domains or email addresses that
belong to managed domains.

Important
Creating an address group facilitates your policy
management. When specifying senders (or sender
exceptions) in outbound policies or recipients (or
recipient exceptions) in inbound policies, you
must use internal groups.

2. In the Email Addresses section, choose either of the following
ways to specify the email addresses in the address group:
• Specify the email address in the text box and click Add.
The email address can be in either of the following
formats: [email protected] or *@trendmicro.com
The latter specifies all email addresses from the
trendmicro.com domain.

Note
Only one email address can be added at a time.

• Import email addresses.
a. Click Import.
b. Next to File location, browse and select a CSV file to
import.
You can click Download sample file to view a
sample of a properly formatted file.
Trend Micro Email Security checks all the entries in
the selected file to identify any invalid and duplicate
email addresses.
c. After you confirm all the entries to be imported, click
Import.
3. Click Submit.

Task: Editing an Address Group
Steps:
In the Address Groups list, click the name of the group you want to
edit and follow the instructions in the Adding an Address Group
procedure in this table.

Task: Deleting Address Groups
Steps:
In the Address Groups list, select the groups to delete. Click
Delete, and click OK to confirm.

Note
Only address groups that are not referenced by any policies
can be deleted.

Keyword Expressions
Keyword expressions can be:
• Groups of literal text characters
• Patterns, defined using symbols (regular expressions) that describe a
range of possible groupings of text
• A mixture of literal text and symbolic patterns
For example, a keyword expression might be a single word, a phrase, or even
a substring; or it might be a pattern that defines a more general grouping of
text, such as an asterisk used as a wildcard to stand in for any text of one or
more characters in length.
Regular expressions, often called regexes, are sets of symbols and syntactic
elements used to match patterns of text. The symbols stand in for character
patterns or define how the expression is to be evaluated. Using regular
expressions is a sophisticated way to search for complex character patterns in
large blocks of text. For example, suppose you want to search for the
occurrence of an email address—any email address—in a block of text. You
can build a regular expression that will match any pattern of text that has
any valid name string, followed by an @ character, followed by any valid
domain name string, followed by a period, followed by any valid domain
suffix string.

Trend Micro Email Security uses a subset of POSIX regular expression
syntax.

Tip
If your expression includes the characters \ | ( ) { } [ ] . ^ $ * + or ?, you must
escape them by using a \ immediately before the character. Otherwise, they will
be assumed to be regular expression operators rather than literal characters.

This help system contains a brief summary of common regex elements, but a
thorough guide to regular expression syntax is beyond the scope of this help
system. However, there are many sources of reference information available
on the Web or in books.

Using Keyword Expressions

You can select existing keyword expressions from the list of those available.
New keyword expressions can be defined and saved, either from scratch or
by copying and editing an existing expression.

Procedure

1. Create or edit a content filtering policy.

2. Click the Scanning Criteria tab.

3. Select Advanced and click keyword expressions for each condition.

4. Select an existing keyword expression from the Available field.

5. Click the move button (Add>) to move the selected keyword expression
to the Selected field.

Note
You can also add, edit, copy, or delete keyword expressions.


6. Repeat until you have moved all the keyword expressions you want to
apply.

Adding Keyword Expressions


New keyword expressions can be defined and saved, and then applied to a
rule.

Procedure
1. Click Add.
2. Type a name for the list.
3. Select Match criteria:
• Select Any specified to match keywords based on a logical OR.
• Select All specified to match keywords based on a logical AND.
• Select Not the specified to apply the rule to messages that do not
contain the keywords.
4. Click on individual keyword expressions in the list below to edit them.
5. Repeat until you have added your keyword expressions to the list.

Editing Keyword Expressions


Existing keyword expressions can be modified, or can be copied with a new
name.

Procedure
1. Click Edit.
2. Edit the Match criteria if desired:
• Select Any specified to match keywords based on a logical OR.


• Select All specified to match keywords based on a logical AND.

• Select Not the specified to apply the rule to messages that do not
contain the keywords.

3. Click on individual keyword expressions in the list below to edit them.

Managing Notifications
You can use the Notifications screen to manage notifications in Trend Micro
Email Security.

For information on using and configuring notifications, see About the Send
Notification Action on page 198.
Table 64. Notifications Screen

Task: Adding a Notification

Tip
Often a new notification will be very similar to one you already
have. In that case, it is usually easier to copy the notification and
edit it rather than create a new notification from scratch.

Steps:
Click Add.
1. Provide the following information:
• Name: A name for the notification email message.
• From: The email addresses that you want to use to send
notification messages from.
• To: The recipient email address.
• Subject: The notification email message subject. You can
also use variables in your notification email message.
See Rule Tokens/Variables on page 192.
• Body (optional): The email notification message body.
2. Click Save.

Task: Copying Notifications
Steps:
In the Notifications list, select the notification to copy. Click Copy.

Task: Editing Notifications
Steps:
In the Notifications list, click the name of the notification you want
to edit and follow the instructions in the Adding a Notification
procedure in this table.

Task: Deleting Notifications
Steps:
In the Notifications list, select the notifications to delete. Click
Delete, and click OK to confirm.

Managing Stamps
You can use the Stamps screen to manage stamps in Trend Micro Email Security.
For information on inserting and configuring stamps, see Inserting a Stamp
on page 190.
Table 65. Stamps Screen

Task: Adding a Stamp

Tip
Often a new stamp will be very similar to one you already have. In
that case, it is usually easier to copy the stamp and edit it rather
than create a new stamp from scratch.

Steps:
Click Add.
1. Provide the following information:
• Name: A name for the stamp.
• Insert at: Select whether you want to insert the stamp at
the beginning or at the end of the message body.
• Text: The stamp text. You can also use variables in
your text.
See Rule Tokens/Variables on page 192.
2. Click Save.

Task: Copying Stamps
Steps:
In the Stamps list, select the stamp to copy. Click Copy.

Task: Editing Stamps
Steps:
In the Stamps list, click the name of the stamp you want to edit
and follow the instructions in the Adding a Stamp procedure in this
table.

Task: Deleting Stamps
Steps:
In the Stamps list, select the stamps to delete. Click Delete, and
click OK to confirm.


Managing the URL Keyword Exception List


URLs that contain any of the specified keywords will bypass Time-of-Click
Protection and Virtual Analyzer scanning. Those URLs will be considered
one-click URLs and will neither be rewritten at the time of user clicks nor
sent to Virtual Analyzer for further analysis.
You can manage keywords on the URL Keyword Exception List screen.
Table 66. URL Keyword Exception List Screen

Add keywords:
1. Click Add.
2. Specify a keyword that consists of 3 to 256 alphanumeric
characters and underscores.
3. Click Save.
The new keyword appears in the keyword list.
4. Add multiple entries if necessary.

Note
If your Customer Licensing Portal or Licensing
Management Platform account has created multiple
administrator accounts, be aware that the total number
of entries added by all the accounts cannot exceed 100
entries.

Delete keywords:
Select the keywords you want to delete and click Delete.

Managing the Web Reputation Approved List


The Web Reputation Approved List gives you a way to bypass scanning
and blocking of URLs that you consider safe. Domains and IP addresses
added to the Web Reputation Approved List will not be scanned by Trend
Micro Email Security.


Procedure
1. Enable the Web Reputation Approved List.
a. Create or edit an inbound or outbound policy.
For details about configuring a policy, see Configuring Policies on
page 142.
b. Click the Scanning Criteria tab.
c. Select and click Web reputation.
d. Under Web Reputation Approved List, select the Enable the Web
Reputation Approved List check box.
2. Manage the Web Reputation Approved List.
The Web Reputation Approved List is available in the following path:
Administration > Policy Objects > Web Reputation Approved List

Option: Add a record to the Web Reputation Approved List
Description:
a. Click Add.
The Add Domain or IP Address screen appears.
b. Type a domain name or an IP address.
c. Click OK.

Option: Delete records from the Web Reputation Approved List
Description:
a. Select one or multiple records from the existing list
and click Delete.
b. Click OK to confirm your deletion.


Email Continuity

Note
This feature is not included in the Trend Micro Email Security Standard license.
For details about different license versions, see Available License Versions on page
18.

With Email Continuity, Trend Micro Email Security provides a standby email
system that gives virtually uninterrupted use of email in the event of a mail
server outage. If a planned or unplanned outage occurs, Trend Micro Email
Security will keep your incoming email messages for 10 days. Once your
email server is back online within the 10-day period, these messages will be
restored to your email server.
A continuity mailbox is available instantly and automatically, providing end
users the ability to read, forward, download and reply to any email messages.
This enables end users to have continued email access during an outage
without requiring any action from IT.
In fact, Trend Micro Email Security will scan the email messages sent from
the continuity mailbox based on its default outbound policy.
Administrators can configure and manage Email Continuity records on the
Trend Micro Email Security administrator console, and end users will be
able to use the continuity mailbox to manage email messages on the End
User Console.
Share the End User Console web address for your region with your end users:
• North America, Latin America and Asia Pacific:
https://euc.tmes.trendmicro.com
• Europe, the Middle East and Africa:
https://euc.tmes.trendmicro.eu
• Australia and New Zealand:
https://euc.tmes-anz.trendmicro.com
• Japan:
https://tm.tmems-jp.trendmicro.com

Adding an Email Continuity Record


Add Email Continuity records for specified recipient domains to provide
uninterrupted email access for end users on this domain during email server
outages.

Procedure

1. Go to Administration > Email Continuity.

2. Click Add.

The Add Email Continuity Record screen appears.

3. Select a specific recipient domain from the Domain name drop-down
list.

4. Select Enable Email Continuity to apply Email Continuity to the selected
domain.

5. Select Enable Email Sending.

Note
This option is disabled by default.

This option allows you to compose and send email messages directly from
the End User Console. If your domain has SPF records, make sure the
following record is included:

spf.tmes.trendmicro.com

6. Click Add.
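
The check below is an added example, not part of the Trend Micro guide: it verifies the SPF requirement from step 5 against a domain's TXT records, assuming the record is referenced through the standard SPF include: mechanism. The function names and the sample TXT strings in the usage section are constructed; the TXT records are passed in as strings, so the check runs offline.

```python
REQUIRED = "spf.tmes.trendmicro.com"  # record named in step 5 above


def spf_records(txt_records):
    """Return the term lists of every TXT record that is an SPF policy."""
    found = []
    for record in txt_records:
        terms = record.strip().split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(terms[1:])
    return found


def check_include(txt_records, required=REQUIRED):
    """Classify a domain's TXT records against the required include.

    Returns one of:
      "no-spf"          no SPF policy published (step 5 only applies if one exists)
      "multiple-spf"    more than one v=spf1 record, which receivers treat as an error
      "ok"              include:<required> is present and will be evaluated
      "wrong-qualifier" the include is present but carries -, ~ or ?
      "missing"         no include, or it sits after "all" and is never reached
    A redirect= modifier is not followed here because that needs a DNS lookup.
    """
    records = spf_records(txt_records)
    if not records:
        return "no-spf"
    if len(records) > 1:
        return "multiple-spf"
    for term in records[0]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            # "all" always matches, so later mechanisms are ignored.
            return "missing"
        if mechanism.startswith("include:") and mechanism[8:].rstrip(".") == required:
            return "ok" if qualifier == "+" else "wrong-qualifier"
    return "missing"


if __name__ == "__main__":
    # Constructed TXT records for illustration.
    samples = {
        "good": ["v=spf1 include:spf.mail.example include:spf.tmes.trendmicro.com -all"],
        "after all": ["v=spf1 mx -all include:spf.tmes.trendmicro.com"],
        "two policies": ["v=spf1 -all", "v=spf1 include:spf.tmes.trendmicro.com ~all"],
    }
    for name, records in samples.items():
        print(name, "->", check_include(records))
```
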


Editing an Email Continuity Record

Procedure

1. Go to Administration > Email Continuity.

2. Click the domain name of the record that you want to edit.

The Edit Email Continuity Record screen appears.

3. Change your setting as required.

4. Click Save.

Administrator Management
Trend Micro Email Security allows you to perform the following
administrator management tasks:

• Creating and managing administrator subaccounts

• Configuring the way that administrator subaccounts access the
administrator console

Account Management
Use the Administration > Administrator Management > Account
Management screen to search for subaccounts under your control and
perform actions on behalf of those subaccounts.

Subaccounts refer to the accounts that are created by an administrator
account (Trend Micro Business Account) and have the administrator account
privileges.

After clicking Assume Control beside a subaccount in the list, you will be
able to perform privileged operations on behalf of the subaccount.

To stop acting on behalf of a subaccount, click Release in the title bar area.


Adding and Configuring a Subaccount

Procedure

1. Go to Administration > Administrator Management > Account
Management.

2. Click Add.

The Add Subaccount screen appears.

3. Configure the following information on the screen:

• Subaccount Basic Information: type the account name and email
address.

Note
If you want to enable single sign-on for this subaccount, the email
address specified here will be used to map to its equivalent from your
identity provider to verify the identity of this subaccount. Therefore,
set up the subaccount with the email address used by your identity
provider.

• Select Permission Types: select permissions from the Predefined
Permission Types drop-down list, or configure permissions for
each feature manually.

• Select Domains: select domains that the account can manage.

4. Click Save.

Trend Micro Email Security sends an email message with logon
information to the newly created account owner.

Note
The Reset Password button resets the password and sends a new
notification message to the account owner.


Editing a Subaccount

Procedure
1. Go to Administration > Administrator Management > Account
Management.
2. Click the name of the subaccount that you want to edit.
The Edit Subaccount screen appears.
3. Modify the following information on the screen as required:
• Subaccount Basic Information: modify the email address if
necessary.

Note
The account name cannot be modified.

• Select Permission Types: select a predefined permission from the
Predefined Permission Types drop-down list, or configure
permissions for each feature manually.
• Select Domains: select the domains that the account can manage.
4. Click OK.

Deleting Subaccounts

Procedure
1. Go to Administration > Administrator Management > Account
Management.
2. Select the subaccounts that you want to delete, and then click Delete.
3. Click OK in the confirmation dialog box.


Changing the Password of a Subaccount

Note
If you have a Business Account on the Customer Licensing Portal or Licensing
Management Platform, sign in to your account and follow the instructions
provided there to change your password. Trend Micro recommends changing
your password regularly.
The password cannot be changed for a disabled subaccount.

Procedure
1. Go to Administration > Administrator Management > Account
Management.
2. Select the subaccount for which you want to change the password, and
then click Reset Password.
Trend Micro Email Security generates a new password for the
subaccount, and sends it to the account owner through an email
message.

Enabling or Disabling a Subaccount

Procedure
1. Go to Administration > Administrator Management > Account
Management.
2. Click (enabled) or (disabled) to toggle the status of a subaccount,
and then click OK in the confirmation dialog box.

Logon Methods
Trend Micro Email Security allows you to control the way that administrator
subaccounts access the administrator console.


On the Logon Methods screen, you can enable or disable the following logon
methods:
• Local Account Logon
If this method is enabled, subaccounts can log on to the administrator
console with their user name and password. Enforcing two-factor
authentication adds an extra layer of security to the subaccounts.
• Single Sign-On
Once you enable single sign-on (SSO) and complete required settings,
subaccounts can log on to the administrator console through SSO with
their existing identity provider credentials. You can create multiple SSO
profiles so that different subaccounts can log on to the administrator
console from different identity provider servers through SSO.
Trend Micro Email Security currently supports the following identity
providers for SSO:
• Microsoft Active Directory Federation Services (AD FS)
• Azure Active Directory (Azure AD)
• Okta

Configuring Local Account Logon

Procedure
1. Go to Administration > Administrator Management > Logon Methods.
2. In the Local Account Logon section, configure the settings for local
account logon.
a. Click the toggle button to enable local account logon.
This allows administrator subaccounts to log on to the
administrator console with their user name and password.
b. Click the toggle button to enforce two-factor authentication.

Two-factor authentication adds an extra layer of security to the
subaccounts.

After enforcing two-factor authentication, administrator
subaccounts must provide the following authentication credentials
each time they log on to the administrator console:

• Local account and password

• A one-time password generated by the Google Authenticator app

Setting Up Two-Factor Authentication

Note
If your administrator has enforced two-factor authentication, it means that
two-factor authentication must be used every time you log on to the
administrator console and it cannot be disabled. Complete the following steps
to set up two-factor authentication before you can access the administrator
console.

The Trend Micro Email Security administrator console provides two-factor
authentication support. Two-factor authentication provides an added layer of
security for administrator subaccounts and prevents unauthorized access to
your Trend Micro Email Security administrator console, even if your
password is stolen.

After enabling two-factor authentication, administrator subaccounts need to
provide the following authentication credentials each time they sign in:

• Local account and password

• A one-time password generated by the Google Authenticator app

This section describes how to set up two-factor authentication with an
administrator subaccount.

Procedure
1. Log on to the Trend Micro Email Security administrator console with
your local account and password.
2. Click your account name in the top right corner and choose Two-Factor
Authentication to open the setup wizard.
3. Set up two-factor authentication in the wizard.
a. Click Get Started.
b. Verify your email address and click Next.
c. Obtain the verification code from the notification sent to your email
address.

Note
If you did not get the verification code, wait for at least 3 minutes
before clicking Resend Code.

d. Type the verification code and click Next.


e. Follow the instructions to set up two-factor authentication.
i. Download Google Authenticator either from Apple's App Store
or Google Play and install it on your mobile phone.
ii. Add your Trend Micro Email Security account to Google
Authenticator by scanning the QR code.
iii. Provide the 6-digit code generated by Google Authenticator to
verify that your authentication works properly.
f. Click Finish.
You will be prompted for two-factor authentication when you log on.
If you want to disable two-factor authentication, click Disable on
the Two-Factor Authentication screen. If your administrator has
enforced two-factor authentication, click Reset to reset two-factor
authentication if necessary.

Configuring Single Sign-On


Before specifying single sign-on (SSO) settings on the administrator console,
configure the identity provider you choose for SSO, that is, AD FS 4.0, Azure
AD or Okta:
• Configuring Active Directory Federation Services on page 266
• Configuring Azure Active Directory on page 269
• Configuring Okta on page 272

Note
Gather required settings from your identity provider before setting up the
administrator console.

Procedure
1. Go to Administration > Administrator Management > Logon Methods.
2. In the Single Sign-On section, click the toggle button to enable SSO.
3. Click Add to create an SSO profile.
4. Configure general information for SSO.
a. Specify an SSO profile name.
b. Specify an identifier that is globally unique at your site.
The administrator console URL is generated.
If you have to change the unique identifier due to conflict with
another identifier, make sure you also change it in your identity
provider configuration.
5. Select the subaccounts to which the current profile applies:

• All subaccounts: applies this profile to all subaccounts.

Note
You can create only one profile that is applied to all subaccounts.

• Specified subaccounts: applies this profile to specified
subaccounts.
Select subaccounts from the Available pane and click Add > to add
them to the Selected pane.
6. Complete identity provider configuration for SSO.
a. Select your identity provider from the Identity provider drop-down
list.
b. Specify the logon and logoff URLs for your identity provider.

Note
Use the logon URL collected from AD FS, Azure AD or Okta
configurations.
The logoff URL logs you off and also terminates the current identity
provider logon session.

c. (For Okta only) Click Download Logoff Certificate to obtain the
certificate file to upload to your federation server.
d. Locate the certificate file you downloaded from AD FS, Azure AD or
Okta configurations and upload it for signature validation.
e. Specify the identity claim type based on the claim you configured
for AD FS, Azure AD or Okta. For example, if you use email as the
claim name, type email.
7. Click Save to save the profile.
8. Click Save to save SSO settings.
Once you have completed the configuration, log on with a subaccount
using the administrator console URL generated in Step 4 to initiate SSO
from the identity provider to the Trend Micro Email Security
administrator console. The identity claim type specified in Step 6 is used
to get the mapping claim value from your identity provider. In this case,
Trend Micro Email Security obtains the email address of the logon
subaccount and checks if it matches the subaccount email address you
set before. If they match, you will be successfully logged on to the
administrator console with the subaccount.

Configuring Active Directory Federation Services

Active Directory Federation Services (AD FS) provides support for claims-
aware identity solutions that involve Windows Server and Active Directory
technology. AD FS supports the WS-Trust, WS-Federation, and Security
Assertion Markup Language (SAML) protocols.

This section uses Windows 2016 as an example to describe how to configure
AD FS as a SAML server to work with Trend Micro Email Security. Make sure
you have installed AD FS successfully.

Procedure

1. Go to Start > All Programs > Windows Administrative Tools > AD FS
Management.

2. On the AD FS management console, go to AD FS, right-click Relying
Party Trusts, and then choose Add Relying Party Trust.

3. Complete settings for each screen in the Add Relying Party Trust wizard.

a. On the Welcome screen, select Claims aware and click Start.

b. On the Select Data Source screen, select Enter data about the
relying party manually and click Next.

c. On the Specify Display Name screen, specify a display name, for
example, Trend Micro Email Security Administrator
Console, and click Next.

d. On the Configure Certificate screen, click Next.

Note
No encryption certificate is required, and HTTPS will be used for
communication between Trend Micro Email Security and federation
servers.

e. On the Configure URL screen, select Enable support for the SAML
2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service
URL, and then click Next.

Note
Specify the SAML 2.0 SSO service URL for your region as follows:

https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>

In the preceding and following URLs:

• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.

• Replace <domain_name> with any of the following based on your
location:

• North America, Latin America and Asia Pacific:
tmes.trendmicro.com

• Europe, the Middle East and Africa:
tmes.trendmicro.eu

• Australia and New Zealand:
tmes-anz.trendmicro.com

• Japan:
tmems-jp.trendmicro.com

f. On the Configure Identifiers screen, type the identifier for the
relying party trust, click Add, and then click Next.

Note
Specify the identifier for the relying party trust for your region as
follows:

https://ui.<domain_name>/uiserver/subaccount/ssoLogin

g. On the Choose Access Control Policy screen, choose an access
control policy and click Next.

h. Continue clicking Next in the wizard and finally click Close.

4. From the Edit Claim Issuance Policy for Trend Micro Email Security
Administrator Console dialog box, click Add Rule in the Issuance
Transform Rules tab.

5. Complete settings for each screen in the Add Transform Claim Rule
wizard.

a. On the Select Rule Template screen, select Send LDAP Attributes
as Claims for Claim rule template and click Next.

b. On the Configure Rule screen, specify a claim rule name and select
Active Directory for Attribute store.

c. Select LDAP attributes and specify an outgoing claim type for each
attribute. For example, select E-Mail-Addresses and type email as
the outgoing claim type.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the claim type specified
here.

d. Click Finish.

e. Click OK to close the wizard.

6. From AD FS > Relying Party Trust, double-click the relying party trust
file you created earlier.


a. From the Test Properties dialog box, click the Advanced tab.

b. Select SHA1 from the Secure hash algorithm drop-down list and
click OK.

7. Collect the single sign-on logon and logoff URLs and obtain a certificate
for signature validation from AD FS.

a. On the AD FS management console, go to AD FS > Service >
Endpoints.

b. Look for the SAML 2.0/WS-Federation type endpoint and collect the
URL path.

Note
The URL path will be used when you configure logon and logoff URLs
on Trend Micro Email Security.

• Logon URL: <adfs_domain_name>/adfs/ls/

• Logoff URL: <adfs_domain_name>/adfs/ls/?wa=wsignout1.0

c. Go to AD FS > Service > Certificates.

d. Look for the Token-signing certificate, right-click it, and then select
View Certificate.

e. Click the Details tab and click Copy to File.

f. Using the Certificate export wizard, select Base-64 Encoded X.509
(.CER).

g. Assign a name to the file to complete the export of the certificate
into a file.

Configuring Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's multi-tenant cloud-based
directory and identity management service.


Make sure you have a valid subscription in Azure AD that handles the sign-in
process and eventually provides the authentication credentials of
subaccounts to the administrator console.

Procedure
1. On the Azure AD management portal, select the active directory for
which you want to implement SSO.
2. Click Enterprise applications in the navigation area on the left and click
New application.
3. On the Browse Azure AD Gallery (Preview) screen, click Create your
own application.
4. On the Create your own application panel that appears on the right,
specify a name for your application, for example, Trend Micro Email
Security Administrator Console, and click Create.

5. Under Getting Started in the overview of your application, click 1.
Assign users and groups, click Add user/group, select a specific user or
group for this application and click Assign.
6. In the navigation area of your application, click Single sign-on.
7. Click SAML to configure the connection from your application to Azure
AD using the SAML protocol.
a. Under Basic SAML Configuration, click Edit, specify the identifier
and reply URL, and click Save.


Note
Specify the identifier for your region as follows:
https://ui.<domain_name>/uiserver/subaccount/ssoLogin

Specify the reply URL for your region as follows:
https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>

In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
• North America, Latin America and Asia Pacific:
tmes.trendmicro.com
• Europe, the Middle East and Africa:
tmes.trendmicro.eu
• Australia and New Zealand:
tmes-anz.trendmicro.com
• Japan:
tmems-jp.trendmicro.com

Click No, I'll test later when you are prompted to choose whether to
test single sign-on with Trend Micro Email Security
Administrator Console. You are advised to perform a test after all
SSO settings are complete.
b. Under User Attributes & Claims, click Edit, and specify the identity
claim.
User attributes and claims are used to get the email addresses of
logon subaccounts to authenticate their identity. By default, the
source attribute user.mail is preconfigured to get the email
addresses. If the email addresses in your organization are defined
by another source attribute, do the following to add a new claim
name:
Click Add new claim. On the Manage claim screen, specify the
claim name, leave Namespace empty, select Attribute as Source,
select a value from the Source attribute drop-down list, and click
Save.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the claim name specified
here.

c. Under SAML Signing Certificate, click Edit, specify an email
address for Notification Email Addresses, and click Save. Click
Download next to Certificate (Base64) to download a certificate file
for Azure AD signature validation on Trend Micro Email Security.
d. Under Set up Trend Micro Email Security Administrator Console,
record the login and logout URLs.

Configuring Okta

This section describes how to add Trend Micro Email Security as a new
application and configure SSO settings on your Okta Admin Console.

Procedure
1. Navigate to the Admin Console by clicking Admin in the upper-right
corner.

Note
If you are in the Developer Console, click < > Developer Console in the
upper-left corner and then click Classic UI to switch over to the Admin
Console.


2. In the Admin Console, go to Applications > Applications.


3. Click Add Application, and then click Create New App.
The Create a New Application Integration screen appears.
4. Select Web as the Platform and SAML 2.0 as the Sign on method, and
then click Create.
5. On the General Settings screen, type a name for Trend Micro Email
Security in App name, for example, Trend Micro Email Security
Administrator Console, and click Next.

6. On the Configure SAML screen, specify the following:
a. Type https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>
in Single sign on URL based on your serving site.

Note
In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
• North America, Latin America and Asia Pacific:
tmes.trendmicro.com
• Europe, the Middle East and Africa:
tmes.trendmicro.eu
• Australia and New Zealand:
tmes-anz.trendmicro.com
• Japan:
tmems-jp.trendmicro.com


b. Select Use this for Recipient URL and Destination URL.

c. Type https://ui.<domain_name>/uiserver/subaccount/ssoLogin
in Audience URI (SP Entity ID).

d. Select EmailAddress in Name ID format.

e. Select Okta username in Application username.

f. (Optional) Click Show Advanced Settings, specify the following:

This step is required only if you want to configure a logoff URL on
the Trend Micro Email Security administrator console. The logoff
URL is used to log you off and also terminate the current identity
provider logon session.

i. Next to Enable Single Logout, select the Allow application to
initiate Single Logout check box.

ii. Type https://ui.<domain_name>/uiserver/subaccount/sloAssert?cmpID=<unique_identifier>
in Single Logout URL.

iii. Type https://ui.<domain_name>/uiserver/subaccount/ssoLogout
in SP Issuer.

iv. Upload the logoff certificate in the Signature Certificate area.

You need to download the logoff certificate from the Trend
Micro Email Security administrator console in advance. Go to
Administration > Administrator Management > Logon
Methods. Click Add in the Single Sign-on section. On the pop-up
screen, locate the Identity Provider Configuration section,
select Okta as Identity provider and click Download Logoff
Certificate to download the certificate file.

v. Keep the default values for other settings.

g. Under ATTRIBUTE STATEMENTS (OPTIONAL), specify email in
Name, and select Unspecified in Name format and user.email in
Value.


Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the attribute name specified
here.

h. Click Next.
7. On the Feedback screen, click I'm an Okta customer adding an internal
app, and then click Finish.
The Sign On tab of your newly created Trend Micro Email Security
application appears.
8. Click View Setup Instructions, and record the URL in Identity Provider
Single Sign-On URL and download the certificate in X.509 Certificate.

End User Management


Trend Micro Email Security allows you to perform the following end user
management tasks:
• Changing end user passwords
• Managing multiple Trend Micro Email Security End User Console
accounts
• Configuring the way that end users access the End User Console

Changing End User Passwords


If an end user loses their password, the system administrator can reset that
password.

Procedure
1. Go to Administration > End User Management > Passwords.
2. Type the managed email address of the end user.


3. Type and confirm the new password to be associated with the account.

Important
Passwords must contain 8 to 32 alphanumeric characters. Trend Micro
recommends using a long password. Strong passwords contain a mix of
letters, numbers, and special characters.

Managed Accounts
End users can manage multiple Trend Micro Email Security End User
Console accounts by using a single account to log on. After an end user
begins managing an account, they can view the quarantined messages and
set the Approved Senders associated with that account.
End users log on with their primary account, and then specify one of their
managed accounts or All managed accounts at the top of the screen to view
Quarantined messages and set Approved Senders for the specified account or
accounts.

Figure 1. Example of the Managed Account Control

After an end user begins managing an account, that managed account will be
unable to log on to the End User Console. The managed account will be able
to log on again only if the account management relationship is removed. To
allow the account to log on again, the primary account can remove the
managed account from the Managed Accounts screen of the End User
Console.

Adding a managed account does not change the credentials for that account.
Disabling the feature does not change the account management relationship
of accounts that end users have already added.

End users can always remove accounts from their list of managed accounts.
However, end users can only add management of accounts under the
following conditions:

• The account is a registered End User Console account.

• The account is not currently a managed account of another End User
Console account.

• The end user is able to open the confirmation email message sent to the
account address.

• The end user has the End User Console password for the account.

Removing End User Managed Accounts


The primary account can remove the managed account from the Managed
Accounts screen of the End User Console.

To remove an account management relationship using the Trend Micro
Email Security administrator console, use the following procedure.

Procedure

1. Go to Administration > End User Management > Managed Accounts.

2. Select the primary account and managed account pair or pairs in the
list.

3. Click Remove.


Logon Methods
Trend Micro Email Security allows you to control the way that end users
access the End User Console.
On the Logon Methods screen, you can enable or disable the following logon
methods:
• Local Account Logon
If this method is enabled, end users can log on to the End User Console
with their user name and password of the local managed accounts they
have registered on the End User Console. Enforcing two-factor
authentication adds an extra layer of security to the end user accounts.
• Single Sign-On
Once you enable single sign-on (SSO) and complete required settings,
end users can log on to the End User Console through SSO with their
existing identity provider credentials. You can create multiple SSO
profiles so that different end users can log on to the End User Console
from different identity provider servers through SSO.
When creating an SSO profile, you need to specify the domains to which
the profile applies. Assume that subaccount A manages domain A, B and
C, subaccount B manages domain B and subaccount C manages domain
C. The relationships between SSO profiles, managed domains and
subaccount permissions are as follows:

SSO Profile | Managed Domains | Subaccount Permission
Profile 1 | Domains A and B | Subaccount A: read and edit; Subaccount B: read only; Subaccount C: cannot read, edit or delete
Profile 2 | Domain C | Subaccount A: read and edit; Subaccount B: cannot read, edit or delete; Subaccount C: read and edit
Profile 3 | All domains | Subaccount A: read only; Subaccount B: read only; Subaccount C: read only

Trend Micro Email Security currently supports the following identity
providers for SSO:

• Microsoft Active Directory Federation Services (AD FS)

• Azure Active Directory (Azure AD)

• Okta

Configuring Local Account Logon

Procedure

1. Go to Administration > End User Management > Logon Methods.

2. In the Local Account Logon section, configure the settings for local
account logon.

a. Click the toggle button to enable Local Account Logon.

This allows end users to log on to the End User Console with their
user name and password of the local managed accounts.


b. Click the toggle button to enforce two-factor authentication.


Two-factor authentication adds an extra layer of security to the end
user accounts.
After enforcing two-factor authentication, end user accounts must
provide the following authentication credentials each time they log
on to the End User Console:
• Local account and password
• A one-time password generated by the Google Authenticator
app
c. From the Source of managed accounts drop-down list, select the
source of accounts to be managed when end users log on to the End
User Console.
• Aliases synchronized from directories: If you select this
option, the logon users will have all the aliases synchronized
from LDAP directories as their managed accounts.
• Manually added accounts: If you select this option, the logon
users will have all the accounts they added manually as their
managed accounts.

Configuring Single Sign-On


Before specifying SSO settings on the administrator console, configure the
identity provider you choose for single sign-on, that is, AD FS 4.0, Azure AD
or Okta:
• Configuring Active Directory Federation Services
• Configuring Azure Active Directory
• Configuring Okta

Note
Gather required settings from your identity provider before setting up the
administrator console.


Procedure

1. Go to Administration > End User Management > Logon Methods.

2. In the Single Sign-On section, click the toggle button to enable SSO.

3. Click Add to create an SSO profile.

4. Configure general information for SSO.

a. Specify an SSO profile name.

b. Specify an identifier that is globally unique at your site.

The End User Console URL is generated.

If you have to change the unique identifier due to conflict with
another identifier, make sure you also change it in your identity
provider configuration.

5. Select the domains to which the current profile applies:

• All domains: applies this profile to all domains.

Note
You can create only one profile that is applied to all domains.

• Specified domains: applies this profile to specified domains.

Select domains from the Available pane and click Add > to add
them to the Selected pane.

6. Complete identity provider configuration for SSO.

a. Select your identity provider from the Identity provider drop-down
list.

b. Specify the logon and logoff URLs for your identity provider.


Note
Use the logon URL collected from AD FS, Azure AD or Okta
configurations.
The logoff URL logs you off and also terminates the current identity
provider logon session.

c. (For Okta only) Click Download Logoff Certificate to obtain the
certificate file to upload to your federation server.
d. (Optional) Enable signature validation.

Note
A signature is returned from the identity provider server during SSO.
To prevent attackers from forging a logon, the signature must be checked
against the certificate file you obtained from your identity provider.

i. Click the Signature validation toggle button.


ii. Locate the certificate file you downloaded from AD FS, Azure
AD or Okta configurations and upload it for signature
validation.
e. Specify the identity claim type based on the claim you configured
for AD FS, Azure AD or Okta. For example, if you use email as the
claim name, type email.
f. (Optional) Enable SSO management by group.

Note
If you enable this function, only end users with valid email addresses
in the specified group can log on to the End User Console
through SSO.

i. Click the Group allow list toggle button.


ii. Specify the group claim type based on the group claim you
configured for AD FS, Azure AD or Okta. For example, if you
use euc_group as the group attribute name, type euc_group.


iii. Specify group claim values based on the group claim you
configured for AD FS, Azure AD or Okta. If your identity
provider is AD FS or Okta, type group names; if your identity
provider is Azure AD, type group IDs.
7. Click Save to save the profile.
8. Click Save to save SSO settings.
Once you have completed the configuration, an end user can log on
using the End User Console URL generated in Step 4 to initiate SSO from
the identity provider to the End User Console. The identity claim type
and group claim type specified in Step 6 are used to get the mapping
claim values from your identity provider. In this case, Trend Micro
Email Security obtains the email address and user group of the logon
account to verify the identity of the end user. Once verified, the end user
will be successfully logged on to the End User Console.
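
The mapping described above can be checked before rollout by comparing a SAML response captured during an SSO test with the values entered in the SSO profile. The following Python sketch is an added example, not Trend Micro code; the unique identifier acme-euc, the group Mail-Users, the sample addresses and both SAML responses are constructed, and the check does not verify the XML signature.

```python
# Added example (not vendor code): compare a SAML response captured during an
# SSO test with the values entered in the End User Console SSO profile.
# It does NOT verify the XML signature; that is done with the uploaded certificate.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def expected_profile(domain_name, unique_identifier, identity_claim,
                     group_claim=None, allowed_groups=()):
    """Values the guide has you enter at the IdP for the End User Console."""
    base = f"https://euc.{domain_name}/uiserver/euc"
    return {
        "acs_url": f"{base}/ssoAssert?cmpID={unique_identifier}",
        "entity_id": f"{base}/ssoLogin",
        "identity_claim": identity_claim,
        "group_claim": group_claim,
        "allowed_groups": set(allowed_groups),
    }


def attribute_values(root):
    """Map each SAML Attribute Name (case-sensitive) to its text values."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_response(xml_text, profile):
    """Return the mismatches between a SAML response and the SSO profile."""
    # Parse only responses you captured yourself; stdlib ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != profile["acs_url"]:
        findings.append("Destination differs from the ssoAssert URL")
    recipients = [e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if profile["acs_url"] not in recipients:
        findings.append("Recipient differs from the ssoAssert URL")
    audiences = [e.text.strip() for e in root.iterfind(".//saml:Audience", NS) if e.text]
    if profile["entity_id"] not in audiences:
        findings.append("Audience differs from the ssoLogin identifier")
    if root.find(".//ds:Signature", NS) is None:
        findings.append("response is unsigned")

    attrs = attribute_values(root)
    if not any("@" in v for v in attrs.get(profile["identity_claim"], [])):
        findings.append(f"identity claim '{profile['identity_claim']}' not found; "
                        f"response carries {sorted(attrs)}")
    if profile["group_claim"]:
        groups = set(attrs.get(profile["group_claim"], []))
        if not groups & profile["allowed_groups"]:
            findings.append(f"group claim '{profile['group_claim']}' has no allowed value")
    return findings


def constructed_response(destination, audience, attributes, signed=True):
    """Build a minimal constructed SAML response for the demo (not real IdP output)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items())
    signature = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'Destination="{destination}">'
        f"<saml:Assertion>{signature}<saml:Subject><saml:SubjectConfirmation>"
        f'<saml:SubjectConfirmationData Recipient="{destination}"/>'
        f"</saml:SubjectConfirmation></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}"
        f"</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        f"</saml:Assertion></samlp:Response>"
    )


# Constructed values: identifier "acme-euc", group "Mail-Users", sample users.
PROFILE = expected_profile("tmes.trendmicro.com", "acme-euc", "email",
                           group_claim="euc_group", allowed_groups=["Mail-Users"])
GOOD = constructed_response(PROFILE["acs_url"], PROFILE["entity_id"],
                            {"email": ["alice@example.com"], "euc_group": ["Mail-Users"]})
# Wrong regional host, a claim URI instead of the claim name "email",
# and a user outside the allowed group.
BAD = constructed_response(
    "https://euc.tmes.trendmicro.eu/uiserver/euc/ssoAssert?cmpID=acme-euc",
    PROFILE["entity_id"],
    {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["bob@example.com"],
     "euc_group": ["Contractors"]},
)

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_response(doc, PROFILE) or "matches the SSO profile")
```

An empty result means the response lines up with the profile; each string in a non-empty result names one setting to correct at the identity provider or in the profile.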

Configuring Active Directory Federation Services

Active Directory Federation Services (AD FS) provides support for
claims-aware identity solutions that involve Windows Server and Active Directory
technology. AD FS supports the WS-Trust, WS-Federation, and Security
Assertion Markup Language (SAML) protocols.
This section uses Windows 2016 as an example to describe how to configure
AD FS as a SAML server to work with Trend Micro Email Security. Make sure
you have installed AD FS successfully.

Procedure
1. Go to Start > All Programs > Windows Administrative Tools > AD FS
Management.
2. On the AD FS management console, go to AD FS, right-click Relying
Party Trusts, and then choose Add Relying Party Trust.
3. Complete settings for each screen in the Add Relying Party Trust wizard.
a. On the Welcome screen, select Claims aware and click Start.


b. On the Select Data Source screen, select Enter data about the
relying party manually and click Next.
c. On the Specify Display Name screen, specify a display name, for
example, Trend Micro Email Security End User Console, and
click Next.
d. On the Configure Certificate screen, click Next.

Note
No encryption certificate is required, and HTTPS will be used for
communication between Trend Micro Email Security and federation
servers.

e. On the Configure URL screen, select Enable support for the SAML
2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service
URL, and then click Next.


Note
Specify the SAML 2.0 SSO service URL for your region as follows:
https://euc.<domain_name>/uiserver/euc/ssoAssert?cmpID=<unique_identifier>

In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
• North America, Latin America and Asia Pacific:
tmes.trendmicro.com
• Europe, the Middle East and Africa:
tmes.trendmicro.eu
• Australia and New Zealand:
tmes-anz.trendmicro.com
• Japan:
tmems-jp.trendmicro.com

f. On the Configure Identifiers screen, type the identifier for the
relying party trust, click Add, and then click Next.

Note
Specify the identifier for the relying party trust for your region as
follows:
https://euc.<domain_name>/uiserver/euc/ssoLogin

g. On the Choose Access Control Policy screen, choose an access
control policy and click Next.
h. Continue clicking Next in the wizard and finally click Close.


4. From the Edit Claim Issuance Policy for Trend Micro Email Security
End User Console dialog box, click Add Rule in the Issuance Transform
Rules tab.

5. Complete settings for each screen in the Add Transform Claim Rule
wizard.

a. On the Select Rule Template screen, select Send LDAP Attributes
as Claims for Claim rule template and click Next.

b. On the Configure Rule screen, specify a claim rule name and select
Active Directory for Attribute store.

c. Select LDAP attributes and specify an outgoing claim type for each
attribute. For example, select E-Mail-Addresses and type email as
the outgoing claim type.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the claim type specified
here.

d. (Optional) Configure group claim type settings for user groups.

i. On the Select Rule Template screen, select Send Group
Membership as a Claim for Claim rule template and click
Next.

ii. On the Configure Rule screen, specify a claim rule name, click
Browse under User's group, and select AD groups.

iii. Specify the outgoing claim type and outgoing claim values. For
example, type euc_group and the AD group names.

Important
When configuring the group claim type for an SSO profile on Trend
Micro Email Security, make sure you use the group claim type
specified here.


e. Click Finish.

f. Click OK to close the wizard.

6. From AD FS > Relying Party Trust, double-click the relying party trust
file you created earlier.

a. From the Test Properties dialog box, click the Advanced tab.

b. Select SHA1 from the Secure hash algorithm drop-down list and
click OK.

7. Collect the single sign-on logon and logoff URLs and obtain a certificate
for signature validation from AD FS.

a. On the AD FS management console, go to AD FS > Service >
Endpoints.

b. Look for the SAML 2.0/WS-Federation type endpoint and collect the
URL path.

Note
The URL path will be used when you configure logon and logoff URLs
on Trend Micro Email Security.

• Logon URL: <adfs_domain_name>/adfs/ls/

• Logoff URL: <adfs_domain_name>/adfs/ls/?wa=wsignout1.0

c. Go to AD FS > Service > Certificates.

d. Look for the Token-signing certificate, right-click it, and then select
View Certificate.

e. Click the Details tab and click Copy to File.

f. Using the Certificate export wizard, select Base-64 Encoded X.509
(.CER).

g. Assign a name to the file to complete the export of the certificate
into a file.


Configuring Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's multi-tenant cloud-based
directory and identity management service.
Make sure you have a valid subscription in Azure AD that handles the sign-in
process and eventually provides the authentication credentials of end users
to the End User Console.

Procedure
1. On the Azure AD management portal, select the active directory for
which you want to implement SSO.
2. Click Enterprise applications in the navigation area on the left and click
New application.
3. On the Browse Azure AD Gallery (Preview) screen, click Create your
own application.
4. On the Create your own application panel that appears on the right,
specify a name for your application, for example, Trend Micro Email
Security End User Console, and click Create.

5. Under Getting Started in the overview of your application, click 1.
Assign users and groups, click Add user/group, select a specific user or
group for this application and click Assign.
6. In the navigation area of your application, click Single sign-on.
7. Click SAML to configure the connection from your application to Azure
AD using the SAML protocol.
a. Under Basic SAML Configuration, click Edit, specify the identifier
and reply URL, and click Save.


Note
Specify the identifier for your region as follows:
https://euc.<domain_name>/uiserver/euc/ssoLogin

Specify the reply URL for your region as follows:
https://euc.<domain_name>/uiserver/euc/ssoAssert?cmpID=<unique_identifier>

In the preceding and following URLs:
• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
• North America, Latin America and Asia Pacific:
tmes.trendmicro.com
• Europe, the Middle East and Africa:
tmes.trendmicro.eu
• Australia and New Zealand:
tmes-anz.trendmicro.com
• Japan:
tmems-jp.trendmicro.com

Click No, I'll test later when you are prompted to choose whether to
test single sign-on with Trend Micro Email Security End User
Console. You are advised to perform a test after all SSO settings are
complete.
b. Under User Attributes & Claims, click Edit, and specify the identity
claim.
User attributes and claims are used to get the email addresses of
logon subaccounts to authenticate their identity. By default, the
source attribute user.mail is preconfigured to get the email
addresses. If the email addresses in your organization are defined
by another source attribute, do the following to add a new claim
name:

Click Add new claim. On the Manage claim screen, specify the
claim name, leave Namespace empty, select Attribute as Source,
select a value from the Source attribute drop-down list, and click
Save.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the claim name specified
here.

(Optional) Click Add a group claim. On the Group Claims screen,
specify the groups associated with the end user, select Group ID as
Source attribute, select Customize the name of the group claim,
specify the group claim name, for example, euc_group, and click
Save.

Important
When configuring the group claim type for an SSO profile on Trend
Micro Email Security, make sure you use the group claim name
specified here.

c. Under SAML Signing Certificate, click Edit, specify an email
address for Notification Email Addresses, and click Save. Click
Download next to Certificate (Base64) to download a certificate file
for Azure AD signature validation on Trend Micro Email Security.

d. Under Set up Trend Micro Email Security End User Console,
record the login and logout URLs.


Configuring Okta

This section describes how to add Trend Micro Email Security as a new
application and configure SSO settings on your Okta Admin Console.

Procedure
1. Navigate to the Admin Console by clicking Admin in the upper-right
corner.

Note
If you are in the Developer Console, click < > Developer Console in the
upper-left corner and then click Classic UI to switch over to the Admin
Console.

2. In the Admin Console, go to Applications > Applications.


3. Click Add Application, and then click Create New App.
The Create a New Application Integration screen appears.
4. Select Web as the Platform and SAML 2.0 as the Sign on method, and
then click Create.
5. On the General Settings screen, type a name for Trend Micro Email
Security in App name, for example, Trend Micro Email Security End
User Console, and click Next.

6. On the Configure SAML screen, specify the following:
a. Type https://euc.<domain_name>/uiserver/euc/ssoAssert?cmpID=<unique_identifier>
in Single sign on URL based on your serving site.


Note
In the preceding and following URLs:

• Replace <unique_identifier> with a unique identifier. Record
the unique identifier, which will be used when you create an SSO
profile on the Trend Micro Email Security administrator console.
• Replace <domain_name> with any of the following based on your
location:
• North America, Latin America and Asia Pacific:
tmes.trendmicro.com
• Europe, the Middle East and Africa:
tmes.trendmicro.eu
• Australia and New Zealand:
tmes-anz.trendmicro.com
• Japan:
tmems-jp.trendmicro.com

b. Select Use this for Recipient URL and Destination URL.

c. Type https://euc.<domain_name>/uiserver/euc/ssoLogin in
Audience URI (SP Entity ID).

d. Select EmailAddress in Name ID format.

e. Select Okta username in Application username.

f. (Optional) Click Show Advanced Settings, specify the following:

This step is required only if you want to configure a logoff URL on
the Trend Micro Email Security administrator console. The logoff
URL is used to log you off and also terminate the current identity
provider logon session.

i. Next to Enable Single Logout, select the Allow application to
initiate Single Logout check box.


ii. Type https://euc.<domain_name>/uiserver/euc/sloAssert?cmpID=<unique_identifier>
in Single Logout URL.

iii. Type https://euc.<domain_name>/uiserver/euc/ssoLogout
in SP Issuer.
iv. Upload the logoff certificate in the Signature Certificate area.
You need to download the logoff certificate from the Trend
Micro Email Security administrator console in advance. Go to
Administration > End User Management > Logon Methods.
Click Add in the Single Sign-on section. On the pop-up screen,
locate the Identity Provider Configuration section, select Okta
as Identity provider and click Download Logoff Certificate to
download the certificate file.
v. Keep the default values for other settings.
g. Under ATTRIBUTE STATEMENTS (OPTIONAL), specify email in
Name, and select Unspecified in Name format and user.email in
Value.

Important
When configuring the identity claim type for an SSO profile on Trend
Micro Email Security, make sure you use the attribute name specified
here.

h. (Optional) Under GROUP ATTRIBUTE STATEMENTS (OPTIONAL),
specify euc_group in Name, select Unspecified in Name format
and specify filter conditions.

Important
When configuring the group claim type for an SSO profile on
Trend Micro Email Security, make sure you use the group attribute
name specified here.

i. Click Next.
7. On the Feedback screen, click I'm an Okta customer adding an internal
app, and then click Finish.


The Sign On tab of your newly created Trend Micro Email Security
application appears.

8. Click View Setup Instructions, and record the URL in Identity Provider
Single Sign-On URL and download the certificate in X.509 Certificate.

Directory Management
You can import LDAP Data Interchange Format (LDIF) or comma-separated
values (CSV) files into Trend Micro Email Security. This helps Trend Micro
Email Security to better filter and process messages for valid email
addresses. Messages to invalid email addresses will be rejected.

Trend Micro Email Security uses user directories to help prevent backscatter
(or outscatter) spam and Directory Harvest Attacks (DHA). Importing user
directories lets Trend Micro Email Security know legitimate email addresses
and domains in your organization.

Trend Micro Email Security also provides a synchronization tool that enables
you to synchronize your current groups, email accounts and email aliases
from Open LDAP, Microsoft Active Directory, Microsoft AD Global Catalog,
Office 365/Azure Active Directory and IBM Domino servers to the Trend
Micro Email Security server.

The Directory Management screen includes the following tabs:

• Directory Synchronize
  • Downloads: Displays the download paths or links to the Directory
    Synchronization Tool, Directory Synchronization Tool User's Guide,
    REST API Client, and REST API Online Help.
  • Synchronization Summary: Displays the total number of email
    aliases, groups, and valid recipients last synchronized from all
    directory sources.
  • Synchronization History: Displays the number of email aliases,
    groups, and valid recipients synchronized each time.
• Directory Import
  • Import User Directory: Selections for importing a new user
    directory file.
  • Imported User Directory History: The current user directory file(s)
    that Trend Micro Email Security is using.
• Export
  • Valid recipients: Exports the existing valid recipients to a CSV file.
  • Groups: Exports the existing groups to a CSV file.
  • Email aliases: Exports the existing email aliases to a CSV file.

Synchronizing User Directories


The Directory Synchronize tab displays downloads, synchronization
summary, and synchronization history. This screen consists of the following
sections:
• Downloads: Displays the download paths for the Directory
Synchronization Tool and Directory Synchronization Tool User's Guide.
• Synchronization Summary: Displays the total number of email aliases,
groups, and valid recipients last synchronized from all directory
sources.
• Synchronization History: Displays the number of email aliases, groups,
and valid recipients synchronized each time.

Element | Description
Timestamp | Time when a synchronization happened
Sync Objects | Objects that have been synchronized, such as email aliases, groups, and valid recipients. Note: Since version 2.0.10088 of the Directory Synchronization Tool, the number of email aliases, groups, and valid recipients synchronized every time has also been recorded here.
Sync Tool Location | Information about the machine where the synchronization tool is installed, including its IP address, FQDN or host name
Result | Whether the synchronization is successful or unsuccessful, or whether any groups, email aliases or policies were added or removed

Importing User Directories


You can import LDAP Data Interchange Format (LDIF) or comma-separated
values (CSV) files into Trend Micro Email Security. This helps Trend Micro
Email Security to better filter and process messages for valid email
addresses. Messages to invalid email addresses will be rejected.


Important
Before you import an LDIF or CSV directory file, note the following:

• Trend Micro Email Security only recognizes ANSI-encoded LDIF (with the
extension .ldf) and ANSI or UTF-8-encoded CSV (with the extension .csv)
files. Do not include blank lines or other irrelevant data in the file that you
import. Use caution when creating a file.

• When importing user directory files, Trend Micro Email Security replaces
all records for a managed domain at once. If any email addresses for a
managed domain are imported, all other email addresses for that domain
are removed. Newly imported email addresses for that domain, and
records for other managed domains, will be kept. If you import an updated
user directory file that does not have any information for one of your
domains, the entries for those domains remain the same and are not
overwritten.

Every time you import a directory file, it overwrites the old version. If you
import an updated directory file that has information for one of your
domains, all entries for those domains are overwritten. Use caution when
importing a directory.

• You can only see the directories that are associated with your
administrator account. If you are sharing your Trend Micro Email Security
service with another administrator (for example, a value-added reseller)
who logs on with his/her specific account information, Trend Micro Email
Security will not show the directories for that account.

• Every time you add more users to your network, you must import your
updated user directories; otherwise, Trend Micro Email Security will reject
email from newly added users.

WARNING!
Trend Micro strongly suggests that you do not import more than 24 directories
in a day. Doing so could overwhelm system resources.

Temporarily disable all valid recipients before importing a file. When you are
confident that all entries are correct, re-enable all valid recipients. To disable or
enable valid recipients, go to Inbound Protection > Connection Filtering >
Recipient Filter and click Disable All or Enable All.


Procedure
1. Next to Format, select the format type:
• LDIF
• CSV

Note
If you create a CSV file, divide the records into fields for
email_address and Firstname Lastname and separate them using a
comma and optional quotation marks. Use of spaces or other
delimiters is not supported. Use one record per line.
For example:

Valid

[email protected],Bob Smith
[email protected],Sally Jones

"[email protected]","Bob Smith"
"[email protected]","Sally Jones"

Not Valid

[email protected],Bob Smith,[email protected],Sally Jones

Microsoft Excel will save a two column chart as a CSV using valid
formatting.

2. Next to Name, type a descriptive name for the file.


3. Next to File location, type the file directory path and filename or click
Choose File and select the .ldf or .csv file on your computer.
4. Click Verify File to read the file and show a summary of how many email
addresses were found.
After the progress bar completes, a summary screen appears showing
the following:

• Import Summary: A summary of the information above

• Domains and Number of Users to Replace Current Users: The
domains that you specified when you subscribed to the Trend Micro
Email Security service

• Unauthorized Domains: Any domains that are included in your
directory file, but are not officially registered with your Trend Micro
Email Security service

Note
Trend Micro Email Security does not provide service for these
domains and their corresponding email addresses.

5. Click Import.

This will import and then enable the email address list.
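
The CSV rules in the Note under step 1 and the replace-per-domain behaviour described in the Important box can be checked offline before you click Verify File. The following Python is an added example, not Trend Micro code: the addresses, the domain names, the reading of "ANSI" as Windows-1252, and the simple address pattern are assumptions made for illustration.

```python
import csv
import re
from collections import defaultdict

# Simple address shape check (an assumption of this example, not the service's rule).
ADDR_RE = re.compile(r'^[^@\s,"]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$')


def decode_directory_bytes(raw):
    """Decode file bytes as UTF-8 (with or without BOM), else as "ANSI".

    "ANSI" is taken to mean Windows-1252 here, which is an assumption.
    """
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("cp1252")


def parse_directory_csv(text):
    """Return (records, errors) for a two-field email_address,name CSV.

    records maps domain -> set of addresses (both lower-cased).
    errors lists (line_number, reason) for lines the Note rules out.
    """
    records = defaultdict(set)
    errors = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            errors.append((lineno, "blank line"))
            continue
        try:
            fields = next(csv.reader([line], strict=True))
        except csv.Error as exc:
            errors.append((lineno, f"malformed quoting: {exc}"))
            continue
        if len(fields) != 2:
            errors.append((lineno, f"expected 2 fields, found {len(fields)}"))
            continue
        address = fields[0].lower()
        match = ADDR_RE.match(address)
        if not match:
            errors.append((lineno, "first field is not an email address"))
            continue
        records[match.group(1)].add(address)
    return dict(records), errors


def preview_import(current, imported, managed_domains):
    """Model the import: a managed domain present in the file is replaced
    as a whole, a domain absent from the file is left as it is, and a
    domain that is not managed is reported as unauthorized."""
    managed = {d.lower() for d in managed_domains}
    report = {"replaced": {}, "untouched": [], "unauthorized": []}
    for domain, new_addrs in sorted(imported.items()):
        if domain not in managed:
            report["unauthorized"].append(domain)
            continue
        old_addrs = current.get(domain, set())
        report["replaced"][domain] = {
            "kept": len(old_addrs & new_addrs),
            "added": sorted(new_addrs - old_addrs),
            "removed": sorted(old_addrs - new_addrs),  # mail to these gets rejected
        }
    report["untouched"] = sorted(d for d in current if d not in imported)
    return report


# Constructed sample data: line 3 is blank, line 4 holds two records on one line.
SAMPLE_CSV = (
    "bob@example.com,Bob Smith\n"
    '"sally@example.com","Sally Jones"\n'
    "\n"
    "amy@example.com,Amy Lee,raj@example.com,Raj Patel\n"
    "raj@example.org,Raj Patel\n"
    "eve@unmanaged.example,Eve Adams\n"
)
# Constructed stand-in for the directory currently held by the service.
CURRENT_DIRECTORY = {
    "example.com": {"bob@example.com", "carol@example.com"},
    "example.net": {"dave@example.net"},
}
MANAGED_DOMAINS = ["example.com", "example.org", "example.net"]

if __name__ == "__main__":
    records, errors = parse_directory_csv(SAMPLE_CSV)
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}")
    report = preview_import(CURRENT_DIRECTORY, records, MANAGED_DOMAINS)
    for domain, change in report["replaced"].items():
        print(domain, "removed:", change["removed"], "added:", change["added"])
    print("untouched:", report["untouched"])
    print("unauthorized:", report["unauthorized"])
```

Any address listed under "removed" stops being a valid recipient once the import is enabled, so review that list before re-enabling the Recipient Filter.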

Exporting User Directories


You can export valid recipients, groups and email aliases to a comma-
separated values (CSV) file.

Procedure

1. Choose to export valid recipients, groups or email aliases and do the
following:

• Select a domain from the Valid recipients drop-down list and click
Export to CSV.

• Select a group from the Groups drop-down list and click Export to
CSV.

• Next to Email aliases, click Export to CSV.


Note
In the exported file, the primary email alias displays at the beginning
of each line.

Installing the Directory Synchronization Tool


The Directory Synchronization Tool automates the import of directory files
for valid recipient email addresses, user groups and email aliases. The
Directory Synchronization Tool provides functionality similar to the Import
User Directory feature on the Directory Import screen.

Procedure
1. Go to Administration > Service Integration.
2. On the API Access tab, click Add to generate a key.
The API Key is the global unique identifier for your Directory
Synchronization Tool to authenticate its access to Trend Micro Email
Security. A new API Key is enabled by default.
If you want to change your API Key later on, click Add to generate a new
key and use the new key in your requests. You can click the toggle button
under Status to disable the old key or delete it if both of the following
conditions are met:
• Requests can be sent successfully with the new key.
• The old key is not used by any other applications that have access to
Trend Micro Email Security.
A maximum of two API Keys are allowed at a time.

Important
The API Key allows your Directory Synchronization Tool to communicate
with Trend Micro Email Security. Keep the API Key private.


3. In the Downloads list, click download to download the desired items.

• Directory Synchronization Tool: Provided for synchronizing
accounts and groups between local directories and the Trend Micro
Email Security server.
• Directory Synchronization Tool User's Guide: Available for more
information on using the synchronization tool.
4. Save the tool on a local drive.
5. Follow the installation steps to install the tool.

Co-Branding
Trend Micro Email Security enables you to display a service banner, for
example, your company logo, on the top banner of the Trend Micro Email
Security administrator console and End User Console. This is a cost-effective
way to promote your company and brand awareness.
After configuring co-branding settings, provide your customers with the web
address to access their co-branded administrator console or End User
Console if you are a reseller. The web address may vary for different regions.
Table 67. Administrator Console Addresses

Account Type: Customer Licensing Portal accounts and Licensing Management Platform accounts
Console Address: For these accounts, the web addresses of the administrator console still
remain unchanged.
For detailed web addresses, see Accessing the Trend Micro Email Security
Administrator Console on page 26.

Account Type: Local subaccounts added by the administrator
Console Address: Append /co-brand/ and the Trend Micro Email Security account name to
the base URL.
For example, to access the co-branded administrator console for the
account named “adminB”, type the following address for your region:
• North America, Latin America and Asia Pacific:
https://ui.tmes.trendmicro.com/co-brand/adminB
• Europe, the Middle East and Africa:
https://ui.tmes.trendmicro.eu/co-brand/adminB
• Australia and New Zealand:
https://ui.tmes-anz.trendmicro.com/co-brand/adminB
• Japan:
https://ui.tmems-jp.trendmicro.com/co-brand/adminB

Account Type: SSO accounts
Console Address: For these accounts, the console address is the URL generated in Step 4 in
Configuring Single Sign-On on page 264.

Table 68. End User Console Addresses

Account Type: Local accounts
Console Address: Append /euc-co-brand/ and the Trend Micro Email Security managed
domain to the base URL.
For example, to access the co-branded End User Console for the managed
domain “example.com”, type the following address for your region:
• North America, Latin America and Asia Pacific:
https://euc.tmes.trendmicro.com/euc-co-brand/example.com
• Europe, the Middle East and Africa:
https://euc.tmes.trendmicro.eu/euc-co-brand/example.com
• Australia and New Zealand:
https://euc.tmes-anz.trendmicro.com/euc-co-brand/example.com
• Japan:
https://euc.tmems-jp.trendmicro.com/euc-co-brand/example.com

Account Type: SSO accounts
Console Address: For these accounts, the console address is the URL generated in Step 4 in
Configuring Single Sign-On on page 280.


Service Integration
Currently, Trend Micro Email Security integrates with the following Trend
Micro products:
• Apex Central
For more information about Apex Central, see Apex Central on page 23.
• Remote Manager
For more information about Remote Manager, see Trend Micro Remote
Manager on page 25.
Furthermore, Trend Micro Email Security supports API openness to allow
integration with external systems via APIs. For example, Trend Micro Email
Security opens REST APIs to allow customers to query domains; query, add,
replace, and delete directory users; and retrieve policy event logs and mail
tracking logs for the purpose of third-party SIEM application integration.

API Access
Trend Micro Email Security allows connection from the Directory
Synchronization Tool to automate the import of directory files for valid
recipient email addresses, user groups and email aliases. Also, Trend Micro
Email Security provides programmatic access through REST APIs, allowing
customers to perform create, read, update and delete operations on
resources within Trend Micro Email Security.
To use these features, API Keys are required to authenticate the external
systems' access to Trend Micro Email Security.
The API Access tab lets you obtain and manage your API Keys.

Obtaining an API Key

Procedure
1. Go to Administration > Service Integration.


2. On the API Access tab, click Add to generate a key.

The API Key is the global unique identifier for your application to
authenticate its access to Trend Micro Email Security. A new API Key is
enabled by default.

If you want to change your API Key later on, click Add to generate a new
key and use the new key in your requests. You can click the toggle button
under Status to disable the old key or delete it if both of the following
conditions are met:

• Requests can be sent successfully with the new key.

• The old key is not used by any other applications that have access to
Trend Micro Email Security.

A maximum of two API Keys are allowed at a time.

Important
The API Key allows your application to communicate with Trend Micro
Email Security. Keep the API Key private.

Apex Central
Trend Micro Apex Central consolidates your organization's Virtual Analyzer
and user-defined suspicious object lists and synchronizes the lists among
integrated managed products. After Trend Micro Email Security is registered
to Apex Central, Apex Central automatically synchronizes the Virtual
Analyzer and user-defined suspicious object lists with Trend Micro Email
Security at a scheduled time interval. In addition to its own scanning
mechanism, Trend Micro Email Security implements these lists during URL
and file scanning.

The Apex Central tab lets you configure the following suspicious object lists:

• Suspicious URL list

• Suspicious file list


For more information about how Apex Central manages suspicious object
lists, see the Apex Central Administrator's Guide.

Configuring Suspicious Object Settings


Trend Micro Apex Central consolidates and synchronizes the Virtual
Analyzer and user-defined suspicious object lists with Trend Micro Email
Security. Enable this feature to implement the lists during scanning.
Before you begin configuring this feature, make sure that:
• You have installed Apex Central, and your Apex Central has a serving
Deep Discovery product, which can be a Deep Discovery Inspector, Deep
Discovery Email Inspector, or Deep Discovery Analyzer.
• Your Trend Micro Email Security has been registered to a required
Trend Micro Apex Central.
• You have enabled Web Reputation settings in the spam policy you want
to apply the suspicious URL list to.

Procedure
1. Go to Administration > Service Integration.
2. Click Apex Central.
3. Select the Enable check box to enable this feature.
4. Under Security Level for Files, specify the security level for files to
determine whether to take actions on the files:
• High: Applies actions on files that exhibit any suspicious behavior.
• Medium: Applies actions on files that have moderate to high
probability of being malicious.
• Low: Applies actions on files that have a high probability of being
malicious.
Suspicious URLs are detected during Web Reputation scanning.
Therefore, when you configure Web Reputation settings in your spam
policy, specify the security level to determine whether to take actions on
the URLs.

Note
Trend Micro Email Security classifies all files and URLs in the user-defined
suspicious object lists as "High" risk.

5. Check additional information about suspicious object list
synchronization from Apex Central.

6. Click Save.

Remote Manager
The Remote Manager tab shows the settings you must configure to integrate
with Remote Manager.

To enable Trend Micro Remote Manager to monitor and manage Trend
Micro Email Security:

1. Contact your reseller administrator to add Trend Micro Email Security
as a managed product on the Remote Manager web console and obtain
the authorization key generated by Remote Manager.

2. Go to Administration > Service Integration and click Remote Manager.

3. Type the authorization key you obtained and click Connect.

To prevent Trend Micro Remote Manager from managing Trend Micro Email
Security:

1. Go to Administration > Service Integration and click Remote Manager.

2. Click Discontinue.

3. After you get a confirmation message, click OK.


License Information
The License Information screen provides a summary of the following:

• Purchased version: Displays the product license version you purchased.

• Activation code: Displays the activation code.

• Expiration date: Displays the date on which your license expires.

• License type: Displays either “Full” or “Trial” version.

• Seat count: Displays the total number of seats assigned to your license.

Immediately after your license expires, it will go through a grace period,
wherein the service continues as expected. After the grace period, your
service will be suspended, and your data will be permanently deleted. To
prevent unnecessary disruptions to your email service, please renew your
license before it expires.

There are two ways to manage your licenses:

• From the Licensing Management Platform

The Licensing Management Platform allows partners to self-provision
and auto-renew licenses. Contact your reseller or MSP to add, renew or
extend your licenses.

• From the Customer Licensing Portal

Visit the Customer Licensing Portal website at
https://clp.trendmicro.com and activate, register and manage your products on
the portal. For details, see the supporting documentation at:

http://docs.trendmicro.com/en-us/smb/customer-licensing-portal.aspx

If you want to convert a trial license into a full license or upgrade from Trend
Micro Email Security Standard to Trend Micro Email Security, do the
following:

1. Log on to the Customer Licensing Portal website
(https://clp.trendmicro.com).

2. From the Customer Licensing Portal page, click Provide Key.

3. Provide your activation code and click Continue.

Activating Sandbox as a Service


To activate Sandbox as a Service, obtain the Activation Code from your Trend
Micro sales representative or reseller and provide the Activation Code on the
Customer Licensing Portal.

Note
If you have not activated the license for Sandbox as a Service or your license
expires, all your Virtual Analyzer settings in virus and spam policies cannot
take effect.

Procedure

1. Log on to the Customer Licensing Portal using your Trend Micro
account and password.

2. Click the My Products/Services menu tab.

3. Click Provide Key.

The License Key screen appears.

4. Type your Activation Code.

5. Click Continue.

The My Products/Services screen appears and displays the updated
license information.

6. Log on to the Trend Micro Email Security administrator console.

7. Check whether the license activation is successful.

Wait for some time because the license activation may take as long as 20
minutes to finish. If you keep seeing the error message about the
Sandbox as a Service license after that, contact technical support for
assistance.

Migrating Data from Hosted Email Security


If you are a customer of Trend Micro Hosted Email Security and want to
switch to Trend Micro Email Security, Trend Micro Email Security allows you
to migrate your existing data from Hosted Email Security.

There are two ways to migrate your data:

• Provisioning wizard

When you log on to the Trend Micro Email Security administrator
console for the first time, a provisioning wizard will be launched, asking
whether to migrate your data from Hosted Email Security before
provisioning your account. If you choose to migrate data, follow the on-
screen instructions to perform migration. If you choose not to migrate
data, you will proceed with provisioning.

• Data migration tool

If you decide to migrate data after going through all the features on the
administrator console, choose Administration > Hosted Email Security
Migration Tool to run the tool for data migration. The data migration
tool is only available after you choose not to migrate data in the
provisioning wizard. Follow the on-screen instructions to perform
migration with the tool.

The following procedure details how to use the wizard for data migration and
provisioning.

Procedure

1. In the provisioning wizard, choose Migrate data from Hosted Email
Security.

The migration starts, and the progress is displayed in the wizard.

The migration process may take up to one hour depending on the size of
your account, domain and policy settings.
2. Click Next once the migration is done.
You are ready to proceed with provisioning.

Note
If you have any settings in Trend Micro Email Security, your current
settings will be overwritten during the migration process.

3. Provide your administrator profile information.
Keep your information current because Trend Micro will send you
important maintenance plans, urgent incidents and new features.
a. Type your first name and last name.
b. Specify your email address.
c. Optionally specify your mobile number, click Send Verification
Code, and type the verification code sent to your mobile phone.
d. Click Next.
An email message will be sent to your registered email address.
Check your mailbox and click the verification link in the message to
proceed.
4. Set your company identifier.


Note
Your domain settings will then be migrated from Hosted Email Security.
Trend Micro generates a custom subdomain for your company based on
the company identifier you set. For example, if your company identifier is
"example", your MX record for incoming email messages will be generated
based on your location.
• North America, Latin America and Asia Pacific:
example.in.tmes.trendmicro.com
• Europe, the Middle East and Africa:
example.in.tmes.trendmicro.eu
• Australia and New Zealand:
example.in.tmes-anz.trendmicro.com
• Japan:
example.in.tmems-jp.trendmicro.com

You still need to perform further setup tasks to get Trend Micro Email
Security up and running. For details, see Setting Up Trend Micro Email
Security After Data Migration on page 314.

Data That Will Be Migrated


The following data and settings will be migrated to Trend Micro Email
Security:
• Dashboard customization settings
• Sender Filter settings
• Keywords and expressions in policy objects
• Notifications in policy objects
• Stamps in policy objects


• Web Reputation Approved List

• BEC settings

• Scan exceptions and settings

• IP reputation settings

• Time-of-Click Protection settings

• Sender address types in quarantine settings

• End user logon method settings

• Synchronization authentication key for Directory Synchronization Tool

• Administrator profile information

• Administrator subaccounts

Note
If the subaccount names that you migrate from Hosted Email Security
already exist in Trend Micro Email Security, those subaccounts will be
renamed, and you will be prompted with the details.

• Co-branding settings

• Policy rule order

Note
The order of policy rules can be customized for a single domain in Hosted
Email Security. After migration, policy rules are categorized by different
types of rules in Trend Micro Email Security, but the order for each type of
rules is retained. For example, for virus policy rules of a single domain,
the original order will still be applied.

• Domain settings, including inbound server information, outbound server
information and domain status

• All policy rules


• Recipient Filter settings

• Approved and blocked senders

• TLS Peers

• SPF settings

• DKIM verification and signing settings

• DMARC settings

• Quarantine digest settings

• End user managed accounts

Data That Will Not Be Migrated


The following data and settings will not be migrated to Trend Micro Email
Security:

• Mail tracking logs

• Quarantine messages and logs

• Policy event logs

• Audit logs

• DMARC records

• Statistical data on the dashboard

• Last trigger time of policy rules

• Synchronization history of valid recipients, groups and email aliases

• Single sign-on settings for end user accounts

• Remote Manager integration settings


Setting Up Trend Micro Email Security After Data Migration


To ensure your organization achieves effective email security protection,
Trend Micro Email Security recommends you perform the following tasks
after data migration:
1. Verify the migrated data on the Trend Micro Email Security
administrator console.
For details about the migrated data, see Data That Will Be Migrated on
page 311.
2. Set up Trend Micro Email Security after migration, for example, adjust
your domain and account settings.
a. Check the status of the domain you added for provisioning and
make sure your domain has been properly configured.
Perform the following operations if necessary:
• Verify your domain to prove that you own the domain.
• Modify your firewall settings to accept email messages from
Trend Micro Email Security.
• Change the MX record of your domain to point to the Trend
Micro Email Security server.
• Modify the SPF record for your domain.
For details, see Configuring a Domain on page 61.
b. Obtain the web address for you to access the Trend Micro Email
Security administrator console based on your licensing agreement
with Trend Micro.
For details, see Accessing the Trend Micro Email Security Administrator
Console on page 26.
c. Share the End User Console web address for your region with your
end users:
• North America, Latin America and Asia Pacific:
https://euc.tmes.trendmicro.com
• Europe, the Middle East and Africa:
https://euc.tmes.trendmicro.eu
• Australia and New Zealand:
https://euc.tmes-anz.trendmicro.com
• Japan:
https://euc.tmems-jp.trendmicro.com

3. If you want to enable single sign-on (SSO) for end user accounts,
complete required settings.

For details, see Configuring Single Sign-On on page 280.

4. Install the latest version of the Directory Synchronization Tool.

For details, see Installing the Directory Synchronization Tool on page 300.

Migrating Data from IMSS or IMSVA


If you are a customer of InterScan Messaging Security Suite (IMSS) or
InterScan Messaging Security Virtual Appliance (IMSVA) and want to switch
to Trend Micro Email Security, Trend Micro Email Security allows you to
migrate your existing data from IMSS 9.1 or IMSVA 9.1.

Data That Will Be Migrated


All settings in IMSS or IMSVA will be migrated to Trend Micro Email Security
completely or partially except those listed in Data That Will Not Be Migrated
on page 323. Among the settings that are partially migrated, some are
modified to adapt to Trend Micro Email Security due to the feature
differences between IMSS or IMSVA and Trend Micro Email Security.
Therefore, you need to confirm or fix these settings according to the on-
screen instructions after migration.


The following table lists some examples of the settings that will be partially
migrated and describes the feature differences.

Note
For details about all the settings that are completely or partially migrated, see
the data migration report downloaded from the Trend Micro Email Security
administrator console when the migration completes.

Navigation in IMSS or IMSVA: Policy > Policy List
Source Settings: The following settings on the Step 1: Select Recipients and Senders screen:
• Sender
• Recipient
• Sender to recipient exception
Navigation in Trend Micro Email Security: The following submenus under the Inbound Protection and Outbound Protection menus:
• Virus Scan
• Spam Filtering
• Content Filtering
• Data Loss Prevention (DLP)
Destination Settings: The following settings in the Senders section of the Recipients and Senders tab:
• Sender
• Recipient
• Sender to recipient exception
Feature Differences: LDAP users in IMSS or IMSVA are migrated as static email addresses in Trend Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Policy List
Source Settings: Condition match settings on the Step 2: Select Scanning Conditions screen
Navigation in Trend Micro Email Security:
• Inbound Protection > Content Filtering
• Outbound Protection > Content Filtering
Destination Settings: Condition match settings in the Advanced section of the Scanning Criteria tab
Feature Differences: Only content filtering supports all condition matched (AND).

Navigation in IMSS or IMSVA: Policy > Policy List
Source Settings: True file type settings in the Attachment section of the Step 2: Select Scanning Conditions screen
Navigation in Trend Micro Email Security:
• Inbound Protection > Content Filtering
• Outbound Protection > Content Filtering
Destination Settings: True file type settings in the Advanced section of the Scanning Criteria tab
Feature Differences: Trend Micro Email Security does not support MSI, PNG, 7-Zip, or Microsoft Windows shortcuts.

Navigation in IMSS or IMSVA: Policy > Approved List
Source Settings: The settings of the following approved lists:
• DKIM approved list
• Web reputation approved list
• URL keyword list
Navigation in Trend Micro Email Security:
• Inbound Protection > Domain-based Authentication > DomainKeys Identified Mail (DKIM) Verification (Ignored peers of the Default domain)
• Administration > Policy Objects > Web Reputation Approved List
• Administration > Policy Objects > URL Keyword Exception List
Destination Settings: The settings of the following approved lists:
• DKIM approved list
• Web reputation approved list
• URL keyword exception list
Feature Differences: None

Navigation in IMSS or IMSVA: Policy > Policy Objects > Address Groups
Source Settings: Name and address settings of an address group
Navigation in Trend Micro Email Security: Administration > Policy Objects > Address Groups
Destination Settings: Name and address settings of an address group
Feature Differences: Trend Micro Email Security does not support wildcarded domains in the format *@*.example.com.
If an address group is used as senders (or sender exceptions) in outbound policies or recipients (or recipient exceptions) in inbound policies and the group contains email addresses from unmanaged domains, Trend Micro Email Security will create a copy of the address group, delete those email addresses from the copy, and suffix the copy name with " - internal".

Navigation in IMSS or IMSVA: Policy > Policy Objects > Keywords & Expressions
Source Settings: Match settings of a keyword or expression
Navigation in Trend Micro Email Security: Administration > Policy Objects > Keywords and Expressions
Destination Settings: Match settings of a keyword or expression
Feature Differences: Trend Micro Email Security does not support keywords or expressions whose match type is Only when combined score exceeds threshold.

Navigation in IMSS or IMSVA: Policy > Policy Objects > Policy Notification
Source Settings: Variables list in the settings of a policy notification
Navigation in Trend Micro Email Security: Administration > Policy Objects > Notification
Destination Settings: Variables list in the settings of a policy notification
Feature Differences: Trend Micro Email Security does not support the following variables:
• %HEADERS%
• %RULETYPE%
• %ENTITY%
• %QUARANTINE_PATH%
• %QUARANTINE_AREA%
• %PROTOCOL%
• %HOSTNAME%
• %MAILCHARSET%
• %SUSPICIOUS_URL%


Navigation in IMSS or IMSVA: Sender Filtering > Approved List
Source Settings: The following settings of an approved list:
• IP addresses
• Groups of computers
Note
Trend Micro Email Security migrates IP addresses and groups of
computers from IMSVA only if the Email Reputation and IP Profiler check
box to the right of Apply to is selected. This restriction does not
apply to IMSS.
Navigation in Trend Micro Email Security: Inbound Protection >
Connection Filtering > IP Reputation > Approved IP Addresses
Destination Settings: IP address settings in the IP addresses section
Feature Differences: Trend Micro Email Security does not support the
following settings:
• IP addresses resolved from domains
• Private IP addresses
• IP addresses in disabled approved lists

Navigation in IMSS or IMSVA: Sender Filtering > Blocked List
Source Settings: The following settings of a blocked list:
• IP addresses
• Groups of computers
Note
Trend Micro Email Security migrates only IP addresses and groups of
computers whose Action is Block Permanently.
Navigation in Trend Micro Email Security: Inbound Protection >
Connection Filtering > IP Reputation > Blocked IP Addresses
Destination Settings: IP address settings in the IP addresses section
Feature Differences: Trend Micro Email Security does not support the
following settings:
• IP addresses resolved from domains
• Private IP addresses
• IP addresses in disabled blocked lists


Navigation in IMSS or IMSVA: Sender Filtering > DMARC
Source Settings: DMARC settings
Note
DMARC settings are available only in IMSVA.
Navigation in Trend Micro Email Security: Inbound Protection >
Domain-based Authentication > Domain-based Message Authentication,
Reporting and Conformance (DMARC)
Destination Settings: DMARC settings
Feature Differences: Trend Micro Email Security does not support DMARC
exception lists in the format of IP addresses.


Navigation in IMSS or IMSVA: Administration > IMSVA Configuration > DKIM
Signature
Source Settings: Advanced settings of DKIM signatures
Note
DKIM signatures are available only in IMSVA.
Navigation in Trend Micro Email Security: Outbound Protection >
DomainKeys Identified Mail (DKIM) Signing
Destination Settings: Advanced settings of DKIM signatures
Feature Differences: Trend Micro Email Security does not support exempt
domains.
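
A pre-migration check built from the feature differences listed above, as an added example (not Trend Micro code): it flags notification variables, wildcarded-domain addresses and approved or blocked list entries that will not carry over. The input layout, the function names, the exact-match rule for managed domains and the reading of "private" as the RFC 1918 ranges are assumptions, and the sample data is constructed.

```python
import ipaddress
import re

# Notification variables listed above as unsupported in Trend Micro Email Security.
UNSUPPORTED_VARIABLES = {
    "%HEADERS%", "%RULETYPE%", "%ENTITY%", "%QUARANTINE_PATH%",
    "%QUARANTINE_AREA%", "%PROTOCOL%", "%HOSTNAME%", "%MAILCHARSET%",
    "%SUSPICIOUS_URL%",
}
VARIABLE_RE = re.compile(r"%[A-Z_]+%")

# Assumption: "private IP addresses" means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_notification(template):
    """Return the unsupported variables used in a notification template."""
    return sorted(set(VARIABLE_RE.findall(template)) & UNSUPPORTED_VARIABLES)


def check_address_group(addresses, managed_domains):
    """Sort group members by what the migration will do with them."""
    managed = {d.lower() for d in managed_domains}
    result = {"kept": [], "wildcard_domain": [], "unmanaged": []}
    for addr in addresses:
        domain = addr.strip().lower().rpartition("@")[2]
        if "*" in domain:
            # *@*.example.com style: the wildcarded-domain format is unsupported.
            result["wildcard_domain"].append(addr)
        elif domain not in managed:
            # Deleted from the " - internal" copy when the group is used as
            # outbound senders or inbound recipients.
            result["unmanaged"].append(addr)
        else:
            result["kept"].append(addr)
    return result


def check_ip_entries(entries):
    """Return (entry, reason) for list entries that will not be migrated."""
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            # Not an IP or CIDR: a host name the appliance resolves to an IP.
            findings.append((entry, "resolved from a domain"))
            continue
        if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            findings.append((entry, "private IP address"))
    return findings


def audit(config, managed_domains):
    """Run every check over a config dict; return only items with findings."""
    report = {"notifications": {}, "address_groups": {}, "ip_lists": {}}
    for name, template in config.get("notifications", {}).items():
        bad = check_notification(template)
        if bad:
            report["notifications"][name] = bad
    for name, members in config.get("address_groups", {}).items():
        result = check_address_group(members, managed_domains)
        if result["wildcard_domain"] or result["unmanaged"]:
            report["address_groups"][name] = result
    for name, entries in config.get("ip_lists", {}).items():
        bad = check_ip_entries(entries)
        if bad:
            report["ip_lists"][name] = bad
    return report


# Constructed sample data; the layout is an assumption, not the export format.
SAMPLE_MANAGED = ["example.com"]
SAMPLE_CONFIG = {
    "notifications": {
        "virus-alert": "From %SENDER%: %SUBJECT% on %HOSTNAME%, "
                       "stored in %QUARANTINE_PATH%",
        "dlp-alert": "Message from %SENDER% was blocked",
    },
    "address_groups": {
        "finance": ["alice@example.com", "*@*.example.com",
                    "bob@partner.example", "*@example.com"],
        "staff": ["carol@example.com"],
    },
    "ip_lists": {
        "approved": ["203.0.113.5", "10.20.0.0/16",
                     "mail.partner.example", "192.168.1.10"],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_CONFIG, SAMPLE_MANAGED), indent=2))
```

Items it reports are the ones to recreate or correct by hand in Trend Micro Email Security after the migration.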

Data That Will Not Be Migrated


The following table lists the settings on the IMSS or IMSVA management
console that will not be migrated to Trend Micro Email Security and
gives the reason for each. None of the settings on the EUQ management
console will be migrated.

Note
For details about all the settings that are not migrated, see the data migration
report downloaded from the Trend Micro Email Security administrator console
when the migration completes.


Navigation in IMSS or IMSVA | Settings | Remarks

Navigation in IMSS or IMSVA: Dashboard
Settings: All settings
Remarks: The dashboard is a statistical summary of past mail traffic
and scanning results. Trend Micro Email Security provides a more
powerful dashboard feature.

Navigation in IMSS or IMSVA: System Status
Settings: All settings
Remarks: Trend Micro Email Security is a cloud-based product. It is
unnecessary to display system status information.

Navigation in IMSS or IMSVA: Cloud Pre-Filter
Settings: All settings
Remarks: Trend Micro Email Security is a cloud-based product. It is
unnecessary to display cloud pre-filter information.


Navigation in IMSS or IMSVA: Policy > Policy List
Settings:
• Settings on the Step 1: Select Recipients and Senders screen
  • POP3 option of the This rule will apply to drop-down list
• Settings on the Step 2: Select Scanning Conditions screen
  • C&C email settings check box in the C&C Email section
  • Received time range check box in the Others section
  • Unable to decrypt messages check box in the Others section
  • Spoofed internal messages check box in the Others section
• Settings on the Step 3: Select Actions screen
  • Postpone delivery to check box in the Modify section
  • Archive modified to check box in the Monitor section
Remarks: Trend Micro Email Security does not support these settings.


Navigation in IMSS or IMSVA: Policy > Scanning Exceptions
Settings: All settings
Remarks: Trend Micro Email Security provides more powerful scan
exception configuration, which is different from the configuration in
IMSS or IMSVA. You need to manually configure scan exception settings
in Trend Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Policy Objects > DLP Compliance
Templates
Settings: Predefined DLP compliance templates
Remarks: Trend Micro Email Security already provides predefined DLP
compliance templates.

Navigation in IMSS or IMSVA: Policy > Policy Objects > DLP Data
Identifiers
Settings: Predefined expressions, file attributes, and keyword lists
Remarks: Trend Micro Email Security already provides predefined DLP
data identifiers.

Navigation in IMSS or IMSVA: Policy > Scan Engine
Settings: All settings
Remarks: Advanced Threat Scan Engine is enabled automatically in Trend
Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Internal Addresses
Settings: All settings
Remarks: IMSS or IMSVA uses the Internal Addresses menu to determine
mail traffic direction in policy configuration. This is unnecessary in
Trend Micro Email Security.

Navigation in IMSS or IMSVA: Policy > Smart Protection
Settings: All settings
Remarks: Smart Protection is enabled automatically in Trend Micro Email
Security.

Navigation in IMSS or IMSVA: Policy > Encryption Settings
Settings: All settings
Remarks: These settings are designed for on-premise products. Trend
Micro Email Security completes all encryption settings on the cloud
server automatically.


Navigation in IMSS or IMSVA: Sender Filtering > Overview
Settings: All settings
Remarks: Trend Micro Email Security provides block traffic details
under Logs > Mail Tracking.

Navigation in IMSS or IMSVA: Sender Filtering > Rules
Settings: All settings
Remarks: Trend Micro Email Security does not support this feature.

Navigation in IMSS or IMSVA: Sender Filtering > Suspicious IP
Settings: All settings
Remarks: Trend Micro Email Security does not support this feature.

Navigation in IMSS or IMSVA: Reports
Settings: All settings
Remarks: Trend Micro Email Security provides a more powerful report
feature.

Navigation in IMSS or IMSVA: Logs
Settings: All settings
Remarks: Trend Micro Email Security provides a more powerful log query
feature.

Navigation in IMSS or IMSVA: Mail Areas & Queues
Settings: All settings
Remarks: Trend Micro Email Security provides a more powerful quarantine
query feature. Other mail queue management is not supported by Trend
Micro Email Security.

Navigation in IMSS or IMSVA: Administration
Settings: All settings except DKIM signatures
Remarks: These features provided by IMSS or IMSVA are mainly for
on-premise products while Trend Micro Email Security is a cloud-based
product.

Prerequisites for Data Migration


Before migrating data from IMSS 9.1 or IMSVA 9.1, make sure the following
has been done:
• Add, provision, and verify the domains you want to manage through
Trend Micro Email Security.
For details, see Adding a Domain on page 59.

• Synchronize with LDAP servers using the Directory Synchronization
Tool if LDAP settings are enabled in IMSS or IMSVA.
The Directory Synchronization Tool is available under Administration >
Directory Management.
For details, refer to the Directory Synchronization Tool User's Guide.
• Enable IMSS or IMSVA to support Trend Micro Email Security migration
by doing the following:
1. On the IMSS or IMSVA management console, go to Administration
> Updates > System & Applications and check the build number.
If the build number does not meet the following requirements,
install the latest service pack and hotfix.
• IMSS 9.1.0.1357 or later
• IMSVA 9.1.0.2011 or later
2. Enable the hidden key in the IMSS or IMSVA admin database by
running the following SQL statement:

Note
IMSS and IMSVA use the same configuration file imss.ini.

insert into tb_global_setting (section, name, value, inifile)
values ('imp_exp', 'enable_ems_migrate', '1', 'imss.ini');

• Export configuration files from the IMSS or IMSVA management console
under Administration > Import/Export.

Migrating Data to Trend Micro Email Security

Procedure

1. Go to Administration > IMSS/IMSVA Migration Tool.

2. Read the on-screen instructions, and click Get Started.

3. On the pop-up screen, click Choose File..., select the configuration file
you exported, select Overwrite or Merge, and click Next.

Trend Micro Email Security begins to create a migration task, analyze
the configuration file, and generate a data analysis report.

Note
This process may take several minutes, depending on the size of the
configuration file.

4. At Step 2 on the pop-up screen, view pre-migration check results to
determine which settings will be migrated to Trend Micro Email
Security and which will not.

a. Select an option from the Show drop-down list to show the settings
in a specific state.

• Not supported: Settings in this state are not supported in Trend
Micro Email Security and will not be migrated. If you need
these settings, you have to add them in Trend Micro Email
Security manually.

• Error: There are some critical issues with the settings in this
state, but the settings will still be migrated to Trend Micro
Email Security. During migration, some improper settings may
be removed or modified. The settings in Trend Micro Email
Security may differ from what you expect after migration, and the
corresponding policies will be disabled temporarily. You need
to fix these error settings and enable the policies manually
after migration.

• Warning: There are some minor issues with the settings in
this state, and the settings will be automatically handled by
Trend Micro Email Security. You only need to confirm these
warning settings after migration.
• Successful: Settings in this state will be migrated to Trend
Micro Email Security without any issue.
b. View the detailed description of the settings in the table.
c. Click Download Report to download the data analysis report.
d. (Optional) If the data analysis report contains too many error
settings, click Cancel, modify the settings, and restart migration.
Clicking Cancel at this step will not import the settings into Trend
Micro Email Security.
5. Click Next to proceed with the migration.
Trend Micro Email Security begins to analyze the configuration file,
import settings in the configuration file, and generate a data migration
report.

Note
This process may take several minutes, depending on the size of the
configuration file.

6. At Step 3 on the pop-up screen, view the migration results to find which
settings are migrated to Trend Micro Email Security and which are not.
a. Select an option from the Show drop-down list to show the settings
in a specific state.
• Not supported: Settings in this state are not supported in Trend
Micro Email Security and are not migrated. If you need these
settings, you have to add them in Trend Micro Email Security
manually.
• Error: There are some critical issues with the settings in this
state, but the settings are still migrated to Trend Micro Email
Security. During migration, some improper settings may be
removed or modified. The settings in Trend Micro Email
Security may differ from what you expect after migration, and the
corresponding policies are disabled temporarily. You need to
fix these error settings and enable the policies manually after
migration.
• Warning: There are some minor issues with the settings in
this state, and the settings are automatically handled by Trend
Micro Email Security. You only need to confirm these warning
settings after migration.
• Successful: Settings in this state are migrated to Trend Micro
Email Security without any issue.
b. View the detailed description of the settings in the table.
c. Click Download Report to download the data migration report.
7. Click Finish.
Under Inbound Protection and Outbound Protection, you will find that
the Migration status drop-down list and Migration status column are
added on the policy list screens. Deselect the Show migration status
check box in the migration tool if you no longer want Trend Micro Email
Security to show the Migration status drop-down list and Migration
status column.
You still need to verify the migrated data after the migration. For details,
see Verifying Data After Migration on page 331.

Verifying Data After Migration


To ensure your organization achieves effective email security protection,
Trend Micro Email Security recommends that you perform the following
tasks after data migration:

Procedure
1. Verify migrated policy data under Inbound Protection and Outbound
Protection.
a. Go to the following locations respectively:
• Virus Scan
• Spam Filtering
• Content Filtering
• Data Loss Prevention (DLP)

Note
After migration, policy rules are categorized into the following four
types: virus scan, spam filtering, content filtering, and DLP.

b. Select Error or Warning from the Migration status drop-down list.


c. Follow the on-screen instructions in the Migration status column to
fix error settings or confirm warning settings and enable the
corresponding policies.
d. Reorder policy rules.
You can manually reorder the policy rules in each domain after
migration if they do not meet your requirements. For details, see
Reordering Policy Rules on page 145.
2. Verify other migrated data.
a. Go to Inbound Protection > Connection Filtering > IP Reputation >
Settings to verify email reputation settings.
b. Go to the following locations respectively to verify approved and
blocked IP addresses:
• Inbound Protection > Connection Filtering > IP Reputation >
Approved IP Addresses
• Inbound Protection > Connection Filtering > IP Reputation >
Blocked IP Addresses
c. Go to Inbound Protection > Domain-based Authentication >
DomainKeys Identified Mail (DKIM) Verification to verify the
Global DKIM Enforcement rule.
d. Go to Inbound Protection > Domain-based Authentication >
Domain-based Message Authentication, Reporting and
Conformance (DMARC) to verify DMARC settings.
e. Go to Inbound Protection > Spam Filtering > Time-of-Click
Protection to verify time-of-click protection settings.
f. Go to Outbound Protection > DomainKeys Identified Mail (DKIM)
Signing to verify DKIM signature settings.
g. Go to Administration > Policy Objects to verify policy object
settings.

FAQs and Instructions


Table 69. Frequently Asked Questions (FAQs)

Question Answer

Question: What is Trend Micro Email Security?
Answer: Trend Micro Email Security provides always-up-to-the-minute
email security with no maintenance required by IT staff to stop
spam, viruses and other malware before they reach your network.
Trend Micro Email Security is a cloud service that can benefit any
size organization. We provide the hardware, software, and
messaging expertise to cleanse your email messages of spam,
viruses, worms, Trojans, and phishing (identity theft) attacks. The
cleaned email messages are sent directly to your MTA for final
delivery to your end users. Trend Micro Email Security can also use
LDAP directories to help prevent backscatter (or outscatter) spam
and Directory Harvest Attacks (DHA).


Question: What are the advantages of Trend Micro Email Security?
Answer: As a cloud service, Trend Micro Email Security can stop attacks
before they get a chance to reach your network. In addition to
stopping spam, viruses, worms, Trojans, and other malware, Trend
Micro Email Security can protect your network from attacks that:
• Attempt to block your Internet connection (Denial of Service)
• Steal your email addresses for spammers (Directory Harvest
Attacks)

Question: How can I upgrade?
Answer: Trend Micro Email Security is a cloud service and so there is
no need to buy additional hardware or software. The service is
managed by security professionals, relieving your IT staff of the
burden of installing, maintaining, and fine-tuning a complex email
security system.

Question: How can I migrate configurations from the trial Trend Micro
Email Security management console to the production management console
after purchasing Smart Protection Complete with a full license?
Answer: Attach the Customer Licensing Portal account you created with
the Trend Micro Email Security trial license to your Smart Protection
Complete full license first.
1. Log on to Customer Licensing Portal (https://clp.trendmicro.com)
using your account credentials.
2. Go to My Products/Services and click Provide Key.
3. On the License Key screen, type your registration key, not the
activation code, in the Provide your Activation Code or
product key text box, and then click Continue.
4. Select the check box and click Continue to finish the process.
After you re-log on to the Trend Micro Email Security production
management console, all configurations are migrated and your
license is updated.

Question: Will email message delivery be delayed?
Answer: The time required to process each message is measured in
milliseconds. Any delay in the delivery of your messages is
negligible and will not be noticed by the end user.


Question: How much does the service cost?
Answer: Trend Micro Email Security is priced on a per user basis under
an annual contract. The cost per user drops as the number of users
increases.
There is no set-up fee or additional support costs from Trend Micro.
There may be a small fee (unlikely) associated with changing your
MX record. Contact your web-hosting service to review their pricing
policies.

Question: Is Trend Micro Email Security confidential? Who reads my
mail?
Answer: All messages are processed automatically and transparently.
Many messages are rejected before they are even received based on the
reputation of the IP that is attempting to send the message.
Messages that are received are processed through a multi-layered
spam and virus filtering system that does not include any human
intervention. Messages are never stored unless your MTA becomes
unavailable.

Question: What do I need in order to access the administrator console?
Answer: To use this service you only need to have an existing Internet
gateway or workgroup email connection and a web browser for
accessing the online reporting and administrator console.
To access the console through Trend Micro Licensing Management
Platform, you need the service web address and account
information.

Question: How do I get started using Trend Micro Email Security?
Answer: To get started using Trend Micro Email Security, do the
following:
1. Submit account activation information
2. Log on to the Trend Micro Email Security administrator
console
3. Provision a Trend Micro Business Account
4. Configure the domain you added and add additional domains
if needed
5. Import user directories that will be applied by policies
6. Configure policies to design your organizational protection
solution
For details, see Getting Started with Trend Micro Email Security on
page 26.


Question: How do I redirect my mail exchanger record (MX record)?
Answer: Before redirecting your MX record to the service, make sure you
have added and configured your domain in Trend Micro Email
Security.
To redirect your MX record:
1. For details about adding an MX record for the Trend Micro
Email Security server, see step 1 in Configuring a Domain on
page 61.
2. Check the Trend Micro Email Security welcome email message,
which contains the specific MX record information.
3. Do one of the following:
• Manual configuration
If you manage your own DNS, you can manually edit your
MX record (this applies to self-managed, smaller
accounts).
• Through a support technician
If you are unsure how to configure the MX records for your
domain, contact your Internet Service Provider's (ISP)
help desk or your Domain Name Service (DNS) technician
for assistance. If your DNS is managed by a third-party or
ISP, either they can do this for you or they may have a
simple Web interface allowing you to make the change
yourself. It can take up to 48 hours for any changes to
propagate throughout the system.
After making the modifications to the MX record, Trend Micro Email
Security becomes the point of entry of messages for your domain.
After the DNS record modifications take effect (up to 48 hours), all
inbound email traffic is routed through Trend Micro Email Security.

Tip
After the modifications take effect, test the message route by
sending messages from another email service provider (for
example, Yahoo! Mail or Gmail) to a recipient in your
domain. If you receive the message from that email service
provider, the MX record is configured correctly.


Question: Where can I locate the instruction to redirect the MX record
to point to Trend Micro Email Security?
Answer: The MX record determines the message routing for all email
messages sent to your domain.
The Trend Micro Email Security welcome email message from
Trend Micro specifically provides details about where to redirect
your MX record.

Question: How do I accept email messages from the service?
Answer: To ensure that you are able to receive email messages processed
by the service:
• Configure your firewall to accept traffic from Trend Micro Email
Security IP addresses
• Configure your MTA to accept transactions from these IP
addresses

Question: Can I try Trend Micro Email Security on a limited number of
email addresses?
Answer: Yes.

Tip
Trend Micro recommends that you use a test domain for trial
purposes. Doing so allows you to experience the service and
test how it functions for different types of users.

Question: Does Trend Micro Email Security store or archive email
messages?
Answer: Trend Micro Email Security does not store or archive email
messages by default. All messages are processed and immediately
passed through to the customer's MTA. Messages are not spooled
or stored in memory unless your MTA becomes unavailable.
However, if you create a policy to quarantine messages (spam for
example) these email messages will be stored at our data center for
up to 30 days.
With Email Continuity enabled by default, Trend Micro Email
Security provides a standby email system that gives virtually
uninterrupted use of email in the event of a mail server outage. If
an outage occurs, Trend Micro Email Security will keep your
incoming email messages for 10 days. Once your email server is
back online within the 10-day period, these messages will be
restored to your email server.


Question: How do I reset or resend an End User Console password?
Answer: One of my users lost or cannot remember their password.
Go to Administration > End User Management > Passwords and
fill out the form. The end user will receive an email message with
an activation web address and will need to click the activation web
address and then enter the appropriate email address and a new
password on the Trend Micro Email Security End User Console
logon screen.
For more information, see Changing End User Passwords on page
275.

Question: What does the service do when my MTA is unavailable?
Answer: If your MTA becomes unavailable for whatever reason, your
message stream is automatically queued for up to ten (10) days or
until such time that your server comes back online.
You should not lose any of your valuable email messages due to
hardware or software failure, power outages, network failure or
simple human error.

Question: Where does outgoing mail go?
Answer: By default, your outbound email messages are handled directly
by your own MTA and passed out to other networks as it is currently
handled. However, with Trend Micro Email Security (full version)
you can choose to redirect your outbound email traffic through
Trend Micro Email Security services.
Opting for Outbound Filtering:
When you activate Trend Micro Email Security, you will be informed
of what MTA to send your outbound messages to if you choose to
utilize outbound filtering.
For complete instructions on enabling outbound filtering, see
Configuring a Domain on page 61.

Question: What happens when my license expires?
Answer: Immediately after your license expires, it will go through a
grace period, wherein the service continues as expected. After the
grace period, however, your inbound messages will be stamped with a
notification and you will lose access to the administrator console.
Eventually, your data will be permanently deleted. To prevent
unnecessary disruptions to your email service, please renew your
license before it expires.


Question: How does Trend Micro Email Security implement the Transport
Layer Security (TLS) protocol?
Answer: Trend Micro Email Security is configured in Opportunistic
Transport Layer Security (TLS) mode. In this mode, the MTA servers
first check whether the sending or receiving MTA can perform the SMTP
transaction in TLS mode. If so, the entire session and process are
done in TLS mode.

About MX Records and Trend Micro Email Security

Important
Make sure the MX record is entered exactly as provided in the Trend Micro
Email Security welcome email message.

An MX record (DNS mail exchanger host record) determines the message
routing for all messages sent to a domain. To route messages destined for
your domain through the Trend Micro Email Security MTA, you must point
your MX record to the fully qualified domain name (FQDN) provided in the
welcome email message that Trend Micro sent you after you registered.
To disable Trend Micro Email Security, point your MX record to route all
inbound SMTP traffic to your own mail server.
If you are unsure how to configure the MX records for your domain, contact
your Internet Service Provider or your DNS technician.
The following external links to MX record configuration help pages are
provided for your convenience:
• GoDaddy
http://support.godaddy.com/help/article/680/managing-dns-for-your-domain-names
• Network Solutions
http://www.networksolutions.com/support/mx-records-mail-servers-2/
• Enom
http://www.enom.com/help/hostinghelp.asp?displaymenu=ok&hosthelp=9
• DreamHost
http://wiki.dreamhost.com/MX_record
• Yahoo! SmallBusiness
https://help.smallbusiness.yahoo.net/s/article/SLN17921#add
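
A check for the MX change described in this section, as an added example (not part of the Trend Micro guide): it parses the output of `dig +short MX <domain>` and reports every MX host that is not the FQDN from the welcome email, per resolver, so it can be rerun while the change propagates. The FQDN mx.tmes-placeholder.example is a placeholder for the value in your welcome email, the function and resolver names are illustrative, and the sample answers are constructed.

```python
def parse_mx_answer(text):
    """Parse `dig +short MX <domain>` output into sorted (preference, host)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comments
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"unexpected MX line: {line!r}")
        # DNS names are case-insensitive; dig prints a trailing dot.
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def check_mx(text, expected_fqdn):
    """Compare one resolver's MX answer with the FQDN from the welcome email."""
    expected = expected_fqdn.rstrip(".").lower()
    records = parse_mx_answer(text)
    if not records:
        return {"ok": False, "records": [], "findings": ["no MX records returned"]}
    findings = []
    if expected not in [host for _, host in records]:
        findings.append(f"expected MX host {expected} is missing")
    for preference, host in records:
        if host != expected:
            # Mail delivered to this host is not routed through the service.
            findings.append(
                f"MX {host} (preference {preference}) does not point to the service")
    return {"ok": not findings, "records": records, "findings": findings}


def check_propagation(answers_by_resolver, expected_fqdn):
    """Return the resolvers whose answer does not yet match the expected MX."""
    return sorted(
        name for name, text in answers_by_resolver.items()
        if not check_mx(text, expected_fqdn)["ok"]
    )


# Placeholder for the FQDN in the welcome email; not a real service host name.
EXPECTED = "mx.tmes-placeholder.example"

# Constructed `dig +short MX example.com` answers from three resolvers.
SAMPLE_ANSWERS = {
    "resolver-a": "10 mx.tmes-placeholder.example.\n",
    # Old record still present beside the new one.
    "resolver-b": "10 MX.tmes-placeholder.example.\n20 mail.example.com.\n",
    # Record not entered exactly as provided.
    "resolver-c": "10 mx.tmes-placeholder.exampl.\n",
}

if __name__ == "__main__":
    for name, answer in sorted(SAMPLE_ANSWERS.items()):
        result = check_mx(answer, EXPECTED)
        print(name, "OK" if result["ok"] else result["findings"])
    print("not yet consistent:", check_propagation(SAMPLE_ANSWERS, EXPECTED))
```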

Feature Limits and Capability Restrictions


The following table outlines the limits on both inbound and outbound
messages.
Table 70. Message Limits

Per Message | Limit
Size | Trend Micro Email Security Standard license: 50 MB; Trend Micro Email Security license: 150 MB
Number of recipients per message | 500 recipients

The following table details the limits on End User Console settings.
Table 71. End User Console Limits

Per Seat | Limit
Approved sender list entries | 100 entries
Blocked sender list entries | 100 entries
Retention period for quarantined messages | 30 days

The following table shows message retention information.
Table 72. Retention Schedule

Item | Retention Period
Quarantined email messages (all regions) | 30 days
Message tracking information | 90 days
Message queue when customer MTA is unavailable | Up to 10 days

Viewing Your Service Level Agreement


Trend Micro provides a Service Level Agreement (SLA) for Trend Micro
Email Security that is intended to help your organization receive secure,
uninterrupted email service.

The Service Level Agreement covers availability, latency, spam blocking,
false positives, antivirus, and support. Specific service-level guarantees are
included in the most current version of the Trend Micro Email Security
Service Level Agreement, which you can view or download from this screen.

Important
Provisions of the Service Level Agreement may vary among regions, so be sure
to select your region and language when using this screen. Trend Micro
reserves the right to modify the service at any time without prior notice. The
current version of the Trend Micro Email Security service level agreement is
available for review by paid customers and by customers conducting a trial.

To view the Service Level Agreement for your region:

Procedure

1. Go to Help > Service Level Agreement.

The Service Level Agreement screen appears.

2. From the drop-down list, select your language/region.

Tip
Disable any pop-up blockers for your browser in order to download the
Service Level Agreement.

Trend Micro Email Security displays an Adobe Reader (PDF) document
of the Service Level Agreement for the language and region that you
selected.

Technical Support
Learn about the following topics:

• Contacting Support on page 342

• Sending Suspicious Content to Trend Micro on page 344

• Troubleshooting Resources on page 345

Contacting Support
Depending on how you subscribed to your Trend Micro SaaS offering, the
method of obtaining additional assistance differs. Refer to the following table
to better understand how to contact your support representative.

Purchase Channel | Contact Method

Purchase Channel: Trend Micro direct purchase
Contact Method: Use the online Support Portal to file a case with Trend
Micro support representatives.
For more information, see Using the Support Portal on page 343.

Purchase Channel: Service Provider offering
Contact Method: Contact your service provider directly if you have
questions about the service or are experiencing problems. Service
Providers have more information about your specific environment and may
be able to address your concerns quickly. Most product consoles include
a support link that should provide the necessary contact information.


Using the Support Portal


The Trend Micro Support Portal is a 24x7 online resource that contains the
most up-to-date information about both common and unusual problems.

Procedure
1. Go to https://success.trendmicro.com/business-support.
2. Use the Search Support text box to search for available solutions or
keywords.
3. Click the All Products drop-down and select your product.
4. If no solution is found, click Contact Support and select the type of
support needed.

Tip
To submit a support case online, visit the following URL:
http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24
hours or less.

Speeding Up the Support Call


To improve problem resolution, have the following information available:
• Steps to reproduce the problem
• Appliance or network information
• Computer brand, model, and any additional connected hardware or
devices
• Amount of memory and free hard disk space
• Operating system and service pack version

• Version of the installed agent
• Serial number or Activation Code
• Detailed description of install environment
• Exact text of any error message received

Sending Suspicious Content to Trend Micro


Several options are available for sending suspicious content to Trend Micro
for further analysis.

Email Reputation Services


Query the reputation of a specific IP address and nominate a message
transfer agent for inclusion in the global approved list:
https://www.ers.trendmicro.com/
Refer to the following Knowledge Base entry to send message samples to
Trend Micro:
https://success.trendmicro.com/solution/1112106

File Reputation Services

Gather system information and submit suspicious file content to Trend
Micro:
https://success.trendmicro.com/solution/1059565
Record the case number for tracking purposes.

Web Reputation Services


Query the safety rating and content type of a URL suspected of being a
phishing site, or other so-called "disease vector" (the intentional source of
Internet threats such as spyware and malware):
https://global.sitesafety.trendmicro.com/
If the assigned rating is incorrect, send a re-classification request to Trend
Micro.

Troubleshooting Resources
Before contacting technical support, consider visiting the following Trend
Micro online resources.

Threat Encyclopedia
Most malware today consists of blended threats, which combine two or more
technologies to bypass computer security protocols. Trend Micro combats
this complex malware with products that create a custom defense strategy.
The Threat Encyclopedia provides a comprehensive list of names and
symptoms for various blended threats, including known malware, spam,
malicious URLs, and known vulnerabilities.
Go to https://www.trendmicro.com/vinfo/us/threat-encyclopedia/#malware
to learn more about:
• Malware and malicious mobile code currently active or "in the wild"
• Correlated threat information pages to form a complete web attack story
• Internet threat advisories about targeted attacks and security threats
• Web attack and online trend information
• Weekly malware reports

Download Center
From time to time, Trend Micro may release a patch for a reported known
issue or an upgrade that applies to a specific product or service. To find out
whether any patches are available, go to:
https://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to
determine whether it is relevant to your environment. The Readme file also
contains installation instructions.

Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
document, please go to the following site:
https://docs.trendmicro.com/en-us/survey.aspx

Index

A
Advanced Threat Scan Engine, 155
    about, 155
ATSE, 155
    about, 155

C
condition statements, 140
criteria
    customized expressions, 128, 129
    keywords, 133, 134
customized expressions, 127–129, 131
    criteria, 128, 129
    importing, 131
customized keywords, 132
    criteria, 133, 134
    importing, 135
customized templates, 140
    creating, 141
    importing, 142

D
data identifiers, 126
    expressions, 126
    file attributes, 126
    keywords, 126
Data Loss Prevention, 126
    data identifiers, 126
    expressions, 127–129, 131
    file attributes, 136–138
    keywords, 131–135
    templates, 139–142
documentation feedback, 346

E
expressions, 126, 127
    customized, 127, 131
        criteria, 128, 129
    predefined, 127

F
file attributes, 126, 136–138
    creating, 137
    importing, 138
    predefined, 136
    wildcards, 137

K
keywords, 126, 131
    customized, 132–135
    predefined, 132

L
logical operators, 140

P
PCRE, 128
Perl Compatible Regular Expressions, 128
predefined expressions, 127

S
support
    resolve issues faster, 343

T
templates, 139–142
    condition statements, 140
    customized, 140–142
    logical operators, 140

W
wildcards, 137
    file attributes, 137
