Trendmicro IDF

anishpeter asked:
Has anyone used Intrusion Detection Firewall from Trendmicro on client workstations?
Is this efficient? Can it prevent zero-day exploits?
Is it overkill for workstations (does it make them slow)?
What about buffer overflow attacks?
Can it prevent known exploits?
What about network backdoors?
Can it prevent worms spreading across client machines?

I need independent opinions from experts. Please comment.
Trend Micro consistently has one of the lower records for customer satisfaction, support, and efficacy:
And why would you want to pay for IPS when one of the best is public domain (free):
btan, Exec Consultant
Distinguished Expert 2018
One thing about IDF (Intrusion Defense Firewall): it is a network-level plugin for the OfficeScan HIPS for endpoints. I assume that you have already seen their datasheet and whitepaper.

Its key strength is the variety of filters it supports from the network perspective, like any FW and IDS/IPS, e.g. stateful FW, DPI, exploit, vulnerability and custom filters. I will say if the threat is known, it is an easy kill, and if it just "happens" to bypass all the enterprise network appliances (e.g. due to SSL to the browser) or simply goes onto the internet via 3G or an untrusted network (w/o VPN etc.), this is another layered defense to deter an attacker's onslaught. But then, that is what we call security through diversity (different players in defending, not relying on a single provider).

But this isn't a web application FW, so web exploits via the OWASP Top 10 vulnerabilities may not necessarily be detected, as that requires understanding the logic of the HTTP / Web 2.0 traffic and the parameters used... then again, the network layer is still essential, as the SANS Institute also mentioned: "It is only when we can see our networks as individual components that we can adequately secure these levels." (OSI stack levels)... but then IDF is primed to do the network level (TM will have others to cover the application level, e.g. Browser Guard etc.).

I am doubtful whenever zero days are mentioned as being detected. If it does, it is most likely a known unknown (you just don't know about it, but it is already out in the wild in stealth). Behaviour-, heuristic- and rule-based detection is another level to tap besides signatures only, especially as all threats are riding on HTTP/HTTPS... whitelisting is another way on top of blacklisting. HIPS would already be supporting it.

Another area you may want to note is performance. There are two quick articles which I'd say show TM seems to be not too bad, though average, in scan speed and caching. Also, it is Windows-only support (if I am not wrong).

Overall, I would also want to look out for self-healing and product anti-tampering mechanisms, which are just as critical. If malware does penetrate, it will target and "switch off" the security services, especially the HIPS, so what will be the defense or layer to deter that?

BTW, I believe it has location awareness to switch network profile when you are on wireless, intranet etc. Then again, other HIPS also have that, so what the differences are is something I would ask as well...


Hi Breadtaan,
Thanks for your detailed analysis. I was going through the NSS Labs report, ENDPOINT PROTECTION PRODUCTS 2010 GROUP TEST SUMMARY. Trendmicro is selected as no. 1 in Endpoint Security, but was behind McAfee in these areas:
1. Memory-only Payloads - McAfee 100%, Trendmicro 0%
2. Payload Encoding - McAfee 60%, Trendmicro 40%

How do you feel about the result?
Also, a McAfee representative told me no buffer overflow attack prevention is available for Trendmicro, and the Trendmicro datasheet also does not mention anything about it. What do you think?
I think Trendmicro will be more memory- and CPU-starving compared to McAfee and Kaspersky (some other reports).

I got the Endpoint suite including IDF for the same expense as my license this year. I installed it. I can find almost 200-300 Deep Inspection rules and almost 12 rules for 2012. How do you rate this? Very few, compared to other products?

About application control: I can blacklist some applications, but do you think it is effective? What about whitelisting programs like Lumension does? Please comment.
btan, Exec Consultant
Distinguished Expert 2018
> How do you feel about the result?

I do not have the 2010 report, but NSS Labs has been a respected independent lab which some public tenders quote as a reference to get the appropriate capability recognition. They do paid services, but in this test that is not supposed to be the case; of course the vendor will want to fare well too. I do not doubt their testing capability, and the scope of the test does cover common scenarios as below. For the scoring and ranking, I leave it out, but I would be more interested in where the failure is commonly missed. Then again, it is 2010 technology.

- Exploits downloaded from the web (aka drive-by downloads)
- Malware downloads from the web
- Malware sent in email, opened by Outlook clients
- Malware accessed via network file share and USB flash drive
- Evasion techniques used to disguise the malware and exploits used above

I saw findings stating "Malware protection varies greatly depending on the entry point for most vendors. AV engines are not uniformly applied to keep malware off the machine." and "No vendor has coverage for all of the basic evasions, a serious concern, which allows cyber criminals to easily circumvent EPP products". These would be something to find out: why would TM HIPS fall into these as weak spots in the current 2012 engine and capability?

> What do you think?

I am not so sure why the concern, since you can easily ask TM instead to verify; I am not surprised if a competitor says something against them. But then again, a buffer overflow can be detected by signature in an IDS if the payload is available, e.g. a NOP sled, or even by blocking known faulty or malicious application ports doing such overflows. IDF is primed to do DPI, so it should be checking against the payload if it is available and alerting if a pattern matches (signature-based). Unless we are saying the attack is using evasion techniques and obfuscating the payload in staged attacks, which is more sophisticated and behavioural-based.

I saw it reflected in one of the TM blogs: Server (Deep Security) / Endpoint (OfficeScan with Intrusion Defense Firewall Plug-In) for CVE-2010-3333: Rule #1004498 (Microsoft Word .RTF File Parsing Stack Buffer Overflow Vulnerability).

Likewise, I also saw them mentioning it for Browser Guard (search for "buffer overflow"), so I am not taken aback if it isn't mentioned in the brochure, but it is still good to get TM to advise accurately; there is too much hearsay.

Importantly, as end users, we do not want to have a false sense of security. One thing to note is also that TM OfficeScan leverages their cloud-based Smart Protection Network infrastructure, where the bulk of signatures aren't deployed to the endpoints. If there is no SPN, they would be lacking a fair amount as well.

> I think Trendmicro will be more memory- and CPU-starving compared to McAfee and Kaspersky
It will be great if those competitors can shed more info if they really say so; at least TM is putting the info out in public (though I am not saying it is the best estimate, but at least they shared it openly).

> How do you rate this? Very few, compared to other products?

Do we want to rate by the number of rules provided by each HIPS? Is that the best way of assessment? My point is, as long as it gets the job done in a secure and fast manner and is not worse off in security state than before, I would see them as better in fulfilling the job to be done. There are too many ramifications to drill into specifically why the number of rules and defence do not correlate well in terms of efficiency and effectiveness; we cannot compare apples with oranges since all HIPS vendors wrote their own engines, unless we are saying the rules can be ported to each other easily (Snort rules??). There are also tons of ways to achieve the same rule, but each can be performance-impacting, and hence some split into different rule sets etc... Let the outcome be the judge...

> But do you think it is effective?

I suggest whitelisting, as the end user better knows what is allowed rather than what is not allowed, and the latter is growing, with major effort to keep up. A whitelist rightfully does not grow at that pace and is managed with more control and visibility. This is part of the governance and policy process enforced at enterprise level. I am not so sure about Lumension, but in the past, CoreTrace was one of the better ones in this domain. They were actually acquired by Lumension; the question to Lumension is how this is going to be embraced within the suite, and we wouldn't want to have a break in the different components not managed centrally. Operational fatigue is one key challenge to address.

Actually, Windows has AppLocker, which does not do too badly for whitelisting applications, and GPO to check on device control for USB and WPD. The HIPS rightfully should have some sort of this; as I shared, SEP has that...
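As an added illustration of the AppLocker whitelisting approach discussed in this answer (example added here; it is not code from the thread or from Trend Micro, Lumension or any other vendor): the script inventories a clean reference workstation, generates publisher and hash allow rules from that inventory, stages them in audit-only mode so that nothing is blocked yet, dry-runs a candidate binary against the staged policy, and finally reads the AppLocker audit events so the allow-list can be reviewed for gaps before it is enforced. The directory list, the policy path and the candidate file are placeholders chosen for this example; the cmdlets and event IDs are the standard Windows ones.

```powershell
# Added example (not part of the thread): build an AppLocker allow-list from a clean
# reference workstation, stage it in audit mode, and review what it would have blocked.
# Assumptions: run elevated on a freshly built reference machine; $ReferenceDirs,
# $PolicyPath and the candidate file below are placeholders chosen for this example.

$ReferenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$PolicyPath    = 'C:\Temp\applocker-baseline.xml'
$Candidate     = 'C:\Temp\untrusted-tool.exe'   # placeholder file to dry-run against the policy

# 1. Inventory the executables, DLLs, scripts and installers present on the reference build.
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate allow rules: publisher rules where a file is signed, hash rules otherwise.
#    -Optimize collapses many files from one publisher into a single rule, which keeps the
#    list small and manageable (the "does not grow at that pace" point above).
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Stage every rule collection in AuditOnly: rules log events but block nothing.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyPath)

# 4. Dry-run a candidate binary against the staged policy before applying it.
#    PolicyDecision shows Allowed/Denied and MatchingRule names the rule responsible.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Candidate -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply the policy locally (AppLocker only evaluates rules while the Application
#    Identity service is running). In a domain, deploy the same XML via GPO instead.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 6. Review audit events: 8003 = would have been blocked (audit), 8004 = blocked (enforced).
#    Anything legitimate showing up here needs a rule before switching to Enabled.
Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 50 -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} | Select-Object TimeCreated, Id, Message
```

Running the allow-list in audit mode first is the part that addresses the "operational fatigue" concern: the 8003 events tell you exactly which unlisted programs users actually run, so the whitelist can be completed from evidence rather than guesswork before EnforcementMode is switched to Enabled.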


Trendmicro IDF is recommended and cost effective.
