Update to Trend Vision One File Security Storage
Trend Vision One File Security protects your cloud storage and also includes features for protecting files in your CI/CD pipeline. File Security:
- Provides flexible deployment using Amazon Web Services (AWS) CloudFormation templates, a software development kit (SDK), a command line interface (CLI), or a service gateway.
- Triggers a scan automatically when someone uploads new files to, or changes existing files in, the cloud storage.
- Can be added to your CI/CD pipeline to detect malware before files are distributed to your production pipeline or storage.
- Can be used behind your firewall in either on-premises or cloud environments.
- Gives you flexibility by enabling workflow integration.
- Supports event-driven architectures.
- Applies machine learning through the SDK and Virtual Appliance to increase malware detection with expanded capabilities designed to detect novel threats.
- Is available in either credit-based or pay-as-you-go models.
1. Delete your AWS Organization deployment
Trend Vision One File Security does not currently support AWS Organization deployment. If you are using Organization deployment, you must delete the Trend Vision One Organization accounts and replace them with individual cloud accounts.
- In the AWS CloudFormation console, delete the AWS CloudFormation stack that the Organization deployment created.
- Go to the Trend Vision One Cloud Accounts app and delete the Trend Vision One CAM Organization accounts.
2. Update to Trend Vision One File Security
You now need to add your AWS accounts to File Security using the CloudFormation template.
- Open the Trend Vision One console.
- Go to Cloud Security > Cloud Accounts.
- Click AWS under the Inventory tab.
- Click Add Account.
- Select CloudFormation and click Single AWS Account.
- In the Account Name field, enter a name for the AWS account.
- You can add a Description of the account to help identify it.
- In the All Features list, scroll down and enable File Security Storage.
- Open the File Security Storage section.
- From the Deployment list, select at least one region. The File Security scanner is deployed in each region you select; buckets in a region without a scanner cannot be scanned until that region is added.
- In a new browser tab, log in to your AWS account.
- Go back to the Trend Vision One console and click Launch Stack.
Clicking Launch Stack opens the Quick Create Stack screen in your AWS account in the browser tab that you opened in the previous step. Before continuing, confirm in the CloudFormation console header that you are signed in to the intended AWS account and that the selected region matches the region you chose in the Deployment list.
- Scroll down to the File Storage Security section, and provide the following parameters:
- In the FileSecurityStorageKMSKeyARNsForBucketSSE field, provide a comma-separated list of ARNs of the KMS keys used for SSE-KMS encryption of objects in the buckets to be scanned. The scanner cannot decrypt an object encrypted with a key that is not listed here. Leave this field blank if you have not enabled SSE-KMS on the S3 buckets.
- In the FileSecurityStorageObjectCreatedEventFilter field, provide a JSON string containing the event pattern used to filter the object-created events that trigger a scan.
- In the FileSecurityStorageScannerEphemeralStorage field, provide the size, in MB, of the scanner Lambda function's temporary directory. Objects larger than this storage cannot be scanned.
- In the FileSecurityStorageQuarantineBucket field, enter the bucket to which malicious files are moved after scanning. By default this parameter is global, but you can set it per region, or combine a global bucket with per-region buckets. Leave this field blank to disable quarantining.
- In the FileStorageSecurityCleanBucket field, enter the bucket to which clean files are promoted after scanning. By default this parameter is global, but you can set it per region, or combine a global bucket with per-region buckets. Leave this field blank to disable promoting clean files. Use dedicated buckets for quarantine and promotion rather than a bucket that is itself being scanned: an object moved into a scanned bucket emits a new object-created event and is scanned again.
- In the FileSecurityStorageScanResultTagFormat field, enter the format of the scan-result tags that are applied to each scanned object.
- Scroll to the bottom of the Quick Create Stack screen, select the acknowledgment options, and click Create stack.
- In the Trend Vision One console, click Done.
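The following is an added example for the FileSecurityStorageObjectCreatedEventFilter parameter; it is not code from the Trend Micro page or product. It assumes the parameter takes a standard Amazon EventBridge event pattern that is matched against the S3 "Object Created" event (detail.bucket.name and detail.object.key), as the page's description of the field ("a JSON string of the event pattern") suggests. The bucket names and key prefix are constructed. The small matcher implements only the EventBridge rules the example uses (literal any-of lists, prefix, suffix) so you can check which uploads a candidate filter would send to the scanner before pasting it into the Quick Create Stack screen.

```python
"""Build and sanity-check an EventBridge event pattern for FileSecurityStorageObjectCreatedEventFilter.

Added example, not Trend Micro code. Assumption: the parameter is a standard EventBridge
event pattern matched against the S3 "Object Created" event. Bucket names and prefix are
constructed for illustration.
"""
import json

# Constructed filter: scan only objects under uploads/ in two ingest buckets.
EVENT_FILTER = {
    "detail": {
        "bucket": {"name": ["ingest-prod-eu", "ingest-prod-us"]},
        "object": {"key": [{"prefix": "uploads/"}]},
    }
}


def event_filter_parameter(pattern: dict = EVENT_FILTER) -> str:
    """Serialise the pattern as the single-line JSON string to paste into the parameter field."""
    return json.dumps(pattern, separators=(",", ":"))


def _value_matches(rule, value) -> bool:
    """Apply one EventBridge leaf rule: a literal, {"prefix": ...} or {"suffix": ...}."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "suffix" in rule:
            return isinstance(value, str) and value.endswith(rule["suffix"])
        raise ValueError(f"rule type not implemented in this example: {rule}")
    return rule == value


def matches(pattern: dict, event: dict) -> bool:
    """EventBridge semantics: every key in the pattern must exist in the event (AND across keys);
    a leaf array matches when at least one of its rules matches the event value (OR within a list).
    Event fields not mentioned in the pattern are ignored."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not matches(sub, event[key]):
                return False
        elif isinstance(sub, list):
            if not any(_value_matches(rule, event[key]) for rule in sub):
                return False
        else:
            raise ValueError("pattern leaves must be JSON arrays")
    return True


def s3_object_created_event(bucket: str, key: str) -> dict:
    """Constructed skeleton of the event S3 emits to EventBridge when bucket notifications are on."""
    return {
        "source": "aws.s3",
        "detail-type": "Object Created",
        "detail": {"bucket": {"name": bucket}, "object": {"key": key}, "reason": "PutObject"},
    }


def would_be_scanned(bucket: str, key: str, pattern: dict = EVENT_FILTER) -> bool:
    """True if an upload of `key` to `bucket` passes the filter and therefore reaches the scanner."""
    return matches(pattern, s3_object_created_event(bucket, key))


if __name__ == "__main__":
    print("Parameter value:", event_filter_parameter())
    for b, k in [("ingest-prod-eu", "uploads/report.pdf"),
                 ("ingest-prod-eu", "tmp/report.pdf"),
                 ("other-bucket", "uploads/report.pdf")]:
        print(f"{b}/{k}: scanned={would_be_scanned(b, k)}")
```

Anything the filter excludes is never scanned, so keep the pattern as broad as your cost and latency budget allows and test it against the key layouts of every bucket you intend to protect, not only the happy-path prefix.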
3. Disable the Cloud One File Storage Security EventBridge rule
Both scanners react to the same S3 object-created events. Disable the Cloud One rule so that the old scanner stops processing uploads while you verify the new deployment; the Cloud One stack itself is removed only after the verification in step 5.
Disable the rule with the prefix matching “
4. Enable EventBridge on the buckets
When you add a region to File Security Storage, the scanner is automatically deployed in that region. However, you must turn on EventBridge notifications for each bucket so that its object-created events are delivered to EventBridge, where the scanner's rule picks them up. File Security can scan a bucket only when its Status is EventBridge on; it cannot scan a bucket whose Status is EventBridge off or Scanner is not deployed.
- In Trend Vision One, go to Cloud Security > File Security > Inventory, and select the account.
- Select the region.
- Select the buckets in which you want to enable EventBridge.
- From the Change Status list, select Turn on EventBridge.
- Verify the selected buckets.
- Select Turn On EventBridge.
The Status changes to EventBridge on and the indicator circle turns green. To confirm the bucket setting outside the console, run `aws s3api get-bucket-notification-configuration --bucket <bucket>`; EventBridge delivery is on when the output contains an `EventBridgeConfiguration` element.
5. Test upload sample files into protected S3 buckets
Run the test by uploading one EICAR test file and one clean file to a protected bucket.
- Verify that the scan result is tagged correctly on each S3 object:
clean file:
{ "fss-scan-detail-code": 0, "fss-scan-date": "YYYY/MM/DD hh:mm:ss", "fss-scan-result": "no issues found", "fss-scan-detail-message": "-", "fss-scanned": true }
malicious file (EICAR):
{ "fss-scan-detail-code": 0, "fss-scan-date": "YYYY/MM/DD hh:mm:ss", "fss-scan-result": "malicious", "fss-scan-detail-message": "-", "fss-scanned": true }
If you configured FileSecurityStorageQuarantineBucket, the EICAR object is moved there, so inspect the copy in the quarantine bucket. An object with no fss-scanned tag was never scanned; check the bucket's EventBridge status and that a scanner is deployed in its region.
- Verify that the scan results are successfully sent to Trend Vision One File Security:
- The AWS accounts and S3 buckets are displayed on the Inventory tab.
- The scan statistics and detection are displayed on the Scan Activity tab.
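The following is an added example for this verification step; it is not Trend Micro code. It reads the tags the page lists (fss-scanned, fss-scan-date, fss-scan-result, fss-scan-detail-code, fss-scan-detail-message) in the shape the S3 GetObjectTagging API returns them (a TagSet list of {"Key", "Value"} pairs, with every value a string) and decides, for each test object, whether it was scanned and classified as expected. The object keys and the tag sets embedded below are constructed to mirror the page's expected results; the only live AWS call, in fetch_tag_sets, uses the real boto3 get_object_tagging method and is not exercised offline. The EICAR sample itself is the standard test file from eicar.org and is not embedded here.

```python
"""Evaluate File Security scan-result tags on test uploads.

Added example, not Trend Micro code. Tag names are those shown on the page; the test keys,
sample TagSets and detail code used for the error case are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed test plan: object key -> expected fss-scan-result.
EXPECTED = {
    "fss-test/clean.txt": "no issues found",
    "fss-test/eicar.com": "malicious",
}


@dataclass
class ScanOutcome:
    key: str
    status: str   # "ok", "not-scanned", "scan-error" or "unexpected-result"
    detail: str


def tagset_to_dict(tag_set: list[dict]) -> dict[str, str]:
    """Flatten S3's [{"Key": k, "Value": v}, ...] into a plain dict."""
    return {t["Key"]: t["Value"] for t in tag_set}


def evaluate(key: str, tag_set: list[dict], expected_result: str) -> ScanOutcome:
    tags = tagset_to_dict(tag_set)
    # No fss-scanned tag: the object-created event never reached the scanner. On the page this
    # corresponds to a bucket whose Status is "EventBridge off" or "Scanner is not deployed".
    if tags.get("fss-scanned", "").lower() != "true":
        return ScanOutcome(key, "not-scanned",
                           "no fss-scanned=true tag; check EventBridge status and scanner region")
    # A non-zero detail code means the scanner ran but did not complete; the message carries the reason.
    if tags.get("fss-scan-detail-code", "0") != "0":
        return ScanOutcome(key, "scan-error",
                           f"{tags['fss-scan-detail-code']}: {tags.get('fss-scan-detail-message', '-')}")
    result = tags.get("fss-scan-result")
    if result != expected_result:
        return ScanOutcome(key, "unexpected-result", f"got {result!r}, expected {expected_result!r}")
    return ScanOutcome(key, "ok", f"{result} at {tags.get('fss-scan-date', '?')}")


def evaluate_all(tag_sets: dict[str, list[dict]], expected: dict[str, str] = EXPECTED) -> list[ScanOutcome]:
    """Evaluate every planned test object; a key missing from tag_sets counts as not scanned."""
    return [evaluate(k, tag_sets.get(k, []), exp) for k, exp in expected.items()]


def fetch_tag_sets(bucket: str, keys) -> dict[str, list[dict]]:
    """Live variant: pull TagSets with boto3 (S3.Client.get_object_tagging). Not run in the offline demo."""
    import boto3  # imported lazily so the offline part of this example needs no AWS SDK installed
    s3 = boto3.client("s3")
    return {k: s3.get_object_tagging(Bucket=bucket, Key=k)["TagSet"] for k in keys}


# Constructed TagSets mirroring the tags the page shows for a clean file and for the EICAR file.
SAMPLE_TAG_SETS = {
    "fss-test/clean.txt": [
        {"Key": "fss-scanned", "Value": "true"},
        {"Key": "fss-scan-date", "Value": "2024/05/01 10:15:00"},
        {"Key": "fss-scan-result", "Value": "no issues found"},
        {"Key": "fss-scan-detail-code", "Value": "0"},
        {"Key": "fss-scan-detail-message", "Value": "-"},
    ],
    "fss-test/eicar.com": [
        {"Key": "fss-scanned", "Value": "true"},
        {"Key": "fss-scan-date", "Value": "2024/05/01 10:15:02"},
        {"Key": "fss-scan-result", "Value": "malicious"},
        {"Key": "fss-scan-detail-code", "Value": "0"},
        {"Key": "fss-scan-detail-message", "Value": "-"},
    ],
}

if __name__ == "__main__":
    for outcome in evaluate_all(SAMPLE_TAG_SETS):
        print(f"{outcome.key}: {outcome.status} ({outcome.detail})")
    # An object that was uploaded but carries no tags at all:
    print(evaluate("fss-test/untagged.bin", [], "no issues found"))
```

Treat "not-scanned" as a deployment problem rather than a detection result: the upload happened but no scanner consumed the event, so the bucket is effectively unprotected until its EventBridge status and scanner region are fixed.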
Once both test files are tagged as expected and the results appear in Trend Vision One File Security, remove the Cloud One File Storage Security stack.