Create policies

Policies allow collections of rules and configuration settings to be saved for easier assignment to multiple computers. You can use the Policy editor to create and edit policies that you can then apply to one or more computers. You can also use the Computer editor (which is very similar to the Policy editor) to apply settings to a specific computer, but the recommended method is to create specialized policies rather then edit the settings in the Computer editor.

You can automate policy creation and configuration using the Workload Security API. For examples, see Create and Configure Policies.

Create a new policy

1. Click Policies > New > New Policy.

2. Enter a name for the policy. If you want the new policy to inherit its settings from an existing policy, select a policy from the Inherit from list and click Next.

   For information on inheritance, see Policies, inheritance, and overrides.

3. Select whether you want to base this policy on an existing computer's configuration and then click Next.

4. If you selected Yes in step 3:

   1. Select a computer to use as the basis for the new policy and click Next.

   2. Specify which protection modules will be enabled for the new policy. If this policy is inheriting its settings from an existing policy, those settings will be reflected here. Click Next.

   3. On the next screen, select the properties that you want to carry into the new policy and click Next. Review the configuration and click Finish.

5. If you selected No in step 3, specify which protection modules will be enabled for the new policy. If this policy is inheriting its settings from an existing policy, those settings will be reflected here. Click Finish.

6. Click Close. Next, you can edit the settings for the policy, as described in Edit the settings for a policy or individual computer.

Alternative ways to create a policy

There are additional ways to create a policy.

Import policies from an XML file

You can download a default XML file to use in a policy:
Policy XML for Windows Desktop
Policy XML for macOS

You can import a policy from an XML file as follows:

1. Click New > Import From File.

   When importing policies, ensure that the system where you created the policies and the system that will receive them both have the latest security updates. If the system that is receiving the policies is running an older security update, it may not have some of the rules referenced in the policies from the up-to-date system. The import policy might update some default scan configurations or rules using the suggested default setting. Please check the import wizard for policy update information.

2. Click Choose File and select the XML file.

3. From Import under, select:

   • Base Policy if using macOS.
   • Windows if using Windows desktop.

4. Click Next.

5. Close the wizard.

Your new policy will match the settings from the XML file you selected.

Duplicate an existing policy

To duplicate an existing policy, from the Policies tab, right-click the existing policy that you want to duplicate and select Duplicate.

A duplicate of the policy will appear on the list.

Use hypersensitive mode

When Trend Cloud One Workload Security is integrated with Trend Vision One and hypersensitive mode is enabled on Trend Vision One as well as on Trend Cloud One Workload Security Activity Monitoring to provide enhanced threat detection, you can duplicate an existing policy to use this mode, assuming you perform the following:

• Navigate to Malware Scan Configurations and enable the Anti-Malware module, Behavior Monitoring configuration, as well as Predictive Machine Learning.
• Enable the Application Control, Log Inspection, and Intrusion Prevention modules within the policy.

Note that hypersensitive mode is currently supported only on Windows.

If you experience issues related to hypersensitive mode, contact Trend Micro Support for assistance.

Create a new policy based on the recommendation scan of a computer

You can create a new policy based on the recommendation scan as follows:

1. From the Computers tab, right-click a computer and select Actions > Scan for Recommendations.

2. When the scan is complete, return to the Policies tab and click New to open the New Policy wizard.

3. When prompted, choose to base the new policy on an existing computer's current configuration.

4. Select Recommended Application Types and Intrusion Prevention Rules, Recommended Integrity Monitoring Rules, and Recommended Log Inspection Rules from the computer's properties.

A new policy is created consisting only of recommended elements on the computer, regardless of which rules are currently assigned to that computer.

Edit the settings for a policy or individual computer

The Policies page shows your existing policies in their hierarchical tree structure. To edit the settings for a policy, select it and click Details to open the policy editor.

The following sections are available in the Computer or Policy editor:

• Overview (the Overview section of the policy editor and Overview section of the computer editor are different)

• Anti-Malware

• Web Reputation

• Device Control

• Firewall

• Intrusion Prevention

• Integrity Monitoring

• Log Inspection

• Application Control

• Interface Types

• Settings

• Overrides

Assign a policy to a computer

1. Go to Computers.

2. Select your computer from the Computers list, right click and choose Actions > Assign Policy.

3. Select the policy from the hierarchy tree and click OK.

The policy is sent when the next agent heartbeat occurs.

For more information on how child policies in a hierarchy tree can inherit or override the settings and rules of parent policies, see Policies, inheritance, and overrides.

After assigning a policy to a computer, you should still run periodic recommendation scans on your computer to make sure that all vulnerabilities on the computer are protected. See Manage and run recommendation scans for more information.

Disable automatic policy updates

By default, any changes to a security policy are automatically sent to the computers that use the policy. You can change this so automatic sending is disabled, and you must manually send the policy.

1. Open the Policy editor for the policy to configure.

2. Go to Settings > General > Send Policy Changes Immediately.

3. Next to Automatically send Policy changes to computers, select Yes to allow automatic sending of policy changes. To disable automatic sending, and only allow manually sending, select No.

4. Click Save to apply the changes.

Send policy changes manually

If you make a policy change and want to send the policy changes manually to a particular computer, follow these instructions:

1. Go to Computers.

2. Double-click your computer from the Computers list.

3. In the navigation pane, make sure Overview is selected.

4. In the main pane, click the Actions tab.

5. Under Policy, click Send Policy.

The policy is sent when the next agent heartbeat occurs.

Export a policy

To export a policy to an XML file, select a policy from the policies tree and click Export > Export Selected to XML (For Import).

When you export a selected policy to XML, any child policies that the policy may have are included in the exported package. The export package contains all the actual objects associated with the policy except: intrusion prevention rules, log inspection rules, integrity monitoring rules, and application types.