Endpoint Security (EPS)

Resources that you provision in your AMS Advanced environment automatically include the installation of an endpoint security (EPS) monitoring client. This process ensures that the AMS Advanced-managed resources are monitored and supported 24x7. In addition, AMS Advanced monitors all agent activity, and an incident is created if any security event is detected.

Note

Security incidents are handled as incidents; for more information, see Incident response.

Endpoint security provides anti-malware protection, specifically, the following actions are supported:

• EC2 instances register with EPS

• EC2 instances deregister from EPS

• EC2 instances real-time anti-malware protection

• EPS agent-initiated heartbeat

• EPS restore quarantined file

• EPS event notification

• EPS reporting

AMS Advanced uses Trend Micro for endpoint security (EPS). These are the default EPS settings. To learn more about Trend Micro, see the Trend Micro Deep Security Help Center; note that non-Amazon links may change without notice to us.

AMS Advanced Multi-Account Landing Zone (MALZ) default settings are described in the following sections; for non-default AMS multi-account landing zone EPS settings, see AMS Advanced Multi-Account Landing Zone EPS non-default settings.

Note

You can bring your own EPS, see AMS bring your own EPS.

General EPS settings

Endpoint security general network settings.

EPS defaults
Setting	Default
Firewall Ports (Instances’ Security Group)	EPS Deep Security Manager agents (DSMs) must have port 4120 open for the Agent/Relay to Manager communication, and port 4119 for the Manager Console. EPS Relays must have port 4122 open for the Manager/Agent to Relay communication. No specific ports should be open for customer instance inbound communication because agents initiate all requests.
Communication Direction	Agent/Appliance Initiated
Heartbeat Interval	Ten minutes
Number of missed heartbeats before an alert	Two
Maximum allowed drift (difference) between server times	Unlimited
Raise offline errors for inactive (registered, but not online) virtual machines	No
Default policy	Base policy (described next)
Activation of multiple computers with the same host name	Is allowed
Alerts for pending updates are raised	After seven days
Update source	Trend Micro Update Server (https://ipv6-iaus.trendmicro.com/iau_server.dll/)
Event or log data deletion	Events and logs are deleted from the DSM database after seven days.
Agent software versions are held	Up to five
Most recent rule updates are held	Up to ten
Logs storage	By default, log files are stored securely in Amazon S3, but you can also archive them to Amazon Glacier to help meet audit and compliance requirements.

Base policy

Endpoint security base policy default settings.

EPS base policy
Setting	Default
Enabled Modules	Anti-Malware
Disabled Modules	Web Reputation
	Firewall
	Intrusion Protection
	Integrity Monitoring
	Log Inspection
	Application Control

Anti-malware

Endpoint security anti-malware settings.

EPS anti-malware defaults
Setting	Default	Notes
Real-Time Scan	Scan everything	Quarantine all suspected viruses. Enable IntelliTrap and spyware/grayware protection. Spyware and Grayware trigger Anti-Malware and result in a quarantine of the item.
	Every Day/All Day (24 hours)
Manual Scan	Scan everything	Must be requested, then follows default real-time scan configuration.
Scheduled Scan	Scan everything	Set for the last Sunday of every month, 6am.
Smart Protection	Disabled	N/A
Quarantined Files	Trend Micro Deep Security Manager (DSM)	Appx 1GB of disk reserved for quarantine.
Scan Limitation	Trend Micro DSM	Scan files of all sizes.
Allowed Spyware or Grayware	None	N/A
Local Event Notification	Yes	N/A