topic Re: Trendmicro application identified as "ssl" despite of proper SNI, CN, SAN. in General Topics

Trendmicro application identified as "ssl" despite of proper SNI, CN, SAN.

V.Sambath — Fri, 21 Nov 2025 06:54:11 GMT

We have the Trend Micro agent installed on the endpoints, and it is running smoothly. However, the application is still being identified as "ssl", even though the packet captures show the correct SNI value in the Client Hello. In the Server Hello, both the SAN and CN fields contain multiple wildcard entries ending with *.trendmicro.com.
The URL category is successfully identified as “Trendmicro.”

We filtered for the Server Hello packets and confirmed that the certificate includes the Common Name and SAN fields with multiple wildcard entries ending in *.trendmicro.com.

We are not opting for App Override or creating a custom application because the other firewalls are able to identify this traffic correctly even without decryption.

Re: Trendmicro application identified as "ssl" despite of proper SNI, CN, SAN.

JayGolf — Mon, 24 Nov 2025 23:27:17 GMT

Hi @V.Sambath ,

Do all endpoints behind this firewall experience the same misclassification or is it from a single client? Also, whatis the App-ID content version on the firewall vs. the other firewalls that identify it correctly?

Re: Trendmicro application identified as "ssl" despite of proper SNI, CN, SAN.

reaper — Tue, 25 Nov 2025 16:50:57 GMT

app-id does not solely rely on SNI to identify some applications which may be the case here. have you enabled ssl decryption so the content/payload can be identified by app-id?

Re: Trendmicro application identified as "ssl" despite of proper SNI, CN, SAN.

V.Sambath — Thu, 27 Nov 2025 10:56:27 GMT

Hello @JayGolf

- On all endpoints where Trend Micro is installed, the traffic is being detected only as “ssl"
- The PA firewalls have the latest content updates installed. When I mentioned “other firewalls,” I was referring to the Fortinet firewalls.

Re: Trendmicro application identified as "ssl" despite of proper SNI, CN, SAN.

V.Sambath — Thu, 27 Nov 2025 11:15:14 GMT

Hi @reaper

I am confident that enabling SSL decryption might help here. However, I also have Fortinet firewalls where the SSL Deep Inspection profile is not enabled, and those firewalls are still able to identify the application "trendmicro" without decryption. Since Trend Micro is a well-known application, I’m a bit surprised that PAs does not appear to have signatures for it.

Re: Trendmicro application identified as "ssl" despite of proper SNI, CN, SAN.

reaper — Mon, 08 Dec 2025 16:17:22 GMT

that's where a choice actually pops up:

since this is ssl encryoted traffic, there can't be a 'signature' to identify it and the only identifier is the SNI on the certificate

maybe forti chose to blanket all the traffic using the sni whereas palo identifies this as a web category but not necessarily an application

you can easily create a custom app for an SNI by the way

Re: Trendmicro application identified as "ssl" despite of proper SNI, CN, SAN.

V.Sambath — Thu, 26 Mar 2026 14:26:15 GMT

Palo alto incorporated the request and released a fix through the content updates.