WHITE PAPER MARCH 1, 2002 TREND MICRO, INC.

10101 N. DE ANZA BLVD.


CUPERTINO, CA 95014
T 800.228.5651 / 408.257.1500
F 408.257.2003
WWW.TRENDMICRO.COM

Trend Micro Control Manager: Centralized Antivirus Management

TABLE OF CONTENTS

The Need For a Centrally Managed Antivirus Strategy

Managing Diverse Antivirus Scanners on the Network

Trend Micro’s Antivirus Defense

Containing a Virus Outbreak

Preventing Virus Outbreaks Through Central Management

Antivirus Software Update

Effective Antivirus Defense Is Impossible Without Central Management

About Trend Micro

March 1, 2002
Trend Micro, Inc.

©2002 by Trend Micro, Inc.


All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval
system, or transmitted without the prior written consent of the publisher. InterScan, eManager, Trend
VCS, Trend Micro Control Manager, ScanMail, ServerProtect, OfficeScan, MacroTrap, Active Update,
and SmartScan are trademarks or registered trademarks of Trend Micro, Inc. All other company and
product names are trademarks or registered trademarks of their respective owners.

THE NEED FOR A CENTRALLY MANAGED ANTIVIRUS STRATEGY

The complexity of modern computer networks has made the management of antivirus software
very challenging for IT administrators. When the first computer viruses emerged more than ten
years ago, the primary mode of transmission was via diskettes being swapped among different
computers. Viruses would spread slowly among computers within a company and to home
computers as employees exchanged infected diskettes. Computer virus infections were localized,
and sometimes took months to spread around the world. The infection rate was gradual.

As computers became more common in businesses and homes, and became connected via
email and Internet connections, virus writers started developing viruses that capitalized on the
connected architecture. More than 87% of computer viruses are spread via email [1] and many
are capable of sending confidential information through the Internet. In addition, today’s network
has several potential virus entry points that must be protected including: email, Internet, FTP
gateways, shared drives, network connections, and backup tapes. Compared to the computer
viruses of just five years ago, the infection rate of new computer viruses is extremely rapid.

[1] ICSA Labs Seventh Annual Computer Virus Prevalence Survey 2000.

PROTECTING THE MAJOR PARTS OF THE NETWORK


Trend Virus Control System (Trend VCS™) was the first management tool in the virus-control
industry to offer administrators complete control over all antivirus programs installed on the
local area network or wide area network. Trend Micro Control Manager further improves and
simplifies the administration of corporate virus control policy, and thereby offers lower overall
virus protection costs. Administrators are given the ability to configure, monitor, and maintain
the antivirus through a single console — across platforms — including:

• Internet gateways
• Email/groupware servers (Microsoft Exchange and Exchange 2000, Lotus Notes, etc.)
• File servers (Windows NT, Windows 2000, Novell NetWare)
• Workstations (DOS, Windows 3.1, Windows 95/98/ME/NT/2000)

MANAGING DIVERSE ANTIVIRUS SCANNERS ON THE NETWORK

Antivirus software requires relatively high levels of active management to ensure its successful
operation. Virus pattern files, scan engines, and program updates must be regularly deployed
to all of the antivirus installations on the network. Since the typical network contains many
different antivirus programs, the effort to do a network-wide update can be substantial. Once all
of the potential virus entry points on a network are protected with antivirus software, the
management challenge becomes how to regularly update many different antivirus scanners
successfully with a minimum of effort.

Fortunately, a centrally controlled antivirus system enables the management of diverse antivirus
software on your network simultaneously and from a single management console.

Management of all antivirus products running on the network must be coordinated to ensure
that all virus entry points are blocked and that virus outbreaks are stopped before they spread
and overwhelm your network resources. In addition, it is essential that you can verify that all
antivirus programs on the network are using the most recent antivirus pattern file, scan engine
and program version to detect the latest virus threats.

Antivirus software is only as effective as your latest antivirus pattern file. When using antivirus
software that is centrally managed, you can automatically download the latest antivirus pattern
file from your software vendor and then deploy it to all of the antivirus programs on your
network. In addition, a centrally controlled antivirus strategy shows the real-time status of the
pattern file versions that are being used throughout the network.

Central management provides real-time information about the status of your antivirus software.
You are able to see the status of all of your antivirus programs from a single web-based
management console.

TREND MICRO’S ANTIVIRUS DEFENSE

Protecting your network against computer viruses is analogous to protecting your office or factory
against burglars — fortify the perimeter to keep them out, and then implement systems to prevent
their spread if they penetrate your defenses. The four main virus entry points that need to be
protected with antivirus software using an up-to-date virus pattern file are the following:

• Internet gateways (SMTP, FTP, HTTP servers)
• Mail/groupware servers
• File servers
• Workstations

Trend Micro sells antivirus software that protects each of these resources.

UPDATE AND MANAGEMENT ISSUES WHEN DEALING WITH MULTIPLE ANTIVIRUS PROGRAMS
Diligent network administrators who install antivirus software on all of their network’s potential
virus entry points create a new challenge for themselves. How can you manage four separate
programs and antivirus systems to ensure that every program is using the most current virus
pattern file and scan engine? Since the scan engine, the core of all virus scanning programs,
is the same in all Trend Micro antivirus programs, they all use the same pattern file.

Trend Micro Control Manager is a web-based management console that is able to manage
several antivirus programs, simultaneously, via a browser. The Trend Micro Control Manager
interface replaces your antivirus program’s native interface. Administrators are able to view the
entire picture of their network’s antivirus security and formulate and enforce antivirus policy.
Trend Micro Control Manager provides the following features:

• Enables administrators to remotely and simultaneously configure, monitor, maintain, and deploy
Trend Micro antivirus and security software across the enterprise
• Offers flexible user management for job delegation and efficient use of security resources
• Records virus activity, system events, and status into a central database, enabling
administrators to identify weak points in the network and maintain up-to-date virus protection
• Improves utilization of network bandwidth through customizable software deployment plans
• Eliminates the need for platform-specific computer skills when administering the variety of
antivirus programs often found on the network
• Allows the automatic, single-point update of virus pattern files for all Trend Micro software
• Installs on an NT server in minutes, then deploys Agents that register every antivirus product
detected on the network
• Uses “push” technology for Agent installation, configuration changes, and virus pattern
updates, and represents the newest frontier in antivirus management
• Saves time and money in the administration of antivirus products – including most Trend Micro
and other antivirus products
• Three-tiered management model reduces network load
• Interactive and event-driven communication minimizes network traffic
• Allows administrators to enforce an enterprise-wide virus protection policy

TREND MICRO INTERSCAN VIRUSWALL® FOR SMTP, HTTP, AND FTP INTERNET SERVERS
The widespread deployment of Internet access in companies has created a new way for viruses
to penetrate your network. Viruses can hitch a ride on FTP file transfers or spread to
workstations when network users visit insecure sites. In addition, the web has created an entirely new
class of malicious web scripts, Java applets, and ActiveX controls.

InterScan VirusWall filters Internet traffic to keep viruses out of your network. Optional modules
help network administrators manage and monitor their employees’ web usage and browsing habits.

TREND MICRO SCANMAIL® FOR EXCHANGE/EXCHANGE 2000/LOTUS NOTES


Email is now ubiquitous in large and small organizations and on home computers. It’s the premier
communication and collaboration tool for knowledge workers. Unfortunately, it’s also the most
likely conduit for computer viruses to enter your network.

ScanMail prevents computer viruses from being propagated through your company’s email or
groupware servers. There are versions for Microsoft Exchange, Microsoft Exchange 2000, and
Lotus Notes. In addition to scanning incoming message attachments at the server to keep
messages out of user mailboxes, it continually scans message volume passing through the server
to prevent your network users from infecting others, either inside or outside your network, with
infected attachments.

TREND MICRO SERVERPROTECT® FOR FILE SERVERS


Network file servers can be a breeding ground for computer viruses. Workstation users might
copy a virus-infected file to a central server, thereby putting any other network user at risk
should they attempt to open or run the file. In addition, since file servers are frequently backed
up to tapes or other media for archive purposes, any virus-infected files that are backed up
pose a risk of re-infecting the network when the tapes are used to restore the server.

ServerProtect guards Windows NT and Novell NetWare servers, monitoring all file access activity
to prevent a virus from ever being copied to the server. It integrates with several
industry-leading backup and network management tools to keep your servers virus-free.

TREND MICRO OFFICESCAN CORPORATE EDITION FOR WINDOWS WORKSTATIONS


The human element of antivirus policy management becomes complex when you’re dealing
with hundreds or thousands of employees with varying degrees of knowledge about antivirus
and network security issues.

OfficeScan Corporate Edition is client/server antivirus protection. Client programs are deployed
to every workstation on the network to provide local scanning. The client programs are managed
by a central server via a management console. Administrators can deploy client software, monitor
antivirus status, update virus pattern files, and uninstall client software, all from a central point.

CONTAINING A VIRUS OUTBREAK

In order to prevent or contain a virus outbreak, the system administrator must do the following:

• Install and enable antivirus software on all of the potential virus entry points on the network.
These include workstations, file servers, email/groupware servers and conduits of Internet
traffic like SMTP, HTTP, or FTP servers.
• Update all of the antivirus products running on your network to catch the virus.
• Verify that all servers and desktops get the update.
• After preventing the spread of the virus, you must scan the entire network for residual viruses.
• Verify that all viruses are cleaned or deleted.
• Block the virus entry points on your network and warn the parties that are sending you viruses.
• Review what caused the virus outbreak and develop a strategy to stop these potential threats
in the future.

INSTALLING ANTIVIRUS SOFTWARE TO ALL VULNERABLE POINTS ON YOUR NETWORK


When formulating your company’s antivirus policy, you must analyze all of the virus entry points
on your network and then install the appropriate antivirus software. Remember that viruses
enter and spread through networks through four main points:

• Internet, i.e., SMTP, HTTP, FTP servers
• Email/groupware servers
• File servers
• Workstations

Companies must evaluate vulnerabilities and then choose the appropriate antivirus software.

UPDATE ALL ANTIVIRUS SOFTWARE ON YOUR NETWORK


Viruses are primarily detected through a process called pattern matching. This is done by
comparing the structure of a file being scanned with the structure of known viruses in a database called
the virus pattern file. In order to provide protection against the latest viruses, it is essential that all
of your antivirus scanning software uses the most recent version of the virus pattern file.

Antivirus scanning programs also use a component called the scan engine that must be
periodically updated to ensure protection against the latest viruses. Scan engines, however, do not
have to be updated as frequently as the virus pattern file.

VERIFY THAT ALL SERVERS AND DESKTOPS ARE UPDATED SUCCESSFULLY


After attempting to update all of the antivirus programs on your network, you must verify the
updates were deployed successfully. Network conditions and many other factors sometimes
prevent the successful deployment of software updates. For example, the antivirus software on
a notebook computer might not be updated when disconnected from the network. This poses
a security risk when the user returns to the network and logs on. A centrally managed antivirus
system will be able to provide the pattern file, scan engine and program version information
for all the antivirus programs running on all of the servers and workstations on your network.
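
The verification step described above can be sketched as follows. This is an added example, not Trend Micro code: the CSV status export, host names and version numbers are constructed, and the 24-hour silence threshold is an assumption. It compares each agent's pattern file, scan engine and program version numerically and also flags agents that have stopped reporting, such as the disconnected notebook.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed status export (hypothetical format and version numbers).
SAMPLE_REPORT = """\
host,role,pattern,engine,program,last_seen
gw-smtp-01,gateway,1.234.00,6.150,5.02,2002-03-01T09:55:00
mail-01,groupware,1.234.00,6.150,5.02,2002-03-01T09:58:00
fs-02,fileserver,1.99.00,6.150,5.02,2002-03-01T09:57:00
ws-114,workstation,1.234.00,5.600,5.02,2002-03-01T09:40:00
nb-007,notebook,1.230.00,6.150,5.02,2002-02-20T17:12:00
"""

# Versions the update was supposed to deliver (constructed values).
REQUIRED = {"pattern": "1.234.00", "engine": "6.150", "program": "5.02"}
NOW = datetime(2002, 3, 1, 10, 0, 0)


def parse_version(text):
    """'1.99.00' -> (1, 99, 0), so versions compare numerically.

    Compared as plain strings, '1.99.00' sorts after '1.234.00' and a stale
    pattern file would pass the check.
    """
    return tuple(int(part) for part in text.strip().split("."))


def audit(report, required, now, max_silence=timedelta(hours=24)):
    """Return {host: [reasons]} for every agent that cannot be shown current."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report)):
        reasons = [
            name for name in ("pattern", "engine", "program")
            if parse_version(row[name]) < parse_version(required[name])
        ]
        # An agent that has not reported recently is unverified, whatever
        # versions it last reported.
        if now - datetime.fromisoformat(row["last_seen"]) > max_silence:
            reasons.append("silent")
        if reasons:
            findings[row["host"]] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_REPORT, REQUIRED, NOW).items():
        print(f"{host}: {', '.join(reasons)}")
```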

SCAN THE ENTIRE NETWORK FOR RESIDUAL VIRUSES


Once the antivirus software on your network has been updated, you need to scan all of your
workstations and servers to clean or delete any virus-infected files. Viruses on hard drives can
lie dormant, only to re-infect when someone tries to open or run the host file. In addition, you
must guard against virus-infected files from being copied to tape drives or other backup media.
If backup media contains viruses, your network can be re-infected when the tape drives are
used to restore the network after a drive failure.

VERIFY THAT ALL VIRUSES ARE CLEANED


It is essential to perform a thorough manual scanning of all the workstations and servers on your
network after a virus outbreak. Don’t forget to scan the messages on your email server. You must
make sure that your network is completely virus-free to prevent the risk of re-infection. When
scanning is complete, view the antivirus program’s log file to ensure that any virus-infected
files were successfully cleaned. If the file could not be cleaned, double-check to ensure that it
was deleted, quarantined or renamed so that it no longer poses a threat to your network.

IMMEDIATELY BLOCK THE VIRUS SOURCE


Most antivirus products have comprehensive logging functions that keep a record of all virus
incidents on the network. Immediately after the virus outbreak is contained, the administrator
should analyze the virus source and ensure that it is no longer vulnerable to virus infection. For
example, if the antivirus program that detected a virus was on a file server, the log entry would
display the name of the user who tried to copy the file from their workstation to the server. You
would immediately want to scan the source workstation for virus-infected files and educate the
user about the virus threat.

For every virus incident in your antivirus program’s log files, ask yourself why the virus
infection happened. If you determine that any of the entry points to your company’s network are
unprotected, make sure that you install antivirus software in those areas and make sure that it
is functioning properly.
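
The log review described above, as an added example that is not part of the original paper: the pipe-delimited log format, host names, user names and virus names are all constructed. It lists files that were detected but never cleaned, deleted, quarantined or renamed, and counts distinct infected files per source user and workstation so the source can be rescanned.

```python
from collections import Counter

# Constructed consolidated log (hypothetical format):
# time|scanner|user|source_host|file|virus|action
SAMPLE_LOG = """\
2002-03-01 08:02|fs-02|jsmith|ws-114|budget.doc|SAMPLE_MACRO_A|cleaned
2002-03-01 08:05|fs-02|jsmith|ws-114|plan.xls|SAMPLE_MACRO_A|clean_failed
2002-03-01 08:05|fs-02|jsmith|ws-114|plan.xls|SAMPLE_MACRO_A|quarantined
2002-03-01 08:11|mail-01|akhan|ws-031|card.vbs|SAMPLE_SCRIPT_B|deleted
2002-03-01 08:20|fs-02|jsmith|ws-114|memo.doc|SAMPLE_MACRO_A|clean_failed
2002-03-01 08:31|ws-207|mlee|ws-207|setup.exe|SAMPLE_FILE_C|renamed
"""

FIELDS = ("time", "scanner", "user", "source", "file", "virus", "action")
# Outcomes the text accepts as "no longer poses a threat".
NEUTRALIZED = {"cleaned", "deleted", "quarantined", "renamed"}


def parse(text):
    """Split each non-empty log line into a dict keyed by FIELDS."""
    return [dict(zip(FIELDS, line.split("|")))
            for line in text.splitlines() if line.strip()]


def unresolved(entries):
    """Files with at least one detection and no neutralizing action.

    A failed clean followed by a quarantine counts as resolved; a failed
    clean with no follow-up action does not.
    """
    state = {}
    for entry in entries:
        key = (entry["scanner"], entry["file"])
        state[key] = state.get(key, False) or entry["action"] in NEUTRALIZED
    return sorted(key for key, done in state.items() if not done)


def incidents_by_source(entries):
    """Count distinct infected files per (user, source workstation)."""
    seen = {(e["user"], e["source"], e["scanner"], e["file"]) for e in entries}
    return Counter((user, source) for user, source, _, _ in seen)


if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    print("Still a threat:", unresolved(log))
    for (user, host), count in incidents_by_source(log).most_common():
        print(f"{user} on {host}: {count} infected file(s)")
```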

REVIEW THE VIRUS EVENTS AND CHANGE YOUR VIRUS POLICY


View the virus outbreak as a learning experience and fine-tune your company’s antivirus policy
to prevent similar occurrences in the future. Some suggestions:

• If the virus entered your network as an email attachment, you might want to consider banning
attachments of certain types. For example, the ILOVEYOU virus entered companies as a file
with a *.VBS file extension. Most companies would not have a legitimate need to exchange
files of this type, so it would be prudent to prohibit *.VBS attachments. Be careful, however,
not to make your antivirus policy so restrictive that it hampers your company’s operations. For
example, Word and Excel files are also common hosts for computer viruses but there is a
legitimate business need to exchange these types of files.
• Were a small number of employees responsible for a disproportionate number of your
company’s virus incidents? If so, more attention should be paid to what these employees are
doing, and they should be educated about the risks that computer viruses pose.
• Are all of your antivirus programs regularly being updated with the newest virus pattern and
scan engine files? Remember that your company’s antivirus is only as effective as your latest
pattern file. Regular updates are crucial in order to stay protected against the latest viruses.
• Antivirus software can only detect viruses after the fact. The administrator’s job is to analyze
the raw data from the antivirus scanner and make management decisions about how these
incidents can be eliminated in the future. Use the log files to formulate and fine-tune your
company’s antivirus policy.
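
The attachment rule from the first suggestion above, as an added example that is not part of the original paper and not how any Trend Micro product implements it: the message, addresses and attachment bytes are constructed. It parses a MIME message, takes each attachment's last extension case-insensitively after stripping trailing dots and spaces, blocks *.VBS, and delivers the Excel file.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The one extension the text proposes prohibiting. Word and Excel files stay
# deliverable because the business needs them.
BLOCKED_EXTENSIONS = {".vbs"}


def effective_extension(filename):
    """Return the extension Windows would act on, lower-cased.

    Only the last extension counts, so 'X.TXT.vbs' is a script, not text.
    Trailing dots and spaces are stripped first because Windows ignores them.
    """
    cleaned = filename.strip().rstrip(". ").lower()
    _, dot, tail = cleaned.rpartition(".")
    return "." + tail if dot else ""


def screen_message(raw_bytes):
    """Return [(filename, 'block' | 'deliver')] for every named MIME part."""
    message = message_from_bytes(raw_bytes, policy=policy.default)
    decisions = []
    for part in message.walk():          # walk() also reaches nested parts
        name = part.get_filename()
        if name is None:
            continue
        blocked = effective_extension(name) in BLOCKED_EXTENSIONS
        decisions.append((name, "block" if blocked else "deliver"))
    return decisions


def build_sample():
    """Constructed message; the attachment payloads are harmless placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("Constructed body text.")
    # First name is the double-extension attachment name ILOVEYOU used.
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "Q1-forecast.xls", "minutes.VBS."):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in screen_message(build_sample()):
        print(f"{verdict:8} {filename}")
```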

PREVENTING VIRUS OUTBREAKS THROUGH CENTRAL MANAGEMENT

Fast-spreading Internet-aware viruses like Melissa, ILOVEYOU, etc., pose a special challenge
to the antivirus administrator. In order to safeguard your network against them, you must get
real-time data from all of your antivirus scanners and ensure that every one is updated and
using the most recent virus pattern file.

The following are the benefits of a centrally managed antivirus system:

UPDATES ALL ANTIVIRUS SOFTWARE QUICKLY FROM A SINGLE POINT


Regular updates of the virus pattern file, and periodic updates of the scan engine are essential
to maintain the effectiveness of your antivirus software. If several antivirus programs are installed
on your network, a centrally managed antivirus system is able to update all of them
simultaneously. In addition, updates are performed in a manner that efficiently uses network bandwidth.
For example, the pattern file will be downloaded from the software vendor once, and then be
deployed throughout the network from a local network server. Multiple antivirus programs will
use the same pattern file to reduce the bandwidth overhead of pattern deployment.

Without a centrally managed antivirus system, every antivirus program must be
individually updated and managed. Tedious and time-consuming chores have a higher
probability of being neglected, thus putting your network at risk.

VIRUS PATTERN FILE AND COMPONENT INFORMATION AT A GLANCE


Since using a current virus pattern file and scan engine is essential to maintaining an
effective defense against the risk of virus infection, it’s important to be able to verify that all of your
antivirus programs are up to date. A centrally managed antivirus system enables you to see the
virus pattern and component information being used by all of the antivirus programs on your
network. You can immediately see whether your update was successful and view any programs
where the update was unsuccessful. This gives you the information to zero in on your network
resources that pose a potential security threat.

SCANS ALL OF YOUR NETWORK RESOURCES WITH A SINGLE COMMAND


It’s important to be able to scan all of the servers and workstations on your network to verify
that they are indeed virus-free. A centrally managed antivirus system enables you to scan your
network resources, remotely, from a central point using any of the antivirus programs installed
on your network. This enables the administrator to take action quickly once a virus outbreak
has been contained to prevent existing viruses on the network from re-infecting your company’s
computing resources.

Most antivirus programs also permit the scheduling of future scans. When this function is
available from the management console of a centrally managed antivirus system, the administrator
can schedule scans when network usage is at a minimum.

CONTINUAL MONITORING OF SERVERS AND WORKSTATIONS ON YOUR NETWORK


Antivirus software must be monitored so that any virus incidents are quickly dealt with. A typical
network, however, requires many antivirus software installations, to protect different resources
such as workstations, file servers, email servers, etc.

In order to make monitoring of your antivirus software easier, a centrally managed antivirus
system is required to view the status of your antivirus software in aggregate.

SHOWS VIRUS INFECTED NETWORK RESOURCES


Any virus incidents, regardless of where they might occur, will be shown in a management
console, complete with a comprehensive log that explains the nature of the incident. The logs
enable the administrator to combat the virus and modify the company’s antivirus policy to
prevent a similar infection in the future.

ANTIVIRUS SOFTWARE UPDATE

The following are some general guidelines to prevent virus outbreaks from affecting your
company’s operations.

REGULAR MAINTENANCE OF ANTIVIRUS SOFTWARE


Virus outbreaks are typically caused by new viruses that cannot yet be detected by the antivirus
software. This is the reason why they spread so quickly – despite the fact that the vast majority
of companies have installed antivirus software. Antivirus software companies continually monitor
the emergence of new viruses and typically update their virus pattern files within hours of the
detection of a new virus. It is important to download the most current virus pattern file, deploy
it to all the antivirus software on your network and verify that the update was successful.

A centrally managed antivirus system automates the process of updating antivirus software and
provides real-time information about the success of an update.

PROGRAM ISSUES MUST BE MONITORED


Antivirus software must be functioning properly in order to protect your network. A centrally
managed antivirus system provides real-time status information about your antivirus programs
on the network. This enables the administrator to fix software problems before a virus sneaks
through an unprotected entry point.

For example, most antivirus programs can be configured to only scan files with certain
extensions. If files that have the potential to harbor viruses are not being scanned, your network is
not being protected, even though the antivirus scanner may be enabled and running.
Administrators should check the configuration of their antivirus software to ensure that all risky
files are being scanned.

ANTIVIRUS COMPONENTS UPDATE FAILURE


Special attention must be paid to ensure that your antivirus scanning programs are using the most
current pattern file, scan engine and program version. Occasionally, an update fails to be deployed
successfully. It’s important that a system administrator be informed about an update failure.

A centrally managed antivirus system provides log information that shows the success or failure
of a pattern or program component update.

INTENTIONAL VIRUS ATTACKS FROM INSIDE AND OUTSIDE THE NETWORK


Antivirus software attempts to prevent viruses from entering a computer or network. However,
if a virus does enter the network due to software failure or an employee’s negligence, it’s
important that the virus is not allowed to spread unimpeded.

A centrally managed antivirus software system uses software installed on many different network
resources to catch viruses. For example, if a virus-infected email attachment reaches a user’s
inbox due to malfunctioning or outdated software on the email server, then antivirus software on
the workstation would detect the virus as soon as it was opened and halt the virus’s execution.

VIRUS OUTBREAKS
A centrally managed antivirus system must be able to prevent virus outbreaks from overwhelming
your network resources. The keys to guarding your company against virus outbreaks are:

• Rapid development and release of new virus pattern files by the antivirus vendor
• Ability to download the virus pattern file once and then deploy it to all antivirus products
throughout your network
• Comprehensive log information about the virus events on your network
• The ability to scan all of your network resources remotely and verify that no virus code remains
on your company’s servers and workstations

ANTIVIRUS POLICY MUST BE MODIFIED AND MONITORED


A centrally managed antivirus software system should be viewed as a tool to administer and
enforce your company’s antivirus policy. For example, your company’s antivirus policy might
include the following:

• Prevent specified types of file attachments from entering the network.
• Scan media left in drives before shutdown to prevent accidental booting from infected disks.
• If a user is detected attempting to copy a virus to a file server, the user’s log-on privileges to
the server should be suspended.

A centrally managed antivirus system should support you in enforcing these policies through
configuration of your antivirus software from a central point. In addition, the centrally managed
antivirus system should consolidate and present the settings from all of your antivirus programs.

EFFECTIVE ANTIVIRUS DEFENSE IS IMPOSSIBLE WITHOUT CENTRAL MANAGEMENT

In a large network, it’s impossible to effectively manage your antivirus software without a central
management control system. A centrally managed antivirus system gives you the following:

FAST AND EFFICIENT UPDATES


Fast updates are essential to stopping a virus outbreak. A centrally managed antivirus software
system enables you to download virus pattern files, scan engines and program updates as soon
as they are released by the antivirus software vendor. In addition, the updated files only have
to be downloaded via the Internet once because deployment of the files to the antivirus
programs on your network is performed from the saved copy on your network.

COMPREHENSIVE, UNIFIED LOG FILES GIVE YOU THE BIG PICTURE


Relevant, accurate information is essential for the fight against computer viruses. A centrally
managed antivirus system is able to combine all of the log entries from your network’s antivirus
software so that you can see your network’s complete antivirus status. You no longer have to
check separate programs on your file servers, mail servers and workstations, since everything
can be viewed from a single management console.

REAL-TIME STATUS OF YOUR NETWORK ANTIVIRUS


Many centrally managed antivirus systems are able to communicate using the HTTP protocol
so that the status of your network’s antivirus software is displayed in real time in the
management console. This gives the administrator a current snapshot of the network’s antivirus status
and informs them immediately of any virus incidents that might occur.

ABOUT TREND MICRO

Trend Micro provides centrally controlled server-based virus protection and content filtering
products and services. By protecting information that flows through Internet gateways, email
servers, and file servers, Trend Micro allows companies and service providers worldwide to
stop viruses and other malicious code from a central point before they ever reach the desktop.

Trend Micro’s corporate headquarters is located in Tokyo, Japan, with business units in North
and South America, Europe, Asia, and Australia. Trend Micro’s North American headquarters
is located in Cupertino, CA. Trend Micro’s products are sold directly and through a network of
corporate, value-added resellers and service providers. Evaluation copies of all of Trend Micro’s
products may be downloaded from its award-winning web site, http://www.trendmicro.com/.
