
Trend Micro OfficeScan 10.6
TCSP/TCSE Training Course
Student Textbook

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Portions of this manual have been reprinted from the Trend Micro OfficeScan 10.5 Installation and Upgrade Guide, copyright 1998-2010, Trend Micro, Inc.; Trend Micro OfficeScan 10.5 Administrators Guide, copyright 1998-2010, Trend Micro, Inc.; and the Trend Micro Smart Scan for OfficeScan Getting Started Guide, copyright 2009-2010, Trend Micro, Inc. Copyright 1998-2011 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. Trend Micro, the Trend Micro t-ball logo, TrendLabs, and OfficeScan are trademarks or registered trademarks of Trend Micro, Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations. Program Manager: Tom Brandon Editorial: Alexander Sverdovskva Released: August 2010 v3.61

2011 Trend Micro Inc.

Administrator Track

Table of Contents
Chapter 1: Trend Micro OfficeScan Course Overview ... 11
1.1 > Course Objectives ... 11
1.2 > Target Audience and Prerequisites ... 12
1.3 > How to Use This Material ... 12
Chapter 2: OfficeScan Endpoint Security for Clients and Servers ... 13
2.1 > What Does Network Security Require? ... 14
2.1.1 What Is Your Role in a Comprehensive Security Strategy? ... 14
2.1.2 Targeted Access Points and Typical Vulnerabilities ... 14
2.2 > Stopping Costly and Rapidly Evolving Malware Threats ... 16
2.2.1 The Cost of Malware Attacks Is Rising ... 17
2.2.2 Attacks Are So Common, Some Have Stopped Counting ... 18
2.2.3 Exploitable Vulnerabilities Continue to Be Discovered ... 18
2.2.4 Creativity Expands the Variety of Exploits ... 18
2.2.5 Widespread Use of HTTP Opens the Door to Web Threats ... 19
2.2.6 Mobile Computing Introduces New Challenges ... 19
2.2.7 Lack of Policy Enforcement Leads to Vulnerability ... 20
2.2.8 Protection from Zero-day Exploits Requires Rapid Response ... 20
2.3 > OfficeScan Features & Benefits ... 20
2.4 > OfficeScan Centralized Management ... 21
2.4.1 Web-Based Management Console ... 21
2.4.2 Vulnerability Scanner ... 22
2.4.3 Configurable and Scalable Update Management ... 22
2.4.4 Configurable Event and Outbreak Notifications ... 24
2.4.5 Server Quarantine Folder ... 24
2.4.6 Comprehensive Logging ... 24
2.4.7 Database Backup Integration ... 24
2.4.8 Local and Remote Server Installation ... 25
2.4.9 Trend Micro Control Manager Integration ... 25
2.4.10 Integration with Cisco NAC ... 25
2.5 > Advanced OfficeScan Client Functionality ... 26
2.5.1 Comprehensive Detection, Prevention, Removal and Quarantine ... 26
2.5.2 Support for Multiple Platforms and Use Models ... 28
2.5.3 Multiple Client Deployment Options ... 29
2.5.4 OfficeScan Client Firewall ... 30
2.6 > Trend Micro Advanced Security Technologies ... 30
2.6.1 Trend Micro IntelliScan ... 30
2.6.2 SSL Support ... 30
2.6.3 MD5 Message Authentication ... 31
2.6.4 Damage Cleanup Services ... 31
2.6.5 IntelliTrap ... 31
2.6.6 Scan-action Enhancement ... 31
2.7 > New in OfficeScan 10 ... 32
2.7.1 Smart Scan ... 32


2.7.2 Active Directory Integration ... 32
2.7.3 Role-based Administration ... 32
2.7.4 Device Control ... 32
2.7.5 Expanded Platform Support ... 33
2.7.6 Additional Product Enhancements ... 33
2.8 > New in Service Pack 1 for OfficeScan 10 ... 33
2.8.1 Smart Feedback ... 33
2.8.2 Behavior Monitoring ... 34
2.8.3 Enhancements to Existing Capabilities ... 34
2.9 > New in OfficeScan 10.6 ... 36
2.10 > Chapter Summary and Review Questions ... 38

Chapter 3: OfficeScan Application Architecture ... 39
3.1 > Architectural Components and Design Features ... 40
3.2 > OfficeScan Server Architecture ... 41
3.2.1 Web Server ... 42
3.2.2 Console and Client CGIs ... 43
3.2.3 OfficeScan Master Service ... 43
3.2.4 Database Server Service ... 43
3.2.5 Database ... 44
3.2.6 Control Manager Agent ... 44
3.2.7 ActiveUpdate Server ... 44
3.3 > Smart Scan Server Architecture ... 45
3.4 > Client-software Architecture ... 46
3.4.1 OfficeScan Client Console ... 46
3.4.2 Threat Detection and Response Components ... 47
3.4.3 Client Application Services and Program Data ... 49
3.4.4 Protection for Client Installation Files and Running Services ... 50
3.4.5 The Trend Micro Antivirus Scan Engine ... 51
3.4.6 The Virus Pattern File ... 52
3.4.7 Anti-Spyware Engine ... 52
3.4.8 OfficeScan Proxy Service and Web Reputation Services ... 53
3.4.9 The Damage Cleanup Services ... 53
3.4.10 The Common Firewall Driver ... 54
3.4.11 The Network Virus Pattern File ... 55
3.4.12 Client-Server Communication ... 55
3.4.13 Normal and Roaming Client Operation Modes ... 55
3.4.14 Update Agents ... 58
3.4.15 Cache Files for Scans ... 59
3.5 > Chapter Summary and Review Questions ... 62
Chapter 4: OfficeScan Server Installation ... 63
4.1 > Deployment Planning ... 64
4.1.1 Identify Potential Impact on Network Traffic ... 64
4.1.2 Consider Smart Scan Server Options ... 66
4.1.3 Determine the Number of Clients and Plan Update Agents ... 67
4.1.4 Verify Target Server(s) Meet Minimum System Requirements ... 68
4.1.5 Evaluate Your Actual System Requirements ... 69
4.1.6 Determine Whether You Need to Install a Dedicated Server ... 70


4.1.7 Select a Network Location for Your OfficeScan Server(s) ... 70
4.1.8 Verify that Clients Meet the Minimum System Requirements ... 70
4.1.9 Plan the Placement of Client Program Files ... 71
4.1.10 Determine the Number of Domains ... 71
4.1.11 Decide How to Deploy the Clients ... 72
4.1.12 Configure VPN Clients ... 72
4.2 > Installing the OfficeScan Server Software ... 73
4.2.1 Installation Procedures ... 73
4.3 > Performing a Silent Installation ... 91
4.3.1 Creating the Response File ... 91
4.3.2 Running Silent Installation ... 91
4.4 > Verifying the Installation ... 92
4.5 > Chapter Summary and Review Questions ... 94

Chapter 5: OfficeScan Management Console ... 95
5.1 > Using the OfficeScan Management Console ... 96
5.1.1 Launching the Management Console ... 96
5.1.2 Navigating the Management Console ... 97
5.1.3 Understanding the Client Tree ... 98
5.2 > The Summary Page ... 99
5.2.1 Product License Status (Activated Services Summary) ... 100
5.2.2 Networked Computers Summary ... 100
5.2.3 Outbreak Status Summary ... 102
5.2.4 Update Status for Networked Computers Summary ... 102
5.3 > Security Compliance ... 102
5.3.1 Compliance Reports ... 102
5.3.2 Scheduling Compliance Reports ... 107
5.3.3 Security Compliance Reporting for Clients Outside of OfficeScan-Server Management ... 108
5.4 > Smart Protection Server Settings ... 116
5.4.1 Configuring Smart Protection Lookup Sources ... 117
5.4.2 Configuring the Integrated Smart Protection Server ... 121
5.4.3 Configuring Smart Feedback Options ... 122
5.5 > Client Management ... 124
5.5.1 Client Grouping ... 124
5.5.2 The Client Management Toolbar ... 131
5.5.3 Client Status Information ... 132
5.5.4 Client Search Functions ... 135
5.5.5 Client Management Tasks ... 136
5.5.6 Client Management Settings ... 139
5.5.7 Update Agent Settings ... 149
5.5.8 Client Privileges and Other Settings ... 150
5.5.9 Enable/Disable Unauthorized Change Prevention and/or Firewall Services ... 154
5.5.10 Web Reputation Services Settings ... 154
5.5.11 Behavior Monitoring ... 160
5.5.12 Device Control ... 163
5.5.13 Spyware/Grayware Approved List ... 167
5.5.14 Export/Import Settings ... 168


5.5.15 Client Management: Logs ... 168
5.5.16 Client Management: Managing the Client Tree ... 169
5.5.17 Client Management: Export Data ... 171
5.6 > Global Client Settings ... 172
5.7 > Computer Location ... 179
5.8 > Firewall Policies and Profiles Configuration ... 180
5.9 > OfficeScan Client Installation Options ... 180
5.10 > Client Connection Verification ... 181
5.11 > Outbreak Prevention ... 182
5.11.1 Blocking Shared Folders ... 183
5.11.2 Blocking Ports ... 184
5.11.3 Denying Write Access to Files and Folders ... 186
5.11.4 Activating the Outbreak Prevention Policy ... 187
5.11.5 Restoring Network Settings to Normal ... 187
5.12 > Notifications and Event Monitoring ... 187
5.12.1 Administrator Notifications ... 188
5.12.2 Client User Notifications ... 193
5.13 > Administration Settings ... 194
5.13.1 Creating Users and Assigning Roles ... 194
5.13.2 Active Directory Settings ... 202
5.13.3 Proxy Settings ... 204
5.13.4 Connection Settings ... 205
5.13.5 Inactive Clients ... 206
5.13.6 Quarantine Manager ... 206
5.13.7 Product License ... 207
5.13.8 Control Manager Settings ... 208
5.13.9 Web Console Settings ... 211
5.13.10 Database Backup ... 211
5.14 > Plug-in Manager ... 212
5.14.1 Plug-in Program Installation ... 214
5.14.2 Plug-in Program Management ... 215
5.14.3 Troubleshooting the Download of a Plug-in ... 216
5.15 > Chapter Summary and Review Questions ... 217

Chapter 6: Client Software Deployment ... 219
6.1 > Minimum Requirements for Client Software ... 220
6.2 > Deployment Options for OfficeScan Client Software ... 222
6.2.1 Deploy Client Software Via Browser-based Installation ... 223
6.2.2 Deploy Client Software Using Remote Install ... 225
6.2.3 Deploy Client Software Using Login Script Setup ... 226
6.2.4 Deploy Client Software Using the Client Packager Tool ... 228
6.2.5 Deploy Using the Image Setup Tool ... 234
6.2.6 Deploy Using the Vulnerability Scanner Tool ... 235
6.2.7 Deploy Through Security Compliance ... 236
6.2.8 Windows Server Core 2008 Support ... 237
6.3 > Verifying the OfficeScan Client Installation ... 238
6.3.1 Check Files, Services, Processes, and Registry Keys ... 239
6.3.2 Check the Installation Log ... 239


6.3.3 Verify the Client Status Icon Appears in the System Tray ... 240
6.3.4 Verify the Client Installation Using Vulnerability Scanner ... 240
6.4 > Post-Installation Considerations for Servers and x64 Desktop Platforms ... 241
6.5 > Chapter Summary and Review Questions ... 243

Chapter 7: Updates ... 245
7.1 > OfficeScan Update Architecture ... 246
7.1.1 Updatable Components ... 246
7.1.2 Component Duplication for OfficeScan Updates ... 249
7.2 > Smart Scan Update Infrastructure ... 250
7.3 > Conventional OfficeScan Update Infrastructure ... 251
7.3.1 Update Priority ... 252
7.4 > Viewing Update Information ... 253
7.5 > Configuring Server Updates ... 253
7.5.1 Configuring Scheduled Updates ... 254
7.5.2 Updating the Server Manually ... 255
7.5.3 Specifying Custom Server-Update Sources ... 256
7.6 > Deploying Updates to Clients ... 256
7.6.1 Creating an Update Agent ... 256
7.6.2 Configuring Automated Client Updates ... 257
7.6.3 Manually Deploying Updates ... 258
7.6.4 Configuring the Update Source ... 259
7.6.5 Update Source Priority ... 260
7.7 > Rolling Back an Update ... 261
7.8 > Chapter Summary and Review Questions ... 263
Chapter 8: OfficeScan Client User Interface ... 265
8.1 > Unlocking the Capabilities of the Client Console ... 266
8.1.1 Loading/Unloading the OfficeScan Client ... 266
8.1.2 Launching the Client Console ... 267
8.2 > Client-Configurable Scan Settings ... 267
8.3 > Manual Scan Settings ... 268
8.3.1 Configuring Manual Virus Scan Settings ... 268
8.3.2 Manual Spyware/Grayware Scanning Options ... 270
8.4 > Real-Time Scan Settings ... 270
8.4.1 Specifying When in Real-time to Scan Files ... 270
8.4.2 Specifying Files to Scan for Real-time Scanning ... 271
8.4.3 Specifying Actions to Take Against Threats ... 271
8.4.4 Real-time Virus-Scan Target Settings ... 272
8.4.5 Real-time Spyware/Grayware Scan Action Options ... 272
8.5 > Scheduled Scan Settings ... 272
8.6 > Drag-and-Drop Scanning ... 274
8.7 > The Client Console Tabs ... 275
8.7.1 The Manual Scan Tab ... 275
8.7.2 The Manual Scan Results Tab ... 276
8.7.3 The Firewall Tab ... 277
8.7.4 The Mail Scan Tab ... 279
8.7.5 The Behavior Monitoring Tab ... 281
8.7.6 The Logs Tab ... 282

8.7.7 The Toolbox Tab ... 283
8.7.8 Client Plug-in Manager ... 283
8.8 > Performing Updates on the Client ... 284
8.9 > OfficeScan Client Real-Time Monitor ... 284
8.10 > Proxy Settings ... 285
8.11 > Chapter Summary and Review Questions ... 286

Chapter 9: OfficeScan Firewall ... 287
9.1 > Client Firewall Overview ... 288
9.2 > Firewall Architecture ... 288
9.2.1 Personal Firewall Module ... 289
9.2.2 Common Firewall Module ... 289
9.2.3 Dataflow ... 292
9.3 > Configuring the OfficeScan Firewall ... 293
9.3.1 Configuring Firewall Policies ... 293
9.3.2 Firewall Profiles ... 299
9.3.3 Firewall Outbreak Monitor ... 302
9.4 > Firewall Logs ... 303
9.5 > Chapter Summary and Review Questions ... 304
Chapter 10: OfficeScan Tools ... 307
10.1 > Overview of OfficeScan Tools ... 308
10.2 > Vulnerability Scanner ... 310
10.2.1 Launching the Vulnerability Scanner ... 310
10.2.2 Configuring the Settings for Vulnerability Scanner ... 311
10.2.3 Starting a Scan ... 314
10.2.4 Running a DHCP Scan ... 314
10.2.5 Scheduling Scans ... 314
10.2.6 Modifying the TMVS.ini File ... 315
10.2.7 Running the Vulnerability Scanner in Silent Mode ... 316
10.3 > Server Tuner Tool ... 317
10.4 > Gateway Settings Importer Tool ... 318
10.5 > Restore Encrypted Virus Tool ... 319
10.6 > Client Mover I ... 321
10.7 > Touch Tool ... 322
10.8 > ServerProtect Normal Server Migration Tool ... 322
10.8.1 Target Computer Search ... 325
10.8.2 Logon Information ... 325
10.8.3 ServerProtect Normal Server List ... 325
10.9 > Scheduled Update Configuration Tool ... 326
10.10 > Chapter Summary and Review Questions ... 327
Chapter 11: Logs ... 329
11.1 > Overview of OfficeScan Logs ... 330
11.1.1 Uploading Virus Logs from the Client to the Server ... 331
11.1.2 Virus Logs ... 331
11.1.3 Update Logs ... 333
11.1.4 System Event Logs ... 334
11.1.5 Connection Verification Logs ... 335


11.1.6 OfficeScan Firewall Logs ... 335
11.1.7 Behavior Monitoring Logs ... 336
11.1.8 Device Control Logs ... 337
11.1.9 Saving Logs as Files ... 338
11.2 > Log Maintenance ... 338
11.3 > Chapter Summary and Review Questions ... 340

Chapter 12: Troubleshooting ... 341
12.1 > Troubleshooting Common Problems ... 342
12.1.1 Server Installation Error ... 342
12.1.2 Recover a Corrupt Database ... 342
12.1.3 Client Errors ... 342
12.1.4 Upgrade Issues ... 343
12.1.5 Console Issues ... 344
12.2 > Case Diagnostic Tool (CDT) ... 346
12.2.1 Using the CDT ... 347
12.3 > Manually Enabling Debug Mode ... 350
12.3.1 Enabling Debug Mode on OfficeScan Servers ... 350
12.3.2 Enabling Debug Mode on OfficeScan Clients ... 351
12.3.3 Enabling Debug Mode for the Vulnerability Scanner ... 352
12.3.4 Enabling Debug Mode for DCS ... 352
12.3.5 Special Log ... 353
12.3.6 Installation Debug ... 353
12.3.7 Policy Server Debug ... 353
12.3.8 CTA Debug ... 353
12.3.9 Posture Plug-In Debug ... 354
12.3.10 Additional Files to Collect for Technical Support ... 354
12.3.11 Control Manager Agent Debug ... 354
12.4 > Viewing Dr. Watson Logs ... 355
12.5 > Problems with Updates ... 355
12.6 > Problems with CPU Utilization ... 356
12.7 > Escalating Problems to Trend Micro Support ... 357
12.8 > Trend Micro Support Contacts ... 358
Appendix A: Notification Tokens ... 359
Appendix B: Managing Data Protection and Using Digital Asset Control ... 360
B.1 > Data Protection Installation ... 360
B.2 > Data Protection License ... 361
B.3 > Deploying Data Protection to Clients ... 363
B.4 > Digital Asset Templates ... 376
B.5 > Digital Asset Control Channels ... 379
B.6 > Digital Asset Control Actions ... 383
B.7 > Digital Asset Control Exceptions ... 385
B.8 > Creating Digital Asset Control Policies ... 386
B.9 > Digital Asset Control Widgets ... 392
B.10 > Digital Asset Control Logs ... 394
B.11 > Uninstalling Data Protection ... 395
B.12 > Device Control Permissions ... 396


B.13 > Device Control Notifications ... 398
B.14 > Device Control Logs ... 399

Appendix C: Virtual Desktop Infrastructure (VDI) Support Plug-in ... 401
C.1 > What Is Virtual Desktop Infrastructure? ... 401
C.2 > Trend Micro OfficeScan VDI Support ... 402
C.3 > Using the Virtual Desktop Support Plug-in ... 404
Appendix D: Cisco Network Admission Control (NAC) ... 407
D.1 > Cisco NAC Overview ... 407
D.2 > Definition of Terms ... 409
D.3 > Dataflow ... 410
D.4 > Configuration ... 415
D.5 > Files and Services ... 423
Appendix E: Configuring the Cisco ACS and NAD ... 425
E.1 > The Cisco ACS ... 425
E.2 > NAD Configuration ... 430
Appendix F: Trend Micro Smart Protection Network (SPN) ... 435
F.1 > What is Trend Micro SPN? ... 435
F.2 > A Multilayered Framework for Enterprise-Wide Protection ... 441
Appendix G: Standalone Smart Scan Server Deployment & Management ... 443
G.1 > Standalone Smart Scan Server Deployment ... 443
G.2 > Managing Standalone Smart Scan Servers ... 449
G.3 > Command-line Reference for Standalone Smart Scan Servers ... 455
Appendix H: IPv6 Support in OfficeScan ... 458
H.1 > IPv6 Support for OfficeScan Server and Clients ... 458
H.2 > Configuring IPv6 Addresses ... 460
H.3 > Screens That Display IP Addresses ... 461
H.4 > Logs ... 461
H.5 > Control Manager Console ... 462
Appendix I: Answers to Review Questions ... 463


Chapter 1: Trend Micro OfficeScan Course Overview


In this course, you will learn how to use Trend Micro OfficeScan software to detect malware infections on network servers, desktops, and laptops. Specifically, you will learn how to install, configure, and manage OfficeScan, so that you can prevent malware outbreaks and mitigate the damage malware can cause on your network. In addition, you will learn how to monitor OfficeScan by viewing logs and creating reports.

1.1 > Course Objectives


After taking this course, you should be able to complete these objectives:

Knowledge
- Describe the purpose, features, functions, benefits, and requirements of Trend Micro OfficeScan
- Describe the program architecture, database structure, and communications processes
- ed use in OfficeScan
- Understand various methods of deploying client installations
- Describe the OfficeScan components that support Cisco NAC
- Identify the purpose of each OfficeScan debugging tool
- Know which wireless systems are supported and how to deploy and manage them

Skills
- Perform pre-installation tasks for OfficeScan
- Install OfficeScan on clients and servers and verify installation
- Configure OfficeScan for a particular environment
- Update OfficeScan components such as the virus pattern file, scan engine, spyware/grayware scan and clean patterns, and other files
- Administer OfficeScan from a web-based management console
- Troubleshoot common problems in OfficeScan


1.2 > Target Audience and Prerequisites


This course is designed for end users and resellers who are responsible for protecting networks from virus attacks. The following professionals benefit most from this course:
- Systems engineers
- Systems administrators

Before you take this course, Trend Micro recommends that you have the following knowledge base:
- General knowledge of TCP/IP
- Working knowledge of Microsoft Windows desktop and Server 2003/2008 operating systems
- Ability to describe physical components commonly used for network communication
- Ability to differentiate between the various types of network architectures
- Familiarity with Secure Sockets Layer (SSL) communication

1.3 > How to Use This Material


This training course is designed to combine an instructor-led presentation with a hands-on lab experience. Consequently, this course includes two manuals: this student manual, which provides the framework for the course, and a lab manual, which provides step-by-step instructions for completing tasks. References to the lab textbook are included in the appropriate places in this student textbook. To ensure that you learn the skills you need to install and manage OfficeScan, this course is based on a learning model made up of the following:

Chapters

The student manual is divided into chapters. In addition to defining important concepts and terms, each chapter outlines the various administration tasks you need to perform.

Chapter Objectives

Each chapter starts with a list of objectives so that you can see how the chapter fits into your overall course goal. After reading the chapter, you should be able to fulfill the chapter objectives.

Summary and Review Questions

Each chapter ends with a summary that outlines the important information explained in the chapter and includes review questions that test your understanding of the chapter material. After reading a chapter, you should be able to answer the questions easily. If you cannot answer a question, you should review the chapter.

Answers to review questions appear in Appendix I: Answers to Review Questions on page 463.


Chapter 2: OfficeScan Endpoint Security for Clients and Servers

Chapter Objectives

After completing this chapter, you should be able to:
- Explain the purpose of OfficeScan
- Describe the features and benefits of OfficeScan


2.1 > What Does Network Security Require?


Most of the value of today's computer systems corresponds directly to the extent to which they can be connected with one another. Their openness to modification and control through programmability and easy-to-use interfaces plays an equally important role. By design, computer systems today are architecturally open and massively interconnected. Networked computing is indispensable to nearly every business process. Unfortunately, this means that when disruptions or failures occur, or when vulnerabilities are exploited, the negative impacts are costly. Imagine that you could use a phone to call a telephone number, take control of the handset on the other end, make prank calls, access long distance services, and even disable all future use by the rightful owner. Perhaps you also retrieve messages from the answering machine and reprogram it to record future calls and call you back whenever a new message is received. For today's data networks, this scenario is a common reality.

2.1.1 What Is Your Role in a Comprehensive Security Strategy?


Network security remains a high priority for IT administrators at all levels of business. One major goal is to block unwanted access to the network and thereby reduce the risk of data corruption, data theft, and systems damage. Unfortunately, in many cases unwanted access can be determined only after a threat materializes. Consequently, in addition to access-control measures, IT administrators must implement tools and establish policies for actively monitoring network assets, detecting threats early, and responding to potential threats quickly and effectively. OfficeScan 10 provides a broad range of security protection for client and server systems that supports these goals. Though providing truly comprehensive security is not the focus of this training, to understand the benefits of OfficeScan best, you should have a basic idea of what providing comprehensive security entails. IT professionals who have a clear understanding of the basic elements of threats, along with generic prevention and recovery strategies, will have a clear advantage in being able to effectively plan for, design, implement, sell, or administer any single solution or suite of security products.

2.1.2 Targeted Access Points and Typical Vulnerabilities


Any comprehensive security strategy must begin with considering two major areas of focus: 1) access points (or entry points) into networked systems, and 2) the types of threats against which you can defend yourself by implementing various monitoring, filtering, and scanning applications.


Points of Access to Networked Systems


All network access points are vulnerable to intrusion, monitoring, and/or control. The table below briefly describes each major access point and examples of security solutions commonly implemented to address areas of vulnerability.
Access Point: Network Medium
  Characteristics: Physical and logical circuit connections; wired or wireless; local or wide area
  Security Solution: Layer-2 encryption; VPN; disabling unused ports/jacks; facilities security

Access Point: Network Management Applications
  Characteristics: Configuration & monitoring interfaces/utilities; SNMP/RMON, Telnet, HTTP, and proprietary protocols
  Security Solution: Circuit-level gateways; TCP/IP filtering; separate management subnet; password policy; encryption (ex: SSH and HTTPS)

Access Point: Keyboard-Video-Mouse Consoles
  Characteristics: Physical interface to client and server machines; susceptible to human engineering
  Security Solution: Password policy; screen-saver logins; biometrics; facilities security; security policy and user training

Access Point: Operating System
  Characteristics: Execution environment; resource allocation; access control for file systems; access control for shared resources
  Security Solution: Password policy; user authentication framework (domain management); update/patch management; malware scanning, monitoring, vulnerability assessment and policy enforcement

Access Point: User Applications and their Network Interfaces
  Characteristics: File sharing; email and groupware; browsers; chat/IM clients; remote consoles; auto-updates; content subscription
  Security Solution: Proxy servers; firewalls; intrusion detection; mail gateway scanning; server-side protection; network monitoring; security policy

Access Point: Local Disk Drives
  Characteristics: Floppy, CD-ROM, and DVD disk drives
  Security Solution: Encryption; boot-sector scanning; file scanning and execution monitoring

Access Point: USB/FireWire/Serial & Parallel Ports
  Characteristics: Portable storage (disk drives and memory sticks); standalone applications
  Security Solution: Security policy; desktop policy enforcement; file scanning and execution monitoring

Table 1.1: Network Entry Points and Security Measures

The table above shows that to provide comprehensive network security, you must consider a wide range of potential vulnerabilities across multiple systems (including routers, servers, specialty devices, and end-user PCs). You must also define acceptable practices and enforce restrictions on end-users themselves through a written security policy.


Types of Security Threats


Though security threats are wide-ranging, each one creates a profile that can be described according to the threat's mode, its method, and its potential impact. The table below provides a framework for describing the where, how, and why of any individual type of threat. Every threat involves some kind of intrusion into the network. This intrusion may be a hacker attempting to log on to an internal system, or as simple as an SMTP connection from a remote mail server over which an email message with an attachment will be sent.

Threat Stage: Intrusion; Transmission; Infection; Theft/monitoring; Replication; Action

Method:
  Automated execution: Scripted exploration/exploitation; Viral - local copy to host files; Worm - node to node; Programmed agent - web threats, trojans, bot-net agents, key-loggers, etc.
  Manual execution: Local or remote; Accidental - by user; Intentional - by hacker

Impact Goal: Disruption; Damage; Theft; Monitoring; Partial control; Total control

Table 1.2: Descriptive Matrix of Threat Stages, Methods, and Goals

After intrusion, not all threats pass through all stages. A hacker, for example, after a successful intrusion, may or may not transmit harmful or disruptive files to the network, and may or may not take any files from the network. He or she may reconfigure a device in such a way that it is disruptive or harmful, or he or she may do nothing further at all. With viral infections, intrusion, transmission, and action do not describe all of the typical malware writer's goals. Viruses also seek to copy themselves to other files and eventually other systems, thereby expanding the scope of impact. Likewise, the methods used may also assume multiple characteristics. The components of many web threats, for example, are often loaded accidentally by the user, but are later activated either programmatically or by direct contact from a malware writer/hacker. Subsequent activities may include further intrusions, as well as the transmission and/or downloading of additional components that may include any number of additional behaviors that are viral, worm-like, trojan-like, and so on.

2.2 > Stopping Costly and Rapidly Evolving Malware Threats


Unfortunately, it is easy to become short-sighted with regard to security, focusing on only one aspect of the total challenge. One administrator, for example, may focus so much on technical solutions for access control, using VPNs and enforcing the use of strong passwords, that he or she forgets to train users on how and when (if ever) they should give a password to a client or an unexpected caller from technical support.


Another administrator may be so concerned about front-door attacks, protecting front-end web servers and other applications, that he or she neglects the upkeep of anti-spam and anti-spyware solutions, leaving the network vulnerable to web threats and other client vulnerabilities that often install backdoor trojans and keyloggers that enable data theft, give hackers remote control of clients, and consume system resources. Virtually anything that a computer hacker can do using step-by-step procedures can also be programmed for automated (and repetitive) playback from virtually anywhere on the local network or the Internet. Collectively, such software is called malware. The threat that malware poses is serious, and damage caused by malware can be costly. Unfortunately, the computer industry discovers thousands of new vulnerabilities every year. Malware attacks are growing not only in cost and frequency, but each new generation of exploits is more ambitious and more difficult to detect and remove than the one before. Much of today's malware is no longer written by technical enthusiasts for mere bragging rights, but by trained professionals whose goal is total control of the target.

Figure 2.1: Rise in Unique Malware Samples by Year [1]

2.2.1 The Cost of Malware Attacks Is Rising [2]


Malware causes network downtime and loss of productivity, sales transactions, consumer confidence and, of course, data. Companies may spend weeks cleaning devices and restoring network services, and may never recoup losses due to lost business opportunities or damage to their reputation. The impact is significant. According to the ICSA Labs* Tenth Annual Computer Virus Prevalence Survey, it takes an average of 31 person-days to clean up and restore services in response to a single outbreak. Costs averaged $130,000 USD, including employee down time, missed business opportunities, and paid technical overtime. ICSA concludes that these numbers may be conservative because the respondents to our surveys have historically underestimated recovery costs by at least a factor of seven when one considers both direct and indirect costs.

[1] AV-Test. Considerably more viruses, worms and other malware than ever. Data compiled by Andreas Marx (listed in articles in the AV-Test news archive, 11 January 2008). Retrieved from: www.av-test.org/index.php?menue=2&sub=Newsarchiv&lang=0


2.2.2 Attacks Are So Common, Some Have Stopped Counting

The number of reported malware attacks increases every year. In 2000, the CERT* Coordination Center recorded 21,756 reported malware attacks. Reported attacks increased on average more than 37,000 per year, through 2003 when annual incidents reached 137,529. CERT notes that each reported incident may involve one site or hundreds (or even thousands) of sites and may be ongoing for long periods of time. After 2004, CERT stated that attacks against Internet-connected systems have become so commonplace that a new metric would need to be developed to give meaning to their ongoing analysis. Subsequent data does, however, indicate that the trend has been continuous to the present.

2.2.3 Exploitable Vulnerabilities Continue to Be Discovered

With software applications and execution environments that run based on millions of lines of code, there seems to be an endless supply of weaknesses that malware writers can exploit. According to the CERT Coordination Center, and as illustrated in the chart below, thousands of new security vulnerabilities are discovered every year.

Figure 2.2: CERT/CC-recorded annual growth from 2004 to 2006 averaged over 45%. (2008 includes estimated Q4 reporting.)

2.2.4 Creativity Expands the Variety of Exploits

Not only is the number of threat incidents increasing, but the options for exploiting vulnerabilities are expanding. The figure below illustrates the relationship of the major types of malware threats. In addition to viruses, trojans, and worms, spyware and grayware are also becoming increasingly sophisticated and expansive in their scope.


Figure 2.3: Types of Malware and Grayware (diagram). Malware branches into Virus, Trojan Horse, Worm, and Grayware; Grayware in turn covers Hacking Tool, Commercial Tool, Application Cracker, Information Stealer, DOS/DDOS, Remote Access Tool/Program, Backdoor Program, Phone Dialer, Password Stealer, Key Logger, Adware, Spyware, Cookies, and Browser Helper Object.

2.2.5 Widespread Use of HTTP Opens the Door to Web Threats


Firewalls can police access to and from individual computers and block access to service ports and selected destinations. But providing end users, especially knowledge workers, relatively open access to the World Wide Web is as important to business today as providing these same types of workers with telephones was thirty years ago. To mitigate the security risks and other challenges of open access, IT managers commonly deploy firewalls and proxy servers, along with additional web-filtering services to filter content and police access. However, malware writers are increasingly exploiting the unique aspects of the Web and its use models to expose users to drive-by installations and other propagation techniques that neither traditional proxy servers nor web-filtering services are designed to detect and prevent.

2.2.6 Mobile Computing Introduces New Challenges


Mobile users introduce additional risk. They connect to other networks, increasing the chance of infection. But because they connect to the local network only occasionally, it is even more difficult to ensure that critical updates are applied promptly and correctly. Despite these deficiencies, nothing prevents users from using these devices to log on to the network. Devices can log on to the network in any state: They may not be running antivirus software, they may have outdated pattern files, or they may not have the latest patches for their operating system. Devices may even be infected with a virus or other type of malware. After users log on to the network, the malware attacks become internal threats, infecting devices from inside what used to be the trusted network. Additionally, end-user circulation of sensitive information through messaging systems, as well as lawsuits incurred through the circulation of inappropriate content (the hostile workplace scenario), can compromise a company's intellectual property and competitive advantage.


2.2.7 Lack of Policy Enforcement Leads to Vulnerability


Companies lack the tools to ensure that their networked devices are properly patched. IT departments are often overburdened with immediate problems and cannot keep up with required preventative maintenance. At the desktop, users are focused on completing job assignments and are not trained properly, if at all, to provide maintenance or even understand the importance of basic security practices.

2.2.8 Protection from Zero-day Exploits Requires Rapid Response


The time between the release of a patch and the appearance of malware written to exploit the vulnerability is getting shorter. For example, the patch for the vulnerability that Nimda exploited was released on 17 October 2000. Nimda itself was released almost a year later, on 18 September 2001, giving companies some time to apply the patch before it became truly critical to do so. Blaster malware, on the other hand, appeared on 11 August 2003, only three-and-a-half weeks after the relevant patch release. In February 2004, the Sasser worm surfaced two weeks after its associated patch release, and two vulnerability announcements in August 2005 led to worm-based exploits within days. Earlier in 2005, the Sanity worm was likely the first zero-day exploit.

2.3 > OfficeScan Features & Benefits


Trend Micro OfficeScan provides centrally managed endpoint protection for servers, desktops, laptops, notebooks, and other Windows-based computing devices from malware, including viruses, trojans, worms, and network viruses, plus protection from spyware, grayware, web threats and other mixed-threat attacks. Deploying OfficeScan client software is easy. You can then monitor security events in real time using a single web-based console, verify that OfficeScan clients are up to date, and perform other administrative functions. OfficeScan also helps you to identify vulnerable devices and stop malware outbreaks and other threats from spreading. The following sections outline the main features of OfficeScan. Two additional sections identify and describe features new in OfficeScan 10 and the subsequent update, Service Pack 1. The main features of OfficeScan include:
- Centralized management & control
- Web-based management console
- Plug-in framework
- Vulnerability scanner
- Configurable and scalable update management
- Configurable event and outbreak notifications
- Server quarantine folder
- Comprehensive logging


- Database backup
- Local and remote server installation options
- Trend Micro Control Manager integration
- Integration with Cisco NAC
- Advanced client functionality
- Comprehensive detection, prevention, removal and quarantine
- Support for multiple platforms and use models
  - 64-bit client support
  - Roaming mode for mobile clients
  - Check Point SecureClient Support for VPNs
- Multiple client deployment options
- OfficeScan client firewall
- Advanced security technologies
- SSL support
- MD5 message authentication
- Damage Cleanup Services

2.4 > OfficeScan Centralized Management


To effectively manage your networked devices and protect the data they store, you must either employ a large IT staff or take advantage of management tools and applications, like OfficeScan, that specifically address these challenges. Trend Micro has engineered OfficeScan from the ground up as a centrally managed network application. OfficeScan consolidates and automates administrative tasks without sacrificing the flexibility and control that you need to organize, configure, deploy, monitor, and enforce the use of client security software. Some of the benefits of OfficeScan include comprehensive monitoring and reporting, scalable deployment methods, policy enforcement, near real-time control over end-user configurations, and automated updates. The OfficeScan features that provide these and other benefits are discussed below.

2.4.1 Web-Based Management Console


The OfficeScan web-based management console allows you to perform software updates, client configuration changes, and emergency procedures at any time from any supported browser. Customizable reports provide better visibility into client security and can be imported easily into SQL-readable fields for flexible data management. You can group client workstations into domains. You can then apply your antivirus policy to all clients in the domain as easily as to a single workstation. You can also apply the antivirus policy to one or many workstations from one or many domains; you do not need to apply the same antivirus policy to every client within a domain.

To help you manage clients, the client tree provides details about the status of OfficeScan clients. You can see the current version of each OfficeScan component and determine whether the OfficeScan firewall, intrusion detection system (IDS), or update agent functionality is enabled. For infections, you can view the name of the virus and the date and time the infection was detected.

In addition, OfficeScan includes two features to help you locate clients on your network: Simple Search and Advanced Search. You can use Simple Search to find clients that have a specific IP address. You can use Advanced Search to locate clients that meet certain criteria and to display their log information. You can search for clients based on an IP address or range of addresses, the operating system they use, or the status of their virus pattern file, scan engine, virus cleanup template, or damage cleanup service. You can also locate clients that are not using the OfficeScan firewall or that are not currently supporting Outbreak Prevention.

Domain Grouping
OfficeScan now gives you the ability to select whether you want OfficeScan to use computer names from NetBIOS domains, Domain Name Services (DNS) domains, or Microsoft Active Directory domains. You can still configure OfficeScan domains separately; this feature affects only the names of the computers when they appear in the client tree.

Plug-in Framework for Additional Client Software


Value-added client applications for OfficeScan clients can be developed outside of product releases. The OfficeScan plug-in capability allows you to take advantage of new services and technologies as soon as they become available. Plug-in Manager displays the programs available for the OfficeScan server and OfficeScan clients. You can then install, deploy, and manage them from the management console. Examples of OfficeScan plug-ins include Trend Micro Mobile Security client software for smartphones and other handheld devices, and Intrusion Defense Firewall, a more advanced and highly customizable firewall for desktops and laptops than the OfficeScan firewall.

2.4.2 Vulnerability Scanner


A vulnerability scanner is included to help you detect workstations that are not protected by antivirus software. When you enter a range of IP addresses, the vulnerability scanner checks every workstation within the specified range and reports the current antivirus software version (including third-party software) installed on each device.

2.4.3 Configurable and Scalable Update Management


OfficeScan provides support for both a conventional approach to update management and a newer approach based on the Trend Micro Smart Scan architecture. Smart Scan offloads a large number of pattern-file signatures from client endpoints and stores them on one or more Smart Scan servers. Smart Scan is designed to reduce the impact of the ever-increasing volume of pattern-file updates that consume network bandwidth and endpoint resources. Automated update capability for both conventional and Smart Scan clients helps keep antivirus software up to date without end-user intervention. For conventional-scan clients, OfficeScan supports on-demand (manual) updates and automated (scheduled) updates. OfficeScan update flexibility also extends to conventional-scan mobile users, who have the option to download updates directly from the Trend Micro website. Mobile Smart Scan clients can rely on publicly available Trend Micro-hosted Smart Scan servers when they are outside the firewall. For conventional-scan clients, you can even configure updates for individual components separately.

Distributed Update Agent (Mirroring) Capability


The conventional OfficeScan system architecture includes the option to deploy multiple update agents. Update agent capability is built into every OfficeScan client. You can enable this functionality through the management console, designating any number of clients to become update agents. Update agents provide a mirroring function for the distribution of component updates, so that the burden of handling downloads can be distributed to key points throughout the network. This reduces the load on the central server and can eliminate a large number of redundant data transfers over wide-area and local-area network backbones.

Update Notification Infrastructure and Decision Tree


When the OfficeScan server downloads an update from the Trend Micro ActiveUpdate server, it notifies clients that one or more updates are available. OfficeScan clients respond by connecting to the OfficeScan server and downloading the update. If you configure the Trend Micro ActiveUpdate server as a secondary update source, roaming users and remote users can download updates directly from Trend Micro as needed.

Incremental Updates
Incremental updates are available for conventional-scan clients. This can significantly decrease the size of downloads. Incremental updates are available for virus pattern files and Damage Cleanup Services, including the Damage Cleanup pattern files, the Spyware/Grayware pattern files, and the Spyware/Grayware cleanup patterns.

Multiple Update Sources


OfficeScan enables you to configure multiple update sources for OfficeScan server, as well as deploy and configure multiple Smart Scan servers. OfficeScan server checks all named update sources for pattern updates and, then, the Trend Micro ActiveUpdate server. Multiple update sources can be used for manual and scheduled updates. For conventional-scan client updates, you can also configure multiple update sources (up to 1,024).

Rollbacks
A new pattern file may occasionally trigger false positives. OfficeScan enables you to roll back to a previous version of the virus pattern file and the scan engine. You can roll back the virus pattern file and the scan engine separately.


2.4.4 Configurable Event and Outbreak Notifications


OfficeScan includes a number of default notification messages that you and other administrators can receive whenever virus/malware or spyware/grayware is detected on an OfficeScan client. You can modify these messages to suit your requirements. You can also define the criteria that must be met before outbreak notification is sent. Outbreaks are defined by a specified number of threats detected within a specified period of time. An outbreak notification is then sent whenever threat detections exceed this threshold.

2.4.5 Server Quarantine Folder


You can configure OfficeScan to automatically forward infected files to a quarantine folder. You can limit the size of this folder, and you can configure OfficeScan to clean or delete the quarantined files if the folder exceeds its maximum size. You can also send files that OfficeScan cannot clean to Trend Micro for analysis.

2.4.6 Comprehensive Logging


If an OfficeScan client detects a security threat, it reports the event to the server and a log entry is written to the OfficeScan server database. OfficeScan keeps a number of system, update, scan, and detection event logs that you can use to create compliance reports and to fine-tune your network security strategy and client configurations. Among other things, logs can help you identify the machines that pose the greatest threat to the health of your network. Logs also provide information about the general status of your network security profile and can help provide assurance that updates, scheduled scans, and other maintenance activities are operating normally.

Virus Log Consolidation to Conserve Bandwidth


A single network virus can often cause a large number of detections in a short time. If OfficeScan detects multiple, recurring infections caused by the same network virus, it can consolidate the virus log entries and send them to the OfficeScan server once an hour. This reduces the network bandwidth required for log reporting and also reduces the number of virus detection notifications sent to your IT administrators.
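The two mechanisms described in sections 2.4.4 and 2.4.6 above, the outbreak threshold (a number of detections within a time window) and hourly consolidation of recurring detections of the same virus, are easy to get subtly wrong, so here is an added example of both running over constructed detection records. This is not OfficeScan code: the page does not show OfficeScan's real log format, its default threshold, or its consolidation key, so the line format, the four-detections-in-five-minutes threshold, the one-hour bucket, and the host-plus-virus key are assumptions chosen for illustration.

```python
"""Outbreak-threshold detection and hourly log consolidation over constructed
detection events.

Added example (not OfficeScan code). OfficeScan's real log format, its default
outbreak threshold and the consolidation interval are not given on the page;
the line format, the 4-detections-in-5-minutes threshold and the 1-hour
bucket below are assumptions chosen for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed client detection reports; not real OfficeScan log output.
SAMPLE_LOG = """\
2011-03-01T09:00:05 host=WS-017 virus=WORM_DOWNAD.AD action=quarantine
2011-03-01T09:00:40 host=WS-017 virus=WORM_DOWNAD.AD action=quarantine
2011-03-01T09:01:12 host=WS-022 virus=WORM_DOWNAD.AD action=quarantine
2011-03-01T09:02:58 host=WS-017 virus=WORM_DOWNAD.AD action=quarantine
2011-03-01T09:03:30 host=WS-031 virus=TROJ_GENERIC.X action=clean
2011-03-01T10:15:00 host=WS-017 virus=WORM_DOWNAD.AD action=quarantine
2011-03-01T14:00:00 host=WS-050 virus=ADW_TOOLBAR action=clean
"""

_EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse one 'timestamp key=value ...' record per line into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        events.append(fields)
    return events


def outbreak_alerts(events, threshold=4, window=timedelta(minutes=5)):
    """Return the timestamps at which an outbreak notification would fire.

    An outbreak is `threshold` detections inside a sliding `window`. After an
    alert fires the window is cleared, so a sustained outbreak raises one
    notification per `threshold` further detections instead of one per event.
    """
    recent = deque()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        recent.append(ev["time"])
        while ev["time"] - recent[0] > window:   # drop detections outside the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ev["time"])
            recent.clear()
    return alerts


def consolidate(events, period=timedelta(hours=1)):
    """Collapse repeated detections of the same virus on the same host into one
    entry per `period`, carrying a count and the first/last timestamps. This is
    what lets a client report a recurring network-virus hit once an hour rather
    than once per detection."""
    buckets = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        slot = (ev["time"] - _EPOCH) // period   # integer bucket index
        key = (ev["host"], ev["virus"], slot)
        entry = buckets.get(key)
        if entry is None:
            buckets[key] = {"host": ev["host"], "virus": ev["virus"],
                            "first": ev["time"], "last": ev["time"], "count": 1}
        else:
            entry["last"] = ev["time"]
            entry["count"] += 1
    return sorted(buckets.values(), key=lambda e: (e["first"], e["host"]))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for t in outbreak_alerts(evs):
        print("outbreak notification at", t.isoformat())
    for e in consolidate(evs):
        print(e["first"].isoformat(), e["host"], e["virus"], "x%d" % e["count"])
```

On the sample, the first four WORM_DOWNAD.AD hits fall within five minutes and fire one alert; the consolidation step turns seven records into five entries, with the three 09:00-hour hits on WS-017 reported once with a count of 3. Clearing the window after an alert is the design choice that keeps a sustained outbreak from paging the administrator on every detection.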

2.4.7 Database Backup Integration


You can configure, schedule, and initiate server database backups directly through the OfficeScan web-based management console. The management console gives you options for backing up the database immediately or for backing it up on a regular schedule. In addition, you can specify a directory on the local machine or a UNC path to back up the database to a remote location.
WARNING! The backup path must be either local or a UNC path. OfficeScan will not successfully
back up the database to a mapped drive.


2.4.8 Local and Remote Server Installation


OfficeScan is easy to install. The wizard-based installation program guides you through a choice of local and remote installations. You can even install OfficeScan to multiple computers simultaneously. You can also install the OfficeScan client and the OfficeScan server software on the same computer. OfficeScan also supports silent installations, which enable you to install the server component without user intervention. (For instructions, see Performing a Silent Installation on page 91.)

2.4.9 Trend Micro Control Manager Integration


For customers using Trend Micro Control Manager (TMCM) to manage multiple Trend Micro products enterprise-wide, the OfficeScan server includes an integrated Management Control Protocol (MCP) agent for use with Control Manager servers, version 3.5 Patch 2 or later. The Control Manager MCP agent receives notifications and downloads command and configuration data from the Control Manager server. The MCP agent also sends logs to the Control Manager server to provide a consolidated view of antivirus-related events across all Trend Micro products within the network. MCP agent support also allows you to replicate anti-spyware and antivirus settings across multiple OfficeScan servers using TMCM.

For more information about Control Manager please visit the Trend Micro website: http://www.trendmicro.com.

NOTE OfficeScan firewall settings cannot be replicated using TMCM.

2.4.10 Integration with Cisco NAC


Cisco Network Admission Control (NAC) is a set of general technologies and solution designs for Cisco's Self-Defending Network initiative. NAC-enabled network infrastructure devices (switches, routers, wireless access points, remote-access gateways, etc.) require connecting devices to present security credentials for access to the network. Client security credentials are validated by a Cisco Secure Access Control Server (ACS) that, in concert with the OfficeScan policy server, returns a decision (allow, deny, restrict, or quarantine) to the network device. If, for example, the OfficeScan client is not present or not up to date, you can automatically restrict network access until it, as well as other aspects of the client's security posture, is compliant with your policy. NAC security credentials are managed locally by the Cisco Trust Agent (CTA), which is in turn integrated with the OfficeScan client. OfficeScan allows for easy and automated distribution of the CTA along with the installation of the OfficeScan client. OfficeScan includes CTA versions 1.0.x and 2.1.x for support of NAC and NAC2 infrastructures. OfficeScan also supports the Host Credential Authorization Protocol (HCAP) and can provide automatic policy updates on the Cisco Secure ACS as well as automated updates to clients. In the event of an outbreak or other emerging threat, NAC enables the entire network to respond quickly to help isolate problems and prevent damage.


For information about Cisco NAC and OfficeScan server installation, see Installing Additional Software Components on page 85. For configuration information related to Cisco NAC, see Appendix E: Configuring the Cisco ACS and NAD on page 425.

2.5 > Advanced OfficeScan Client Functionality


OfficeScan client software supports real-time, scheduled, and manual scanning. Clients report scanning events and other status information in real time to the server from which they were installed. Network-wide data on virus/malware detections, startups, shutdowns, and update status can be monitored directly from the management console. These capabilities and others are discussed below.

2.5.1 Comprehensive Detection, Prevention, Removal and Quarantine


Client capabilities include real-time, manual (on-demand), and scheduled scanning. End users can execute commands and change their settings only if you grant these privileges through the configuration options in the web-based management console. You can just as easily prevent users from modifying the scan settings and from uninstalling or unloading the client software. Although client configurations are managed by the OfficeScan server, all active security functions, including scanning, cleaning, web-access control (reputation services), and firewall protection, are implemented directly in the OfficeScan client software. An introductory overview of the capabilities of the OfficeScan client is provided below.

ActiveAction
ActiveAction is an option you can choose when configuring virus scans. This option provides automated, virus-handling rules based on the type of virus detected. ActiveAction is easy to enable and functions without user or administrator intervention.

Spyware/Grayware Protection and Cleanup


OfficeScan 10.0 can protect your organization against many types of grayware, including:
Adware
Browser helper objects
Dialers
Remote access programs
Back door programs
Cookies
Hacker tools
Spyware

The OfficeScan components include a spyware/grayware scan pattern for detecting these types of grayware and a spyware/grayware cleanup pattern that Damage Cleanup Services (DCS) can use to rid your system of these threats, including shutting down running processes so they can be cleaned. OfficeScan lets you configure a spyware/grayware exclusion list so that you can keep applications that OfficeScan identifies as grayware.

For more information on OfficeScan anti-spyware capability, see section 3.4.7 Anti-Spyware Engine on page 52.


Web-threat Protection Through Web Reputation Services


In addition to file-based scanning, OfficeScan can detect and block access to sites that harbor web-based security threats, including phishing attacks. Access to a URL is allowed or denied based on a scoring system with a configurable threshold, or security level, that you select for OfficeScan clients. Clients check the score of each URL by querying Trend Micro reputation servers. The client software also includes a location-awareness capability that lets you define a separate policy for mobile clients to use when they plug into or wirelessly attach to an outside network, that is, when they are not behind one of your specified internal gateways.

For more information see section 3.4.8 OfficeScan Proxy Service and Web Reputation Services on page 53, and section 5.5.10 Web Reputation Services Settings on page 154.

NTFS Alternate Data Stream (ADS) File Scanning Capability


The Trend Micro scan engine can scan alternate data streams (ADS). In the NTFS file system, an alternate data stream can be attached to a file and remains invisible in ordinary directory listings and file properties. Attackers can use ADS to hide malicious code behind other files. As a manual check, the command dir /r (Windows Vista and later) lists the alternate streams attached to the files in a directory.

Microsoft Outlook Mail Scanning


NOTE You can configure Outlook Mail Scan using the client console only. Additionally, Outlook Mail Scan relies on a separate scan engine. To keep it up to date, you must periodically check for mail-scan updates manually. OfficeScan also supports POP3 scanning.

Many viruses are hidden in email attachments and may even be embedded in email content. Outlook Mail Scan can perform real-time scanning for incoming Microsoft Outlook messages and attachments as they are downloaded from the Exchange server. Mail Scan can also perform manual scans on individual folders.

For information about enabling end-user access privileges to Outlook mail-scan functions, see Mail Scan Privileges on page 151.

Performance / CPU-Usage Control


Performance control lets you define a CPU-usage threshold (20%, 50%, or none) above which OfficeScan clients scan files at a slower rate. By pausing after each file is scanned, the OfficeScan client spreads a full-system scan over a longer period of time. Setting a CPU-usage threshold leaves CPU capacity available for competing tasks, so end users can work with email, word processor, spreadsheet, and other productivity applications without the typical slowdown in application performance. The high setting does not adjust the scanning rate; the scan completes as quickly as possible, but this can hinder an end user's ability to perform other tasks at the same time, especially during full-system scans. The medium setting causes the client to pause between files when CPU consumption is above 50%. The low setting begins to slow the scan at 20% CPU utilization.


Manual Outbreak Prevention


With Manual Outbreak Prevention, you can immediately deny write privileges to files and block access to ports and shared folders. It allows you to self-configure custom outbreak policies to guard against or contain a security threat that may be entirely unique to your organization or against which you are particularly vulnerable and must take immediate action, ahead of a forthcoming Trend Micro outbreak-prevention policy.

2.5.2 Support for Multiple Platforms and Use Models


OfficeScan provides client software support for Intel and AMD 32-bit and x64-based platforms and Windows XP, Vista, 7, Server 2003, and Server 2008, along with support for Microsoft and VMware virtualization platforms.

For a complete list of hardware requirements and supported operating systems, see section 6.1 > Minimum Requirements for Client Software on page 220.

Some OfficeScan client features are not available on all operating systems. Table 2.3 summarizes key features and their availability by operating system. Only the table's rows and columns are reproduced here; the availability marks for each cell are not recoverable from this copy.

Table 2.3: Available Client Features by Operating System
Columns (Windows operating system): XP | Server 2003 | Server 2008 | Vista / 7
Rows (feature):
Manual, Real-time, & Scheduled Scan
Component update (manual and scheduled)
Web reputation
Roaming mode
POP3 mail scan
Update Agent
Security Compliance
Damage Cleanup Services
Plug-in Manager
OfficeScan firewall
Behavior Monitoring
Device Control
Microsoft Outlook mail scan
SecureClient support
Support for Cisco NAC
Two cells in the table carry the qualifier "(No x64)", meaning the feature is not available on the x64 edition of that operating system.


NOTE Support for Windows 95, 98, Me, and NT operating systems and the IA64 architecture was discontinued with OfficeScan 8.0. Support for Windows 2000 was discontinued in OfficeScan 10.5. If you are upgrading an installation that supports any of these legacy systems, see Accommodating Unsupported Client Operating Systems on page 71.

Tip If you have legacy x64 standalone clients (prior to version 7.3), they can be migrated to an OfficeScan server using the IpxFer.exe tool.

Roaming Mode for Mobile Clients


Installing OfficeScan client software on laptops provides security-threat protection even when these computers are not connected to your network. While in roaming mode, the OfficeScan client temporarily disables communication with the server and stores event logs locally. The OfficeScan client runs in the background, protecting the computer while it is disconnected. You can assign roaming privileges to clients that will be disconnected from the network for an extended time. For clients with roaming privileges, OfficeScan can automatically download the virus-pattern and scan-engine updates directly from the Trend Micro update server using whatever Internet connection is available.

Support for Check Point SecureClient for VPNs


OfficeScan can be integrated with Check Point VPN-1 SecureClient software to verify policy compliance, that is, whether the OfficeScan client is running and up to date, before VPN access is granted to mobile and remote users.
NOTE SecureClient integration with OfficeScan has been rigorously tested and has received Check Point Software Technologies OPSEC certification.

2.5.3 Multiple Client Deployment Options


OfficeScan enables you to deploy client software, even on large networks, simultaneously and quickly. OfficeScan provides seven deployment options to choose from:
Login scripts
Trend Micro Client Packager program
Hard-disk imaging
Remote installation
Vulnerability Scanner
Notifying clients to install from a web page
Microsoft Systems Management Server (SMS)

OfficeScan can uninstall third-party antivirus software products for easy migration and, also, provides protection from viruses during the transition process.


2.5.4 OfficeScan Client Firewall


The OfficeScan firewall helps protect clients against hacker attacks and Internet worms, including attacks that originate inside your network as well as those that arrive from the Internet. The OfficeScan firewall provides stateful, packet-level inspection of incoming and outgoing TCP, UDP, and ICMP traffic.

For a more detailed description of the capabilities of the OfficeScan firewall, see section 3.4.10 The Common Firewall Driver on page 54.

2.6 > Trend Micro Advanced Security Technologies


2.6.1 Trend Micro IntelliScan
Instead of relying on the file name alone to determine whether a file is of a type known to be capable of harboring malware, OfficeScan uses IntelliScan to identify the true file type and decide whether it is a type that OfficeScan should scan.

True file-type detection

IntelliScan first examines the file header, using true file-type identification, to check whether the file is an executable, a compressed archive, or another type that may carry a threat. IntelliScan examines every file to confirm that it has not been renamed: the extension must match the file's internally registered data type. For example, Microsoft Word recognizes its documents independently of the file extension. If you rename legal.doc to legal.lgl, Word will still open the document, along with any macro viruses it contains. IntelliScan identifies the file as a Word document regardless of its extension and scans it accordingly.

File extension checking

IntelliScan also uses extension checking, that is, the file name itself. The list of extensions to be scanned is updated with each new pattern file. For example, when a vulnerability in the handling of .jpg files was discovered, the .jpg extension was added to the extension-checking list in the next pattern update.

Using IntelliScan provides these benefits:

Performance optimization: IntelliScan does not affect crucial applications on the client because it uses minimal system resources.

Shorter scanning period: Because IntelliScan uses true file-type identification, it scans only those files that are vulnerable to infection. The scan time is therefore significantly shorter than when you scan all files.
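To make the two IntelliScan checks concrete, here is an added example that classifies constructed file contents by header bytes, cross-checks the result against the extension, and combines both into a scan decision. It is not Trend Micro's IntelliScan implementation: the signature table, the extension map, and the set of types and extensions that get scanned are assumptions chosen for illustration, since the real lists are pattern-driven and not shown on the page.

```python
"""True-file-type identification from header bytes, cross-checked against the
file extension, to decide whether a file gets scanned.

Added example, not Trend Micro's IntelliScan implementation. The signature
table, the extension map and the "scan these types" policy are assumptions
chosen for illustration; the real lists are pattern-driven and not on the page.
"""
import os
from collections import namedtuple

# (type name, magic bytes at offset 0): assumed, commonly documented signatures
SIGNATURES = [
    ("exe", b"MZ"),                                   # Windows PE / DOS executable
    ("zip", b"PK\x03\x04"),                           # ZIP archive (also .docx, .jar)
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),     # OLE compound file: .doc/.xls/.ppt
    ("jpeg", b"\xff\xd8\xff"),
    ("pdf", b"%PDF-"),
    ("elf", b"\x7fELF"),
]

# Extension -> type the file name claims (assumed map)
EXTENSION_TYPES = {
    ".exe": "exe", ".dll": "exe", ".scr": "exe",
    ".zip": "zip", ".docx": "zip",
    ".doc": "ole", ".xls": "ole",
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".pdf": "pdf", ".txt": "text",
}

# True types that are always scanned, plus the pattern-driven extension list
SCAN_TYPES = {"exe", "zip", "ole", "jpeg", "pdf", "elf"}
SCAN_EXTENSIONS = {".exe", ".dll", ".scr", ".zip", ".doc", ".xls",
                   ".jpg", ".jpeg", ".pdf"}

Verdict = namedtuple("Verdict", "true_type declared_type mismatch scan")


def true_type(data):
    """Identify a file by its header bytes, ignoring its name entirely."""
    for name, magic in SIGNATURES:
        if data[:len(magic)] == magic:
            return name
    return "unknown"


def classify(filename, data):
    """True-type check first, then extension check; scan if either says so."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXTENSION_TYPES.get(ext)
    actual = true_type(data)
    # A renamed file: the header says one thing, the extension another.
    mismatch = declared is not None and actual != "unknown" and declared != actual
    scan = actual in SCAN_TYPES or ext in SCAN_EXTENSIONS
    return Verdict(actual, declared, mismatch, scan)


# Constructed sample contents (headers only, padded); not real files.
SAMPLES = {
    "legal.lgl": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # Word doc renamed
    "notes.txt": b"MZ\x90\x00\x03\x00" + b"\x00" * 26,               # executable renamed
    "readme.txt": b"Plain text, nothing to see here.",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 20,
    "blob.jpg": b"not really a jpeg",                                # scanned by extension only
}


def classify_all(samples=SAMPLES):
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in classify_all().items():
        print(f"{name:12} true={v.true_type:8} ext={str(v.declared_type):8} "
              f"renamed={str(v.mismatch):5} scan={v.scan}")
```

The renamed Word document (legal.lgl) is scanned because its header identifies it, even though no extension rule matches; the renamed executable in notes.txt is both scanned and flagged as a mismatch; blob.jpg has no recognizable header but is still scanned because .jpg is on the extension list, which is exactly the case the extension check exists for.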

2.6.2 SSL Support


OfficeScan supports Secure Sockets Layer (SSL) to protect the communication between the server and the console. You can access the OfficeScan server from any location without compromising your companys network security.


2.6.3 MD5 Message Authentication


While SSL provides strong encryption to protect against eavesdropping (the capture and decoding of transmitted data), it also requires a comparatively large amount of processing power to establish each SSL connection. For transfers of pattern-file and program-file updates, eavesdropping is not a concern, because this data is available to all current subscribers. However, validating update data once it is received is important. Message Digest 5 (MD5) produces a 128-bit hash value, similar to a checksum, that changes if any bit of the data it represents changes. Comparing the digest of a received file with the expected digest shows whether the data was altered in transit by an intermediary device or by a network or machine error.

Note that the digest provides this assurance only when the expected value itself comes from a trusted source. An attacker who can substitute the update file on an unauthenticated channel can substitute the accompanying digest as well, so MD5 is an integrity check, not proof of origin. MD5 has also not been collision-resistant since 2004 and should not be treated as a substitute for a digital signature on the update.
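The difference between an integrity check and authentication is easy to state and easy to get wrong in practice, so here is an added example that verifies a constructed update payload against an MD5 digest in the two ways it can be done: against a digest pinned from a trusted source, and against a digest that arrived with the file. This is not OfficeScan code; the payload, the corruption, and the attacker's substitution are all constructed for illustration.

```python
"""Checking a received update against an MD5 digest, and why the digest must
come from a trusted source. Added example, not OfficeScan code; the payload
and the 'in transit' events are constructed for illustration.
"""
import hashlib
import hmac


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def verify_update(payload, expected_hex):
    """Integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(md5_hex(payload), expected_hex.lower())


# Constructed update payload. The pinned digest stands in for a value obtained
# over an authenticated channel (for example, the SSL console session).
PATTERN = b"constructed virus pattern file contents, release 1"
PINNED_DIGEST = md5_hex(PATTERN)


def corrupt_in_transit(payload):
    """A single flipped bit, as a network or disk error would produce."""
    data = bytearray(payload)
    data[len(data) // 2] ^= 0x01
    return bytes(data)


def substitute_in_transit(payload):
    """An active intermediary replaces the file AND the digest that travels
    with it. A digest that is not itself authenticated cannot tell this apart
    from a genuine update."""
    evil = payload.replace(b"virus pattern", b"trojanised")
    return evil, md5_hex(evil)


def check_all():
    """Run the four cases; only the shipped-digest case is a false 'pass'."""
    evil, evil_digest = substitute_in_transit(PATTERN)
    return {
        "genuine_vs_pinned": verify_update(PATTERN, PINNED_DIGEST),
        "corrupted_vs_pinned": verify_update(corrupt_in_transit(PATTERN), PINNED_DIGEST),
        "substituted_vs_shipped_digest": verify_update(evil, evil_digest),
        "substituted_vs_pinned": verify_update(evil, PINNED_DIGEST),
    }


if __name__ == "__main__":
    for case, passed in check_all().items():
        print(f"{case:32} {'PASS' if passed else 'FAIL'}")
```

The corrupted payload fails against the pinned digest, which is the error case MD5 is good for. The substituted payload passes when checked against the digest that was shipped alongside it and fails only against the pinned value; the check is only as trustworthy as the channel the expected digest came over.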

2.6.4 Damage Cleanup Services


With Damage Cleanup Services (which is licensed separately), OfficeScan cleans computers of file-based viruses and network worms, as well as virus and worm remnants, including registry entries, trojans, and other latent code. DCS can also remove many types of grayware, including spyware and adware that may be already running on the system. When enabled, DCS starts and runs automatically as a background process on the client. You do not need to configure it, and the user experience is also transparent.

For more information about Damage Cleanup Services and its components, see The Damage Cleanup on page 53.

2.6.5 IntelliTrap
Virus writers often attempt to evade virus filtering by using real-time (runtime) compression algorithms. IntelliTrap helps defend your network by blocking files that contain real-time compressed executable code. Note that IntelliTrap is a heuristic technology and can therefore block some files that are not actually threats; legitimate software packaged with the same packers is the usual source of such false positives, so review IntelliTrap detections before acting on them. IntelliTrap is a component of the Virus/Malware scan settings.

2.6.6 Scan-action Enhancement


Some files require further investigation to determine whether they are infected with a virus or other instance of malware. To mitigate the impact of potential false positives, OfficeScan will temporarily take no action on certain suspicious files. After Trend Micro determines the correct status of the file, the scan action will be adjusted accordingly.


2.7 > New in OfficeScan 10


OfficeScan 10 includes enhancements to the server and the client software in these areas:
Smart Scan
Active Directory integration
Role-based administration
Device control
Expanded platform support
Enhanced CPU performance, user control, and web reputation management

2.7.1 Smart Scan


Smart Scan moves security capabilities from the endpoint to the cloud. An integral part of the Trend Micro Smart Protection Network, Smart Scan provides these benefits:
Fast, real-time security status lookup capabilities in the cloud
Faster overall distribution of protection against emerging threats
Lower network bandwidth consumption for pattern updates: the bulk of pattern definition updates are delivered to the cloud only and not to all endpoints
Lower overhead cost associated with corporate-wide pattern deployments
Lower kernel memory consumption on endpoints, with minimal increases over time

2.7.2 Active Directory Integration


OfficeScan leverages Microsoft Active Directory services to enforce security compliance within the organization. By regularly polling the directory, OfficeScan can detect computers without security software and install the client to the computer. OfficeScan also allows you to assign management-console access privileges to users by using their Active Directory accounts.

2.7.3 Role-based Administration


Role-based administration lets you delegate management tasks to other administrators and allows non-administrators to view management console items. You can create user roles with defined access privileges to OfficeScan management console functions and then assign these roles to users. You can manage users by creating custom user accounts or by using existing Active Directory accounts. Single sign-on support enables users to log on to the OfficeScan management console from Trend Micro Control Manager.

2.7.4 Device Control


Device control can limit access to storage devices and network resources, regulating potential avenues for data leakage and malware infection. You can configure OfficeScan client software to allow or deny end-user access to these resources:


Plug-in devices (including blocking auto-run functionality for USB devices)
Optical disks
Floppy disks
Network resources

2.7.5 Expanded Platform Support


OfficeScan 10 supports server and client installations on Windows Server 2008 and VMware virtualization platforms.

For a complete list of hardware requirements and supported operating systems, see section 6.1 > Minimum Requirements for Client Software on page 220 and 4.1.4 Verify Target Server(s) Meet Minimum System Requirements on page 68.

2.7.6 Additional Product Enhancements


Performance control improves the efficient use of CPU resources by comparing the usage level selected (configurable using the OfficeScan management console) with actual CPU consumption on the client. The OfficeScan client can then adjust the scanning speed if the CPU-usage level has been set to medium or low.

Added controls for scheduled scanning allow users with scheduled-scan privileges to postpone, skip, or stop a scheduled scan.

More granular web reputation settings now allow you to configure web reputation policies and assign them to one, several, or all OfficeScan clients.

2.8 > New in Service Pack 1 for OfficeScan 10


Service Pack 1 for OfficeScan 10 includes enhancements to the server and the client software in these areas:
Smart Feedback
Behavior monitoring
Enhancements to various existing capabilities
Expanded platform support
Client self-protection capability
New default configuration for server platforms
Management console refresh and timeout options
Client update options for Common Firewall drivers

2.8.1 Smart Feedback


Trend Micro Smart Feedback provides continuous communication between Trend Micro products and Trend Micro's 24/7 threat research centers and technologies. Each new threat identified during the routine reputation checking of one customer automatically updates the Trend Micro threat databases to help protect all customers. By continuously processing the threat intelligence gathered through its global network of customers and partners, Trend Micro has built a "better together" security infrastructure that delivers automatic, real-time protection against the latest threats.

2.8.2 Behavior Monitoring


Service Pack 1 includes enhancements to the OfficeScan behavior monitoring capability. Behavior monitoring controls access to external storage devices and network resources, regulating potential avenues for data leakage or malware infection. Behavior monitoring also monitors and restricts activities related to the configuration and running of the operating system to protect program files and registry keys and keep security-related processes running.
NOTE Behavior-monitoring features are not currently supported on x64 platforms.

2.8.3 Enhancements to Existing Capabilities


Expanded Platform Support
Service Pack 1 supports server and client installations on Windows Server 2008 Hyper-V, Windows Server 2008 R2 Hyper-V, and virtualization applications such as VMware and Microsoft Hyper-V Server 2008 R2. Service Pack 1 also supports client installations on Windows 7 (build 7600.16385).

For a complete list of hardware requirements and supported operating systems, see section 6.1 > Minimum Requirements for Client Software on page 220 and 4.1.4 Verify Target Server(s) Meet Minimum System Requirements on page 68.

Enhanced Client Self-Protection


With Service Pack 1, administrator options for protecting the OfficeScan client's program files, registry keys, and running processes from user tampering (as well as manipulation by rogue programs) are also extended to the protection of the OfficeScan client services. These services include:
OfficeScan NT Listener (TMListen.exe)
OfficeScan NT RealTime Scan (NTRTScan.exe)
OfficeScan NT Proxy Service (TMProxy.exe)
OfficeScan NT Firewall (TmPfw.exe)
Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe)
When this feature is enabled, users can no longer stop OfficeScan-related client services by using either the Microsoft Services management console or the net stop command.


Optimized Default Client Configuration for Server Platforms


To maximize performance for servers, Service Pack 1 disables the following features for OfficeScan client software installed on Windows Server 2003 and 2008:
Behavior monitoring
Device-access control
Client firewall
Registry and process protection
Context-specific notices within the user interface of the management console call attention to the default configuration for servers when the default is different than for normal clients. Each notice also provides a link to more information for enabling these services on server platforms. Because these defaults leave server endpoints without behavior monitoring, device control, the client firewall, or registry and process protection, review them deliberately for each server rather than accepting them unchanged.

Client Update Options for Common Firewall Drivers


When updates to the Common Firewall Driver become available and are distributed to OfficeScan clients, the capabilities of the new driver cannot be used without restarting the service, which disrupts network connectivity. In some instances, the benefits of updating the driver do not outweigh the costs of an immediate disruption to the workflow of end users. Service Pack 1 enables you to configure the OfficeScan client to update the Common Firewall Driver on the next restart. This allows users to receive other non-disruptive updates as soon as they are available, but postpones updating the firewall driver until the next time the machine is shut down and restarted.
NOTE OfficeScan clients must be running version 8.0 SP1 or newer to use this feature. Clients running older software will still be prompted to restart immediately whenever updates to the Common Firewall Driver are deployed.

Management Console Refresh and Timeout Options


Service Pack 1 includes new options to:
Configure the Summary page to refresh automatically at a selected rate, such as every 30 seconds (when enabled, the minimum refresh rate is 10 seconds; the maximum is 300)
Enable and configure a custom timeout setting for the console using the console interface, instead of having to edit an .INI file (options range from 10 to 60 minutes in ten-minute increments)
These options are implemented on a new configuration page that you can access by clicking Administration > Web Console Settings on the main navigation menu.


2.9 > New in OfficeScan 10.6


OfficeScan 10.6 is an update release that includes new features and updates to existing features, along with a rollup of all prior bug fixes included in Service Pack 1 and those released subsequently. OfficeScan 10.6 improves client and server application performance, streamlines and expands integration with distributed components, adds several significant features to and extends Active Directory integration, and enhances existing features with minor but important refinements in the form of additional on-off options, threshold settings, and display views. Specific additions and improvements include:
Improved client-tree management tools in the form of:
Expanded Active Directory support for multiple forests and trusted domains, along with a comprehensive reorganization of Active Directory-related features and configuration options within the management console
Support for multiple tiers (nested folders/groupings) within the client tree
A new custom client-grouping feature for creating your own Active Directory-based and/or IP-address-based sorting rules to make it easier to configure and maintain client groupings for large numbers of clients within the client tree
Integration of Web Reputation Services within the locally distributable, cloud-based Smart Scan server infrastructure and a regrouping of Smart Protection Network components under a single heading within the navigation menu of the management console
Activity sequencing for virtual-machine-based clients running on VMware vCenter Server or Citrix XenServer virtual-machine management platforms
Significantly enhanced security-compliance assessment capability that summarizes data across a large number of profile metrics, provides better access to configuration options, lists query results in a new data format, and expands support for querying and reporting the status of machines that are outside of the local OfficeScan server's management
Expanded client-control capabilities in the form of:
Expanded functionality, configuration options, and reporting for update agents that allow you to select from multiple agent relay functions and also run a coverage analysis report to see which clients are configured to check with which relay agents
Application filtering added to the client firewall that allows you to block or allow network traffic based on the application from which data may be sent or for which data may be received
A "probable virus" category added to the list of detection events for which you may define a custom action to be taken (pass, clean, delete, or quarantine)
Trend Micro VSAPI 9.0 integration, which provides new options for OLE-exploit detection and the ability to use wildcards in scan exception lists
The ability to enable and disable the unauthorized-change prevention service and/or the client firewall based on client-tree selections of one or more clients, whereas formerly these options were available only as global client settings
Exception lists for device-control settings that allow you to define 1) applications that should be allowed to run and 2) applications that should be allowed to run and be allowed full access to all system resources


Support for Windows Server Core 2008, a "minimal" installation of Windows Server 2008. Most OfficeScan client features available on Windows Server 2008 work on Server Core. The only feature that is not supported is roaming mode.
IPv6 support for OfficeScan. IPv6 support is automatically enabled after installing or upgrading the OfficeScan server and clients that satisfy the IPv6 requirements.
The Data Protection module, which provides Digital Asset Control and expands the range of devices monitored by Device Control.
HTTPS scanning: clients can now scan HTTPS traffic for web threats and check the reputation of HTTPS websites.
Increased granularity for defining user roles based on menu items, now including individual client-tree toolbar menu items, for which the individual permissions to view and to configure may be granted or revoked.
Time synchronization for log data, to improve the integrity of event data collected from clients and, on many networks, aggregated by Trend Micro Control Manager.

OfficeScan 10.6 improves the overall performance of the management console by migrating certain CGI functions to ISAPI extensions, which run on average five to ten times faster. On the client side, certain CGI calls to the OfficeScan server have also been rewritten as ISAPI extensions. Additionally, a loading progress indicator has been added to management-console page displays to avoid blank renderings. OfficeScan 10.6 also includes a number of additional backend improvements that do not result in visible changes within the management console or end-user client console but that do enable an individual OfficeScan server to support more total clients, up to approximately 50,000.


2.10 > Chapter Summary and Review Questions


Summary
Companies face a number of challenges in combating today's malware attacks, and Trend Micro OfficeScan is a strong weapon in the fight against malware. This centrally managed antivirus software protects servers, desktops, notebooks, laptops, wireless devices, and personal digital assistants (PDAs) from malware and grayware attacks. OfficeScan clients scan for viruses and report all virus incidents to the OfficeScan server in real time.

Review Questions
1. OfficeScan supports SSL with which of the following web servers? (Choose all that apply.)
a) Apache 2.0.52
b) IIS 4.0
c) Apache 1.3
d) IIS 6.0
e) Netscape Enterprise Server 6.1
f) IIS 5.0

2. What does Virus Outbreak Monitor do?
a) Monitors the viruses detected on a client
b) Monitors the viruses detected on the network
c) Monitors the number of new network sessions
d) Alerts you when a new virus is discovered

3. Which OfficeScan feature includes the Intrusion Detection System (IDS)?
a) DCS
b) The OfficeScan firewall
c) OfficeScan for Wireless
d) The Policy Server for Cisco NAC

4. Which of the following types of threats can a spyware/grayware scan detect?
a) Viruses
b) Trojan horses
c) Back door programs
d) Worms


Chapter 3: OfficeScan Application Architecture
Chapter Objectives
After completing this chapter, you should be able to:
Identify the three main components of the OfficeScan architecture
Describe the OfficeScan server architecture
Describe the OfficeScan client architecture


3.1 > Architectural Components and Design Features


The OfficeScan 10.6 architecture consists of three main components:
OfficeScan server
Smart Scan server
OfficeScan client software
together with the web-based management console, which the OfficeScan server hosts.

The OfficeScan server software provides the core services of the OfficeScan architecture. It consists of a number of programs and information files. The default installation directory for OfficeScan is C:\Program Files\Trend Micro\OfficeScan. The server provides a repository for client configurations, virus logs, and up-to-date client software. The server also hosts the web-based management console and other control-center functions that provide centralized administration for all clients.
Scalability

To support larger numbers of clients (more than 1,500), OfficeScan enables you to configure selected clients to function as update agents, which relieve the throughput burden on the main server and increase the efficiency of the system-wide update process by reducing redundant data transport over local- and wide-area backbone links.
Client support

You can install OfficeScan clients on any computer running Windows XP or later, including 32-bit and 64-bit workstation and server editions. The client software provides antivirus/malware scanning, spyware/grayware detection, firewall protection, update capability, and support for additional features and services.
Client-server communication

The client communicates with the server to receive configuration settings, to download component updates, and to upload logs. OfficeScan uses Message Digest 5 (MD5) to validate the integrity of the data transferred. (For a brief description, see MD5 Message Authentication on page 31.) Keep in mind that an unkeyed MD5 digest detects accidental corruption of a transfer; it does not by itself stop an attacker on the network path who can rewrite both the data and its digest, so the channel carrying the data must be protected rather than relying on the digest alone. Client-server communication is typically frequent and ongoing. For example, when you use the management console to request firewall logs, the OfficeScan server notifies clients to check for instructions from the server. The clients subsequently upload their logs. The same happens when new updates are ready for distribution. The clients (and client update agents) then download updates from the server or their designated update agent.
Management Console

The OfficeScan management console user interface is browser-based, relying on standard technologies such as HTTP/S, HTML, Common Gateway Interface (CGI), and Java. The console gives you access to comprehensive management functions for the server and its clients. You can configure and enforce antivirus policies, update components, scan clients, and install client software on new machines.
NOTE CGI is an industry-standard protocol for linking server-side application code with dynamic web pages that compose a user interface, which is thereby deliverable by web servers and readable by browsers.


The figure below illustrates the conventional OfficeScan architecture and shows how the various components interact.

Figure 3.1: Conventional OfficeScan Architecture

NOTE Trend Micro Control Manager enables you to manage all the Trend Micro products on your network from a central location, including OfficeScan. For more information, go to http://www.trendmicro.com.

3.2 > OfficeScan Server Architecture


The OfficeScan server performs two major functions:
It installs, monitors, and manages OfficeScan clients.
It downloads updates from the Trend Micro ActiveUpdate server and distributes them to clients and update agents.
The OfficeScan server stores configuration data for the clients that it manages. When an OfficeScan client is installed and registered, it contacts the OfficeScan server and requests the configuration settings that it should use. When you modify a client configuration, the OfficeScan server notifies affected clients to download the new settings. In addition to storing client configurations, the OfficeScan server stores server-side configurations such as web-server and proxy-server information, the password for the OfficeScan management console, and product licensing information. To configure the client and the server, you can use the OfficeScan management console or the Control Manager management console, if you are running Control Manager. Server components that facilitate updating client and server information include:
Web server
Client and console CGIs
Master service
Database (DB) server service
OfficeScan database


Figure 3.2: OfficeScan Server Architecture

Following sections explain each of the major components shown above in more detail.

3.2.1 Web Server

The OfficeScan server requires a web server to host the web-based management console and to accept client requests and forward them to the master service. OfficeScan supports two web servers:
Microsoft Internet Information Server (IIS), version 6.0 or higher on Server 2003 and 7.0 or higher on Server 2008
Apache web server version 2.0.x or higher (If an Apache web server exists on the computer but the version is not 2.x, OfficeScan will install and use version 2.2.5. The existing Apache web server is not removed.)
You can specify which web server to use during the OfficeScan server installation.

For more information on web server requirements, including those for use with SSL, please see 4.1.4 Verify Target Server(s) Meet Minimum System Requirements on page 68.

SSL Support for Secure Communications

When installing an OfficeScan server, you can select to use HTTPS/SSL for connections from the web-based management console. You can also disable SSL after installation. SSL tunneling prevents attackers from sniffing packets traversing the network. Although OfficeScan encrypts the passwords entered on the web console before sending them to the OfficeScan server, an attacker can still sniff the packet and, without decrypting it, replay it to gain access to the console. A certificate is required to enable an SSL connection. The certificate contains server identification information along with the server's public key. By default, self-signed SSL certificates issued by the OfficeScan server during installation have a validity period of three years. You can use a certificate after it expires; however, connection attempts using an expired certificate will cause the browser to display a warning message. Self-signed certificates also produce browser warnings on every connection, which trains administrators to click through them, so where possible replace the installation certificate with one issued by a certificate authority your browsers already trust.
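The replay problem described above, as an added illustration that is not part of the original textbook and does not reproduce OfficeScan's actual login encoding: the console password is hashed on the client side (hash_password is a stand-in for whatever encoding the product applies), a sniffer on the path records the login message, and the attacker resends it verbatim. The first console accepts the replay because the message is the same every time; the second binds each login to a single-use server nonce, so the captured response is rejected. Class and function names are made up for the example.

```python
import hashlib
import hmac
import os

# Constructed credential for the demonstration; not a real account.
CONSOLE_PASSWORD = "Str0ng-Console-Passw0rd"


def hash_password(password: str) -> str:
    """Client-side encoding of the password before it leaves the browser (stand-in)."""
    return hashlib.sha256(password.encode()).hexdigest()


class Sniffer:
    """The attacker on the network path: records every message it sees, in order."""

    def __init__(self):
        self.captured = []

    def observe(self, message: str) -> str:
        self.captured.append(message)
        return message


class UnprotectedConsole:
    """Login that checks a client-side password hash over plain HTTP: no SSL, no challenge."""

    def __init__(self, password: str):
        self.stored_hash = hash_password(password)

    def login(self, submitted_hash: str) -> bool:
        return hmac.compare_digest(self.stored_hash, submitted_hash)


class ChallengeConsole:
    """Login bound to a single-use server nonce: a captured response cannot be reused."""

    def __init__(self, password: str):
        self.stored_hash = hash_password(password)
        self.outstanding = set()

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def expected(nonce: str, password_hash: str) -> str:
        return hmac.new(password_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:        # unknown or already-consumed nonce
            return False
        self.outstanding.discard(nonce)           # single use: a replay of this nonce fails
        return hmac.compare_digest(self.expected(nonce, self.stored_hash), response)


def replay_against_unprotected_console():
    """Returns (legitimate login succeeded, attacker replay succeeded)."""
    console = UnprotectedConsole(CONSOLE_PASSWORD)
    wire = Sniffer()
    legit = console.login(wire.observe(hash_password(CONSOLE_PASSWORD)))
    # The attacker never learns the password; it simply resends the bytes it saw.
    replayed = console.login(wire.captured[0])
    return legit, replayed


def replay_against_challenge_console():
    """Same attack against the nonce-bound login: the replay is rejected."""
    console = ChallengeConsole(CONSOLE_PASSWORD)
    wire = Sniffer()
    nonce = wire.observe(console.challenge())
    response = wire.observe(ChallengeConsole.expected(nonce, hash_password(CONSOLE_PASSWORD)))
    legit = console.login(nonce, response)
    replayed = console.login(wire.captured[0], wire.captured[1])
    return legit, replayed
```

The challenge variant only closes the replay hole: the client still proves knowledge of a password-equivalent value, and an observer can guess passwords offline against the captured exchange, which is why the textbook's recommendation to enable SSL for the console is the real fix rather than a cleverer login message.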


3.2.2 Console and Client CGIs


The OfficeScan server can process multiple CGI (Common Gateway Interface) requests simultaneously, which offers significant performance advantages. Introduced in version 7.0, the OfficeScan server relies on two separate CGI mechanisms to make simultaneous CGI processing possible:
Console CGIs for sending server commands to the master service
Client CGIs for sending client commands to the master service

Both console CGIs and client CGIs are stored on the OfficeScan server. The OfficeScan management console invokes console CGIs through the web server running on the OfficeScan server. OfficeScan clients invoke client CGIs through the web server also. Client CGIs facilitate the transfer of client logs, registration information, and other administrative data to the OfficeScan server. For example, if a client detects an infected file, the client invokes a client CGI to send the file to the master service. The master service then takes the action specified by your configuration. If the specified action for infected files is, say, quarantine, the file will then be sent to the quarantine folder.

3.2.3 OfficeScan Master Service


The master service (ofcservice.exe) responds to requests from OfficeScan clients, the management console, and Control Manager. For client requests, the web server listens for connection requests on port 8080 (by default) and forwards requests to the master service. The master service passes information back to clients using this same connection.
NOTE You can check the status of this service using the Microsoft Management Console. It appears as OfficeScan Master Service and lists no dependencies. The service also appears as a running process, OfcService.exe, in the Windows Task Manager.

During the initial installation of the server software, the setup program generates a random port number (you may specify one of your own instead) on which OfficeScan clients will listen for connections from the server. When the server needs to contact the client for updates or configuration changes, the server sends a call-back request to the client communication port. The client, in turn, contacts the server for any available data. Host and network firewalls between the server and its clients must therefore allow inbound connections to this port on the client; otherwise the call-back cannot be delivered. The master service is also responsible for checking the Trend Micro ActiveUpdate server for newly available virus patterns, spyware/grayware scan and cleanup patterns, scan engines, and program and configuration updates. The master service then notifies clients to contact the server. Clients return log messages to the master service to confirm that updates and configuration changes have been processed.
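The call-back-then-pull pattern just described, together with the MD5 integrity check on transferred data from the Client-server communication paragraph in 3.1, as an added example that is not OfficeScan's code and does not reproduce its wire format: a stand-in master service listens on a free loopback port (in place of 8080), the stand-in client listens on its own random communication port, the server sends a call-back, and the client then fetches a constructed component and checks it against the digest sent with it. The NOTIFY/GET_UPDATE messages, the digest-plus-newline framing and all class names are assumptions made for the example.

```python
import hashlib
import socket
import threading

LOOPBACK = "127.0.0.1"
# Constructed stand-in for a component update such as a pattern file; not real Trend Micro data.
SAMPLE_COMPONENT = b"constructed pattern file contents, version 1"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class MasterServiceStandIn:
    """Accepts client requests the way the web server does for the master service."""

    def __init__(self, component: bytes, tamper: bool = False):
        self.component = component
        self.tamper = tamper
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((LOOPBACK, 0))           # any free port stands in for the default 8080
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                      # listener closed by stop()
                return
            with conn:
                if conn.recv(64) == b"GET_UPDATE":
                    digest = md5_hex(self.component).encode()
                    body = self.component
                    if self.tamper:              # simulate corruption of the payload in transit
                        body = body[:-1] + bytes([body[-1] ^ 0xFF])
                    conn.sendall(digest + b"\n" + body)

    def notify(self, client_port: int) -> None:
        """Call-back to the client communication port: 'contact me for new data'."""
        with socket.create_connection((LOOPBACK, client_port)) as s:
            s.sendall(b"NOTIFY")

    def stop(self) -> None:
        try:
            self.sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.sock.close()


class ClientStandIn:
    """Listens on a random port for call-backs and pulls data from the server on demand."""

    def __init__(self, server_port: int):
        self.server_port = server_port
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((LOOPBACK, 0))       # random client communication port
        self.listener.listen(1)
        self.listener.settimeout(5.0)
        self.port = self.listener.getsockname()[1]

    def wait_for_notification(self) -> bool:
        conn, _ = self.listener.accept()
        with conn:
            return conn.recv(64) == b"NOTIFY"

    def pull_update(self):
        """Client-initiated transfer; returns (integrity_ok, component_bytes)."""
        with socket.create_connection((LOOPBACK, self.server_port)) as s:
            s.sendall(b"GET_UPDATE")
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:                    # server closed the connection: transfer done
                    break
                chunks.append(chunk)
        digest, _, body = b"".join(chunks).partition(b"\n")
        # An unkeyed MD5 only catches accidental corruption: an attacker on the path who can
        # rewrite the body can rewrite the digest too, so the channel itself must be protected.
        return md5_hex(body) == digest.decode(), body

    def close(self) -> None:
        self.listener.close()


def run_exchange(tamper: bool = False):
    """Server call-back, client pull, integrity check. Returns (integrity_ok, component_bytes)."""
    server = MasterServiceStandIn(SAMPLE_COMPONENT, tamper=tamper)
    client = ClientStandIn(server.port)
    try:
        server.notify(client.port)               # 1. server tells the client to check in
        if not client.wait_for_notification():  # 2. client receives the call-back
            return False, b""
        return client.pull_update()              # 3. client fetches and verifies the component
    finally:
        client.close()
        server.stop()
```

Running run_exchange() returns the intact component with the integrity flag set; run_exchange(tamper=True) corrupts one byte after the digest was computed and the client reports the mismatch. The point of the tamper case is the comment in pull_update: the digest catches a damaged download, but a deliberate substitution of both body and digest passes, which is why the digest is an integrity aid and not an authentication mechanism.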

3.2.4 Database Server Service


The database server service (DbServer.exe) is the interface between the master service and the database. It is managed by the master service and is the only component for which direct access to the database is allowed. The master service notifies the database-server service when OfficeScan is shutting down to prevent database corruption.


NOTE The database server service does not appear as a service in the Microsoft Management Console. You can check its runtime status using Windows Task Manager, where it appears as DbServer.exe.

The database backup process is a component of the database-server service. The master service communicates with the backup process, controlling the schedule by which backups are performed.

3.2.5 Database
OfficeScan client data and configuration information is stored in the OfficeScan database. Client information includes data such as IP address, computer name, status information, and configuration settings. Status information includes the virus pattern file version, the scan engine version, and the infection count. The client configuration settings include real-time scan settings, manual scan settings, and scheduled scan settings. The OfficeScan 8.0 database engine itself can support a large number of clients (up to 50,000) and query millions of records in a single second. Other application modules and system limitations restrict the maximum supportable number of clients per server to less than this number (currently, about 6000). The current database engine (introduced in version 7.0) overcomes certain limitations of MSDE which restricted client support to about 3000 clients per server.
NOTE To achieve acceptable performance for more than ~1,500 clients, you should use a hardware platform that exceeds minimum requirements and plan to designate one or more clients to be update agents.

3.2.6 Control Manager Agent


The Control Manager Agent (OfcCMAgent.exe) provides integrated client functionality for Trend Micro Control Manager and interfaces with the OfficeScan Master Service. The Control Manager agent manages communication with the Control Manager server. If you do not register OfficeScan with a Control Manager server, this service does not run.
NOTE You can check the status of this service using the Microsoft Management Console. It appears as OfficeScan Control Manager Agent and lists no dependencies. When the service is running, it will also appear as a process, OfcCMAgent.exe, in the Windows Task Manager.

3.2.7 ActiveUpdate Server


The Trend Micro ActiveUpdate server is Trend Micro's distribution point for pattern file and program updates for Trend Micro products. Updates include scan engine updates, virus pattern file updates, and program updates. During virus outbreaks, Trend Micro responds quickly to update virus pattern files. Updates can be issued more than once each week, and even daily. The scan engine and other components are also updated regularly.
NOTE Trend Micro recommends updating the components hourly to help ensure that the OfficeScan server has current component versions.


3.3 > Smart Scan Server Architecture


Traditional malware scanning identifies infected files by comparing several hash values of the file content with a list of hash values stored in a pattern file. If a file is marked suspect in the first pass of hash comparison, the scan engine employs a multi-phase approach to further drill down on it. In all of today's conventional endpoint security solutions, this pattern file is located on the endpoint and has to be distributed regularly to provide protection against the latest threats. Trend Micro File Reputation technology decouples the pattern file from the local scan engine and conducts pattern file lookups over the network to a Smart Scan Server. That Smart Scan Server may reside on the customer premises or even on the Internet. This in-the-cloud approach alleviates the challenge of deploying a large number of pattern files to hundreds or thousands of endpoints. With Trend Micro's new approach, as soon as the pattern is updated on the Smart Scan Server, protection is immediately available to all clients leveraging that scan server. File Reputation can address today's enterprise endpoint security challenges by providing shorter time to protect while assuring less complexity.

Figure 3.3: Smart Scan Data Flow

Smart Client
The central scanning component of Trend Micro's endpoint security solution is the Smart Client. Comparable to the scan engine in traditional content scanning, the Smart Client interacts with Smart Scan Servers to determine with certainty whether a file is infected or not and what action to take on that file.

Smart Query Filter


A component of the Smart Client, the Smart Query Filter is designed to prevent the Smart Client from querying the Scan Server for every single file that needs to be scanned. The Smart Query Filter leverages complex mathematical models to determine, with a high degree of accuracy, whether the file scanned can be found in the actual pattern file. Due primarily to its principles of operation, the Smart Query Filter does not generate false negatives and only a small number of false positives. If a file is not whitelisted by the Smart Query Filter, the local signature cache is queried to find the signature for this file. For offline scenarios where no Smart Scan Server can be queried, the Smart Query Filter references an index of the pattern file, allowing it to determine whether any given file is NOT in the pattern file on the Smart Scan Server.
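An added example, not Trend Micro's code, of the behaviour the paragraph describes: no false negatives, a small number of false positives, a local cache consulted before the server, and an offline index that can only rule files out. The textbook does not say what "complex mathematical models" the Smart Query Filter uses; the example assumes a Bloom filter, which is the standard structure with exactly those properties. The pattern file is a constructed set of SHA-256 hashes of made-up sample contents, the server is simulated in-process, and all names (BloomFilter, SmartQueryFilterStandIn, the verdict strings) are invented for the example.

```python
import hashlib
import math


class BloomFilter:
    """Bit array with k hash positions per item: a lookup never misses an inserted item
    (no false negatives) but may wrongly report an absent one (false positive)."""

    def __init__(self, expected_items: int, fp_rate: float):
        n = max(1, expected_items)
        # Standard sizing: m bits and k hash functions for the target false-positive rate.
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Derive the k bit positions from one SHA-256 digest (double hashing).
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class SmartQueryFilterStandIn:
    """Client-side pre-check: only hashes the index cannot rule out are sent to the server."""

    def __init__(self, server_pattern: set, fp_rate: float = 0.01):
        self.server_pattern = server_pattern        # what the Smart Scan Server holds
        self.index = BloomFilter(len(server_pattern), fp_rate)
        for h in server_pattern:
            self.index.add(h)
        self.local_cache = {}                       # verdicts learned from earlier queries
        self.server_queries = 0

    def scan(self, h: str, server_online: bool = True) -> str:
        if h not in self.index:
            return "clean"          # definitively not in the pattern: no network round trip
        if h in self.local_cache:
            return self.local_cache[h]
        if not server_online:
            return "unknown"        # offline: the index can rule files out, not confirm them
        self.server_queries += 1
        verdict = "malicious" if h in self.server_pattern else "clean"
        self.local_cache[h] = verdict
        return verdict


def build_demo(n_bad: int = 1000, fp_rate: float = 0.01) -> SmartQueryFilterStandIn:
    # Constructed pattern: hashes of made-up contents, not real malware signatures.
    pattern = {file_hash(b"constructed malware sample %d" % i) for i in range(n_bad)}
    return SmartQueryFilterStandIn(pattern, fp_rate)


def false_negatives(sqf: SmartQueryFilterStandIn) -> int:
    """Every hash in the pattern must be flagged; the filter guarantees this count is 0."""
    return sum(1 for h in sqf.server_pattern if sqf.scan(h) != "malicious")


def false_positive_rate(sqf: SmartQueryFilterStandIn, n_clean: int = 5000) -> float:
    """Fraction of clean files that still cost a server query (the false positives)."""
    before = sqf.server_queries
    for i in range(n_clean):
        sqf.scan(file_hash(b"constructed clean document %d" % i))
    return (sqf.server_queries - before) / n_clean
```

With 1,000 pattern entries and a 1% target the filter is about 9,600 bits with 7 hash positions; scanning 5,000 clean files sends roughly 1% of them to the server and the rest are cleared locally, while every pattern entry is flagged. The cost of that guarantee is visible in scan(): a filter hit while offline cannot be resolved, so the caller must decide a policy for "unknown" rather than treat it as clean.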


Smart Scan Server


The Smart Scan Server may be deployed as a standalone server and, with OfficeScan 10.6, is deployed as an integrated component of the OfficeScan server by default. Locally hosted Smart Scan servers provide easy access to endpoints. This minimizes gateway network traffic and reduces the latency of cloud pattern lookups. The Smart Scan Server receives and immediately stores pattern files from Trend Micro. If necessary, the Smart Scan Server also signals updates to the clients' Smart Query Filters, which take place on the next Smart Client query. Generally, the Smart Scan Server is the only component of the solution that receives frequent updates.

For information on deployment considerations for Smart Scan servers, see 4.1.2 Consider Smart Scan Server Options on page 66. For information on configuration of integrated Smart Scan server settings, see 5.4 > Smart Protection Server Settings on page 116. For information on installing and configuring standalone Smart Scan servers, see Appendix G: Standalone Smart Scan Server Deployment & Management on page 443.

3.4 > Client-software Architecture


While the OfficeScan server provides the central command and control infrastructure for managing OfficeScan clients, it is the OfficeScan client software itself that implements the endpoint security technologies that provide threat-prevention and cleanup services to client computers. The client also logs events and sends data to and requests data from the OfficeScan server.

3.4.1 OfficeScan Client Console


OfficeScan client software has essentially two user interfaces:
The management console provides a back-end interface for administrators only
The client console provides the front-end client interface that end users may use to perform on-demand scanning and other tasks based on the privileges you allow
You can limit or expand the functionality of the client console by granting and revoking privileges to individual functions. You can grant privileges to users so they can modify various settings and perform on-demand scans and updates using the OfficeScan client console. You can also revoke these privileges. Granting privileges exposes user-interface access to the associated functions. Revoking privileges may remove interface tabs from display and/or gray out options listed on drop-down and popup menus. You can, for example, restrict the client console from access to scan settings, as well as from being able to unload and/or uninstall the client program.


3.4.2 Threat Detection and Response Components


The OfficeScan client software protects servers, workstations, and laptops from viruses, trojans, spyware, and other malicious programs. The OfficeScan client software provides three methods of scanning:
Real-time scanning
Scheduled scanning
Manual scanning

Manual scanning options include full-scan and single file scanning capability. You can configure scan settings and initiate manual scanning through the web-based management console or the client console interface. The components that together provide the OfficeScan client with its threat detection and response capability are listed below. Trend Micro releases updates for each of these components as new threats are discovered.
NOTE Additional information for the major components listed below, including the client program, scan engine, pattern files, damage cleanup, and the client firewall, appears in following sections within this chapter.

Core Components
Client program: Implemented as four main services and additional processes (see Client Application Services and Program Data below), the OfficeScan client program provides a framework for the components listed below, including a watchdog function (Trend Micro Unauthorized Change Prevention Service) that monitors client status and automatically restarts services if they are ever stopped.
Cisco Trust Agent: Enables communication between the client and routers that support Cisco NAC (requires that the Policy Server for Cisco NAC be deployed).
Hot fixes and security patches: Consist of workaround solutions to customer-specific issues or newly discovered vulnerabilities that you can download from the Trend Micro website and deploy to OfficeScan clients and/or the OfficeScan server.

Antivirus Components
Scan engines (32-bit and 64-bit): Consist of the program code through which actual scanning functions are implemented.
Virus pattern file: Provides conventional-scan OfficeScan clients with virus signatures, which are the unique patterns of bits that identify each virus type.
IntelliTrap pattern file: Provides conventional-scan signatures for detecting real-time compression files that are packed as executable files.
IntelliTrap exception pattern file: Contains a list of approved compression files.


Smart Scan pattern file: Hosted by Smart Scan servers; clients do not download this file. It is updated hourly by default (optionally every 15 minutes) and contains the majority of the pattern definitions available.

Smart Scan agent pattern file: Smart Scan clients download this pattern from the update source using the same methods used for other OfficeScan components. It is updated daily and contains the patterns that cannot be hosted by the Smart Scan server.

Anti-Spyware Components

Spyware engines (32-bit and 64-bit): Scan for, detect, and remove spyware.

Spyware pattern file: Contains signatures for spyware/grayware in executable program files, data files, memory modules, the Windows registry and URL shortcuts.

Spyware active-monitoring pattern file: Similar to the standard spyware pattern file, but used for real-time anti-spyware scanning. Only conventional scan clients use this pattern. Smart Scan clients use the Smart Scan Agent Pattern for real-time spyware/grayware scanning. Clients send scan queries to a Smart Scan Server if the risk of the scan target cannot be determined during scanning.
NOTE This component is used only if you purchase and activate the Antivirus and Web Threat Protection services.

Venus Spy Trap technology (32-bit and 64-bit): Monitors newly loaded executables and enables spyware/grayware files to be deleted as they are discovered.
NOTE This component is used only if you activate (purchase) the web-threat protection service. If both antivirus and web-threat protection services are activated, it [sentence truncated in the source]

Anti-rootkit driver (32-bit): A kernel-mode driver used by the spyware scan engine that enables the client to bypass any potential redirection by rootkits.

Proxy Services Components

OfficeScan Proxy Service: Provides silent (transparent) proxy services that enable the OfficeScan client to provide Web Reputation Services.

Web Threat Security Module: Includes HTTP protocol handling for traffic captured by the OfficeScan proxy service and handles rating requests and other functions related to Trend Micro Web Reputation Services.

Damage Cleanup Services

Virus cleanup engine (32-bit and 64-bit): Used by Damage Cleanup Services to scan for and remove viruses, trojans and trojan processes, and other malware.

Virus cleanup template: Used by the virus cleanup engine to identify viruses, trojan files and other processes to be eliminated.


Chapter 3: OfficeScan Application Architecture

OfficeScan Firewall

Common firewall driver (32-bit and 64-bit): Provides client firewall and scanning services.

Common firewall/network-virus pattern file: Like the virus pattern file, this file contains virus signatures, but they are matched against traffic as it passes through the network interface, before it is written to disk or any other file system.

Web Reputation

URL filtering engine: Facilitates communication between OfficeScan and the Trend Micro URL Filtering Service. The URL Filtering Service is a system that rates URLs and provides rating information to OfficeScan.

Behavior Monitoring Components

Behavior monitoring detection pattern: Contains the rules for detecting suspicious behavior.

Behavior monitoring driver: Runs in kernel mode, monitors system events and passes them to the Behavior Monitoring Core Service for policy enforcement.

Behavior monitoring core service: Runs in user mode and provides rootkit detection, regulates access to external devices, and protects files, registry keys, and services.

Behavior monitoring configuration pattern: Used by the behavior monitoring driver to identify normal system events and exclude them from policy enforcement.

Digital signature pattern: Contains digital signatures used by the behavior monitoring core service to determine whether the program responsible for a system event is safe.

Policy enforcement pattern: Used by the behavior monitoring core service to check system events against the policies in this pattern.

3.4.3 Client Application Services and Program Data

Fully enabled (though not including the Cisco Trust Agent), the OfficeScan client software runs as the system services listed below plus two main additional processes, all of which are installed (by default) to the C:\Program Files\Trend Micro\OfficeScan Client folder.

OfficeScan NT Listener (TmListen.exe): provides communication with the server
OfficeScan NT RealTime Scan (NTRtScan.exe): performs scanning functions
OfficeScan NT Proxy Service (TmProxy.exe): provides network protocol-level monitoring and supports web reputation services
OfficeScan NT Firewall (TmPfw.exe): provides firewall services
Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe): only for computers running an x86 type processor

The executable names in parentheses above are the process names for the associated services. Additional processes include:
PccNTMon.exe, which monitors running processes and processes being loaded
A randomly named process that implements the watchdog service (described below)


Client configuration information is stored in three places:

OfficeScan database on the server
ofcscan.ini file on the client
Windows system registry on the client

For a complete list of client services and registry entries, see section 6.3 > Verifying the OfficeScan Client Installation on page 238.

3.4.4 Protection for Client Installation Files and Running Services


Client security features also extend to the file-system settings that the client setup program applies to the installation directory and an active watchdog service that monitors client status and restarts the client if it is ever disabled.

File-System Security Options for Client Installations


You can control user access to the OfficeScan client installation directory and registry settings by selecting one of two security settings.

Normal: Full rights to the OfficeScan client program directory and the OfficeScan client registry entries are given to all users (Everyone).

High: The client installation directory inherits the rights of the Program Files folder and the client's registry entries inherit permissions from the HKLM\Software key. For most Active Directory configurations, this automatically limits normal users (those without administrator privileges) to read-only access.

During the OfficeScan server installation you select a default setting for new clients. After installation, you can change this setting through the management console.
NOTE For more information on changing this client security setting, please see section 5.5.8 Client Privileges and Other Settings on page 150.

The normal setting leaves OfficeScan client program files more vulnerable to tampering by malicious programs or by compromised user accounts, since any user can modify or delete them. The high security option limits OfficeScan installation folder and registry access to Windows administrator and power-user profiles. The table below shows the permissions assigned for the high setting.
Table 3.1: OfficeScan Client Installation Directory Permissions (high setting)
Principals: Administrators, Creator Owner, Power User, SYSTEM, Terminal User (* Windows Terminal Service), Users
Rights: Full Control, Modify, Read & Execute, List Folder Content, Read, Write
(The check marks showing which principal holds which right are not reproduced here.)

Access privileges that users have to the OfficeScan client registry entries when the high setting is selected are shown below.

Table 3.2: OfficeScan Registry Permissions (high setting)
Principals: Administrators, Creator Owner, Power User, SYSTEM, Terminal User (* Windows Terminal Service), Users
Rights: Full Control, Read
(The check marks showing which principal holds which right are not reproduced here.)

Unauthorized Change Prevention Service

The Trend Micro Unauthorized Change Prevention Service provides a watchdog function to prevent OfficeScan services from being stopped and settings from being changed. The service provides two layers of change protection:

Change prevention: Blocks unauthorized changes from happening in the first place
Change reversal: Undoes unauthorized changes if change prevention is absent or circumvented

The change-prevention service monitors the status of the real-time scan process, NTRtScan.exe (as well as other processes). The real-time scan process, in turn, protects all digitally signed .exe, .dll, and .sys files in the OfficeScan client folder, as well as other important, unsigned files.

Client self-protection settings are part of the OfficeScan global client settings. For more information and instructions on how to change these settings, please see section 5.6 > Global Client Settings on page 172.

3.4.5 The Trend Micro Antivirus Scan Engine

The heart of the OfficeScan client is the scan engine. Originally developed when file-based viruses were still a newly emerging threat, today the scan engine is capable of detecting Internet worms, mass-mailers, trojan horse threats, phishing sites, and network exploits as well as viruses. The scan engine detects both actively circulating (in-the-wild) threats and known-and-controlled viruses that have been developed for research and are not in circulation. Instead of scanning every byte of every file, the scan engine and pattern file work together to identify the tell-tale characteristics of the virus code, along with the precise location within a file where the virus code would be. Upon detection, the virus can be removed and the integrity of the former host file restored. The scan engine automatically deletes older virus pattern files (to conserve disk space) and also takes advantage of incremental pattern updates (to conserve bandwidth). The scan engine can decode all major encoding formats (such as MIME and BinHex). It can also recognize and scan compressed files, such as .zip, .arj, and .cab files. For maximum protection, scan-engine components must be up to date. Trend Micro ensures this in two ways:


Frequent updates to the virus pattern file, which can be downloaded and read by the engine without the need for any changes to the engine code itself
Technological upgrades in the engine software prompted by a change in the nature of virus threats, such as a rise in mixed threats like SQL Slammer

The Trend Micro scan engine is certified annually by international computer security organizations, including ICSA (International Computer Security Association).

3.4.6 The Virus Pattern File


The Trend Micro scan engine uses an updatable data file, called the virus pattern file, to identify the latest viruses and other Internet threats such as trojan horses, mass mailers, worms, and mixed attacks. New virus pattern files are created and released several times a week, and any time a particular threat is discovered. All Trend Micro antivirus programs using the ActiveUpdate function can detect the availability of a new virus pattern file on the Trend Micro server and/or can be scheduled to automatically poll the server every week, day, or hour to get the latest file.
NOTE Trend Micro recommends scheduling automatic updates at least hourly, which is the default setting for all shipped products.

You can download virus pattern files from the following website, where you can also find the current version, release date, and a list of all the new virus definitions that are included in the file:
http://www.trendmicro.com/download/pattern.asp

3.4.7 Anti-Spyware Engine

OfficeScan includes an improved spyware scanning and cleanup engine that can detect and clean more spyware/grayware than before, with fewer false positives. OfficeScan anti-spyware capability includes:

Real-time Detection: Real-time spyware/grayware scanning of the file system prevents or stops spyware execution.

Spyware/Grayware Restore: After taking action on spyware/grayware, OfficeScan clients back up the spyware/grayware data, which the OfficeScan server can restore at any time if the spyware/grayware is deemed safe. You can choose which spyware/grayware data segments to restore.

Assessment Mode: Assessment mode was designed to allow you to first evaluate whether spyware/grayware is legitimate or not and then take action based on your evaluation. For example, you can add the legitimate ones to the spyware/grayware approved list.

Rootkit Detection: Currently rising in use, rootkits corrupt regular operating system functions that application programs assume are valid and thereby gain control of the target computer. Rootkits are extremely hard to remove without rebuilding the computer.


3.4.8 OfficeScan Proxy Service and Web Reputation Services

The OfficeScan proxy service runs automatically when web reputation services are enabled. The proxy service intercepts HTTP connections at the transport layer using a low-level TDI (Transport Driver Interface) driver that runs in kernel mode on the Windows host. The TDI driver redirects outgoing connections on ports commonly used for HTTP to the proxy service. The proxy service receives this data on interprocess TCP port 6999 and interfaces with the HTTP-handling and URL-filtering services that provide web-reputation functions.

For a more detailed description of Web Reputation Services, see section 5.5.10 Web Reputation Services Settings on page 154.

3.4.9 The Damage Cleanup Services


Damage Cleanup Services (DCS) performs these tasks:

Detects and removes live trojans and other active infections
Kills processes that trojans and other malicious applications create
Repairs system files that trojans and malicious applications modify
Deletes files and applications that trojans and malicious applications leave behind

Damage Cleanup Services relies on these components:

Virus cleanup engine (VCE): Scans for remnants of and damage caused by viruses, trojans, worms and other malware and cleans up what it finds.

Virus cleanup template (VCT): Used by the virus cleanup engine to help identify trojan files and processes and other malware; it includes the information needed to fix damage caused by malware threats and remove any lingering remnants.

NOTE VCTs are updated frequently; therefore, Trend Micro recommends that you update your components immediately after you have installed and activated Damage Cleanup Services.

The VCE runs automatically on the client computer on these occasions:

When end users perform a manual cleanup from the client console
When you perform Cleanup Now on the client from the Security Dashboard
When end users run a manual scan or clean
After hot fix or patch deployment
When the Security Server restarts

The VCE is a background process whose operation is transparent to end users and administrators. It does not require configuration.
NOTE Certain clean-up processes may require the host computer to be restarted to complete the removal of a threat. In that case, an on-screen notification is displayed for the affected user.


3.4.10 The Common Firewall Driver

The Common Firewall Driver is the core of the OfficeScan firewall, which protects computers from hacker attacks and network viruses by creating a barrier between the host computer and the network. The firewall uses the Network Virus Pattern file to examine each packet as it comes off the network to determine whether it carries a network virus. The OfficeScan firewall also provides these features:

Address Filtering & Port-blocking: Allows you to allow or deny connection attempts from named port numbers and/or IP addresses.

Intrusion Detection System (IDS): Monitors incoming and outgoing traffic for patterns that may indicate an intrusion attempt, a denial of service (DoS) attack, or a successful intrusion (if the client appears to be attacking your own network).

Firewall Outbreak Monitor: Monitors the number of infractions entered in the firewall log. You can configure the number of infractions per period of time that constitute an outbreak and have OfficeScan notify you of the event.

Network Virus Scanning: Uses a network virus pattern file to scan incoming and outgoing traffic for Internet worms. This scanning occurs at the packet level.

NOTE You can use the OfficeScan firewall on Windows XP machines that also have the Microsoft Internet Connection Firewall enabled. However, you must manage your policies carefully to avoid creating conflicting policies that produce unexpected results. For example, if you configure one firewall to allow traffic from a certain port but the other firewall blocks traffic from the same port, the traffic will be blocked. For information on how to configure Internet Connection Firewall, see your Microsoft documentation.

Stateful Inspection
The OfficeScan firewall provides stateful inspection, monitoring all connections to the client and tracking connection states and packet sequences. By doing so, the firewall can identify certain intrusion and denial-of-service attempts and block problem traffic before it is processed by the host protocol stack.

Intrusion Detection
The OfficeScan firewall also includes an Intrusion Detection System (IDS). When enabled, the IDS can identify patterns in packet formation and traffic sequences that may indicate an attack on the client. The OfficeScan firewall can help prevent these well-known intrusions:

Conflicted ARP
LAND Attack
Ping of Death
Teardrop
Too Big Fragment
Fragmented IGMP
Overlapping Fragment
SYN Flood
Tiny Fragment Attack
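Several of the intrusions listed above are pure per-packet (or per-datagram) properties of the IPv4 header, which makes them a good illustration of what "patterns in packet formation" means. The following Python is an added example, not OfficeScan code or its actual detection logic: it decodes raw IPv4 headers (and the first bytes of TCP) with the standard `struct` module, keeps the byte ranges already seen for each in-flight datagram, and flags LAND, Tiny Fragment, Overlapping Fragment, Too Big Fragment and Ping of Death using their commonly cited definitions. The packets it inspects are constructed inline; the addresses, ports and identifiers are assumptions for illustration. Conflicted ARP, Fragmented IGMP and SYN Flood need ARP/IGMP decoding or connection-rate state and are not modelled (Teardrop is covered by the overlap check).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

IP_MAX_DATAGRAM = 65535      # largest reassembled IPv4 datagram
TCP_HEADER_MIN = 20          # a first fragment shorter than this splits the TCP header
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class IPv4:
    src: str
    dst: str
    proto: int
    ident: int
    more_frags: bool
    frag_offset: int      # byte offset of this fragment within the original datagram
    payload: bytes


def parse_ipv4(pkt: bytes) -> IPv4:
    """Decode the fixed 20-byte IPv4 header; any options are skipped via IHL."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return IPv4(".".join(map(str, src)), ".".join(map(str, dst)), proto, ident,
                bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8, pkt[ihl:total_len])


class FragmentTracker:
    """Remembers the byte ranges already received for each datagram being reassembled."""

    def __init__(self) -> None:
        self.ranges: Dict[Tuple[str, str, int, int], List[Tuple[int, int]]] = {}

    def inspect(self, pkt: bytes) -> List[str]:
        ip = parse_ipv4(pkt)
        alerts: List[str] = []
        first_piece = ip.frag_offset == 0
        # LAND: a TCP segment whose source and destination address *and* port are identical
        if ip.proto == PROTO_TCP and first_piece and len(ip.payload) >= 4:
            sport, dport = struct.unpack("!HH", ip.payload[:4])
            if ip.src == ip.dst and sport == dport:
                alerts.append("LAND Attack")
        # Tiny fragment: first TCP fragment too short to hold the whole TCP header, so the
        # flags a filter would match on are pushed into a later fragment
        if ip.proto == PROTO_TCP and first_piece and ip.more_frags and len(ip.payload) < TCP_HEADER_MIN:
            alerts.append("Tiny Fragment Attack")
        if ip.more_frags or not first_piece:
            start, end = ip.frag_offset, ip.frag_offset + len(ip.payload)
            # Too big / Ping of Death: the reassembled datagram would exceed 65535 bytes
            if end > IP_MAX_DATAGRAM:
                alerts.append("Ping of Death" if ip.proto == PROTO_ICMP else "Too Big Fragment")
            seen = self.ranges.setdefault((ip.src, ip.dst, ip.ident, ip.proto), [])
            # Overlapping fragment: this piece re-covers bytes an earlier piece already supplied
            if any(start < b and a < end for a, b in seen):
                alerts.append("Overlapping Fragment")
            seen.append((start, end))
        return alerts


def build_ipv4(src: str, dst: str, proto: int, ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Constructed test packet (checksum left zero); offset is in bytes and must be a multiple of 8."""
    flags_frag = (0x2000 if more else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header with only SYN set (constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def ids_demo() -> Dict[str, List[str]]:
    """Feed constructed packets through one tracker and report the alerts each one raises."""
    t = FragmentTracker()
    return {
        "normal": t.inspect(build_ipv4("10.0.0.5", "10.0.0.9", PROTO_TCP, 1, 0, False, tcp_syn(40000, 80))),
        "land": t.inspect(build_ipv4("10.0.0.9", "10.0.0.9", PROTO_TCP, 2, 0, False, tcp_syn(139, 139))),
        "tiny": t.inspect(build_ipv4("10.0.0.5", "10.0.0.9", PROTO_TCP, 3, 0, True, tcp_syn(40000, 80)[:8])),
        "overlap_first": t.inspect(build_ipv4("10.0.0.5", "10.0.0.9", PROTO_UDP, 7, 0, True, b"A" * 16)),
        "overlap_second": t.inspect(build_ipv4("10.0.0.5", "10.0.0.9", PROTO_UDP, 7, 8, False, b"B" * 16)),
        "pod": t.inspect(build_ipv4("10.0.0.5", "10.0.0.9", PROTO_ICMP, 9, 65528, False, b"\x08\x00" + b"\x00" * 14)),
    }


if __name__ == "__main__":
    for name, alerts in ids_demo().items():
        print(f"{name:15s} {alerts or 'clean'}")
```

Run it directly to print the alert list for each constructed packet. A production driver additionally needs reassembly timeouts and a cap on the number of datagrams it tracks; without them, the tracker itself becomes the denial-of-service target.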

Firewall Notifications and Outbreak Prevention

The OfficeScan firewall can send a customized notification message to specified recipients when firewall violations exceed certain thresholds, which may signal an attack. The firewall also integrates with Outbreak Prevention policies to be able to tighten security against specific threats during an outbreak.

3.4.11 The Network Virus Pattern File

The Network Virus Pattern file contains a regularly updated database of the unique patterns of bits and bytes that signal the presence of a network virus. The common firewall driver is able to filter out viruses at the packet level, before they are reassembled into a complete file by the TCP layer and passed on to the application layer and the file system. This early intervention stops viruses at the doorstep and never allows them to be copied in their full form into memory or onto storage. Trend Micro updates the network virus pattern file frequently, as often as hourly, to ensure that OfficeScan can identify new network viruses.

3.4.12 Client-Server Communication

OfficeScan clients report to a single OfficeScan server. Clients send event logs and status information to the server, which provides the management console with up-to-date information. Reported events include startup and shutdown, update success or failure, start of a scan, malware detection, and so on. The OfficeScan server listens for OfficeScan client connections on TCP port 8080 (default). The client listens for notifications (call-back requests) from the server on a TCP listening port that is specified for all clients during the OfficeScan server installation.
NOTE The OfficeScan server setup program generates a default number for the client TCP listening port. You can accept the default or you can specify your own number.

Though the client keeps a TCP listening port open, for security reasons the data sent to the client from the server consists mainly of call-back requests. Instead of accepting actual commands or configuration changes directly on the listening port, the client accepts only requests to contact the server, and then requests configuration data on its own. This increases security by requiring an attacker either to compromise the OfficeScan server itself or the routing infrastructure between client and server, and in addition to spoof the server's hosting functions that respond to client requests. Either way, if an attacker had penetrated that far into the network, the OfficeScan system would not be a likely target for further intrusion. The call-back communication model also increases security by allowing the client's inbound functions to be locked down more tightly: the fewer types of legitimate messages the client must be programmed to handle on the open port, the easier it is to discard malformed data intended to create buffer overflows or other effects.
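One way to see why the call-back model shrinks the client's attack surface is to write the inbound handler so that it has almost nothing to parse. The Python below is an added example, not OfficeScan's protocol or code: the `NOTIFY` message, its length bound, the `Server` stand-in, the host name and the constructed inbound messages are all assumptions. The handler discards anything that is not exactly the one expected notification, never reads a server address or a setting out of inbound data, and pulls configuration only from the server it was installed against.

```python
from dataclasses import dataclass, field
from typing import Dict, List

NOTIFY = b"NOTIFY"            # assumed wire format: the one message the listening port understands
MAX_INBOUND = len(NOTIFY)     # anything longer is discarded before it is looked at


@dataclass
class Server:
    """Stand-in for the server's hosting functions (assumption, not the real protocol)."""
    address: str
    settings: Dict[str, str]

    def get_settings(self, client_id: str) -> Dict[str, str]:
        return dict(self.settings)


@dataclass
class Client:
    client_id: str
    server: Server                                  # fixed at install time, never taken from inbound data
    settings: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def on_inbound(self, data: bytes) -> str:
        """Handler for data arriving on the client's TCP listening port."""
        if len(data) > MAX_INBOUND:                 # hard bound first: oversized input is never parsed
            self.audit.append(f"dropped {len(data)}-byte inbound message")
            return "dropped"
        if data != NOTIFY:                          # exact match only: no fields, no commands to dispatch
            self.audit.append(f"dropped unknown inbound {data!r}")
            return "dropped"
        # a valid call-back carries no payload; the client initiates its own pull from the trusted server
        self.settings = self.server.get_settings(self.client_id)
        self.audit.append(f"polled {self.server.address}")
        return "polled"


def callback_demo() -> Dict[str, object]:
    server = Server("oscesrv.example.internal:8080", {"realtime_scan": "enabled"})  # constructed values
    client = Client("WS-0042", server)
    # constructed inbound traffic: one genuine call-back and three crafted messages
    inbound = [
        b"NOTIFY",
        b"SET realtime_scan=disabled",               # a command the client is not programmed to understand
        b"NOTIFY server=10.9.9.9:8080",              # tries to redirect the poll; rejected on length alone
        b"\x90" * 4096,                              # oversized junk, discarded unread
    ]
    outcomes = [client.on_inbound(msg) for msg in inbound]
    return {"outcomes": outcomes, "settings": client.settings, "audit": client.audit}


if __name__ == "__main__":
    for line in callback_demo()["audit"]:
        print(line)
```

The three crafted messages are rejected by the length check or the exact-match check without any parsing, which is the property the paragraph above describes: a malformed or hostile message has no code path to reach.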

3.4.13 Normal and Roaming Client Operation Modes

OfficeScan's centralized, up-to-the-minute (near-real-time) management and reporting capability requires that OfficeScan clients and the OfficeScan server have continuous network access to each other. However, laptops, notebooks, and other mobile computers typically have only intermittent connectivity.


OfficeScan client software supports mobile clients that cannot maintain continuous communication with the OfficeScan server through roaming mode. Each OfficeScan client is capable of operating in roaming mode as well as normal mode.
NOTE As with many other client functions, roaming mode is a privilege that you can selectively grant (enable) or revoke (disable) by using the management console.

Normal Mode
Normal mode is designed for workstations and servers running the OfficeScan client that can maintain continuous network access to the OfficeScan server. An icon in the system tray indicates the status of the client. The icons used to indicate client status in normal mode are shown below.

Table 3.3: Normal Mode Status Indicators (System Tray Icons)

Icon description | Real-time scan
Normal client (blue icon) | Enabled
Pattern file is outdated | Enabled
Scan Now, manual scan, or scheduled scan is running | Enabled
Real-time scan is disabled | Disabled
Real-time scan is disabled and the pattern file is outdated | Disabled
Real-time scan is not running or has been stopped (red icon) | Disabled
Real-time scan is not running or has been stopped, and the pattern file is outdated (red icon) | Disabled
Disconnected from the server | Enabled
Disconnected, and the pattern file is outdated | Enabled
Disconnected, and real-time scan is disabled | Disabled
Disconnected, real-time scan is disabled, and the pattern file is outdated | Disabled
Disconnected, and real-time scan is not running or has been stopped (red icon) | Disabled
Disconnected, real-time scan is not running or has been stopped, and the pattern file is outdated (red icon) | Disabled

NOTE The exclamation-point icon means the pattern file is outdated; the "no" symbol means that real-time scan is disabled; and a red base icon means real-time scan is not running. Otherwise the icon is blue.


Roaming Mode
Roaming mode is for laptops, notebooks, and other mobile computing devices that do not have continuous access to the OfficeScan server. When in roaming mode, OfficeScan clients:

Display a different set of status icons compared to normal mode, and thus do not show the disconnected icon when unplugged from the network (see the table below)
Attempt to contact the OfficeScan server less frequently and store event logs locally until reconnected with the server
Download virus-pattern and scan-engine updates directly from the Trend Micro update server, using whatever Internet connection may be available
Do not respond immediately to manual-update commands issued from the management console, but do seek updates when Scan Now is executed by end users (who have sufficient privileges), when a scheduled update time arrives, or when reconnected to the OfficeScan server

Table 3.4: Roaming Mode Status Indicators (System Tray Icons)

Icon description | Real-time scan
Roaming client (blue icon) | Enabled
Real-time scan is disabled | Disabled
Pattern file is outdated | Enabled
Real-time scan is disabled and the pattern file is outdated | Disabled
Real-time Scan Service is not running (red icon) | Disabled
Real-time Scan Service is not running and the pattern file is outdated (red icon) | Disabled

Smart Scan Mode

Status information reported by the system tray icon when using Smart Scan includes:

The connection status with the OfficeScan server (online, offline, or roaming)
The connection status with a Smart Scan Server

Smart Scan status indicators (system tray icons)

Icon description | Real-time scan
Smart Scan client can connect to a Smart Scan Server. | Enabled
Smart Scan client can connect to a Smart Scan Server. | Disabled
Smart Scan client can connect to a Smart Scan Server. | Stopped
Smart Scan client cannot connect to a Smart Scan Server. | Enabled
Smart Scan client cannot connect to a Smart Scan Server. | Disabled
Smart Scan client cannot connect to a Smart Scan Server. | Stopped
Offline Smart Scan client can connect to a Smart Scan Server. | Enabled
Offline Smart Scan client can connect to a Smart Scan Server. | Disabled
Offline Smart Scan client can connect to a Smart Scan Server. | Stopped
Offline Smart Scan client cannot connect to a Smart Scan Server. | Enabled
Offline Smart Scan client cannot connect to a Smart Scan Server. | Disabled
Offline Smart Scan client cannot connect to a Smart Scan Server. | Stopped
Roaming Smart Scan client can connect to a Smart Scan Server. | Enabled
Roaming Smart Scan client can connect to a Smart Scan Server. | Disabled
Roaming Smart Scan client can connect to a Smart Scan Server. | Stopped
Roaming Smart Scan client cannot connect to a Smart Scan Server. | Enabled
Roaming Smart Scan client cannot connect to a Smart Scan Server. | Disabled
Roaming Smart Scan client cannot connect to a Smart Scan Server. | Stopped

3.4.14 Update Agents

To support conventional-scan clients more efficiently, OfficeScan allows you to configure one or more clients to function as an update agent. Update agents play the role of update server to other clients. You can significantly reduce the burden otherwise placed on the OfficeScan server and the network segment on which it resides by using update agents. When using update agents, OfficeScan establishes a hierarchy for the update process. The OfficeScan server distributes updates to the update agents, and the update agents distribute updates to other clients. If you create update agents using the Client Packager tool, you can also configure them to receive updates from a source other than the OfficeScan server. (For more information, see Chapter 6: Client Software Deployment on page 219.)


By designating update agents in remote offices, you can reduce WAN traffic. Likewise, you can install one or more update agents on each LAN segment to reduce local backbone traffic.
NOTE Update agent capability eliminates the Master and Remote Agents used in OfficeScan 5.5. These agents required Apache Web server on each agent. The new update agents do not require a web server.

For more information about update agents, see Chapter 7: Updates on page 245.

3.4.15 Cache Files for Scans


The OfficeScan client now builds cache files, which contain information about safe files that have been scanned previously and files that Trend Micro deems trustworthy. Cache files provide a quick reference during on-demand scans, thus reducing the usage of system resources. Ondemand scans (Manual Scan, Scheduled Scan, and Scan Now) are now more efficient, providing up to 40% improvement in speed performance.
Cache Settings for Scans

The OfficeScan client can build the digital signature and on-demand scan cache files to improve its scan performance. When an on-demand scan runs, the client first checks the digital signature cache file and then the on-demand scan cache file for files to exclude from the scan. Scanning time is reduced if a large number of files are excluded from the scan.
Digital Signature Cache

The digital signature cache file is used during Manual Scan, Scheduled Scan, and Scan Now. Clients do not scan files whose caches have been added to the digital signature cache file. The OfficeScan client uses the same Digital Signature Pattern used for Behavior Monitoring to build the digital signature cache file. The Digital Signature Pattern contains a list of files that Trend Micro considers trustworthy and that can therefore be excluded from scans. Clients build the digital signature cache file according to a schedule, which is configurable from the web console. Clients do this to:

Add the cache for new files that were introduced to the system since the last cache file was built
Remove the cache for files that have been modified or deleted from the system

During the cache building process, clients check the following folders for trustworthy files and then add the caches for these files to the digital signature cache file:

%PROGRAMFILES%
%WINDIR%

The cache building process does not affect a computers performance, because clients use minimal system resources during the process. Clients are also able to resume a cache building task that was interrupted for some reason (for example, when the host machine is powered off or when a wireless computers AC adapter is unplugged).
On-demand Scan Cache

The on-demand scan cache file is used during Manual Scan, Scheduled Scan, and Scan Now. Clients do not scan files whose caches have been added to the on-demand scan cache file.


Each time scanning runs, the client checks the properties of threat-free files. If a threat-free file has not been modified for a certain period of time (the time period is configurable), the client adds the cache of the file to the on-demand scan cache file. When the next scan occurs, the file will not be scanned if its cache has not expired. The cache for a threat-free file expires within a certain number of days (the time period is also configurable). When scanning occurs on or after the cache expiration, the client removes the expired cache and scans the file for threats. If the file is threat-free and remains unmodified, the cache of the file is added back to the on-demand scan cache file. If the file is threat-free but was recently modified, the cache is not added, and the file will be scanned again on the next scan. The cache for a threat-free file expires to prevent the exclusion of infected files from scans, as illustrated in the following examples:
- It is possible that a severely outdated pattern file may have treated an infected, unmodified file as threat-free. If the cache does not expire, the infected file remains in the system until it is modified and detected by Real-time Scan.
- If a cached file was modified and Real-time Scan is not functional during the file modification, the cache needs to expire so that the modified file can be scanned for threats.

The number of caches added to the on-demand scan cache file depends on the scan type and its scan target. For example, the number of caches may be less if the client only scanned 200 of the 1000 files in a computer during Manual Scan. The number of caches also depends on the settings: if the period a file must remain unmodified is relatively short, more caches can be added to the cache file, and if the expiry period is long, caches remain valid longer, which means that more files are skipped from scans. If on-demand scans are seldom run, you can disable the on-demand scan cache, since caches would have expired when the next scan runs.

To configure cache settings for scans, go in the OfficeScan console to:
NETWORKED COMPUTERS > CLIENT MANAGEMENT

1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.
2. Click Settings > Privileges and Other Settings.
3. Click the Other Settings tab and go to the Cache Settings for Scans section.
4. Configure settings for the digital signature cache.
   4.1. Select Enable the digital signature cache.
   4.2. In Build the cache every __ days, specify how often the client builds the cache.
5. Configure settings for the on-demand scan cache.
   5.1. Select Enable the on-demand scan cache.
   5.2. In Add the cache for safe files that are unchanged for __ days, specify the number of days a file must remain unchanged before it is cached.
   5.3. In The cache for each safe file expires within __ days, specify the maximum number of days a cache remains in the cache file.

NOTE To prevent all caches added during a scan from expiring on the same day, caches expire randomly within the maximum number of days you specified. For example, if 500 files were added to the cache today and the maximum number of days you specified is 10, a fraction of the caches will expire the next day and the majority on the succeeding days. On the 10th day, all caches that remain will expire.

6. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:
   6.1. Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
   6.2. Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
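To make the on-demand scan cache rules concrete, the following Python model (added here as an illustration; it is not Trend Micro code, and its class names, day numbers and file names are constructed) replays the behaviour described above: a threat-free file is cached only after it has been unmodified for the configured number of days, an entry is honoured only until it expires, entries added on the same day get randomised lifetimes, and a modification that Real-time Scan missed is therefore caught at expiry rather than at the next scan.

```python
"""Model of the on-demand scan cache rules above. Added example, not
Trend Micro code: names, day numbers and file paths are constructed.
Time is counted in whole days."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class CacheEntry:
    cached_on: int   # day the clean scan result was cached
    expires_on: int  # first day on which the entry no longer counts


class OnDemandScanCache:
    """Decides which files a Manual or Scheduled Scan may skip.

    unchanged_days: "Add the cache for safe files that are unchanged for __ days"
    expire_days:    "The cache for each safe file expires within __ days"
    pick_lifetime:  picks the real lifetime (1..expire_days) so entries added
                    on the same day do not all expire together (see NOTE)
    """

    def __init__(self, unchanged_days: int, expire_days: int,
                 pick_lifetime: Optional[Callable[[int], int]] = None):
        if unchanged_days < 0 or expire_days < 1:
            raise ValueError("unchanged_days >= 0 and expire_days >= 1")
        self.unchanged_days = unchanged_days
        self.expire_days = expire_days
        self.pick_lifetime = pick_lifetime or (lambda m: random.randint(1, m))
        self.entries: Dict[str, CacheEntry] = {}

    def needs_scan(self, path: str, today: int) -> bool:
        """True if a scan run on `today` must scan the file. As the text
        describes it, skipping depends only on the entry not having expired;
        a modification missed by Real-time Scan is caught at expiry."""
        entry = self.entries.get(path)
        if entry is None:
            return True
        if today >= entry.expires_on:
            del self.entries[path]  # expired: drop it and scan the file
            return True
        return False

    def record_clean(self, path: str, mtime: int, today: int) -> bool:
        """Call after a file scanned threat-free. Caches it only if it has
        been unmodified for at least unchanged_days; True if cached."""
        if today - mtime < self.unchanged_days:
            return False  # recently modified: scan it again next time
        lifetime = min(max(self.pick_lifetime(self.expire_days), 1),
                       self.expire_days)
        self.entries[path] = CacheEntry(today, today + lifetime)
        return True


def run_scan(cache: OnDemandScanCache, files: Dict[str, int], today: int,
             is_clean: Callable[[str], bool]) -> List[str]:
    """One on-demand scan over files {path: mtime}; returns the paths that
    were actually scanned. `is_clean` stands in for the engine verdict."""
    scanned = []
    for path, mtime in files.items():
        if not cache.needs_scan(path, today):
            continue
        scanned.append(path)
        if is_clean(path):
            cache.record_clean(path, mtime, today)
    return scanned


def expiry_spread(n_files: int, expire_days: int, today: int,
                  rng: random.Random) -> Dict[int, int]:
    """How many of n_files cached today expire on each later day when the
    lifetime is picked at random (the 500 files / 10 days NOTE above)."""
    cache = OnDemandScanCache(0, expire_days,
                              pick_lifetime=lambda m: rng.randint(1, m))
    for i in range(n_files):
        cache.record_clean(f"file{i}", today, today)
    spread: Dict[int, int] = {}
    for entry in cache.entries.values():
        spread[entry.expires_on] = spread.get(entry.expires_on, 0) + 1
    return spread


def demo() -> Dict[str, List[str]]:
    """Constructed scenario with a fixed (maximum) lifetime so the outcome
    is deterministic: unchanged for 7 days, expires within 10 days."""
    cache = OnDemandScanCache(7, 10, pick_lifetime=lambda m: m)
    files = {"C:\\Data\\old.doc": 0, "C:\\Data\\new.doc": 9}
    clean = lambda _path: True
    day10 = run_scan(cache, files, 10, clean)  # both scanned; old.doc cached
    day11 = run_scan(cache, files, 11, clean)  # old.doc skipped
    files["C:\\Data\\old.doc"] = 12            # modified; Real-time Scan off
    day13 = run_scan(cache, files, 13, clean)  # still skipped: not expired
    day20 = run_scan(cache, files, 20, clean)  # expired: rescanned, recached
    return {"day10": day10, "day11": day11, "day13": day13, "day20": day20}
```

The day-13 result is the case the expiry exists for: the modified file is skipped until its entry expires, so a long expiry period widens the window in which a file changed while Real-time Scan was off goes unscanned.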


3.5 > Chapter Summary and Review Questions


Summary
OfficeScan consists of a server component, a client component, and a web-based management console component. The OfficeScan server is the major repository for all client configurations, virus logs, and the most up-to-date versions of the client software. In addition, the server functions as the control center, managing clients from a central location. The OfficeScan client protects network computers from viruses, Trojans, spyware, and other malicious programs. The client communicates with the server to receive configuration settings, to download component updates, and to upload logs. The OfficeScan web-based management console enables comprehensive management of the server and the client. Using the OfficeScan management console, you can access management services running on the server to monitor and control clients and to configure and enforce your company's antivirus policy.

Review Questions
1. What is one of the main functions of the server component of OfficeScan?
   a) Protect the network from malware
   b) Protect the server from malware
   c) Download updates and distribute them to clients
   d) Scan for malware
2. What is a major reason for increased performance in OfficeScan, since version 7.0?
   a) Simultaneous processing of CGI requests
   b) The storing of client information in a database
   c) OfficeScan now supports SQL
   d) The OfficeScan Master Service processes CGIs faster
3. What does the High Security setting for clients do?
   a) Enables the OfficeScan firewall
   b) Locks the .exe and .dll files in the OfficeScan client directory
   c) Increases the number of files that the client scans for malware
   d) Changes the rights to the directories and registries on the client


Chapter 4: OfficeScan Server Installation


Chapter Objectives
After completing this chapter, you should be able to:
- Plan the deployment of OfficeScan in a network
- Identify the system requirements for OfficeScan server software
- Install OfficeScan server software
- Install OfficeScan client software on the server
- Install components of Cisco Network Admission Control (NAC) on the server
- Verify the installation of the OfficeScan server and other components


4.1 > Deployment Planning


Before installing the OfficeScan server, you need to consider hardware and software configurations and traffic patterns in your network. Completing the following tasks will help you plan the best way to deploy OfficeScan:
- Understand traffic in an OfficeScan network
- Determine whether to deploy integrated and/or standalone Smart Scan servers
- Determine the number of clients and plan update agents
- Verify that the proposed servers meet minimum system requirements
- Determine whether you need to install a dedicated server
- Verify that clients meet the minimum system requirements
- Decide which privileges to allow users at the client console
- Plan the placement of client program files
- Determine the number of domains
- Decide how to deploy clients
- Configure VPN clients

4.1.1 Identify Potential Impact on Network Traffic


Understanding the existing traffic patterns in your network, as well as the traffic that will be generated after installing OfficeScan, will help you plan the placement of servers and update agents. It will also help you set OfficeScan management policies that will not adversely affect your network.

Analyze Existing Traffic Patterns


When considering existing traffic patterns, consider the average traffic during the following time periods:
- A 24-hour period during the work week
- The peak hour of the day
- A shorter period, such as 10 minutes
- The times at which a large number of people may be logging on to the system simultaneously, such as the start of the work day

Balance your organization's tolerance for potentially slower response times, especially during peak-load hours, with the cost of adding additional bandwidth and/or redesigning your network segmentation.

Plan for OfficeScan Traffic


OfficeScan generates network traffic when the server and client communicate with each other. You need to plan for the network traffic that OfficeScan will generate.


SERVER TRAFFIC
The server generates traffic when it:
- Connects to the Trend Micro update server on the Internet to check for and download updated pattern files, scan engines, hot fixes, and programs
- Notifies clients to download updates
- Notifies clients about configuration changes
- Notifies clients of a manual outbreak prevention policy
- Notifies clients about Damage Cleanup Services (DCS)
- Notifies clients to send firewall logs
- Reports to Trend Micro Control Manager (only if registered to a TMCM server)

CLIENT TRAFFIC
Clients generate traffic when they:
- Start up
- Perform manual and scheduled updates
- Switch from roaming mode to normal mode
- Send statistics to the OfficeScan server
- Connect to the Trend Micro rating server to get website ratings for sites that are non-HTTPS and also not listed as safe on the OfficeScan server.

Network Traffic During Pattern-File Updates


Typically, OfficeScan generates significant network traffic only when updating pattern files, the scan engine, Damage Cleanup Services (DCS) templates and engine, firewall rules, spyware/grayware scan and cleanup patterns, or client software. To analyze the impact of an update on network traffic, you can multiply the size of the file by the number of clients to which it must be deployed. Typical sizes for these files as they are used for conventional-scan OfficeScan clients are shown in the table below.
NOTE Though the file sizes shown in the table below are accurate at the time of this printing, these sizes will vary with new releases. Smart Scan clients, for example, use fewer, smaller patterns than conventional scan clients.

To reduce the network bandwidth used by updates, OfficeScan supports incremental updates for virus pattern files, virus cleanup templates, and spyware/grayware scan and cleanup patterns. This means that OfficeScan downloads only those parts of the updated files that are new or that have been changed, instead of downloading the full file every time. For clients that are not updated regularly, downloading the full file may still be required. Trend Micro releases new pattern files regularly. When an especially threatening new virus or other security risk is actively circulating, Trend Micro will release a new pattern file as soon as a detection routine for the threat is available.


File Type                                              Approximate File Size
Antivirus/malware pattern file                         36 MB (24 MB compressed)
Anti-virus/malware scan engine                         1 MB (760 KB compressed)
Anti-spyware/grayware scan pattern file                7 MB (6.9 MB compressed)
Anti-spyware/grayware active-monitoring pattern file   15 MB (8 MB compressed)
Anti-spyware/grayware scan engine                      1.3 MB (600 KB compressed)
    64-bit                                             2.1 MB (800 KB compressed)
Anti-root-kit driver                                   60 KB (120 KB compressed)
Virus cleanup pattern                                  2.3 MB (2 MB compressed)
Virus cleanup engine                                   300 KB (290 KB compressed)
    64-bit                                             600 KB (1.8 MB compressed)
Network virus pattern file                             140 KB (90 KB compressed)
Network virus scan engine (common firewall driver)     2 MB (150 KB compressed)
IntelliTrap pattern files                              1 MB (400 KB compressed)

Table 4.1: Typical Sizes for Update Files

4.1.2 Consider Smart Scan Server Options


Beginning with OfficeScan 10.5, the integrated Smart Scan server is always installed as part of the base installation package of the main OfficeScan server. Trend Micro recommends installing additional standalone Smart Scan servers for load distribution and/or failover. Smart Scan clients that fail to connect to their primary server will attempt to connect to the next server on a list of Smart Scan servers, which is configurable using the OfficeScan management console. OfficeScan provides two types of local, or customer-deployable, Smart Scan servers. Both servers provide the same functions and capabilities.
Integrated Smart Scan Server

The OfficeScan installation program includes an integrated Smart Scan server that installs on the same computer where the OfficeScan server is installed. You can manage the integrated Smart Scan server with the OfficeScan management console. Relying on an integrated deployment of the Smart Scan server is currently recommended for networks with 1,000 OfficeScan clients or less.

Standalone Smart Scan Server

A standalone Smart Scan server installs on a VMware server. Unlike the integrated server, settings for the standalone server cannot be managed from the OfficeScan management console. The standalone server has its own console where you can manage settings and configurations. Trend Micro recommends using standalone Smart Scan servers for maximizing performance, incorporating redundancy, and use in all networks with more than 1,000 OfficeScan clients.

For information on installing and configuring standalone Smart Scan servers, see Appendix G: Standalone Smart Scan Server Deployment & Management on page 443.


Smart Scan clients managed by one OfficeScan server can connect to the integrated Smart Scan Server service on another OfficeScan server without having to migrate those clients to the new OfficeScan server, and without any changes to management of the configuration of the client. Only Smart Scan queries are directed to the new server; all other OfficeScan client functions remain directed to the original OfficeScan server. You should consider the following issues in preparing to deploy local Smart Scan servers:
- Smart Scan Server is a CPU-bound application. Increasing CPU resources increases the number of client connections that can be handled. For standalone servers, the number of processors allocated to the virtual machine will affect the performance of the server.
- You may require additional memory if you have a large number of concurrent Smart Scan server connections from OfficeScan clients.
- Network traffic may become bottlenecked if the network infrastructure cannot support the traffic associated with your required number of simultaneous connections.
- Because the integrated Smart Scan server and the OfficeScan server run on the same computer, the computer's performance may reduce significantly during peak traffic for the two servers. Consider using standalone Smart Scan servers as the primary Smart Scan server for clients and the integrated server as a backup server to reduce the traffic directed to the OfficeScan server computer.
- The OfficeScan firewall is intended for client computer use and may affect performance when enabled on server computers. If you install the integrated Smart Scan server, consider disabling the OfficeScan firewall, though also ensure that the server is otherwise protected according to your organization's security requirements.

4.1.3 Determine the Number of Clients and Plan Update Agents


Determine how many clients you plan to protect with OfficeScan. You may need to plan to designate one or more clients as Update Agents. Built into the client software, this feature enables a client to function as an update server for other clients, thus reducing the traffic load on your main OfficeScan server.
NOTE Smart Scan clients that use Update Agents will still get some of their patterns from the Smart Scan server.

Clients running Windows XP, Vista, 7, or Server 2003/2008 may be designated as update agents. Each update agent is configured to support a maximum of 250 connections by default. The minimum recommended available disk space is 1 GB. By using multiple update agents, an adequately configured OfficeScan server can support approximately 6000 clients or more.
Tip You can modify the Update Agent connection limit by editing the ofcscan.ini file or using the Server Tuner tool that is described later in Chapter 10: OfficeScan Tools on page 307.

Tip The most common reason that an Update Agent may fail to obtain and deploy updates is insufficient disk space.

You will likely want at least one Update Agent for all the clients at any remote site. You may also want at least one Update Agent per network segment or VLAN.


For information on configuring Update Agents, see Section 7.6 > Deploying Updates to Clients on page 256.

4.1.4 Verify Target Server(s) Meet Minimum System Requirements


The machine(s) on which you will install the OfficeScan server software must meet the minimum system requirements. The software installation also requires that you have local or domain administrator access to the target system. Minimum system requirements are as follows:
Hardware
  Processor
    Windows Server 2008: 1 GHz Intel Pentium or equivalent for x86 processors; 1.4 GHz for AMD x64 processors; 2 GHz recommended, AMD x64 and Intel 64 architectures supported
    Windows Server 2003: 800 MHz Intel Pentium or equivalent for x86 processors
    If also installing the Integrated Smart Scan Server: 1.86 GHz Intel Core Duo processor or equivalent
  Memory
    Without Integrated Smart Scan Server: 512 MB of RAM (1 GB recommended, 2 GB for Windows Server 2008)
    With Integrated Smart Scan Server: 1 GB of RAM
  Disk space
    3.1 GB for local installation of the OfficeScan server, OfficeScan client, Policy Server for Cisco NAC, and integrated Smart Scan server
    3.5 GB for remote installation of the OfficeScan server, OfficeScan client, and integrated Smart Scan server
  Network
    Gigabit network adapter

Software
  Operating system
    Windows Server 2003: Windows Server 2003 & 2003 R2 Standard, Enterprise, and Datacenter Editions with Service Pack 2 or later, 32-bit and 64-bit versions; Windows Storage Server 2003 & 2003 R2, 32-bit and 64-bit versions
    Windows Server 2008: Windows Server 2008 Standard, Enterprise, Datacenter and Web Editions with Service Pack 1 or later, 32-bit and 64-bit versions; Windows Server 2008 R2 Standard, Enterprise, Datacenter and Web Editions, 64-bit versions
    NOTE: OfficeScan will not install on Windows 2008 if it is running in the Server Core environment.
  Virtualization platforms
    OfficeScan supports server installation on guest Windows 2003/2008 operating systems hosted on these virtualization platforms:
    - VMware ESX/ESXi Server 3.5 and 4 (Server Edition)
    - VMware Server 1.0.3 or later (Server Edition)
    - VMware Workstation and Workstation ACE Edition 6.0
    - Microsoft Virtual Server 2005 R2 with Service Pack 1
    - Microsoft Windows Server 2008/2008 R2 64-bit Hyper-V
    - Microsoft Hyper-V Server 2008 R2 64-bit
  Web server
    - Microsoft Internet Information Server (IIS): Windows Server 2003, version 6.0; Windows Server 2008, version 7.0
    - Apache Web server 2.0.x (for Windows Server 2003/2008). If Apache Web server exists on the computer but the version is not 2.x, OfficeScan will install and use version 2.2.5. The existing Apache Web server is not removed.
  Other
    - Administrator or Domain Administrator access on the server computer
    - File and printer sharing for Microsoft Networks installed on the server computer
    - If you plan to install the Cisco Trust Agent (CTA) on the same computer as the OfficeScan server, do not install OfficeScan server on Windows Server 2003 x64 Edition. See the Administrator's Guide for more information on CTA requirements.

Web Console
  Browser
    Microsoft Internet Explorer 7.0 or later

Table 4.2: OfficeScan Minimum System Requirements

4.1.5 Evaluate Your Actual System Requirements


Larger networks obviously require more computing power, chip memory, and disk storage than smaller networks do. Ideally, the computer on which you would install OfficeScan server software would have:
- 2 GHz or faster dual processors
- At least 2 GB of RAM

The number of clients that a single OfficeScan server can manage depends on several factors, including available system resources and the network topology. On average:
- A single OfficeScan server equipped with 2 GHz dual processors and 2 GB of RAM can manage 3000 to 5000 clients
- A single OfficeScan server equipped with 3 GHz dual processors and 4 GB of RAM can manage 5000 to 8000 clients


4.1.6 Determine Whether You Need to Install a Dedicated Server


You must decide whether to install OfficeScan server components on a server that has other uses (file/print/application server) or to dedicate a server to running OfficeScan. OfficeScan can be successfully installed on a server that is running other applications. When selecting a server on which to host OfficeScan, consider:
- The CPU load that the server currently handles
- The other functions that the server will be required to perform

NOTE The OfficeScan server installation must restart the Microsoft Internet Information Server (IIS). Therefore, do not install OfficeScan on a machine running other services that may lock or place heavy application loads on IIS.
Trend Micro recommends that you install to a machine that is not running mission-critical or resource-intensive applications.

4.1.7 Select a Network Location for Your OfficeScan Server(s)


OfficeScan is flexible enough to operate successfully from a variety of possible locations within your network. For example, the OfficeScan server can work with:
- Both the server and its clients positioned behind a single firewall
- An (additional) firewall situated in between the server and its clients

If a firewall is located between the server and its clients, you must configure the firewall to allow traffic between the client listening port and the server listening port. If a router or firewall in between the server and its clients performs network address translation (NAT), there are several issues to consider:
- Clients behind a NAT boundary will appear offline in the management console
- The OfficeScan server will not be able to initiate connections to clients. This means that instant notifications for available updates and configuration changes are not possible. Updates and configuration changes can, however, be regularly scheduled in the client software before the client software is deployed.

  For more information on managing clients across NAT boundaries, see Section 7.5 > Configuring Server Updates on page 253.

- If you are using Trend Micro Control Manager (TMCM), up-to-date communication will be limited to the polling interval of the Control Manager agent on the OfficeScan server. This is referred to in TMCM and Trend Micro Management Control Protocol (MCP) documentation as the one-way communication for managing TMCM clients.

4.1.8 Verify that Clients Meet the Minimum System Requirements


During the planning phase, it is important to make a complete inventory of the devices you expect to become OfficeScan clients (including Palm Pilots and Personal Digital Assistants).


Verify that each device meets the minimum system requirements as described in section 6.1 > Minimum Requirements for Client Software on page 220.

Accommodating Unsupported Client Operating Systems


With versions 8.0 and later, OfficeScan no longer supports Windows 95, 98, Me, and NT operating systems, and support for IA64 architecture is also discontinued. If you are upgrading OfficeScan and you have current clients with these operating systems:
- Do not upgrade all of your OfficeScan servers to this OfficeScan version.
- Designate an un-upgraded OfficeScan server to manage these clients.
- Before upgrading, open the management console and move the clients to the designated server. You can access the Move Clients page by clicking Clients > Move.

If you have already upgraded OfficeScan but have not moved unsupported clients to an un-upgraded server:
- After the upgrade, the clients will be removed from the list of clients managed by the OfficeScan server. The clients' status becomes Disconnected.
- The clients' information will be saved to a file (unsupCln.txt). This file will be available in the OfficeScan installation folder after server upgrade. The location is: {Installation Path}\PCCSRV\Private\unsupCln.txt
- Ensure you have an earlier version of OfficeScan server that will manage clients on these unsupported platforms.
- Use a tool to move clients to the earlier version of the OfficeScan server. This tool notifies clients that an earlier version of OfficeScan server will manage them. When clients receive the notification, they will register to that server. The tool can also verify if the clients were moved successfully. See Using Client Mover for Legacy Platforms in the OfficeScan Installation and Upgrade Guide for more information.

4.1.9 Plan the Placement of Client Program Files


In order to use the OfficeScan management console to configure scanning for all clients in a domain, it is essential for client program files to be in the same directory on those clients. During OfficeScan server installation, you can specify the path where client files will be installed. You can accept or modify the default path. Trend Micro recommends you use the default settings unless you have a good reason (such as insufficient disk space) to change them. The default client installation path is C:\Program Files\Trend Micro\OfficeScan Client.

4.1.10 Determine the Number of Domains


For easier management, you need to plan how many OfficeScan domains you want to create. IT administrators typically put clients in groups based on the departments to which they belong, the functions they perform, or the clients' geographic location. You can also put clients that are at a greater risk of infection in the same group so that you can apply a more secure configuration to all of them at the same time. If your OfficeScan domains are based on geographic location and you have administrators at each location, you can delegate the task of managing the domains to the local administrators. You might also consider grouping clients according to scan method, Smart Scan or conventional scan.


4.1.11 Decide How to Deploy the Clients


If you have a heterogeneous client base (that is, if your network has different Windows operating systems, such as XP, Vista, 7, Server 2003 and 2008), identify how many clients are using each Windows version. Also, identify clients using x86 architecture and clients using x64 architecture. You can use this information to decide which client-deployment method will work best in your environment.
NOTE OfficeScan 8.0 adds support for Microsoft Vista and expands support for x64 platforms. However, support for legacy Microsoft Windows 9x, Me, NT4, and IA64 platforms is discontinued. If you have clients running these operating systems, please see Accommodating Unsupported Client Operating Systems on page 71 above.

OfficeScan provides these eight client-deployment methods:
- Login Script
- Client Packager
- Image Setup
- Trend Micro Vulnerability Scanner (TMVS)
- Remote Install
- Notify Install
- Microsoft System Management Server (SMS)

Each deployment method is explained in Chapter 6: Client Software Deployment on page 219.

You need to determine which methods are most suitable for your environment. For example, for single-site deployment, IT administrators often use the login script method. Using this method, a call to an executable called autopcc.exe is added to the Windows login script so that when a client without OfficeScan client software logs on to the network, the server automatically launches the client setup wizard. You can also choose a combination of client-deployment methods.

4.1.12 Configure VPN Clients


If you plan to install the OfficeScan client on computers that connect to the server through a virtual private network (VPN), you should keep the following in mind:
- The client and server must be able to communicate with one another through the VPN. Ensure that the server and clients can ping and telnet each other using their IP addresses or domain names.
- Instruct users to restart the OfficeScan tmlisten service after establishing the VPN connection with the main office. Restarting tmlisten causes the OfficeScan client to attempt to connect to the OfficeScan server to register itself and check for updates.
- You cannot use login scripts to install OfficeScan on VPN clients. You can use Client Packager to install OfficeScan on your VPN clients or you can notify clients to install OfficeScan from an internal web page (browser-based installation).


4.2 > Installing the OfficeScan Server Software


The OfficeScan setup program supports several installation scenarios. You can:
- Install to the local computer
- Install to one or more remote computers
- Install to the local computer and one or more remote computers
- Upgrade an existing OfficeScan server, version 8.0 SP1 with patch 2, or later version
- Include deployment of the OfficeScan client software to the target server(s)
- Include the installation of Cisco NAC software
- Perform silent installations

Using the Remote Installation Option


The remote installation option allows you to launch the installation program on one computer but install the OfficeScan server software to another computer. If you will install/upgrade remotely, the setup program will analyze the target for minimum hardware/software requirements. Before you proceed:
- Ensure that you have administrator rights to all target computers
- Take note of the host name and user name and password for your targets
- Verify that your target computers meet hardware and software requirements
- Make sure the computer has Microsoft IIS server 5.0 or higher when using IIS as the web server. If you use Apache Web Server, the setup program will automatically install it if it is not already installed on your target(s).

Upgrading Existing Installations


If the setup program detects an earlier version of OfficeScan on the target computer, it will automatically give you the option to upgrade.
If you upgrade the local machine, OfficeScan will preserve existing configuration settings such as server name, proxy server configuration, and port numbers. You will not be able to modify these settings during upgrade. After the upgrade is complete, you may then use the OfficeScan web console to modify these settings if you wish to do so.

If you upgrade a remote computer, you will need to re-enter these settings when the setup configuration process prompts you to do so.

4.2.1 Installation Procedures


The basic installation process includes approximately 20 steps, depending on the installation options you choose, which are outlined below. Some steps include multiple options, each of which is also explained.


1. Locate and Launch the Setup Program


Locate the OfficeScan CD or the directory path to the OfficeScan installation files and launch Setup.exe. The Trend Micro OfficeScan splash screen and an InstallShield progress indicator appear.

Figure 4.1: Launching the Setup Program

After the installation program is unpacked and started, the Welcome screen appears (shown above on the right). Click Next on this screen to continue.
NOTE To cancel the installation and exit the setup wizard at any time, press Cancel.

2. Review and Accept the Software License Agreement
To install OfficeScan, you are required to accept the Software License Agreement. To do so, select I accept the terms of the license agreement and click Next.

Figure 4.2: Software License Agreement

3. Review Installation Requirements


The installation program provides you information regarding the pre-installation planning and preparation for OfficeScan server installation (and upgrading) and the post-installation deployment of OfficeScan client software.


The Client Deployment page lists the installation pa ackage sizes fo installing O for OfficeScan clie ent P v g scan method t clients wi use that ill software. Package sizes vary according to both the s (conventional or Smart Scan) and the distribution m S method to be u used for deliv vering the actu ual L emote installat tion, and software. Listed distribution methods include web iinstallation, re autopcc.exe (install-scrip installation. pt) he n e u rview of the ba andwidthClicking th Help button on this page provides you with an over consumptio issues relat to client deployment. on ted d

You can find this informat tion and additional client-inst tallation inform mation in this t textbook in sec ction 6.2 > Deplo oyment Options for OfficeSca Client Softw an ware, on page 222. e

Figure 4.3: Client Installa ation Information

After reviewing the infor rmation on ea of these pa ach ages, click Ne to proceed to the next s in ext d step the installation process.

4. Select an Installa t ation Destination


You are prompted for an Installation Destination. Y may selec from two lo n You ct ocations:
On the computer on which ha launched t setup prog n ave the gram To a remote com mputer or to multiple compu m uters simultan neously.
NOTE When installin to multiple computers, yo may install the local comp ng ou puter as well b by
including its host name in the target list. l

After you make your sele m ection, click Next. N

Figure 4.4: Installation Destination Selection


If you select to install to one or more remote computers, the setup program prompts you to provide host names for your target computers. The program also provides a browse option to make selecting computers easier. The prompt for specifying remote/multiple targets will appear after you have specified an installation path, proxy server options, web server options, and the computer identification method to be used (domain name or IP address) and have entered your activation key(s). These main steps are described below. Guidelines for specifying multiple/remote target computers are also provided below, in the order in which these options appear during the installation process.

5. Select Whether to Pre-scan Target Computer(s)


You can choose whether to scan the target computer for security risks before installing the software. To do so, select Scan the target computer and click Next. The installation program scans the target system, collects information about its resources, and displays its progress. Setup will scan for virus/malware, spyware/grayware, and Trojan programs. However, pre-scanning scans only the most vulnerable areas of the computer. These include:

- Boot area and boot directory
- Windows folder
- Program files folder

Figure 4.5: Pre-scan Options (left) and Scanning and Data Collection Progress (right)

If you select Do not scan the target computer, the installation program gathers resource information only and displays a progress indicator. If you are installing to the local computer, scanning will begin immediately upon clicking Next. If you are installing to remote/multiple computers, scanning does not occur until the actual installation, after the installation configuration is complete.

AVAILABLE ACTIONS FOR PRE-SCAN DETECTIONS
If the pre-scanning process detects a virus, Trojan or similar type of malware, you can choose among these actions:

- Delete: Deletes an infected file.
- Clean: Cleans a cleanable file before allowing full access to the file; for uncleanable files, takes a specified subsequent action (the default is rename).
- Rename: Changes the filename extension of the infected file to .vir to break application association by extension. If opened, however, any virus/malware it contains may be executed.
- Pass: Allows full access to the file without taking any action. Users will be able to copy/delete/open the file as if no detection had occurred.

You can take these actions against spyware/grayware:

- Clean: Terminates associated processes and deletes registry entries, files, cookies and shortcuts where applicable.
- Pass: Logs the incident for later assessment.
- Deny Access: Denies access (copy, open) to the detected spyware/grayware components.

6. Specify an Installation Path


After your selection of pre-scan options is complete, you are prompted to specify an Installation Path. The default path is C:\Program Files\Trend Micro\OfficeScan. You may type a different path or browse to locate an existing one. To accept the default path, simply click Next.

Figure 4.6: Installation Path Specification for New Installations

NOTE: The specified installation path will be used for new server installations only. For upgrades, the existing path will be used.

7. Enable/Specify Proxy Server Configuration


The OfficeScan server uses HTTP for client-server communication and to download updates from the Trend Micro ActiveUpdate server. If your OfficeScan server will need to use a proxy server to access the Internet, you can enter your proxy settings as part of the installation configuration. You may also enter or change these settings using the OfficeScan web-based management console after the installation is complete.


Figure 4.7: Proxy Server Configuration Options

If your network does not require a proxy server configuration, leave the option box unchecked and click Next.

8. Select/Configure Web Server Options


Many OfficeScan server components, including the management console and client-server communication modules, rely on web-server services and must be integrated with a web server installed on the host machine. Both Microsoft Internet Information Server (IIS) and Apache Web Server are compatible with OfficeScan.

Figure 4.8: Specifying the Web Server Type and Listening Ports

If the setup program detects an existing IIS on the target computer, you may choose either option. You may also choose either option if IIS and Apache 2.0.x installations are detected. If, however, neither web server is currently installed, OfficeScan will install Apache 2.0.63 automatically, and the IIS option will be grayed out (the setup program does not support an automated installation of IIS).

Take note of the HTTP and SSL port numbers. These will be the ports that you must use to access the OfficeScan management console when the installation is complete. If you enable SSL, the SSL port will be used for OfficeScan management console access, and the HTTP port will not be used.

USING APACHE WEB SERVER
Apache Web server 2.0.63 or later is required and can be used only with Windows XP, Server 2003, and Server 2008.


- To use SSL, you must let the OfficeScan setup program install version 2.0.63, if Apache Web server is not already installed. To use SSL on an existing Apache 2.0.x installation, you must pre-configure it to use SSL before installing OfficeScan. If you want the setup program to upgrade an existing Apache installation to version 2.0.63, uninstall the Apache server before performing the OfficeScan installation; otherwise, OfficeScan will use the currently installed version.
- By default, the administrator account is the only account created on the Apache Web server. Trend Micro recommends creating another account from which to run the web server; otherwise the OfficeScan server is vulnerable to being compromised if a malicious hacker takes control of the Apache server.
- Before installing the Apache Web server, refer to the Apache website for the latest information on upgrades, patches, and security issues.


USING IIS
For Windows 2003, IIS 6.0 is required; for Server 2008, IIS 7.0 or later is required.

WARNING! Make sure that you do not install the web server on a computer that is running applications that might lock IIS. This can prevent a successful installation. See your IIS documentation for more information.

If you select IIS, you can choose to run OfficeScan web-based components as:

- An IIS virtual website (default): This option creates a new IIS website object, and allows you to specify the HTTP listening-port number (the default is port 8080).
- Under the IIS default website: This option installs OfficeScan components under the IIS default website object. The listening-port number (default port 80) is not configurable from the OfficeScan installation program.

SPECIFYING THE HTTP PORT NUMBER If you select to install OfficeScan using either the Apache Web Server or as an IIS virtual website, you can specify the listening port to be used for HTTP traffic. The installation program populates this field with 8080 by default. You may use any available port number.
NOTE: Though TCP port numbers range from 1 to 65535, you should choose a port number higher than 1024. Ports 1 to 1023 are well-known or common ports regulated by the Internet Corporation for Assigned Names and Numbers (ICANN). Note also that there are now over 300 registered port numbers between 1024 and 49151, most of which are below 4096. Though ports 49152 to 65535 are the ports reserved explicitly for private use, and thus guaranteed to be unassigned to common applications, port numbers like 8080, 8081, 8088, 8089, 8888, etc. are popular choices among administrators for alternate web-service ports. In fact, port 8080 is now the ICANN official alternate port number for web service.

ENABLING SSL If you want to use SSL to protect web-based management console sessions, you must enable it on this screen during installation.

Control Manager will generate a self-signed server certificate upon installation. You can also specify the length of time for which the server certificate will be valid. As with HTTP communication, you may configure the port number that the client and server will use for secure communications. Note that the default port number when selecting to use Apache Web Server or an IIS virtual website is not the well-known port number 443, but is 4343 instead.
NOTE: To later access the web-based management console you must use the HTTPS designation for SSL and, if you are not using the well-known port number 443, you must specify the port number after the server name or IP address. For example: https://server.company.com:4343/officescan.

9. Choose a Computer Identification Method


The Computer Identification configuration determines how OfficeScan clients will attempt to access the OfficeScan server. Your choices are by domain name or IP address.

Figure 4.9: Specifying How OfficeScan Clients Will Attempt to Contact the Server

NOTE: The name and IP address detail above is not shown if you have selected to install to remote/multiple destinations.

There are several factors that you should take into account when making this decision. If, for example, you select IP address and later change the server's IP address, the server will lose communication with its clients. The only way to restore communication is to redeploy all the clients. The same situation applies if the server is identified by domain name and you change the server's domain name.

WARNING! If the server obtains an address from a DHCP server, choose domain name, or make the IP address static, or ensure that the DHCP lease is configured to be a permanent lease. Also, consider using a static or permanent assignment even if you do choose domain name.

In most networks, the server's IP address is more likely to change than its domain name, thus it is usually preferable to identify the server by domain name. However, you must also consider the reliability and scope of your DNS implementation. If you choose domain name, all clients must be able to resolve the name to contact the server. If your DNS system is unreliable or is not implemented for proper resolution throughout your network, consider whether identification by IP address would be more reliable. Additionally, if the server computer has multiple network interface cards (NICs), Trend Micro recommends using one of the IP addresses instead of the domain name to ensure successful client-server communication, although you must also ensure that this IP address will be static, as explained above.


10. Registering the Product and Obtaining Activation Keys


To complete the installation, you will need one or more activation codes. OfficeScan now includes three product services, each with its own activation code.

- Antivirus includes the firewall feature.
- Damage Cleanup Services is bundled with Antivirus, but requires its own code.
- Web Reputation and Anti-spyware includes Web-threat protection and anti-spyware services.

NOTE: You may install a full version of OfficeScan or a free evaluation (trial) version. Both require activation codes. The codes you enter determine the features and functions that are enabled in the software. You can upgrade a trial version to a full version at any time.

To register your product and receive an activation code online for either full- or trial-version installation, click Register Online. If you already have your activation code(s), click Next.

Figure 4.10: Access to Online Registration to Obtain Activation Codes

Enter your activation codes as shown below, then click Next.

Figure 4.11: Entering Activation Codes to Enable Product Features

11. Choose to Install the Integrated Smart Scan Server

The integrated Smart Scan Server is installed with the OfficeScan server. The integrated server supports HTTP and HTTPS protocols. HTTPS is more secure but is also more compute intensive.


Figure 4.12: Selecting Whether to Install the Integrated Smart Scan Server

The HTTPS port number used for SSL connections depends on the web server (Apache or IIS) that you have selected for the OfficeScan server.

OfficeScan Web Server Settings        OfficeScan Server SSL Port   Smart Scan Server SSL Port
Apache web server, SSL enabled        4343                         4343
Apache web server, SSL disabled       -                            4345
IIS default web site, SSL enabled     443                          443
IIS default web site, SSL disabled    -                            443
IIS virtual web site, SSL enabled     4343                         4345
IIS virtual web site, SSL disabled    -                            4345

Table 4.3: HTTP/SSL Port Numbers for OfficeScan and Integrated Smart Scan Servers

12. Choose to Install the Integrated Web Reputation Service


Installing a local instance of the Web Reputation Service server software can help decrease bandwidth consumption for client queries made by the URL Filtering Engine to the Trend Micro Security database at the time of each HTTP request. If an integrated Web Reputation Service is installed, clients can query the OfficeScan server using the port number specified. If the listed port number is already in use by another application on your network, you can change it to a custom number before clicking Next.


Figure 4.13: Selecting to Install the Integrated Web Reputation Service

13. Identify and Validate Remote/Multiple Installation Destinations

NOTE: This step applies only if you selected to install to a remote computer or to multiple computers in Step 3. Select an Installation Destination.

To specify the target computer(s), you can manually type the computer's fully qualified domain name (FQDN), UNC-type host name, or IP address. You may also click Browse to use Microsoft networking to search for and select computer(s).

Figure 4.14: Specifying Remote/Multiple Installation Destinations (Displayed only when selecting remote/multiple destinations in step 3.)

In situations where you have a large list of targets, you can also import computer names from a text file by clicking Import List. After all computers pass the required analysis (for which you will be prompted on the next screen), the setup program will install to machines in the order in which they are listed in the text file. In the text file:

- Specify one computer name per line
- Use UNC format (for example, \\msservername or \\fqdn.company.com or \\192.168.0.12)
- Only these characters are allowed: a-z, A-Z, 0-9, period (.), and hyphen (-)

When you finish adding target computers to the installation destination list, click Next.
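A target list that breaks the format rules above is only reported when the setup program refuses it, so it is worth checking the file first. The following PowerShell script is an added example, not part of this textbook or of Trend Micro's tools: it applies the three rules (one entry per line, UNC format, only letters, digits, period and hyphen) and also flags duplicate entries, which would otherwise cost a redundant analysis pass. The entries it writes are constructed for the demonstration, and $ListPath is an assumed location; point it at your own list to validate it. It requires Windows PowerShell 3.0 or later.

```powershell
# Added example, not part of the OfficeScan textbook or Trend Micro's tools.
# Checks a target-list text file against the rules given for Import List:
# one computer per line, UNC format (\\host, \\fqdn.company.com or \\192.168.0.12),
# and only a-z, A-Z, 0-9, period and hyphen in the name. Duplicate detection is an
# extra check added here. Requires Windows PowerShell 3.0+.
# $ListPath is an assumed location; the sample entries below are constructed.
param([string]$ListPath = (Join-Path $env:TEMP 'osce-targets.txt'))

function Test-OfficeScanTargetList {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Leading \\ followed by one or more allowed characters and nothing else
    $validEntry = '^\\\\[A-Za-z0-9.-]+$'
    $seen = @{}
    $lineNo = 0
    foreach ($raw in (Get-Content -LiteralPath $Path)) {
        $lineNo++
        $entry = $raw.Trim()
        $problem = $null
        if ($entry -eq '') {
            $problem = 'blank line; remove it so every line names a computer'
        } elseif ($entry -notmatch '^\\\\') {
            $problem = 'not in UNC format (must start with \\)'
        } elseif ($entry -notmatch $validEntry) {
            $problem = 'contains characters other than a-z, A-Z, 0-9, period and hyphen'
        } elseif ($seen.ContainsKey($entry.ToLower())) {
            $problem = "duplicate of line $($seen[$entry.ToLower()])"
        } else {
            $seen[$entry.ToLower()] = $lineNo
        }
        [pscustomobject]@{ Line = $lineNo; Entry = $raw; Valid = ($null -eq $problem); Problem = $problem }
    }
}

# Constructed sample list: the first three lines follow the textbook's own examples,
# the remaining three are deliberately malformed to show what the check reports.
@(
    '\\msservername'
    '\\fqdn.company.com'
    '\\192.168.0.12'
    'workstation07'      # missing the leading \\
    '\\file_server'      # underscore is not an allowed character
    '\\MSSERVERNAME'     # duplicate of line 1 (host names are not case sensitive)
) | Set-Content -LiteralPath $ListPath

$report = Test-OfficeScanTargetList -Path $ListPath
$report | Format-Table -AutoSize
$invalid = @($report | Where-Object { -not $_.Valid })
if ($invalid.Count -gt 0) {
    Write-Warning "$($invalid.Count) of $($report.Count) line(s) would not be accepted; fix them before clicking Import List."
}
```

With the constructed list, the report marks lines 4, 5 and 6 as invalid and the warning reports 3 of 6. Because the setup program installs in file order, keeping the list clean also keeps the installation order predictable.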


Figure 4.15: Validating the Specified Targets for Remote/Multiple Installation Destinations (Displayed only when selecting remote/multiple destinations in step 3.)

The setup program will then require you to validate the list of targets by clicking the Analyze button (shown in the figure above). The analysis attempts to validate hardware and software requirements and assess the installation status for any prior versions of the software to be installed.

NOTE: At least one computer must pass to continue with the installation.

During the analysis process, you will be prompted for the administrator username(s) and password(s) of your targets. After the analysis, the setup program displays the results.

Figure 4.16: Results of the Target Analysis for Remote/Multiple Installation Destinations (Displayed only when selecting remote/multiple destinations in step 3.)

If at least one computer passes the analysis (even though one or more targets may fail), the setup program will allow you to continue with the configuration of the installation. Subsequent installation tasks will not, however, be applied to targets that fail.

NOTE: For future upgrades or reinstallations, you can export the list of target computers to a text file by clicking Export in the screen above.

When the setup program completes its analysis of all targets, click Next.


14. Installing Additional Software Components


In addition to installing the OfficeScan server software, you may select to install these additional software components.

- OfficeScan client
- Policy Server for Cisco Network Admission Control (NAC)
- Cisco Trust Agent (CTA) for Cisco NAC

NOTE: If you selected the remote/multiple installation option in Step 3, the setup program does not show the Cisco NAC options on the Install Other OfficeScan Programs screen, as depicted below. NAC installation options are available for local installations only.

NOTE: If you are upgrading the OfficeScan server locally, the setup program does not display the Install Other OfficeScan Programs screen. Clients will be upgraded automatically after the server installation is complete and the system returns to normal operation.

Select whether also to install the OfficeScan client, Policy Server for Cisco NAC, and Cisco Trust Agent for Cisco NAC. Click Next.

Figure 4.17: Options for Installing Additional Software Components

SELECTING WHETHER TO INSTALL THE OFFICESCAN CLIENT ON THE SERVER
The OfficeScan server software is dedicated to managing OfficeScan clients. It is the OfficeScan client software that provides the actual protection against security risks.

Therefore, to protect your OfficeScan server against security risks, you need to install the client software on the server, as well as the OfficeScan server software. Choosing to install the client program during server installation is a convenient way to ensure that your server is automatically protected. You can, however, install the client software separately afterwards.

UNDERSTANDING THE CISCO NAC OPTIONS
Like OfficeScan, the Cisco NAC architecture includes a server component (Policy Server for Cisco NAC) and a client component (Cisco Trust Agent or CTA).

To use Cisco NAC, you must have Cisco routers that support it and you must connect to a Cisco Secure Admission Control Server (ACS). If you are not currently using NAC, you should not install the NAC components. If you are using NAC, please see Appendix D: Cisco Network Admission Control (NAC) on page 407 for more information.


15. Participating in the Smart Feedback Program


Smart Feedback shares anonymous threat information with the Smart Protection Network for analysis. Participation in this program helps Trend Micro better understand the development and spread of security risks. You can end participation at any time using the management console.

Figure 4.18: Option to Share Information with the Trend Micro Smart Protection Network

To choose whether to participate in the Trend Micro Smart Feedback Program, you simply select yes or no and optionally select the Industry type to help Trend Micro understand your organization; then, click Next.

16. Set the Console and Client-Install/Uninstall Passwords


The setup program requires you to enter a password to protect the web-based management console and a password to protect against the unauthorized unloading and uninstallation of the client software. Passwords must be between 1 and 24 characters. Enter the passwords you would like to use, and click Next.

Figure 4.19: Setting Passwords for Management Console Access and Client Control

NOTE: If you enter the same password for both functions, you will be prompted to confirm your decision. Trend Micro recommends using different passwords to better protect access to the management console.


17. Specifying Client Install Path, Listening Port and Security Level

The OfficeScan Client Installation screen allows you to specify the installation path for OfficeScan clients. You can also specify the client listening port for connections from the server. (Note: These options are not available when upgrading an existing installation.)

CLIENT INSTALLATION PATH
Client software must be installed in the same directory on each client. The default path is Program Files\Trend Micro\OfficeScan Client. You may change the path after completing the server installation by editing the ofcscan.ini file in the OfficeScan PCCSRV directory. But, if you change the path after deploying clients, you must then redeploy them.

Figure 4.20: Specifying the Client Listening Port and Security Level

The variables for you to use in specifying the client installation path include:

- $BOOTDISK: The drive letter of the disk from which the computer boots (default C:\)
- $WINDIR: The directory where Windows is installed (default C:\Windows)
- $ProgramFiles: The Program Files directory that is automatically set up in Windows and is usually used for installing software (default C:\Program Files)

CLIENT LISTENING PORT
The setup program randomly generates a high port number and enters it in the Port number: field. This port is used for OfficeScan client-server communications and must be the same for all clients that are managed by the OfficeScan server. If the randomly generated port does not conflict with network settings, you may use it if you choose. Otherwise, enter a port number that is available for use across your entire network.

CLIENT SECURITY LEVEL
The security level option allows you to restrict non-administrative-level user accounts from accessing the OfficeScan program file directory and registry entries.

- Normal: Gives all users (everyone) full rights to the files in the OfficeScan client program directory and to the OfficeScan client registry entries.
- High: Causes the OfficeScan client program directory to inherit the existing rights of the target computer's Program Files directory and causes registry entries to inherit permissions from the HKLM\Software key. With this setting, by default, normal users (that is, those without Active Directory administrator privileges) are limited to read-only permissions.


18. Enabling or Disabling the Client Firewall


The OfficeScan firewall helps protect OfficeScan clients from hacker attacks and network viruses by closely monitoring open ports and blocking potentially malicious connection attempts. The setup option to enable or disable the firewall determines whether the firewall will be enabled or disabled by default during subsequent installations of the client. OfficeScan automatically disables the firewall service on Windows Server 2003/2008 platforms. You can, however, select to enable the firewall on server platforms by default as well. Select whether to enable the firewall. Click Next.

Figure 4.21: Enabling/Disabling the Firewall for Subsequent Client Deployments

You can change this setting later using the management console.

19. Choosing Assessment Mode Options


Assessment mode allows you to make sure that OfficeScan is properly detecting spyware/grayware. Automated spyware/grayware cleaning terminates processes and deletes registry entries, files, cookies and shortcuts associated with the detected threat. In assessment mode, OfficeScan logs spyware/grayware detections but does not clean them.

Figure 4.22: Enabling Assessment Mode and Selecting the Length of the Assessment Period

Depending on the type of software you use in your organization and the role of your user groups, it is possible that you will want to make exclusions for certain software products that OfficeScan would otherwise flag as a threat and attempt to remove. When the assessment period expires, OfficeScan can then take automated actions based on the choices you made during the assessment period.


You can also enable assessment mode at any point after the OfficeScan server installation. For more information and further discussion, see Global Spyware/Grayware Settings on page 174.

You can enable assessment mode to be active for one to four weeks. After you have made your selections, click Next.

20. Enabling or Disabling the Web Reputation


The setup option to enable or disable the web reputation determines whether this feature will be enabled or disabled by default during subsequent installations of the client. OfficeScan automatically disables the web reputation service on Windows Server 2003/2008 platforms. You can, however, select to enable the web reputation on server platforms by default as well. Select whether to enable the web reputation. Click Next.

Figure 4.21: Enabling/Disabling the Web Reputation for Subsequent Client Deployments

You can change this setting later using the management console.

21. Specifying the Programs Folder for Shortcuts


NOTE: This configuration option is provided for new local installations only.

Specify the folder to be used for adding OfficeScan program shortcuts to the Start button menu.

Figure 4.23: Specifying a Start Menu Folder for OfficeScan Shortcuts


19. Review the Installation Configuration


Review your installation configuration choices. If they appear to be correct, click Install. A horizontal progress bar reports the status of the installation process.

Figure 4.24: Reviewing Installation Configuration and Beginning the Install

NOTE: For remote installations, the installation program will copy the remote installation log, named ofcmasr.log, to the Windows directory of the local machine. On the remote machine (and also in the Windows directory), this log is called ofcmas.log. For more information, see Chapter 12: Troubleshooting on page 341.

20. Completing the Installation


When the installation is complete, the Installation Complete notification appears. This notification is different for local installations compared to remote installations. For local installations, you are given options to:

- View the readme file
- Open the web-based management console

For remote installations, these options are not available; in which case, when the installation is complete (shown on the left below), click OK. For local installations, select the action(s) you wish to take and click Finish.

Figure 4.25: Finishing Remote (Left) and Local (Right) Installations


4.3 > Performing a Silent Installation


The OfficeScan silent installation option allows you to perform multiple local installations without having to launch the graphical interface of the setup program and repeatedly configure the installation options for each installation. To take advantage of the silent installation, all your server installations must be configured the same way, because every installation reads its settings from the same response file. Silent server installation involves a two-step process.

1. Create a Response File by running the setup wizard and recording the installation parameters to an .iss file.
2. Run the OfficeScan Setup Program in Silent Mode from a command prompt and instruct the setup program to bypass the graphical interface and use the response file to obtain configuration parameters.

If you plan to upgrade OfficeScan servers, make sure to create the response file from a computer with an OfficeScan server installed. Similarly, if you plan to perform a fresh installation, create the response file from a computer without an OfficeScan server installed.

4.3.1 Creating the Response File


To record the server setup configuration to a response file:

1. Open a command prompt and change the working directory to the folder where the OfficeScan setup program, setup.exe, is located.
2. Type setup.exe -r and press [Enter]. (The -r switch configures the setup program to record the installation details to a response file.)
3. Follow the setup procedure outlined by the setup program. Only the local install option will be available when creating a response file (the remote install option is grayed out). Your installation configuration will be recorded to a response file.

After completing these steps, the response file (named setup.iss) will be created in the Windows directory on the C:\ drive.

NOTE: This recording procedure does not install OfficeScan; it only records the server setup configuration to a response file.

4.3.2 Running Silent Installation


You can now perform the silent server installation:

1. Copy the installation package (which includes all installation files and folders, along with the setup.exe file) and setup.iss to the target computer.
2. Open a command prompt and change the working directory to the location of setup.exe.
3. Type setup.exe -s -f1{path}setup.iss -f2{path}setup.log. These switches are explained in the table below.


Switch               Definition
-s                   Commands the setup program to perform silent installation.
-f1{path}setup.iss   Tells the setup program where the response file is located. If the path contains spaces, enclose the path with quotation marks ("); for example, -f1"C:\osce script\setup.iss".
-f2{path}setup.log   Tells the setup program where to create the log file. If the path contains spaces, enclose the path with quotation marks ("); for example, -f2"C:\osce log\setup.log".

Table 4.4: Execution Parameters for SETUP.EXE.

4. Press [Enter]. The setup program then silently installs the server software on the computer.
NOTE: You can use the same silent installation process to upgrade an OfficeScan server from an earlier version.
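The two steps above, scripted end to end, as an added example that is not part of the course material or of Trend Micro's own tooling. It assumes placeholder paths (C:\osce install, C:\osce script, C:\osce log) and that setup.log uses the InstallShield [ResponseResult] / ResultCode= layout the course refers to in section 4.4; the function names are this script's own. The exit code of setup.exe is reported alongside, but the ResultCode in the log is what the course says to check.

```powershell
# Added example (not from the Trend Micro course material). Drives the two-step
# silent server installation: optionally record setup.iss with "setup.exe -r",
# then run "setup.exe -s -f1... -f2..." and read ResultCode from the log.
# Assumptions: the three paths below are placeholders; setup.log follows the
# InstallShield "[ResponseResult]" / "ResultCode=<n>" layout.
param(
    [string]$SetupDir     = 'C:\osce install',          # folder holding setup.exe
    [string]$ResponseFile = 'C:\osce script\setup.iss', # recorded response file
    [string]$LogFile      = 'C:\osce log\setup.log',    # log written by -f2
    [switch]$Record                                     # run "setup.exe -r" first
)

$setup = Join-Path $SetupDir 'setup.exe'
if (-not (Test-Path $setup)) { throw "setup.exe not found in $SetupDir" }

# Step 1: record the response file. "setup.exe -r" writes setup.iss to the
# Windows directory; copy it to where the silent installs will read it.
function New-OfficeScanResponseFile {
    Start-Process -FilePath $setup -ArgumentList '-r' -Wait
    $recorded = Join-Path $env:windir 'setup.iss'
    if (-not (Test-Path $recorded)) { throw "setup.exe -r did not create $recorded" }
    New-Item -ItemType Directory -Force -Path (Split-Path $ResponseFile) | Out-Null
    Copy-Item -Path $recorded -Destination $ResponseFile -Force
}

# Reads "ResultCode=<n>" from the [ResponseResult] section of the setup log.
# Returns $null when the log is missing or has no ResultCode line.
function Get-SetupResultCode([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    $hit = Select-String -Path $Path -Pattern '^\s*ResultCode\s*=\s*(-?\d+)' | Select-Object -First 1
    if ($hit) { return [int]$hit.Matches[0].Groups[1].Value }
    return $null
}

# Step 2: silent install. The switch and its path are concatenated (-f1"...")
# exactly as in Table 4.4; the embedded quotes handle spaces in the paths.
function Invoke-OfficeScanSilentInstall {
    if (-not (Test-Path $ResponseFile)) { throw "response file not found: $ResponseFile" }
    New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null
    $argList = "-s -f1`"$ResponseFile`" -f2`"$LogFile`""
    $proc = Start-Process -FilePath $setup -ArgumentList $argList -Wait -PassThru
    [pscustomobject]@{
        ExitCode   = $proc.ExitCode
        ResultCode = Get-SetupResultCode $LogFile
        Log        = $LogFile
    }
}

if ($Record) { New-OfficeScanResponseFile }
$result = Invoke-OfficeScanSilentInstall
if ($result.ResultCode -eq 0) {
    Write-Host "Silent installation completed: ResultCode=0 (setup.exe exit code $($result.ExitCode))"
} else {
    Write-Warning "Installation not confirmed: ResultCode=$($result.ResultCode); inspect $LogFile and $env:windir\ofcmas.log"
    exit 1
}
```

Run it once with -Record on a reference machine of the right kind (one with or without an existing server, as the text requires) to capture setup.iss, then without -Record on each target. The script refuses to run if setup.exe or the response file is missing and exits non-zero whenever ResultCode is anything but 0, so an unattended deployment does not treat a failed server install as success.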

4.4 > Verifying the Installation


Below are instructions for verifying the installation of the OfficeScan server software.
CHECK THE LOCATION OF KEY FILES IN THE PROGRAM FOLDER

As a first step in verifying the successful installation of the OfficeScan server software, check that this key file, the OfficeScan Master Service, is present on your computer:

C:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe

CHECK OFFICESCAN SERVICES AND PROCESSES

Verify using the Services console (services.msc) that the following OfficeScan services are running:

- OfficeScan Master Service (OfcService.exe)
- OfficeScan Active Directory Integration Service (OSCEIntegrationService.exe), if role-based administration is implemented
- Trend Micro Smart Scan Server (iCRCService.exe)
- Trend Micro Local Web Classification Server (LWCSService.exe), if installed
- Trend Micro Policy Server for Cisco NAC (PolicyServer.exe), if installed
- OfficeScan Control Manager Agent (OfcCMAgent.exe), if installed

Next, verify using the Windows Task Manager that these processes are running:

- DbServer.exe
- iCRCService.exe (if Smart Scan Server is installed)
- LWCSService.exe (if the Local Web Classification Server is installed)
- OfcService.exe
- OfcCMAgent.exe (only if registered to a Control Manager server)
- OSCEIntegrationService.exe (if implemented)

CHECK REGISTRY KEYS

Verify that the proper registry keys are present on the server. Open a command prompt and enter regedit. Look for the registry keys located in the following registry paths:

HKEY_LOCAL_MACHINE\Software\TrendMicroInc.
HKEY_LOCAL_MACHINE\Software\TrendMicro

CHECK INSTALLATION LOGS

You may also view the logs that the setup wizard created during installation. Errors and successful actions performed by the setup wizard are recorded in ofcmas.log in the Windows directory. If you performed a silent installation, you may also view the setup.log that was created in the path you specified. In setup.log, check the value of ResultCode: a value of 0 indicates that the silent server installation completed successfully; any other value indicates that it did not.

For more information about what is contained in ofcmas.log, see Chapter 12: Troubleshooting on page 341.
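The checks in this section, collected into one script as an added example (not course material or a Trend Micro tool). Service display names, process names, the registry path and log file name are taken from the lists above; the script assumes the default installation folder under %ProgramFiles%, treats every component the text marks "if installed" as optional (a missing optional service is not a failure, a stopped one is), and the function name and report layout are its own.

```powershell
# Added example (not from the Trend Micro course material). Automates the
# post-install checks of section 4.4: key file, services, processes, registry
# key and installation log. Names come from the course text; the install path
# under %ProgramFiles% is assumed.
$pccsrv  = Join-Path $env:ProgramFiles 'Trend Micro\OfficeScan\PCCSRV'
$results = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail, [bool]$Required = $true) {
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Required = $Required; Detail = $Detail })
}

# 1. Key file: the OfficeScan Master Service binary.
$master = Join-Path $pccsrv 'web\service\ofcservice.exe'
Add-Check 'ofcservice.exe present' (Test-Path $master) $master

# 2. Services. Only the Master Service is mandatory; the others exist only if installed,
#    so an absent optional service is skipped but a stopped one is a failure.
$services = @(
    @{ Name = 'OfficeScan Master Service';                       Required = $true  },
    @{ Name = 'OfficeScan Active Directory Integration Service'; Required = $false },
    @{ Name = 'Trend Micro Smart Scan Server';                   Required = $false },
    @{ Name = 'Trend Micro Local Web Classification Server';     Required = $false },
    @{ Name = 'Trend Micro Policy Server for Cisco NAC';         Required = $false },
    @{ Name = 'OfficeScan Control Manager Agent';                Required = $false }
)
foreach ($s in $services) {
    $svc = Get-Service -DisplayName $s.Name -ErrorAction SilentlyContinue
    if ($svc) { Add-Check "service: $($s.Name)" ($svc.Status -eq 'Running') "$($svc.Status)" $s.Required }
    elseif ($s.Required) { Add-Check "service: $($s.Name)" $false 'not installed' $true }
}

# 3. Processes. DbServer and OfcService must be running; the rest only if present.
$processes = @{ 'DbServer' = $true; 'OfcService' = $true; 'iCRCService' = $false;
                'LWCSService' = $false; 'OfcCMAgent' = $false; 'OSCEIntegrationService' = $false }
foreach ($p in $processes.GetEnumerator()) {
    $running = [bool](Get-Process -Name $p.Key -ErrorAction SilentlyContinue)
    if ($running -or $p.Value) {
        Add-Check "process: $($p.Key).exe" $running $(if ($running) { 'running' } else { 'not running' }) $p.Value
    }
}

# 4. Registry key listed in the course text.
Add-Check 'registry: HKLM\SOFTWARE\TrendMicro' (Test-Path 'HKLM:\SOFTWARE\TrendMicro') 'HKLM:\SOFTWARE\TrendMicro'

# 5. Installation log: ofcmas.log in the Windows directory; surface recent error lines.
$ofcmas = Join-Path $env:windir 'ofcmas.log'
if (Test-Path $ofcmas) {
    $errLines = Select-String -Path $ofcmas -Pattern 'error|fail' | Select-Object -Last 5
    Add-Check 'ofcmas.log present' $true "$(@($errLines).Count) recent error/fail lines" $false
    $errLines | ForEach-Object { Write-Host "  ofcmas.log: $($_.Line)" }
} else {
    Add-Check 'ofcmas.log present' $false $ofcmas
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Required -and -not $_.Ok })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) required check(s) failed"; exit 1 }
Write-Host 'OfficeScan server installation verified.'
```

Run it in an elevated PowerShell session on the server immediately after setup finishes, and again after a reboot: a Master Service that runs once but is not set to start automatically shows up only on the second pass. A non-zero exit code makes the check usable as a gate in a deployment pipeline.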

Lab Exercise 1: Validate Lab Setup Lab Exercise 2: Install OfficeScan


4.5 > Chapter Summary and Review Questions


Summary
Before installing the OfficeScan server, you need to consider the hardware and software configurations and the traffic patterns in your network. Also determine how many clients you will be protecting with OfficeScan and which of those clients will be update agents. The setup wizard greatly simplifies OfficeScan installation: just launch the wizard and follow the prompts. To perform a silent installation, first create a response file, then launch the silent installation from the command prompt.

Review Questions
1. Which of the following areas is not scanned during the pre-scan?
   a) The boot area and boot directory
   b) The Windows folder
   c) The program files folder
   d) Memory

2. Which of the following does the server pre-scan NOT scan for?
   a) Boot viruses
   b) Adware
   c) Worms
   d) Trojan horses

3. Which of the following components CANNOT be installed using the setup wizard?
   a) Trend Micro Policy Server for Cisco NAC
   b) Outlook mail scanning
   c) OfficeScan client software
   d) The CTA

4. How does the setup wizard assign the port that will be used for OfficeScan client-server communication?
   a) It scans ports and selects one that is not being used.
   b) It does not assign one; you must input one manually.
   c) It reads the port assignment from Control Manager configurations.
   d) It randomly assigns a high-numbered port.


Chapter 5: OfficeScan Management Console


Chapter Objectives

After completing this chapter, you should be able to:

- Navigate the management console
- Adjust Smart Scan settings
- Deploy Outbreak Prevention
- Set criteria for Virus Outbreak Monitor
- Use the management console to scan clients
- Use the management console to set client privileges
- Create and modify roles and users
- Configure OfficeScan administration options


5.1 > Using the OfficeScan Management Console


The management console gives you complete control over antivirus and other malware-protection policies for your desktops, laptops, and servers. The console allows you to manage all the OfficeScan clients on your network, as well as the OfficeScan server settings. This chapter describes:

- The Summary page
- Security Compliance
- Smart Protection settings
- Outbreak Prevention features
- Virus Outbreak Monitor
- Clients
- Administration

NOTE: For installing clients remotely or notifying clients to go to an internal web page to install client software, see Chapter 6: Client Software Deployment on page 219. For updating OfficeScan clients globally, see Chapter 7: Updates on page 245. For managing the OfficeScan firewall, see Chapter 9: OfficeScan Firewall on page 287. For using administrative and client tools, see Chapter 10: OfficeScan Tools on page 307. For using logs, see Chapter 11: Logs on page 329.

5.1.1 Launching the Management Console


You can launch the management console using any of these methods:

- Enter the URL in the address bar of Internet Explorer

  Some of the details of the URL are configurable during the server installation, including the port number, whether SSL must be used, and whether the self-signed public-key certificate (for SSL only) uses the DNS name or the IP address of the server.

  If you are not using SSL and are using the default HTTP port 8080, the URL is:

  http://<OfficeScan_server_name_or_IP_address>:8080/officescan

  If you are using SSL and are using the default HTTPS port 4343, the URL is:

  https://<OfficeScan_server_name_or_IP_address>:4343/officescan

  Over the plain HTTP URL the root password is sent in clear text on every logon; use the SSL URL for administrative access and restrict which hosts can reach the console port.

- Launch one of the Start Menu shortcuts on the OfficeScan server

  By default, the server installation program places a shortcut to the OfficeScan management console on the desktop of the server and another one in the Start menu: Start > Programs > Trend Micro OfficeScan Server-[name] > OfficeScan Web Console (HTML).

To access the management console for the first time, you must log on using the root account and the password that was configured for the root account during the OfficeScan server installation. Enter root as the user name and the password that was specified during installation of the server, then click Log On.


Figure 5.1: OfficeScan Management Console Logon Page

NOTE: You can configure user accounts and assign roles to users which define the privileges available to them. This chapter covers all of the features and functions of the management console, including how to create new users. For information on how to create new accounts, create new roles, and assign them, see 5.13.1 Creating Users and Assigning Roles on page 194.

5.1.2 Navigating the Management Console


Navigating the management console is simple. The sidebar on the left is the main navigation tool for gaining access to administrative tasks. The content area on the right displays summary information, configuration parameters, and other management tools. Drop-down menus on the Networked Computers page provide access to client-management and configuration tools.

Figure 5.2: The OfficeScan Management Console Sidebar


5.1.3 Understanding the Client Tree


The OfficeScan client tree allows you to organize OfficeScan clients, create and apply configuration profiles, select groups of clients or individual clients for administrative actions, and display search results based on client profiles and/or status.

Figure 5.3: The Client Tree

Several OfficeScan features rely on the client tree as a client-selection and results-display tool. Consequently, the client tree appears in multiple contexts on a variety of pages within the management console. More specifically:

- The client tree provides a framework for selecting, organizing, and performing a wide range of management functions on the Networked Computers > Client Management page. This is a frequently used page for OfficeScan management and control that enables you to create policies, assign client privileges, and analyze client status.

- The client tree also provides client-selection capability for these functions:
  - The Scan Now for All Domains function at the top of the main navigation column (this same function is also available directly within certain content pages)
  - Creating, applying, and otherwise managing outbreak prevention policies on the Networked Computers > Outbreak Prevention page
  - Manual (on-demand) updates using the manually select clients option on the Updates > Networked Computers > Manual Update page
  - Viewing security-risk logs using the Logs > Networked Computer Logs > Security Risks page
  - Deploying Cisco NAC agents using the Cisco NAC > Agent Deployment page

- The client tree is also used by those functions of the Summary page that display summary details for clients when you click the total number of clients categorized by connection status, malware-detection status, component-update status, and so on.


In the OfficeScan client tree, the OfficeScan Server is the top-level container, below which you may add client groups. In the OfficeScan interface, these groups are called domains. The OfficeScan installation creates a Default domain automatically.

NOTE: With OfficeScan 10.5, you can configure automated client grouping based on NetBIOS, Active Directory, or DNS domain by using the Networked Computers > Client Grouping page. You can also create custom rules based on IP address ranges and/or multiple Active Directory domains. When the custom client groups option is selected, an additional menu option named Custom Client Groups appears in the Networked Computers section of the navigation column of the management console.

When basic sorting options are enabled on the Networked Computers > Client Grouping page, the Manage Client Tree drop-down menu on the toolbar of the Client Management page allows you to add domains, move them, and delete them as needed, as well as move clients from one domain to another. When custom client grouping is enabled, the configuration of the client tree is determined by the customizable rules that you create on the Networked Computers > Custom Client Groups > Manage Client Groups page.

For more information about how to configure the automated grouping of clients, see section 5.5.1 Client Grouping on page 124.

5.2 > The Summary Page


After successfully logging on, the management console displays the Summary page (see the figure below). This page summarizes the current status of your product licenses and overall threat protection. It also lets you take action in response to conditions that require immediate intervention, such as an outbreak or a large number of outdated components. To access this page, click Summary in the sidebar. The Summary page provides:

- Product license status
- Networked computers summary
- Outbreak status
- Update status summary

Figure 5.4: The Summary Page


5.2.1 Product License Status (Activated Services Summary)

The top section of the Summary page lists the services you have purchased and have activated. Service expiration/renewal notices also display in this area, as depicted in the figure below. The management console displays reminders:

- 14 days before an evaluation/trial-version license expires
- 60 days before a full-version license expires
- 30 days before the grace period ends (applies only to full-version licenses)

Figure 5.5: Summary Page License Expiration Notices

If a license has expired and the grace period is over, component updates will be disabled. Scanning will continue to work for full-version licenses using out-of-date components.

NOTE: There is no grace period for evaluation/trial-version licenses; updates and scanning are disabled along with all other client features upon expiration of the evaluation/trial period.

Clicking more info takes you to the Administration > Product License page, where you can view additional details about the status of your licenses, view renewal instructions, and enter new activation codes.

5.2.2 Networked Computers Summary

The Networked Computers section of the Summary page displays information in two sections. The tabbed section on the left displays the number of clients that are online, offline, and in roaming mode. The data table on the All tab shows data segmented by scan method. The Conventional Scan and Smart Scan tabs allow you to focus on additional summary details segmented by each of these two scan methods.

Figure 5.6: Summary Page Detail for Networked Computers

The Smart Scan Server summary identifies the scan servers to which smart clients connect. Using the links provided, you access the consoles of the Smart Scan servers listed.


Numerical data in the Networked Computers summary that is underlined provides hyperlinks that initiate client-tree-view searches based on the criteria indicated, such as online or infected. The results are displayed in the client-tree view on the Networked Computers > Client Management page.

Figure 5.7: Content Display after Clicking a Number in the Networked Computers Summary

Detection Status

The detection status section shows the total number of detections in two categories, virus/malware and spyware/grayware, along with the total number of infected computers. Clicking a total number of infected computers shows search results in the same way as clicking a total in the Connection Status section, similar to the figure above.

Top 10 Security Risk Statistics

Clicking the link Top 10 Security Risk Statistics on the Summary page displays additional tables summarizing specific threats and the computers with the highest numbers of threats detected (shown in the figure below).

Figure 5.8: Top 10 Security Risk Statistics for Networked Computers


As illustrated in the figure above, clicking the name of a threat opens a new browser window and displays the corresponding entry for the threat in the Trend Micro online Virus Encyclopedia. To return to the Summary page from the Top-10 statistics page, click the Back button. You can also reset the top-10 statistics in any category by clicking on the corresponding Reset Count button. Clicking on a numbered total displays the corresponding query results in the client tree on the Networked Computers > Client Management page, as described above. To return to the Summary page from the Client Management page, click Summary in the navigation column.

5.2.3 Outbreak Status Summary


The outbreak monitor monitors the number of detection/violation incidents within a timeframe (number of hours) that you select. If incidents exceed the thresholds you specify, an outbreak is declared. The console displays the status of current outbreaks in the Outbreak Status section of the Summary page, along with the date of the last outbreak. When OfficeScan detects an outbreak, you can immediately enforce prevention measures to contain the outbreak. Conversely, you can declare the outbreak over by clicking Reset.

5.2.4 Update Status for Networked Computers Summary


The Update Status section of the Summary page provides a compact list of available components and programs that protect your networked computers from security risks. For each component, you can view its current version and how many of your online clients are currently up-to-date. The Outdated column (when the number is non-zero) contains links that allow you to deploy manual, on-demand updates (Update Now) to those clients, if you choose to do so.

5.3 > Security Compliance


Security Compliance can help you identify flaws, deploy solutions, and reduce the time required to secure your network environment. Security Compliance features can help you balance your organization's needs for security and functionality. You can use Security Compliance to collect information on two types of computers:

- Managed computers: computers that are managed by the OfficeScan server and are already part of the OfficeScan client tree, so that they can be checked against update, settings, services, and scan compliance policies.
- Unmanaged (outside) computers: computers within your Active Directory network domains that are not managed by the OfficeScan server and therefore are not held to its security policies.

5.3.1 Compliance Reports


The Compliance Report verifies that computers already part of the OfficeScan client tree have the correct services running, the latest components, and consistent settings, and that they have successfully performed scans.


Compliance reports are created and viewed using the Security Compliance > Compliance Assessment > Compliance Report page.

Figure 5.9: Compliance Report Page

Information Provided By the Compliance Report

OfficeScan provides four tabbed sections of summary data on the Compliance Report page:

Services
Identifies whether computers in the network have the correct services and whether these services have been disabled. Specific users might have the ability to disable OfficeScan services, or there might be some issues with these services.

NOTE: The Services, Scan Compliance, and Settings tabs are limited to displaying information about clients running OfficeScan 10.5 or later. Only the Components tab provides information about clients running earlier versions of the client software.

Components
Identifies component inconsistencies among computers in the network. This report determines whether the computers have the latest components or whether components installed on the clients are newer than those the server has. Scheduled updates ensure that computers have the same components as the OfficeScan server. However, there are instances when clients are disconnected, have not obtained the latest updates, or downloaded updates before the server did.

Scan Compliance
Identifies whether computers in the network have successfully performed scan tasks. Scheduled or Remote scans ensure that computers do not have security threats, but there are instances when clients have not performed scan tasks or were unable to complete scanning.

Settings
Identifies whether computers in specific domains have the same configuration settings as those designated by the administrator. These configuration settings have to be consistent with those set by the administrator for every domain, to reduce confusion. This is particularly helpful after moving clients from one domain to another or when a new client has been added to the domain.

The content-display area of the Compliance Report changes dynamically based on the tab that you select at the top of the page. If no computers are discovered to be non-compliant, the content-display area in the lower half of the page will be blank. When one or more non-compliant computers are listed, you can select computers as a group or individually and then click the action button at the top of the list to attempt to remedy the non-compliance.

Figure 5.10: Taking Action to Bring Non-compliant Computers into Compliance

The table below identifies the individual components associated with each tabbed section of the compliance report, along with relevant notes about the creation and/or use of this information.

Services
  Components listed: Antivirus; Anti-spyware; Firewall; Web Reputation; Behavior Monitoring/Device Control; Computers with Non-compliant Services
  Action button: Restart OfficeScan Client
  Note: If one or more computers have two or more non-compliant services, the number of Computers with Non-compliant Services will be less than the sum of all categories.

Components
  Components listed: Smart Scan Agent Pattern; Virus Pattern; IntelliTrap Pattern; IntelliTrap Exception Pattern; Virus Scan Engine; Spyware Pattern; Spyware Active-monitoring Pattern; Spyware Scan Engine; Virus Cleanup Template; Virus Cleanup Engine; Common Firewall Pattern; Common Firewall Driver; Behavior Monitoring Driver; Behavior Monitoring Core Service; Behavior Monitoring Configuration Pattern; Digital Signature Pattern; Policy Enforcement Pattern; Behavior Monitoring Detection Pattern; Program Version; Computers with Outdated Components
  Action button: Update Now
  Note: If one or more computers have two or more outdated components, the number of Computers with Outdated Components will be less than the sum of all categories.

Scan Compliance
  Components listed: No scheduled or remote scan performed for the last (x) days; Remote or Scheduled scan exceeded (x) hours; Computers That Need to be Scanned
  Action button: Scan Now
  Note: If one or more computers fall under both of the criteria, the number for Computers That Need to be Scanned will be less than the sum of the individual categories. Scan Compliance assesses clients only if Scheduled Scan is enabled.

Settings
  Components listed: Scan Method; Manual Scan Settings; Real-time Scan Settings; Scheduled Scan Settings; Scan Now Settings; Privileges and Other Settings; Additional Services; Web Reputation; Behavior Monitoring; Device Control; Spyware/Grayware Approved List; Computers with Inconsistent Configuration Settings
  Action button: Apply Domain Settings
  Note: If one or more computers have two or more inconsistent settings, the number of computers in Computers with Inconsistent Settings will be less than the sum of all categories.

Table 5.x: Compliance Report Data Contained in Tabbed Sections

Overview of Compliance-Related Tasks


The tasks you need to perform to ensure compliance:

1. Select the domain from the Client Tree Scope and click Assess to get the latest data.
2. Select the tab specific to the feature you want to ensure users comply with.
3. Determine which computers need an action performed.
4. Click the button provided to ensure compliance. These can restart or update the client, apply domain settings, or perform a manual scan.
5. Configure Scheduled Assessments.


Using the Compliance Report


To use the compliance report:

1. Select the domain from the Client Tree Scope and click Assess.

NOTE: Only the Components tab supports clients earlier than OfficeScan 10.5. The Services, Scan Compliance, and Settings tabs display only OfficeScan 10.5 and later clients.

2. From the Services tab:
   2.1. View computers with non-compliant services.
   2.2. Select computers from the query result.
   2.3. Click Restart OfficeScan Client to force the clients to restart OfficeScan on their computers.

NOTE: If the client still appears as non-compliant after another assessment, manually verify the client service.

3. From the Components tab:
   3.1. View computers with components inconsistent with the OfficeScan server.
   3.2. Select computers from the query result.
   3.3. Click Update Now to force clients to download components.

4. From the Scan Compliance tab (Scan Compliance only assesses clients if Scheduled Scan has been enabled):
   4.1. View computers that have not successfully completed scans.
   4.2. Leave the default time or specify one or both of the following:
        - Number of days the client has not performed a scheduled or remote scan
        - Number of hours the remote or scheduled scan task has exceeded
   4.3. Select computers from the query result.
   4.4. Click Scan Now to force clients to perform a manual scan.

NOTE: OfficeScan disables the Scan Now option if the client exceeded the time specified for a remote or scheduled scan. Manually verify the client computer.

5. From the Settings tab:
   5.1. View computers with settings inconsistent with the domain.
   5.2. Select computers from the query result.
   5.3. Click Apply Domain Settings to ensure that client settings are consistent with the domain.

RECOMMENDED TASKS:

- Within the Compliance Report tabs, click a number link to display all affected computers in the client tree.
- To save the list of computers to a file, click Export.


5.3.2 Scheduling Compliance Reports

OfficeScan can automatically query the client tree for Compliance Assessments and provide a report based on a schedule. Automated reports are emailed to named recipients using the SMTP settings that you provide on the Notifications > Administrator Notifications > General Settings page. An example of a scheduled compliance report appears in the figure below.

Figure 5.11: Scheduled Compliance Report as Emailed to a Listed Recipient

Scheduled compliance reports include client details in CSV-file attachments. There is one attachment each for services, components, scan compliance, and settings details, as represented by the tabs of the same name on the Compliance Report page of the management console.

To configure scheduled assessments for compliance reports:

1. Click Security Compliance > Compliance Assessment > Scheduled Compliance Report.
2. Enable scheduled query.
3. Specify a title for the report, to be used in the subject line of the email messages to be sent.

Figure 5.12: Scheduling Compliance Reports to be Run Daily at a Selected Time

4. Select one or all of the available categories of compliance information:
   - Services
   - Components
   - Scan Compliance
   - Settings


5. Specify the email address(es) that will receive the report.
6. Specify the schedule.
7. Click Save.

Important: For email messages containing scheduled security-compliance report information to be sent properly, you must correctly configure the SMTP settings on the Notifications > Administrator Notifications > General Settings page.

5.3.3 Security Compliance Reporting for Clients Outside of OfficeScan-Server Management


Outside Server Management lets you check that computers within your network domains that are not managed by the OfficeScan server comply with security policies. Use this report with Active Directory and IP addresses to query for and identify non-compliant computers. After querying Active Directory or IP addresses, the web console displays the security status of the computers. The security status can be any of the following:

- Managed by another OfficeScan server
- No OfficeScan client installed
- Unreachable
- Unresolved Active Directory assessment

To use Outside Server Management, ensure that the OfficeScan server computer is part of the network so that it can query Active Directory domains and IP addresses. The list below provides an overview of the tasks required to enforce security compliance using the Outside Server Management tool:

1. Define the Active Directory/IP address scope and run the query.
2. Check unprotected computers in the query result.
3. Install the OfficeScan client. Refer to Installing with Security Compliance.
4. Configure a scheduled query.

Defining the Active Directory/IP Address Scope and Query


The first step in using Outside Server Management is to define the Active Directory or IP address scope, which means identifying the Active Directory objects or IP addresses that the OfficeScan server will query. The first time you open the Security Compliance page, a notice that reads "Active Directory domains or IP addresses have not been defined" appears in yellow at the top. If you have previously configured Active Directory integration parameters on the Administration > Active Directory settings page and the system detects that Active Directory synchronization has occurred or reoccurred since the page was last visited, an additional notice appears indicating that "The current outside server management report is out-of-date. Please perform server management query to get the latest information." This notice may appear independently of the notice to define the scope of the outside-server-management query.

Figure 5.13: Outside Server Management Scope Not Defined

To configure the Active Directory scope and start the query process:

1. To define the Active Directory scope for the first time, verify that the OfficeScan server is configured as a member of an Active Directory domain. If you will be defining the scope based on IP addresses, simply click Define Active Directory domains / IP address scope, or click Define in the header of the Active Directory/IP address Scope section of the page (top right, below the Help icon).

Figure 5.14: Setting the Active Directory/IP Address Scope for Querying Unmanaged Nodes

2. In the page that opens, use Active Directory and/or IP addresses to query:

   From Active Directory Scope, select the objects to query.

   If you have not previously configured the Active Directory Integration parameters on the Administration > Active Directory > Active Directory Integration page, a link to the Active Directory Integration page appears in the Active Directory scope selection box. You must configure your Active Directory domain identification and access credentials before you can define an Active Directory scope for use with the Outside Server Management compliance report.

   NOTE: Trend Micro recommends enabling the on-demand assessment option to perform real-time queries for more accurate results. Disabling on-demand assessment causes OfficeScan to query the database instead of each client. Querying only the database can be quicker but is less accurate.

   Tip: If querying for the first time, select an object with fewer than 1000 accounts and record the time to complete the query. Use this as your performance benchmark.

   From IP Address Scope, specify a range of IP addresses to query. Click the plus or minus button to add or delete IP address ranges.

3. Under Advanced Settings, specify the ports used by OfficeScan servers to communicate with OfficeScan clients. Setup randomly generates the port number during OfficeScan server installation.

   Tip: To view the communication port used by the OfficeScan server, go to Networked Computers > Client Management and select a domain. Check the Listen Port column next to the IP address column. Keep a record of the port numbers for your reference.

3.1. Click Specify ports (hyperlink). The communication port of the local OfficeScan server is listed automatically (and cannot be deleted). If you have no other OfficeScan servers within the scope of the Active Directory/IP Address query, you will not need to enter additional ports.

Figure 5.15: Specifying Additional OfficeScan Client-Server Communication Ports

3.2. Type the port number and click Add. Repeat this step until you have all the port numbers you want to add.

3.3. Click Save.

Important: The query may take a long time to complete, especially if the query scope is broad. Do not perform another query until the Outside Server Management page displays the result. Otherwise, the current query session terminates and the query process restarts.

4. Choose whether to check a computer's connectivity using a particular port number. When connection is not established, OfficeScan immediately treats the computer as unreachable. The default port number is 135.

NOTE Enabling this setting speeds up the query. When connection to a computer cannot be established, the OfficeScan server no longer needs to perform all the other connection verification tasks before treating a computer as unreachable.

5. To save the scope and start the query, click Save and re-assess. (To save the settings only, click Save only.) Progress information about the query is displayed in the top-right header area of the bottom content-display table of the Outside Server Management page.

Figure 5.16: Progress Indicator for Querying Unmanaged Computers

When the query is completed, a dialog box appears that notifies you that the query has completed successfully. You can dismiss this notification by clicking OK. The top-right header area of the content-display table now reports the date and time of the last successful query, and the Cancel button changes to a Settings button, which provides access to a scheduling tool for enabling regular Outside Server Management assessments.

Figure 5.17: Reviewing the Results of a Successful Query of Unmanaged Computers

Identifying Unprotected Computers

After you have run an initial query, you can view the most recent query results at any time by clicking Security Compliance > Outside Server Management. The number of unprotected computers is shown next to No OfficeScan client installed. Recommended tasks for exploring the results of a query include:

1. In the Security Status section, click a number link to display the list of computers that correspond to the associated status category.


2. Use the search and advanced search functions to search and display only the computers that meet the search criteria. If you use the advanced search function, specify the complete name for the following items:
Computer name
IP address
OfficeScan server name
Active Directory tree

Use the wildcard character (*) if unsure of the complete name. OfficeScan will not return a result if the name is incomplete and the wildcard character is not specified.

3. To save the list of computers to a file, click Export.

4. For clients managed by another OfficeScan server, use the Client Mover tool to have these clients managed by the current OfficeScan server.

The Security Status section classifies computers as identified in the table below.

Status: Managed by another OfficeScan server
Description: The OfficeScan clients installed on the computers are managed by another OfficeScan server. Clients are online and run either this OfficeScan version or an earlier version.

Status: No OfficeScan client installed
Description: The OfficeScan client is not installed on the computer.

Status: Unreachable
Description: The OfficeScan server cannot connect to the computer and therefore cannot determine whether there is no client installed on the computer or, if a client is installed, whether the client is managed by another OfficeScan server or is unmanaged.

Status: Unresolved Active Directory Assessment
Description: The computer is a part of the Active Directory domain but OfficeScan is unable to determine the status. Note: The OfficeScan server database contains a list of clients that the server manages. The computer queries the Active Directory for the GUID to compare with the list of OfficeScan clients in the database. If the computer is not in the list, the computer will be categorized as "Unresolved Active Directory Assessment".

Table 5.1: Computer Classification in the Security Compliance Report

Tip For various situations, including those related to upgrades and migrations in which you cannot use the management console to change the OfficeScan server to which clients connect, you can use the Client Mover tool. For more information, see Chapter 10: OfficeScan Tools.
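The following is an added example, not OfficeScan code, that models how the query described above arrives at the four Table 5.1 categories and how the advanced-search wildcard rule behaves. The scoped computers, the local server's list of managed client GUIDs, the client-server port (21112) and the decision order inside classify() are all constructed assumptions; in particular the rule that a domain member whose Active Directory GUID cannot be matched is reported as Unresolved rather than as unprotected is a simplification of the note in the table. The port 135 shortcut (step 4) is the page's own behaviour: a failed connectivity check ends the assessment of that computer at once.

```python
"""Model of the Outside Server Management assessment (added example, not OfficeScan code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

DEFAULT_CONNECTIVITY_PORT = 135   # default port of the step-4 connectivity check

MANAGED_HERE = "Managed by this OfficeScan server"   # not shown in the report
OTHER_SERVER = "Managed by another OfficeScan server"
NO_CLIENT = "No OfficeScan client installed"
UNREACHABLE = "Unreachable"
UNRESOLVED_AD = "Unresolved Active Directory Assessment"
REPORT_CATEGORIES = (OTHER_SERVER, NO_CLIENT, UNREACHABLE, UNRESOLVED_AD)


@dataclass
class Computer:
    """One computer inside the Active Directory / IP address scope (constructed)."""
    name: str
    ip: str
    ad_member: bool
    open_ports: Set[int] = field(default_factory=set)   # ports a probe would find open
    client_guid: Optional[str] = None                   # GUID reported by an installed client
    client_port: Optional[int] = None                   # the client's listen port
    ad_guid_known: bool = True                          # False: AD GUID could not be matched


def classify(c: Computer, managed_guids: Set[str], server_ports: Set[int],
             check_port: Optional[int] = DEFAULT_CONNECTIVITY_PORT) -> str:
    """Return the Table 5.1 status for one computer (assumed decision order)."""
    # Step 4: with the connectivity check enabled, a closed port ends the
    # assessment immediately and the computer is reported as unreachable.
    if check_port is not None and check_port not in c.open_ports:
        return UNREACHABLE
    # Step 3: probe the known client-server ports for an answering client and
    # compare the GUID it reports against the server database.
    if c.client_port in server_ports and c.client_port in c.open_ports and c.client_guid:
        return MANAGED_HERE if c.client_guid in managed_guids else OTHER_SERVER
    # Slow path when the check is disabled: every verification task fails.
    if not c.open_ports:
        return UNREACHABLE
    # Domain member, no client answered, AD GUID not in the database (assumption).
    if c.ad_member and not c.ad_guid_known:
        return UNRESOLVED_AD
    return NO_CLIENT


def assess(scope: List[Computer], managed_guids: Set[str], server_ports: Set[int],
           check_port: Optional[int] = DEFAULT_CONNECTIVITY_PORT) -> Dict[str, str]:
    """Run the query over the whole scope; returns {computer name: status}."""
    return {c.name: classify(c, managed_guids, server_ports, check_port) for c in scope}


def security_status_counts(results: Dict[str, str]) -> Dict[str, int]:
    """The Security Status section: one count per report category."""
    counts = {cat: 0 for cat in REPORT_CATEGORIES}
    for status in results.values():
        if status in counts:
            counts[status] += 1
    return counts


def search(computers: List[Computer], pattern: str, attr: str = "name") -> List[str]:
    """Advanced-search rule: a complete name matches, a partial name only with '*'."""
    if "*" in pattern:
        return [c.name for c in computers if fnmatchcase(getattr(c, attr), pattern)]
    return [c.name for c in computers if getattr(c, attr) == pattern]


# Constructed sample scope: the listen port Setup picked for this server is 21112.
SERVER_PORTS = {21112}
MANAGED_GUIDS = {"guid-aaa"}
SCOPE = [
    Computer("ws01", "10.0.0.11", True, {135, 21112}, "guid-aaa", 21112),  # ours
    Computer("ws02", "10.0.0.12", True, {135, 21112}, "guid-bbb", 21112),  # other server
    Computer("ws03", "10.0.0.13", True, {135}),                            # no client
    Computer("ws04", "10.0.0.14", False, set()),                           # firewalled
    Computer("ws05", "10.0.0.15", True, {135}, ad_guid_known=False),       # unresolved
]

if __name__ == "__main__":
    results = assess(SCOPE, MANAGED_GUIDS, SERVER_PORTS)
    for name, status in results.items():
        print(f"{name:6} {status}")
    print(security_status_counts(results))
    print(search(SCOPE, "ws0*"), search(SCOPE, "ws0"))
```

Running the assessment twice, once with check_port=None, shows why the page recommends the connectivity check: the firewalled computer ends up Unreachable either way, but only the checked run gets there without attempting the remaining verification tasks.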


Using Advanced Search

Use the advanced search function to search for only the computers that meet your search criteria. If you use the advanced search function, specify the complete name for these items:
IP address
Computer
OfficeScan server
Active Directory tree

Use the wildcard character (*) if you are unsure of the complete name. OfficeScan will not return a result if the name is incomplete and the wildcard character is not specified.

Figure 5.18: Security Compliance Advanced Search

Installing the OfficeScan Client from Security Compliance

To improve security compliance, OfficeScan provides a method for installing client software directly from the Security Compliance query results page. However, this method will not work for target computers if any of these conditions are true:
The OfficeScan server is installed on the target.
The target runs Windows XP Home, Windows Vista/7 Home Basic, or Windows Vista/7 Home Premium. For these platforms, you must use another deployment method.

PREPARING TO INSTALL

If the target computer runs Windows Vista/7 Business, Enterprise, or Ultimate Edition, you must perform the following steps on the computer before you can install the client through Security Compliance:

1. Enable a built-in administrator account and set the password for the account.

2. Disable the Windows firewall.

2.1. Click Start > Programs > Administrative Tools > Windows Firewall with Advanced Security.

2.2. For Domain Profile, Private Profile, and Public Profile, set the firewall state to off.

3. Open Microsoft Management Console (click Start > Run and enter services.msc) and start the Remote Registry service. When installing the OfficeScan client, use the built-in administrator account and password.


If a Trend Micro or a third-party endpoint security program is installed on the computer, check if OfficeScan can automatically uninstall the software and replace it with the OfficeScan client. For a list of endpoint security software that OfficeScan automatically uninstalls, open the following files in {installationpath}\PCCSRV\Admin. You can open these files with a text editor like Notepad.
tmuninst.ptn
tmuninst_as.ptn

If the software on the target computer is not included in the list, manually uninstall it first. Depending on the uninstallation process of the software, the computer may or may not need to restart after uninstallation.

Finally, before starting the installation process, record the logon credentials for each computer you plan to deploy the client to. OfficeScan will prompt you to specify the logon credentials during installation.

Important: You cannot use this method to update the OfficeScan client. If an earlier OfficeScan client version is already installed on a computer and you click Install, the installation will be skipped and the client will not be updated to this version.

PERFORMING THE INSTALLATION

To install the OfficeScan client from the Security Compliance page:

1. Select one or more computers from the list of computers in the content-display area, and then click Install, located in the top-left of the table header area.

2. Specify the administrator logon account for each computer and click Log on. OfficeScan starts installing the client on the target computer.

Figure 5.19: Client Installation Process

Updating Queries for Computers Outside Server Management

You can update query results on the Outside Server Management page by scheduling a query to run at regular intervals, or you can update results manually.

SCHEDULING A QUERY

OfficeScan can automatically query the Active Directory/IP address scope based on a schedule. To configure the query schedule:


1. Click Security Compliance > Outside Server Management.

2. Click the Settings button in the top-right header of the content-display area. The Scheduled Outside Server Management Assessment page appears.

Figure 5.20: Active Directory Query Settings

3. Ensure that the Enable scheduled query checkbox is selected.

4. Specify the schedule: hourly, daily, weekly, or monthly.

NOTE If you specify the 31st of each month and the month has less than 31 days, the assessment happens on the last day of the month.

5. Click Save.
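As an added example (not OfficeScan code), the helper below computes when the next scheduled assessment would run for each of the four frequencies and reproduces the note's rule for a monthly run set to the 31st. The parameters attached to each frequency (an hour for daily runs, a weekday for weekly runs, a day of the month for monthly runs) are assumptions of the example, not the exact fields of the Scheduled Outside Server Management Assessment page.

```python
"""Next run of a scheduled Outside Server Management query (added example)."""
import calendar
from datetime import datetime, timedelta
from typing import List, Optional


def clamp_day(year: int, month: int, day: int) -> int:
    """Use the last day of the month when `day` does not exist in it (page note)."""
    return min(day, calendar.monthrange(year, month)[1])


def next_monthly_run(after: datetime, day_of_month: int, hour: int = 0) -> datetime:
    """First monthly run strictly after `after`, on `day_of_month` clamped per month."""
    year, month = after.year, after.month
    for _ in range(2):  # the run falls either in this month or in the next one
        run = datetime(year, month, clamp_day(year, month, day_of_month), hour)
        if run > after:
            return run
        month += 1
        if month > 12:
            month, year = 1, year + 1
    raise RuntimeError("unreachable: the next month always yields a later run")


def next_run(after: datetime, frequency: str, hour: int = 0,
             weekday: Optional[int] = None, day: Optional[int] = None) -> datetime:
    """Next run after `after` for hourly, daily, weekly or monthly schedules."""
    base = after.replace(minute=0, second=0, microsecond=0)
    if frequency == "hourly":
        return base + timedelta(hours=1)
    if frequency == "daily":
        run = base.replace(hour=hour)
        return run if run > after else run + timedelta(days=1)
    if frequency == "weekly":
        run = base.replace(hour=hour) + timedelta(days=(weekday - base.weekday()) % 7)
        return run if run > after else run + timedelta(days=7)
    if frequency == "monthly":
        return next_monthly_run(after, day, hour)
    raise ValueError(f"unknown frequency: {frequency}")


def monthly_runs(start: datetime, day_of_month: int, count: int, hour: int = 0) -> List[datetime]:
    """The first `count` monthly runs after `start`; shows the clamp and the return to the 31st."""
    runs, cursor = [], start
    for _ in range(count):
        cursor = next_monthly_run(cursor, day_of_month, hour)
        runs.append(cursor)
    return runs


if __name__ == "__main__":
    for run in monthly_runs(datetime(2011, 1, 1), 31, 4, hour=2):
        print(run.strftime("%Y-%m-%d %H:%M"))   # 31 Jan, 28 Feb, 31 Mar, 30 Apr
```

The clamp is applied per month rather than once, so a schedule configured for the 31st runs on 28 February and then again on 31 March, instead of drifting to the 28th permanently.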

Manually Updating a Query

To manually update your query results, click the Query Now button shown on the Active Directory Query Settings page. In addition, when your query results are outdated, a yellow warning appears at the top of the Security Compliance page that states: The current compliance report is out-of-date. Please perform reassessment to get the latest information. When this warning appears, you can click the Query Now button to update your query on demand.

Figure 5.21: Security Compliance Page with Query Now Button


5.4 > Smart Protection Server Settings


Smart Protection services off-load anti-malware signatures and URLs previously stored on endpoint computers to the Smart Protection Network of Smart Protection servers. Smart Protection services are based on these core technologies:
File Reputation
Web Reputation
Smart Feedback

Trend Micro's Smart Protection solution relies on an advanced scanning architecture that leverages anti-malware signatures, web reputations, and threat databases that are stored in-the-cloud. Smart Protection leverages file-reputation technology to detect security risks and web-reputation technology to proactively block websites. Trend Micro also continues to harvest anonymously sent information from Trend Micro products worldwide to proactively determine each new threat. OfficeScan provides two types of local Smart Protection Servers:

Integrated Smart Protection Server
The OfficeScan server setup program includes an integrated Smart Protection Server that is installed alongside the core OfficeScan server software. After the installation, you can manage the settings for this server on the Smart Protection > Integrated Server page of the OfficeScan management console.

Standalone Smart Protection Server
Standalone Smart Protection Servers install on a VMware or Hyper-V server. A standalone server has a separate management console and is not managed from the OfficeScan Web console.

The Smart Protection menu in the navigation column of the OfficeScan management console provides access to configuration parameters that allow you to determine which clients connect to which Smart Protection servers. You can also configure the integrated Smart Protection server that can be installed on the same host as the core OfficeScan server software. You can also configure the opt-in/opt-out options for participation in the Trend Micro Smart Protection Network feedback program.

Understanding Smart Scan File-Reputation Checking


The Smart Protection solution for malware detection, called Smart Scan, makes use of lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns. When in Smart Scan mode, the OfficeScan client first scans for security risks locally. If the client cannot determine the risk of the file during the scan, the client connects to a Smart Protection server. Smart Scan patterns originate from the Trend Micro ActiveUpdate server and are made available to Smart Protection servers and the OfficeScan server. The Smart Scan Agent Pattern is hosted on the client update source (the OfficeScan server or a Customized Update Source) and downloaded by clients.


Smart Protection servers host the Smart Scan Pattern. This pattern is updated hourly, but can also be updated every 15 minutes, and contains the majority of the pattern definitions. Smart Scan clients do not download this pattern. Clients verify potential threats by sending scan queries to the Smart Protection Server. Using the identification information sent in the query, Smart Scan checks the reputation of each file against an extensive in-the-cloud database. Since the malware information is stored in the cloud, up-to-date information is available instantly to all users. High performance content delivery networks and local caching servers minimize latency during the checking process. The cloud-client architecture offers more immediate protection, eliminates the burden of pattern deployment, and significantly reduces the overall client footprint. There are no component download overlaps between the Smart Protection Server and the OfficeScan server because each server downloads a specific set of components. A Smart Protection Server only downloads the Smart Scan Pattern while the OfficeScan server downloads all the other components.

Understanding Web-Reputation Checking


Web reputation technology tracks the credibility of Web domains by assigning a reputation score based on factors such as a Web site's age, historical location changes and indications of suspicious activities discovered through malware behavior analysis. It will then continue to scan sites and block users from accessing infected ones. When a client accesses a URL, Trend Micro:
Leverages the domain-reputation database to verify the credibility of the web sites and pages
Assigns reputation scores to web domains and individual pages or links within sites
Allows or blocks users from accessing sites

To increase accuracy and reduce false positives, Trend Micro web-reputation technology assigns reputation scores to specific pages or links within sites instead of classifying or blocking entire sites since there are times that only portions of legitimate sites are hacked and reputations can change dynamically over time.

5.4.1 Configuring Smart Protection Lookup Sources


The Smart Protection Server to which a client connects depends on the client computer's location. Internal clients connect to local Smart Protection Servers (integrated or standalone), while external clients connect to the Global Smart Protection Server. If you have installed local Smart Protection Servers, configure the Smart Protection server list. Internal clients use this list to send scan queries. If a client cannot connect to the first server, it will attempt to connect to the next server on the list, and so on.


Figure 5.22: Smart Protection Source Settings for Internal Clients

You can choose whether to use the standard list for clients or create custom lists. To configure the Smart Protection source:

1. Click Smart Protection > Smart Protection Sources > Internal Clients.

2. Select whether clients will use the Standard List or Custom Lists.

3. Click Notify All Clients. Smart Scan clients automatically refer to the list you have configured.

Configure the Standard List

The standard list is used by all internal Smart Scan clients unless you configure a custom list. You can configure clients to use proxy settings when connecting to the Smart Protection Servers on the list by going to Administration > Proxy Settings. To add a server to the standard list:

1. Click Smart Protection > Smart Protection Sources > Internal Clients (figure above).

2. Click the standard list link and, from the page that opens, click Add.

Figure 5.23: Adding a Smart Protection Server Address


3. Specify the Smart Protection Server's name or IP address. To obtain the Smart Protection Server address of the integrated Smart Protection Server, go to Smart Protection > Integrated Server and find the server address column of the Client Connection information table at the top of the page. To find the URL for standalone Smart Protection Servers, open the standalone server's console and see the Summary page.

3.1. Select which reputation services should be used on this server and specify the port number for which these connections should be made.

3.2. Click Test Connection to verify that a connection to the server can be established.

Tip Because the integrated Smart Scan Server and the OfficeScan server run on the same computer, the computer's performance may reduce significantly during peak traffic for the two servers. To reduce the traffic directed to the OfficeScan server computer, assign a standalone Smart Scan Server as the primary scan source and the integrated server as a backup source.

4. Click Save when the test connection is successful.

From the Standard Smart Protection Server List page, you can also perform these functions:
Modify the server's address by clicking the link under Smart Protection Server Address
Open the console of a local Smart Protection Server by clicking the Launch console link
Delete a server by selecting the checkbox for the server and clicking Delete
Export the list to a .dat file by clicking Export and then clicking Save
Import a list exported from another server by clicking Import and locating the .dat file
Choose whether clients will refer to the servers in the order in which they appear on the list or randomly (when you select Order, you can use the arrows in the Order column to move servers up and down the list; however, the integrated server will always be last on the list)

Configure Custom Lists

Custom lists let you manage network traffic by specifying a range of IP addresses that will query each Smart Protection server. You can also choose whether to have clients refer to the standard list when all servers on the custom list are unavailable. To configure custom lists:

1. Click Smart Protection > Smart Protection Sources > Internal Clients.

2. Click Add.

3. Specify the following:
IP address range
Proxy settings clients will use to connect to the local Smart Protection Servers


Figure 5.24: Settings for Configuring Custom Lists

4. Specify the Smart Protection Server's name or IP address. To obtain the Smart Protection Server address of the integrated Smart Protection Server, go to Smart Protection > Integrated Server and find the server address column of the Client Connection information table at the top of the page. To find the URL for standalone Smart Protection Servers, open the standalone server's console and see the Summary page.

4.1. Select which reputation services should be used on this server and specify the port number for which these connections should be made.

4.2. Click Test Connection to verify that a connection to the server can be established.

5. Select whether clients will refer to the servers in the order in which they appear on the list or randomly. If you select Order, you can use the arrows under the Order column to move servers up and down the list.

6. Click Save when the test connection is successful.

You can modify an IP address range and its corresponding custom list by clicking the link under IP Range. You can also import and export custom lists in the same way as standard lists.
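The following added example (not OfficeScan code) models the standard-list and custom-list behaviour described in the two procedures above: a client whose IP falls in a custom list's range queries that list's servers, optionally falls back to the standard list when they are all unavailable, and otherwise walks the standard list in configured or random order with the integrated server last. The server names, IP ranges and the SourceSettings/ServerList structures are constructed; two details are assumptions rather than page facts: a client matching no custom range uses the standard list, and the integrated server stays last under random order too (the page states this only for Order).

```python
"""Which Smart Protection Servers an internal client queries (added example)."""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class SmartProtectionServer:
    address: str
    file_reputation: bool = True     # reputation services enabled on this entry
    web_reputation: bool = True
    integrated: bool = False         # the integrated server is always last in the order


@dataclass
class ServerList:
    servers: List[SmartProtectionServer]
    order: str = "order"                          # "order" or "random"
    ip_range: Optional[Tuple[str, str]] = None    # None: standard list; (first, last): custom

    def covers(self, ip: str) -> bool:
        if self.ip_range is None:
            return True
        first, last = (ipaddress.ip_address(a) for a in self.ip_range)
        return first <= ipaddress.ip_address(ip) <= last


@dataclass
class SourceSettings:
    """Smart Protection > Smart Protection Sources > Internal Clients (constructed model)."""
    standard: ServerList
    custom_lists: List[ServerList] = field(default_factory=list)
    use_custom: bool = False
    fallback_to_standard: bool = True   # refer to the standard list when custom servers are down


def ordered(servers: List[SmartProtectionServer], order: str, rng=None) -> List[SmartProtectionServer]:
    """Apply Order or Random; the integrated server keeps the last position."""
    others = [s for s in servers if not s.integrated]
    last = [s for s in servers if s.integrated]
    if order == "random":
        (rng or random).shuffle(others)
    return others + last


def lookup_sequence(client_ip: str, settings: SourceSettings, service: str, rng=None) -> List[str]:
    """Server addresses a client tries, in order, for service 'file' or 'web'."""
    seq: List[SmartProtectionServer] = []
    matched = None
    if settings.use_custom:
        matched = next((cl for cl in settings.custom_lists if cl.covers(client_ip)), None)
    if matched is not None:
        seq = ordered(matched.servers, matched.order, rng)
    if matched is None or settings.fallback_to_standard:
        seq = seq + [s for s in ordered(settings.standard.servers, settings.standard.order, rng)
                     if s not in seq]
    return [s.address for s in seq if getattr(s, service + "_reputation")]


def first_available(client_ip: str, settings: SourceSettings, service: str,
                    available: Set[str], rng=None) -> Optional[str]:
    """Client-side failover: the first server in the sequence that answers."""
    for address in lookup_sequence(client_ip, settings, service, rng):
        if address in available:
            return address
    return None


# Constructed sample configuration.
SPS_A = SmartProtectionServer("sps-a.corp.example")
SPS_B = SmartProtectionServer("sps-b.corp.example", web_reputation=False)
INTEGRATED = SmartProtectionServer("osce.corp.example", integrated=True)
BRANCH = SmartProtectionServer("sps-branch.corp.example")
SETTINGS = SourceSettings(
    standard=ServerList([SPS_A, SPS_B, INTEGRATED]),
    custom_lists=[ServerList([BRANCH], ip_range=("10.1.0.0", "10.1.255.255"))],
    use_custom=True,
)

if __name__ == "__main__":
    print(lookup_sequence("10.1.5.5", SETTINGS, "file"))   # branch first, then standard list
    print(lookup_sequence("10.2.0.5", SETTINGS, "web"))    # standard list, sps-b skipped
    print(first_available("10.1.5.5", SETTINGS, "file", {"sps-b.corp.example"}))
```

Note that per-service filtering matters: a server added with only file reputation enabled is skipped for web-reputation queries, so a client in its range may end up on the integrated server for web lookups even when the custom list looks fully populated.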


5.4.2 Configuring the Integrated Smart Protection Server

The Integrated Smart Protection server page shows status information for the integrated server, including the URL required to access the server's services, the Smart Scan pattern version, and the web-blocking list version. You can also perform manual component updates at any time by clicking Update Now, as well as toggle services on and off and configure update settings.

Figure 5.25: Integrated Smart Protection Server Status and Update Settings

You can choose whether to use the integrated file-reputation service or the integrated web-reputation service by selecting/deselecting the corresponding checkboxes at the top of the page. Deselecting both options causes the following:
The Trend Micro Smart Protection Server service (iCRCService.exe) stops.
The integrated server stops updating components from the ActiveUpdate server.
Clients will not be able to send scan queries to the integrated server.

Clients can connect to the integrated file-reputation service using HTTP or HTTPS. HTTPS allows for a more secure connection, while HTTP uses less bandwidth.


To import web-reputation service approved/blocked rules:

1. Click Smart Protection > Integrated Server.

2. Click Import in the Web Reputation Service Approved/Blocked List section.

3. Select a .CSV file to upload.

4. Click Upload.

Figure 5.26: Importing Approved/Blocked Rules for the Integrated Web Reputation Service

To configure Smart Protection server update settings:

1. Click Smart Protection > Integrated Server.

2. To update the pattern automatically, enable scheduled updates and configure the update schedule. You can choose to update hourly or every 15 minutes.

3. Select the location from where you want to download component updates.

3.1. If you choose ActiveUpdate server, ensure that the server has Internet connection and, if you are using a proxy server, test if Internet connection can be established using the proxy settings.

3.2. If you choose a custom update source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between the server computer and this update source. If you need assistance setting up an update source, contact your support provider.

4. Click Save.

5.4.3 Configuring Smart Feedback Options

Trend Micro Smart Feedback provides continuous communication between Trend Micro products and the company's 24/7 threat research centers and technologies. Each new threat identified through a single customer's routine reputation check automatically updates all of Trend Micro's threat databases, blocking any subsequent customer's encounters of a given threat. By continuously processing the threat intelligence gathered through its extensive global network of customers and partners, Trend Micro delivers automatic, real-time protection against the latest threats and provides better together security. This is much like an automated Neighborhood Watch program that coordinates direct community involvement in the protection against crime. A customer's private information is always protected. Threat information is cataloged based only on the reputation of the communication source.

Trend Micro Smart Feedback is designed to collect and transfer relevant data from clients' Trend Micro Smart Protection Servers to Trend Micro back-end servers so that further analysis can be conducted, and consequently, advanced solutions can evolve and be deployed to protect clients.


The information that Trend Micro collects from your computer includes:
File checksums
Web sites accessed
File information, including sizes and paths
Names of executable files

Important: You do not need to participate in Smart Feedback to protect your computers. Your participation is optional and you may opt out at any time. Trend Micro recommends that you participate in Smart Feedback to help provide better overall protection for all Trend Micro customers. You can terminate your participation in the program anytime from the management console.

For more information about how the Smart Protection Network works and the benefits that it provides, visit www.smartprotectionnetwork.com.

Tip Smart Feedback uses the same global proxy settings (Administration > Proxy Settings > External Proxy) used for Web Reputation Services and the Global Smart Scan server.

To modify your participation in the program:

1. Click Smart Protection > Smart Feedback.

Figure 5.27: Configuring Smart Feedback Options

2. Select/deselect Enable Trend Micro Smart Feedback.

2.1. To help Trend Micro understand your organization, select the industry in which your company does business.

2.2. To send information about potential security threats in the files on your client computers, select the Enable feedback of suspicious program files checkbox.

NOTE Files sent to Smart Feedback contain no user data and are submitted only for threat analysis.

2.3. Set the criteria for sending feedback by selecting the number of detections (5, 10, 15 or 20) that must occur and the duration of time in minutes (1, 5, 10, 15, 30, 45 or 60) that must elapse since feedback was last sent.


3. Specify the maximum bandwidth OfficeScan uses when sending feedback to minimize network interruptions.

4. Click Save.

5.5 > Client Management

The OfficeScan management console makes it easy for you to execute tasks related to organizing, configuring, scanning, and checking the status of OfficeScan clients. Frequently, many of the tasks that you will need to perform on an ongoing basis can be done using the Networked Computers > Client Management page. Because the client tree is the core client-selection and information-display tool on the Client Management page, the root-level and sub-folder-level organization of the client tree is an important component of the efficient and effective use of OfficeScan client-management capabilities.

5.5.1 Client Grouping

The grouping of clients within the client tree can be automated in a number of ways, based on basic domain names already configured for the various network protocols that are in use on your network. The Networked Computers > Client Grouping page allows you to specify whether to group clients by the NetBIOS, Active Directory, or DNS domain name of each client. The option to create custom client groups is a feature introduced in OfficeScan version 10.5.

Figure 5.28: Selecting a Default Client Grouping Option

When one of the top three grouping settings, that is NetBIOS domain, Active Directory domain, or DNS domain, is selected, you also retain the option to create custom folders within the client tree on the Networked Computers > Client Management page, and manually drag-and-drop existing clients from one folder to another to fine-tune your client-tree configuration.


Tip The top three grouping methods are intended to simplify the default client-tree-folder
assignment for newly installed clients. Afterwards, Trend Micro generally assumes that you would then move those clients from their domain-name-determined default locations to a more permanent client-tree location based on department, function, or whatever other scheme that you may want to use to organize OfficeScan clients. An important disadvantage of manual (or non-rules-based) client-tree configuration is that if a clients network-domain assignment is subsequently changed, no corresponding change occurs in the OfficeScan client-tree.

When custom client groups is selected on the Client Grouping page, an additional menu option named Custom Client Groups appears in the Networked Computers section of the main navigation column of the management console, and you no longer have the ability to create new folders using the toolbar on the Client Management page. All refinements to client-tree folders and membership rules for those folders must afterwards be managed using the Networked Computers > Client Grouping page.

Tip: The custom client groups option is designed to provide a top-to-bottom rules-based method for organizing the client tree. You may then optionally schedule a regrouping process by which existing clients within the client tree may be reassigned a client-tree location based on the current domain or IP-address configuration parameters of the client. Trend Micro generally assumes that changes that occur between regroupings are likely to be small. But for organizations that must manage a large number of computers and coordinate the management of them across multiple application-level and network-level systems, within a dynamic environment of job-role changes, asset relocations, and organizational changes, OfficeScan custom client groups allow you to mirror the domain and IP-addressing policies that you may have already established for other management-related systems. Changing the domain assignment or IP address of a client because that client has changed functional contexts can then automatically correspond to a change in OfficeScan policy.

To configure the client grouping method:
1. Click Networked Computers > Client Grouping.
2. Specify the client grouping method.
3. Click Save or Save and create domain now.

For information about configuring the client tree using the options available on the Manage Client Tree dropdown menu on the Client Management page, see section 5.5.16 Client Management: Managing the Client Tree on page 169.

Note that the add, rename, move, and remove domain options on this dropdown menu are not available when the custom client groups grouping method is selected. Further information about managing the client tree using custom client groups may be found in the present section, below.

Defining and Managing Custom Client Groups


OfficeScan does not create any custom client groups by default. Therefore, you must add at least one new custom client group using the Networked Computers > Client Grouping page.


Figure 5.29: Selecting to Add a Grouping Rule for Custom Client Groups

This page displays all of the rules that you may have previously created; it allows you to add new rules, delete old rules, and prioritize the current list of rules; it displays the status of each rule along with other profile information; and it provides a button to run your current sorting rules on demand. There are two types of custom groupings that you can create:

Active Directory-based: This type of custom client grouping allows you to map Active Directory structures to the OfficeScan client tree. This enables organizations that have already invested a lot of effort in organizing their Active Directory schemes to reproduce them within OfficeScan easily.

IP Address-based: This type of custom client grouping allows you to create grouping rules that operate independently of your Active Directory structure. In some cases, existing Active Directory structures correspond very well to the security groupings that are most effective for managing OfficeScan clients. Where this is not the case, IP-address-based grouping rules can be used instead. IP-based definitions can also be used to supplement or provide exceptions for other Active Directory-based rules.

To add an Active Directory grouping:
1. Click Networked Computers > Custom Client Groups > Manage Client Groups > Add > Active Directory.
2. Enable and specify a name for the rule.


Figure 5.30: Adding a Custom Grouping Rule Based on Active Directory Information

3. Specify the Active Directory domain(s) or folder(s) for this client group.
3.1. Optionally enable Duplicate Active Directory structure into the OfficeScan client tree to map an Active Directory folder with subdomains to an OfficeScan domain instead of mapping individual folders to OfficeScan domains.
3.2. Specify the OfficeScan client-tree folder that will be mapped to the selected Active Directory domain(s). (Note: you can select only one client-tree folder destination.)
3.2.1. To create a new folder in the client tree, hover the mouse over the target domain folder, and then click the + icon that appears.
3.2.2. Enter a name for the new folder, and then click the check mark to the right of the text box to create the folder. (Click the x to cancel.)
3.2.3. Optionally: you can edit or delete a folder that you have just created by selecting it, hovering the mouse over the (blue) folder name, and then selecting the edit (pad with pencil) or delete (rubbish bin) icon.
OfficeScan maps Active Directory domains to OfficeScan domains. When mapping domains without subdomains, only the domain folder will appear. If the Active Directory has subdomains, the OfficeScan client tree copies the folder structure with the corresponding subdomains.
4. Click Save. The client group displays in the list of rules on the Manage Client Groups page. When the mouse is hovered over an information item related to the rule, additional profile information about the rule is displayed in the Preview pane.


Figure 5.31: The Manage Client Groups List after Creating and Running a Rule

5. Sort the priority of the existing list. Refer to Managing the Priority of Custom Group Sorting Rules below.
6. Click Save to save the changes, or Save and Create Domain Now. If you select to run the rules now, progress is indicated to the right of the bottom row of action buttons.

NOTE: Clicking Save and Run rules now creates the destination folder in the OfficeScan client tree but does not move existing clients to the specified domain. Also, running the rules may take a long time to complete, especially if the scope is broad.

To add an IP address grouping:
1. Click Networked Computers > Client Grouping > Add > IP Address.
2. Enable and specify a name for the rule.

Figure 5.32: Adding a Custom-Client-Grouping Rule Based on an IP Address Range

3. Specify a single IP address or an IP address range.
4. Specify the OfficeScan client-tree folder that will be mapped to the specified address(es).
Important: You can only select one OfficeScan client-tree folder.
4.1. To create a new folder in the client tree, hover the mouse over the target domain folder, and then click the + icon that appears.
4.2. Enter a name for the new folder, and then click the check mark to the right of the text box to create the folder. (Click the x to cancel.)
4.3. Optionally: you can edit or delete a folder that you have just created by selecting it, hovering the mouse over the (blue) folder name, and then selecting the edit (pad with pencil) or delete (rubbish bin) icon.

5. Click Save. The client group displays in the list of rules on the Manage Client Groups page. When the mouse is hovered over an information item related to the rule, additional profile information about the rule is displayed in the Preview pane.
6. Sort the priority of the existing list. Refer to Managing the Priority of Custom Group Sorting Rules below.
7. Click Save to save the changes, or Save and Create Domain Now. If you select to run the rules now, progress is indicated to the right of the bottom row of action buttons.

NOTE: Clicking Save and Run rules now creates the destination folder in the OfficeScan client tree but does not move existing clients to the specified domain. Also, running the rules may take a long time to complete, especially if the scope is broad.

Managing the Priority of Custom Group Sorting Rules


If a client falls under two client groups, OfficeScan will group the client under the higher ranking client group. Therefore, you should move exceptions to the top of the list as a matter of general practice.

To sort the client grouping priority:
1. Click Networked Computers > Custom Client Groups > Manage Client Groups.

Figure 5.33: Changing the Order of the Custom-Client-Groups Sorting Rules

2. Select the client group to move and click the up or down arrow to move each corresponding rule up or down. Rules that change position are highlighted in red and are underscored. After being moved, the corresponding ID number for affected client grouping rules (the far left column of the row) reflects each rule's position in the list.
3. Click Save.
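The rule-priority behaviour described above (the highest-ranking matching rule wins, so exceptions belong at the top) is easy to get wrong when a narrow IP exception and a broad Active Directory rule both match the same computer. The following is an added example, written for this textbook and not Trend Micro's own code, that simulates a first-match evaluation of an ordered rule list: the rule fields, the folder names, the sample rules and the sample clients are all constructed assumptions, and the Active Directory match is modelled as a distinguished-name suffix match.

```python
"""First-match client grouping in the spirit of OfficeScan custom-client-group
sorting rules: rules are evaluated top-down in priority order, and the first
enabled rule that matches a client decides its client-tree folder.
Added example, not Trend Micro code; rule fields, folder names and sample
clients are constructed assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class GroupingRule:
    name: str
    kind: str           # "ip" (single address or CIDR range) or "ad" (AD container DN)
    match: str
    target_folder: str  # OfficeScan client-tree folder the rule maps to
    enabled: bool = True


@dataclass
class Client:
    hostname: str
    ip: str
    ad_dn: str          # distinguished name of the computer object in AD


def rule_matches(rule: GroupingRule, client: Client) -> bool:
    """Evaluate one rule against one client."""
    if rule.kind == "ip":
        # A single address is treated as a /32; a range is given in CIDR form.
        return ipaddress.ip_address(client.ip) in ipaddress.ip_network(rule.match, strict=False)
    if rule.kind == "ad":
        # A client belongs to an AD container if its DN ends with the container's DN.
        return client.ad_dn.lower().endswith("," + rule.match.lower())
    raise ValueError(f"unknown rule kind: {rule.kind}")


def assign_folder(rules: list, client: Client, default: str = "Unassigned") -> str:
    """Return the folder of the first enabled matching rule (highest priority wins)."""
    for rule in rules:              # list order is priority order; index 0 is the top
        if rule.enabled and rule_matches(rule, client):
            return rule.target_folder
    return default


def regroup(rules: list, clients: list) -> dict:
    """Simulate an on-demand (re-)sorting run over all clients."""
    return {c.hostname: assign_folder(rules, c) for c in clients}


# Constructed sample rules. The kiosk exception sits at the top on purpose:
# kiosks live inside the Finance OU, so the broader AD rule would otherwise win.
RULES = [
    GroupingRule("Kiosk VLAN exception", "ip", "10.1.50.0/24", "Kiosks"),
    GroupingRule("Finance OU", "ad", "OU=Finance,DC=corp,DC=example", "Finance"),
    GroupingRule("HQ address space", "ip", "10.1.0.0/16", "HQ"),
    GroupingRule("Retired lab rule", "ip", "172.16.0.0/12", "Lab", enabled=False),
]

# Constructed sample clients.
CLIENTS = [
    Client("fin-pc01", "10.1.20.5", "CN=FIN-PC01,OU=Workstations,OU=Finance,DC=corp,DC=example"),
    Client("kiosk01", "10.1.50.7", "CN=KIOSK01,OU=Kiosks,OU=Finance,DC=corp,DC=example"),
    Client("dev-pc02", "10.1.80.2", "CN=DEV-PC02,OU=Engineering,DC=corp,DC=example"),
    Client("fin-lap03", "192.168.9.4", "CN=FIN-LAP03,OU=Finance,DC=corp,DC=example"),
    Client("lab-pc09", "172.16.4.1", "CN=LAB-PC09,OU=Lab,DC=corp,DC=example"),
]


def demoted_exception(rules: list) -> list:
    """The same rules with the top one moved to the bottom, to show why order matters."""
    return rules[1:] + rules[:1]


if __name__ == "__main__":
    for host, folder in regroup(RULES, CLIENTS).items():
        print(f"{host:10s} -> {folder}")
    print("kiosk01 with the exception demoted:", assign_folder(demoted_exception(RULES), CLIENTS[1]))
```

Running the module shows kiosk01 landing in Kiosks while the exception is at the top, and in Finance once the exception is moved below the Active Directory rule; lab-pc09 falls through to the default folder because the only rule covering it is disabled.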

Disabling and Deleting Custom Group Sorting Rules


In addition to enabling you to create new rules and sort the order of your grouping rules, the list management capability of the Manage Client Groups page also enables you to disable existing rules, or you can delete them.

To delete one or more custom group sorting rules:


1. Click Networked Computers > Custom Client Groups > Manage Client Groups.

Figure 5.34: Highlighted Delete and Enable/Disable Tools for Custom Client Grouping Rules

2. In the far left column, select one or more individual rules by clicking the checkbox that corresponds to the rule(s) that you want to delete. Select the checkbox in the header row to select all current rules.
3. Click Delete.
4. In response to the confirmation prompt "Are you sure you want to delete the selected rule(s)?", click OK.
5. Click Save.

To enable/disable custom group sorting rules:
1. Click Networked Computers > Custom Client Groups > Manage Client Groups.
2. Click the status icon in the status column that corresponds to the rule that you want to enable or disable. Alternatively, you can click the name of the target rule, then select or deselect the "enable this rule" checkbox on the Edit Grouping Rule page, and then click Save.
3. Click Save.

Scheduling Client (Re-)Groupings


When you create one or more custom client groups, OfficeScan creates the appropriate corresponding destination folder(s) in the OfficeScan client tree. Existing clients are not, however, automatically moved. There are several ways that you can cause clients to be moved to the destination folders defined by your existing sorting rules:
Manually running an on-demand (re-)sorting of the client tree.
Enabling the sorting rules to run on a configured schedule.
Causing or allowing one of these client events to occur:
    Installation of the OfficeScan client
    Reloading of the OfficeScan client
    Changing of the IP address of the client
    Enabling or disabling roaming mode

To schedule client groupings:
1. Click Networked Computers > Client Grouping > Schedule Domain Creation.


Figure 5.35: Scheduling Custom Client Grouping Rules to be Run Periodically

2. Select Enable scheduled grouping rule.
3. Specify the schedule.
4. Click Save.

5.5.2 The Client Management Toolbar


The tool bar at the top of the client tree (introduced above) is unique to this page and provides you with access to a broad range of management tasks that include:
In-depth status checking, including data exporting
On-demand scanning, client uninstallation, and spyware/grayware restoring
Managing all domain-specific (policy-group specific) settings
Quick access to client-event logs (query, display, and delete functions)
Creating, deleting, and renaming OfficeScan domains and adding/removing clients

Figure 5.36: Client Management Tool Bar Menus

The Client Management page also provides search capabilities to find and select clients based on name only (simple search) or a broad range of criteria (advanced search). You can review status information using the content area of the client-tree view. You can also use the status button to display the same information, but in a report-type format.


5.5.3 Client Status Information


Status information is shown for each client in the content area of the client tree display. The content-area column header identifies over 45 status items for each client. Because so much information is available, you will frequently need to use the horizontal scroll bar (at the bottom of the content area) to view the information on which you want to focus. You can also use the client tree view drop-down menu to select from six preformatted views of the content pane: view all, update view, antivirus view, anti-spyware view, firewall view, and Smart Scan view. Each selection changes the width and position of the header row to provide quicker access to the information in each category.

Figure 5.37: Working with Client Status Information Using the Tree View Tool

Available status information includes:


Basic Information
Computer name [NetBIOS/hostname]
GUID
Scan method
Connection status
Smart Scan Server status
Smart Scan Server URL
Web Reputation service status
Web Reputation service URL
Virus/Malware detected
Spyware/Grayware detected
Outbreak prevention policy
Platform
Architecture
IP address
MAC address
Update Agent Components
Update Agent Settings
Update Agent Program and Hotfixes
Domain
Rule name
Port
Last startup
Last shutdown

Program Information
OfficeScan client program
Date installed
Date upgraded
Hot fix
Cisco Trust Agent program


Component Information [versions]


Virus Scan Engine
Smart Scan Agent Pattern (SS Client)
Virus Pattern (Conventional Scan Client)
Virus Cleanup Engine
Virus Cleanup Template
IntelliTrap Pattern
IntelliTrap Exception Pattern
Spyware Scan Engine
Spyware Pattern
Spyware Active-monitoring Pattern
Behavior Monitoring Driver
Behavior Monitoring Core Service
Behavior Monitoring Configuration Pattern
Digital Signature Pattern
Policy Enforcement Pattern
Behavior Monitoring Detection Pattern
Common Firewall Driver
Common Firewall Pattern

Firewall Information
Enabled/disabled
Firewall policy
Intrusion Detection System (IDS)
Accumulated firewall logs
Accumulated IDS logs
Accumulated network virus logs
Firewall logs per hour
IDS logs per hour
Network virus logs per hour
Last firewall count sent


Client Activity [dates and times]
Last Startup
Last Shutdown
Client Installation
Client Upgrade
Hot Fix

Virus/Malware Scan Information
Last Manual Scan
Last Real-time Scan
Last Scheduled Scan
Last Scan Now

Spyware/Grayware Scan Information
Last Manual Scan
Last Real-time Scan
Last Scheduled Scan
Last Scan Now

Privileges Information
Allow uninstallation
Allow unload

NOTE: Unlike many other network management programs, OfficeScan allows you to select and apply actions and settings to individually selected clients, to whole domains, or to the entire network. In other words, to give a single client a unique setting, you do not have to create a new group for it.

Using the Status button

The content (right-hand) area of the tree view is not populated with client data until a domain is selected or the result(s) of a search are displayed. The Status button in the tree-view tool bar provides access to an alternate view of the data displayed in the content area for all selected clients. To display client data, you can select the OfficeScan Server root object, a single domain, or one or more clients within a domain or advanced search results. Selecting clients and clicking the Status button displays client data in a separate (pop-up) browser window that includes expandable and collapsible sections for each client. Selecting a single client in the tree and clicking Status produces the results shown below.

Figure 5.38: Client Status Detail Displayed Using the Client Management Status Button

Client data is grouped in seven sections: basic information, along with program, component, firewall, virus/malware scan, spyware/grayware scan data, and privileges information. Using this window, you can also reset statistics for virus/malware, spyware/grayware, and firewall events using the buttons at the top of the page.


5.5.4 Client Search Functions


OfficeScan includes a simple search feature and an advanced search capability to help you locate clients. You can use the text box and search button at the top of the Client Management page to locate a client(s) by host/NetBIOS name.

Figure 5.39: Search Functions Available on the Client Management Page

The textbox/search button tool finds first matches for characters entered in the textbox. Wildcards are not allowed, but the search function behaves as though a wildcard is automatically added to the end of any text string that you enter.

For example, if you have a hundred clients whose hostnames all begin with the string "acme", pressing the search button will take you to the first client with a hostname that begins with those characters. Pressing the search button again will take you to the next match, and so on.

To locate clients based on various other criteria and see the results displayed in a group, use Advanced Search. For example, you can find clients based on IP address, operating system, or hardware platform. You can also find clients based on whether one or more components is out of date or based on other aspects of a client's status.

Clicking Advanced Search at the top of the Networked Computers > Client Management page launches a search-configuration page in a new browser window (shown below).

Figure 5.40: Advanced Search Configuration Page


Your search results are displayed in the client tree viewer. An object called Search Results appears in the domain-tree list on the left, and clients that match your search criteria are listed in the content area to the right.

Figure 5.41: Advanced Search Results Displayed in the Client Tree Viewer

You can use the list of results to check other status information, perform updates and other tasks, change settings, or view logs, the same as you would if navigating a normal domain.

5.5.5 Client Management Tasks


The Tasks drop-down menu at the top of the client tree on the Client Management page provides you with these options:

Figure 5.42: Tasks Menu on the Toolbar of the Client Management Page

You may select any number of clients from the client tree, individually or by selecting whole domains or even the OfficeScan Server icon to select all online clients in all domains. Once you have selected your target clients, clicking a task item launches a task tool that corresponds to the task you have selected.

Scan Now Task

Selecting Scan Now launches the same scan initiation/notification tool that is launched if you click Scan Now for All Domains in the navigation menu. The only difference is that when you select Scan Now for All Domains from the main navigation menu, the client-tree viewer is populated by default with all online clients.
NOTE: You can initiate manual/on-demand scans for online clients only. Offline and roaming clients will not appear in the Scan Now tool even if you specifically select them before clicking Scan Now.

Selecting Scan Now from the drop-down menu on the Client Management page populates the client-tree viewer with only those clients or domains that are currently selected. Thus, if only a single client is selected, that client alone appears in the initiation/notification tool, as shown in the figure below.


Figure 5.43: Starting a Manual Scan for a Single Client Using the Scan Now Tool

To start scanning, select target clients from the list and click Initiate Scan Now. If you do not select any clients, scan-now notifications will be sent to all clients. When the OfficeScan server confirms that a client has received a notification, a green tick mark is placed on the client icon.

WARNING! Performing a Scan Now is resource intensive. Using the high setting for CPU usage generally consumes more than half of CPU resources. When performing Scan Now on a computer that is in use, you may want to change the Scan Now CPU usage configuration to medium or low.

The Scan Now toolbar also makes these functions available:
Modify your manual scan settings by clicking Settings.
Send stop-scan notifications to selected clients by clicking Stop Scan Now.
In the event that some notifications fail, you can quickly select these clients by clicking Select Un-notified Computers.
If you have selected a large number of computers, the notification process can take time, in which case you may stop the notification process by clicking Stop Notification.
You can perform a simple search for hostnames using the textbox and Search button at the top of the Scan Now page.

Client Uninstallation Task


Selecting Tasks > Client Uninstallation on the toolbar of the Client Management page launches the Client Uninstallation tool, which functions similarly to the Scan Now tool and incorporates the listing function of the client-tree viewer, as shown below.

Figure 5.44: Uninstalling an OfficeScan Client from the Client Management Page


Clicking Initiate Uninstallation causes the OfficeScan server to notify the selected OfficeScan clients to launch the uninstallation application. After initiating the uninstallation, you can cancel the notification on un-notified computers by clicking Select Un-notified Computers, and then Stop Uninstallation.

Spyware/Grayware Restore Task


After cleaning spyware/grayware, OfficeScan clients back up the spyware/grayware data. At any time afterwards, you can use the OfficeScan server to instruct clients to restore previously removed spyware/grayware.
NOTE: You can also export OfficeScan spyware/grayware data to a CSV file for deeper analysis or for sending information about the removed software to others.

Selecting Tasks > Spyware/Grayware Restore on the toolbar of the Client Management page causes the OfficeScan server to query the selected clients for Spyware/Grayware logs and launches the Restore Spyware/Grayware tool.

Figure 5.45: Restoring Previously Removed Spyware from the Client Management Page

To view details for each item that can be restored, click View. A details page displays in the same browser window. Click Back to return to the previous page.

To restore spyware/grayware:
1. Select the data segments that you want to restore.
2. Click Restore. OfficeScan will notify you of the restore status. You can then check the spyware/grayware restore logs for a full report.


5.5.6 Client Management Settings


The Settings drop-down menu at the top of the client tree on the Client Management page provides you with these options:

Figure 5.46: Settings Menu on the Toolbar of the Client Management Page

You may select any number of clients from the client tree. You may select individual clients or whole domains. Selecting the OfficeScan Server icon selects all clients in all domains. Once you have selected your target clients, clicking an item from the settings menu launches the configuration page for the type of settings you have selected.

Scan Methods

Selecting a domain, computer, or group of computers and then choosing the Scan Methods option from the Settings menu allows you to switch from conventional scan to Smart Scan for the selected devices.

Figure 5.47: Scan Methods

Switching from conventional scan to Smart Scan requires careful planning and execution. If you are switching clients from conventional scan to Smart Scan, prepare by doing the following:


Product license: To use Smart Scan, ensure that you have activated the licenses for the following services and that the licenses are not expired: Antivirus; Web Reputation and Anti-spyware.

Global Smart Scan Server: If connection to the Global Smart Scan Server requires proxy authentication, specify authentication credentials.

Integrated Local Smart Scan Server: If you installed the integrated server during OfficeScan server installation, configure the update settings for this server and ensure the server has the latest updates. If you want clients to connect to this server through a proxy server, configure proxy settings. Consider disabling the OfficeScan firewall on the server computer. When enabled, the OfficeScan firewall may affect the integrated server's performance.

Standalone Local Smart Scan Server: If you have not set up any of these servers, install them first before switching clients to Smart Scan. Trend Micro recommends installing multiple servers for failover purposes. Clients that are unable to connect to a particular server will try to connect to the other servers you have set up.

Smart Scan Server list: Add the Smart Scan Servers you have set up to the Smart Scan Server list. Clients refer to the list to determine which Smart Scan Server to connect to.

Computer location settings: Configure location settings. OfficeScan includes a location awareness feature that identifies the client computer's location and determines whether the client connects to the global or a local Smart Scan Server. This ensures that clients remain protected regardless of their location.

OfficeScan server: Ensure that clients can connect to the OfficeScan server. Only online clients will be notified to switch to Smart Scan. Offline clients get notified when they become online. Roaming clients are notified when they become online or, if the client has scheduled update privileges, when the scheduled update runs. Also verify that the OfficeScan server has the latest components because Smart Scan clients need to download the Smart Scan Agent Pattern from the server.

Other Trend Micro products: If you have Trend Micro Network VirusWall Enforcer installed, install a hot fix (build 1047 for Network VirusWall Enforcer 2500 and build 1013 for Network VirusWall Enforcer 1200) and update the OPSWAT engine to version 2.5.1017 to enable the product to detect a client's scan method.

Whenever you switch client scan methods, whether you are switching to Smart Scan or back to conventional scan, consider the following:

Number of clients to switch: Switching a relatively small number of clients at a time allows efficient use of OfficeScan server and Smart Scan Server resources. These servers can perform other critical tasks while clients change their scan methods.

Timing: When switching to Smart Scan for the first time, clients need to download the full version of the Smart Scan Agent Pattern from the OfficeScan server. The Smart Scan Pattern is only used by Smart Scan clients. When switching back to conventional scan, clients will likely download the full version of the Virus Pattern and Spyware-active Monitoring Pattern from the OfficeScan server. These pattern files are only used by conventional scan clients. Consider switching during off-peak hours to ensure the download process finishes within a short amount of time. Also consider switching when no client is scheduled to update from the server. Also temporarily disable Update Now on clients and re-enable it after the clients have switched to Smart Scan.

Scan Options
Regular virus scanning is essential to keep your network free of computer viruses. OfficeScan provides three scanning methods to detect viruses before they start to multiply, spread, and damage your data.
Manual scan
Real-time scan
Scheduled scan

Manual scanning allows you and end users, if you give them permission, to scan for malware on demand. Real-time scanning monitors system activity in real time and scans for malware constantly. With real-time scanning, you select whether to notify users when a virus is detected or silently report the event back to the OfficeScan server. Scheduled scanning enables you to trigger system scans on a daily, weekly, or monthly basis.

NOTE: Scan Now and Manual Scan are the same type of scan; they differ only in how they are started. Scan Now is the term applied to scans run by you (the administrator) from the management console; Manual Scan is the term applied to scans run from the local client interface. OfficeScan allows you to create separate configurations for each use model.

Manual Scan Settings


Selecting Settings > Manual Scan Settings on the toolbar of the Client Management page opens the configuration page that defines how manual scans are executed. The management console displays the configuration in a new (popup) browser window and contains a tab that allows you to specify targets for the scan and a tab where you specify actions.
MANUAL SCAN TARGET SETTINGS

You can specify which files should be scanned by choosing to scan all files, scan using IntelliScan, or scan only those files with the extensions specified.
IntelliScan is a dynamic method for identifying files that should be scanned. For executable files (.com and .exe, for example), the true file type is determined based on the file content. For nonexecutable files (.txt, for example), the true file type is determined based on the file header.


Figure 5.48: Manual Scan Settings Target Configuration

IntelliScan provides these benefits:

Performance Optimization: IntelliScan does not affect crucial applications on the client because it uses minimal system resources.

Shorter Scanning Period: Because IntelliScan uses true file-type identification, it scans only files that are vulnerable to infection. The scan time is therefore significantly less than when you scan all files.

The Scan Settings section allows you to specify whether to scan hidden folders, network drives, compressed folders, and OLE objects. For scanning compressed files, you can choose how many layers of compression to scan (1 to 6). The more layers scanned, the more thorough your scans will be, but in some cases you risk overburdening system resources.
Important: Office 2007 applications use Zip compression to save files based on the Open XML format. To scan Office 2007 files, you must enable Scan compressed files. To clean/delete Office 2007 files that have been infected with malware, you must enable Clean/delete infected files within compressed files under Global Client Settings.

When a file contains multiple Object Linking and Embedding (OLE) layers, OfficeScan scans up to the number of layers you specify (1 to 10) and skips the remaining layers. For example, if you have a Microsoft PowerPoint document that has an embedded Word file that itself contains an embedded Excel spreadsheet, and the limit is set to 2, the OLE object that is the Excel spreadsheet will not be scanned. OLE Exploit Detection heuristically identifies malware by checking Microsoft Office files for exploit code. OLE Exploit Detection is also limited by the specified maximum-layers-to-scan threshold. For virus/malware scanning, you can also select these options (which simply do not pertain to normal spyware/grayware scanning):
Scan boot area
Enable IntelliTrap
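The layer limit described above can be modelled on nested ZIP archives. The following Python is an added example written for this textbook section, not OfficeScan code: it walks an in-memory archive to a configurable number of compression layers, records which members it did not open, and matches a constructed marker string in place of a real pattern-file signature. The per-member size guard is an assumed value that illustrates the resource caveat; the OLE-layer limit follows the same depth rule but is not modelled here.

```python
import io
import zipfile

# Constructed marker standing in for a pattern-file signature (not a real signature).
MARKER = b"CONSTRUCTED-TEST-MARKER"
# Assumed guard against overburdening resources: members declaring more than
# this size are not expanded. OfficeScan does not state such a figure here.
MAX_MEMBER_BYTES = 10 * 1024 * 1024


def build_nested_zip(depth: int, payload: bytes) -> bytes:
    """Wrap payload in `depth` ZIP layers (constructed sample input)."""
    data, name = payload, "payload.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
            archive.writestr(name, data)
        data, name = buf.getvalue(), f"nested{level + 1}.zip"
    return data


def scan_bytes(data: bytes, path: str, max_layers: int, layer: int = 0, report=None) -> dict:
    """Scan `data`, opening archives until `max_layers` layers of compression are reached.

    max_layers=0 models "Scan compressed files" disabled: archives are never opened.
    max_layers=1 opens the outer archive only; an archive inside it is skipped, and so on.
    Returns {"scanned": [...], "skipped": [...], "detections": [...]} keyed by member path.
    """
    if report is None:
        report = {"scanned": [], "skipped": [], "detections": []}
    if zipfile.is_zipfile(io.BytesIO(data)):
        if layer >= max_layers:
            report["skipped"].append(path)  # one layer too deep: left unopened
            return report
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                member_path = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    report["skipped"].append(member_path)
                    continue
                scan_bytes(archive.read(info), member_path, max_layers, layer + 1, report)
        return report
    report["scanned"].append(path)
    if MARKER in data:
        report["detections"].append(path)
    return report


if __name__ == "__main__":
    sample = build_nested_zip(3, MARKER + b" hidden three layers down")
    for limit in (0, 2, 3):
        result = scan_bytes(sample, "sample.zip", limit)
        print(f"max layers={limit}: detections={result['detections']} skipped={result['skipped']}")
```

Running the script shows the trade-off the text describes: with the limit at 2 the innermost archive is reported as skipped and the marker is never seen; raising the limit to 3 finds it, at the cost of expanding one more layer.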


Chapter 5: OfficeScan Management Console

Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering the network by blocking real-time compressed executable files and pairing them with other malware characteristics.
NOTE IntelliTrap can incorrectly block safe files. Thus, Trend Micro recommends quarantining (not deleting or cleaning) files when IntelliTrap is enabled. If your users regularly exchange real-time compressed executable files, you should disable IntelliTrap.
CPU usage options include high, medium, and low settings. The high setting enables the fastest scan, but may use 50 percent or more of the client's CPU resources. A low setting means the scan will take longer, but users will be more likely to be able to continue working efficiently during a scan.
Enabling scan exclusions allows you to specify directories, files, and/or file extensions to exclude from scanning. You can specify a maximum of 250 directories, files and file extensions. When making a custom entry, you must specify whether the path entered should overwrite, be added to, or be removed from the client scan exclusion list. You can also disable scan exclusions at any time. You can also configure scan exclusion settings for a particular scan type and then apply the same settings to all the other scan types.

SCAN EXCLUSIONS USE SCENARIO


On January 1, OfficeScan administrator Chris found out that there are a large number of JPG files on client computers and realized that these files do not pose any security threat. Chris added JPG to the file exclusion list for Manual Scan and then applied this setting to all scan types. Real-time Scan, Scan Now, and Scheduled Scan are now set to skip scanning .jpg files. A week later, Chris removed JPG from the exclusion list for Real-time Scan but did not apply scan exclusion settings to all scan types. JPG files will now be scanned, but only during Real-time Scan.

NOTE If you selected the OfficeScan Server root icon in the client tree before loading the Manual Scan Settings page, you will have the option to apply your settings to all current and future clients in all domains or apply your settings only to new clients and future domains.
WARNING! Use wildcards cautiously. If you use the wrong character, OfficeScan might exclude from scanning files or directories that could potentially have security threats.

If you select the option to Exclude directories where Trend Micro products are installed, OfficeScan automatically excludes the directories of these Trend Micro products from scanning:
ScanMail for Microsoft Exchange (all versions except version 7). If you use version 7, add the following folders to the exclusion list: \Smex\Temp, \Smex\Storage, \Smex\ShareResPool
ScanMail eManager 3.11, 5.1, 5.11, 5.12
ScanMail for Lotus Notes
eManager NT
InterScan Messaging Security Suite
InterScan Web Security Suite
InterScan Web Protect
InterScan VirusWall 3.53
InterScan FTP VirusWall
InterScan Web VirusWall
InterScan E-mail VirusWall
InterScan NSAPI Plug-in
InterScan eManager 3.5x

If you have a Trend Micro product that is NOT included in the list above, add the product directories to the scan exclusion list manually.
Tip You can configure OfficeScan to exclude Microsoft Exchange 2000/2003 directories on the Networked Computers > Global Client Settings > Scan Settings page. If you use Microsoft Exchange 2007, manually add the directory to the scan exclusion list. For scan exclusion details, see: http://technet.microsoft.com/en-us/library/bb332342.aspx.

OfficeScan will not scan a file if its file extension matches any of the extensions included in this exclusion list. You can specify a maximum of 250 file extensions. A period (.) is not required before the extension.
For Manual Scan, Scheduled Scan, and Scan Now, use a question mark (?) or asterisk (*) as a wildcard character.
For Real-time Scan, use an asterisk (*) as a wildcard character when specifying extensions. For example, if you do not want to scan all files with extensions starting with D, such as DOC, DOT or DAT, type D*.

Tip You can also use ? and * as wildcards when specifying extensions. For example, if you want to scan all files with extensions starting with D, such as DOC, DOT or DAT, you can type .D? or .D*.
NOTE You can select to discard any changes you make and restore the default extensions last saved by clicking Restore to Default.
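The extension exclusion rules above (250 entries, optional leading period, ? and * for on-demand scans but * only for Real-time Scan, and the per-scan-type lists that can be applied to all types) can be checked with a small model. The Python below is an added example for this section, not OfficeScan code: the per-scan-type list structure, the behaviour when an entry cannot be expressed by a target scan type, and the file path are assumptions made for the example. It reproduces the scan exclusions use scenario from earlier in this section and the wildcard-reach check behind the warning about using wildcards cautiously.

```python
import re
from pathlib import PureWindowsPath

SCAN_TYPES = ("Manual Scan", "Scheduled Scan", "Scan Now", "Real-time Scan")
MAX_ENTRIES = 250  # limit stated for the extension exclusion list

# Wildcards each scan type accepts, per the text: '?' and '*' for on-demand
# scans, '*' only for Real-time Scan.
ALLOWED_WILDCARDS = {
    "Manual Scan": "?*",
    "Scheduled Scan": "?*",
    "Scan Now": "?*",
    "Real-time Scan": "*",
}


def compile_extension(entry: str, scan_type: str) -> re.Pattern:
    """Turn an entry such as 'jpg', '.D?T' or 'D*' into a case-insensitive
    regex over the extension (without the leading period)."""
    ext = entry.lstrip(".")
    if not ext:
        raise ValueError("empty extension entry")
    allowed = ALLOWED_WILDCARDS[scan_type]
    parts = []
    for ch in ext:
        if ch in "?*":
            if ch not in allowed:
                raise ValueError(f"{scan_type} does not accept the '{ch}' wildcard")
            parts.append("." if ch == "?" else ".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def accepts(entry: str, scan_type: str) -> bool:
    """True if the scan type can express the entry under the wildcard rules."""
    try:
        compile_extension(entry, scan_type)
        return True
    except ValueError:
        return False


class ExclusionPolicy:
    """One extension exclusion list per scan type (assumed structure for the example)."""

    def __init__(self):
        self.lists = {t: [] for t in SCAN_TYPES}

    def add(self, scan_type: str, entry: str) -> None:
        compile_extension(entry, scan_type)  # reject entries the scan type cannot express
        if len(self.lists[scan_type]) >= MAX_ENTRIES:
            raise ValueError(f"{scan_type}: exclusion list is full ({MAX_ENTRIES} entries)")
        key = entry.lstrip(".").lower()
        if key not in (e.lstrip(".").lower() for e in self.lists[scan_type]):
            self.lists[scan_type].append(entry)

    def remove(self, scan_type: str, entry: str) -> None:
        key = entry.lstrip(".").lower()
        self.lists[scan_type] = [e for e in self.lists[scan_type] if e.lstrip(".").lower() != key]

    def apply_to_all_scan_types(self, source: str) -> dict:
        """Copy the source list to every other scan type. Entries a target type
        cannot express (a '?' entry for Real-time Scan) are skipped and reported
        (assumed behaviour; the text does not say what the console does here)."""
        skipped = {}
        for target in SCAN_TYPES:
            if target == source:
                continue
            self.lists[target] = []
            for entry in self.lists[source]:
                if accepts(entry, target):
                    self.add(target, entry)
                else:
                    skipped.setdefault(target, []).append(entry)
        return skipped

    def is_excluded(self, path: str, scan_type: str) -> bool:
        ext = PureWindowsPath(path).suffix.lstrip(".")
        if not ext:
            return False
        return any(compile_extension(e, scan_type).fullmatch(ext) for e in self.lists[scan_type])


def wildcard_reach(entry: str, scan_type: str, extensions) -> list:
    """Which of `extensions` an entry would exclude: the check behind the
    warning that a wildcard can exclude more than intended."""
    pattern = compile_extension(entry, scan_type)
    return [e for e in extensions if pattern.fullmatch(e)]


def chris_scenario() -> tuple:
    """The use scenario from the text: JPG added for Manual Scan, applied to
    all scan types, then removed from Real-time Scan only."""
    policy = ExclusionPolicy()
    photo = r"C:\Users\chris\photo.JPG"  # constructed path
    policy.add("Manual Scan", "JPG")
    policy.apply_to_all_scan_types("Manual Scan")
    after_apply = {t: policy.is_excluded(photo, t) for t in SCAN_TYPES}
    policy.remove("Real-time Scan", "JPG")
    after_remove = {t: policy.is_excluded(photo, t) for t in SCAN_TYPES}
    return after_apply, after_remove
```

wildcard_reach("D*", ...) over a list of common extensions shows why the warning exists: the same pattern that skips DOC, DOT and DAT also skips DLL, which is exactly the kind of file an administrator would want scanned.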

MANUAL SCAN ACTION SETTINGS Configuring scan actions allows you to specify what OfficeScan will do with the files in which it detects a security threat. You have the following choices:
ActiveAction consists of a set of preconfigured actions for various types of malware. If you are not familiar with scan actions or if you are not sure which scan action is suitable for a certain type of virus, Trend Micro recommends using ActiveAction, which provides these benefits:
Time-saving and easy to maintain: ActiveAction uses the scan actions that Trend Micro recommends. You do not have to spend time customizing the scan actions.
Updateable scan actions: To ensure that clients are protected against the latest threats, ActiveAction settings are updated in every new pattern file.

OfficeScan 10.6 adds probable virus/malware to the detection categories for which you can choose a custom action. Even if you select to use ActiveAction, you can still select a custom action for detections of probable virus/malware.


Figure 5.49: Action Configuration Page for Manual Scans

Using the same action for all malware allows you to select a single action for all detections. If you select clean as the first action, you must specify a second action.
Selecting a specific action for each threat type allows you to specify actions in six categories of malware, including: jokes, trojans, viruses, test viruses, packer objects, and other. Select the action you want for each category. You can choose from these actions:
Pass: Allows program access to files even if a threat is detected.
Delete: Deletes the file that triggered the action.
Rename: Changes the file extension to .vir. Subsequent viruses discovered will be given the extensions .vi1, .vi2, and so on.
Quarantine: Encrypts and moves the file to the quarantine directory on the OfficeScan server. The URL or UNC path of the quarantine directory must be specified.
Clean: OfficeScan attempts to clean the file. Not all infected files are cleanable; when selecting clean, you must select a second action.

The quarantine directory textbox allows you to specify a different virus/malware quarantine directory. You can enter a URL or UNC path. If the directory specified is invalid, OfficeScan uses the default quarantine directory on the client computer: {installation path}/SUSPECT.
Backing up files before cleaning is enabled by default. You can disable this feature by deselecting the checkbox. OfficeScan backs up files on the client to the {installation path}/backup directory.
Spyware/Grayware action options include:
Clean: Terminates processes and deletes registries, files, cookies and shortcuts.
Pass: Spyware/grayware detections are logged for assessment, but otherwise no action is taken.
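The action rules above (one first action per category, a mandatory second action when the first is Clean, and the .vir/.vi1/.vi2 rename sequence) are easy to get wrong in a hand-built configuration. The following Python is an added example for this section, not OfficeScan code: it validates a per-category action plan, applies the first action and falls back to the second when the clean routine reports failure, and computes the next free rename target. The `clean` callable is a stand-in for the scan engine and the category/action names are taken from the text; everything else is an assumption made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# The six malware categories and five actions named in the text.
CATEGORIES = ("jokes", "trojans", "viruses", "test viruses", "packer objects", "other")
ACTIONS = ("Pass", "Delete", "Rename", "Quarantine", "Clean")


@dataclass
class CategoryAction:
    first: str
    second: Optional[str] = None  # required when `first` is Clean


def validate_plan(plan: Dict[str, CategoryAction]) -> list:
    """Return the configuration problems found; an empty list means the plan is usable."""
    problems = []
    for category in CATEGORIES:
        action = plan.get(category)
        if action is None:
            problems.append(f"{category}: no action configured")
            continue
        if action.first not in ACTIONS:
            problems.append(f"{category}: unknown action {action.first!r}")
        # Clean is not always possible, so it must be backed by a second, different action.
        if action.first == "Clean" and action.second not in set(ACTIONS) - {"Clean"}:
            problems.append(f"{category}: Clean requires a second, non-Clean action")
    return problems


def rename_target(filename: str, existing: list) -> str:
    """Rename rule from the text: the extension becomes .vir, then .vi1, .vi2, ... when taken."""
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    taken = {name.lower() for name in existing}
    candidate, n = f"{stem}.vir", 1
    while candidate.lower() in taken:
        candidate, n = f"{stem}.vi{n}", n + 1
    return candidate


def apply_action(plan: Dict[str, CategoryAction], category: str, filename: str,
                 existing: list, clean: Callable[[str], bool]) -> Tuple[str, Optional[str]]:
    """Apply the configured action for one detection.

    `clean` stands in for the engine's clean routine and returns whether the file
    was cleanable; on failure the category's second action is used.
    Returns (outcome, resulting filename or None when the file is gone).
    """
    action = plan[category].first
    if action == "Clean":
        if clean(filename):
            return "cleaned", filename
        action = plan[category].second
    if action == "Pass":
        return "passed", filename
    if action == "Delete":
        return "deleted", None
    if action == "Rename":
        return "renamed", rename_target(filename, existing)
    if action == "Quarantine":
        return "quarantined", None  # encrypted and moved to the quarantine directory
    raise ValueError(f"unknown action {action!r}")
```

Run validate_plan before deploying a plan: the one case it rejects, Clean with no usable second action, is exactly the one the console refuses to save.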


Real-time Scan Settings

Selecting Settings > Real-time Scan Settings on the toolbar of the Client Management page opens the configuration page that defines how real-time scanning operates. The management console displays the configuration in a new (popup) browser window and contains two tabs, one for target options and one for action options.
REAL-TIME SCAN TARGET SETTINGS

Figure 5.50: Target Settings for Real-time Scans

Configuration options for real-time scan settings are the same as for manual scan settings described above, with these exceptions:
The page includes options to enable/disable virus/malware and spyware/grayware scanning.
The User Activity on Files (discussed below) options are added.
The Scan floppy disk during system shutdown option is added.

Real-time scanning monitors user activities that involve creating (writing), modifying (rewriting), and retrieving (reading) files.
The User Activity on Files setting specifies when files should be scanned. The table below explains the basic consequences of the three options available.
Option | User Action: Open a read-only file | User Action: Copy or move a file from an excluded directory
Scan files being created/modified | File NOT scanned | File scanned when written (if destination is not also excluded)
Scan files being retrieved | File scanned | File NOT scanned
Scan files being created/modified and retrieved | File scanned | File scanned when written (if destination is not also excluded)

Table 5.2: Target Activities for Real-time Scan Settings

REAL-TIME SCAN ACTION SETTINGS

Figure 5.51: Action Settings for Real-time Scans

Action options for real-time scanning are also very much the same as for the manual-scan configuration options described in the previous section. There are, however, a few noteworthy exceptions:
The options to enable/disable the display of end user notification messages for virus/malware scanning and spyware/grayware scanning are added. You can enable notifications for either, both, or neither type of scanning.
The option to deny access instead of clean is added to the spyware/grayware action options, and the option to pass is removed. (To disable actions taken on detected spyware/grayware, simply disable the spyware/grayware scanning option at the top of the Target page.)
All other options are the same as for manual scanning. Please see the section above on Manual Scan Settings for more information.

Scheduled Scan Settings

Selecting Settings > Scheduled Scan Settings on the toolbar of the Client Management page opens the configuration page that defines how scheduled scans are run. The management console displays the configuration in a new (popup) browser window and contains a tab that allows you to specify targets for the scan and a tab where you specify actions.

Figure 5.52: Scheduled Scan Settings

Configuration options for scheduled scanning are identical to those discussed in the section for Manual Scan Settings above, except for the addition of the schedule configuration itself, shown in the figure above. You can specify the frequency of scheduled scans in daily, weekly, or monthly increments. You can also specify a time of day for each option. Both the weekly and monthly options include drop-down menus for quick and easy configuration. Action options for scheduled scans are also the same as for manual scans. Please see these sections for more information about the options available to you.

Scan Now Settings

Selecting Settings > Scan Now Settings on the toolbar of the Client Management page allows you to define how scans are run when the Scan Now function is used. The console presents Scan Now configuration options in a popup window. Tabs on this page allow you to specify targets for the scan and the actions to be taken when threats are detected.

Figure 5.53: Scan Now Scan Settings

Configuration options for Scan Now settings are covered in the Manual Scan Settings section above. For more information please see this section. OfficeScan provides separate configurations for Scan Now and Manual Scan functions so that you have the flexibility to create settings for scans executed from the management console (Scan Now) that are different than those used for executing scans from the local client console (Manual Scan).

5.5.7 Update Agent Settings

Making a computer an update agent is a simple, two-step process. To enable the update-agent functionality:
1. Selecting Settings > Update Agent Settings on the toolbar of the Client Management page opens the Configuration page where you can enable and disable update agent functionality for the selected clients. The Update Agent Configuration page appears in a new (popup) browser window.

Figure 5.54: Enabling Update Agent Functionality

1.1. Select the components that you want the Update Agent to distribute to downstream clients (new starting from OfficeScan version 10.5):
Component updates
Domain settings
Client programs and hot fixes
1.2. Click Save.
2. Add target computers to the Updates > Networked Computers > Update Source customized update source list and select the update agent as the update source. Requirements for clients selected to function as update agents include:
Computer operating system: Windows XP, Vista, 7, or Server 2003/2008
800 MHz Intel Pentium or equivalent
RAM: 512 MB minimum, 1 GB recommended on Windows XP or Server 2003; 1 GB minimum, 1.5 GB recommended on Windows Vista, 7 or Server 2008
Available disk space: 700 MB
NOTE Update agents may fail to obtain and deploy components if adequate disk space is not available. Make sure to use only clients with sufficient disk space as update agents. An additional 20 KB for every domain setting update and 160 MB for programs/hot-fix update is needed.

In the client tree, update agents display a different icon once update agent functionality is enabled. To specify update sources for update agents and assign clients to specific update agents, go to the Updates > Networked Computers > Update Source page.

5.5.8 Client Privileges and Other Settings

You can grant users the privileges to modify certain settings and perform high level tasks on the OfficeScan client. The privileges you set here affect the options displayed in the user interface of the client console. Generally, you should seek to grant as few privileges to each OfficeScan group/domain as is possible. To configure client privileges and other settings, click Networked Computers > Client Management and select the target clients from the client tree. Then, on the toolbar above the client tree, click Settings > Privileges and Other Settings. The management console will display the configuration page in a separate window. This page has two tabs: Privileges and Other Settings.

Figure 5.55: Privileges Tab on the Client Privileges and Other Settings Page

Privileges Tab
ROAMING PRIVILEGE This privilege allows users to enable roaming mode. When in roaming mode, clients can only update components from the OfficeScan server. Roaming clients cannot send logs to the OfficeScan server. The OfficeScan server also cannot manage roaming clients, including initiating tasks and deploying client settings.
SCAN PRIVILEGES Leaving an option in this section unchecked causes the client console to gray out the corresponding set of configuration options in the user interface and, thus, block end-users from modifying the settings that you choose.
NOTE Any user can start a manual scan from the client console, no matter which options you select here. Changing these privileges determines only whether users can change the parameters of the scan.

SCHEDULED SCAN PRIVILEGES In this section, you can allow users to either postpone scheduled scans or stop them entirely through the client console. These privileges are designed especially for users who commonly use CPU-intensive applications and frequently work irregular hours or who are regularly subject to tight deadlines to complete jobs that require CPU-intensive processing.


FIREWALL PRIVILEGES You may select to show the Firewall tab on the client console and whether to allow users to enable and disable the OfficeScan firewall, intrusion detection system, and firewall notification messages.

If you leave the Display the Firewall tab checkbox unselected, the client console will not display the Firewall tab and users will not have access to the firewall settings. You may also select to allow clients to send firewall logs to the OfficeScan server. To select how often (in minutes, hours, or days) the clients with this privilege will send their logs to the server, go to Networked Computers > Global Client Settings and select from the options available under Firewall Log Settings.
BEHAVIOR MONITORING PRIVILEGES If you select to Display the Behavior Monitoring tab on the client console, targeted domains and clients will be able to manage their own exceptions list for approved and blocked applications.
MAIL SCAN PRIVILEGES If you leave the Display mail scan tab checkbox unselected, the client console will not display the Mail Scan tab, and users will not have access to the Mail Scan settings.
NOTE You can configure Mail Scan only by using the client console.
Tip To prevent users from later modifying Mail Scan settings, you can first configure the settings on the client, then disable the Mail Scan tab in the management console.

TOOLBOX PRIVILEGES These client tools are add-on components available only through the client interface. At the time of writing, Check Point SecureClient Support is the only tool in the toolbox. If you disable the Toolbox tab, your users will not be able to access this component.
PROXY SETTING PRIVILEGES If selected, users can configure proxy settings for client connections. However, user-configured proxy settings are used only when:
Users perform an on-demand update using the Update Now function. Allowing mobile users, for example, to configure custom proxy settings may be required for them to access the Trend Micro ActiveUpdate server directly. (Access to the Update Now function is an additional privilege that you may selectively grant or revoke.)
When automatic proxy server detection is turned off and when automated configuration by configuration script is not being used. (You can configure automated client proxy settings on the Networked Computers > Global Client Settings page.)
COMPONENT UPDATE PRIVILEGES These options allow you to grant users more control over updates. Clients with these privileges display the corresponding Update Now and/or Enable Scheduled Update options on the pop-up menu when a user right-clicks on the status icon in the system tray.


Granting the privilege to enable/disable scheduled updates does not give clients the ability to configure the update schedule. This update schedule is still an OfficeScan global parameter and is accessible only through the management console.
NOTE To configure the update schedule, click Updates > Networked Computers - Automatic Update. The update schedule configuration is placed under the heading Schedule-based Update.

UNINSTALLING AND UNLOADING Users may attempt to uninstall the client software using the client program-group folder in the Start menu, through the Add or Remove Programs utility in the Control Panel, or by direct access through the Windows file system.

Users may attempt to unload (turn off) the OfficeScan client temporarily by right-clicking the client status icon in the Windows system tray and choosing Unload OfficeScan.
Tip OfficeScan allows you to require a password when users attempt to uninstall and/or unload the client software. If you do not want users to be able to unload or uninstall the client software, require passwords for these functions and do not reveal the passwords.

Other Settings

Figure 5.56: Other Settings Tab on the Client Privileges and Other Settings Page

UPDATE SETTINGS Selecting an option enables the corresponding functionality. Unselecting or leaving an option unselected disables it.
Clients download updates directly from the Trend Micro ActiveUpdate Server: Select to allow clients to download updates directly from the Trend Micro ActiveUpdate Server if the update source(s) you name in the global configuration is/are unreachable.


Enable scheduled update: Important: If you want to deploy scheduled updates to clients, you must select this option. To allow users to stop a scheduled update, select the Stop scheduled scan option on the Privileges tab. The update schedule is on Updates > Networked Computers - Automatic Update, under Schedule-based Update.

Clients can update components but not upgrade the client program or deploy hot fixes: Select to permit clients to update pattern files, but restrict clients from upgrading the client program or deploying hot fixes. This option can stop potentially large updates from occurring outside of administrative planning and control.

WEB REPUTATION SETTINGS When selected, the OfficeScan client displays a notification to users when the web reputation service blocks a URL that violates a web-reputation policy.
BEHAVIOR MONITORING SETTINGS When selected, the OfficeScan client displays a notification to users when a program is blocked and, depending on the configuration parameters applied to the target, may offer options for how to handle each incident.
SCHEDULED SCAN SETTINGS When you enable this option, a notification message displays on the client computer minutes before Scheduled Scan runs. Users are notified of the scan schedule (date and time) and their Scheduled Scan privileges, such as postponing, skipping, or stopping Scheduled Scan.

The number of minutes is configurable. To configure the number of minutes, go to Networked Computers > Global Client Settings > Scheduled Scan Settings > Remind users of the Scheduled Scan __ minutes before it runs.
CLIENT SECURITY SETTINGS You can change the file permissions for user access to the OfficeScan client installation directory and registry settings.
High: The client installation directory inherits the rights of the Program Files folder and the client's registry entries inherit permissions from the HKLM\Software key. For most Active Directory configurations, this automatically limits normal users (those without administrator privileges) to read-only access.
Normal: Full rights to the OfficeScan client program directory and the OfficeScan client registry entries are given to all users (everyone).

For more information on permissions granted per Windows user type, see Chapter 3: OfficeScan Application Architecture, File-System Security Options for Client Installations on page 50.

POP3 EMAIL SCAN SETTINGS When selected, this setting enables POP3 mail scan on the client console. This setting only applies to clients with the mail scan privileges.
CLIENT CONSOLE ACCESS RESTRICTION When selected, users will not be able to launch the client console from the system tray or from the Windows Start menu. They will, however, still be able to do so from the OfficeScan client installation folder.


RESTART NOTIFICATION Select this option to display a message prompting users to restart the client computer to finish cleaning infected files. For Real-time Scan, the message displays after a particular security risk has been scanned. For Manual Scan, Scheduled Scan, and Scan Now, the message displays once and only after OfficeScan finishes scanning all the scan targets.

5.5.9 Enable/Disable Unauthorized Change Prevention and/or Firewall Services
The Networked Computers > Client Management > Settings > Additional Services page allows you to enable and disable the Unauthorized Change Prevention Service and the Firewall Service for clients running Windows XP, Vista, and 7.

Figure 5.57: Enabling the Unauthorized Change Prevention and Firewall Services

Unauthorized Change Prevention Service (TMBMSRV.EXE): Regulates application behavior and verifies program trustworthiness. Behavior Monitoring, Device Control, Certified Safe Software Service, and Client Self-Protection all require this service.
Firewall Service: Protects clients and servers on the network using stateful inspection, high performance network virus scanning, and elimination.

WARNING! Enabling or disabling the Firewall service temporarily disconnects the clients from the network. Ensure that you change the settings only during non-critical hours to minimize network interruptions.

5.5.10 Web Reputation Services Settings

Trend Micro Web Reputation Services (WRS) stops web-based threats based on the URL that a user attempts to access. With WRS, access to a URL is allowed or denied based on a Trend Micro global web reputation database. This database identifies URLs that are known to be sources of web threats and scores others on how likely they are to be the source of various web threats, which includes phishing sites, drive-by or silent software installations, scripting-host exploits, various file-type exploits, and other threats. WRS is not like traditional web-filtering solutions that discriminate among sites based on content categories and allow you to block access based on the business-relevance of a category (blocking access to news sites, for example) or the violation of ethical standards (blocking access to pornography sites, for example). Rather, WRS is a specialty service that focuses exclusively on scoring URLs according to their threat potential.


Reputation-Score Lookup Process

Each OfficeScan client includes passive proxy capability (which runs as a visible process named TmProxy.exe). Enabling WRS causes the client to proxy traffic on the well-known HTTP port (TCP 80) and other commonly used HTTP ports (such as TCP 8080, 81, and 11523). Before the internal proxy establishes an external connection, it requests the rating, or threat score, for the destination URL from the Trend Micro rating service.
NOTE Port 11523 is used by the AOL HighSpeed service, which is essentially an AOL proprietary local web cache. Known malware applications disguise themselves as this service.

The request for a URL rating is made using a specially formatted DNS request that functions as a database query to the WRS-controlled domain namespace. Encoded in the DNS response from the WRS DNS servers is a threat score for the originally requested URL. If the client fails twice to receive a response to the DNS lookup or if the information returned is not sufficient to obtain a reputation score, the client will use HTTP to connect to an HTTP-based rating server.
Tip You can use the Administration > Proxy Settings > External Proxy page to specify proxy server authentication credentials for clients to use when connecting to the Trend Micro Web reputation servers and Global Smart Scan Server.

If the threat score for a URL is lower than the threshold defined by the selected security level (described below), the internal proxy blocks access to the URL and returns a message to the user's web browser (or whatever other process may have initiated the connection). The OfficeScan client also displays a message.

Figure 5.58: User Notification Messages for Web Reputation Services

If the threat score for the URL is higher than the specified threshold, the internal proxy establishes the connection and allows data to pass to and from the web browser (or other host process). The specific methodologies and algorithms by which Trend Micro assigns scores are the result of a dynamic and constantly evolving process of monitoring and analysis. Currently, the threshold score for a safe site is 81, while unrated sites are scored at 61. In other words, if you restrict connection to safe sites only, then all URLs accessed by the client over the monitored ports must exceed a value of 80. Additional numerical thresholds correspond to the other security-level options available in a similar fashion.


Policy Ac ction Based on Locat tion-Awaren ness


WRS allows you to establish separate configurations for internally versus externally located machines. Your ability to define a client's internal/external status and apply different policies allows you to manage mobile clients more flexibly. In some instances, you may require a more strict policy for computers when they are outside your network; in other cases, you may want to provide a less strict policy or, simply, a different list of approved URLs for each case. You can define a client's location status as internal or external based on a) the gateway address being used, b) connection status with the OfficeScan server, or c) the client's ability to make a simple TCP-level connection to a reference server on a specified port. To select the method to be used to determine a computer's location, and configure gateway and reference-server lists, use the Networked Computers > Computer Location page.

NOTE: The gateway and reference-server settings you choose for determining location status also apply to the location-based policies of Smart Scan clients.
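The location criteria above are evaluated by the OfficeScan client itself. As an added illustration (example code, not OfficeScan's own), the following Python models criteria a) and c): a gateway-address list and a plain TCP reachability probe against a reference server. The loopback listener that stands in for the reference server, the gateway addresses, and the rule in `classify_location` that treats either criterion as sufficient are assumptions of the example.

```python
import socket
import threading
from contextlib import contextmanager
from typing import Iterable, Tuple


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Plain TCP connect-then-close probe; no application data is exchanged,
    which is all a 'simple TCP-level connection' check needs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_location(gateway_ip: str,
                      internal_gateways: Iterable[str],
                      reference_servers: Iterable[Tuple[str, int]],
                      timeout: float = 1.0) -> str:
    """Return 'internal' if the current gateway is on the configured list or any
    reference server accepts a TCP connection, otherwise 'external'.
    Treating the two criteria as alternatives is an assumption of this example."""
    if gateway_ip in set(internal_gateways):
        return "internal"
    for host, port in reference_servers:
        if tcp_reachable(host, port, timeout):
            return "internal"
    return "external"


@contextmanager
def local_reference_server():
    """Stand-in for an internal reference server (constructed for the example):
    a loopback listener that accepts and immediately closes connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)             # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield port
    finally:
        stop.set()
        worker.join()
        srv.close()


def unused_port() -> int:
    """A loopback port with no listener, used to simulate an unreachable reference server."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Tuple[str, str]:
    """Classify once with a reachable reference server and once without.
    Gateway addresses are constructed sample values."""
    gateways = ["192.168.1.1"]
    with local_reference_server() as port:
        inside = classify_location("10.0.0.1", gateways, [("127.0.0.1", port)])
    outside = classify_location("10.0.0.1", gateways, [("127.0.0.1", unused_port())])
    return inside, outside


if __name__ == "__main__":
    print(demo())
```

A reference server only has to complete the TCP handshake, so any internal host with a listening port works; the probe returns as soon as the kernel accepts the connection, before the listener's accept loop runs.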

Assessment Mode


Similar to the assessment mode provided for spyware/grayware detection, assessment mode for WRS allows you to evaluate the actions that WRS would take if it were enabled. In assessment mode, WRS does not block access to any pages. In assessment mode, WRS only logs requested access to dangerous, suspicious, and highly suspicious pages, based on the selected security level. You can then add exceptions that should be allowed or blocked regardless of their Trend Micro reputation score to the approved/blocked URL list (maximum 1000 items). You can also request that Trend Micro reclassify any URLs that you feel may be misclassified. Assessment mode can be enabled/disabled separately for internal and external clients on the Networked Computers > Client Management > Settings > Web Reputation Settings page for selected clients.

Figure 5.59: Enable/Disable Options for WRS for Internal Clients

Enhanced Privacy Option for Internal Clients


Introduced in OfficeScan 10.5, you can now use internally located, standalone and integrated Smart Protection Servers to provide WRS services. For integrated servers, the option to enable/disable Smart Protection Server support for WRS is located on the Smart Protection > Integrated Server page, and for standalone servers on the main configuration page of the server.

For more information about Smart Protection server options, see 5.4 > Smart Protection Server Settings, on page 116.

With WRS enabled on one or more Smart Protection Servers, you can then enable/disable use of WRS services on the Smart Protection Server for selected clients/client groups on the Networked Computers > Client Management > Settings > Web Reputation Settings page (shown above). By leaving the option to Query Trend Micro Smart Protection Network if there is no match in Smart Protection Server unselected, these client-management settings allow you to restrict WRS queries to your local Smart Scan server(s) only. Restricting WRS queries in this way prevents query data about your users' URL requests from leaving your local network, which reduces Internet traffic and enhances privacy by eliminating WRS queries to Trend Micro-hosted servers.

However, when you select this configuration, the WRS security level is also restricted to blocking only those URLs that have been blacklisted in the current version of threat information on the Smart Scan server as dangerous or verified to be fraudulent or a known source of threat (the Low setting). Suspicious and highly suspicious URL information is not replicated downstream to locally hosted Smart Scan servers. To enable blocking for suspicious and highly suspicious URLs, the option to Query Trend Micro Smart Protection Network if there is no match in Smart Protection Server must also be selected. Selecting both Smart Protection options for WRS reduces Internet traffic by eliminating queries for URLs that can be matched by local Smart Scan server(s), but does not prevent query data containing internal browsing activity from leaving the local network.

Configuring Web Reputation Policies


A URL's reputation score determines whether Trend Micro defines it as a web threat or not. This score is calculated using Trend Micro proprietary metrics. Trend Micro considers a URL a web threat, very likely to be a web threat, likely to be a web threat, or not a threat if its score falls within the range set for these categories. To configure Web Reputation settings and policies, go to Networked Computers > Client Management and select target clients from the client tree. On the toolbar above the client tree, click Settings > Web Reputation Settings. Configuration options for external computers and internal computers are the same. To enable the web reputation service, you must have entered a valid activation code, and must also select the Enable Web Reputation policy checkbox.


Figure 5.60: Web Reputation Policy Configuration Page

To configure the web reputation policy for external or internal computers:

1. Click Networked Computers > Client Management and select target clients using the client tree.
2. Click Settings > Web Reputation Settings.
2.1. Select the External Computers or Internal Computers tab, depending on the policy you want to configure.
2.2. Verify that the Enable Web reputation policy checkbox is selected.
2.3. Optionally enable the following:

Assessment (Internal/External): When in assessment mode, Web Reputation Service will log all URLs but will allow them to pass. Trend Micro provides assessment mode to allow you to evaluate URLs and then take appropriate action based on your evaluation.

Use the Smart Protection Server Web Reputation Service (Internal only): Internal clients connect to the Smart Protection Server and use the Web Reputation Service to determine the status of the URL.

Query Trend Micro Smart Protection Network if there is no match in Smart Protection Server (Internal only): Internal clients connect to the Smart Protection Network if the Smart Protection Service cannot determine the status of the URL.

2.4. Select a security level. OfficeScan provides four security levels that determine whether access to a URL will be blocked or allowed.

Low: Blocks only pages that are verified to be fraudulent or known sources of threat.
Medium: Blocks pages that are verified to be or suspected of being fraudulent or known sources of threat.
High: Blocks pages that are verified as fraudulent, sources of threat, spam or that are suspected of being so. This may include unrated pages.

Tip: Remember that as you set the security level higher, the web threat detection rate improves but the possibility of false positives also increases.

Specify if you want to block Untested URLs. Untested URLs have not been assessed by Trend Micro. While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular web sites. Blocking access to untested pages can improve safety, but it may also prevent access to safe pages.

2.5. Add URLs to the Approved/Blocked List. (Separately add URLs to the External and Internal Clients.)
2.5.1. Specify whether to enable the Approved or Blocked URL List feature.
2.5.2. Specify a URL in the text box. Use the wildcard character (*) anywhere in the URL.
2.5.3. Select whether to approve or block the URL.
2.5.4. Repeat the required steps until all URLs you want to approve are added to the list.
2.5.5. To export the list to a .dat file, click Export and then click Save.
2.5.6. If you have exported a list from another server and want to import it to this screen, click Import and locate the .dat file. The list loads on the screen.
2.6. To submit web-reputation feedback, use the provided URL. The URL links to the Trend Micro Web Reputation Query system. This system provides details about blocked URLs and allows users to send Web Reputation feedback to Trend Micro.

Figure 5.61: Trend Micro Web Reputation Query Website

2.7. Select whether to Allow clients to send logs to the OfficeScan server. This option is available to both the internal and external configuration. You can use this option to analyze blocked URLs and, later, add safe URLs to the approved URL list, which can be managed on the Global Client Settings page.

3. Click Save.
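The approved/blocked list, assessment mode, security level and Untested URLs settings in the steps above combine into one allow/block decision per request. The Python below is an added example modelling that decision, not OfficeScan code. The category names follow the page; the mapping of categories onto Low/Medium/High, the precedence of blocked-list entries over approved-list entries, the `Policy` fields and the sample URLs are assumptions of the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Tuple

# Reputation categories as the page names them. The numeric score thresholds
# behind them are not modelled; the page documents only the safe-site score (81).
CATEGORIES = ("dangerous", "highly_suspicious", "suspicious", "untested", "safe")

# Which categories each security level blocks. This mapping is an assumption
# derived from the Low/Medium/High descriptions; "untested" is a separate toggle.
BLOCKED_BY_LEVEL = {
    "low": {"dangerous"},
    "medium": {"dangerous", "highly_suspicious"},
    "high": {"dangerous", "highly_suspicious", "suspicious"},
}


@dataclass
class Policy:
    security_level: str = "medium"
    block_untested: bool = False
    assessment_mode: bool = False
    approved: List[str] = field(default_factory=list)  # URL patterns, '*' wildcard
    blocked: List[str] = field(default_factory=list)


def _matches(url: str, patterns: List[str]) -> bool:
    for p in patterns:
        # The console treats only '*' as a wildcard, so neutralise fnmatch's '?' and '['
        p = p.replace("[", "[[]").replace("?", "[?]")
        if fnmatchcase(url, p):
            return True
    return False


def decide(url: str, category: str, policy: Policy) -> Tuple[str, str]:
    """Return (action, reason); action is 'allow' or 'block'."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    if policy.security_level not in BLOCKED_BY_LEVEL:
        raise ValueError(f"unknown security level {policy.security_level!r}")
    # List entries apply regardless of reputation score (blocked first: assumption)
    if _matches(url, policy.blocked):
        return "block", "blocked-list"
    if _matches(url, policy.approved):
        return "allow", "approved-list"
    should_block = category in BLOCKED_BY_LEVEL[policy.security_level]
    if category == "untested" and policy.block_untested:
        should_block = True
    if not should_block:
        return "allow", f"{category} below {policy.security_level} threshold"
    # Assessment mode records what would have been blocked but lets it pass
    if policy.assessment_mode:
        return "allow", f"assessment: would block ({category})"
    return "block", category


def assessment_report(requests: List[Tuple[str, str]], policy: Policy) -> List[str]:
    """Log lines an assessment-mode run produces for pages that would otherwise
    be blocked. Requests are constructed (url, category) pairs."""
    lines = []
    for url, category in requests:
        action, reason = decide(url, category, policy)
        if action == "allow" and reason.startswith("assessment"):
            lines.append(f"{url}: {reason}")
    return lines


if __name__ == "__main__":
    trial = Policy(security_level="high", assessment_mode=True, block_untested=True)
    sample = [("http://news.example/", "safe"),
              ("http://new-site.example/", "untested"),
              ("http://phish.example/login", "dangerous")]
    for line in assessment_report(sample, trial):
        print(line)
```

Running a policy in assessment mode first and reading `assessment_report` output is the workflow the page recommends: the log shows which categories a stricter level would start blocking before any user is affected.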

HTTPS Reputation Checking


OfficeScan 10.6 has a new option to check the reputation of HTTPS websites. Secure connections can be used to distribute malware, malicious content, and other web threats. Select the Check the reputation of HTTPS websites option to allow clients to monitor HTTPS traffic for such threats. Monitoring HTTPS traffic is supported in the following browsers:

Microsoft Internet Explorer 6 with SP2 or higher, 7.x, 8.x
Mozilla Firefox 3.5 to 4.x.x

5.5.11 Behavior Monitoring


OfficeScan includes the ability to constantly monitor client computers for unusual modifications to the operating system or installed software. Suspect programs with a valid digital signature or that have been certified as safe are always allowed to start. Administrators (and users, based on the privileges granted to them) can create custom exception lists to allow named programs to start and change system settings or, alternatively, to block them.

NOTE: Two settings for behavior monitoring are global configuration options: 1) the wait-time allowed for a user response after suspicious behavior has been detected, and 2) the enabling and disabling of the Certified Safe Software Service. Trend Micro recommends enabling Certified Safe Software Service to reduce false-positive detections. The default wait-time for a user response before allowing a program to run is 30 seconds. For more information about these global parameters, please see Global Behavior Monitoring Settings on page 176, in section 5.6 > Global Client Settings.

Important: To help ensure that the OfficeScan client does not interfere with critical server applications, behavior monitoring is disabled on server platforms. You can enable behavior monitoring by modifying the server's registry settings. See 6.4 > Post-Installation Considerations for Servers and x64 Desktop Platforms on page 241 for more details.

To configure behavior monitoring, click Networked Computers > Client Management and select the target clients or domains from the client tree. Then, on the toolbar above the client tree, click Settings > Behavior Monitoring Settings.

Figure 5.62: Behavior Monitoring Settings Page, Top Half

The Behavior Monitoring Settings page provides these configuration options:

Enable Malware Behavior Blocking: Enables/disables behavior monitoring for the detection of malware activity and similar threats. (Default: enabled.)

Enable Event Monitoring: Enables/disables the monitoring of selected system events, such as a change to the hosts file that can redirect TCP/IP connections to malware sites or the installation of an Internet Explorer plugin that may represent any number of unknown risks. (Event monitoring is disabled by default.)

Exception list configuration: An executable file can be manually approved or blocked by specifying the full path to the program and adding it to the approved or blocked programs list using the configuration tool provided in the lower half of the page.

Configuring Event Monitoring Detection Responses


All actions that may be monitored are listed in the table below the enable/disable option for event monitoring. The action that the OfficeScan client takes in response to each corresponding system-modification attempt is also configurable. These options include:

Assess: Always allow processes associated with an event but record this action in the logs for assessment.
Allow: Always allow processes associated with an event.
Ask When Necessary: Prompt users to allow or deny processes that may have violated Behavior Monitoring policies.
Deny: Always block processes associated with an event and record this action in the logs.

End-user prompts are pop-up notifications that ask users to select whether to allow or deny a process to execute, and also whether to add the program to the allowed or blocked exceptions list. If the user does not respond within the amount of time specified in the global configuration options for behavior monitoring, the OfficeScan client allows the process to continue. The table below identifies monitorable events and explains how the corresponding system changes may be used by malicious programs. This information is available on the Behavior Monitoring Settings page by mousing over the name of each policy and reading the text displayed in the detail column on the far right.
Events, descriptions, and default actions:

Duplicated System File (Default Action: Assess): Many malicious programs create copies of themselves or other malicious programs using the names of Windows system files. This may be done to override or replace system files, avoid detection, or discourage users from deleting the files.

Hosts File Modification (Default Action: Assess): The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the Web browser is redirected to infected, non-existent, or fake websites.

Suspicious Behavior (Default Action: Assess): Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution.

New Internet Explorer Plugin (Default Action: Assess): Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects.

Internet Explorer Setting Modification (Default Action: Assess): Malware often changes Internet Explorer settings, like the home page, trusted websites, proxy settings, and menu extensions.

Security Policy Modification (Default Action: Assess): Modifications in Windows Security Policy can allow unwanted applications to run and change system settings.

Program Library Injection (Default Action: Assess): Configuring Windows applications to load a malicious program library (DLL) automatically allows malicious code to run every time an application starts.

Shell Modification (Default Action: Assess): Shell settings can associate a malicious program with certain file types, launching the program when a file is double-clicked in Windows Explorer. Malicious programs can also use shell settings to track program use and start alongside legitimate applications.

New Service (Default Action: Assess): Windows services have special functions and typically run continuously in the background with full administrative access. Malicious programs can hide themselves by running as services.

System File Modification: Certain Windows system files determine system behavior, including startup programs and screensaver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior.

Firewall Policy Modification (Default Action: Assess): Malicious programs often attempt to modify the firewall policies to allow themselves access to the network and the Internet.

System Process Modification: Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes.

New Startup Program (Default Action: Assess): Adding or modifying the autostart entries in the Windows registry can cause malware to launch every time the computer starts.

Table 5.3: Event Monitoring Rules
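Of the events in Table 5.3, the hosts-file one is also easy to audit outside the agent, for example from a scheduled job or during incident triage. The Python below is an added example (not OfficeScan code) that parses hosts-file content and flags the two patterns the table describes: a watch-listed hostname pointed anywhere but loopback, and one non-loopback address collecting many hostnames. The sample hosts content, the watch list, the addresses and the fan-out threshold are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample hosts file: a benign developer alias plus three entries of
# the kind the table warns about (an update host and a banking site pointed at
# one outside address). Every name and address here is a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.56.10   dev.internal.example     # developer alias, expected
203.0.113.7     update.av-vendor.example
203.0.113.7     www.bank.example
203.0.113.7     login.bank.example
"""

# Hostnames an administrator would not expect to be overridden locally.
# Constructed watch list for the example; an organisation maintains its own.
WATCHLIST = {"update.av-vendor.example", "www.bank.example", "login.bank.example"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # first token is not an IP address: not a hosts entry
        entries.extend((addr, name.lower()) for name in names)
    return entries


def audit_hosts(text: str, watchlist=WATCHLIST, fanout_threshold: int = 3) -> List[str]:
    """Flag entries consistent with a hosts-file redirect:
    1. a watch-listed name resolved to anything other than loopback, and
    2. a single non-loopback address that many hostnames share (fan-out)."""
    findings = []
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for addr, name in parse_hosts(text):
        if ipaddress.ip_address(addr).is_loopback:
            continue   # localhost-style entries are normal
        by_addr[addr].append(name)
        if name in watchlist:
            findings.append(f"watchlisted host {name} redirected to {addr}")
    for addr, names in by_addr.items():
        if len(names) >= fanout_threshold:
            findings.append(f"{addr} receives {len(names)} hostnames: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # the constructed sample is used here so the example runs anywhere.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

The fan-out rule catches redirects even when the target hostname is not on the watch list, because a single outside address mapped to several unrelated names is rarely a legitimate administrator's configuration.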

Configuring Exception Lists for Behavior Monitoring


Exceptions include lists of approved programs and blocked programs. Programs in the approved-programs list are allowed to start even if they violate behavior monitoring policies. Programs in the blocked-programs list, however, are never allowed to start.


Administrator Track

Chapter 5: OfficeScan Management Console

Figure 5.63: Behavior Monitoring Settings Exception Lists Configuration

To add programs to the approved/blocked exception lists, enter the full filesystem path to the program and click Approve Programs or Block Programs based on the purpose of your entries. Program items entered will then be displayed in the corresponding tables at the bottom of the page.

Tip: To add multiple entries at once, separate each pathname with a semicolon (;).
Approved Programs List

This list may contain a maximum of 100 entries. List items may be deleted by clicking the item's corresponding trash icon. OfficeScan enables the Approved Programs List feature by default. The Device Control feature also allows full access to these programs.

Blocked Programs List

The OfficeScan client will always block programs in this list from being started. This list may contain a maximum of 100 entries. List items may be deleted by clicking the item's corresponding trash icon.

If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from these options:

Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.

Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.

5.5.12 Device Control


OfficeScan provides a device control feature that regulates access to external storage devices and network resources connected to computers. Device control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks. Device Control is available only on computers running x86 type platforms.

To configure device control, click Networked Computers > Client Management and select the target clients or domains from the client tree. Then, on the toolbar above the client tree, click Settings > Device Control. Choosing Block AutoRun function in USB devices prevents maliciously altered autorun.inf files from instructing the OS to run applications.

Figure 5.64: Device Control Settings

Device control governs data access based on the permissions you select for files stored on the various types of devices monitored.

Full access
Files on the device: Allowed: Copy, Move, Open, Save, Delete, Execute
Incoming files: Allowed: Save, Move, Copy. This means that a file can be saved, moved, and copied to the device.

Read and write only
Files on the device: Allowed: Copy, Move, Open, Save, Delete. Blocked: Execute
Incoming files: Allowed: Save, Move, Copy

Read and execute only
Files on the device: Allowed: Copy, Open, Execute. Blocked: Save, Move, Delete
Incoming files: Blocked: Save, Move, Copy

Read only
Files on the device: Allowed: Copy, Open. Blocked: Save, Move, Delete, Execute
Incoming files: Blocked: Save, Move, Copy

No access
Files on the device: Any attempt to access the device or network resource is automatically blocked.
Incoming files: Blocked: Save, Move, Copy

Table 5.4: Device Control Permissions

The scanning functions in OfficeScan complement and may override the device permissions. For example, if the permission allows a file to be opened but OfficeScan detects that the file is infected with malware, a specific scan action will be performed on the file to eliminate the malware. If the scan action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is deleted. New starting from OfficeScan 10.5, you can also create exception lists to ensure access to programs that are shared by groups of people or to ensure that people can edit documents on storage drives.


There are two types of exceptions:

Approved Application List: Applications in this list are exempt from Device Control policies and have full access to external storage devices and network resources.

Executable Program List: Applications in this list can be run from external storage devices, but do not have access to external devices.

To manage access to external devices:

1. Click Networked Computers > Client Management > Settings > Device Control.
2. Select the checkbox to enable device control.
2.1. Choose whether to block or allow the AutoRun function (autorun.inf) on USB devices connected to the computer.
2.2. Select the permissions for each device type.
3. Select whether to display a notification message on the client computer when OfficeScan detects unauthorized device access, which includes all operations that OfficeScan blocks.
4. Add device-access-control exceptions to the exception lists as required.
4.1. To approve an application for full access to all device types, select Grant full access to all device types, enter the full path of the program, and then click Add.
4.2. To allow an application to be run from an external device, select Allow to be run from devices, enter the full path of the program, and then click Add.

Tip: Use wildcards (* ?) as a substitute for drive letters or file names. The maximum number of entries is 100. However, you can add up to 1,000 entries in the .ini file.

5. If you selected domains or clients on the client tree, click Save to apply settings. If you selected the root icon, you can also choose from the following options:

Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.

Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.

When using the DLP plug-in, the Device Control Settings page displays new device control features implemented with DLP in OfficeScan 10.6.


Figure 5.65: Device Control Settings

Important: Device Control only supports 32-bit platforms.

Important: By default, Device Control is disabled on 32-bit versions of Windows Server 2003 and Windows Server 2008.

Important: The types of devices that OfficeScan can monitor depend on whether the Data Protection license is activated. Data Protection is a separately licensed module and must be activated before it can be used.

For more information on Device Control when using DLP, see Appendix B: Managing Data Protection and Using Digital Asset Control on page 360.


5.5.13 Spyware/Grayware Approved List


OfficeScan provides a list of approved spyware/grayware, which contains files or applications that you do not want treated as spyware or grayware. When a particular spyware/grayware is detected during scanning, OfficeScan checks the approved list and performs no action if it finds a match in the approved list. You can edit the approved list at Networked Computers > Client Management > Settings > Spyware/Grayware Approved List.

Figure 5.66: Spyware/Grayware Approved List

Apply the approved list to one or several clients and domains, or to all clients that the server manages. The approved list applies to all Scan Types, which means that the same approved list will be used during Manual Scan, Real-time Scan, Scheduled Scan, and Scan Now. OfficeScan can accommodate a maximum of 1024 spyware/grayware in the approved list.

To manage the spyware/grayware approved list:

1. Click Networked Computers > Client Management > Settings > Spyware/Grayware Approved List.
2. On the Spyware/Grayware names table, select a spyware/grayware name. To select multiple names, press the Ctrl key while selecting.

Tip: You can also type a keyword in the Search field and click Search. OfficeScan refreshes the table with the names that match the keyword.

3. Click Add. The names move to the Approved List table.


Tip: To remove names from the approved list, select the names and click Remove. To select multiple names, press the Ctrl key while selecting.

4. If you selected domains or clients on the client tree, click Save to apply settings. If you selected the root icon, you can also choose from the following options:

Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.

Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.


5.5.14 Export/Import Settings


Selecting Settings > Export Settings or Settings > Import Settings on the toolbar of the Client Management page provides an easy way to copy settings from one server to another server or to apply them to another client or domain on the same server.

Figure 5.67: Export Settings and Import Settings Pages

Exporting settings creates a .dat file in the directory you specify. To import settings back to the same server or another server, select the root, domain, or individual client to which you want to apply the settings, then click Settings > Import Settings. The Import Settings page (shown in the figure above) allows you to input the path and filename of the .dat file or click Browse to use the Open File dialog to find it.

5.5.15 Client Management: Logs


The Logs drop-down menu at the top of the client tree on the Client Management page provides you with these options:

Figure 5.68: Logs Menu on the Toolbar of the Client Management Page

These options provide direct access to the same capability that is provided on the Logs > Networked Computer Logs > Security Risks page, as shown in the figure below.

For more information on using OfficeScan log data, including the search, display, and delete functions, please see Chapter 11: Logs on page 329.

When searching for log data you may select any number of clients from the client tree. You may select individual clients or whole domains. Selecting the OfficeScan Server icon selects all clients in all domains.


Figure 5.69: Logs > Networked Computer Logs > Security Risks Page

Once you have selected your target clients, clicking an item in the logs menu launches a search configuration page for the type of log you have selected. After configuring the search criteria, clicking Display Logs displays log data that matches the criteria you have selected.

5.5.16 Client Management: Managing the Client Tree

OfficeScan 10.5 introduces the ability to use a rule-based system for creating OfficeScan domains, assigning clients to them, and periodically re-sorting clients based on the rules that you create. This system is enabled by selecting custom client groups on the Networked Computers > Client Grouping page.

For more information about how to manage OfficeScan Custom Client Groups, see section 5.5 > Client Management on page 124.

The Manage Client Tree drop-down menu at the top of the client tree on the Client Management page provides you with these options:

Figure 5.70: Manage Client Tree Menu on the Toolbar of the Client Management Page

NOTE: When the Custom Client Groups feature is used, the Add Domain and Rename Domain options are not available. You are also not able to move clients using drag-and-drop, and with the Move Client tool, you are only allowed to move clients to another OfficeScan server. You cannot move clients to another folder. To do so when using custom client groups, you must create a rule that accomplishes your goal and place that rule in the proper order within the list of sorting rules. When one of the manual sorting options is used, the Sort Client option is not available.

A domain in OfficeScan is a group of clients that share the same configuration and run the same tasks. When a client is installed or moved from one domain to another, the client adopts the settings of the domain to which it joins.


OfficeScan domains do not need to mirror your Microsoft Windows domain assignments. Members of a single Microsoft Windows domain may be assigned across any number of OfficeScan domains based on any criteria you choose. By creating domains and assigning clients to them, you can simplify your management and configuration tasks. Common manual domain-management strategies include grouping clients based on departments, the functions they perform, or a combination of the two. You can also, as time progresses, group clients temporarily or permanently according to the risk of infection and, for high-risk clients, apply more secure configurations than you would normally assign otherwise.

By default, OfficeScan simulates your network domains. The domain and client names in the client tree initially have the same names as the domain and computer names in your network. However, you can delete or rename the domains that OfficeScan has created for you, create a new domain, or transfer clients from one domain to another, regardless of your existing Microsoft domain structure.
Tip: You can also group clients by existing NetBIOS names, Active Directory names, or DNS hierarchy. This setting is located on the Networked Computers > Global Client Settings page under the heading, Client Grouping.

To add a domain from the Networked Computers > Client Management page:

1. Click Manage Client Tree > Add Domain on the toolbar.
2. Type a name for the domain you are adding.
3. Click Add. The new domain appears in the client tree.

To rename a domain from the Networked Computers > Client Management page:

1. Select the domain you want to rename.
2. Click Manage Client Tree > Rename Domain on the toolbar.
3. Type a new name for the domain.
4. Click Rename. The domain appears in the client tree under the new name.

Figure 5.71: Client Management Functions


To move a client from the Networked Computers > Client Management page:

1. Select the client(s) that you want to move.
2. Click Manage Client Tree > Move Client on the toolbar.
3. Select whether to move clients to another domain or OfficeScan server.
3.1. To move clients to another domain, select Move selected client(s) to another domain, then select the target domain from the drop-down menu and select whether to apply the settings of the new domain to the clients.

Tip: You can also drag and drop clients from one domain to another within the client tree.

3.2. To move clients to another OfficeScan server, select Move selected client(s) to another OfficeScan server, then enter the name and port number of the other server.
4. Click Move. The client will be moved.


To re-sort the client tree based on your current custom-client-groups sorting rules from the Networked Computers > Client Management page:
1. Click Manage Client Tree > Sort Client.
2. Click Start in the Sort Client dialog that appears.
3. Wait for the sorting process to complete, and then verify the results.
To delete a domain from the Networked Computers > Client Management page:
1. Delete all clients within the domain you want to remove or, alternatively, move all clients within the domain to be deleted to another domain. Only empty domains may be deleted. (You can move clients to other domains by simply dragging and dropping them on the domain to which you wish to move them.)
2. Select the domain you want to delete.
3. Click Manage Client Tree > Remove Domain/Client on the toolbar.
4. Click Yes when the confirmation prompt appears. The domain will be deleted.
To delete a client from the Networked Computers > Client Management page:

NOTE Deleting a client removes it from the client tree, but does not uninstall the client software on the target computer. Even if deleted, the OfficeScan client can still perform server-dependent tasks, such as updating components. The server, however, will no longer be able to send configuration changes or other notifications to the client.

1. Select the client you want to delete.
2. Click Manage Client Tree > Remove Domain/Client on the toolbar.
3. Click Yes when the confirmation prompt appears. The client will be deleted.

5.5.17 Client Management: Export Data


Clicking Export on the toolbar of the client tree on the Networked Computers > Client Management page exports the client summary information that appears in the content area of the client tree. Data for selected clients is saved to a .csv (comma-separated values) file, which you can view using Microsoft Excel and other spreadsheet programs.

Figure 5.72: Internet Explorer File Download Dialog for Exporting OfficeScan Client Data

Lab Exercise 3: Configure Smart Scan
Lab Exercise 4: Configure Client Settings

5.6 > Global Client Settings


The Networked Computers > Global Client Settings page enables you to configure parameters that apply to all the clients regardless of their domain/group membership or individual configurations. Global client configuration options are grouped into these areas:
• Scan settings
• Scheduled scan settings
• Firewall settings
• Behavior monitoring settings
• Alert settings
• OfficeScan service restart
• Client self-protection
• Reserved disk space
• Network virus log consolidation
• Virus/malware log bandwidth settings
• Unreachable Network
• Updates and Proxy Configuration

The figure below shows the options available.


Figure 5.73: Networked Computers > Global Client Settings Page

Global Scan Settings

In this section, you can select various global scan and cleanup settings.

Configure scan settings for large compressed files

Select this checkbox to specify which compressed files OfficeScan should skip based on (a) the size of each extracted file and (b) the number of files within the compressed file. All clients managed by the server check these settings when scanning compressed files for virus/malware and spyware/grayware during Manual Scan, Real-time Scan, Scheduled Scan, and Scan Now.

Add Manual Scan to the Windows context menu on clients

Select this checkbox to add an OfficeScan scan-now link to the Windows shell so that the option appears in Windows context menus. This allows users to scan files and folders by right-clicking a file or folder and clicking Scan with OfficeScan Client.

Figure 5.74: Windows Shell Integration for OfficeScan Client Software

Exclude the OfficeScan server database folder from Real-time Scan

Selecting this option prevents OfficeScan from scanning its own database. (Selected by default.)

NOTE Trend Micro recommends preserving this selection to prevent any possible corruption of the database that may occur during scanning.


Exclude Microsoft Exchange server folders from scanning

If the OfficeScan client and a Microsoft Exchange 2003/2008 server exist on the same computer, OfficeScan will not scan the Exchange server folders for virus/malware and spyware/grayware during Manual Scan, Real-time Scan, Scheduled Scan and Scan Now. For Microsoft Exchange 2007 folders, you need to manually add the folders to the scan exclusion list. For scan exclusion details, see http://technet.microsoft.com/en-us/library/bb332342.aspx.

GLOBAL VIRUS/MALWARE SETTINGS The following scan setting applies only to virus/malware:
Clean/Delete infected files within compressed files

Select this checkbox if you want to clean or delete compressed files. Enabling this setting may increase computer resource usage during scanning and scanning may take longer to complete. This is because OfficeScan needs to decompress the compressed file, clean or delete infected files within the compressed file, and then re-compress the file. OfficeScan supports only certain compressed file formats, including ZIP and Office Open XML, which uses ZIP compression technologies. Office Open XML is the default format for Microsoft Office 2007/2010 applications such as Excel, PowerPoint, and Word.

GLOBAL SPYWARE/GRAYWARE SETTINGS The following scan settings apply only to spyware/grayware:
Enable assessment mode

Because cleaning terminates processes and deletes registries, files, cookies and shortcuts, assessment mode was designed to allow you to first evaluate whether regularly detected spyware/grayware is legitimate (acceptable to your organization) or not. During the evaluation you would then have the opportunity to add accepted grayware instances to the spyware/grayware approved list.

NOTE The approved list is configurable on a per-domain/per-client basis and is accessible from the Networked Computers > Client Management page. On this page, select the clients you wish to configure, then click Settings > Spyware/Grayware Approved List to configure the list.

When in assessment mode, OfficeScan logs spyware/grayware detections but does not attempt to clean/remove the detected instances.
NOTE Assessment mode overrides current user and/or administrator scan actions. Therefore, even if Clean is the current action for the client's Manual Scan configuration, cleaning will not occur during assessment mode.

Trend Micro recommendations for the use of assessment mode include:

• Do not configure assessment mode to be active for a long period of time (more than a few weeks) because unwanted spyware/grayware outbreaks may occur. Determine how much time you need to collect spyware/grayware samples on your network and limit assessment mode to that period of time.
• Regularly examine the OfficeScan logs to determine which, if any, detected items should be considered legitimate and allowed to pass in the future.
• Add the acceptable spyware/grayware items to the approved list.
• If you are unsure whether an item should be considered legitimate and you can investigate it no further, you can send the files to Trend Micro for analysis.


NOTE You can choose to enable assessment mode when installing the OfficeScan server software. For more information, see step 19, Choosing Assessment Mode Options, on page 88.

Scan for cookies

Some cookies track clicks that users make and record information that users enter into non-encrypted web forms. Spyware cookies can be used by malicious individuals to collect information. Select this option to scan for potentially harmful cookies.

Count cookie into spyware log

Sometimes counting cookies as spyware incidents can give you an artificially high perception of risk.

Global Scheduled Scan Settings


Only clients set to run Scheduled Scan will use these settings. Scheduled Scan can scan for virus/malware and spyware/grayware.
Remind Users of the Scheduled Scan __ Minutes Before it Runs

OfficeScan displays a notification message minutes before scanning runs to remind users of the scan schedule (date and time) and any Scheduled Scan privilege you grant them. The notification message can be enabled/disabled by going to Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab > Scheduled Scan Settings. If disabled, no reminder displays.

Postpone Scheduled Scan for Up to __ Hour(s) and __ Minute(s)

Only users with the "Postpone Scheduled Scan" privilege can perform the following actions:
• Postpone Scheduled Scan before it runs and then specify the postpone duration.
• If Scheduled Scan is in progress, users can stop scanning and restart it later. Users then specify the amount of time that should elapse before scanning restarts. When scanning restarts, all previously scanned files are scanned again.

The maximum postpone duration/elapsed time users can specify is 12 hours and 45 minutes, which you can reduce by specifying the number of hour(s) and/or minute(s) in the fields provided.
Automatically Stop Scheduled Scan When Scanning Lasts More Than __ Hour(s) and __ Minute(s)

OfficeScan stops scanning when the specified amount of time is exceeded and scanning is not yet complete. OfficeScan immediately notifies users of any security risk detected during scanning.

Skip Scheduled Scan When a Wireless Computer's Battery Life is Less Than __ % and its AC Adapter is Unplugged

OfficeScan immediately skips scanning when Scheduled Scan launches if it detects that a wireless computer's battery life is running low and its AC adapter is not connected to any power source. If battery life is low but the AC adapter is connected to a power source, scanning proceeds.
Resume a Missed Scheduled Scan

When Scheduled Scan did not launch because OfficeScan is not running on the day and time of Scheduled Scan, scanning is launched when OfficeScan is running at the exact time Scheduled Scan is set to run, regardless of the day.


Global Firewall Settings


FIREWALL LOG SETTINGS On the Privileges and Other Settings page (accessible from the Settings drop-down menu on the Networked Computers > Client Management page), you can allow clients to send firewall logs to the OfficeScan server. (See Firewall Privileges on page 151.)

While the ability to send logs is a client/domain setting, the frequency by which firewall logs may be sent is a global parameter. This parameter applies only to clients with the privilege to send firewall logs. You may select the frequency in increments of minutes, hours, or days and specify the number using the associated drop-down list.
COMMON FIREWALL DRIVER UPDATE SETTINGS To avoid temporary disconnection from the network and other disruptions to end-user workflow that may occur if the Common Firewall Driver is updated during client upgrade, select Update the Common Firewall Driver only after a system reboot. This allows users to receive other non-disruptive updates as soon as they are available, but does not update the firewall driver until the next time the machine is shut down and restarted.

NOTE OfficeScan clients must be running version 8.0 SP1 or newer to use this feature. Clients running older software will still be prompted to restart immediately whenever updates to the Common Firewall Driver are deployed.

Global Behavior Monitoring Settings


TIME TO WAIT FOR USER INPUT When a program attempts unusual modifications to the operating system or to installed software, a message appears asking the user to continue or block the program. OfficeScan waits a number of seconds before allowing the program to run. The default is 30 seconds.

CERTIFIED SAFE SOFTWARE SERVICE Certified Safe Software Service allows behavior monitoring to reduce the likelihood of false positive detections. It queries Trend Micro cloud servers to verify whether a program is a known safe application before permitting user access. Queries may be triggered by either the Malware Behavior Blocking or Event Monitoring functions.

Important: Ensure that clients have the correct Client Proxy Settings before enabling Certified Safe Software Service. An intermittent Internet connection or the wrong proxy setting can cause programs to appear unresponsive when Behavior Monitoring attempts to cross-check a detection but is unable to receive an immediate response from Trend Micro servers.

Global Alert Settings


OfficeScan can alert end users in these events:
• The Virus Pattern has not been updated after a certain number of days. This alert appears as an icon in the Windows task bar.
• A user needs to restart his or her computer to load a kernel mode driver. This can happen after installing a hot fix or an upgrade package. Restarting the computer installs the new version, and no further restart is required. This alert appears as a notification message.


Global OfficeScan Service Restart


OfficeScan restarts client services that stopped responding unexpectedly and were not stopped by a normal system process. Enabling Restart an OfficeScan client service if the service terminates unexpectedly restarts these services:
• OfficeScan NT Listener (TMListen.exe)
• OfficeScanNT RealTime Scan (NTRTScan.exe)
• OfficeScan NT Proxy Service (TMProxy.exe)

You can cross-reference the service names above with the process names listed in the Global Client Self-protection settings section below for brief explanations of each service. You can configure the following:

Restart the Service After x Minutes

When a service stops, OfficeScan waits a certain number of minutes before restarting the service.

If the First Attempt to Restart the Service Fails, Retry x Times

Specify the maximum retry attempts for restarting a service. Manually restart a service if it remains stopped after the maximum retry attempts.

Reset the Restart Failure Count After x Hours

If a service remains stopped after exhausting the maximum retry attempts, OfficeScan waits a certain number of hours to reset the failure count. If a service remains stopped after the number of hours elapses, OfficeScan restarts the service.

Global Client Self-protection


Client self-protection provides ways for the OfficeScan client to protect the processes and other resources required to function properly. Client self-protection helps thwart attempts by programs or actual users to disable anti-malware protection.
Important: OfficeScan automatically disables client self-protection for processes and registry keys
on server platforms. See 6.4 > Post-Installation Considerations for Servers and x64 Desktop Platforms on page 241 for more details.
Protect Files in the OfficeScan Client Installation Folder

To prevent programs and users from modifying or deleting OfficeScan files, OfficeScan locks all digitally-signed files with .exe, .dll, and .sys extensions in the root of the client-installation folder, along with these unsigned files:
bspatch.exe
bzip2.exe
INETWH32.dll
libcurl.dll
libeay32.dll
libMsgUtilExt.mt.dll
msvcm80.dll
MSVCP60.DLL
msvcp80.dll
msvcr80.dll
OfceSCV.dll
OFCESCVPack.exe
patchbld.dll
patchw32.dll
patchw64.dll
PiReg.exe
ssleay32.dll
Tmeng.dll
TMNotify.dll
zlibwapi.dll

NOTE Protection does not extend to subfolders under the root folder.

If you enable Protect OfficeScan Client Processes, OfficeScan blocks all attempts to terminate these processes:

TmListen.exe | OfficeScan NT Listener receives commands and notifications from the OfficeScan server and facilitates communication from the client to the server.
NTRtScan.exe | OfficeScanNT RealTime Scan performs real-time, scheduled, and manual scans on OfficeScan clients.
TmProxy.exe | OfficeScan NT Proxy Service scans network traffic before passing it to the target application.
TmPfw.exe | OfficeScan NT Firewall provides packet level firewall, network virus scanning and intrusion detection capabilities.
TMBMSRV.exe | Trend Micro Unauthorized Change Prevention Service (also behavior monitoring) regulates access to external storage devices and prevents unauthorized changes to registry keys and processes.

NOTE To date, this setting can be deployed only to clients running on x86 platforms.

If you enable Protect OfficeScan Client Registry Keys, OfficeScan blocks all attempts to modify, delete, or add new entries under the following registry keys and subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PCcillinNTCorp\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TMCSS

NOTE To date, this setting can be deployed only to clients running on x86 platforms.

If you enable Protect OfficeScan client services, users will no longer be able to stop OfficeScan-related client services by using either the Microsoft Service Management Console or the net stop command. You can cross-reference the service names below with the process names listed above for brief explanations of the function of each service.
• OfficeScan NT Listener (TMListen.exe)
• OfficeScanNT RealTime Scan (NTRTScan.exe)
• OfficeScan NT Proxy Service (TMProxy.exe)
• OfficeScan NT Firewall (TmPfw.exe)
• Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe)

Global Reserved Disk Space Settings


OfficeScan can allocate a certain amount of client disk space for hot fixes, pattern files, scan engines, and program updates. OfficeScan reserves 60 MB of disk space by default.

Global Network Virus Log Consolidation


It is important to note that this configuration option:
• Applies only to network virus logs
• Is useful only if you are also using Trend Micro Control Manager, in addition to OfficeScan.

Only certain types of malware, such as worms, are network viruses. Network viruses use protocols, such as TCP, FTP, UDP, HTTP, and email protocols to replicate. Unlike other malware, they typically do not alter system files or modify hard-disk boot sectors, for example. Instead, they typically infect active memory and cause their hosts to flood the network with traffic, which can cause slowdowns and even complete network failure. By enabling OfficeScan clients to send network virus logs to the OfficeScan server on an hourly basis, the OfficeScan server can then send them to your Control Manager server(s) to ensure that the active monitoring, consolidation, and reporting capabilities of Control Manager have up-to-date information about the state of the network.

Global Virus/Malware Log Bandwidth Settings


In certain cases, repeat instances of the same type of infection can result in large logs and, thereby, consume extra network bandwidth when the client sends its log information to the server. Selecting this option causes OfficeScan to consolidate virus log entries after detecting multiple instances of the same malware in a short period of time. Enabling this option reduces log size and, therefore, the network bandwidth used to send log data to the server. It can also eliminate redundant administrator notifications.
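The consolidation described above, shown as an added example that is not OfficeScan's own code and not Trend Micro's log format: constructed detection lines (timestamp|client|malware|path|action) are grouped when the same malware recurs on the same client within an assumed five-minute window, so six raw detections collapse into four records that still carry a count, first/last-seen times and every affected path.

```python
# Added example (not OfficeScan code): consolidates repeated virus/malware
# detections the way the bandwidth setting above describes.
# The line format timestamp|client|malware|path|action and the malware
# names are constructed for this example, not OfficeScan's own format.
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=5)   # assumed "short period of time"


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields."""
    ts, client, malware, path, action = line.split("|")
    return {"time": datetime.fromisoformat(ts), "client": client,
            "malware": malware, "path": path, "action": action}


def consolidate(lines: List[str], window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """Merge detections of the same malware on the same client that fall
    within `window` of the group's first entry into a single record.
    A detection outside the window opens a new group for that key."""
    groups: List[Dict[str, object]] = []
    open_group: Dict[Tuple[str, str], Dict[str, object]] = {}
    entries = sorted((parse_line(line) for line in lines), key=lambda e: e["time"])
    for entry in entries:
        key = (entry["client"], entry["malware"])
        g = open_group.get(key)
        if g is not None and entry["time"] - g["first_seen"] <= window:
            g["count"] += 1
            g["last_seen"] = entry["time"]
            g["paths"].add(entry["path"])
            continue
        g = {"client": entry["client"], "malware": entry["malware"],
             "action": entry["action"], "count": 1,
             "first_seen": entry["time"], "last_seen": entry["time"],
             "paths": {entry["path"]}}
        open_group[key] = g
        groups.append(g)
    return groups


def render(groups: List[Dict[str, object]]) -> List[str]:
    """One line per consolidated record, i.e. what would be sent upstream."""
    return ["%s %s x%d %s..%s %s" % (
                g["client"], g["malware"], g["count"],
                g["first_seen"].strftime("%H:%M:%S"),
                g["last_seen"].strftime("%H:%M:%S"), g["action"])
            for g in groups]


# Constructed sample: a worm re-detected on removable media, one trojan,
# the same worm again 30 minutes later, and a second client.
SAMPLE_LOG = [
    "2011-08-01T09:00:00|PC-01|WORM_AUTORUN.A|E:\\autorun.inf|Quarantined",
    "2011-08-01T09:00:15|PC-01|WORM_AUTORUN.A|E:\\setup.exe|Quarantined",
    "2011-08-01T09:01:40|PC-01|WORM_AUTORUN.A|E:\\autorun.inf|Quarantined",
    "2011-08-01T09:02:00|PC-01|TROJ_GENERIC.X|C:\\temp\\a.exe|Deleted",
    "2011-08-01T09:30:00|PC-01|WORM_AUTORUN.A|E:\\autorun.inf|Quarantined",
    "2011-08-01T09:30:10|PC-02|WORM_AUTORUN.A|F:\\autorun.inf|Quarantined",
]

if __name__ == "__main__":
    for line in render(consolidate(SAMPLE_LOG)):
        print(line)
```

The total count across the consolidated records always equals the number of raw lines, so nothing is lost for reporting; only the per-detection repetition is removed. Grouping by (client, malware) rather than by path is what keeps the record small when a worm reinfects the same file repeatedly.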

Global Proxy Configuration


Manually configuring proxy settings can be challenging for end users to perform and for your IT organization to support. You can set the global proxy setting to automatic detection to reduce, and in many cases eliminate, required user intervention. Global configuration options for proxy settings include:
• Automatically detect settings: Enables client software to detect the proxy settings automatically using DHCP or DNS.
• Use automatic configuration script: Causes clients to use a proxy auto-configuration (PAC) script set by the network administrator to detect the appropriate proxy server. To use this option, you must provide the UNC path or a URL to the script.

Global Updates Setting


You can restrict updates from the ActiveUpdate server to the download of pattern files only whenever performing an update. In certain environments where the automated update of other types of code is strictly not permitted without prior administrative approval, this option can help keep the OfficeScan system in compliance.

Lab Exercise 4: Configure Global Client Settings

5.7 > Computer Location


Computer location controls whether clients will be considered internal or external for both Web Reputation and Smart Scan. If the gateway address that the client is using appears on the Computer Location list, the client will be considered internal. If the client is using another gateway, the client will be considered external. If you do not add at least one gateway on the Computer Location page, then all computers will be considered external by default.


Figure 5.75: Networked Computers > Computer Location Page

To add internal gateway addresses to the computer-location configuration:
1. Click Networked Computers > Computer Location.
2. Enter the dot-decimal IP address of the internal gateway.
3. [optional] Enter the MAC (Ethernet) address. If you use private IP addressing on your internal network, providing the MAC address of the gateway can add an extra layer of security. Because MAC addresses are globally unique, if your mobile clients go to another network that uses the same internal IP address scheme, the OfficeScan client can still distinguish between networks because the MAC addresses will be different.
4. Click Add.

NOTE Do not confuse the Computer Location setting with the Smart Scan Source settings. Computer Location is used only to determine whether a client is internal or external. Once a Smart Scan client is determined to be internal, it will connect to a Smart Scan server according to the settings you configure at Smart Scan > Smart Scan Source.

5.8 > Firewall Policies and Profiles Configuration

OfficeScan firewall configuration pages are accessible by clicking Networked Computers > Firewall > Policies or Networked Computers > Firewall > Profiles in the navigation column. For information on configuration options and how to implement OfficeScan firewall policies, please see Chapter 9: OfficeScan Firewall on page 287.

5.9 > OfficeScan Client Installation Options

OfficeScan provides a number of options for deploying OfficeScan client software to target computers. Two of these options are accessible directly through the management console under Networked Computers > Client Installation in the navigation column.

Client deployment options are covered in Chapter 6: Client Software Deployment on page 219. For information about the browser-based installation option, see section 6.2.1 Deploy Client Software Via Browser-based Installation on page 223. For information about the remote installation option, see 6.2.2 Deploy Client Software Using Remote Install on page 225.


5.10 > Client Connection Verification

The client-tree display on the Networked Computers > Client Management page shows the most recently known connection status of each OfficeScan client registered with the server. However, variable network conditions, elapsed time between polling intervals, and other system events may prevent OfficeScan from reflecting the actual status of every client at every moment in time. Consequently, the OfficeScan-client connection-verification feature provides you with an on-demand ability to update the connection status of all OfficeScan clients.

NOTE The connection-verification utility does not allow you to select specific domains or clients to verify. When you use this utility, it will validate the connection status of all clients.

The connection-verification utility also provides you with the ability to schedule connection verifications that will run at regular intervals, based on the settings you choose.

Figure 5.76: On-demand Client-connection-status Verification

To verify the current status of client connections:
1. Click Networked Computers > Connection Verification.
2. Click Verify Now.
3. Click OK to close the confirmation message.

To configure regularly scheduled connection verifications:
1. Click the Scheduled Verification tab on the Networked Computers > Connection Verification page.
2. Select Enable scheduled verification.
3. Select a frequency (once, hourly, daily, or weekly every specified day).
4. Specify a time of day.
5. Click Save.


Figure 5.77: Scheduled Connection Verification Configuration

After you have run a verification, you can view the results in the client tree or by viewing the connection-verification logs on the Logs > Networked Computer Logs > Connection Verification page.

5.11 > Outbreak Prevention

Manual Outbreak Prevention can provide extra protection in response to the outbreak of a new threat for which updated pattern files may not yet be available. You can use the OfficeScan management console to deploy Outbreak Prevention policies that you can design to provide additional protection against the replication methods or connection methods used by the threat. Outbreak Prevention enables you to create policies that can:
• Block shared folders to prevent threats from infecting files in the shared folders
• Block ports to prevent threats from connecting to vulnerable services
• Deny write access to files and folders to stop threats from modifying or deleting them

The Networked Computers > Outbreak Prevention page allows you to configure and deploy Outbreak Prevention by first selecting target domains and/or clients using the familiar client tree tool.

NOTE Outbreak prevention may remain in effect for a maximum of 96 hours. To block/deny access to files or folders on an ongoing basis, you should use your network domain/directory controls rather than using OfficeScan for this purpose.

After selecting your target clients/domains, click Start Outbreak Prevention on the toolbar to launch the Outbreak Prevention Settings page. On this page you can select the types of policies you want to deploy and configure them. You can also specify the duration that the Outbreak Prevention policies should be in effect and configure whether end users should be notified that an Outbreak Prevention policy is being implemented and what the notification should say.


Figure 5.78: Outbreak Prevention Settings

WARNING! Deploy Outbreak Prevention only in response to an outbreak. Take special care when configuring your Outbreak Prevention settings. Incorrect configuration can cause network communication problems.

5.11.1 Blocking Shared Folders

Viruses like NIMDA can gain access to computers through shared folders. To block shared folders with OfficeScan, enable Manual Outbreak Prevention by following the procedure outlined above. When the Outbreak Prevention Settings page appears, select the Limit/Deny access to shared folders checkbox.

NOTE Shared folders that are blocked can still be accessed locally.

With shared folder blocking enabled, you can specify access privileges to shared folders by clicking the hyperlink that is the title of the policy. Options for access privileges include:
• Allow read access only: Users will be able to read files, but cannot modify them
• Deny full access: Users (and malware) will have neither read nor write access

Figure 5.79: Configuring Shared Folder Blocking for Outbreak Prevention Policies

Make your selection and click Save to return to the Outbreak Prevention Settings page.


5.11.2 Blocking Ports

During virus outbreaks, you can block vulnerable ports that viruses and Trojans might use to gain access to clients. To block vulnerable ports with OfficeScan, deploy Outbreak Prevention by following the procedure outlined above. When the Outbreak Prevention Settings page appears, select the Block ports checkbox. With port blocking enabled, you can specify which ports to deny access privileges to by clicking the hyperlink, Block ports. The Port Blocking page will appear.

Figure 5.80: Port Blocking Configuration Page

NOTE The trusted port is the port you assigned for OfficeScan client-server communication during server installation.

On the Port Blocking page, click Add and the Add Ports to Block page appears. Options for blocking ports include:
• Block all ports (including ICMP): This option will block all ports, including the Internet Control Message Protocol (ICMP) used by PING and trace-route functions. This option does not block the OfficeScan trusted port, the port that OfficeScan uses to communicate with clients. If you want to block the trusted port, select the Block trusted port checkbox on the Port Blocking page.

WARNING! If you block the OfficeScan trusted port, the OfficeScan server and clients will not be able to communicate, and you will be unable to cancel outbreak prevention (or make other modifications to settings from the management console) until the policy expires.

• Block specified ports: This option will block only ports you select.


Figure 5.81: Specifying Ports that the Outbreak Prev O vention Policy Will Block

A number of ports are known to be vulnerable to Trojan attacks. OfficeScan enables you to selectively block these specific ports during a virus outbreak.

Port Number                   Trojan
23432                         Asylum
31337                         Back Orifice
18006                         Back Orifice 2000
12349, 6667                   Bionet
80                            Code Red
21                            DarkFTP
3150, 2140                    Deep Throat
10048                         Delf
23                            EliteWrap
6969                          GateCrash
7626                          Gdoor
10100                         Gift
21544                         Girl Friend
7777                          GodMsg
6267                          GW Girl
25                            Jesrto
25685                         Moon Pie
68                            Mspy
1120                          Net Bus
7300, 31338, 31339            Net Spy
139                           Nuker
44444                         Prosiak
8012                          Ptakks
7597                          Qaz
4000                          RA
666                           Ripper
1026, 64666                   RSM
22222                         Rux
11000                         Senna Spy
113                           Shiver
1001                          Silencer
3131                          SubSari
1243, 6711, 6776, 27374       Sub Seven
6400                          Thing
12345                         Valvoline

Table 5.5: Trojan Port Numbers

NOTE: If you select the All Trojan Ports option, you may be blocking commonly used ports (such as port 80 for the Code Red Trojan). However, you can use the All Trojan Ports option, and then manually delete ports from the list as described below.
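The review step that the note above recommends, as an added example that is not part of the textbook or of OfficeScan itself: the script takes the Trojan port list from Table 5.5, flags the entries that coincide with well-known service ports (a small constructed subset of IANA assignments, so a blanket block of the Trojan list would also cut off HTTP, SMTP, NetBIOS and the like), and produces the pruned list an administrator would keep after deleting those entries on the Port Blocking page.

```python
"""Review an outbreak-prevention port blocklist for collateral damage.

Added example (not OfficeScan code): the Trojan ports come from Table 5.5
above; the service map is a small constructed subset of IANA well-known
ports, not a complete services table.
"""
from typing import Dict, List, Tuple

# Trojan ports from Table 5.5 (port -> Trojan name); multi-port rows expanded.
TROJAN_PORTS: Dict[int, str] = {
    23432: "Asylum", 31337: "Back Orifice", 18006: "Back Orifice 2000",
    12349: "Bionet", 6667: "Bionet", 80: "Code Red", 21: "DarkFTP",
    3150: "Deep Throat", 2140: "Deep Throat", 10048: "Delf", 23: "EliteWrap",
    6969: "GateCrash", 7626: "Gdoor", 10100: "Gift", 21544: "Girl Friend",
    7777: "GodMsg", 6267: "GW Girl", 25: "Jesrto", 25685: "Moon Pie",
    68: "Mspy", 1120: "Net Bus", 7300: "Net Spy", 31338: "Net Spy",
    31339: "Net Spy", 139: "Nuker", 44444: "Prosiak", 8012: "Ptakks",
    7597: "Qaz", 4000: "RA", 666: "Ripper", 1026: "RSM", 64666: "RSM",
    22222: "Rux", 11000: "Senna Spy", 113: "Shiver", 1001: "Silencer",
    3131: "SubSari", 1243: "Sub Seven", 6711: "Sub Seven", 6776: "Sub Seven",
    27374: "Sub Seven", 6400: "Thing", 12345: "Valvoline",
}

# Constructed subset of well-known service ports that a blanket block would hit.
WELL_KNOWN_SERVICES: Dict[int, str] = {
    21: "FTP control", 23: "Telnet", 25: "SMTP", 68: "DHCP/BOOTP client",
    80: "HTTP", 113: "Ident", 139: "NetBIOS session service",
}


def review_blocklist(blocklist: Dict[int, str],
                     services: Dict[int, str] = WELL_KNOWN_SERVICES
                     ) -> Tuple[List[Tuple[int, str, str]], List[int]]:
    """Split a blocklist into (conflicts, safe).

    conflicts holds (port, trojan, service) for ports that also carry a
    listed service; safe holds the remaining ports in ascending order.
    """
    conflicts: List[Tuple[int, str, str]] = []
    safe: List[int] = []
    for port in sorted(blocklist):
        if port in services:
            conflicts.append((port, blocklist[port], services[port]))
        else:
            safe.append(port)
    return conflicts, safe


def prune(blocklist: Dict[int, str], remove: set) -> Dict[int, str]:
    """Return a copy of the blocklist with the given ports deleted
    (the manual deletion step the note describes)."""
    return {p: t for p, t in blocklist.items() if p not in remove}


if __name__ == "__main__":
    conflicts, safe = review_blocklist(TROJAN_PORTS)
    for port, trojan, service in conflicts:
        print(f"port {port:>5} ({trojan}) also carries {service}: review before blocking")
    kept = prune(TROJAN_PORTS, {p for p, _, _ in conflicts})
    print(f"{len(kept)} ports can be blocked without hitting a listed service")
```

Run on the table as given, the review flags seven ports (21, 23, 25, 68, 80, 113 and 139) and leaves 36 that can be blocked outright; whether a flagged port should still be blocked during an outbreak is a judgement call for the administrator, which is why the script reports rather than silently drops them.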


When you have finished configuring the settings and saved them, you can return to the Port Blocking page and view a list of your port blocking settings, including the blocked ports, protocol, comments, and traffic direction. You modify or delete ports to block by selecting them in this list and choosing Edit or Delete.

5.11.3 Denying Write Access to Files and Folders

Some viruses are programmed to modify or delete files and folders on their host computers. You can configure OfficeScan to prevent viruses from modifying or deleting files and folders on your clients during a virus outbreak. To deny write access to files and folders, deploy Outbreak Prevention using the procedure outlined above. When the Outbreak Prevention Settings page appears, select the Deny write access to files and folders checkbox. You can then specify which directories and file extensions to protect by clicking the hyperlink that is the name of the policy.

Figure 5.82: Write Access Denial Settings for Outbreak Prevention Policies

To protect specific directories, enter a directory path in the Directory path field. If you enter multiple paths, separate the entries with semicolons (;). When you finish entering the directory path you want to protect, click Add to transfer the path to the Protected directories field.

NOTE: The OfficeScan server will also protect any subdirectories in the specified paths.

The deny write feature sets permissions for specific files, not directories, so once you specify the directory to be protected, you must specify which files inside the directory will be protected. These options are available:
- All files in the protected directories
- Specified extensions
- Individual filenames (files to protect)

If you select files with the following extensions, you must specify the extensions you want. After configuring the settings and clicking Save, a confirmation page will appear.
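To see how the three file-selection modes and the subdirectory rule combine, here is an added example that is not part of the textbook or of OfficeScan: a small policy evaluator that takes the semicolon-separated directory field and one selection mode and decides whether a given write would be denied. The directory and file names are constructed samples; the matching is case-insensitive, as Windows file names are.

```python
"""Evaluate an Outbreak Prevention deny-write policy against candidate writes.

Added example, not OfficeScan code. It models only the rules described above:
the Directory path field holds paths separated by semicolons, subdirectories
of a protected directory are protected too, and files are selected by one of
three modes (all files, specified extensions, individual filenames). All
directory and file names below are constructed samples.
"""
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional


class DenyWritePolicy:
    def __init__(self, directory_field: str,
                 extensions: Optional[Iterable[str]] = None,
                 filenames: Optional[Iterable[str]] = None):
        # Split the console field on semicolons and drop empty entries.
        self.directories: List[PureWindowsPath] = [
            PureWindowsPath(p.strip()) for p in directory_field.split(";") if p.strip()
        ]
        # Windows names are case-insensitive, so normalise once here.
        # Both sets empty means mode "all files in the protected directories".
        self.extensions = {e.lower().lstrip(".") for e in (extensions or [])}
        self.filenames = {f.lower() for f in (filenames or [])}

    def _protected_dir(self, path: PureWindowsPath) -> bool:
        """True if the file's directory is a protected directory or lies beneath one."""
        parts = [p.lower() for p in path.parent.parts]
        for d in self.directories:
            dparts = [p.lower() for p in d.parts]
            if parts[: len(dparts)] == dparts:
                return True
        return False

    def denies(self, target: str) -> bool:
        """Return True if a write to `target` is denied under this policy."""
        path = PureWindowsPath(target)
        if not self._protected_dir(path):
            return False
        if not self.extensions and not self.filenames:
            return True  # mode: all files in the protected directories
        if path.suffix.lower().lstrip(".") in self.extensions:
            return True  # mode: specified extensions
        return path.name.lower() in self.filenames  # mode: individual filenames


def denied_writes(policy: DenyWritePolicy, targets: Iterable[str]) -> List[str]:
    """Filter a list of intended writes down to those the policy would deny."""
    return [t for t in targets if policy.denies(t)]


if __name__ == "__main__":
    policy = DenyWritePolicy(r"C:\Windows\System32;C:\Program Files\Trend Micro",
                             extensions=["exe", ".dll"])
    writes = [r"C:\Windows\System32\drivers\etc\hosts",  # protected dir, unlisted extension
              r"C:\Windows\System32\sample.DLL",          # protected subtree, listed extension
              r"C:\Users\alice\report.exe"]               # listed extension, unprotected dir
    for w in denied_writes(policy, writes):
        print("deny:", w)
```

The point the evaluator makes concrete is the one in the paragraph above: protection attaches to files, so with the extension or filename modes a directory can be "protected" and still allow writes to every file that does not match the selection.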


5.11.4 Activating the Outbreak Prevention Policy

After you have configured all the settings for your Outbreak Prevention Policy, you must activate it on the Outbreak Prevention Settings page. Click Start Outbreak Prevention to deploy Outbreak Prevention on the selected domains or clients. A confirmation message will ask you if you are sure you want to apply the policy. After confirming that you do, the current status for the policy will change to enabled.

Figure 5.83: Outbreak Prevention Status Page

5.11.5 Restoring Network Settings to Normal

When an outbreak has been successfully contained and all infected files have been cleaned or quarantined, you can disable the Outbreak Prevention policy in effect. Click Restore Settings on the toolbar on the Networked Computers > Outbreak Prevention page.

Figure 5.84: Outbreak Prevention Restore Settings Page

You can enable, disable, or edit the notification that will appear as a pop-up message on each selected client to inform users that the outbreak has ended. Click Restore Settings to disable outbreak prevention and click OK in response to the subsequent confirmation message.

5.12 > Notifications and Event Monitoring

On OfficeScan clients, threat-detection events trigger scan actions and cause log entries to be created. The results of scan actions are, themselves, events that can cause log entries to be created. Update events also result in log entries. The OfficeScan server receives information about various events by collecting log entries from OfficeScan clients. The Notifications section of the navigation column of the management console contains the configuration options for determining when and how OfficeScan should notify you (and optionally other administrators) when various events occur.


The Notifications section of the navigation column also contains configuration options for modifying the messages that end users receive when you configure scan actions, firewall-violation incidents, or web-reputation blocking incidents to result in user notification, along with whatever other security-related actions you may have selected.

5.12.1 Administrator Notifications

The OfficeScan administrator-notification options fall into two basic categories: standard notifications and outbreak notifications. Configurable parameters for all administrator notifications include:

General settings include basic connection information for the available notification methods, which include:
- Email: SMTP server
- Pager: telephone number and modem COM port
- SNMP trap: server and community name
(The Windows NT event log does not include any configurable parameters.)

Standard notification settings determine when (the conditions or criteria by which) notifications are sent and how they are sent.

Outbreak notification settings specify the various thresholds that define when you should be notified of a potential outbreak and how you should be notified.

Standard notifications are triggered by single events. Outbreak notifications are triggered only when a defined threshold for multiple events across all clients is exceeded. Both configuration pages include the same series of tabbed pages, and the method for configuring standard and outbreak notifications is basically the same.

1. You select the criteria according to which notifications will be sent (every time a threat is detected, and every time ten threats are detected within an hour, for example).
2. You then enable or disable the various media by which a notification might be sent (email, pager, etc.) and in most cases specify the content of the notification.

It's that easy. The following sections describe the specific options available on each configuration page.

Configuring General Settings

You must use the Notifications > Administrator Notifications > General Settings page to specify the settings for OfficeScan to use to send notifications by email, pager, and SNMP Trap.


Figure 5.85: General Settings for OfficeScan Administrator Notifications

To configure administrator notification settings:

1. Specify information in the fields provided.
- For the SMTP and SNMP Trap Server IP address fields, you can specify either an IP address or a computer name.
- For the Pager field, only these characters are allowed: 0 to 9, # and , (comma).
- The modem COM port must be between 1 and 10.
- Typically, you should use community names that are difficult to guess.

2. Click Save.

Configuring Standard Notifications

The Notifications > Administrator Notifications > Standard Notifications page enables you to configure the OfficeScan server to notify you (and others) of security risks detected on client computers. OfficeScan can send standard notifications through:
- Email
- Pager
- SNMP trap
- Windows NT Event Log


Figure 5.86: Standard Notifications Criteria

To configure standard notifications:

1. On the Criteria tab, specify whether to send notifications when virus/malware and spyware/grayware are detected or only when the action on these security risks is unsuccessful.
2. On the Email, Pager, SNMP Trap, and NT Event Log tabs:
2.1. Enable notifications for virus/malware and spyware/grayware.
2.2. For email notifications, specify the email recipients and accept or modify the default subject.
2.3. Accept or modify the default notification messages.

NOTE: When modifying message content, use token variables in message fields only. Token variables are not allowed in the subject fields.

3. Click Save.

ENABLING EMAIL NOTIFICATIONS

To enable email notifications, you must select the Enable notification via email checkbox. Email alerts are not enabled by default. You have the option to specify whether email recipients will get notifications from all domains or only from managed domains.


Figure 5.87: Email Notification Configuration Options

NOTE: %CV is a variable for the name of the virus detected. %CC is a variable for the names of clients that have detected the virus (see Appendix A: Notification Tokens).

The message section enables you to include various data in the email notification, such as the path of the infected file, the action taken, and more.

ENABLING PAGER NOTIFICATIONS

Pager notifications send messages to an alphanumeric pager. Not enabled by default, you can enable pager notifications in the same way as email notifications. To receive pager notifications, you must have a modem installed on the OfficeScan server and configure the General Settings for notifications, which include the COM port the modem uses, and enter the pager's telephone number. On the Pager tab, you can create the alphanumeric message that you want to be sent.

Figure 5.88: Pager Notification Configuration


ENABLING SNMP TRAP NOTIFICATIONS

You can also use SNMP to send notifications to different parts of your network. Select the Enable notification via SNMP Trap checkbox, type the IP address of your network's SNMP server, specify the community name, and (optionally) modify the message.

Figure 5.89: SNMP Trap Notification Configuration

ENABLING NT EVENT LOG NOTIFICATIONS

Configuring NT Event Log notifications is similar to other notifications. Select the Enable Notification via NT Event Log checkbox and (optionally) modify the message.

Figure 5.90: NT Event Log Notification Configuration

Configuring Outbreak Notifications

You can configure OfficeScan to notify you (as well as others) of security risk outbreaks on your network. On the Criteria tab of the Outbreak Notifications page, you can specify the number of security risk detections and the detection period that will be used to trigger outbreak notifications. Responding to an outbreak is very critical. Unless you take corrective action, an outbreak can spread quickly throughout and beyond your network.


Figure 5.91: Outbreak Notification Configuration Page

To configure outbreak notifications:

1. On the Criteria tab, specify the number of detections and detection period for each risk. OfficeScan will send a notification message when the number is exceeded. For example, if you specify 100, the alert is sent on the 101st instance.

NOTE: Trend Micro recommends accepting the default values in this screen.

Before notification criteria for firewall-violation and shared-folder-session monitoring will be used to trigger an outbreak notification, you must explicitly enable monitoring of these functions by selecting the corresponding checkbox. Under Shared Folder Sessions, click the number link to view the computers with shared folders and the computers accessing the shared folders.

2. In the Email, Pager, SNMP Trap, and NT Event Log tabs, enable notifications for the available types of events and (optionally) modify message content in the same manner as for the standard-notification configurations described in the previous section above.

NOTE: OfficeScan reports firewall violation and shared folder session outbreaks through email only.

3. Click Save.
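The outbreak criteria in step 1 are a count of detections inside a sliding detection period, and the "exceeded" wording matters: 100 detections in the period does not fire, the 101st does. As an added example that is not part of the textbook or of OfficeScan, the following script implements that rule over a handful of constructed detection records (the record format is invented for the example; OfficeScan's own log layout is not shown on this page) and checks the boundary case with a synthetic burst.

```python
"""Outbreak notification criteria as a sliding-window detection counter.

Added example, not OfficeScan code. It models the rule described above: a
notification fires when the number of detections within the detection
period exceeds the configured number (100 detections in the period means
the alert goes out on the 101st). The log line format and all sample lines
are constructed for this example.
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed detection records: timestamp, then key=value fields.
SAMPLE_LOG = """\
2011-08-01 09:00:05 client=WS-001 risk=virus name=TEST_A action=quarantine
2011-08-01 09:02:10 client=WS-002 risk=virus name=TEST_A action=quarantine
2011-08-01 09:05:44 client=WS-003 risk=spyware name=TEST_B action=clean
2011-08-01 09:07:01 client=WS-004 risk=virus name=TEST_A action=quarantine
2011-08-01 09:15:30 client=WS-005 risk=virus name=TEST_A action=quarantine
2011-08-01 09:20:12 client=WS-006 risk=virus name=TEST_A action=quarantine
2011-08-01 09:21:00 client=WS-007 risk=virus name=TEST_A action=quarantine
2011-08-01 12:30:00 client=WS-008 risk=virus name=TEST_A action=quarantine
2011-08-01 14:00:00 client=WS-009 risk=virus name=TEST_A action=quarantine
""".splitlines()

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split one record into its timestamp and a field dictionary."""
    ts = datetime.strptime(line[:19], TS_FORMAT)
    fields = dict(kv.split("=", 1) for kv in line[20:].split())
    return ts, fields


def outbreak_alerts(lines: List[str], threshold: int, period_minutes: int,
                    risk: str = "virus") -> List[datetime]:
    """Return the timestamps at which an outbreak notification would be sent.

    The window holds detections of `risk` no older than the period; an alert
    fires as soon as the window holds more than `threshold` entries, and the
    window is then cleared so one outbreak yields one notification.
    """
    period = timedelta(minutes=period_minutes)
    window: Deque[datetime] = deque()
    alerts: List[datetime] = []
    for line in lines:
        ts, fields = parse_line(line)
        if fields.get("risk") != risk:
            continue  # each risk type has its own criteria
        while window and ts - window[0] > period:
            window.popleft()  # drop detections outside the detection period
        window.append(ts)
        if len(window) > threshold:  # "exceeded": threshold + 1 detections
            alerts.append(ts)
            window.clear()
    return alerts


def synthetic_burst(count: int, start: str, gap_seconds: int) -> List[str]:
    """Build `count` constructed virus-detection lines spaced `gap_seconds` apart."""
    first = datetime.strptime(start, TS_FORMAT)
    return [
        f"{first + timedelta(seconds=i * gap_seconds):{TS_FORMAT}} client=WS-{i:03d} "
        f"risk=virus name=TEST_A action=quarantine"
        for i in range(count)
    ]


if __name__ == "__main__":
    print("sample log, 5 per 60 min:", outbreak_alerts(SAMPLE_LOG, 5, 60))
    burst = synthetic_burst(101, "2011-08-01 10:00:00", 20)  # 101 hits in under an hour
    print("threshold 100, 101 detections:", outbreak_alerts(burst, 100, 60))
    print("threshold 100, 100 detections:",
          outbreak_alerts(synthetic_burst(100, "2011-08-01 10:00:00", 20), 100, 60))
```

With a threshold of 5 per 60 minutes the sample log produces exactly one alert, at the sixth virus detection (09:21:00); the spyware line is ignored because each risk has its own criteria, and the two afternoon detections never reach the threshold. The synthetic burst shows the boundary the text states: 100 detections stay silent, the 101st fires.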

5.12.2 Client User Notifications

OfficeScan can display notification messages on client computers to inform users of threat-detection events. Client user notifications display immediately when:
- A real-time scan or scheduled scan detects virus/malware and spyware/grayware.
- The OfficeScan firewall detects a firewall policy violation.


- OfficeScan blocks a URL that violates a Web Reputation policy or detects a device-access-control or behavior-monitoring policy violation.

To modify the message for a specific security risk, use the tabs on the Notifications > Client User Notifications page and edit the message as it appears in the corresponding text box.

Figure 5.92: Client User Notification Message Configuration

All notification configurations on the Client User Notification page are global configuration variables. However, the display of user messages is a function of the action settings that you configure for the OfficeScan scan engines and other security services. In other words, an individual client displays these messages only if the security policies that you have applied to the client are configured to do so. OfficeScan client security policies are configured using the Networked Computers > Client Management page.

Lab Exercise 6: Prev vent Outbreaks

5.13 > Administration Settings

The items in the Administration menu include global configuration options that pertain mainly to server functionality, but also include options that relate to system-wide functions, such as proxy settings and licensing. Administration options covered in this section include:
- User accounts
- User roles
- Active Directory
- Proxy settings
- Connection settings
- Inactive clients
- Quarantine manager
- Product license
- Control Manager settings
- Web console settings
- Database backup

5.13.1 Creating Users and Assigning Roles

You can create additional users for the OfficeScan management console and grant them access to features based on roles. Role-based administration gives you the ability to assign specific responsibilities to administrative users and expose only those tools and rights that are necessary to perform a specific role.


Figure 5.93: Adding a User Role and Defining the Client Tree Scope and Other Access Permissions

You can create multiple customized roles that you can later edit or delete according to your needs, and you can assign multiple users to a single role. OfficeScan also has two built-in roles, which you cannot modify or delete:

Administrator: Users with the Administrator role can configure all menu items. Delegate this role to other OfficeScan administrators or users.

Guest User: Delegate this role to users who want to view the Web console for reference purposes. Users with the Guest User role have no access to the following menu items:
- Plug-in Manager
- Administration > User Roles
- Administration > User Accounts
Guest users have view access to all other menu items.

Add custom roles if none of the built-in roles meet your requirements. You can configure each custom role to have view or configure access to specific menu items and sub-items. Access to specific OfficeScan domains on the client tree cannot be controlled for each role. If the client tree is visible, all domains display. You can manage all built-in and custom roles at Administration > User Roles.

Role-based administration involves the following tasks:
1. Defining user roles.
1.1. Specifying the OfficeScan domains that the role can configure or view.
1.2. Specifying the role permissions that define the level of user access to the various elements of the user interface.
2. Configuring user accounts and assigning a role to each user.


How to perform these tasks is discussed in more detail below.

When defining a role, you can delegate tasks to child domains to restrict administrative users to specific tasks without interfering with parent domains. Limiting the presentation of the management console to configuration pages related to a defined role allows administrative users to focus only on their specific responsibilities. You can also assign view-only access to pages without granting an administrator the ability to modify the associated configuration parameters.

Figure 5.94: Highly Granular Options Available for Configuring User Roles

Role-based administration can simplify management by reducing the complexity of the OfficeScan infrastructure, and is especially helpful if you already have a robust Active Directory infrastructure that defines existing administrative boundaries. Active Directory integration enables you to use existing administrative user-account credentials from multiple forests and trusted domains, so that neither senior IT management nor administrative users themselves must keep track of separate login credentials for the OfficeScan management console. There are three types of role permissions:

Menu Items for Servers/Clients (shown in the figure above): Specify which server or client menu items all users can see or configure, regardless of selected domains. This role should have the necessary permissions on the OfficeScan root directory to ensure that the view and configure options can be enabled.

Menu Items for Managed Domains: Specify menu items that all managed domains can see or configure.

Client Management Menu Items: Specify client management tree drop-down menu items that can be seen or configured for each domain on the OfficeScan client tree.

Each role can be given permission to view or configure menu items. Not selecting an option means the menu item will be hidden when the user role logs on to the OfficeScan web console. For Menu Items for Servers/Clients settings, only users with administrative privileges that manage all domains can set configure permission.


NOTE: Each user role will get the default domain settings if the role was imported from another server. The imported role will retain the permissions for the global menu items. However, each domain will have to reconfigure the client management menu items and restructure the domain permissions.

Managing Custom Roles

The Administration > User Roles page of the management console enables you to add, modify, or delete custom user roles. You can export role definitions from one OfficeScan server and import them on another to duplicate configuration parameters across multiple servers.

Figure 5.95: Administration > User Roles

To add a new user role:

1. Click Administration > User Roles > Add.

Tip: If you are creating a role with similar access to an existing role, you may find it easier to begin by copying the existing role and then modifying it. You can do this by selecting the checkbox next to the role and then clicking Copy.

1.1. Enter a name for the role in the Name field.
1.2. Type a description of the role (optional).

2. Click Define Client Tree Scope and specify the domain(s) that this role can see or configure. You must define the client tree scope such that you are able to configure access to the client management menu items.
2.1. Click Save.


Figure 5.96: Configuring a New User Role

3. Click the Global Menu Items tab. Specify which menu items the role can see or configure for the following:
3.1. Menu items for servers/clients: Specify which server or client menu items all users can see or configure, regardless of selected domains. This role should have the necessary permissions on the OfficeScan root directory to ensure that the view and configure options can be enabled.
3.2. Menu items for managed domains: Specify menu items that all managed domains can see or configure.

NOTE: If you select the Configure permission for an item, the View permission will be automatically selected.

NOTE: Custom roles can either configure Plug-in Manager or will not have access at all. Granular selections inside plug-in applications are not available because Plug-in Manager is an independent program and OfficeScan does not control its functions.

4. Click the Client Management Menu Items tab.

Figure 5.97: Configuring Permissions for Access to Items on the Client Management Page


4.1. Select domains from the client tree scope.
4.2. Specify which Client Management Menu Items the role will be allowed to see.

NOTE: If you select the Configure permission for an item, the View permission will be automatically selected.

4.3. Optionally, click Copy settings of the selected domain to other domains to copy client management role permissions to other domains.

5. Click Save. The new role displays on the User Roles list. Note the following:
- You cannot grant access to the User Roles and User Accounts menus. Only users with the built-in administrator role and those using the root account created during OfficeScan installation can configure roles and accounts.
- You cannot grant View-only access to Plug-in Manager. Plug-in Manager is an independent program and OfficeScan does not control its functions, so if you grant access to it, it must be configure access.

From the User Roles page, you can also perform the following functions:
- Modify a role by clicking the role name (this brings up a page similar to the Add User page).
- Delete a user role by selecting the checkbox next to it and clicking Delete.
- Export role definitions by clicking Export. Role definitions will be exported to a .dat file.
- Import role definitions by clicking Import and browsing to a saved .dat file you exported previously.

Important: Importing a role with the same name as an existing role on the User Roles page will overwrite the existing role.

Managing User Accounts

Set up user accounts and assign a particular role to each user. The OfficeScan server installation process automatically creates a built-in account called root. Users who log in using the root account can access all menu items. You cannot delete the root account but you can modify account details, such as the password and display name. You can add either custom accounts or Active Directory accounts.

ADDING CUSTOM ACCOUNTS

To add a custom user account:

1. Click Administration > User Accounts.
2. Click Add.


Figure 5.98: Adding a Custom User Account

3. Type the user name, full name, and password (which you need to confirm).

NOTE: Passwords must be between 1 and 24 characters.

4. Type an email address for the account (optional).

NOTE: The email address is only used as reference. The owner of the email account does not get an email notifying him or her of the account you created.

5. Assign the account a user role from the drop-down menu.
6. Click Save. You should notify the user of his or her account credentials, including username and password.

ADDING ACTIVE DIRECTORY ACCOUNTS

You can add individual Active Directory users or groups by clicking the Add button and selecting the Active Directory User or Group radio button. However, you can add multiple users or groups at the same time using the Add from Active Directory button. This page also lets you use wildcards to locate users, groups, or domains, while the Add User page requires that you enter the full user or group name and domain name.

To add Active Directory accounts:

1. Click Administration > User Accounts.
2. Click Add from Active Directory.


Figure 5.99: Add Active Directory Users

3. Search for an account (user name or group) by specifying the user name and domain to which the account belongs. When OfficeScan finds a valid account, it displays the account name under Users and Groups.

Tip: Use the wildcard character (*) to search for multiple accounts. If you do not specify the wildcard character, include the complete account name. OfficeScan will not return a result if the account name is incomplete.

4. Click > to move the account from the Users and Groups field to the Selected Users and Groups field.
5. Select a role for the account.
6. Click Save.

Users can now log in to the management console using their Active Directory domain names and passwords. If you specify an Active Directory group, all members belonging to the group get the same role. If a particular account belongs to at least two groups and the roles for the two groups are different:
- The permissions for both roles are merged.
- If a user configures a particular setting and there is a conflict between permissions for the setting, the higher permission applies. For example, user JohnDoe logged on with the following roles: Administrator, Power User.
- All user roles display in the System Event logs.

NOTE: Authorization Manager Runtime supports only English, French, German, and Japanese language versions.
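The merge rule for an account that inherits several roles, together with two constraints stated earlier in this section (Configure implies View; Plug-in Manager allows Configure or nothing, never View alone), is easy to get wrong when reasoning about what a user in two Active Directory groups can actually do. The following is an added example that is not part of the textbook or of OfficeScan: it encodes those rules and computes the effective permissions for an account holding two roles. Administrator is the built-in role described above; "Log Reviewer" and "Scan Operator" are constructed custom roles, and the menu item names are a sample, not the console's full list.

```python
"""Merge OfficeScan role permissions the way the text above describes.

Added example, not OfficeScan code. It encodes three rules from this section:
Configure implies View; when an account holds several roles the permissions
are merged and the higher one wins on conflict; and Plug-in Manager admits
only Configure or no access, never View alone. Administrator is the built-in
role; LOG_REVIEWER and SCAN_OPERATOR are constructed custom roles, and
MENU_ITEMS is a sample of menu items rather than the console's full list.
"""
from enum import IntEnum
from typing import Dict, Iterable


class Perm(IntEnum):
    NONE = 0
    VIEW = 1
    CONFIGURE = 2  # ordering encodes "Configure implies View"


Role = Dict[str, Perm]

MENU_ITEMS = ["Networked Computers", "Updates", "Logs", "Plug-in Manager",
              "Administration > User Roles", "Administration > User Accounts"]

# Built-in role from the text: Administrator can configure all menu items.
ADMINISTRATOR: Role = {item: Perm.CONFIGURE for item in MENU_ITEMS}

# Constructed custom roles (not real console exports).
LOG_REVIEWER: Role = {"Logs": Perm.CONFIGURE, "Networked Computers": Perm.VIEW}
SCAN_OPERATOR: Role = {"Networked Computers": Perm.CONFIGURE, "Updates": Perm.VIEW,
                       "Plug-in Manager": Perm.CONFIGURE}


def validate_role(role: Role) -> None:
    """Reject a definition the console would not accept (View-only Plug-in Manager)."""
    if role.get("Plug-in Manager") == Perm.VIEW:
        raise ValueError("Plug-in Manager cannot be granted View-only access")


def effective_permissions(roles: Iterable[Role]) -> Role:
    """Merge roles: for every menu item keep the highest permission granted."""
    merged: Role = {item: Perm.NONE for item in MENU_ITEMS}
    for role in roles:
        validate_role(role)
        for item, perm in role.items():
            merged[item] = max(merged.get(item, Perm.NONE), perm)
    return merged


def can_view(perms: Role, item: str) -> bool:
    """Anything above NONE is visible, since Configure implies View."""
    return perms.get(item, Perm.NONE) >= Perm.VIEW


def can_configure(perms: Role, item: str) -> bool:
    return perms.get(item, Perm.NONE) == Perm.CONFIGURE


if __name__ == "__main__":
    # An account that is a member of two AD groups mapped to two different roles.
    merged = effective_permissions([LOG_REVIEWER, SCAN_OPERATOR])
    for item in MENU_ITEMS:
        print(f"{item:32} {merged[item].name}")
```

For the two constructed roles the conflict on Networked Computers (View in one, Configure in the other) resolves to Configure, Logs and Updates carry over unchanged, and the two Administration items stay inaccessible because neither role grants them; merging any role with Administrator yields Administrator, which is the reason the text warns to delegate that built-in role deliberately.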

PERFORMING ADDITIONAL USER ACCOUNT MANAGEMENT TASKS

After you have added accounts, you can also modify them, enable or disable them, change their roles, delete them, or assign them a single sign-on for the Trend Micro Control Manager console.

To modify user accounts, click the user name on the User Accounts page.

Tip: Use this option to change a user's password or assign a new one if the user has forgotten the original one.


To disable or enable user accounts, click the icon in the Enable column on the User Accounts page. Note that you cannot disable Active Directory group accounts. If you do not want users in the group to access the management console, delete the group from the user accounts list and create new accounts for the individual users you want to have access. The root account cannot be disabled.

To change a user's role, select the checkbox by the user account and click Change Role.

To delete user accounts, select the checkbox by the user account and click Delete.

To create a single sign-on for Trend Micro Control Manager, create a new user account in Control Manager. When specifying the user name, type the account name that appears on the OfficeScan console. Assign the new account access and configure rights to the OfficeScan server. See the Trend Micro Control Manager documentation for more information on the process.

NOTE: Single sign-on enables users to access the OfficeScan management console from the Control Manager console. If a Control Manager user has access and configure rights to OfficeScan but does not have an OfficeScan account, the user cannot access OfficeScan. The user sees a message with a link that opens the OfficeScan Web console's logon screen. Users who log on using Control Manager's root account can access OfficeScan even without an OfficeScan account.

User Activity Log Entries

You can view log entries for all user activity related to the management console in the System Events Logs. The following activities are logged:
- Logging on to the console
- Password modification
- Logging off from the console
- Session timeout (user automatically gets logged off)

See Chapter 11: Logs on page 329 for more information about working with OfficeScan logs.

5.13.2 Active Directory Settings

OfficeScan integration with Microsoft Active Directory helps you to manage OfficeScan clients more efficiently. All users in the network domain can have secured access or be allowed access based on the logon authentications of another domain. The authentication process and the encryption key provide validation of credentials for users. You can manually or periodically synchronize your Active Directory domains with the OfficeScan server. Information from Active Directory can then be used for these key features:

Role-based administration: Gives you the ability to assign specific responsibilities to administrative users and use their domain accounts to access the management console.

Custom Client Groups: Automatically groups clients into OfficeScan-configuration domains in the OfficeScan client tree, using the Active Directory name and domain or IP addresses to identify clients.


Outside Server Management: Helps you to ensure that computers in the network that are not managed by the OfficeScan server comply with the company's security guidelines.

To integrate Active Directory with OfficeScan:

1. Click Administration > Active Directory > Active Directory Integration.
2. Under Active Directory Domains, specify the Active Directory domain name.

Figure 5.100: Adding an Active Directory Domain and Access Credentials

3. Click Enter domain credentials. Enter domain credentials and an encryption key if the OfficeScan server is not part of the network. However, these are optional if the OfficeScan server is already part of the network.
4. When prompted, enter the user name and password OfficeScan will use to query the Active Directory domain.

Important: Ensure that the domain credential does not expire.

5. To enter more than one Active Directory domain, click the plus button. (Click the minus button to delete Active Directory domains.) Specify domain credentials separately.
6. Specifying an encryption key and a file that OfficeScan can use to transform plain text into cipher text when storing the domain credentials in the OfficeScan database provides additional security. This encryption key supports all file formats.
7. Click Save or Save and synchronize Active Directory.

Active Directory synchronization activity is indicated at the bottom right of the Active Directory Integration page. An animated process graphic is also displayed to the right of the Enter domain credentials button (not shown in the graphic below). Successful synchronizations are indicated by a green checkmark (or tick mark) placed to the right of the Enter domain credentials button. (Start and completion times are also recorded in the system event logs.)

Figure 5.101: Activity and Completion Indicators for A d Active Directo Synchroniz ory zation


Maintaining Active Directory Domains

You should regularly synchronize Active Directory with the OfficeScan database to ensure that Active Directory and the OfficeScan client tree have the same data and to ensure security compliance for unmanaged computers.
To manually synchronize Active Directory domains with the OfficeScan database, you use the Save and synchronize Active Directory button on the same page that you originally used to configure Active Directory Integration. On subsequent uses of this page, however, you do not need to re-enter domain names and credentials.
1. Click Administration > Active Directory > Active Directory Management.
NOTE: If the OfficeScan server is part of the network, click Save and synchronize Active Directory without specifying domain credentials and the encryption key.

2. Under Active Directory Domains, specify the Active Directory domain name.
3. Specify domain credentials.
4. Specify an encryption key and file that OfficeScan uses to transform plaintext into ciphertext when storing the domain credentials in the OfficeScan database.
5. Click Save and synchronize Active Directory.
To automatically synchronize Active Directory domains with the OfficeScan database:
1. Click Administration > Active Directory > Scheduled Synchronization.

Figure 5.102: Configuring Scheduled Synchronizations with Active Directory Domains

2. Select Enable scheduled Active Directory synchronization.
3. Specify the frequency (daily, weekly, or monthly) with which synchronizations should be performed and the time of day at which synchronizations should begin. For weekly synchronizations, you may also specify a day of the week; for monthly synchronizations, you may specify the day of the month.
4. Click Save.

5.13.3 Proxy Settings

The Administration > Proxy Settings page displays the current proxy settings for both the OfficeScan server and the Smart Scan server. If there is no proxy, the Use a proxy checkbox will not be selected. To add proxy settings, you must first select the Use a proxy checkbox. To change existing proxy settings, simply enter the new information and click Save.
Intranet communications do not normally require a proxy server. Change the intranet proxy settings only if your network requires it. If HTTP communication between the OfficeScan clients and the OfficeScan server uses a proxy, you need to enter the proxy server, port, login name, and password in the Intranet Proxy page.

Figure 5.103: OfficeScan Proxy Settings

5.13.4 Connection Settings

During OfficeScan server installation, the installation program automatically sets up the OfficeScan web server (IIS or Apache web server) to which client computers connect. In the event that you change the IP address and/or port number of the OfficeScan web server (using the IIS management console, for example), the Administration > Connection Settings page allows you to update this information for OfficeScan clients.

Figure 5.104: Connection Settings to OfficeScan Web Server

NOTE: If your server receives a DHCP-assigned IP address, Trend Micro recommends using the DNS name to ensure that if your server obtains a different IP address, clients will still be able to find it using DNS.

To configure connection settings:
1. Click Administration > Connection Settings.
2. Type the domain name/IP address and port number of the OfficeScan web server.
3. Click Save.
The connection settings you specify are written to the ofcscan.ini file, which is then pushed out to OfficeScan clients so they can still communicate with the server.


5.13.5 Inactive Clients

When you use the client uninstallation program to remove the client program from a computer, the program automatically notifies the server. When the server receives this notification, it removes the client icon in the client tree to show that the client no longer exists. However, if the client is removed using other methods, such as reformatting the computer's hard drive or deleting the client files manually, OfficeScan will not be aware of the removal and will display the client as inactive. If a user unloads or disables the client for an extended period of time, the server also displays the client as inactive.
To have the client tree display active clients only, you can configure OfficeScan to automatically remove inactive clients from the client tree.

Figure 5.105: Configuring OfficeScan to Remove Inactive Clients Automatically

To configure OfficeScan to automatically remove inactive clients:
1. Click Administration > Inactive Clients.
2. Select Enable automatic removal of inactive clients.
3. Select how many days should pass before OfficeScan considers a client inactive.
4. Click Save.

5.13.6 Quarantine Manager

Whenever the OfficeScan client detects a security risk and the scan action is quarantine, it encrypts the infected file, moves it to the local quarantine folder, and sends it to the OfficeScan server. The server also encrypts the infected file to prevent it from infecting other files.

Figure 5.106: Quarantine Manager Page

Default locations of the quarantine folder:
Client: {installation path}\SUSPECT
Server: {installation path}\PCCSRV\Virus

The default OfficeScan server installation folder is %ProgramFiles%\TrendMicro\OfficeScan. The default client installation folder is %ProgramFiles%\TrendMicro\OfficeScanClient.


NOTE: If the OfficeScan client is unable to send the encrypted file to the OfficeScan server for any reason, such as a network connection problem, the encrypted file remains in the client quarantine folder. The client will attempt to resend the file when it connects to the OfficeScan server.

To change the quarantine folder location on the server, go to the scan action configuration pages (Networked Computers > Client Management > Settings > {Scan Type} > Action tab).
NOTE: You can also change the quarantine directory by editing the ofcscan.ini file. Under [server_ini_section], change the path for Quarantine-Folder=.

To configure the quarantine manager:
1. Accept or modify the default capacity of the quarantine folder and the maximum allowed size for a file stored in the quarantine folder. The default values are specified in the page.
2. Click Save Quarantine Settings.
3. To remove all existing files in the quarantine folder, click Delete All Quarantined Files.
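The ofcscan.ini note above describes changing Quarantine-Folder by hand. The following script is an added example (not Trend Micro's code) that makes the same edit programmatically while preserving the key's case and refusing a path that is neither an absolute local path nor a UNC path; the INI text and the [server_ini_section] name are constructed from the textbook's placeholder, not taken from a real server.

```python
"""Change Quarantine-Folder in an OfficeScan ofcscan.ini programmatically.

Added example, not Trend Micro code. The INI text below is constructed, and
[server_ini_section] is the placeholder section name the textbook uses.
"""
import configparser
import io
import re

# Constructed fragment of an ofcscan.ini; not a dump of a real server file.
SAMPLE_INI = """[server_ini_section]
Quarantine-Folder=C:\\Program Files\\Trend Micro\\OfficeScan\\PCCSRV\\Virus
SomeOtherKey=1

[another_section]
Unrelated=keep-me
"""

# Absolute local path (drive letter) or UNC path (\\server\share...).
_LOCAL = re.compile(r"^[A-Za-z]:\\")
_UNC = re.compile(r"^\\\\[^\\]+\\[^\\]+")


def is_acceptable_quarantine_path(path):
    """Accept only an absolute local path or a UNC path (assumption: a relative
    path would resolve against whatever the service's working directory is)."""
    return bool(_LOCAL.match(path) or _UNC.match(path))


def _parse(ini_text):
    cp = configparser.ConfigParser(interpolation=None)  # paths may contain '%'
    cp.optionxform = str  # keep "Quarantine-Folder" exactly; default lower-cases keys
    cp.read_string(ini_text)
    return cp


def get_quarantine_folder(ini_text, section="server_ini_section"):
    return _parse(ini_text).get(section, "Quarantine-Folder")


def set_quarantine_folder(ini_text, new_path, section="server_ini_section"):
    """Return ini_text with Quarantine-Folder under `section` set to new_path.

    Raises ValueError instead of producing a half-edited file when the path
    is unacceptable or the key is missing.
    """
    if not is_acceptable_quarantine_path(new_path):
        raise ValueError(f"not a local or UNC path: {new_path!r}")
    cp = _parse(ini_text)
    if not cp.has_option(section, "Quarantine-Folder"):
        raise ValueError(f"Quarantine-Folder not found under [{section}]")
    cp.set(section, "Quarantine-Folder", new_path)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # ofcscan.ini uses key=value
    return out.getvalue()


if __name__ == "__main__":
    print(set_quarantine_folder(SAMPLE_INI, r"D:\OfficeScanQuarantine"))
```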

5.13.7 Product License

On the Administration > Product License page, you can view and renew OfficeScan service licenses. You can also activate a new service you have purchased. If you purchased the Antivirus service, you can enable/disable the OfficeScan firewall. The Antivirus service also includes support for Cisco NAC and outbreak prevention.
NOTE: You can enable the OfficeScan firewall during installation. If you disable the firewall, all firewall functions in the server and client will be hidden.

Figure 5.107: Product License Page


The status of your licenses appears at the top of the page. Reminders occur in these instances:
Full version: 30 days before the grace period ends; and when the license is already expired and the grace period is over (component updates will be disabled, but scanning will proceed using out-of-date components)
Evaluation (Trial) version: when the license is already expired (component updates, scanning, and all client features are disabled)
To activate/renew a service license:
1. Click the name of the service.
2. In the Product License Details page, click New Activation Code.

Figure 5.108: Adding a New Activation Code to Renew an OfficeScan Service

3. Enter the activation code in the page that opens and click Save.
NOTE: You must register a service before you can activate it. Contact your Trend Micro sales representative for more information about your Registration Key and Activation Code.

4. Back in the Product License Details page, click Update Information to refresh the page with the new license details and the status of the service. This page also provides a link to your detailed license, available on the Trend Micro website.
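The reminder and capability rules for the full and evaluation licenses, expressed as a small Python model; this is an added example and not Trend Micro's code. The 60-day grace period used in the sample run is a constructed assumption, because the textbook gives only the 30-day reminder window and what stops working at each stage.

```python
"""Model of the Product License page's reminder and capability rules.

Added example, not Trend Micro code. It encodes only what the textbook
states (30-day reminder window, what stops working after expiry); the grace
period length is a parameter because the page does not give one.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REMINDER_DAYS = 30  # full version: reminder starts 30 days before the grace period ends


@dataclass(frozen=True)
class LicenseStatus:
    state: str               # active, in_grace, reminder, grace_expired, expired
    reminder: bool           # console shows a license reminder
    component_updates: bool  # pattern/engine component updates still allowed
    scanning: bool           # scanning still runs
    client_features: bool    # other client features still enabled


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def license_status(edition, expiry, today, grace_days=0):
    """edition is 'full' or 'evaluation'; grace_days applies to 'full' only."""
    expiry, today = _as_date(expiry), _as_date(today)
    if edition == "evaluation":
        if today > expiry:
            # Expired trial: updates, scanning and all client features are disabled.
            return LicenseStatus("expired", True, False, False, False)
        return LicenseStatus("active", False, True, True, True)
    if edition != "full":
        raise ValueError(f"unknown edition {edition!r}")
    grace_end = expiry + timedelta(days=grace_days)
    if today > grace_end:
        # Grace period over: updates stop, but scanning keeps running with the
        # (increasingly out-of-date) components already on the endpoint.
        return LicenseStatus("grace_expired", True, False, True, True)
    if today >= grace_end - timedelta(days=REMINDER_DAYS):
        return LicenseStatus("reminder", True, True, True, True)
    if today > expiry:
        return LicenseStatus("in_grace", False, True, True, True)
    return LicenseStatus("active", False, True, True, True)


def days_until_updates_stop(edition, expiry, today, grace_days=0):
    """Days from today to the last day component updates are still allowed (0 if none)."""
    expiry, today = _as_date(expiry), _as_date(today)
    cutoff = expiry if edition == "evaluation" else expiry + timedelta(days=grace_days)
    return max((cutoff - today).days, 0)


if __name__ == "__main__":
    # Constructed dates: full license expiring 2011-06-30 with a 60-day grace period.
    for day in ("2011-05-01", "2011-07-15", "2011-07-30", "2011-08-30"):
        print(day, license_status("full", "2011-06-30", day, grace_days=60))
```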

5.13.8 Control Manager Settings

You can manage OfficeScan servers with Trend Micro Control Manager. Control Manager is a highly scalable management product that provides a centralized management console to consolidate report data and manage Trend Micro products and services deployed throughout a network. The Control Manager agent for OfficeScan accepts commands from the Trend Micro Control Manager server and instructs OfficeScan to perform them. This version of OfficeScan supports Control Manager 3.5 Patch 2.


Figure 5.109: Control Manager Configuration Page

NOTE: To manage OfficeScan using Control Manager, you must first install the Control Manager server software on one or more servers and activate the software. For information on how to install and use Control Manager, please see the Control Manager documentation. After your Control Manager server(s) are set up, you may then register the OfficeScan server with the Control Manager you choose. The Control Manager Settings page shows registration status and other options.

To register the OfficeScan server to a Control Manager server:
1. Click Administration > Control Manager Settings. The Control Manager Settings page appears.
2. Verify the Connection Status. If the OfficeScan server is not already registered to a Control Manager server, the words Not registered appear in red.
3. Under Connection Settings, for Entity display name, enter the name by which the OfficeScan server should be known to the Control Manager server.
NOTE: The name you specify is the name that Control Manager will use to identify the device in the Product Directory of the Control Manager interface.

4. Under Control Manager Server Settings, enter the IP address or FQDN (fully qualified domain name) of the Control Manager server to which you want to register.
4.1. Also enter the port number that the Control Manager server uses to receive connections from Control Manager clients/agents.

NOTE: Required fields are marked by red asterisks.

4.2. If the web server that Control Manager uses requires authentication, enter the username and password in the Web server authentication section. Otherwise, leave this section blank.

5. If there is a proxy server between the OfficeScan server and the Control Manager server, select the Use a proxy server for communication with the Control Manager server checkbox under Proxy Settings. The associated options become editable.
5.1. Select the Proxy protocol to use: HTTP, SOCKS4, or SOCKS5.
5.2. Enter the FQDN or IP address of the proxy server and the port that it uses.
5.3. If the proxy server uses authentication, enter the user ID and password.

6. If you have a router with NAT (Network Address Translation) enabled, and your OfficeScan server is on the internal/private/translated side of the router and the Control Manager server is on the external/public side, you can configure the registration of the OfficeScan server with the Control Manager server so that the Control Manager server will use an external/public IP address of the router/NAT device instead of the internal/private IP address that the OfficeScan server uses on the local network. To make this work, you must:
6.1. Configure a static port mapping on the router/NAT device that maps an external IP address and TCP port combination to the internal IP address and TCP port 443 of the OfficeScan server.
6.2. Select the Enable two-way communication port forwarding checkbox on the Control Manager Settings page.
6.3. Enter the external IP address of the router/NAT device that you will use, along with the external TCP port number.

NOTE: If there are no NAT devices between the OfficeScan server and the Control Manager server, two-way communication port forwarding is NOT required for two-way communication. Also note that although you lose real-time updates and control, two-way communication is not required for other Control Manager functions.

7. After entering all required settings, click Test Connection to verify that your OfficeScan server can connect to the Control Manager server.
8. Click Register. A progress bar displays the progress of the registration and indicates when registration is complete. Upon completion, the Control Manager Settings page is updated to reflect the connection status.

Figure 5.110: Control Manager Registration Status Indicator

NOTE: Once the OfficeScan server is registered, the management of update functions is transferred to the Control Manager console and these options within the management console are disabled (grayed out).

To verify that the OfficeScan server appears correctly in the Control Manager management console:
1. Log on to the Control Manager console and click Products on the main menu.


2. Go to the Managed Products page.
3. Look to see that your OfficeScan server appears in the product directory.

5.13.9 Web Console Settings

The Web Console Settings page allows you to configure the OfficeScan server to automatically update status information on the Summary page so that it displays up-to-date information without your having to click Refresh. You can also configure an idle-time threshold for console logins without having to configure the server's ini file.

Figure 5.111: Administration > Web Console Settings Page

To configure the web console settings:
1. Click Administration > Web Console Settings.
1.1. Select Enable auto refresh and then select the refresh interval. Available selections range from 10 to 300 seconds in varying intervals. The default is 30 seconds.
1.2. Select Enable Timeout Setting and then select the timeout interval. Available selections range from 10 to 60 minutes in 10-minute intervals. The default is 30 minutes.
2. Click Save.

5.13.10 Database Backup

OfficeScan can automatically back up its own database at a regularly scheduled time. You can also perform manual backups using the Administration > Database Backup page.
You may select either a local path or a UNC path for the backup location. If you select a UNC path, it enables you to install to any location on your network. When you type in a UNC path, you must also enter the administrator account name and password. If OfficeScan cannot access the selected path, it will back up to {Install Path}\PCCSRV\Web\Service\DBTemp.
WARNING! The backup path must be a local or UNC path. Backups to mapped drives will fail.


Figure 5.112: OfficeScan Database Backup Configuration

To enable a scheduled backup, click in the appropriate checkbox. Scheduled backups are not enabled by default. Select the time when you want OfficeScan to perform the backup. You may choose a daily, weekly, or monthly backup. Whichever you choose, you may then select the starting time. Trend Micro recommends backing up the database during non-business hours.
To save scheduled database backup configurations, click Save. To perform an immediate backup to the specified path, click Backup Now.
WARNING! Abnormal server shutdowns during a backup can corrupt the database. For information on how to recover a corrupt database, see Chapter 12: Troubleshooting on page 341.

Lab Exercise 7: Configure Administration Settings

5.14 > Plug-in Manager

You can manage plug-in programs that are developed outside of a product release by using the Plug-in Manager. The Plug-in Manager page automatically displays plug-in programs when they become available. You can download, install, and manage plug-in programs on this same page.
NOTE: Plug-in Manager does not support plug-in program installation and management from Trend Micro Control Manager.

WARNING! The Plug-in Manager installation package does not support remote installation. You must open the OfficeScan web-based management console in a browser that is running on the OfficeScan server itself. (Using Remote Desktop to accomplish this is supported.)


To install the Plug-in Manager:
1. Click the installation here link on the Plug-in Manager page.

Figure 5.113: Plug-in Manager Installation Package Download Link

2. Read the subsequent notice with regard to Plug-in Manager requirements and click Download Plug-in Manager.
3. At the File Download prompt, select Run to run the file (or select Save to save the setup.exe file and manually launch it when the download is complete). After the installer program is launched, follow the on-screen prompts to complete the installation.

Figure 5.114: Plug-in Manager Installation

4. Return to the Plug-in Manager page to verify the installation. The Plug-in Manager page is automatically populated with available plug-in programs.
The currently installed version of Plug-in Manager is listed at the top. If a newer version is available, the newer version is listed, along with a Download button.

Figure 5.115: Plug-in Manager Available Programs and Version Information


To update the current version of Plug-in Manager:
1. If the Plug-in Manager page shows that a newer version of Plug-in Manager is available, click Download.

Figure 5.116: Upgrading the Plug-in Manager

2. When the download is complete, click Upgrade Now.
3. When the upgrade is complete, click OK.

5.14.1 Plug-in Program Installation

To install a new plug-in program:
1. On the Plug-in Manager page, go to the plug-in program section and click Download. The size of the plug-in program package displays beside the Download button.

Figure 5.117: Downloading an OfficeScan Plug-in Program

NOTE: Plug-in Manager downloads the package from the Trend Micro ActiveUpdate server, the default download source, to a temporary folder (\PCCSRV\Download\Product). If Plug-in Manager is unable to download the package, it automatically downloads again after 24 hours. To manually trigger Plug-in Manager to download the package, restart the OfficeScan Plug-in Manager service from the Microsoft Management Console.

2. Monitor the download progress. Navigating away from this page during the download will not abort the process.


3. After Plug-in Manager downloads the package, a new page displays, providing you the following options: Install Now or Install Later. Click Install Now.
4. After the installation, the current plug-in program version displays. You can manage the plug-in program by clicking Manage.

Figure 5.118: Installed Plug-in Program

5.14.2 Plug-in Program Management

On the Plug-in Manager page, go to the plug-in program section and click Manage Program to configure settings and perform program-related tasks. Tasks may include activating the program and deploying it to OfficeScan clients.

Figure 5.119: A Plug-in Program Management Interface Displayed within the Plug-in Manager Page

The OfficeScan client software includes a Plug-in Manager client component that communicates with the server (for more information, see 8.7.8 Client Plug-in Manager on page 283). When you install a plug-in that functions as an add-on to existing OfficeScan client software, the Plug-in Manager notifies OfficeScan clients to install the program.
NOTE: The client Plug-in Manager has the same system requirements as the OfficeScan client. The only additional requirement is Microsoft XML Parser (MSXML) version 3.0 or later.

The installation path for a plug-in program on the client computer is {%ProgramFiles%}\TrendMicro\{Pluginprogramname}.


5.14.3 Troubleshooting the Download of a Plugin


If your attempt to download a plug-in fails, check the Plug-in Manager update source by navigating to Updates > Server > Update Source on the OfficeScan management console. Possible update sources may include:
ActiveUpdate Server
Other Update Source
Intranet Location Containing a Copy of the Current File

The Trend Micro ActiveUpdate server is the default update source for OfficeScan. An Internet connection is required to connect to this server. If the server computer connects to the Internet through a proxy server, ensure that an Internet connection can be established using the proxy settings.
If you have specified multiple update sources:
1. Ensure the server computer can connect to the first update source on the list. If the server computer cannot connect to the first update source, it does not attempt to connect to the other update sources.
2. Check if the first update source contains the latest version of the Plug-in Manager component list (OSCE_AOS_COMP_LIST.xml) and the plug-in installation package.
If the update source is an intranet location:
1. Check if there is a functional connection between the server computer and the update source.
2. Check if the update source contains the latest version of the Plug-in Manager component list (OSCE_AOS_COMP_LIST.xml) and the plug-in installation package.


5.15 > Chapter Summary and Review Questions


Summary
The OfficeScan management console is the key to managing all the OfficeScan clients on your network. It gives you complete control over the security policies of the enterprise. You can use it to perform management tasks such as reviewing threat status information of all of your clients, configuring Outbreak Prevention policies, granting privileges to clients, configuring proxy servers, and creating alert messages.

Review Questions
1. In which of the following ways can Manual Outbreak Prevention protect your network?
a) It can block access to shared folders.
b) It can block ports from being used.
c) It can deny all access to files and folders.
d) All of the above
2. What is IntelliScan?
a) A method of identifying files to scan by looking at their headers
b) A method of identifying files to scan based on the file content
c) A method of scanning files based on their extensions
d) All of the above
3. What is ActiveAction?
a) A specialized cleaning action
b) An action that protects the desktop in the most efficient way
c) A set of preconfigured scan actions for viruses and other types of malware
d) None of the above
4. Which tab can you NOT prevent from appearing in the client console?
a) Firewall tab
b) Toolbox tab
c) Mail Scan tab
d) Scan tab


Chapter 6: Client Software Deployment

Chapter Objectives
After completing this chapter, you should be able to:
Identify the hardware requirements of OfficeScan client software
Describe the various client deployment options available


6.1 > Minimum Requirements for Client Software


OfficeScan provides client software support for 32-bit and 64-bit editions of Windows XP, Vista, 7, Server 2003, and Server 2008, along with support for these virtualization platforms:
Microsoft Virtual Server 2005 R2 with Service Pack 1
VMware ESX/ESXi Server 3.5 (Server Edition)
VMware Server 1.0.3 or later (Server Edition)
VMware Workstation and Workstation ACE Edition 6.0
Before deployment, you will need to verify that client machines meet the requirements listed in the tables below.
NOTE: OfficeScan provides support for Microsoft Vista beginning with version 8.0, in which support for legacy Microsoft Windows 9x, Me, NT4, and IA64 platforms was simultaneously discontinued. If you have clients running these older operating systems, please see Accommodating Unsupported Client Operating Systems on page 71.

NOTE: OfficeScan client software supports Citrix Presentation Server version 4.5 (32-bit and 64-bit versions) and Platinum Edition version 4.0 beginning with version 8.0, service pack 1.

OfficeScan Client for Windows XP/Server 2003 32-bit and 64-bit Editions
Operating System:
  Windows XP Professional with SP2 or later
  Windows XP Home with SP2 (32-bit only)
  Windows Server 2003 & 2003 R2 Standard, Enterprise, Datacenter, and Web Editions with SP2 or later
  Windows Storage Server 2003 & 2003 R2
  Microsoft Cluster Server 2003
  Guest XP/Server 2003 OSs hosted on these virtualization platforms:
    o Microsoft Virtual Server 2005 R2 with Service Pack 1 (32-bit OSs only)
    o VMware Workstation and Workstation ACE Edition 6.0
    o VMware ESX/ESXi Server 3.5 or 4 (Server Edition)
    o VMware Server 1.0.3 or later (Server Edition)
    o Microsoft Windows Server 2008 & 2008 R2, 64-bit Hyper-V
    o Microsoft Hyper-V Server 2008 R2, 64-bit
File sharing configuration:
  On Windows XP computers, Simple File Sharing must be disabled for users to successfully install the OfficeScan client
Hardware:
  300 MHz Intel Pentium processor or equivalent, including AMD x64 or Extended Memory 64 Technology (EM64T) processors
  256 MB of RAM (512 MB recommended)
  350 MB of available disk space
Browser:
  Microsoft Internet Explorer 6.0 or later, if performing web-based setup

OfficeScan Client for Windows Vista / Windows 7 32-bit and 64-bit Editions
Operating System:
  Windows Vista Home, Premium, Business, Enterprise, & Ultimate
  Windows 7 Home, Premium, Business, Enterprise, & Ultimate
  Guest Windows Vista / 7 OSs hosted on these virtualization platforms:
    o VMware ESX/ESXi Server 3.5 or 4 (Server Edition) (4 only for Win 7)
    o VMware Server 1.0.3 or later (Server Edition)
    o VMware Workstation and Workstation ACE Edition 6.0
    o Microsoft Windows Server 2008 & 2008 R2, 64-bit Hyper-V
    o Microsoft Hyper-V Server 2008 R2, 64-bit
Hardware:
  800 MHz Intel Pentium processor or equivalent, or AMD x64 or Extended Memory 64 Technology (EM64T) processor
  Windows 7: 1 GHz Intel Pentium processor or equivalent (2 GHz recommended)
  1 GB of RAM (1.5 GB recommended, 2 GB recommended for Windows 7)
  350 MB of available disk space
Browser (if performing web-based setup):
  Vista: Microsoft Internet Explorer 7.0 or later
  7: Microsoft Internet Explorer 8.0 or later

OfficeScan Client for Windows Server 2008/2008 R2 32-bit and 64-bit Editions
Operating System:
  Windows Server 2008 SP1 & 2008 R2 Standard, Enterprise, Datacenter, and Web Editions or later
  Microsoft Cluster Server 2008
  Guest Windows Server 2008 OSs hosted on these virtualization platforms:
    o VMware ESX/ESXi Server 3.5 or 4 (Server Edition)
    o VMware Server 1.0.3 or later (Server Edition)
    o VMware Workstation and Workstation ACE Edition 6.0
    o Microsoft Windows Server 2008/2008 R2 64-bit Hyper-V
    o Microsoft Hyper-V Server 2008 R2 64-bit
  NOTE: OfficeScan can be installed on Windows 2008 running in the Server Core environment.
Hardware:
  1.4 GHz (2 GHz recommended) Intel Pentium processor or equivalent, including AMD x64 or Extended Memory 64 Technology (EM64T) processors
  512 GB of RAM (2 GB recommended)
  350 MB of available disk space
Browser:
  Microsoft Internet Explorer 7.0 or later, if performing web-based setup

Table 6.1: Minimum System Requirements for OfficeScan Client Software


NOTE: You may need more RAM and disk space if you install client tools such as Outlook Mail Scan or any future plug-ins.

6.2 > Deployment Options for OfficeScan Client Software


OfficeScan provides several methods to deploy the OfficeScan client software to end-user computers and network servers. The list below provides a summary of the deployment methods available. You can use this list and the subsequent tables to help you decide which methods are most suitable for your network environment.
Internal Web Page

Instruct the users via email to go to the internal web page and download the client-software setup files. This option works with all supported operating systems.
OfficeScan Remote Installation

Using the OfficeScan management console, you can deploy the client software to clients using the built-in remote installation capability of the OfficeScan server. This option works with all supported operating systems except Windows Vista/7 Home Basic and Home Premium editions, and XP Home edition.
Login Script Setup

Automate the installation of the client software when users log on to the domain. This option works with all supported operating systems.
Client Packager

Deploy the client-software setup or update files by creating an MSI package that you can distribute via email or install using Active Directory or Microsoft SMS. This option works with all supported operating systems.
Client Disk Image

The Image Setup Utility assists in the creation of disk images (using third-party imaging software) of a client with the OfficeScan client installed, for later deploying clones of the image to other computers. This option works with supported 32-bit Windows XP and Server 2003 or earlier operating systems only, and does not work with Vista, 7, or Server 2008 editions.
Trend Micro Vulnerability Scanner (TMVS)

Install the client software using the Trend Micro Vulnerability Scanner tool. This option works with all supported operating systems except Windows Vista/7 Home Basic and Home Premium editions, and XP Home edition.
Security Compliance

Push the client software to unprotected clients found in the Security Compliance report. This option works with all supported operating systems except Windows Vista/7 Home Basic and Home Premium editions, and XP Home edition.
Microsoft SMS

Deploy the MSI package using Microsoft System Management Server (SMS). Packager MSI installers are compatible with and are well-suited for use with Active Directory GPOs. You must have Microsoft BackOffice SMS installed.


Supported installation methods and some of their features and benefits are summarized in the tables below.
Operating system columns:
(A) Windows XP Home SP3
(B) Vista/7 Home Basic & Premium
(C) XP Pro, Server 2003, Vista/7 Business, Enterprise, Ultimate & Server 2008 Standard, Ent., Datacenter

Method                 (A)            (B)    (C)
Web page install       Yes            Yes    Yes
Remote Install         No             No     Yes
Login script           Yes            Yes    Yes
Client packager        Yes            Yes    Yes
Client disk image      32-bit only    No     32-bit XP/Server 2003 only
TMVS                   No             No     Yes
Security Compliance    No             No     Yes
SMS                    Yes            Yes    Yes

Table 6.2: Available Client Installation Methods by Operating System

Methods compared: Web Page, Remote Install, Login Scripts, Client Packager, Client Disk Image, TMVS, Security Compliance, SMS *

Criteria compared for each method:
Suitable for WAN-based deployment
Leverages management tools
Requires end user intervention
Requires IT resource
Suitable for mass deployment
Bandwidth consumption (rated High; High, if all at once / Low, if scheduled; or High, large packages)
End user requires local admin rights

Table 6.2: Deployment Methods for OfficeScan Client Software
* Client packager MSI installers are compatible with Active Directory GPOs.

6.2.1 Deploy Client Software Via Browser-based Installation


When you install the OfficeScan Server, the setup wizard creates a webpage on the server that users can access to install the client. The browser-based installation option provides a preconfigured email message that you can send from the email program installed on the local machine from which you are using the management console. To open the Initiate Browser-based Installation page, click Networked Computers > Client Installation > Browser-based in the navigation column of the management console.

Figure 6.1: Initiate Browser-based Installation Page

Type the subject line you want to appear in your email message, and then click Create Email. A mail window from your default email application appears, as shown in the figure above. The subject line you specified and the link to the installation page are already in the message window. The default URL for the client-installation website is https://<servername>/officescan/console/html/ClientInstall. Edit the message if you choose, add recipients, and click Send.

NOTE: The email notification option obviously relies on users to complete the actual installation of the client software. These users must also have administrative rights on the local computer and be able to enable the browser to use ActiveX controls to complete the installation.

The URL for client installation is also provided on the log-on page of the OfficeScan management console. You can also, of course, go directly to the page by entering the URL from the end-users or any client that meets the minimum system requirements. As seen from the administrator's perspective, to install the OfficeScan client via web browser:

1. Click the link sent via email (as described above), or click the link on the log-on page of the management console, or navigate directly to the client-install page using a browser. For OfficeScan servers using SSL, the default URL for the client-install page is (default port number is 4343):

https://<servername_or_IPaddress:port>/officescan/console/html/ClientInstall

For OfficeScan servers that are not using SSL, use the http resource identifier instead of the https identifier and the correct port number (default 8080).

2. Select to install the WinNTChk ActiveX control by clicking anywhere in the yellow information bar that appears at the top of the content window of the browser and choosing Install ActiveX control.

3. Click Install Now to start installing the OfficeScan client.

2 224

2011 Trend Micro Inc. d

Administrato Track or

Chapter 6: C Client Software D Deployment

Figure 6.2: Browser-based Client Software Installation

Once installation is complete, the browser window will display a notice that the Client installation is complete, and if the client must be rebooted an additional notice will appear in a separate window. You can also verify the installation by checking to see that the OfficeScan client icon appears in the Windows system tray.

NOTE: If the browser-based client software installation is unsuccessful, the browser window will display a message to confirm this. This message also lists possible reasons for the unsuccessful installation, along with recommended solutions.

6.2.2 Deploy Client Software Using Remote Install


Remote Install is a deployment option in the OfficeScan management console. You can remotely install the OfficeScan client on Windows XP, Vista, 7, and Server 2003/2008, and you can install to multiple computers at the same time.

WARNING! You cannot install to a remote computer running Windows XP Home or Vista/7 Basic because these platforms do not include remote-registry functions.

To begin a remote installation, click Networked Computers > Client Installation > Remote in the navigation column of the OfficeScan management console.

Figure 6.3: Remote Client Installation Page


Use the network navigation tree on the Remote Installation page to select the computers to which you want to deploy client software. You may also use the search feature to find computers. Click Add to add computers to the list of selected computers. Once you have selected all your targets, click Install.
NOTE: Users do not need administrative rights on their local computers. The OfficeScan administrator specifies the local username and password.

NOTE: When installing to multiple computers, all unsuccessful installations are logged. You do not have to supervise individual installations once the process begins. If an installation fails, it does not affect other installations.

6.2.3 Deploy Client Software Using Login Script Setup


Use Login Script Setup to automate the installation of the OfficeScan client software on unprotected computers when they log on to an Active Directory domain. Login Script Setup adds a program called autopcc.exe to the server login script. Autopcc.exe performs the following functions:

Determines the operating system of the unprotected computer and installs the OfficeScan client software

Updates the scan engine, virus pattern file, Damage Cleanup Services components, cleanup file, and program files

An important benefit of this deployment method is that you can install the client regardless of the user privileges that are assigned to the user that is logging on. When creating the login script, you must provide an Administrator account and password. No special end-user privileges are required.
NOTE Obviously, to enforce the use of the login script installation method, client computers must be listed in the Windows Active Directory of the server that is performing the installation.

To add autopcc.exe to the login script using Login Script Setup:
1. On the OfficeScan server, click Start > [All] Programs > Trend Micro OfficeScan Server {Server Name} > Login Script Setup.
2. The Login Script Setup utility loads. It displays a tree showing all domains on your network.


Figure 6.4: Login Script Setup Utility

3. Browse for the Windows Server whose login script you want to modify, select it, and then click Select. The server must be a primary domain controller and you must have administrator access. Login Script Setup prompts you for a user name and password.
4. Type your user name and password. Click OK to continue. The User Selection page appears. The Users list shows the computers that log on to the server. The Selected users list shows the users whose computer login script you want to modify.

To modify the login script of a single or multiple users, select them from the Users list and then click Add.

To modify the login script of all users, click Add All.

To exclude a user whose computer you previously modified, select the name in the Selected users list and click Delete.

To reset your choices, click Delete All.

5. Click Apply when all the target users are in the Selected users list. A message appears informing you that you have modified the server login scripts successfully.
6. Click OK. The Login Script Setup utility will return to its initial screen.

To modify the login scripts of other servers, repeat steps 2 to 4.
To close Login Script Setup, click Exit.

NOTE: When an unprotected computer logs on to the servers whose login scripts you modified, autopcc.exe will automatically install the client to it.

Working with Existing Windows Server Scripts


If you already have an existing login script, Login Script Setup will append a command that executes autopcc.exe; otherwise, it creates a batch file called ofcscan.bat (which contains the command to run autopcc.exe). Login Script Setup appends the following at the end of the script:

\\{Server_name}\ofcscan\autopcc

NOTE: {Server_name} is the computer name or IP address of the OfficeScan server and ofcscan is the shared name of the PCCSRV folder where autopcc.exe is located.


The Windows 2003/2008 login script is on the Windows 2003/2008 server (through a net logon shared directory), under:

\\Windows2003or2008server\systemdrive\windir\sysvol\domain\scripts\ofcscan.bat
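As an added verification step (example PowerShell, not part of Login Script Setup or any Trend Micro tool), the script below checks what the procedure above leaves behind: it confirms that autopcc.exe is reachable on the ofcscan share and lists which .bat login scripts on the domain controller's NETLOGON share (the sysvol\domain\scripts directory named above) contain the appended autopcc command. The server names OFCSRV01 and DC01 are placeholders.

```powershell
# Added example (not Trend Micro's code): audit login scripts for the autopcc call that
# Login Script Setup appends, and confirm the ofcscan share is reachable.
# Placeholders: replace OFCSRV01 (OfficeScan server) and DC01 (domain controller).
$OfficeScanServer = 'OFCSRV01'
$DomainController = 'DC01'

# Login scripts live in the NETLOGON share, which maps to
# \systemdrive\windir\sysvol\domain\scripts on the domain controller.
$ScriptShare = "\\$DomainController\NETLOGON"
$AutopccCall = "\\$OfficeScanServer\ofcscan\autopcc"

# 1. The share that hosts autopcc.exe must be reachable from the clients' network;
#    if it is not, the appended command simply fails at logon and nothing is installed.
$autopccPath = "\\$OfficeScanServer\ofcscan\autopcc.exe"
if (Test-Path $autopccPath) {
    Write-Host "OK: $autopccPath is reachable"
} else {
    Write-Warning "autopcc.exe not found at $autopccPath (share missing or access denied)"
}

# 2. List every .bat login script and whether it invokes autopcc.
Get-ChildItem -Path $ScriptShare -Filter '*.bat' | ForEach-Object {
    $content = Get-Content -Path $_.FullName
    # Match the literal UNC path with a wildcard pattern; -like treats backslashes as
    # ordinary characters, so no regex escaping is needed. @() keeps .Count valid for 0 or 1 hits.
    $hasCall = @($content | Where-Object { $_ -like "*$AutopccCall*" }).Count -gt 0
    New-Object PSObject -Property @{
        Script       = $_.Name
        CallsAutopcc = $hasCall
    }
} | Sort-Object Script | Format-Table Script, CallsAutopcc -AutoSize
```

A script reported with CallsAutopcc False is one Login Script Setup has not modified yet (or one that was edited afterwards), so its users will keep logging on without the client being installed.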

6.2.4 Deploy Client Software Using the Client Packager Tool

Client Packager can compress setup and update files into a self-extracting file to simplify delivery via email, CD-ROM, or similar media.

Figure 6.5: Client Packager Utility

When users receive the package, they simply double-click the file to run the setup program. OfficeScan clients installed using Client Packager report to the server on which the package was created. This tool is especially useful when deploying installation or update files to clients in low-bandwidth remote offices.

WARNING! Client Packager installation packages require > 160 MB free disk space on the target client, and Windows Installer 2.0 is required for MSI packages. Also, the end user must have local Administrator privileges.

NOTE: You can use Microsoft Outlook and the Client Packager send mail option. However, installation packages may not be suitable for email in all environments. .EXEs are the following sizes (MSIs are slightly larger): XP/Vista/7/2003/2008 client, 49.8 MB; 64-bit clients, 58.4 MB.

Client Packager can create two types of self-extracting files:

Executable

This common file type has an .exe extension.

Microsoft Installer Package Format (MSI)

This file type conforms to Microsoft's Windows Installer package specifications. For more information on MSI, see the Microsoft website.


Tip Trend Micro recommends using Active Directory to deploy an MSI package with Computer Configuration instead of User Configuration. This helps ensure that the MSI package will be installed regardless of which user logs on to the machine.

To create a package with the Client Packager GUI: 1. Launch {OfficeScanPath}\PCCSRV\Admin\Utility\ClientPackager\ClnPack.exe to run the tool. The Client Packager console opens (shown above).
NOTE: You must run the program locally on the OfficeScan server.

2. Select the type of package you want to create:


Setup: Creates an installation package in .exe format
Update: Creates an update package for existing OfficeScan clients
MSI Package: Creates an installation package in MSI format

NOTE: The MSI package is intended for Active Directory deployment only. For local installation, create an .exe package.

3. For the Windows operating system type, select the Windows operating system, 32-bit or 64-bit, for which you want to create the package (when creating executable files only). 4. For Scan method, choose Conventional Scan or Smart Scan.
NOTE This determines the default scan method for the client package. However, the client will adopt the scan method of the OfficeScan server domain that it joins. For example, if the client uses smart scan, and the default OfficeScan server domain is using conventional scanning, the client will switch to conventional scanning.

5. Select from among the following installation options under Options:


Silent Mode: Creates a package that installs on the client machine in the background without presenting installation status to the local user

NOTE: If you install the OfficeScan client program using Client Packager and the update agent option is enabled, any OfficeScan server that registers with the client will not be able to synchronize or modify the following settings: the update agent privilege, client scheduled update, update from Trend Micro ActiveUpdate server, and updates from other update sources.
Trend Micro recommends installing only on client computers that are not registered with any OfficeScan server and configuring the update agent to get its updates from an update source other than an OfficeScan server. If you want to modify the update agent settings

Force overwrite with latest version Overwrites old versions with the latest version.

This checkbox is enabled only when you select Update as the package type.
Disable pre-scan (only for fresh install) Disables the file scanning that OfficeScan

performs before installation. 6. Select from among the following update agent options under Update Agent Options:


WARNING! If you select the update agent option here, you must then use the Scheduled Update Configuration Tool to enable and configure scheduled updates. You can find instructions for using this tool immediately following the instructions for the packager tool.

Provide component service: Enables the client to act as an update agent and provide updates to OfficeScan pattern files and other application components.

Provide setting service: Enables the client to act as an update agent and provide updates to OfficeScan settings.

Provide program service: Enables the client to act as an update agent and provide program updates for the OfficeScan client.

7. Select the utilities to include in the package:

Mail Scan: Scans Microsoft Outlook mailboxes for security risks
Check Point SecureClient Support: Support for Check Point SecureClient for Windows XP/Vista/7/Server 2003

8. Under Components, select the components to include in the installation package (only for creating an update package):

Antivirus
Firewall
Common components
Anti-Spyware/Grayware
Virus Cleanup

9. For source file, ensure that the location of the ofcscan.ini file is correct. To modify the path, click the browse button to browse for the ofcscan.ini file. By default, this file is located in the \PCCSRV folder of the OfficeScan server.
10. In Output file, click the browse button to specify the file name (for example, ClientSetup.exe) and the location to create the client package.
11. Click Create to build the client package. When Client Packager finishes creating the package, the message "Package created successfully." appears. To verify successful package creation, check the output directory you specified.

Figure 6.6: Notice of Successful Package Creation

12. Send the package to your users via email, or copy it to a CD or similar media and distribute among your users.

WARNING! You can send the package only to those clients that report to the server where the package was created. Do not send the package to clients that may report to another OfficeScan server.


For Update Agents: Using the Scheduled Update Configuration Tool

Use the Scheduled Update Configuration Tool to enable and configure scheduled updates on OfficeScan clients acting as update agents that you installed using Client Packager. This tool is available only on update agents that Client Packager installs.

Figure 6.7: Scheduled Update Configuration Tool Interface

To use the Scheduled Update Configuration Tool:
1. On the update agent that Client Packager installed, open Windows Explorer.
2. Go to the OfficeScan client folder.
3. Double-click SUCTool.exe to run the tool. The Schedule Update Configuration Tool console opens.
4. Select Enable Scheduled Update.
5. Specify the update frequency and time.
6. Click Apply.

Deploying an MSI Package Using Active Directory


You can take advantage of Active Directory features to deploy the MSI package simultaneously to multiple client computers. (For instructions on creating an MSI file, see 6.2.4 Deploy Client Software Using the Client Packager Tool on page 228 above.)

To deploy an MSI package using Active Directory:
1. Open the Active Directory console.
2. Right-click the Organizational Unit (OU) where you want to deploy the MSI package and click Properties.
3. In the Group Policy tab, click New.
4. Choose between Computer Configuration or User Configuration and open Software Settings below it.

NOTE: Trend Micro recommends using Computer Configuration instead of User Configuration to ensure that the MSI package will be installed regardless of which user logs on to the computer.

5. Below Software Settings, right-click Software installation, and then select New and Package.
6. Locate and select the MSI package.


7. Select a deployment method and then click OK.


Assigned: The MSI package is automatically deployed the next time users log on to the computer (if you select User Configuration) or when the computer restarts (if you select Computer Configuration). This method does not require any user intervention.

Published: The MSI package is made available in the Add/Remove Programs page, which users can access from Control Panel. To run the MSI package, inform users to go to the Add/Remove Programs page and select Add New Programs from the menu items. The MSI package will display and users simply click Add to start installing the client.

Deploying an MSI Package Using Microsoft SMS


You can deploy the MSI package using Microsoft System Management Server (SMS). However, you must have Microsoft BackOffice SMS installed on the server. (For instructions on creating an MSI file, see 6.2.4 Deploy Client Software Using the Client Packager Tool on page 228 above.)
NOTE These instructions apply to Microsoft SMS 2.0 and 2003.

Before it can deploy the package to target computers, the SMS server needs to obtain the MSI file from the OfficeScan server.
Local: The SMS server and the OfficeScan server are on the same computer.

Remote: The SMS server and the OfficeScan server are on different computers.

To obtain the package locally:
1. Open the SMS Administrator console.
1.1. On the Tree tab, click Packages.
1.2. On the Action menu, click New > Package From Definition. The welcome page of the Create Package From Definition Wizard appears.
1.3. Click Next. The Package Definition page appears.
1.4. Click Browse. The Open page appears.

2. Browse and select the MSI package file created by Client Packager, and then click Open. The MSI package name appears on the Package Definition page. The package shows Trend Micro OfficeScan Client and the program version.
2.1. Click Next. The Source Files page appears.
2.2. Click Always obtain files from a source directory, and then click Next. The Source Directory page appears, displaying the name of the package you are creating and the source directory.
2.3. Click Local drive on site server.
2.4. Click Browse and select the source directory where the MSI file is located.
2.5. Click Next. The wizard creates the package. When it completes the process, the name of the package appears on the SMS Administrator console.

To obtain the package remotely:


1. On the OfficeScan server, use Client Packager to create a setup package with an .exe extension (the .msi package is not supported). (For instructions on creating an .exe file, see 6.2.4 Deploy Client Software Using the Client Packager Tool on page 228 above.)
1.1. On the computer where you want to store the source, create a shared folder.
1.2. Open the SMS Administrator console.
1.3. On the Tree tab, click Packages.
1.4. On the Action menu, click New > Package From Definition. The welcome page of the Create Package From Definition Wizard appears.
1.5. Click Next. The Package Definition page appears.
1.6. Click Browse. The Open page appears.

2. Browse and select the .exe package file created by Client Packager, and then click Open. The .exe package name appears on the Package Definition page. The package shows Trend Micro OfficeScan Client and the program version.
2.1. Click Next. The Source Files page appears.
2.2. Click Always obtain files from a source directory, and then click Next. The Source Directory page appears, displaying the name of the package you are creating and the source directory.
2.3. Click Network path (UNC name).
2.4. Click Browse and select the source directory where the installation file is located (the shared folder you created).
2.5. Click Next. The wizard creates the package. When it completes the process, the name of the package appears on the SMS Administrator console.

To distribute the package to target computers:
1. On the Tree tab, click Advertisements.
2. On the Action menu, click All Tasks > Distribute Software. The Welcome page of the Distribute Software Wizard appears.
2.1. Click Next. The Package page appears.
2.2. Click Distribute an existing package; then click the name of your setup package.
2.3. Click Next. The Distribution Points page appears.

3. Select a distribution point to which you want to copy the package, and then click Next. The Advertise a Program page appears.
3.1. Click Yes to advertise the client setup package, and then click Next. The Advertisement Target page appears.
3.2. Click Browse to select the target computers. The Browse Collection page appears.
3.3. Click All Windows NT Systems.
3.4. Click OK. The Advertisement Target page appears again.
3.5. Click Next. The Advertisement Name page appears.
3.6. In the text boxes, type a name and comments for the advertisement, and then click Next. The Advertise to Subcollections page appears.


4. Choose whether to advertise the package to subcollections. You can choose to Advertise the program only to members of the specified collection or Advertise the program to members of subcollections as well.
4.1. Click Next. The Advertisement Schedule page appears.
4.2. Specify when to advertise the client setup package by typing or selecting the date and time in the list boxes.
4.3. If you want Microsoft SMS to stop advertising the package on a specific date, click Yes. This advertisement should expire, and then specify the date and time in the Expiration date and time list boxes.
4.4. Click Next. The Assign Program page appears.
4.5. Click Yes, assign the program, and then click Next.

Microsoft SMS creates the advertisement and displays it on the SMS Administrator console. When Microsoft SMS distributes the advertised program (that is, the OfficeScan client program) to target computers, a page will display on each target computer. Instruct users to click Yes and follow the instructions provided by the wizard to install the OfficeScan client to their computers.

Known Issues when Installing with Microsoft SMS

Unknown appears in the Run Time column of the SMS console.

If the installation is unsuccessful, the installation status may still show that the installation is complete on the SMS program monitor.

6.2.5 Deploy Using the Image Setup Tool


Disk imaging technology allows you to create an image of a client machine's hard-disk drive to replicate the machine's exact configuration to other computers. Trend Micro provides the Image Setup tool to assist when deploying clients using disk imaging. Deploying clients through disk imaging requires third-party disk-imaging software that is not included with OfficeScan. The purpose of the Image Setup tool (imgsetup.exe) is to create new globally unique identifiers (GUIDs) for cloned computers so that the OfficeScan server can identify each computer individually.

NOTE: The Image Setup Tool does not currently support x64 platforms.

Users do not need local administrative rights for you to use this deployment method.

To deploy using disk imaging, follow these steps:
1. Install the operating system, all desired applications, and the OfficeScan client software to create the source of the disk image.
2. Copy imgsetup.exe to the computer from the OfficeScan server's {installation path}\PCCSRV\Admin\Utility\ImgSetup folder.
3. Run imgsetup.exe. A RUN registry key will be created under HKEY_LOCAL_MACHINE.
4. Use your disk-imaging application to create a disk image of the OfficeScan client.
5. Deploy the image created by the disk-imaging application.


6. When the newly imaged computer is started for the first time, Imgsetup.exe will automatically start and create one new GUID value. The client will report this new GUID to the server and the server will create a new record for the new client.

The Image Setup tool creates a new GUID, but it does not change the name of the computer in the OfficeScan database. To avoid having two computers with the same name, you must manually change the computer name or domain name of the cloned OfficeScan client.

NOTE: The Image Setup tool creates a new GUID for OfficeScan; however, you will still need to use a third-party tool to create a new security identifier (SID) and GUID for your Microsoft Windows network. Also, to avoid having two computers with the same name in the OfficeScan database, you must at least change the computer name or domain name of the clone.

6.2.6 Deploy Using the Vulnerability Scanner Tool


Trend Micro Vulnerability Scanner connects to ports that are normally used by antivirus solutions and uses the information it obtains to determine whether a computer is protected with antivirus software. The Vulnerability Scanner can also deploy OfficeScan client software to computers that do not have a recognizable antivirus program installed.

Figure 6.8: Trend Micro Vulnerability Scanner Console

This tool is not particularly suitable for mass deployment, but it will help ensure that unprotected computers do not access the network. (This tool replaces the NT Client Installer [cnic.exe] tool found in versions of OfficeScan before OfficeScan 6.5.) For more information about other features of the Vulnerability Scanner tool, see Chapter 10: OfficeScan Tools on page 307.

NOTE: You can use Vulnerability Scanner on computers running Windows 2000 or Server 2003/2008; however, the computers cannot be running Terminal Server. You cannot install OfficeScan clients with Vulnerability Scanner to a computer with the OfficeScan server installed.

To launch the Vulnerability Scanner from the OfficeScan server, open Windows Explorer and go to the {installationdirectory}\PCCSRV\Admin\Utility\TMVS folder. Double-click TMVS.exe.


Once the Vulnerability Scanner is laun V S nched, click Se ettings. The V Vulnerability Scanners installation options are in the final box of the Settin page unde OfficeScan server Settin for n n x ngs er n ng (Install and Log Report): Specify an OfficeScan serv (e.g. MySe d O ver erver).

Figure 6.9: Installation Settings on the Vulnerability Scanner Setti e ings Page

When the Vulnerability Scanner determines that a c V S computer is no protected b suitable ant ot by tivirus software, you can config it to deplo the OfficeS y gure oy Scan client sof ftware.
NOTE order to remotely install the client soft In tware, the use who is logge on must hav er ed ve
administr rator rights. To bypass this problem, you c provide an Install accoun that the o p can nt Vulnerabi ility Scanner will use to insta the client. w all

If you wan to automatic nt cally install Of fficeScan clien select the nt, Auto-install O OfficeScan Cli ient for unprote ected computer checkbox. Type a user n . name and a pa assword for a user account on the target computer that has the privil c t leges required to install the OfficeScan cl d lient. Click OK K. If you wan to send a log to the Office nt g eScan server r reporting the s status and out tcome of the remote inst procedure select the R tall e, Report log to O OfficeScan se erver checkbo ox.

6.2.7 Deploy Through Security Compliance

The Outside Server Management Security Compliance feature uses Active Directory query results to identify unprotected computers, and you can install the client software by pushing it out to clients from that page. However, the OfficeScan client cannot be installed using this method in some situations:
• The OfficeScan server is installed on the computer.
• The computer runs Windows XP Home, Windows Vista/7 Home Basic, or Windows Vista Home Premium. If you have computers running these platforms, choose another client deployment method.

Figure 6.10: Client Installation Through Security Compliance


Administrator Track

Chapter 6: Client Software Deployment

If the target computer runs Windows Vista/7 Business, Enterprise, or Ultimate Edition, you must perform the following steps on the computer before you can install the client through Security Compliance:
1. Enable a built-in administrator account and set the password for the account.
2. Disable the Windows firewall.
   2.1. Click Start > Programs > Administrative Tools > Windows Firewall with Advanced Security.
   2.2. For Domain Profile, Private Profile, and Public Profile, set the firewall state to off.
3. Open Microsoft Management Console (click Start > Run and enter services.msc) and start the Remote Registry service.

When installing the OfficeScan client, use the built-in administrator account and password. If Trend Micro or third-party endpoint security programs are installed on the computer, check if OfficeScan can automatically uninstall the software and replace it with the OfficeScan client. For a list of endpoint security software that OfficeScan automatically uninstalls, open the following files in {installationdirectory}\PCCSRV\Admin. You can open these files using a text editor such as Notepad.
• tmuninst.ptn
• tmuninst_as.ptn

If the software on the target computer is not included in the list, manually uninstall it first. Depending on the uninstallation process of the software, the computer may or may not need to restart after uninstallation. Finally, before starting the installation process, record the logon credentials for each computer you plan to deploy the client to. OfficeScan will prompt you to specify the logon credentials during installation.

Important: You cannot use this method to update the OfficeScan client. If an earlier OfficeScan client version is already installed on a computer and you click Install, the installation will be skipped and the client will not be updated to this version.

To install the OfficeScan client from the Security Compliance page:
1. Click Install on top of the Client Tree.
2. Specify the administrator logon account for each computer and click Log on. OfficeScan starts installing the client on the target computer.

6.2.8 Windows Server Core 2008 Support


Windows Server Core 2008 is a "minimal" installation of Windows Server 2008. In a Server Core:
• Many of the Windows Server 2008 options and features are removed.
• The server runs a much thinner core operating system.
• Tasks are performed mostly from the command line interface.
• The operating system runs fewer services and requires fewer resources during startup.

The OfficeScan client supports Server Core. This section contains information on the extent of support for Server Core. The OfficeScan server does not support Server Core.

Installation Methods for Windows Server Core


The following installation methods are not supported or are only partially supported:
• Web install page: This method is not supported because Server Core does not have Internet Explorer.
• Trend Micro Vulnerability Scanner: The Vulnerability Scanner tool cannot be run locally on the Server Core. Run the tool from the OfficeScan server or another computer.

Client Features on Windows Server Core


Most OfficeScan client features available on Windows Server 2008 work on Server Core. The only feature that is not supported is roaming mode. The OfficeScan client console is only accessible from the command line interface.

Windows Server Core Commands


Launch the OfficeScan client console and other client tasks by issuing commands from the command line interface. To run the commands, navigate to the location of PccNTMon.exe. This process is responsible for starting the OfficeScan client console. This process is found under the <Client installation folder>.

COMMAND        ACTION
pccntmon       Opens the client console
pccntmon -r    Opens Real-time Monitor
pccntmon -v    Opens a screen with a list of client components and their versions
pccntmon -u    Opens a screen where manual update (Update Now) is launched
pccntmon -n    Opens a popup window where a password is specified to unload the client. If a password is not required to unload the client, client unloading starts.
pccntmon -m    Opens a popup window where a password is specified to uninstall the client. If a password is not required to uninstall the client, client uninstallation starts.
pccntmon -c    Shows the following information in the command line:
               Scan method: Smart scan or Conventional scan
               Pattern status: Updated or Outdated
               Real-time Scan service: Functional or Not Functional
               Client connection status: Online or Offline
               Web Reputation Services: Available or Unavailable
               File Reputation Services: Available or Unavailable
pccntmon -h    Shows all the available commands

6.3 > Verifying the OfficeScan Client Installation


To verify client installation, you can:
• Check files, services, processes, and registries
• Check the installation log
• Verify the client status icon appears in the system tray

NOTE: If you need instructions on how to check the files, services, processes or registry keys, see Chapter 4: OfficeScan Server Installation on page 63.

6.3.1 Check Files, Services, Processes, and Registry Keys


Check that the following files, services, processes, and registry entries for the OfficeScan client and the Cisco Trust Agent (CTA), if applicable, are located on or running on the computer:

OfficeScan Client Files

C:\Program Files\Trend Micro\OfficeScan Client (default)

OfficeScan Client Services

• OfficeScan NT Listener (TmListen.exe)
• OfficeScan NT RealTime Scan (NTRtScan.exe)
• OfficeScan NT Proxy Service (TmProxy.exe)
• OfficeScan NT Firewall (TmPfw.exe) (if enabled)
• Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe) (only for computers running an x86 type processor)

OfficeScan Client Processes

• TmListen.exe
• NTRtScan.exe
• TmProxy.exe
• TmPfw.exe
• TMBMSRV.exe
• PccNTMon.exe

OfficeScan Client Registry Keys

• HKLM\Software\TrendMicro\CFW
• HKLM\Software\TrendMicro\NSC
• HKLM\Software\TrendMicro\AEGIS
• HKLM\Software\TrendMicro\PCcillin
• HKLM\Software\TrendMicro\PCcillinNTCorp

6.3.2 Check the Installation Log


The client installation log is written to %WINDIR%\OFCNT.LOG, except for installations from an MSI package, which write the installation log to the user's %temp% directory. It records:
• Process status
• Stage completion
• Registration
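The checks in 6.3.1 and 6.3.2 can be scripted so that the same verification runs the same way on every client. The PowerShell function below is an added example, not part of the textbook and not a Trend Micro tool: it uses the default folder, service display names, process names, registry keys and log locations listed above, treats the firewall and Unauthorized Change Prevention services as optional for the reasons the lists give, and assumes the client is in the default folder (pass -ClientDir otherwise). Run it in an elevated PowerShell session on the client computer.

```powershell
# Added example (not from the textbook): verifies the OfficeScan client
# artifacts listed in sections 6.3.1 and 6.3.2 and returns a result object.

function Test-OfficeScanClient {
    param(
        # Default client installation folder given in 6.3.1
        [string]$ClientDir = 'C:\Program Files\Trend Micro\OfficeScan Client'
    )

    # Services that must always be present and running (display names from 6.3.1)
    $requiredServices = @(
        'OfficeScan NT Listener',
        'OfficeScan NT RealTime Scan',
        'OfficeScan NT Proxy Service'
    )
    # Services that are legitimately absent in some configurations: the firewall
    # service only when the firewall is enabled, and the Unauthorized Change
    # Prevention service only on x86 processors
    $optionalServices = @(
        'OfficeScan NT Firewall',
        'Trend Micro Unauthorized Change Prevention Service'
    )
    # Process names (without .exe) backing the required services, plus PccNTMon,
    # which starts the client console
    $requiredProcesses = @('TmListen', 'NTRtScan', 'TmProxy', 'PccNTMon')
    $registryKeys = @(
        'HKLM:\SOFTWARE\TrendMicro\CFW',
        'HKLM:\SOFTWARE\TrendMicro\NSC',
        'HKLM:\SOFTWARE\TrendMicro\AEGIS',
        'HKLM:\SOFTWARE\TrendMicro\PCcillin',
        'HKLM:\SOFTWARE\TrendMicro\PCcillinNTCorp'
    )

    $problems = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $ClientDir)) {
        $problems.Add("Client folder not found: $ClientDir")
    }

    foreach ($name in $requiredServices) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $problems.Add("Service not installed: $name")
        } elseif ($svc.Status -ne 'Running') {
            $problems.Add("Service not running: $name (state: $($svc.Status))")
        }
    }
    foreach ($name in $optionalServices) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) { $warnings.Add("Optional service absent: $name") }
        elseif ($svc.Status -ne 'Running') { $warnings.Add("Optional service not running: $name") }
    }

    foreach ($name in $requiredProcesses) {
        if (-not (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            $problems.Add("Process not running: $name.exe")
        }
    }

    foreach ($key in $registryKeys) {
        if (-not (Test-Path -LiteralPath $key)) { $problems.Add("Registry key missing: $key") }
    }

    # Installation log (6.3.2): %WINDIR%\OFCNT.LOG, or the user's %TEMP% for MSI installs
    $logCandidates = @(
        (Join-Path $env:WINDIR 'OFCNT.LOG'),
        (Join-Path $env:TEMP 'OFCNT.LOG')
    )
    $log = $logCandidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $log) { $warnings.Add('OFCNT.LOG not found in %WINDIR% or %TEMP%') }

    [pscustomobject]@{
        Installed = ($problems.Count -eq 0)
        Problems  = $problems
        Warnings  = $warnings
        LogFile   = $log
    }
}

# Usage (elevated PowerShell on the client computer)
Test-OfficeScanClient | Format-List
```

Installed is true only when every required artifact is present; the Warnings list separates the legitimately optional items so a disabled firewall or an x64 host does not read as a failed installation.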

6.3.3 Verify the Client Status Icon Appears in the System Tray
If the client software has been properly installed, a status icon appears in your system tray.
NOTE: See 3.4.13 Normal and Roaming Client Operation Modes on page 55 for depictions of client-status icons for normal and roaming modes.

6.3.4 Verify the Client Installation Using Vulnerability Scanner


You can also automate Vulnerability Scanner by creating scheduled tasks. For information on how to automate Vulnerability Scanner, see the OfficeScan online help.
NOTE: You can use Vulnerability Scanner on Windows 2000, Server 2003 and Vista, but not if Terminal Server is running.

To verify client installation using Vulnerability Scanner:
1. On the OfficeScan server computer, launch %ProgramFiles%\OfficeScan\PCCSRV\Admin\Utility\TMVS\TMVS.exe. The Trend Micro Vulnerability Scanner console appears.
2. Click Settings.
3. Under Product query, select the OfficeScan Corporate Edition/Security Server checkbox and specify the port that the server uses to communicate with clients.
4. Select whether to use Normal or Quick retrieval. Normal retrieval is more accurate, but it takes longer to complete. If you select Normal retrieval, you can set Vulnerability Scanner to try to retrieve computer descriptions, if available, by selecting Retrieve computer descriptions when available.
5. To automatically send the results to yourself or to other administrators in your organization, select Email results to the system administrator. Then, click Configure to specify your email settings.
   • In To, type the email address of the recipient.
   • In From, type your email address. If you are sending it to other administrators in your organization, this will let the recipients know who sent the message.
   • In SMTP server, type the address of your SMTP server. For example, type smtp.company.com. The SMTP server information is required.
6. In Subject, type a new subject for the message or accept the default subject.
7. Click OK to save your settings.
8. To display an alert on unprotected computers, click Display notification on unprotected computers. Then, click Customize to set the alert message. The Alert Message page appears. Type a new alert message in the text box or accept the default message, and then click OK.
9. To save the results as a comma-separated value (CSV) data file, select Automatically save the results to a CSV file. By default, Vulnerability Scanner saves CSV data files to the TMVS folder. If you want to change the default CSV folder, click Browse, select a target folder on your computer or on the network, and then click OK.
10. Under Ping settings, specify how Vulnerability Scanner will send packets to the computers and wait for replies. Accept the default settings or type new values in the Packet size and Timeout fields.
11. Click OK. The Vulnerability Scanner console appears.
12. To run a manual vulnerability scan on a range of IP addresses, do the following:
   12.1. In Manual Scan, type the IP address range of computers that you want to check for installed antivirus solutions.
   12.2. Click Start to begin checking the computers on your network.
13. To run a manual vulnerability scan on computers requesting IP addresses from a DHCP server:
   13.1. Click the DHCP Scan tab in the Results box. The Start button appears.
   13.2. Click Start. Vulnerability Scanner begins listening for DHCP requests and performing vulnerability checks on computers as they log on to the network.

Vulnerability Scanner checks your network and displays the results in the Results table. Verify that all desktop and notebook computers have the client installed. If Vulnerability Scanner finds any unprotected desktop and notebook computers, install the client on them using your preferred client installation method.

6.4 > Post-Installation Considerations for Servers and x64 Desktop Platforms
Beginning with OfficeScan 10 Service Pack 1, OfficeScan automatically disables some features on server platforms to avoid performance issues. The table below summarizes the features that are disabled and the platforms affected.
Operating System                  Disabled Features on x86 Platforms   Disabled Features on x64 Platforms
Windows Server 2003,              Device Control                       Device Control
Windows Server 2008               Behavior Monitoring                  Behavior Monitoring
                                  Client Self-protection for:          Client Self-protection for:
                                    o Registry keys                      o Registry keys
                                    o Processes                          o Processes
                                  OfficeScan Firewall                  OfficeScan Firewall
Windows Desktop/Workstation OSs   N/A                                  Device Control
                                                                       Behavior Monitoring
                                                                       Client Self-protection for:
                                                                         o Registry keys
                                                                         o Processes

Table 6.3: Summary of Disabled Features on OfficeScan Server and x64 Workstation Clients


NOTE Context-specific notices within the user interface of the management console call attention to the default configuration for servers when the default is different than for normal clients. Each notice also provides a link to online information for enabling these services, similar to the instructions provided below.

Important: Before enabling these features on server platforms, carefully consider the potential impact on critical applications. If you encounter performance issues after enabling these features, contact Technical Support to obtain and run the Trend Micro Performance Tool (TMPerfTool).

To enable these disabled features:

1. Identify any critical applications that should not be at risk of interruption or stoppage due to behavior monitoring and add them to the list of approved programs. See Configuring Exception Lists for Behavior Monitoring on page 162 for more information.

2. Add the following data in the registry key HKLM\SOFTWARE\TrendMicro\PCcillinNTCorp\CurrentVersion\Misc.\

   Type:  DWORD value (REG_DWORD)
   Name:  DoNotDisableFuncOnServerPlatform
   Value: Specify one of the following:
     0  Disables OfficeScan Firewall, Behavior Monitoring, Device Control, and Client Self-protection on server platforms (This is the default setting.)
     1  Enables OfficeScan Firewall; disables Behavior Monitoring, Device Control, and Client Self-protection on server platforms
     2  Enables Behavior Monitoring, Device Control, and Client Self-protection; disables OfficeScan Firewall on server platforms
     3  Enables OfficeScan Firewall, Behavior Monitoring, Device Control, and Client Self-protection on server platforms

3. Restart the client.
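Step 2 is a single REG_DWORD write, but on a server it is worth wrapping it so the value is range-checked, the previous setting is recorded, and the change can be previewed before it is made. The function below is an added example, not textbook or Trend Micro code: the key path, value name, type and the meaning of values 0 to 3 are those given in this section; the workstation warning and the -WhatIf support are this example's own design. It assumes the client is installed (the key must already exist) and that step 1, the Behavior Monitoring exception list, has been done first.

```powershell
# Added example (not from the textbook): sets DoNotDisableFuncOnServerPlatform
# as described in section 6.4 and reports what the chosen value means.

function Set-OfficeScanServerFeatures {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 0..3 exactly as in the value table in 6.4
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 3)]
        [int]$Value
    )

    # Key and value name from section 6.4 (note the trailing dot in "Misc.")
    $keyPath   = 'HKLM:\SOFTWARE\TrendMicro\PCcillinNTCorp\CurrentVersion\Misc.'
    $valueName = 'DoNotDisableFuncOnServerPlatform'

    # Meaning of each value, from the table in 6.4
    $meaning = @{
        0 = 'Firewall, Behavior Monitoring, Device Control and Client Self-protection disabled (default)'
        1 = 'Firewall enabled; Behavior Monitoring, Device Control and Client Self-protection disabled'
        2 = 'Behavior Monitoring, Device Control and Client Self-protection enabled; Firewall disabled'
        3 = 'Firewall, Behavior Monitoring, Device Control and Client Self-protection enabled'
    }

    # The value only matters on server platforms (Table 6.3); warn on a workstation
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        Write-Warning "$($os.Caption) is a workstation OS; this value only affects server platforms."
    }

    if (-not (Test-Path -LiteralPath $keyPath)) {
        throw "OfficeScan client registry key not found: $keyPath (is the client installed?)"
    }

    # An absent value behaves like 0, the default
    $previous = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $previous) { $previous = 0 }

    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "set REG_DWORD to $Value")) {
        # REG_DWORD as the textbook specifies; Set-ItemProperty creates the value if missing
        Set-ItemProperty -LiteralPath $keyPath -Name $valueName -Value $Value -Type DWord
        Write-Warning 'Restart the OfficeScan client (step 3 in 6.4) for the change to take effect.'
    }

    [pscustomobject]@{
        Previous = $previous
        Current  = $Value
        Meaning  = $meaning[$Value]
    }
}

# Usage: preview with -WhatIf first. Value 2 turns on Behavior Monitoring, Device
# Control and Client Self-protection while leaving the OfficeScan Firewall disabled.
Set-OfficeScanServerFeatures -Value 2 -WhatIf
# Set-OfficeScanServerFeatures -Value 2    # uncomment to apply
```

Because ValidateRange rejects anything outside 0 to 3, a typo cannot write an undocumented value, and the returned object gives you the before and after for the change record.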

Lab Exercise 8: Deploy OfficeScan Clients


6.5 > Chapter Summary and Review Questions


Summary
OfficeScan server provides several ways to deploy client software to all your clients, including via internal web page, Windows remote install, login script setup, Client Packager, client disk image, and the Trend Micro Vulnerability Scanner (TMVS).

Review Questions
1. Which deployment method allows you to install the Mail Scan and Check Point SecureClient Support with the client software?
   a) Notify install option
   b) Vulnerability Scanner tool
   c) Login script setup utility
   d) Client Packager tool
2. Which deployment method requires using third-party tools?
   a) Image setup utility
   b) Remote install option
   c) Login script setup utility
   d) Vulnerability Scanner tool
3. Which two deployment methods are accessible from the OfficeScan management console?
   a) Image setup utility and notify install option
   b) Notify install option and remote install option
   c) Vulnerability Scanner tool and Client Packager tool
   d) Login script setup utility and image setup utility
4. Which deployment methods enforce automatic installation of client software?
   a) Login script setup utility and Vulnerability Scanner tool
   b) Client Packager tool and login script setup utility
   c) Remote install option and image setup utility
   d) Notify install option and Client Packager tool

Chapter 7: Updates


Chapter Objectives

After completing this chapter, you should be able to:
• Identify which OfficeScan components are updated regularly
• Describe the update architecture of OfficeScan
• Describe the methods by which OfficeScan clients can be updated
• Manage the update process


7.1 > OfficeScan Update Architecture


Virus writers, hackers, and spyware writers are continually looking for new ways to circumvent your network security. For example, hundreds, and by some estimates thousands, of new viruses are written and released each year.

7.1.1 Updatable Components


To ensure that the OfficeScan clients can detect new threats, Trend Micro regularly updates these components:
Feature                              Component                              File Name
Smart Scan                           Smart Scan virus pattern (server)      not updated on client
(for smart scans only)               Smart Scan agent pattern               icrc$oth.<3-digit version extension>
Antivirus and AntiSpyware            Virus pattern file                     Lpt$vpn.<3-digit version extension>
(for conventional scans only)        Spyware pattern file                   ssapiptn.da5
                                     Spyware active-monitoring pattern      Ssaptn.<3-digit version number>
Scan Engine                          Virus scan engine                      vsapint.sys
                                     Spyware scan engine                    ssapi32.dll
                                     Root-kit scan engine                   tmcomm.sys
Damage Cleanup                       Virus cleanup template                 tsc.ptn
                                     Virus cleanup engine                   tsc.exe
Firewall                             Common firewall pattern                tmf<version>.ptn
                                     Common firewall driver                 tm_cfw.sys
Web Reputation                       URL filtering engine                   tmufeng.dll
Behavior Monitoring (BM) and         BM detection pattern                   TMTD.ptn
Device Control                       Firewall trusted application pattern   Tml<version>.ptn
                                     Behavior Monitoring driver             tmcomm.sys, tmevtmgr.sys, tmactmon.sys
IntelliTrap                          IntelliTrap pattern file               tmblack.<3-digit extension>
                                     IntelliTrap exception file             tmwhite.<3-digit extension>

Table 7.1: Updatable Components

NOTE: Compressed component files are stored at {install path}\PCCSRV\Download on the OfficeScan server and at {install path}\ActiveUpdate on OfficeScan clients that are update agents.

Smart Scan Components


The patterns used to identify viruses and malware will vary depending on the scan method you choose. When in Smart Scan mode, OfficeScan will use the lightweight Smart Scan patterns instead of the conventional anti-malware and anti-spyware patterns.


A Smart Scan server hosts the Smart Scan virus pattern, which is updated hourly (or optionally, every 15 minutes) and contains the majority of virus pattern definitions. Smart Scan clients do not download this pattern. Clients verify potential threats against the pattern by sending scan queries to the server. The OfficeScan server hosts the Smart Scan agent pattern, which is updated daily and contains the pattern definitions not found in the Smart Scan virus pattern. Clients download this pattern from the OfficeScan server using the same method used for downloading other OfficeScan components. The OfficeScan client, using the Smart Scan agent pattern and advanced filtering technology, can verify whether a file is infected without sending scan queries to the Smart Scan server. The Smart Scan client first scans the local computer using only its local resources. If the client cannot determine the risk of the file during the scan, the client verifies the risk by sending a scan query to a Smart Scan Server. This saves bandwidth. When queries are made, the client caches the query result and will not need to send the same scan query to the Smart Scan Server for subsequent detections of the same type. If a client cannot verify a file's risk using its local resources and is unable after several attempts to connect to a Smart Scan Server, the client will:
• Flag the file for verification.
• Allow temporary access to the file.

When a subsequent connection to a Smart Scan Server is made, flagged files are re-scanned. The appropriate scan action is then performed on those that are confirmed to be infected.

Conventional Scan Antivirus and Anti-Malware Components


When you select the conventional scan method, OfficeScan will use the antivirus and anti-spyware patterns to determine the presence of malware or grayware in scanned files.

VIRUS PATTERN FILE
As new viruses are discovered, Trend Micro collects their binary patterns and incorporates this information into a virus pattern file. OfficeScan clients compare the binary patterns with the typical code patterns of computer viruses. Because new viruses are continually being developed and released, it is critical that all servers and workstations use the most recent version of the virus pattern file.

To help reduce the bandwidth used when updating the virus pattern file, OfficeScan performs incremental updates. Rather than downloading the entire virus pattern file every time it is updated, OfficeScan downloads only the new virus patterns that were added to the virus pattern file. The new patterns are then merged with the older virus pattern file. Incremental updates greatly reduce both download time and deployment time, thus decreasing network utilization.
NOTE: All recently released Trend Micro products use a new multi-digit format for displaying the numbers of pattern files.

SPYWARE PATTERN FILE
OfficeScan clients use spyware/grayware pattern files to identify spyware, adware, hacker tools, and other threats. Trend Micro updates the spyware/grayware scan pattern regularly. Like virus pattern files, spyware/grayware scan patterns are updated incrementally.


Scan Engine
At the heart of all Trend Micro products lies the scan engine. Originally developed in response to early file-based computer viruses, today's scan engines are highly sophisticated and capable of detecting Internet worms, mass-mailers, Trojan horse threats, spyware, and network exploits as well as viruses. The scan engine detects "in the wild" (actively circulating) threats and "in the zoo" threats, which are controlled viruses not in circulation but developed and used for research. Rather than scanning every byte of every file, the engine and pattern file work together to identify not only the tell-tale characteristics of the virus code, but the precise location within a file where the virus would hide. OfficeScan removes virus/malware upon detection and restores the integrity of the file. International computer security organizations, including ICSA (International Computer Security Association), certify the Trend Micro scan engine annually. By storing the most time-sensitive virus/malware information in the virus patterns, Trend Micro is able to minimize the number of scan engine updates while at the same time keeping protection up-to-date. Nevertheless, Trend Micro periodically makes new scan engine versions available. Trend Micro releases new engines under the following circumstances:
• New types of viruses are discovered that the scan engine cannot handle.
• Trend Micro engineers enhance the performance and detection rates of the scan engine.
• The updated scan engine supports virus detection of additional file formats, scripting languages, encoding, and/or compression formats.

Damage Cleanup Components


The virus cleanup engine scans computers for Trojans and Trojan processes. It relies on the virus cleanup template to identify Trojan files and processes so the engine can eliminate them. It also uses the spyware/grayware cleanup patterns to eliminate grayware files and processes. The virus cleanup templates and spyware/grayware cleanup patterns are updated incrementally. The engine supports 32-bit and 64-bit platforms.

Common Firewall Components


The OfficeScan firewall, which is included with the OfficeScan client, uses the common firewall driver to protect client computers from network viruses. Using the common firewall pattern, the common firewall driver scans incoming and outgoing traffic for Internet worms (which are also called network viruses). The driver also enforces the configured firewall policies and Intrusion Detection System (IDS) rules. The driver supports 32-bit and 64-bit platforms.

Web Reputation URL Filtering Engine


The URL Filtering Engine facilitates communication between OfficeScan and the Trend Micro URL Filtering Service. The URL Filtering Service rates URLs and provides the OfficeScan client with rating information for URLs accessed from its host, thereby allowing the client to block access to malicious URLs.


Device Control & Behavior Monitoring Components


The Behavior Monitoring Driver is a kernel mode driver that monitors system events and passes them to the Behavior Monitoring Core Service for policy enforcement. The Behavior Monitoring Core Service provides rootkit detection, regulates access to external devices, and protects files, registry keys, and services. The Behavior Monitoring Driver uses the Behavior Monitoring Configuration Pattern to identify normal system events and exclude them from policy enforcement. The Digital Signature Pattern contains a list of valid digital signatures that are used by the Behavior Monitoring Core Service to determine whether a program responsible for a system event is safe. The Behavior Monitoring Core Service checks system events against the policies in the Policy Enforcement Pattern.

7.1.2 Component Duplication for OfficeScan Updates


Component duplication refers to the process of creating a series of overlapping updates so that update agents can provide incremental updates to clients that may have missed one or more prior updates. When a new full version of a pattern file is available from the Trend Micro ActiveUpdate server, 14 versions of incremental patterns are also made available. Each incremental pattern-file update represents only the changes between the latest pattern file and a previous pattern file. For example, if the latest pattern-file version is 175, incremental pattern v_173.175 indicates that it contains signatures in version 175 that are not found in version 173. Likewise, incremental pattern v_171.175 contains those signatures in version 175 that are not found in version 171.
NOTE: Pattern-file version numbers are always odd numbers; each new version number is incremented by two from the previous number.

To reduce network traffic generated when downloading the latest pattern, OfficeScan servers and update agents can download incremental patterns to avoid downloading information that they already have in their local copy of the full pattern. After downloading incremental patterns, OfficeScan servers update their own latest version of the pattern file by merging it with the appropriate incremental update. Likewise, before a client downloads a pattern, it will compare its current pattern version with the available patterns on the update server/agent and download a smaller, incremental pattern. OfficeScan clients download incremental patterns as long as they are less than 14 versions behind. Otherwise, they download the full pattern file. Component duplication applies to these components:
• Virus pattern
• Smart Scan agent pattern
• Spyware pattern
• Spyware active-monitoring pattern
• Virus cleanup template
• IntelliTrap exception pattern
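The version arithmetic in 7.1.2 is easy to get wrong when sizing update agents, so it helps to see it modelled. The PowerShell below is an added example, not textbook or Trend Micro code and not the real pattern file format: it represents a pattern file as a set of signature names (constructed sample data), uses the v_<old>.<new> naming given in the text, and assumes that the 14 incrementals published with version N are v_(N-2).N through v_(N-28).N, which is this example's reading of "14 versions of incremental patterns" and of the "less than 14 versions behind" rule (a client fetches the incremental when one exists for its version, otherwise the full file).

```powershell
# Added example (not from the textbook): models the component-duplication
# rules of section 7.1.2 with constructed sample patterns.

# Constructed sample: full pattern contents for three consecutive (odd) versions
$FullPatterns = @{
    171 = @('sig-0001', 'sig-0002', 'sig-0003')
    173 = @('sig-0001', 'sig-0002', 'sig-0003', 'sig-0004')
    175 = @('sig-0001', 'sig-0002', 'sig-0003', 'sig-0004', 'sig-0005', 'sig-0006')
}

function Assert-PatternVersion {
    param([int]$Version)
    # Version numbers are odd and step by two (NOTE in 7.1.2)
    if ($Version -lt 1 -or $Version % 2 -eq 0) { throw "Invalid pattern version: $Version" }
}

function Get-IncrementalNames {
    # Names of the incremental files published alongside full version $Latest
    # (assumption: the 14 previous versions, v_(N-2).N ... v_(N-28).N)
    param([Parameter(Mandatory = $true)][int]$Latest, [int]$Count = 14)
    Assert-PatternVersion $Latest
    foreach ($i in 1..$Count) {
        $old = $Latest - 2 * $i
        if ($old -ge 1) { 'v_{0}.{1}' -f $old, $Latest }
    }
}

function New-IncrementalPattern {
    # Signatures present in $New but not in $Old: the content of v_<old>.<new>
    param([string[]]$Old, [string[]]$New)
    @($New | Where-Object { $Old -notcontains $_ })
}

function Merge-Pattern {
    # Apply an incremental to an older full pattern, as the server/agent does
    param([string[]]$Old, [string[]]$Incremental)
    @($Old + $Incremental | Sort-Object -Unique)
}

function Select-PatternDownload {
    # Decide what a client or agent at $Current must fetch to reach $Latest
    param([Parameter(Mandatory = $true)][int]$Current,
          [Parameter(Mandatory = $true)][int]$Latest,
          [int]$Count = 14)
    Assert-PatternVersion $Current
    Assert-PatternVersion $Latest
    if ($Current -ge $Latest) {
        return [pscustomobject]@{ Action = 'None'; File = $null }
    }
    $wanted = 'v_{0}.{1}' -f $Current, $Latest
    if ((Get-IncrementalNames -Latest $Latest -Count $Count) -contains $wanted) {
        [pscustomobject]@{ Action = 'Incremental'; File = $wanted }
    } else {
        # Too far behind: no incremental covers the gap, so take the full file
        [pscustomobject]@{ Action = 'Full'; File = "full pattern $Latest" }
    }
}

# Demonstration on the constructed data
$inc = New-IncrementalPattern -Old $FullPatterns[173] -New $FullPatterns[175]
"v_173.175 carries: $($inc -join ', ')"
$merged = Merge-Pattern -Old $FullPatterns[173] -Incremental $inc
"Merged 173 + v_173.175 equals full 175: $(-not (Compare-Object $merged $FullPatterns[175]))"
Select-PatternDownload -Current 173 -Latest 175   # Incremental, v_173.175
Select-PatternDownload -Current 145 -Latest 175   # Full: 15 releases behind, no incremental
```

The last two calls show the cut-off: 145 is 30 version numbers (15 releases) behind 175, past the 14 published incrementals, so only the full pattern can bring that client up to date.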


7.2 > Smart Scan Update Infrastructure

Smart Scan technology uses multiple lightweight patterns that work together to provide protection equal to conventional pattern-file designs. Smart Scan patterns are downloaded from the Trend Micro ActiveUpdate server by standalone and integrated Smart Scan servers. There are no component download overlaps between the Smart Scan server and the OfficeScan server. Each server downloads a specific set of components. A Smart Scan server downloads only the Smart Scan pattern, while the OfficeScan server downloads all the other components, including the Smart Scan agent pattern.

Figure 7.1: The Smart Scan Update Infrastructure

The Smart Scan server to which a client connects depends on the client's location. Internal Smart Scan clients connect to a local Smart Scan server, while external Smart Scan clients connect to the Trend Micro Global Smart Scan Server. The table below compares the two servers:

Basis of Comparison          Local Smart Scan Server                                   Trend Micro Global Smart Scan Server
Availability                 Available for internal clients, which are clients that    Available for external clients, which do not meet the
                             meet the location criteria specified on the OfficeScan    location criteria specified on the OfficeScan Web
                             Web console.                                              console.
Purpose                      Designed and intended to localize scan operations to      A globally scaled Internet-based infrastructure for
                             the corporate network to optimize efficiency              users disconnected from their corporate network
Server administrator         OfficeScan administrators install and manage these        Trend Micro maintains this server
                             servers
Pattern update source        Trend Micro ActiveUpdate server                           Trend Micro ActiveUpdate server
Client connection protocols  HTTP and HTTPS                                            HTTPS

Table 7.2: Comparison Between Local and the Trend Micro Global Smart Scan Servers


7.3 > Conventional OfficeScan Update Infrastructure


Although downloading updates to clients is critical to protecting your network, this process can consume both bandwidth and server resources. To support a large number of clients, deploying updates in a timely fashion without disrupting the network can become an issue in large, enterprise networks. This is one reason Trend Micro created the Smart Scan solution. However, to increase efficiency for conventional scans, OfficeScan uses a three-tier architecture for updates (shown in the figure below).
• OfficeScan server
• OfficeScan update agents
• OfficeScan clients

Figure 7.2: Using Update Agents to Deploy Updates

You can configure the OfficeScan server to download from as many as ten different update sources, including an internal update server, if you have configured one. However, in most situations, at least one OfficeScan server downloads updates directly from the Trend Micro ActiveUpdate server. Before downloading the updates, the OfficeScan server checks the component versions recorded in its ofcscan.ini file and compares them with the server.ini file on the Trend Micro ActiveUpdate server. Server.ini contains the versions of the components that need to be updated. If the version that OfficeScan currently has is lower than the ActiveUpdate server's version, the OfficeScan server downloads that particular component; otherwise, the OfficeScan server skips it (see the figure below). Server.ini also contains a checksum value for the files. When the server downloads updates, it first checks the checksum to determine whether the downloaded updates are corrupted. After the server downloads the updates, they can then be deployed to all OfficeScan update agents and clients. Like the OfficeScan server, the update agents and clients use the checksum to determine if new updates from the server have been corrupted. The OfficeScan architecture is designed to make the best use of the bandwidth of your company's Internet connection and to provide better security. For example, if your network includes two thousand workstations and servers, OfficeScan downloads the updates only once from the Internet. In addition, other servers are not directly exposed to the dangers of the Internet (such as hackers).
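The two decisions the paragraph describes, download only what is newer and accept only what matches the advertised checksum, are the part of this design that protects the whole tier below the server, so it is worth seeing them as code. The PowerShell below is an added example, not textbook or Trend Micro code: the ini layouts are reduced to hashtables, SHA-256 stands in for whatever checksum ActiveUpdate actually uses (the textbook does not say), and all component bytes and version numbers are constructed for the example.

```powershell
# Added example (not from the textbook): models the server-side update check of
# section 7.3 on constructed data: compare local (ofcscan.ini) versions with the
# advertised (server.ini) versions, fetch only newer components, and reject any
# download whose checksum does not match the manifest.

function Get-Sha256Hex {
    # Checksum used by this example; the real algorithm is not given in the text
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

# Constructed stand-in for the ActiveUpdate server: component bytes plus a
# server.ini-style manifest carrying a version and checksum per component
$remoteFiles = @{
    'VirusPattern'   = [System.Text.Encoding]::ASCII.GetBytes('lpt$vpn.175 sample bytes')
    'SpywarePattern' = [System.Text.Encoding]::ASCII.GetBytes('ssapiptn.da5 sample bytes')
    'ScanEngine'     = [System.Text.Encoding]::ASCII.GetBytes('vsapint.sys sample bytes')
}
$serverIni = @{
    'VirusPattern'   = @{ Version = 175;  Checksum = Get-Sha256Hex $remoteFiles['VirusPattern'] }
    'SpywarePattern' = @{ Version = 913;  Checksum = Get-Sha256Hex $remoteFiles['SpywarePattern'] }
    'ScanEngine'     = @{ Version = 9500; Checksum = Get-Sha256Hex $remoteFiles['ScanEngine'] }
}
# Constructed stand-in for the versions recorded in the local ofcscan.ini
$ofcscanIni = @{ 'VirusPattern' = 173; 'SpywarePattern' = 913; 'ScanEngine' = 9500 }

function Get-ComponentsToDownload {
    # Only components whose advertised version is higher than the local one
    param([hashtable]$Local, [hashtable]$Remote)
    foreach ($name in $Remote.Keys | Sort-Object) {
        $localVersion = if ($Local.ContainsKey($name)) { $Local[$name] } else { 0 }
        if ($Remote[$name].Version -gt $localVersion) {
            [pscustomobject]@{ Component = $name; Local = $localVersion; Remote = $Remote[$name].Version }
        }
    }
}

function Receive-Component {
    # Verify the transferred bytes against the manifest before accepting them;
    # a mismatch is treated as a corrupted download and the component is discarded
    param([string]$Name, [byte[]]$Bytes, [hashtable]$Manifest)
    $actual = Get-Sha256Hex $Bytes
    if ($actual -ne $Manifest[$Name].Checksum) {
        throw "Checksum mismatch for $Name; discarding download"
    }
    [pscustomobject]@{ Component = $Name; Version = $Manifest[$Name].Version; Bytes = $Bytes.Length; Verified = $true }
}

# Demonstration: only VirusPattern (local 173 < advertised 175) should be fetched
$toFetch = Get-ComponentsToDownload -Local $ofcscanIni -Remote $serverIni
$toFetch | Format-Table -AutoSize

foreach ($item in $toFetch) {
    Receive-Component -Name $item.Component -Bytes $remoteFiles[$item.Component] -Manifest $serverIni
}

# A corrupted transfer (one byte changed) is rejected rather than deployed
$corrupt = [byte[]]$remoteFiles['VirusPattern'].Clone()
$corrupt[0] = $corrupt[0] -bxor 0xFF
try   { Receive-Component -Name 'VirusPattern' -Bytes $corrupt -Manifest $serverIni }
catch { "Rejected: $($_.Exception.Message)" }
```

The same Receive-Component check is what an update agent or client would apply to bytes received from the OfficeScan server, which is why a corrupted file stops at the first hop instead of being relayed to every client behind it.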

[Figure 7.3 diagram: the Trend Micro ActiveUpdate Server at the top, the OfficeScan Server below it, then Update Agent and Clients. Callouts: "Server.ini is compared." "Updates are downloaded." "Downloaded components and server.ini are saved in \PCCSRV\download on the OfficeScan server."]

Figure 7.3: Downloading Updated Components Only

Update agents also offload the burden of deploying updates from the OfficeScan server. Rather than deploying updates to tens of thousands of clients, the OfficeScan server deploys the updates to update agents, which then deploy updates to the masses. This frees up resources on the OfficeScan server. In addition to reducing the workload on the OfficeScan server, update agents also reduce network and WAN traffic. For example, you can install update agents at branch offices so that updates are downloaded only once across your company's WAN link. All the clients at the branch office then download the updates from the local update agent. You can also install update agents at each LAN segment to reduce network traffic. Again, the updates are downloaded only once to the LAN segment. The clients on the LAN segment then download the updates from the update agent. The OfficeScan update architecture is extremely flexible. You can configure some clients to download the updates from the OfficeScan server, and you can configure other clients to download the updates from an update agent. The OfficeScan server then notifies update agents and update clients that the updates are available. Depending on your configuration, the clients then download the updates from the OfficeScan server or from an update agent. By studying your network configuration, you can determine the stress points on your network. You can identify areas where network traffic is heavy and deploy update agents to reduce update traffic in those areas.

7.3.1 Update Priority


When an OfficeScan server downloads updates from the ActiveUpdate server, it first notifies the update agents that the updates are available. The OfficeScan server then waits for a designated amount of time, giving the update agents the opportunity to download the updates, before notifying any OfficeScan clients that updates are available. You can specify how long the OfficeScan server will wait in the server's ofcscan.ini file or by using the Server Tuner tool. Giving the update agents priority speeds up the deployment process.

NOTE For more information about the Server Tuner tool, see Chapter 10: OfficeScan Tools on page 307.

Administrator Track

Chapter 7: Updates

7.4 > Viewing Update Information


You can view detailed information about client updates at a glance by clicking Updates > Summary in the navigation column of the OfficeScan management console (see the figure below). You can view information about the updates, including:
- Date/time for next scheduled update
- The connection status of OfficeScan clients installed on the networked computers
- The number of clients with updated and outdated components
- Update status for each component

Figure 7.4: Updates Summary Page

For each component, you can view its current version and the latest available version from Trend Micro. You can also view clients with out-of-date components by clicking the number link. You can manually update clients with out-of-date components.

7.5 > Configuring Server Updates


Configuring updates is a two-step process: You configure the server to download the updates, and you configure the server to notify update agents and clients that the updates are available. OfficeScan provides two methods of updating the server. You can:
- Configure scheduled updates for the server
- Update the server manually


7.5.1 Configuring Scheduled Updates


To configure the OfficeScan server to download updates automatically, click Updates > Server > Scheduled Update in the navigation column of the management console.

Figure 7.5: Server Scheduled Update Page

On the Server Scheduled Update page, select the Enable scheduled update of the OfficeScan server checkbox. Then, navigate the expandable and collapsible component sections and select the components you want to be updated:
- Smart Scan agent pattern
- Virus pattern
- IntelliTrap pattern
- IntelliTrap exception pattern
- Virus scan engine (32- or 64-bit)
- Spyware pattern
- Spyware active-monitoring pattern
- Spyware scan engine (32- or 64-bit)
- Virus cleanup template
- Virus cleanup engine (32- or 64-bit)
- Common firewall pattern
- Behavior Monitoring detection pattern
- Behavior Monitoring driver
- Behavior Monitoring core service
- Behavior Monitoring configuration pattern
- Digital signature pattern
- Policy enforcement pattern

You can then configure the schedule of the update. You can define the update based on an hourly, daily, weekly, or monthly interval. If you select weekly, you must specify the day of the week, the time of day, and the length of the update. If you select monthly, you must specify the day of the month.

NOTE Update schedules for the Smart Scan virus pattern are managed at Smart Scan > Integrated Server for the integrated Smart Scan server (see Chapter 5) or through individual server consoles on standalone servers (see Appendix H).


7.5.2 Updating the Server Manually


You can manually initiate an on-demand update (or update now) at any time, regardless of the scheduled time used for automated updates. OfficeScan automatically updates itself during the initial installation of the server software. Trend Micro recommends that you manually update components whenever a virus outbreak occurs. There are two ways to manually update the components stored on the OfficeScan server:
- Click Update Server Now at the top of the navigation column in the management console.
- Click Updates > Server > Manual Update in the navigation column of the management console. The Server Manual Update page displays a list of components, their version numbers, and the last time they were updated. You can select individual components to update or easily update all components.

Figure 7.6: Starting an On-demand Update for OfficeScan Server Components

Clicking Update at the bottom of the page starts the manual update, and the OfficeScan server immediately contacts the update sources that you have specified and determines which components are out of date and need to be updated. Once these components are identified, the OfficeScan server begins to download the components and reports the progress.

Figure 7.7: Manual Update Progress as Reported by the Management Console

When the components have been downloaded, they will be stored in the {Installation Directory}\PCCSRV\Download folder on the OfficeScan server.


7.5.3 Specifying Custom Server-Update Sources


OfficeScan allows you to configure custom update sources, other than the Trend Micro ActiveUpdate server, on the Updates > Server > Update Source page. You can select the ActiveUpdate server or as many as ten other update sources. If you configure the server to use other update sources, the server will look for updates on every update source you configure each time it performs an update. After checking each of these update sources, the OfficeScan server will also look for updates on the ActiveUpdate server. The server will download the most up-to-date components it finds.

Figure 7.7: Update Source Configuration Page for Server Updates

NOTE Update sources for the Smart Scan virus pattern are managed at Smart Scan > Integrated Server for the integrated Smart Scan server (see Chapter 5) or through individual server consoles on standalone servers (see Appendix H).

7.6 > Deploying Updates to Clients


To deploy updates to OfficeScan clients, you configure the OfficeScan server to notify the update agents and then other clients that an update is available. Update agents download updates directly from the OfficeScan server. Other clients contact their designated update agent or, if so designated, the server. You can configure automatic and manual updates.

7.6.1 Creating an Update Agent


Any Windows XP, Vista, 7, Server 2003, or Server 2008 client can function as an update agent, including 64-bit clients. Clients can become update agents at any time after the client software has been installed.

For instructions, see Section 5.5.7 Update Agent Settings on page 149.

If you create software installation packages using the Client Packager, you have the option to designate all clients installed with that particular package to be update agents.

For more information, see Section 6.2.4 Deploy Client Software Using the Client Packager Tool on page 228.


7.6.2 Configuring Automated Client Updates


Trend Micro recommends always having an automated update schedule in effect. Automating client updates is an easy and effective way to ensure that clients are up-to-date. In addition to components, during an automated update OfficeScan clients receive configuration updates that may have occurred since the last update and for which the client may not have been notified. Clients need new configuration files to apply new settings. To configure automatic deployments, click Updates > Networked Computers > Automatic Update. The Automatic Update (Networked Computers) page appears.

Figure 7.8: Automatic Update Configuration Page for Client Updates

You can configure event-triggered deployment, or you can specify a deployment schedule.

Event-triggered Client Updates


The server can notify online clients to update components after it downloads the latest components, and offline clients when they restart and then connect to the server. When ready to initiate component update, the OfficeScan server sends update notifications to clients, which informs them to check the server for the latest components.

NOTE If the OfficeScan server is unable to successfully send an update notification to clients after it downloads components, it automatically resends the notification after 15 minutes. The server will continue to send update notifications up to a maximum of five times until the client responds. If the fifth attempt is unsuccessful, the server stops sending notifications. If you select the option in this screen to update components when clients restart and then connect to the server, component update will still proceed.

Schedule-based Client Updates


Clients configured to perform scheduled update check the client update source for updates based on the schedule that you specify. Before specifying the schedule, select the clients that can perform scheduled update.
- To grant selected clients the privilege to enable/disable scheduled update, go to Networked Computers > Client Management > Settings > Privileges and Other Settings > Privileges tab > Component Update Privilege.


  When you grant the privilege, the default setting is to enable scheduled update. If the client user disables scheduled update from the client console, updating will not proceed on the update date and time you specified.
- To automatically enable scheduled update without client user intervention, go to Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab > Update Settings.

To update networked computer components automatically:
1. Click Updates > Networked Computers > Automatic Update.
2. Select conditions for event-triggered updates.
   - Optionally include roaming clients if you select clients to update immediately after the server downloads new components.
   - Select whether to scan client computers after updating.
3. Select how often clients with scheduled update privilege will perform updates.
   - If you select Minute(s) or Hour(s), you have the option to Update client configurations only once per day. If you do not select this option, the OfficeScan client retrieves both the updated components and any updated configuration files available on the server at the interval specified. If you select this checkbox, OfficeScan updates only the components at the interval specified, and the configuration files once per day.
     Tip Trend Micro often updates components; however, your OfficeScan configuration settings probably change less frequently. Updating the configuration files with the components requires more bandwidth and increases the time OfficeScan takes to complete the update. For this reason, Trend Micro recommends selecting updating client
   - If you select Daily or Weekly, specify the time of the update and the time period during which the OfficeScan server will notify clients to update components. For example, if your start time is 12 p.m. and the time period is 2 hours, OfficeScan will randomly notify all online clients to update components from 12 p.m. until 2 p.m. This setting prevents too many simultaneous connections to the server at the start time, significantly reducing the amount of traffic directed to the server.
   - Offline clients will not be notified. Offline clients that come online after the time period expires can still update components if you selected Let clients initiate component update when they restart. Otherwise, they update components on the next schedule or if you initiate manual update.
4. Click Save.

7.6.3 Manually Deploying Updates


If you want to deploy updates immediately, on-demand, you must use the management console to perform a manual update. You may, for example, wish to deploy updates immediately after you install the client on computers or immediately after Trend Micro releases a new virus pattern file to detect a malicious virus. The configuration page for initiating a manual update looks similar to the pages used for configuring scheduled and manual server updates, as described above. However, when you perform a manual update for client computers (that is, networked computers)


- You cannot select individual components to update. A manual update for clients always checks all components to make sure they are all up to date.
- You must select the target clients to which update notifications will be sent.

To manually deploy updates, click Updates > Networked Computers > Manual Update.

Figure 7.9: Initiating a Manual Update for OfficeScan Clients

The Manual Update page shows all the component versions and the last date and time a component was updated to the server. Clients will update their components to the versions shown. OfficeScan clients will also update their configuration files during manual update, if any are out of date. To update networked computer components manually:
1. View the component versions on top of the page.
2. Choose the target clients. You can update only those clients with outdated components or manually select any number/combination of OfficeScan domains and individual clients.
   Choosing to manually select clients
   When selecting this option, the Initiate Update button at the bottom of the page is replaced with a Select button. Click Select to choose clients/domains from the client tree. After selecting the clients you want to update, go Back to the Manual Update page and click Initiate Update.

The server starts the process of notifying each client to download updated components.
NOTE Once updates have been deployed to clients, the components are stored in the C:\Program Files\Trend Micro\OfficeScan Client directory.

7.6.4 Configuring the Update Source


The first step in configuring the client deployment is specifying the update source. You can configure clients to receive updates from the OfficeScan server, from an update agent, or from another source. To configure networked computer update sources:
1. Choose from the available update sources.


   - Customized update sources can include an update agent or the Trend Micro ActiveUpdate server.
   - If OfficeScan clients are unable to update from the selected update source, they will try other sources. (See Update Source Priority below.)

Figure 7.10: Client Update Source Configuration Page

Tip Trend Micro recommends using update agents and adding them to the Customized update source list. By configuring clients to receive updates from the agents rather than from the OfficeScan server, you can distribute the task of deploying components. This helps ensure that your clients receive component updates in a timely manner without directing a significant amount of network traffic to your OfficeScan server.

2. If you choose to update from customized update sources, configure the customized update source list.
   2.1. To add an update source, click Add. In the page that displays, enter a range of client IP addresses that will receive updates from this source, and then select an update source, such as an update agent or a specific source (using its URL). Click Save.
   2.2. Edit an update source by clicking the IP range link. Modify the settings in the page that displays and click Save.
   2.3. To remove an update source from the list, select the checkbox and click Delete.
   2.4. To move an update source, click the up or down arrow. You may move only one source at a time.

NOTE You may add as many as 1,024 sources to the update-source list.

3. Click Notify All Clients.

7.6.5 Update Source Priority


After you have set up and saved the list, the update process proceeds as follows:
1. A client updates from the first entry on the list.
2. If unable to update from the first entry, the client updates from the second entry, and so on.
3. If unable to update from all entries, the client checks the following options:


   - Update components from the OfficeScan server if all customized sources are not available or not found: If enabled, the client updates from the OfficeScan server. If the option is disabled, the client then tries connecting directly to the Trend Micro ActiveUpdate server if any of the following is true:
     - In Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab > Update Settings, the option Clients download updates from the Trend Micro ActiveUpdate Server is enabled.
     - The ActiveUpdate server (http://osce10-p.activeupdate.trendmicro.com/activeupdate) is not included in the Customized Update Source List.
     NOTE Domain settings, programs, and hot fixes can only be downloaded from the OfficeScan server or Update Agents. The ActiveUpdate server cannot supply these.
   - Update domain settings from the OfficeScan server if all customized sources are not available or not found: If enabled, the client updates from the OfficeScan server.
   - Update client programs and hot fixes from the OfficeScan server if all customized sources are not available or not found: If enabled, the client updates from the OfficeScan server.

4. If unable to update from all possible sources, the client quits the update process.
NOTE Trend Micro recommends using the ActiveUpdate server as the backup source. Forcing all clients to continually update from the Internet-located ActiveUpdate server as the first choice could consume significant network bandwidth. Trend Micro recommends this option only if you cannot update from the OfficeScan server or Update Agents.
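The following Python models the order of sources a client tries under the rules in this section, so that an administrator can check what a given source list and set of fallback checkboxes will actually do. It is an added example, not Trend Micro's code; the option field names, the reachability callback and the agent/server names are assumptions, while the ActiveUpdate URL is the one quoted above.

```python
"""Model of the client update-source priority described in Section 7.6.5.

Added illustration, not Trend Micro's implementation. Apart from the
ActiveUpdate URL quoted in the text, every name below is an assumption
chosen to mirror the console settings the section describes.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# URL quoted in the text for the Trend Micro ActiveUpdate server
ACTIVEUPDATE_URL = "http://osce10-p.activeupdate.trendmicro.com/activeupdate"
# Constructed placeholder name for the OfficeScan server
OFFICESCAN_SERVER = "officescan-server"

# Kinds of update. Per the NOTE in 7.6.5, only COMPONENTS can be supplied
# by ActiveUpdate; domain settings, programs and hot fixes cannot.
COMPONENTS = "components"
DOMAIN_SETTINGS = "domain settings"
PROGRAMS_HOTFIXES = "programs and hot fixes"


@dataclass
class UpdateOptions:
    """The three fallback checkboxes plus the ActiveUpdate privilege (assumed field names)."""
    components_from_server_if_sources_fail: bool = True
    domain_settings_from_server_if_sources_fail: bool = True
    programs_from_server_if_sources_fail: bool = True
    clients_download_from_activeupdate: bool = False


def candidate_sources(kind: str, customized: List[str], opts: UpdateOptions) -> List[str]:
    """Ordered list of sources a client tries for `kind`, following steps 1-3."""
    # Steps 1-2: customized entries in list order. ActiveUpdate is skipped for
    # kinds it cannot supply, even if an administrator listed it.
    order = [s for s in customized if kind == COMPONENTS or s != ACTIVEUPDATE_URL]

    # Step 3: the fallback checkbox that applies to this kind
    fallback_enabled = {
        COMPONENTS: opts.components_from_server_if_sources_fail,
        DOMAIN_SETTINGS: opts.domain_settings_from_server_if_sources_fail,
        PROGRAMS_HOTFIXES: opts.programs_from_server_if_sources_fail,
    }[kind]
    if fallback_enabled:
        order.append(OFFICESCAN_SERVER)
    elif kind == COMPONENTS and (
        opts.clients_download_from_activeupdate
        or ACTIVEUPDATE_URL not in customized
    ):
        # Server fallback disabled: the client goes straight to ActiveUpdate
        # when either condition in the text holds ("any of the following").
        order.append(ACTIVEUPDATE_URL)
    return order


def resolve_update(
    kind: str,
    customized: List[str],
    opts: UpdateOptions,
    reachable: Callable[[str], bool],
) -> Optional[str]:
    """Walk the candidate list and return the first source that can serve the
    update, or None when the client quits the update process (step 4)."""
    for source in candidate_sources(kind, customized, opts):
        if reachable(source):
            return source
    return None


if __name__ == "__main__":
    # Constructed scenario: a branch office with two update agents, default
    # checkboxes, and the first agent unreachable.
    agents = ["update-agent-branch-a", "update-agent-branch-b"]
    opts = UpdateOptions()
    up = {"update-agent-branch-b", OFFICESCAN_SERVER}
    for kind in (COMPONENTS, DOMAIN_SETTINGS, PROGRAMS_HOTFIXES):
        print(kind, "->", candidate_sources(kind, agents, opts),
              "chosen:", resolve_update(kind, agents, opts, up.__contains__))
    # Same list with the components fallback turned off: ActiveUpdate is added
    # because it is not already in the customized list.
    no_server = UpdateOptions(components_from_server_if_sources_fail=False)
    print(COMPONENTS, "(no server fallback) ->", candidate_sources(COMPONENTS, agents, no_server))
```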

7.7 > Rolling Back an Update


If you discover that the virus pattern file or scan engine that you are using is causing false alarms, you can roll back these components. Rolling back refers to reverting to the previous version of the pattern file or scan engine. OfficeScan retains the current and the previous versions of the Virus Scan Engine and the last five versions of the Virus Pattern. OfficeScan uses two different scan engines: one for 32-bit Windows XP/Vista/7/Server 2003/Server 2008 clients, and one for 64-bit Windows XP/Vista/7/Server 2003/Server 2008 clients. You can roll back these scan engines independently. To roll back a virus pattern file update or a scan engine update, click Updates > Rollback in the navigation column. On the Rollback page, you can see which version of the Smart Scan agent pattern, virus pattern, and scan engine is the most current. You can also see the previous version.


Figure 7.11: Pattern File and Scan Engine Rollback Page

NOTE Update agents cannot automatically be rolled back. To roll back an update agent, you will have to manually roll back the pattern file or scan engine and restart the client service.

To roll back the Smart Scan agent pattern, virus pattern, or virus scan engine:
1. Click Synchronize with Server for the component you want to roll back.
   1.1. Use the client tree viewer that subsequently appears to select the clients that will roll back the component.
   1.2. Click Roll back on the tool bar of the client-tree viewer. You can click Back at the bottom of the page to return to the Rollback page.

Figure 7.12: Selecting Rollback Targets and Initiating the Rollback

2. If an older version pattern file exists on the server, you can roll back the pattern file for both the client and the server by clicking Rollback Server and Client Versions.
3. The Rollback Status page informs you that The OfficeScan server has notified the OfficeScan clients installed on the selected computers to roll back components. On this page you can click View Update Logs or click Back. Clicking Back returns you to the main Rollback page.

Lab Exercise 9: Update and Deploy OfficeScan Components


7.8 > Chapter Summary and Review Questions


Summary
Virus writers, hackers, and spyware writers are continually looking for new ways to circumvent your network security. To ensure that the OfficeScan clients can detect these new threats, Trend Micro updates virus pattern files and other components of the OfficeScan software. To take advantage of these updates, you must update your OfficeScan software regularly. Updates can be performed manually or scheduled. To streamline the update process, you can have some clients act as update agents. They will then update other clients so that all clients do not have to receive their updates from the OfficeScan server. You can also configure clients to receive their updates directly from the Trend Micro ActiveUpdate server or from an internal webpage.

Review Questions
1. For which of the following was the update architecture designed?
   a) To maximize throughput
   b) To optimize use of bandwidth
   c) To use minimum mass storage
   d) To put ease of installation before throughput considerations
2. In which of the following ways can you create an update agent?
   a) Edit the server's ofcscan.ini file
   b) Use the OfficeScan management console to designate an update agent
   c) Use the setup wizard to install an update agent
   d) Configure an update agent on the client machine
3. When can the server be configured to automatically deploy updates to clients?
   a) After a scan
   b) After a cleanup
   c) When Manual Outbreak Prevention is stopped
   d) When it downloads a new component


Chapter 8: OfficeScan Client User Interface


Chapter Objectives
After completing this chapter, you should be able to:
- Identify the navigation options for OfficeScan
- Configure and run manual, real-time, or scheduled scans on selected targets
- Scan email for viruses
- Install Check Point SecureClient support
- Run Damage Cleanup Services (DCS) in the event of an infection


8.1 > Unlocking the Capabilities of the Client Console


The client console allows users to scan directories, files, and certain email. All users can perform these basic tasks using the client console:
- Manually scan files and folders for virus/malware and spyware/grayware
- View Manual Scan results and take action on uncleanable files
- Check logs for security risks and firewall policy violations

As the administrator, you may also grant extra privileges to users to allow them to perform additional tasks, such as:
- Configure real-time, manual, and scheduled scan settings
- Scan POP3 email (also Microsoft Outlook email on Windows XP)
- Manually update components
- Enable and disable firewall and/or behavior-monitoring features and configure them
- Enable and disable notification messages
- Install support for Check Point SecureClient

Figure 8.1: Client-Console Menus and Tabs Available When All Privileges Are Assigned

This chapter explains all the options available to a client that has been granted full privileges. The availability of client functions to end users is contingent on the policy settings that the administrator has configured through the management console.

To configure client privileges, see Section 5.5.8 Client Privileges and Other Settings on page 150.

8.1.1 Loading/Unloading the OfficeScan Client


To open the client console, the client software must first be running. The client software runs automatically at startup. However, if the client does not start automatically, you can start it by clicking Start > [All] Programs > Trend Micro OfficeScan Client > OfficeScan Client. When running, the OfficeScan client icon appears in the system tray.

NOTE The OfficeScan system-tray icon changes to represent the client's current status. See 3.4.13 Normal and Roaming Client Operation Modes on page 55 for a list of the status icons and a brief explanation of what they mean.


Clients that have been given sufficient privileges can manually unload (stop) the client by right-clicking the OfficeScan system-tray icon and clicking Unload OfficeScan. The OfficeScan service will be stopped and the system-tray icon will disappear.

NOTE If client privileges in the management console have been set to require a password, then you will be prompted for a password before you can turn off the client.

8.1.2 Launching the Client Console


To open the client console, you can click the start-menu shortcut, as above. (If the client service is not already running, you will have to click the start-menu shortcut twice to launch the client console.) You can also right-click the OfficeScan system-tray icon and choose OfficeScan Console.

Figure 8.2: Launching the Client Console Using the Icon in the System Tray

NOTE Double-clicking the OfficeScan system-tray icon launches the OfficeScan Client Real-Time Monitor. For more information, see 8.9 > OfficeScan Client Real-Time Monitor on page 284.

8.2 > Client-Configurable Scan Settings


You can access scan settings from the Options menu. Manual Scan, Real-Time Scan, and Scheduled Scan are individual menu items. However, each of these menu items launches a single dialog box with tabs for all three scan types. The settings here are the same as the settings for Manual Scan, Real-Time Scan, and Scheduled Scan in the management console, although the appearance of the screens is different.

NOTE If a client has not been given the required privileges to change the various scan settings, these options will appear grayed out in the menu.

Privileges to change scan settings appear under 5.5.8 Client Privileges and Other Settings on page 150 on the Networked Computers > Client Management page.

See Section 5.5.8 Client Privileges and Other Settings on page 150 for more information.

If you give configuration privileges to the client for manual, real-time, and/or scheduled scanning, settings that users make using the local client console will override any group settings you specify in the management console.


8.3 > Manual Scan Settings


You can set manual scan to check only specific files and folders so you can save time and avoid scanning files you know are not infected. You can also configure the way OfficeScan handles threats when it detects them.

Tip Because of the potential impact on performance due to scanning activity, administrators and users typically configure real-time and scheduled scans for less thorough scanning than manual scans.

Figure 8.3: Manual Scan Settings for Virus/Malware and Spyware/Grayware Engines

There are two types of manual scanning that you may configure from this page. They are selectable using the drop-down menu of the tabbed Manual Scan form.
- Virus/Malware Scan
- Spyware/Grayware Scan

NOTE On-demand scanning cannot be initiated from this dialog box. These are just the settings that will be used when you do start a scan by selecting target drives/folders and clicking Scan on the tabbed Manual Scan page on the main view of the client console.

8.3.1 Configuring Manual Virus Scan Settings


Specifying Files to Scan for Viruses/Malware
This frame determines which files to scan according to their type. You have three options:
- IntelliScan: True file type identification
- All scannable files
- Specified files (editable)


IntelliScan is a method of identifying files to scan. For executable files (for example, .ZIP and .EXE), the true file type is determined based on the file content. For non-executable files (for example, .TXT), the true file type is determined based on the file header. You can choose to exclude specific directories, files, or file extensions from the scan by enabling the exclusion list.
1. Click the Edit button to specify which directories, files, or extensions you want to exclude.
2. Select Enable IntelliTrap to scan for bots.

Specifying Target Files, File-types, & File-system Areas


Four checkboxes in this section allow you to configure the scope of the scan:
- Scan boot area
- Scan hidden folders
- Scan network drive
- Scan compressed files (If you select this option, you will need to determine how many layers deep, one to six, you would like to scan.)

Specifying Actions to Take Against Threats


The scan action frame determines what to do with an infected file once it is detected. Choosing ActiveAction causes infected files to be handled according to Trend Micro recommendations. You can customize the way infected files are handled by selecting Customize Action and clicking Edit.

Figure 8.4: Custom Scan Action Configuration

The ActiveAction dialog box displays the default settings for ActiveAction. You can change the defaults by using the drop-down menus. If at any time you want to reset the defaults for ActiveAction, click Default Actions. If you want all types of malware to be treated identically, select the Use the same action for all virus/malware types checkbox, and configure the single item labeled All types. Choose the action you wish to perform from the drop-down menu. The actions you may select from include: Clean, Quarantine, Delete, Rename, and Pass.


NOTE Not all malware can be cleaned. In fact, cleaning can damage some files, even though it is the recommended action. Trend Micro recommends backing up any file before cleaning it. To save a copy of the file before it is cleaned, select the Back up files before cleaning checkbox. If you select Clean for any malware, you will also need to select an alternative action.

Limiting CPU Usage for Virus/Malware Scans


You can select a High, Medium, or Low impact on CPU usage for the scan. A High setting enables the fastest scan, but can consume all of a client's CPU resources for an indefinite amount of time. A Low setting means that scanning will not exceed 20% of CPU resources. The scan will take longer with this setting, but its effects on the user will be minimal.

8.3.2 Manual Spyware/Grayware Scanning Options


Spyware/grayware scanning enables OfficeScan to find and eliminate threats that include:
- Spyware
- Hacker tools
- Remote access programs
- Cookies
- Adware
- Dialers
- Browser helper objects
- Back door programs

You may select one of two actions to perform in the event that a file is identified as a spyware/grayware threat:
- Clean: Cleans the detected spyware/grayware.
- Pass: Action is limited to recording the incident in the spyware/grayware logs for later assessment.

8.4 > Real-Time Scan Settings


Real-time scan provides maximum protection against viruses by continuously scanning files that your computer opens or saves. Real-time scan runs in the background whenever the client is running and displays an alert upon detecting a virus. To configure real-time scanning, select the Settings menu, then Real-time Scan. The Real-time Scan tab of the Options page will be displayed.

8.4.1 Specifying When in Real-time to Scan Files


With real-time scanning you may choose whether to scan files as they are being:
- Created, modified, or retrieved
- Retrieved only
- Created or modified only

Chapter 8: OfficeScan Client User Interface

Figure 8.5: Real-time Scan Tab

8.4.2 Specifying Files to Scan for Real-time Scanning


As with Manual Scan, in this frame you may determine which files to scan according to their type; you have three options:
- IntelliScan: True file type identification
- All scannable files
- Specified files

Again, you can create an exclusion list and include scanning for spyware/grayware by marking the checkboxes accompanying the options.

8.4.3 Specifying Actions to Take Against Threats


Similar to Manual Scan's scan action options, real-time scanning features a checkbox that causes files to be backed up before they are cleaned. It also repeats the ActiveAction and customized scan action options, along with the quarantine directory field. Distinct to the Real-time Scan option, however, is a checkbox enabling a virus-detection alert. This alert displays the location of the infected file, the name of the virus, and the scan results. To learn more about the virus, click the virus name in the pop-up alert; you will be linked to information about the virus in Trend Micro's Virus Encyclopedia. (This information is also accessible through the Help menu.)


Figure 8.6: Trend Micro Virus Encyclopedia

8.4.4 Real-time Virus-Scan Target Settings


The target options are slightly different from those in the manual scan. You can select any of these options:
- Enable IntelliTrap
- Scan network drive
- Scan floppy at shutdown
- Scan compressed files (Again, if you select this option, you will need to determine how many layers, one to six deep, you would like to scan.)

8.4.5 Real-time Spyware/Grayware Scan Action Options


By selecting Spyware/Grayware Scan from the drop-down menu in the middle of the form, you may select one of two actions to perform in the event that a file is identified as a spyware/grayware threat:
- Clean: Cleans the detected spyware/grayware by terminating processes and/or deleting registry entries, files, cookies, and shortcuts that are associated with the threat.
- Deny access: Cleaning actions are not taken, but threat-related system operations are halted.

You may also select to display a notification message when spyware/grayware is detected.

8.5 > Scheduled Scan Settings


You can configure the OfficeScan client to run scans at a specified time. This allows you to maintain a high level of threat prevention, and yet run scans at times when they are least likely to impact productivity. Scheduled scans run automatically, requiring no further intervention.


Figure 8.7: Scheduled Scan Tab: Virus Scan and Spyware/Grayware Scan Options

Basic Scheduled-Scan Options


Refer to the Manual Scan or the Real-Time Scan sections above for an explanation of the available file-types-to-scan, scan-settings, and scan-action options. The options available for spyware/grayware scanning are also the same as for manual scanning. You can set the CPU usage level to high, medium, or low for a scheduled scan, as you can with a manual scan. Manual- and scheduled-scan CPU settings operate independently of each other.

Scheduled Scan: Schedule Configuration


In the schedule frame you set the frequency and time for scans.

- Frequency: Set the scan to occur daily, weekly, monthly, or with no specified action.
- Time: Determine the hour and minute at which you want to start the scan.
- Day of the week: Determine which day you want to perform the scan (for the weekly setting).
- Day of the month: Determine the date each month you want to perform the scan (for the monthly setting).

When the scheduled scan begins, the client icon in the system tray becomes animated.

Postpone, Stop, or Skip Scheduled Scan


Before Scheduled Scan runs, right-click the OfficeScan client icon on the system tray and select Scheduled Scan Advanced Settings. On the notification window that displays, select one of the following options:
- Postpone scanning for __ hours and __ minutes: After selecting this option, specify the postpone duration. Scheduled Scan can only be postponed once.
- Skip the Scheduled Scan. The next Scheduled Scan runs on {date} at {time}.

If you do not have these two privileges, your only option is Run the scan as scheduled.


Figure 8.8: Scheduled Scan Advanced Settings

If Scheduled Scan is already in progress, right-click the OfficeScan client icon on the system tray and select Scheduled Scan Advanced Settings. On the notification window that displays, select one of the following options:
- Stop scanning. Restart the scan after __ hours and __ minutes: After selecting this option, specify the amount of time that should elapse before scanning restarts. When scanning restarts, all previously scanned files are scanned again. Scheduled Scan can be stopped and then restarted only once.
- Stop scanning. The next Scheduled Scan runs on {date} at {time}.

OfficeScan notifies you of any security risk detected before the scan was stopped. You can also check the logs for security risks detected during Scheduled Scan.

8.6 > Drag-and-Drop Scanning


Users can manually scan any file or directory at any time by simply dragging the file or directory onto any tab of the client console. The file or directory is immediately scanned using the settings you configured under Manual Scan.

Figure 8.9: On-demand Scanning Using Drag-n-Drop onto the Client Console

If the option is enabled, users can also right-click any file and select Scan with OfficeScan Client from the context menu to immediately scan a file.


8.7 > The Client Console Tabs


The client console interface features these tabs:
- Manual Scan
- Manual Scan Results
- Firewall
- Mail Scan
- Behavior Monitoring
- Logs
- [Toolbox]

Figure 8.10: Manual Scan Tab on the Client Console

8.7.1 The Manual Scan Tab


From the Manual Scan tab, you select the drives and directories you want to manually scan. The page will display all the drives on your computer; you can expand or contract the tree to find the precise directories you wish to scan.

After you have selected the items you want to scan, click the Scan button. Manual scan starts immediately and scans all of the files you specify, using these settings:
- Settings configured for Manual Scan in the client console will be used if the client has privileges.
- Settings configured for Manual Scan in the management console will be used if the client does not have privileges.

How long the scan will take depends on the number and size of files you chose to scan and on your hardware resources. The CPU usage setting (High or Low) will also affect the scan time. Scanning progress for manual scan is similar to that shown above for drag-and-drop scanning. For virus/malware scans you have the option to pause or stop the scan. For spyware/grayware scans, you have the option to stop the scan only.


8.7.2 The Manual Scan Results Tab


The Manual Scan Results tab lets you view the results from and statistics about the most recent manual scan you performed.

Figure 8.11: Scan Results Tab on the Client Console

Manual Scan Results Statistical Summary


The summary section of the page displays:
- The number of infected files
- The number of cleaned files
- The name of the last virus found
- The number of files scanned
- The elapsed time of the scan

Infected Files

A list of infected files is generated at the bottom of the page. You can choose to perform these additional actions:
- Virus Info: Gives you access to Trend Micro's online Virus Encyclopedia, where you can learn more about a virus.
- Clean: Removes the virus from a file.
- Delete: Removes the infected file altogether.
- Rename: Changes the extension of the infected file to .vir (or subsequently .vi0, .vi1, and so on if there are more than one) to prevent it from being opened.

Finally, when you are done applying resolution actions, you can clear the list.

NOTE: Even if you do not clear the list, the information displayed on the Scan Results tab is deleted when you close the console.


8.7.3 The Firewall Tab


On the Firewall tab of the OfficeScan client console, you may enable the OfficeScan firewall for all IP addresses. If you choose to enable the firewall, you will also have the option to enable the Intrusion Detection System (IDS) and alert messages. Once you have selected your preferences, click Apply.

NOTE: If appropriate privileges have been granted through the management console, the OfficeScan firewall can also be enabled or disabled by right-clicking the client status icon and selecting Enable or Disable Firewall. This menu item acts as a toggle switch.

Figure 8.12: Firewall Tab

The network card list shows the IP address of all network cards on the client. To edit an OfficeScan firewall policy, select the policy from the list and click Edit.

NOTE: To edit a policy and its exception list, the user must have been assigned the associated privileges in the OfficeScan firewall profile settings on the OfficeScan management console. In other words, the client must fit the criteria of an existing profile and that profile must assign the privilege. For more information, see Chapter 9: OfficeScan Firewall on page 287.

Figure 8.13: Security Level and Exception Rule List


The security level specifies which traffic will be blocked. The three levels you can choose from, low, medium, and high, are delineated in the chart below:

Security Level    Incoming Traffic    Outgoing Traffic
Low               Allow               Allow
Medium            Block               Allow
High              Block               Block

Table 8.1: Security Level Settings

For more information on firewall security levels, see Chapter 9: OfficeScan Firewall on page 287.

The exception rule list allows users to make exceptions to the firewall policy by allowing or blocking specific types of traffic. Select the exception you wish to modify, then click the button for the action you wish to perform. You may also change the order in which exceptions are listed. Exceptions are read top-down. Action is taken on the first match. If you choose to edit an exception, the Exception Rule dialog box appears.

Figure 8.14: Exception Rule

Define exceptions by choosing to allow or block traffic based on these criteria:
- Direction of traffic (incoming or outgoing)
- Protocol (TCP, UDP, ICMP, TCP/UDP, or all)
- Ports (allowed port range is between 1 and 65535)
- Computers (identified by host name or IP address)

Traffic is matched to the exception list first (top-to-bottom), then to the security level.

NOTE: If you are running Trend Micro Control Manager on your network, you should add an exception to the list allowing the ports for Vulnerability Assessment and DCS (ports 20901 and 137-139) to remain open.


8.7.4 The Mail Scan Tab


On Windows XP clients, you can install Outlook Mail Scan to scan Microsoft Outlook incoming messages, including attachments, automatically as they are downloaded from your Exchange server. You can also use the mail scan Scan Now function to scan folders manually.

Figure 8.15: Client Console Mail Scan Tab

Scanning Emails and Attachments


Installing the POP3 mail scan feature (available on all Windows-based client platforms) automatically configures the client to perform real-time scanning on messages and attachments as they are received from POP3 mail servers.

To configure POP3 mail scan:

1. Select the checkbox to enable scanning of POP3 email messages in real time.
2. Select the action OfficeScan performs on detected viruses/malware.
   - If you select Clean, select an alternative action (Pass or Delete) for uncleanable files. OfficeScan cleans infected files in email messages and performs the alternative action if an infected file is uncleanable. Selecting Clean also allows you to select Clean infected compressed files. If you select this option, OfficeScan cleans an infected compressed file first and then performs the alternative action if the compressed file is uncleanable. If you do not select this option, OfficeScan performs the alternative action on infected compressed files.
   - If you select Delete, OfficeScan automatically deletes infected files in email messages, including infected compressed files. In place of a deleted file is a file named "TmmWarn.txt" that provides information about the deleted file.
   - If you select Pass, OfficeScan does not perform any action on infected files in email messages, including infected compressed files.
3. Click Apply.


To configure Microsoft Outlook mail scan:

1. Click Install/Upgrade. In the confirmation page that appears, click Yes. The client connects to the server and downloads the module.
2. After installation, the Scan Now button becomes active and the Outlook Mail Scan console appears (shown in the figure below).
3. Your system is automatically configured to scan incoming Outlook messages.

WARNING! Outlook Mail Scan does not use the same scan engine as the rest of the OfficeScan client. To ensure that the mail scan engine is up-to-date, you must periodically check for updates by clicking the Install/Upgrade button on the Mail Scan tab (shown in the figure above) or by clicking the Update Virus Scan Engine button on the Outlook Mail Scan console (see the figure below).

Scanning Your Outlook Folders


NOTE: The mail scan module must be installed first before you can execute manual scans on your existing Microsoft Outlook folders (Windows XP clients only).

To scan your Outlook folders:

1. On the Mail Scan tab (see the figure above), click Scan Now. The Outlook Mail Scan console appears, the program logs into your mail account, and then displays your mail folders as depicted in the figure below.

Figure 8.16: Outlook Mail Scan Interface

2. Select the folders that you want to scan by clicking the checkboxes next to the folder names. The Scan Now button becomes active.
3. Under Scan action, select an action to perform in the event a threat is detected. (OfficeScan cannot quarantine infected messages and attachments.)
4. You may update your scan engine before scanning to increase the detection rate of the engine.
   4.1. Click Update Virus Scan Engine.
   4.2. If you use a proxy server to connect to the Internet, select the Use a proxy server checkbox and enter your proxy information.
   4.3. Click Update Now. The client connects to the server and checks for scan engine updates. If an update is available, Outlook Mail Scan will automatically download it.


5. Click Scan Now. When the scan is complete, a page appears displaying the number of messages scanned and the number of threats detected.

8.7.5 The Behavior Monitoring Tab


NOTE: Users can configure the behavior monitoring settings only if the administrator has granted the necessary privileges.

This tabbed page displays your lists of approved and blocked programs. Programs in the approved-programs list can be started even if they attempt to make monitored system changes. Programs in the blocked-programs list can never be started. Users can add a maximum of 100 approved and 100 blocked entries.

Figure 8.17: The Client Console Behavior Monitoring Tab & Approved Programs List

To add or remove a program from either list, click the corresponding Approved Programs or Blocked Programs button on the Behavior Monitoring tab. Then, use the add-and-remove dialog to enter the full path to the target program(s) (or browse to them) and add them to the selected list. Listed programs may be removed one at a time by selecting a program from the list-display area and clicking Remove.

When the notification permission is enabled by an administrator using the management console, the OfficeScan client displays a notification when behavior monitoring halts or blocks programs.

Figure 8.18: Client Notification Message of an Event Blocked by Behavior Monitoring


8.7.6 The Logs Tab


This page lets you view and manage virus and firewall logs. Viewing these logs will help you assess how well your computer is being protected and the frequency of attacks.

Figure 8.19: Client Console Log Report Tab

To obtain a report, first select whether you want to view virus or firewall logs. Next, specify the start and end dates. Finally, click the View Logs button. A log page displays this information:
- Log Type
- Date and Time
- Virus Name
- Scan Type
- Result
- Detail

NOTE: An alert will appear if there are no logs for the dates you specify.

To conserve disk space, you can configure OfficeScan to automatically delete old logs. Just specify the number of days (1 to 15 for virus logs or 1 to 7 for firewall logs) after which you want the report to be deleted. The Log Report tab also enables you to configure the automatic deletion of log files through the Options page.

NOTE: The logs will be deleted automatically after the maximum time period has passed. You also have the option to delete log files on demand.


8.7.7 The Toolbox Tab


From the Toolbox tab you can install support for Check Point SecureClient.

NOTE: To install SecureClient support, you must have Check Point SecureClient installed on your computer. The installation will abort and display a notice if SecureClient is not detected.

Figure 8.20: Client Console Toolbox Tab

Check Point SecureClient


Check Point SecureClient is a VPN client that allows you to enforce desktop security policies as your clients connect to the VPN. You can install the Check Point support module on client machines that use Check Point SecureClient to enable SecureClient to check for the latest OfficeScan virus pattern file before being granted VPN access.

8.7.8 Client Plug-in Manager


Plug-in Manager displays available programs for the OfficeScan server and OfficeScan clients. You can then install and manage the programs from the management console, including deployment to clients. Plug-in capability will allow you to take advantage of new services and technologies as soon as they become available.

The Plug-in Manager button toggles between the normal OfficeScan client view and the plug-in manager view. When the plug-in manager is displayed, the button's text changes to OfficeScan Console. Click it to return to the normal OfficeScan client view.


Figure 8.21: Plug-in Manager

8.8 > Performing Updates on the Client


You can perform on-demand updates on the client by right-clicking the client icon in the system tray and selecting Update Now. If you have a proxy server, select Use HTTP proxy server and enter your proxy-server configuration information. Click Update Now.

Figure 8.22: Update Now Settings

If you have the proper privileges, you can disable a scheduled update. Right-click the client icon and select Disable Scheduled Update. This option acts as a toggle, so to reactivate the update, right-click the client icon and select Enable Scheduled Update.

8.9 > OfficeScan Client Real-Time Monitor


To launch the real-time monitor, double-click the OfficeScan icon in the system tray or right-click to open the client console and select Go to > Real-time Monitor from the drop-down menu. You can view the real-time monitor whenever the client is running. The real-time monitor displays real-time information about the antivirus status of your computer:
- Real-time scan status for virus/malware scanning and spyware/grayware detection, including the last files scanned and the last threats found
- Scan statistics, including the total number of files scanned and the number infected
- Scheduled scan settings, including when it is scheduled to run


Figure 8.23: Real-Time Monitor for the OfficeScan Client Console

8.10 > Proxy Settings


If you use a proxy server to download updates, you can configure your proxy settings by selecting Settings > Client Proxy. Select the Use HTTP proxy server checkbox and fill in the appropriate IP address, port number, user name, and password.

Figure 8.24: OfficeScan Client Console Proxy Settings

Lab Exercise 10: Configure Settings on the Client Console


8.11 > Chapter Summary and Review Questions


Summary
The client console is installed to the desktops of client machines to allow users to scan directories, files and email. The client console interface features scan settings, scan results, firewall settings, mail scan settings, log reports, and links to client utilities if the client has been granted all privileges.

Review Questions
1. What does the client mail scan utility scan?
   a) Netscape Messenger folders
   b) Eudora Pro folders
   c) Outlook Express folders
   d) Email in real-time

2. When will manual scan settings configured in the OfficeScan management console override client console settings?
   a) During a virus outbreak
   b) When CPU usage is set to High
   c) Whenever a setting conflicts
   d) When the client does not have the privilege to configure manual scans

3. If you run a DCS cleanup, which of the following does it NOT clean?
   a) Unwanted registry entries created by worms or Trojans
   b) Memory resident worms or Trojans
   c) Garbage and viral file drops by worms or Trojans
   d) Viruses discovered in the Program Files directory


Chapter 9: OfficeScan Firewall


Chapter Objectives

After completing this chapter, you should be able to:
- Identify the two modules that comprise the OfficeScan firewall
- Explain the OfficeScan firewall intrusion detection system (IDS)
- Explain OfficeScan firewall network-virus scanning
- Configure OfficeScan firewall policies and profiles


9.1 > Client Firewall Overview


The OfficeScan firewall helps protect OfficeScan client machines from attacks by the stateful monitoring and evaluation of data packets sent to and received from the computer's network interface. When enabled, the OfficeScan firewall can police incoming and outgoing TCP, UDP, and ICMP traffic and block traffic that violates firewall policies. Policies may be based on packet profiles (protocol type, port number, destination, etc.), the sending or receiving application, or a combination of both. The OfficeScan firewall also provides additional features, including intrusion detection, network-virus scanning, and application filtering based on a global certified-safe software list.
NOTE OfficeScan automatically disables the OfficeScan firewall on Windows Server platforms. You can select to override this default configuration on the Client Management > Settings > Additional Services page.

9.2 > Firewall Architecture


The OfficeScan firewall is composed of two modules:
- The personal firewall module
- The common firewall module

Figure 9.1: OfficeScan Firewall Modules

Starting with OfficeScan 10.5, the OfficeScan firewall is also integrated with the Unauthorized Change Prevention Service module to provide application-lookup services that, when enabled, determine whether an application attempting to send or receive data is on the local approved-applications list or (optionally) on a global approved-applications list maintained directly by Trend Micro. When the OfficeScan firewall detects that an approved-application filtering list rule is relevant to the inspection of a connection attempt, the firewall calls on the Unauthorized Change Prevention Service to query the local list and then (if configured) the global list. Local exceptions take priority over global exceptions.


9.2.1 Personal Firewall Module


The personal firewall module acts as the interface with OfficeScan for receiving and loading policies. It is responsible for communication and policy formulation.
COMMUNICATOR: The Communicator receives the commands from the OfficeScan management console, the client software (PccNT.exe), and the OfficeScan or Trend Micro Control Manager Outbreak Prevention Policy module. In addition, when a user logs onto the client computer, the Communicator checks the username to determine which OfficeScan firewall profile to use.

POLICY FORMULATION: The personal firewall module compiles all the policy information received from the Communicator before passing it along to the common firewall module. It determines which policy should be enabled based on the policy settings (IP address, domain, machine name, platform, status, username).

9.2.2 Common Firewall Module


The OfficeScan firewall is a stateful inspection firewall. It monitors all connections to the client and remembers all connection states. It can identify specific conditions in any connection, predict what actions should follow, and detect disruptions in a normal connection. Therefore, effective use of the firewall not only involves creating profiles and policies, but also analyzing connections and filtering packets that pass through the firewall. The common firewall module receives policy information from the personal firewall module and performs the specified action. It is responsible for firewall policy enforcement, intrusion detection, and network-virus scanning. The key component of the common firewall module is the common firewall driver (TM_CFW.sys). This driver enforces firewall policies by scanning incoming and outgoing traffic, then allowing or blocking it based on criteria from the following:
- Pattern files
- Firewall policies
- Application filtering
- IDS rules

Network Virus Scan


The OfficeScan firewall uses a pattern file to scan incoming and outgoing network packets for viruses. The common firewall driver uses the network virus pattern file (tmfxxxxx.ptn) to inspect network packets for viruses. This pattern file is stored in the OfficeScan client directory. Any time the OfficeScan firewall is enabled, the Network Virus Scan is enabled as well. By performing simultaneously, both components work together to provide optimum protection.
NOTE While the port-level firewall settings can be configured, the network virus scan runs automatically and unchangeably. If the OfficeScan firewall is disabled, network virus scanning will also be disabled.


Firewall Policies
The firewall policies are those you define using the OfficeScan management console (including separate policies for Outbreak Prevention), the OfficeScan client console, or the Trend Micro Control Manager management console (Outbreak Prevention policies apply). Firewall policies allow you to block incoming or outgoing traffic entirely. You can also create exception lists to allow specific types of traffic through the firewall based on
- Direction (inbound/outbound)
- Transport-layer protocol (TCP/UDP/ICMP)
- Port number
- Source/destination IP address
- Application

Profile definitions allow you specify the clients to which a policy should be applied.

Application Filtering
Introduced as a new feature in OfficeScan 10.5, application filtering allows you to add application criteria to firewall exception rules. Application information can be used by the OfficeScan firewall in three different forms:
Individualized exception rule
Reference to the local approved-applications list
Reference to the Trend Micro global approved-applications list

Application-level firewall control is important for providing security in what some people refer to as an "everything over HTTP" world, where unwanted and dangerous applications alike are specifically designed to communicate using standard protocol-port combinations so that their packet-header profiles are indistinguishable from legitimate traffic. Restricting network communication to approved applications, in addition to traditional port-protocol rules, tightens network traffic control considerably. It provides you with an extra layer of criteria by which you can establish granular control over your network security posture. You can, for example, create a policy that permits specified network traffic (say, FTP traffic) from one kind of application, but prohibits that same type of traffic from all other applications. Conversely, you can create rules that prohibit traffic only if the application is specified. You can also choose whether to filter traffic based on the local-network version of the approved-applications list. You can additionally enable clients that have Internet access to check the global Firewall Approved Applications list, which is dynamically updated and maintained directly by Trend Micro. When the OfficeScan firewall detects that an approved-application filtering list rule is relevant to the inspection of a connection attempt, the firewall calls on the Unauthorized Change Prevention Service to query the local list and then (if configured) the global list. Local exceptions take priority over global exceptions.


Administrator Track

Chapter 9: OfficeScan Firewall

Intrusion Detection System (IDS)


The OfficeScan firewall's intrusion detection system (IDS) monitors packets coming from and going to the network and attempts to discover if an intruder is attempting to break into a system or cause a denial of service attack. The table below describes nine types of attacks IDS can detect:

Name (Protocol): Description

Too Big Fragment (All except ICMP): A Denial of Service attack where a hacker directs an oversized TCP/UDP packet at a target computer. This can cause the computer's buffer to overflow, which can freeze or reboot the computer.

Ping of Death (ICMP): A Denial of Service attack where a hacker directs an oversized ICMP packet at a target computer. This can cause the computer's buffer to overflow, which can freeze or reboot the computer.

Conflicted ARP (ARP IP address request): A type of attack where a hacker sends an Address Resolution Protocol (ARP) request with the same source and destination IP address to a computer. The target computer continually sends an ARP response (its MAC address) to itself, causing it to freeze or crash.

Syn Flood (TCP): A Denial of Service attack where a program sends multiple TCP synchronization (SYN) packets to a computer, causing the computer to continually send synchronization acknowledgment (SYN/ACK) responses. This can exhaust computer memory and eventually crash the computer.

Overlapping Fragment Attack (All except UDP): Similar to a Teardrop attack, this Denial of Service attack sends overlapping TCP fragments to a computer. This overwrites the header information in the first TCP fragment and may pass through a firewall. The firewall may then allow subsequent fragments with malicious code to pass through to the target computer.

Teardrop (UDP): Similar to an overlapping fragment attack, this Denial of Service attack deals with IP fragments. A confusing offset value in the second or later IP fragment can cause the receiving computer's operating system to crash when attempting to reassemble the fragments.

Tiny Fragment Attack (IP): A type of attack where a small TCP fragment size forces the first TCP packet header information into the next fragment. This can cause routers that filter traffic to ignore the subsequent fragments, which may contain malicious data.

Fragmented IGMP (IGMP): A Denial of Service attack that sends fragmented IGMP packets to a target computer, which cannot properly process the IGMP packets. This can freeze or slow down the computer.

LAND Attack (TCP/UDP): A type of attack that sends IP synchronization (SYN) packets with the same source and destination address to a computer, causing the computer to send the synchronization acknowledgment (SYN/ACK) response to itself. This can freeze or slow down the computer.

Table 9.1: Attacks IDS Can Detect


You can enable or disable IDS without disabling the OfficeScan firewall. The IDS rules are not user-definable. However, updates to those rules are made by TrendLabs and are embedded in the common firewall driver. You can update the common firewall driver from the Trend Micro ActiveUpdate server.

9.2.3 Dataflow


When the OfficeScan firewall is enabled, its policies are automatically loaded to the common firewall driver when the client is started. The network virus pattern file (tmfxxxxx.ptn) is also loaded into memory to allow the common firewall driver to scan for network viruses.

Incoming Traffic
Incoming data first undergoes scanning via the Intrusion Detection System (IDS); if it does not meet the set criteria, it is blocked; otherwise, it proceeds to Firewall Policies and, if it passes that scrutiny, it moves to the last step, Network Virus Scanning. If the data packets are clean, the client can accept the data.

Figure 9.2: Flow of Incoming Traffic

Outgoing Traffic
When data is leaving the client, the process chronology is slightly different. First, it must pass IDS, then the Firewall Policies, and finally the Network Virus Scanning. As with incoming data, the packets can be blocked at any of these stages if they do not meet the criteria.

Figure 9.3: Flow of Outgoing Traffic


NOTE: The only action OfficeScan firewall components can take is to block packets and log the event. Blocked packets are dropped.

9.3 > Configuring the OfficeScan Firewall


You can use the OfficeScan management console to configure the OfficeScan firewall. If the client has been granted the proper privileges, you can also configure the OfficeScan firewall from the client console. This chapter will describe the process used to configure the OfficeScan firewall using the management console.

Client console settings are described in Chapter 8: OfficeScan Client User Interface on page 265.

To configure the OfficeScan firewall, you specify settings for policies and profiles. Policies define rules and settings, while profiles determine to whom the policies apply. In addition to setting policies and profiles, you can:
Create an exception list template
Configure Firewall Outbreak Monitor

If the personal firewall module cannot read any policy (if, for example, a policy is corrupt or the policy file is missing or can't be read), it uses the default settings shown below.

Firewall Setting              Status
Security Level                Low
Enable Firewall               Enabled (which also enables Network Virus Scanning)
IDS                           Disabled
Alert Message                 Disabled
Approved-applications list    Disabled
Exception List                Disabled

Table 9.2: Default OfficeScan Firewall Settings

9.3.1 Configuring Firewall Policies


The OfficeScan firewall policy determines which kinds of traffic the OfficeScan firewall will block. To edit a policy or define a new one using the OfficeScan management console, click Networked Computers > Firewall > Policies in the navigation column to load the Firewall Policies for Networked Computers page.


Figure 9.4: Firewall Policy List

Click Add to create a new policy (shown in the figure below); or, to edit an existing policy, choose the policy and click Edit.

Figure 9.5: OfficeScan Firewall Policy Editor

To create a policy, perform these basic procedures:
1. Enter a policy name
2. Select a security level
3. Enable/disable the firewall, IDS, and/or alert message options
4. Enable/disable application filtering based on the approved-applications list
5. Configure the exception list

Security Level
The security level specifies which traffic will be blocked. The table below identifies the three levels you can choose from: low, medium, and high.


Security Level    Incoming Traffic    Outgoing Traffic
Low               Allow               Allow
Medium            Block               Allow
High              Block               Block

Table 9.3: Firewall Security Level Settings

NOTE: On the medium setting, the firewall allows both incoming and outgoing trace-route (ping) echo-request packets, unless you set an exception that blocks incoming ICMP traffic.

Even on the high security level, two ports will remain open:
The DHCP Port: At startup, the client uses port 67 to request an IP address from a DHCP server; port 68 receives the answer. The firewall leaves an opening for these two ports to enable the performance of network functions.
The Client Communication Port: This port must be left open since the client receives commands from the server via this port.

NOTE: If you enable Outbreak Prevention from the management console and select to block the trusted port, client communication will be blocked for the duration of Outbreak Prevention.

Enabling/Disabling Basic Firewall Features


If you enable the OfficeScan firewall on a client machine with multiple network cards with separate IP addresses, each IP address must use the same firewall policy. While Network Virus Scanning is automatically enabled with the OfficeScan firewall, IDS can be enabled separately. Enabling the alert message notifies users of IDS events using the message specified on the Firewall Violations tab on the Notifications > Client User Notifications page.
NOTE: The message appears only when outgoing traffic is in violation. No warning will appear for incoming traffic; the system will simply block it from entering and log the event.

Application Filtering Based on the Approved-Applications List


This feature works with Behavior Monitoring. For this feature to work, you must enable the Unauthorized Change Prevention Service and the Certified Safe Software Service before enabling the global Certified Safe Software List. The Certified Safe Software List provides a list of applications that can bypass Firewall Policy security levels. If the security level is set to medium or high, OfficeScan will still allow applications on the list to run and access the network. Additionally, you can enable querying of the global Certified Safe Software List. This is a list dynamically updated by Trend Micro.
NOTE Application filtering based on the approved-applications list is available only when the security level is set to medium or high.


Important: Only clients that have enabled the Unauthorized Change Prevention Service, OfficeScan Firewall Service, and Certified Safe Software Services will be able to use the global firewall approved-applications list.

Exception Lists
The security level settings can be overridden by the exception list. To add exceptions to a policy, click Add under the Exception in the policy editor. Define exceptions by choosing to allow or block traffic based on the following criteria:
Application
Direction of traffic (incoming or outgoing)
Protocol (TCP, UDP, ICMP, TCP/UDP, or all)
Ports (allowed port range is between 1 and 65535)
Computers (identified by host name or IP address)

Figure 9.6: Edit Firewall Exception Page

In evaluating traffic, the OfficeScan firewall checks packet profiles against the exception list entries first (in a top-down flow) and then against the security level.
NOTE: If you are running Trend Micro Control Manager, you should add an exception that allows the ports for Vulnerability Assessment and Damage Cleanup Services (DCS) (ports 20901 and 137-139) to remain open.
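As an added illustration (not code from this textbook or from Trend Micro), the following Python model applies the evaluation order just described: exception entries top-down first, with the first match winning, then the security level from Table 9.3, plus the DHCP and client communication ports that stay open at every level and the medium-level ping allowance. The rule and packet fields, the placement of the always-open port check after the exception list, and the client port number 12345 are assumptions made for the example.

```python
"""Added model of OfficeScan firewall policy evaluation (illustration only)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 9.3: what each security level does to traffic no exception matched.
SECURITY_LEVELS = {
    "low":    {"incoming": "allow", "outgoing": "allow"},
    "medium": {"incoming": "block", "outgoing": "allow"},
    "high":   {"incoming": "block", "outgoing": "block"},
}

# Ports the text says stay open even at the high level. The client
# communication port number is not given on the page: 12345 is a constructed
# placeholder for the port configured on your own server.
DHCP_PORTS = frozenset({67, 68})
CLIENT_COMM_PORT = 12345


@dataclass(frozen=True)
class Packet:
    direction: str                      # "incoming" or "outgoing"
    protocol: str                       # "TCP", "UDP" or "ICMP"
    port: Optional[int]                 # None for ICMP
    host: str                           # remote host name or IP address
    application: Optional[str] = None   # local program (application filtering)
    icmp_type: Optional[str] = None     # e.g. "echo-request"


@dataclass(frozen=True)
class ExceptionRule:
    """One exception-list entry, using the criteria listed in the text."""
    action: str                         # "allow" or "block"
    direction: str = "any"              # "incoming", "outgoing" or "any"
    protocol: str = "any"               # "TCP", "UDP", "ICMP", "TCP/UDP" or "any"
    ports: frozenset = frozenset()      # empty: every port from 1 to 65535
    hosts: frozenset = frozenset()      # empty: every computer
    application: Optional[str] = None   # None: any application

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.protocol == "TCP/UDP":
            if pkt.protocol not in ("TCP", "UDP"):
                return False
        elif self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if self.ports and pkt.port not in self.ports:
            return False
        if self.hosts and pkt.host not in self.hosts:
            return False
        if self.application is not None and self.application != pkt.application:
            return False
        return True


@dataclass
class Policy:
    security_level: str                 # "low", "medium" or "high"
    exceptions: List[ExceptionRule]     # evaluated top-down, first match wins


def evaluate(policy: Policy, pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for one packet: exception entries first, then
    the always-open ports (assumed position), then the security level."""
    for index, rule in enumerate(policy.exceptions):
        if rule.matches(pkt):
            return rule.action, f"exception #{index + 1}"
    if pkt.protocol in ("TCP", "UDP") and pkt.port in DHCP_PORTS:
        return "allow", "DHCP port always open"
    if pkt.protocol in ("TCP", "UDP") and pkt.port == CLIENT_COMM_PORT:
        return "allow", "client communication port always open"
    # Medium level: ping echo requests pass both ways unless an exception
    # (already checked above) blocks incoming ICMP.
    if (policy.security_level == "medium" and pkt.protocol == "ICMP"
            and pkt.icmp_type == "echo-request"):
        return "allow", "medium level permits ping echo-request"
    action = SECURITY_LEVELS[policy.security_level][pkt.direction]
    return action, f"security level {policy.security_level}"


# Constructed policy from the text's own example: FTP (TCP port 21) is
# permitted for one application and prohibited for every other one.
FTP_POLICY = Policy("medium", [
    ExceptionRule("allow", "outgoing", "TCP", frozenset({21}),
                  application="ftp-client.exe"),
    ExceptionRule("block", "outgoing", "TCP", frozenset({21})),
])

if __name__ == "__main__":
    for pkt in (Packet("outgoing", "TCP", 21, "10.0.0.5", "ftp-client.exe"),
                Packet("outgoing", "TCP", 21, "10.0.0.5", "other.exe"),
                Packet("incoming", "TCP", 445, "10.0.0.9")):
        print(pkt.direction, pkt.protocol, pkt.port, "->", evaluate(FTP_POLICY, pkt))
```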


Exception List Templates


To simplify creating multiple policies that use the same exceptions, you can use the Exception Template function to define a list of reusable exceptions. This is the list that appears whenever you create a new policy. You can apply the template to existing policies, but you will then have to edit each policy to apply the proper exceptions. To open the Exception Template page, click Edit Exception Template on the toolbar of the Firewall Policies page.

Figure 9.7: Firewall Exception Template Editor

Clicking Add, or choosing an exception and clicking Edit, opens the Edit Exception page, shown above. Saving the settings on that page adds the exception to the list or updates the exception that you chose.

Default Policies
The policies below, which are detailed in the accompanying tables, are created when OfficeScan is installed.

All-Access Policy: You can use this policy if you want to provide all clients with unrestricted access to the network.
Policy Detail            Setting
Security Level           Low (all traffic allowed)
Enable Firewall          Enabled
IDS                      Disabled
Approved Applications    Disabled
Exceptions               None

Table 9.4: All-Access Policy Settings

NOTE: If you do not change the firewall policy, the OfficeScan firewall will use the All-Access Policy by default.

Cisco Trust Agent for Cisco NAC: You can use this policy on client machines that have the Cisco Trust Agent (CTA) installed.

Policy Detail            Setting
Security Level           Low (all traffic allowed)
Firewall Enabled         Enabled
IDS                      Disabled
Approved Applications    Disabled
Exceptions               Allow in/outbound UDP port 21862 traffic for all clients

Table 9.5: Cisco Trust Agent for Cisco NAC Policy Settings

Communication Ports for Trend Micro Control Manager: You can use this policy on client machines that have the Control Manager agent installed.

Policy Detail            Setting
Security Level           Low (all traffic allowed)
Firewall Enabled         Enabled
IDS                      Disabled
Approved Applications    Disabled
Exceptions               Allow in/outbound TCP/UDP port 80 traffic for all clients

Table 9.6: Communication Ports for Control Manager Policy Settings

ScanMail for Microsoft Exchange Console: You can use this policy on client machines that need to access the ScanMail web console.

Policy Detail            Setting
Security Level           Low (all traffic allowed)
Firewall Enabled         Enabled
IDS                      Disabled
Approved Applications    Disabled
Exceptions               Allow in/outbound TCP port 16372 traffic for all clients

Table 9.7: ScanMail Console Policy Settings

InterScan Messaging Security Suite Installation: You can use this policy on client machines that have the InterScan Messaging web console.

Policy Detail            Setting
Security Level           Low (all traffic allowed)
Firewall Enabled         Enabled
IDS                      Disabled
Approved Applications    Disabled
Exceptions               Allow in/outbound TCP/UDP port 80 traffic for all clients

Table 9.8: InterScan Messaging Console Policy Settings


9.3.2 Firewall Profiles


Profiles define the clients to which a particular policy will apply. You choose which clients use which policy by configuring profiles.

Default Profile Settings


The default profile settings OfficeScan uses are shown in the following table:

Profile Detail                Settings
Policy used                   All-access policy
Applied to client machines    Unspecified

Table 9.9: Default Profile Settings

Adding a Profile
To edit a profile or define a new one using the OfficeScan management console, click Networked Computers > Firewall > Policies in the navigation column.

Figure 9.8: Firewall Profiles List

Click Add to create a new profile, or choose an existing profile and click Edit to modify it.
Tip: Administrators with full management permissions can optionally enable the option to Overwrite client security level exception list. Selecting this option replaces any customized client profile settings with the server settings.


Figure 9.9: Firewall Profile Editor

You may define a profile based on the following:

IP address: This may be a single address, a range of addresses, or a subnet.
Domain: The policy is applied to all computers that belong to the specified OfficeScan domain. You must select domains from the client tree.
Machine name: The selected policy will be used on all computers with the specified names. You can select names from the client tree.
Platform: The selected policy will be run on Windows XP/Vista/7 or Server 2003/2008 operating systems.
User ID: The selected policy will be used on all computers where the specified user ID logs on.
Client status: The selected policy is applied to online or offline clients.

You may also limit the scope of user privileges by selecting whether to allow end users the ability to change (that is, override) the security level established or edit the exception list as defined by the associated policy.

Alternate Reference Server Configuration for Online/Offline Status


When the connection between an OfficeScan client and the server is lost, the client's status is offline and the firewall implements the more secure firewall configuration. Occasionally, however, due to increasingly complex network environments, computers that are still inside the local corporate network may lose connection with the OfficeScan server. To avoid improperly enforcing the offline firewall configuration, the OfficeScan firewall configuration allows you to configure a Reference Server List to help OfficeScan clients determine whether a computer is actually outside your network.


Figure 9.10: Firewall Alternate Reference Server List Page

The Reference Server List is used only when (a) it is enabled, and (b) the client cannot communicate with the OfficeScan server. If the OfficeScan client cannot contact either the OfficeScan server or one of the alternate servers, only then does the OfficeScan firewall implement its offline policy.
To manage the alternate server list:
1. On the toolbar of the Networked Computers > Firewall > Profiles page, click Edit Reference Server List.
2. Select the Enable the Alternate Server list option, or verify that it is selected.
3. To add a computer to the list, click Add.

Figure 9.11: Adding/Editing an Alternate Server Configuration

4. Enter the IP address, NetBIOS name, or fully qualified domain name (FQDN) of the alternate server.
5. Type the port through which clients communicate with this computer.
6. Click Save.
To edit an alternate server on the list, click the computer name. Modify the computer name or port; then click Save.
To remove an alternate server from the list, select the checkbox next to the computer name; then click Delete.
To update clients with the list of reference servers, click Assign to Clients.

NOTE: You may enter up to 32 reference servers.


9.3.3 Firewall Outbreak Monitor


The Firewall outbreak monitor provides an alert system for the OfficeScan firewall. It tracks the firewall, IDS, and network-virus scanning logs. If excessive numbers of events are detected within a specified timeframe, it could mean the client is under attack or has a virus.

Figure 9.12: Firewall Outbreak Monitoring

You can set separate criteria for the number of IDS logs, OfficeScan firewall logs, and Network Virus Scanning logs. Each individual log represents a violation of policy. Choose a time in hours and a number of logs for each component that you want to be considered an outbreak.

Figure 9.13: Outbreak Notification Configuration for Firewall Violations

You can configure the criteria that determine an outbreak. You also configure who will receive notifications and how.
NOTE: In actual messages, the variable %A is replaced by the alert's name from the logs; %T is replaced by the number of hours, and %C is replaced by the number of logs. See Appendix A: Notification Tokens for a list of tokens that can be used in notification messages.


9.4 > Firewall Logs


The OfficeScan firewall generates three types of records: firewall policy violations, IDS violations, and detected network viruses. These records are combined daily into a single log file on the client: {Installationpath}\PFW\PfwLog_[logdate].dat. The client summarizes its logs and sends them to the server hourly. If all the fields in separate log entries (except for the date/time field) are the same, the client merges the entries into a single entry with a counter. This allows the server to display current OfficeScan firewall information on the Summary and Client Management pages of the management console. If you use Trend Micro Control Manager, the OfficeScan server also forwards firewall logs to Control Manager.

For more information about OfficeScan firewall logs, see Chapter 11: Logs on page 329.

NOTE: If the log count exceeds 50,000, OfficeScan will no longer write additional log content or count logs.
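To make the log merging rule of this section and the outbreak thresholds of section 9.3.3 concrete, here is an added Python example (not the textbook's or Trend Micro's code) that merges constructed sample log entries the way the client does, counts each record type within the configured number of hours, and fills the %A, %T and %C notification tokens. The record layout and the three type labels are assumptions, since the page does not show the format of PfwLog_[logdate].dat.

```python
"""Added example: merging OfficeScan firewall log records and checking the
outbreak monitor thresholds (illustration only)."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# One record: date/time followed by the fields compared when merging. This
# layout is an assumption for the example; the page names the three record
# types held in PfwLog_[logdate].dat but not its on-disk format.
LogEntry = Tuple[str, str, str, str, str, str]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of one client's daily log (not real OfficeScan output):
# (time, record type, detail, protocol, remote host, direction)
SAMPLE_LOG: List[LogEntry] = [
    ("2011-08-01 09:00:12", "IDS", "Syn Flood", "TCP", "10.1.1.7", "incoming"),
    ("2011-08-01 09:00:13", "IDS", "Syn Flood", "TCP", "10.1.1.7", "incoming"),
    ("2011-08-01 09:00:14", "IDS", "Syn Flood", "TCP", "10.1.1.7", "incoming"),
    ("2011-08-01 09:02:40", "IDS", "LAND Attack", "TCP", "10.1.1.9", "incoming"),
    ("2011-08-01 09:05:01", "Firewall", "Blocked TCP port 445", "TCP", "10.1.1.7", "incoming"),
    ("2011-08-01 09:05:02", "Firewall", "Blocked TCP port 445", "TCP", "10.1.1.7", "incoming"),
    ("2011-08-01 07:30:00", "NetworkVirus", "SAMPLE_NETWORK_VIRUS", "TCP", "10.1.1.12", "incoming"),
]


def summarize(entries: List[LogEntry]) -> Dict[tuple, int]:
    """Apply the client's merge rule: entries whose fields are identical
    except for date/time collapse into one entry carrying a counter."""
    return dict(Counter(entry[1:] for entry in entries))


def count_in_window(entries: List[LogEntry], record_type: str,
                    now: str, hours: int) -> int:
    """Number of records of one type in the `hours` hours ending at `now`
    (a timestamp string in TIME_FORMAT)."""
    end = datetime.strptime(now, TIME_FORMAT)
    start = end - timedelta(hours=hours)
    return sum(
        1 for entry in entries
        if entry[1] == record_type
        and start <= datetime.strptime(entry[0], TIME_FORMAT) <= end
    )


def check_outbreak(entries: List[LogEntry],
                   thresholds: Dict[str, Tuple[int, int]],
                   now: str) -> List[Tuple[str, int, int]]:
    """thresholds maps record type -> (hours, number of logs), the two values
    chosen per component in the outbreak monitor. Returns (record type,
    hours, count) for every component whose count reached its number."""
    alerts = []
    for record_type, (hours, logs) in thresholds.items():
        count = count_in_window(entries, record_type, now, hours)
        if count >= logs:
            alerts.append((record_type, hours, count))
    return alerts


def render_notification(template: str, alert_name: str,
                        hours: int, count: int) -> str:
    """Fill the tokens the text lists: %A alert name, %T hours, %C logs."""
    return (template.replace("%A", alert_name)
                    .replace("%T", str(hours))
                    .replace("%C", str(count)))


# Constructed thresholds: an outbreak means 3 IDS logs, 5 firewall logs or
# 1 network virus log within one hour.
THRESHOLDS = {"IDS": (1, 3), "Firewall": (1, 5), "NetworkVirus": (1, 1)}

if __name__ == "__main__":
    for fields, count in summarize(SAMPLE_LOG).items():
        print(count, "x", fields)
    for name, hours, count in check_outbreak(SAMPLE_LOG, THRESHOLDS, "2011-08-01 09:10:00"):
        print(render_notification("%A outbreak: %C logs in %T hour(s)", name, hours, count))
```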

Lab Exercise 11: Configure OfficeScan Firewall


9.5 > Chapter Summary and Review Questions


Summary
The OfficeScan firewall helps protect OfficeScan client machines from attacks by creating a barrier between the client machine and the network. The OfficeScan firewall does more than just provide a firewall; it also offers intrusion detection and Network Virus Scanning to protect your client. The OfficeScan firewall policy determines which kinds of traffic the firewall blocks. Profiles define the clients to which a particular policy will apply.

Review Questions
1. Which two modules combine to create the OfficeScan firewall?
   a) Policy and procedure modules
   b) Personal firewall and common firewall modules
   c) Security and exception modules
   d) Incoming and outgoing traffic modules
2. Which of the following CANNOT be configured?
   a) Alert message
   b) Firewall policies
   c) Network virus scan
   d) Firewall profiles
3. Which of the following correctly associates the data flow type with its correct sequence of checks?
   a) Incoming: firewall policies, IDS, Network Virus Scanning
   b) Incoming: IDS, Network Virus Scanning, firewall policies
   c) Outgoing: firewall policies, IDS, Network Virus Scanning
   d) Outgoing: Network Virus Scanning, IDS, firewall policies
4. Which of the following is a profile NOT based on?
   a) Security level
   b) IP address
   c) Platform
   d) User ID


5. Which of the following is NOT a way to configure changes in the OfficeScan firewall?
   a) From the OfficeScan Management Console
   b) From the Outbreak Prevention Policy module in TMCM
   c) From the Client Console
   d) From the Rule Set Generator
6. Which of the following security levels is correctly associated with incoming and outgoing traffic?
   a) Low security: incoming blocked; outgoing blocked
   b) Medium security: incoming allowed, outgoing blocked
   c) Medium security: incoming blocked, outgoing allowed
   d) High: incoming allowed; outgoing allowed


Chapter 10: OfficeScan Tools


Chapter Objectives
After completing this chapter, you should be able to:
Use the Vulnerability Scanner to detect unprotected computers on the network and to install the OfficeScan client
Use the Server Tuner to optimize the performance of the OfficeScan server
Use the Restore Encrypted Virus tool to view infected files that OfficeScan has detected and encrypted to prevent them from spreading
Use the Client Mover I tool to transfer clients from one server to another
Use the Touch Tool to synchronize the time stamps of a destination and a source file
Use the ServerProtect Normal Server Migration Tool to migrate computers running ServerProtect Normal Server to the OfficeScan client
Use the Scheduled Update Configuration tool to schedule updates on update agents created from Client Packager packages


10.1 > Overview of OfficeScan Tools


OfficeScan includes various administrative tools for managing server configuration and client management. These tools are classified into two categories:
Administrative tools help configure the OfficeScan server and manage clients
Client tools help enhance the performance of the OfficeScan client

NOTE Some tools available in previous versions of OfficeScan are no longer distributed. If you require these tools, contact technical support.

The table below lists the tools available in OfficeScan 10.


Administrative Tools
Login Script Setup: Automates the installation of the OfficeScan client software
Vulnerability Scanner (TMVS.exe): Searches for unprotected computers on your network
Server Tuner (SvrTune.exe): Optimizes the performance of OfficeScan servers
Gateway Settings Importer (GSImporter.exe): Imports gateway information into the Computer Location page

Client Tools
Client Packager (ClnPack.exe): Creates a self-extracting file containing the OfficeScan client software and components
Image Setup Utility (imgsetup.exe): Helps you use hard drive imaging technology to deploy the client
Restore Encrypted Virus (VSEncode.exe): Opens infected files that the OfficeScan client has encrypted
Client Mover (IpXfer.exe): Moves client membership from one server to another
Touch Tool (TmTouch.exe): Changes the time stamp on a hot fix to automatically redeploy it
ServerProtect Normal Server Migration (SPNSXfr.exe): Detects installed ServerProtect Normal Servers and migrates them to the OfficeScan client
Trend Micro Performance Tuning Tool: Prevents performance issues with OfficeScan features by identifying system-intensive applications for inclusion in the Behavior Monitoring Exception list

Table 10.1: OfficeScan Tools

NOTE: You cannot run these tools from the management console. For instructions on how to run the tools, see the sections below.

To view a descriptive list of these tools in the management console, click Tools > Administrative Tools or Tools > Client Tools in the navigation column of the management console.


The links on these pages open help files that explain how to use the tools. The tools themselves are located in the %ProgramFiles%\TrendMicro\OfficeScan\PCCSRV\Admin\Utility folder on the OfficeScan server. You cannot launch these tools directly using the management console.

Figure 10.1: OfficeScan Administrative and Client Tool Pages

This chapter describes how to use:
Vulnerability Scanner
Server Tuner tool
Restore Encrypted Virus tool
Client Mover I tool
Touch Tool
ServerProtect Normal Server Migration tool
The other tools listed (namely the Login Script Setup, the Client Packager, and the Image Setup tools) are described in Chapter 6: Client Software Deployment on page 219. This chapter will also describe the Scheduled Update Configuration tool, which the pages shown above do not list and which is used for update-agent deployments prepared using the Client Packager.


10.2 > Vulnerability Scanner


Although you may require users to run antivirus software on their computers, you may not be able to actually enforce this rule without some help. The Vulnerability Scanner can check the computers on your network and help you ensure that they are protected by antivirus software. The Vulnerability Scanner can:
Determine if an antivirus solution is installed on a computer
Search for unprotected computers on your network
Install the OfficeScan client on unprotected computers
NOTE This functionality is complemented by the Security Compliance functionality in the management console, which can identify unprotected computers through Active Directory.

To determine if a computer is protected with antivirus software, Vulnerability Scanner connects to ports that are normally used by antivirus solutions. Vulnerability Scanner can perform these functions:
Listen for DHCP requests and scan computers as they come onto the network
Ping computers on your network to check their status and retrieve their computer names, platform versions, and descriptions
Determine the antivirus solutions installed on the network. It can detect the following:
    Trend Micro OfficeScan, ServerProtect for Windows NT or Linux, ScanMail for Microsoft Exchange, InterScan products, PortalProtect, PC-cillin, and HouseCall Pro real-time scanner
    Third-party antivirus solutions such as Norton AntiVirus Corporate Edition 7.5 and 7.6 and McAfee VirusScan ePolicy Orchestrator
Display the server name and the version of the pattern file, scan engine, and program for OfficeScan and ServerProtect for Windows NT
Send scan results using email
Scan multiple client ports simultaneously
Install the OfficeScan client remotely on computers running Windows XP/Vista/7/2003/2008
    It cannot install the OfficeScan client remotely on computers running Windows XP Home, Windows Vista/7 Home Basic, and Windows Vista/7 Home Premium, or on computers with other antivirus products installed.
    Vulnerability Scanner does not install OfficeScan clients on a computer already running OfficeScan server.

10.2.1 Launching the Vulnerability Scanner


To run Vulnerability Scanner on a computer other than the server, copy the TMVS folder from the {installpath}\PCCSRV\Admin\Utility folder of the server to the computer.


NOTE: You can use Vulnerability Scanner on machines running Windows NT software, but not if Terminal Server is running.

Figure 10.2: Vulnerability Scanner

10.2.2 Configuring the Settings for Vulnerability Scanner
To configure what you want the Vulnerability Scanner to search for, click Settings. The Settings page appears.

Figure 10.3: Vulnerability Scanner Settings

Product Query Section


The Product Query section of the Settings page enables you to select the products that you want the Vulnerability Scanner to check for on your network. To prevent false alarms, Trend Micro recommends selecting all checkboxes. For example, if ServerProtect is installed on a server but you did not select the ServerProtect (NT/Linux) checkbox, the Vulnerability Scanner will report that the server is unprotected. The Vulnerability Scanner can detect antivirus products either through the ports or by pinging computers, if you enable ping. However, the Vulnerability Scanner cannot detect PC-cillin unless you first disable ping, because the integrated firewall will block the ping attempt. If you want the Vulnerability Scanner to detect PC-cillin as well as other antivirus products, you must disable ping and verify that the port settings are correct for your other antivirus products. The Vulnerability Scanner always checks for PC-cillin in the UDP traffic on port 40116. ServerProtect and the McAfee VirusScan ePolicy Orchestrator also use hard-coded port numbers. To change the port numbers of the other products, either type the port number in the field or, for Norton AntiVirus Corporate Edition and Trend Micro InterScan products, click the Settings button next to that product name. The Settings button brings up a dialog box that enables you to verify the port number that Vulnerability Scanner will check for each product. To enter multiple port numbers, separate the port numbers with a comma.

Figure 10.4: The InterScan Settings Dialog Box

The Description Retrieval Settings Section


The Description Retrieval Settings section enables you to select the retrieval method that you want to use for obtaining computer descriptions. Normal retrieval is more accurate, but it takes longer to complete than Quick retrieval. Normal retrieval gathers more information, including the computer description (if you select Retrieve computer descriptions when available). (For more information, see the Starting a Scan section that follows.)

The Alert Settings Section


The Alert Settings section gives you the option of sending email alerts or displaying an alert message on unprotected computers. If you select Email results to the system administrator, you can click the Configure button to specify the email settings for yourself or other administrators in your organization. The Email Alert dialog box appears.

Figure 10.5: Email Alert Dialog Box

NOTE: You must have an SMTP mail server for the Vulnerability Scanner to send email alerts.


If you select Display alert on unprotected computers, you can click the Customize button to define an alert message for unprotected computers.

Figure 10.6: Alert Message Dialog Box

Save as CSV File Section


To save the results of the scan as a comma-separated value (CSV) data file, select the Automatically save the results to a CSV file checkbox. By default, CSV data files are saved to the TMVS folder. If you want to change this setting, click Browse and specify a target folder on your computer or on the network.

Ping Settings Section


To specify how Vulnerability Scanner will send packets to the computers and wait for replies, configure the Ping Settings section. Accept the default settings or type new values in the Packet size and Timeout fields. On a TCP/IP-based WAN, communication over some routes may fail if an intermediate network segment has a maximum packet size that is smaller than the maximum packet size of the communicating hosts and if the router does not send an appropriate ICMP response to this condition. Such a router is sometimes known as a black hole router. You can locate a black hole router by using the Ping utility, which is a standard utility that is installed with the Windows TCP/IP protocol. If you are using firewalls, they could cause trouble with your timeout setting. You want the timeout setting to be as low as possible to decrease the time your scan will take; however, if your timeout setting is too fast, the firewall may not let the packet through before it times out.

Installation Settings


To remotely install the OfficeScan client and send a log to the server, type the OfficeScan server name and port number in the OfficeScan server setting text box. If you want to automatically install OfficeScan client, select the Auto-install OfficeScan Client for unprotected computer checkbox. If you want to configure the OfficeScan client, click Install Account. The Account Information page appears (see the figure below). Enter a user name and a password for a user account that has the privileges required to install the OfficeScan client. Click OK. This account enables you to install the OfficeScan client on the target computer no matter what privileges the user who logs in to the computer has.


Figure 10.7: Account Information Dialog Box

If you want to send a log to the OfficeScan server, select the Report log to OfficeScan server checkbox.

10.2.3 Starting a Scan


In the main Vulnerability Scanner window, you can configure the range of IP addresses that you want to check for unprotected computers and antivirus software. Click Start to begin checking the computers on your network. The scan results are displayed in the Results table. If you selected Normal, the Results table will contain this information:

- IP address
- MAC address
- Product name (antivirus product)
- OfficeScan server name
- Pattern file version
- OPP activated
- Remote Install result
- Computer name
- Ping result
- Platform
- Version of the antivirus program
- Scan engine version
- Computer description

You can export the scan results to a .csv file by clicking the Export button.

10.2.4 Running a DHCP Scan


You can run a DHCP scan to detect computers that are accessing the network and to ensure that they are running antivirus software. A DHCP scan listens on the DHCP ports, particularly port 67, which is the DHCP request port for computers requesting an IP address from a DHCP server. When a computer requests an IP address, the DHCP scan retrieves the computer's MAC address and then performs a scan to determine if the computer has antivirus software installed. To run a DHCP scan, select the DHCP tab under the Results of the main Vulnerability Scanner window. Then, click the Start DHCP Scan button. The DHCP scan will run until you stop it.

10.2.5 Scheduling Scans


Vulnerability Scanner also allows you to schedule scans to run automatically. To create scheduled tasks, click the Add/Edit button in the Scheduled Tasks section of the main Vulnerability Scanner window. The Scheduled Task dialog box appears.


Figure 10.8: Scheduled Task Dialog Box

The configuration settings in this dialog are mostly self-explanatory. Under Task Name, enter a name for the task you are creating. Under IP Address Range, enter the IP address range that you want to check for installed antivirus solutions and unprotected computers. Under Task Schedule, define a start time, using the 24-hour format. Then select a frequency for the task you are creating: Daily, Weekly, or Monthly. Under Settings, select Use current settings to use your existing settings, or select Modify settings if you want to change the configuration. If you select Modify settings, click the Settings button to change the configuration. The Settings window appears. After you modify the settings, click OK to return to the Scheduled Task dialog box. The task appears under Scheduled Tasks in the main Vulnerability Scanner window.

10.2.6 Modifying the TMVS.ini File


You can configure five other settings by modifying the TMVS.ini file, which is located in the {installationpath}\PCCSRV\Admin\Utility\TMVS folder.

Debug               Enable or disable the debug log
EchoNum             Set the number of computers that Vulnerability Scanner will simultaneously ping
ThreadNumManual     Set the number of computers that Vulnerability Scanner will simultaneously check for antivirus software
ThreadNumSchedule   Set the number of computers that Vulnerability Scanner will simultaneously check for antivirus software when running scheduled tasks
ThreadNumSilent     Set the number of computers that Vulnerability Scanner will simultaneously check for antivirus software when running the tool at the command prompt

To modify these settings, complete these steps:

1. Use a text editor to open the TMVS.ini file.
2. To enable the debug log, change the value from Debug=0 to Debug=1.
3. To set the number of computers that the Vulnerability Scanner simultaneously pings, change the value for EchoNum. Specify a value between 1 and 64. For example, EchoNum=64 allows the Vulnerability Scanner to ping 64 computers at the same time.
4. To set the number of computers that the Vulnerability Scanner simultaneously checks for antivirus software, change the value for ThreadNumManual. Specify a value between 8 and 64. For example, ThreadNumManual=50 allows the Vulnerability Scanner to check 50 computers at the same time.
5. To set the number of computers that the Vulnerability Scanner simultaneously checks for antivirus software when running scheduled tasks, change the value for ThreadNumSchedule. Specify a value between 8 and 64. For example, type ThreadNumSchedule=58 if you want the Vulnerability Scanner to simultaneously check 58 computers whenever it runs a scheduled task.
6. To set the number of computers that the Vulnerability Scanner simultaneously checks for antivirus software when running the tool at the command prompt, change the value for ThreadNumSilent. Specify a value between 8 and 64. For example, type ThreadNumSilent=60 if you want the Vulnerability Scanner to check 60 computers at the same time when run from the command prompt.
7. Save and close the TMVS.ini file.
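The range limits in the steps above are easy to get wrong by hand, and the tool itself does not validate them. The following Python script is an added example, not Trend Micro code, that reads a TMVS.ini, checks the five settings against the limits the steps give (Debug 0 or 1, EchoNum 1 to 64, the three ThreadNum settings 8 to 64), and writes changed values back in the same Key=Value form. It assumes the settings sit under a [TMVS] section header (an assumption; adjust SECTION to match your file) and uses a constructed sample file built from the example values in the steps.

```python
"""Check and update the five TMVS.ini settings from the procedure above.

Added example: not Trend Micro code. Assumes the settings sit under a
[TMVS] section header (adjust SECTION if your file differs).
"""
import configparser
import io

SECTION = "TMVS"   # assumed section name

# Permitted ranges, taken from the steps above.
LIMITS = {
    "Debug": (0, 1),
    "EchoNum": (1, 64),
    "ThreadNumManual": (8, 64),
    "ThreadNumSchedule": (8, 64),
    "ThreadNumSilent": (8, 64),
}

# Constructed sample file using the example values given in the steps.
SAMPLE_INI = """[TMVS]
Debug=0
EchoNum=64
ThreadNumManual=50
ThreadNumSchedule=58
ThreadNumSilent=60
"""


def _parser(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case: EchoNum, not echonum
    cp.read_string(text)
    return cp


def load_settings(text):
    """Return the [TMVS] settings as a dict of strings ({} if the section is absent)."""
    cp = _parser(text)
    return dict(cp.items(SECTION)) if cp.has_section(SECTION) else {}


def validate_settings(values):
    """Return {setting: problem} for every missing, non-numeric or out-of-range value."""
    problems = {}
    for key, (lo, hi) in LIMITS.items():
        raw = values.get(key)
        if raw is None:
            problems[key] = "missing"
            continue
        try:
            n = int(raw)
        except ValueError:
            problems[key] = f"not an integer: {raw!r}"
            continue
        if not lo <= n <= hi:
            problems[key] = f"{n} is outside {lo}..{hi}"
    return problems


def update_settings(text, changes):
    """Return the INI text with `changes` applied; raise ValueError if the result breaks a limit."""
    merged = load_settings(text)
    merged.update({k: str(v) for k, v in changes.items()})
    problems = validate_settings(merged)
    if problems:
        raise ValueError(problems)
    cp = _parser(text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    for key, value in changes.items():
        cp.set(SECTION, key, str(value))
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)   # keep the Key=Value form
    return out.getvalue()


if __name__ == "__main__":
    print("problems in sample:", validate_settings(load_settings(SAMPLE_INI)))
    print(update_settings(SAMPLE_INI, {"Debug": 1, "EchoNum": 32}))
```

Run validate_settings on the file before saving a hand edit; an out-of-range thread count is reported by name rather than being silently accepted and then ignored or misapplied by the scanner.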

10.2.7 Running the Vulnerability Scanner in Silent Mode


You can run the Vulnerability Scanner in silent mode, without the target computer being aware that it is running. To run the Vulnerability Scanner in this mode, you use the command line prompt to create a file that defines the IP range of clients you want to scan. You can also specify the file name to which you want to save the results. Complete the following steps at the command line prompt:

1. Use Notepad or any text editor to create a new text file.
2. Type the IP addresses of the computers that you want to check. You can type individual IP addresses or an IP address range.
3. When specifying a range of IP addresses, you can use the asterisk (*) and question mark (?) as wildcards, as shown below:
   Type 10.1.116.1? for IP addresses 10.1.116.10 to 10.1.116.19
   Type 10.1.112.* for IP addresses 10.1.112.1 to 10.1.112.255
   Type 10.1.* for IP addresses 10.1.1.1 to 10.1.255.255
   If you type an incorrect IP address range, the Vulnerability Scanner will not display an error message. However, if the debug log is enabled, OfficeScan will record the error in the debug log (TMVS debug). (For more information about enabling the debug log, see Chapter 12: Troubleshooting on page 341.)
4. Save the file with a .txt extension in the {installationpath}\PCCSRV\Admin\Utility\TMVS folder. For example, you can save the text file as IPadd.txt.
5. Open a command prompt and then go to the TMVS folder.
6. Type the following command:

TMVS.exe text_file_name Results.csv <Enter>

The Vulnerability Scanner checks computers with the IP addresses you specified. The results are saved in the Results.csv file, which is created in the TMVS folder.
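Because an incorrectly written IP range produces no error message, it pays to check the text file before handing it to TMVS.exe. The following Python script is an added example, not part of the textbook or of the Vulnerability Scanner, that expands the wildcard notation exactly as the three examples above describe it ('?' stands for one digit, '*' for the values 1 to 255 of that octet, and a trailing '*' for all remaining octets) and reports any line that does not fit that notation. The handling of patterns the textbook does not show (a '*' in a middle octet, or a '?' whose expansion exceeds 255) is this script's own assumption, not documented tool behaviour; the sample input file is constructed from the three patterns above.

```python
"""Expand and validate the wildcard IP list used for a silent Vulnerability Scanner run.

Added example: not Trend Micro code. Wildcard semantics follow the three
textbook examples; handling of other patterns is this script's assumption.
"""
import itertools
import re

# Constructed sample input: the three patterns shown in the procedure.
SAMPLE_IP_FILE = """10.1.116.1?
10.1.112.*
10.1.*
"""


def _octet_values(part):
    """Return the sorted list of octet values that one dotted field covers."""
    if part == "*":
        # The textbook's examples show '*' running from 1 to 255 (never .0).
        return list(range(1, 256))
    if "?" in part:
        if not re.fullmatch(r"[0-9?]{1,3}", part):
            raise ValueError(f"bad wildcard field {part!r}")
        values = set()
        for digits in itertools.product("0123456789", repeat=part.count("?")):
            fill = iter(digits)
            n = int("".join(next(fill) if c == "?" else c for c in part))
            if n <= 255:           # assumption: drop expansions above 255
                values.add(n)
        return sorted(values)
    if part.isdigit() and len(part) <= 3 and int(part) <= 255:
        return [int(part)]
    raise ValueError(f"bad octet {part!r}")


def parse_entry(entry):
    """Return four per-octet value lists for one line of the IP file."""
    parts = entry.strip().split(".")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"{entry!r}: expected 2 to 4 dotted fields")
    if len(parts) < 4:
        if parts[-1] != "*":
            raise ValueError(f"{entry!r}: only a trailing '*' may stand for the remaining octets")
        parts = parts[:-1] + ["*"] * (5 - len(parts))   # trailing '*' fills the rest
    return [_octet_values(p) for p in parts]


def summarize(entry):
    """Return (first address, last address, number of addresses) for one pattern."""
    octets = parse_entry(entry)
    first = ".".join(str(v[0]) for v in octets)
    last = ".".join(str(v[-1]) for v in octets)
    count = 1
    for v in octets:
        count *= len(v)
    return first, last, count


def expand(entry):
    """Yield every address a pattern covers (use summarize() first for large ranges)."""
    for combo in itertools.product(*parse_entry(entry)):
        yield ".".join(map(str, combo))


def validate_ip_file(text):
    """Return [(line_no, line, message)] for each non-blank line the tool would misread."""
    errors = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            parse_entry(line)
        except ValueError as exc:
            errors.append((no, line, str(exc)))
    return errors


if __name__ == "__main__":
    for line in SAMPLE_IP_FILE.split():
        print(line, "->", summarize(line))
    print("errors:", validate_ip_file(SAMPLE_IP_FILE))
```

summarize() is the useful check before a scheduled or silent run: it shows how many hosts a pattern such as 10.1.* really covers (65025) without enumerating them, which is what determines scan duration against the EchoNum and ThreadNumSilent settings.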

10.3 > Server Tuner Tool


You can use the Server Tuner tool to optimize the performance of the OfficeScan server. This tool provides an interface for modifying performance parameters in the ofcscan.ini file. Using the Server Tuner tool, you can configure the timeout settings and retry settings for downloads, you can increase the size of buffers, and you can limit the number of connections that are allowed during specific times of the day. To launch the Server Tuner tool, open Windows Explorer on the OfficeScan server and go to the {installation path}\PCCSRV\Admin\Utility\SvrTune folder. Double-click SvrTune.exe. The Server Tuner console opens (see the figure below).

Figure 10.9: Server Tuner Console

Under Download, you can modify the following settings based on your network traffic:

Timeout for clients        Specifies the length of time the OfficeScan server will wait for the client to acknowledge that the update was successful
Timeout for update agent   Specifies the length of time the OfficeScan server will wait for the update agent to acknowledge that the update was successful
Retry Count                Specifies how many times the server will try to update a client
Retry Interval             Specifies the number of minutes that the OfficeScan server will wait before checking the update queue

Under Buffer, you can modify the following settings based on your network traffic:

Event Buffer   Used in reporting client status
Log Buffer     Used in reporting detected viruses


If a large number of clients are reporting to the OfficeScan server, you may want to increase the size of the buffers. However, before you increase buffer settings, you should ensure that the OfficeScan server has enough memory to handle the new settings.

Under Network Traffic, you specify the number of clients that the server will notify about updates at the same time. However, before any of these clients are notified, the update agents receive their updates. Set the Timeout for update agent setting with enough time for all your update agents to receive their updates before clients are notified. The default setting is 10 minutes. You may need to increase that setting if your network is very large.

Define normal, off-peak, and peak hours (see the figure above). For example, peak hours for your company may be between 10 a.m. and 2 p.m. There are two separate Maximum Connections settings for normal, off-peak, and peak hours: one for clients that receive their updates from Other Update Source (OUS) and one for clients that receive their updates from the server. OUS include update agents, the Trend Micro ActiveUpdate Server, and internal update web pages. Configure the maximum number of OUS and server connections for each of the three time periods.

The server notifies clients that updates are available. The clients then attempt to update from their designated update source, whether that is the server or an OUS. OUS clients and server clients will try to update from their various update sources simultaneously. The number of clients in your network and your network resources will determine the best Timeout for client setting. The Timeout for client, Retry count, and Retry interval settings would work together with the Maximum Connections settings as follows (if the defaults shown in Figure 10.9 are used as an example):

- The server will wait up to 30 minutes for all the clients it notified in a group to complete their updates.
- After the 30 minute timeout, if even one client has not reported back successfully, the server will then retry with that client, before notifying the next group of clients.
- The server will wait 15 minutes before attempting to update the client again. If the client still has a problem, the server will retry up to 5 times, in 15-minute intervals, to update the client before notifying the next group of clients.

Under the default settings then, if a single client has difficulty updating, it could delay the notification of the next group of clients for as long as an hour and a half. In large networks, you may want to experiment with smaller Maximum Connections settings, shorter timeouts, and fewer retries to find the settings that update your clients as securely and rapidly as possible.

10.4 > Gateway Settings Importer Tool


OfficeScan checks a computer's location to determine the Web reputation policy to use and the Smart Scan Server to connect to. One of the ways OfficeScan identifies the location is by checking the computer's gateway IP address and MAC address. You can configure the gateway settings either directly on the Computer Location page, or you can use the Gateway Settings Importer tool to import a list of gateway settings to the Computer Location page.


To use Gateway Settings Importer:

1. Prepare a file containing the list of gateway settings. On each line, type an IP address and optionally type a MAC address. Separate IP addresses and MAC addresses by a comma. The maximum number of entries is 4096. For example:

10.1.111.222,00:17:31:06:e6:e7
10.1.111.223
10.1.111.224,00:17:31:06:e6:e7

2. On the server computer, go to {installpath}\PCCSRV\Admin\Utility\GatewaySettingsImporter and launch GSImporter.exe.

Figure 10.10: Using the Gateway Settings Importer Tool

NOTE: You cannot run the Gateway Settings Importer tool from Terminal Services.

3. On the Gateway Settings Importer page, browse to the file created in Step 1 and click Import.
4. Click OK. The gateway settings display on the Computer Location page and the OfficeScan server deploys the settings to clients.
5. To delete all entries, click Clear All. If you only need to delete a particular entry, remove it from the Computer Location page.
6. To export the settings to a file, click Export All and then specify the file name and type.
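The importer takes at most 4096 lines of the form IP[,MAC], and a malformed line is easier to catch before the import than on the Computer Location page afterwards, where a wrong gateway entry changes which Web reputation policy and Smart Scan Server a client ends up with. The following Python script is an added example, not Trend Micro's code, that validates a gateway settings file against the format described in Step 1: one IPv4 address per line, an optional MAC address after a comma, and no more than 4096 entries. The MAC format (six colon-separated hex pairs, as in the sample lines above) and the rejection of other separators are this script's assumptions; the sample input is constructed from the three lines shown in Step 1.

```python
"""Validate a Gateway Settings Importer input file before importing it.

Added example: not Trend Micro code. Format per Step 1 above: one IPv4
address per line, optionally ",MAC"; at most 4096 entries. The MAC form
(six colon-separated hex pairs) is assumed from the sample lines.
"""
import ipaddress
import re

MAX_ENTRIES = 4096   # limit stated in Step 1
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")   # assumption: colon form only

# Constructed sample file: the three lines shown in Step 1.
SAMPLE_GATEWAY_FILE = """10.1.111.222,00:17:31:06:e6:e7
10.1.111.223
10.1.111.224,00:17:31:06:e6:e7
"""


def parse_gateway_line(line):
    """Return (ip, mac_or_None) for one line; raise ValueError if it is malformed."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) > 2:
        raise ValueError("more than one comma on the line")
    try:
        ip = str(ipaddress.IPv4Address(fields[0]))
    except ipaddress.AddressValueError:
        raise ValueError(f"invalid IPv4 address {fields[0]!r}") from None
    mac = None
    if len(fields) == 2 and fields[1]:
        mac = fields[1].lower()            # normalise case before the format check
        if not MAC_RE.match(mac):
            raise ValueError(f"invalid MAC address {fields[1]!r}")
    return ip, mac


def validate_gateway_file(text):
    """Return (entries, errors): entries are (ip, mac) tuples, errors are (line_no, line, message)."""
    entries, errors = [], []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                        # blank lines are ignored
        try:
            entries.append(parse_gateway_line(line))
        except ValueError as exc:
            errors.append((no, line, str(exc)))
    if len(entries) > MAX_ENTRIES:
        # line_no 0 marks a whole-file problem rather than a single line
        errors.append((0, "", f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}"))
    return entries, errors


if __name__ == "__main__":
    good, problems = validate_gateway_file(SAMPLE_GATEWAY_FILE)
    print(len(good), "entries,", len(problems), "problems")
    for problem in problems:
        print("line %d: %s (%s)" % problem)
```

Only a file that comes back with an empty error list should be handed to GSImporter.exe; the returned entries (already normalised to canonical IP text and lower-case MAC) are also a convenient record of what was imported and when.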

10.5 > Restore Encrypted Virus Tool


When the OfficeScan client detects an infected file, it encrypts the file to prevent users from opening it and spreading the virus to other files on the computer. The OfficeScan client then stores the infected file in the \Suspect folder on the client. By default, this folder has the following path: %ProgramFiles%\Trend Micro\OfficeScan Client\Suspect. Eventually, the client forwards the infected file to the %ProgramFiles%\Trend Micro\OfficeScan\PCCSRV\virus folder on the OfficeScan server.


Although encrypting infected files is a good safety precaution, sometimes you may need to open an infected file. For example, if a virus infects an important document, you may need to retrieve information from the document. You can use the Restore Encrypted Virus tool to decrypt an infected file so that you can open it.

WARNING! Decrypting an infected file can spread the virus to other files. Trend Micro recommends that you isolate the computer on which the infected file resides. Unplug the computer from the network and back up important files on that computer to another location.

To decrypt files in the Suspect folder, open Windows Explorer on the client where you want to decrypt an infected file. Browse to the %ProgramFiles%\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\VSEncrypt folder on the OfficeScan server. Copy the entire VSEncrypt folder to the client computer.

NOTE: Do not copy /VSEncrypt into the OfficeScan folder. The Vsapi32.dll file of Restore Encrypted Virus will conflict with the original Vsapi32.dll.

Open a command prompt and go to the location where you copied the VSEncrypt folder. Run Restore Encrypted Virus using the following parameters:

no parameter   Encrypt files in the Suspect folder
-d             Decrypt files in the Suspect folder
-debug         Create debug log and save it in the root folder of the client
/o             Overwrite encrypted or decrypted file if it already exists
/f {filename}  Encrypt or decrypt a single file
/nr            Do not restore original file name
/u             Launch in graphical user interface

Figure 10.11: Graphical Interface Option for VSEncrypt

For example, you can type VSEncode [-d] [-debug] to decrypt files in the Suspect folder and create a debug log. When you decrypt or encrypt a file, the decrypted or encrypted file is created in the same folder.


NOTE: You may not be able to encrypt or decrypt files that are locked.

To encrypt or decrypt files in other locations, create a text file and then type the full path of the files you want to encrypt or decrypt. For example, if you want to encrypt or decrypt files in C:\MyDocuments\Reports, type C:\MyDocuments\Reports\*.* in the text file. Next, save the text file with an .ini or .txt extension; for example, you could save a file as ForEncryption.ini on the C: drive. At the command prompt, run Restore Encrypted Virus by typing the following command:

VSEncode.exe -d -i <path of the .ini or .txt file>

For example, the path of the .ini or .txt file you created might be C:\ForEncryption.ini. Restore Encrypted Virus provides these logs:

VSEncrypt.log   Contains the encryption or decryption details. This file is created automatically in the root system drive (typically, the C:\ drive).
VSEncDbg.log    Contains debug details and is created automatically in the root system drive if you run VSEncode.exe with the -debug parameter.

10.6 > Client Mover I


Client Mover I can transfer clients from one server to another, providing a client-side solution for moving to a new OfficeScan server. The two servers must be of the same type (that is, both HTTP-based or both file-based) and have the same version numbers and language versions. You can run this tool only at the command prompt.

To run Client Mover:

1. On the OfficeScan server, go to {Installationpath}\PCCSRV\Admin\Utility\IpXfer
2. Copy IpXfer.exe to the client computer
3. On the client computer, open a command prompt and then navigate to the folder where you copied IpXfer.exe
4. Run Client Mover using the following syntax:

IpXfer.exe -s <Server_Name> -p <Server_ListeningPort> -m <mode> -c <Client_ListeningPort>

The following definitions apply:

-s   server name or master directory
-p   server listening port
-m   mode (1 for HTTP-based, 0 for file-based)
-c   client listening port

To confirm the client now reports to the other server, do the following:

1. On the client computer, right-click the OfficeScan client program icon in the system tray.
2. Select OfficeScan Console.
3. Click Help in the menu and select About.
4. Check the OfficeScan server that the client reports to in the Server name/port field.
NOTE: The function of the Client Mover tool can also be performed using the Move link on the client tree screen (see Chapter 5: OfficeScan Management Console on page 95).

10.7 > Touch Tool


Touch Tool synchronizes the time stamp of one file with the time stamp of another file or with the system time of the computer. If you unsuccessfully attempt to deploy a Hot Fix on the OfficeScan server, use the Touch Tool to change the time stamp of the hot fix. This causes OfficeScan to interpret the hot fix file as new, which makes the server attempt to automatically deploy the hot fix again.

To use Touch Tool:

1. Open a command prompt on the server
2. Go to the {installationpath}\PCCSRV\Admin\Utility\Touch folder
3. Run Touch Tool using the following syntax:

TmTouch.exe <destination filename> <source filename>

NOTE: If you do not specify a source filename, the destination file will be set to the system time. You can use the wildcard character (*) for the destination file, but not for the source file name.

4. To verify if the time stamp changed, type dir in the command prompt, or check the file's properties from Windows Explorer

10.8 > ServerProtect Normal Server Migration Tool


The ServerProtect Normal Server Migration Tool is a Windows-based tool that helps migrate computers running ServerProtect Normal Server to the OfficeScan client. It uninstalls ServerProtect Normal Server software and installs the OfficeScan client software.


Figure 10.12: The ServerProtect Normal Server Migration Tool

The ServerProtect Normal Server Migration Tool also migrates ServerProtect exception lists to the scan settings of the OCSE.

- ServerProtect Set Scan Option is migrated to the OfficeScan Networked Computers Manual Scan Settings, Real-time Scan Settings, Scheduled Scan Settings, and Scan Now settings.
- ServerProtect Scan Exclusion List: Directories and files is migrated to the OfficeScan Scan Exclusion List (Directories and Files)


NOTE: The ServerProtect migration tool does not configure the newly installed OfficeScan client with the same or comparable ServerProtect Normal Server settings beyond migrating the exception lists, as described above.

The executable file for this tool and a companion .ini file are installed on the OfficeScan server in {installationpath}\Admin\Utility\SPNSXfr. You cannot run the executable from this directory. To use the tool, copy both SPNSXfr.exe and SPNSX.ini to the {installationpath}\Admin\ directory. After doing so, you can double-click SPNSXfr.exe to launch the tool.
Tip: To access client computers, remember that you must use a local/domain administrator account to migrate from ServerProtect successfully. If you use an account with insufficient privileges, such as "Guest" or "Normal user," you will not be able to perform installation.

Tip: To enable the tool to automatically find the OfficeScan server the next time you open the tool, select Auto find OfficeScan server in the upper left of the interface (selected by default).

To use the ServerProtect Normal Server Migration tool:

1. On the OfficeScan server, open {Installationpath}\PCCSRV\Admin\Utility\SPNSXfr and copy the files SPNSXfr.exe and SPNSX.ini to {Installationpath}\PCCSRV\Admin\
2. Double-click the SPNSXfr.exe file to open the tool. The ServerProtect Normal Server Migration Tool console opens
3. Select the OfficeScan server. The path of the OfficeScan server appears under OfficeScan server path. If it is incorrect, click Browse and select the PCCSRV folder.
4. To enable the tool to automatically find the OfficeScan server again the next time you open the tool, select the Auto Find Server Path checkbox (selected by default)
5. Select the computers running ServerProtect Normal Server on which to perform the migration by clicking one of the following under Target computer. (For more information, see the Target Computer Search section that follows.)
6. Select to include computers running Windows Server 2003 in the search
7. Select to restart computers running Windows Server 2003. For the migration to complete successfully on these computers, the computer must restart. Selecting this checkbox ensures that it automatically restarts. If you do not select the Restart after installation checkbox, restart the computer manually after migration
8. Click Search. The search results appear under ServerProtect Normal Servers
9. Click the computers on which to perform the migration
   - To select all computers, click Select All
   - To deselect all computers, click Unselect All
   - To export the list to a comma-separated value (CSV) file, click Export to CSV
10. If logging on to the target computers requires a user name and password, do the following:
   10.1. Select the Use group account/password checkbox.
   10.2. Click Set Logon Account. The Enter Administration Information window appears.
   10.3. Type the user name and password.
   NOTE: Use the local/domain administrator account to log on to the target computer. If you log on with insufficient privileges, such as "Guest" or "Normal user", you will not be able to perform installation.
   10.4. Click OK.
   10.5. Click Ask again if logon is unsuccessful to be able to type the user name and password again during the migration process if you are unable to log on
11. Click Migrate.
12. If the computer runs Windows Server 2003, restart the computer to complete the migration

OfficeScan Server. In the field for OfficeScan Server Path, the migration tool needs the path to the Ofcscan.ini file on the server. The Auto Find Server Path checkbox is enabled by default, and in most cases the tool will automatically find the Ofcscan.ini file. If it does not, use the Browse button to direct the tool to this file.


10.8.1 Target Computer Search


The Select Target Computer frame enables you to search for ServerProtect Normal Servers that exist on your network. You can perform searches using the following criteria:
Windows Network Tree: With this search, a tree is displayed in the frame showing the Windows domains on your network; you can expand or collapse the trees. Select the domain you wish to search and click Search. The tool searches for ServerProtect Normal Server software in the domain. Positive results appear in the ServerProtect Normal Server frame below. If the tool finds no ServerProtect Normal Servers, it notifies you with a pop-up window.

Information Server Name: Selecting this search method causes a text box to appear in which you can type the name of an Information Server on your network. To search for multiple Information Servers, enter a semicolon between server names. Type the name or names and click Search to begin the search. Results will be displayed as in a Windows network tree search.

Certain Normal Server Name: Selecting this search method causes a text box to appear in which you can type the name of a ServerProtect Normal Server on your network. To search for multiple Normal Servers, enter a semicolon between server names. Type the name or names and click Search to begin the search. Results will be displayed as in a Windows network tree search.

IP Range Search: Selecting this search method enables you to enter a range of class-B IP addresses which the tool will search for ServerProtect Normal Server software. Enter the IP address range and click Search to begin the search. Results will be displayed as in a Windows network tree search.

NOTE: If a DNS server on your network does not respond when searching for clients, the search will hang. Wait for the search to time out.

NOTE: To include Windows 2003 computers in your search, you should enable this option under ServerProtect Normal Server before conducting your searches. This option is not enabled by default.

10.8.2 Logon Information


If a user name and password are required to log on to the target computers, enable the Use group account/password checkbox and click Set User Logon Account to enter an administrator user name and password for the target ServerProtect Normal Server. Enable Ask again if logon is unsuccessful to be able to type the user name and password again during the migration process in the event your first logon attempt is unsuccessful.

10.8.3 ServerProtect Normal Server List


Once you have performed a search, the results appear in the ServerProtect Normal Server List field. You can select the servers you want to migrate from ServerProtect Normal Server to the OfficeScan client. To select all computers, click Select All; to deselect all, click Unselect All. Once you have selected the computers you want, click Migrate to begin the migration process. You can also export the server list to a .csv file by clicking on Export to CSV. If any of the computers you are migrating are Windows 2003, you may choose to have them automatically restart by selecting the Reboot Windows 2003 after installation checkbox. For the migration to complete successfully on Windows 2003 computers, the computer must reboot. If you do not select the Reboot Windows 2003 after installation checkbox, you must restart the computer manually after migration.
NOTE ServerProtect Normal Serv Migration T ver Tool does not u uninstall the C Control Manage er
agent for ServerProtect. For instructions on how to uninstall the agent, refer t your o to ServerPro otect or Control Manager do ocumentation.

10.9 > Scheduled Update Configuration Tool

Update agents installed using Client Packager can no longer receive commands from the OfficeScan server that alter their scheduled update time. In order to schedule updates on these update agents, you must use the Scheduled Update Configuration tool. This tool is located in the {installation path}\PCCSRV\Admin\Utility\ClientPackager directory on the OfficeScan server. It is also included in client install packages for update agents made by the Client Packager.

Figure 10.13: Scheduled Update Configuration Tool

To open the Scheduled Update Configuration tool, find the SUCTool.exe file on the update agent and double-click it. Scheduled updates are enabled by default. You can select an hourly, daily, or weekly update schedule. If you select a daily or weekly update schedule, you can also configure how long the update agent will spend attempting to deploy updates to the clients that report to it (up to 24 hours).

Lab Exercise 12: Detect Vulnerable Computers


10.10 > Chapter Summary and Review Questions


Summary
OfficeScan includes administrative tools and client tools to help you install and manage the server and client software. The Vulnerability Scanner can check the computers on your network and help you ensure that they are protected by antivirus software. You can use the Server Tuner tool to optimize the performance of the OfficeScan server. You can use the Restore Encrypted Virus tool to decrypt an infected file so that you can open it. The Client Mover tool can transfer clients from one server to another. The Touch Tool synchronizes the time stamp of a destination file with a source file. The ServerProtect Normal Server Migration Tool helps migrate computers running ServerProtect Normal Server to the OfficeScan client. Finally, you can schedule updates on update agents created with Client Packager packages by using the Scheduled Update Configuration tool.

Review Questions
1. Which of the following can the Vulnerability Scanner do?
   a) Determine if an antivirus solution is installed on a computer
   b) Determine whether Windows service packs are up-to-date
   c) Determine whether users are browsing high-risk Internet sites
   d) Determine whether spyware is on your network

2. What does Trend Micro recommend doing before using the Restore Encrypted Virus tool?
   a) Isolating the computer where the infected file resides
   b) Unplugging the computer from the network
   c) Backing up important files on the computer where the infected file resides
   d) All of the above

3. Which of the following does the ServerProtect Normal Server Migration Tool do?
   a) Uninstall ServerProtect Information Server and install the OfficeScan client software
   b) Migrate ServerProtect Normal Server settings to OfficeScan client settings
   c) Uninstall ServerProtect Normal Server and install the OfficeScan client software
   d) Uninstall the Control Manager agent for ServerProtect


Chapter 11: Logs

Chapter Objectives
After completing this chapter, you should be able to:
- Describe the different types of logs available with OfficeScan
- Access the OfficeScan logs and use them to monitor the OfficeScan clients


11.1 > Overview of OfficeScan Logs

The OfficeScan server and all OfficeScan clients record all important events and status conditions to log files. The OfficeScan server provides a central repository for client logs and consolidates them in a single database. The OfficeScan management console provides you with direct access to both server and client logs. For all logs, OfficeScan enables you to export log data to a comma-separated values (CSV) file. You can import CSV files into spreadsheet applications or into other structured databases to further process OfficeScan system data and create custom reports.

Figure 11.1: Accessing OfficeScan Logs Using the Web-based Management Console

For client event logs related to security-risk detection, OfficeScan allows you to select target clients or client domains using the client tree, and provides a search tool so that you can find exactly the information you want. OfficeScan logs and log-management utilities allow you to monitor virus events, component update events, system events, and other security-related events from a single console. Log data enables the OfficeScan server to provide summary reports and graphs. OfficeScan client logs are organized in two groups, those related to security-risk detection and response and those related to program maintenance. These logs include:

Security-risk-related logs:
- Virus/malware
- Spyware/grayware
- Firewall
- Web-reputation
- Behavior monitoring
- Device control

Program maintenance logs:
- Component-update
- Connection-verification
- Spyware/grayware restore

The virus logs, update logs, system event logs, and verify-connection logs are stored in the {installation path}\PCCSRV\Log folder on the OfficeScan server. The OfficeScan firewall logs are stored on the OfficeScan clients and are sent to the server only if you configure the OfficeScan global settings to do so, or when you elect to notify the clients to send the logs to the OfficeScan server.

11.1.1 Uploading Virus Logs from the Client to the Server


Each OfficeScan client uploads at least four different variations of logs to the server:
- Virus/Malware logs: information about virus/malware events
- Client status/event logs: information about startup, shutdown, and scan initiations
- Local configuration logs: information about manual, real-time, and scheduled scans, as well as the exclusion file
- Firewall logs: firewall event information (sent only if/when the option is enabled)
- Behavior monitoring and device control logs: information about program behavior, system configuration changes, and device access attempts

Sometimes, the logs may not be transferred to the server successfully. In this case, the client uses a retry mechanism (a back-off algorithm) to attempt to resend the log files. If the retries are not successful, the virus log is stored on the client until the program restarts; the client then discards the local configuration log and the client status/event log. If a log entry is not formatted correctly (for example, a power failure corrupts a log-writing process), the client does not resend the data. On the other hand, if the log format is correct but the server fails to write the data to the database, the client resends the information. If the client sends a common gateway interface (CGI) command to the server and receives an error code, the database is corrupt. The client then resends the data, in background mode, the next time a virus is found.

11.1.2 Virus Logs


OfficeScan logs all of the viruses detected on the clients in your enterprise. You can use this information to assess your company's virus-protection policies and to identify clients that are at a higher risk of infection. All virus logs are saved to a file whose name is based on the current date. Daily log files are stored on the OfficeScan server in the {installation path}\PCCSRV\Log folder. The size of a file depends on the number of viruses detected that day. The virus log on the server can record a maximum of 10,000 entries in the database. For example, if there are 1,000 clients, the clients can average 10 virus incidents each before OfficeScan experiences problems writing to the virus log.

Consolidating Redundant Logs


Frequently, a virus outbreak causes redundant log entries, that is, multiple log entries concerning the same virus, which can make the server load very heavy. OfficeScan can consolidate redundant log entries that occur within an hour into a single entry. To enable this, you must enable the feature under Virus Bandwidth Settings on the Global Client Settings page (see Chapter 5: OfficeScan Management Console on page 95). If you have enabled this setting, the OfficeScan client keeps redundant occurrences of the same virus in a queue, recording the virus's name, full file path, and the date and time for each occurrence of the virus in the same log. If the maximum number of occurrences is exceeded within an hour, the first occurrence is deleted from the log. You can set the maximum number in the ofcscan.ini file. The default value is five occurrences, but you can set it to as high as 20.
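The consolidation rule above is easier to reason about as code. The following is an added example written for this textbook, not Trend Micro code: it models a client-side queue keyed by virus name and full file path, keeps each occurrence's time stamp, drops the oldest occurrence once the count within an hour exceeds the configured maximum (default 5, at most 20), and produces one consolidated entry per virus/path instead of one per detection. The queue layout, the time-stamp format and the shape of the consolidated entry are assumptions made for the illustration.

```python
"""Model of OfficeScan's redundant virus-log consolidation (added example, not Trend Micro code).

With Virus Bandwidth Settings enabled the client keeps occurrences of the same
virus (same name and full file path) in a queue, records the date and time of
each, and once the count within one hour exceeds the configured maximum
(default 5, at most 20) deletes the first occurrence. Queue layout, time-stamp
format and entry shape are assumptions for this illustration.
"""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
TS_FMT = "%Y-%m-%d %H:%M:%S"   # assumed time-stamp format


def _to_dt(when):
    """Accept either a datetime or a string in TS_FMT."""
    return when if isinstance(when, datetime) else datetime.strptime(when, TS_FMT)


class VirusLogConsolidator:
    """Per-client queue of redundant detections, one deque per (virus, path)."""

    def __init__(self, max_occurrences=5):
        if not 1 <= max_occurrences <= 20:
            raise ValueError("OfficeScan accepts a maximum between 1 and 20 occurrences")
        self.max_occurrences = max_occurrences
        self.queues = {}

    def record(self, virus_name, full_path, when):
        """Record one detection; returns how many occurrences are now kept for that virus/path."""
        when = _to_dt(when)
        q = self.queues.setdefault((virus_name, full_path), deque())
        # Occurrences more than an hour old are no longer redundant with this one
        while q and when - q[0] > WINDOW:
            q.popleft()
        q.append(when)
        # Maximum exceeded within the hour: the first occurrence is deleted
        if len(q) > self.max_occurrences:
            q.popleft()
        return len(q)

    def entries(self):
        """One consolidated entry per virus/path instead of one entry per detection."""
        return [
            {
                "virus": virus,
                "path": path,
                "first": q[0].strftime(TS_FMT),
                "last": q[-1].strftime(TS_FMT),
                "occurrences": len(q),
            }
            for (virus, path), q in self.queues.items()
            if q
        ]


if __name__ == "__main__":
    # Constructed burst: the same file detected eight times in eight minutes
    c = VirusLogConsolidator()
    for minute in range(8):
        c.record("EICAR_TEST_FILE", r"C:\temp\eicar.com", f"2011-08-15 09:{minute:02d}:00")
    for entry in c.entries():
        print(entry)   # one entry, 5 occurrences, first 09:03:00, last 09:07:00
```

The point to take from the model is that consolidation is lossy by design: with the default of five, the first three of eight detections in a burst are gone from the client's queue, so an investigation that needs every detection time should raise the maximum (up to 20) or read the client's own log before the hour window rolls over.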

Viewing Virus Logs

To view virus logs, in the sidebar, select Logs > Networked Computer Logs > Security Risks > View Logs > Virus/Malware Logs. You must specify which clients' virus logs you want to view. When the View Logs dialog box appears, you can select log types, the way you want log entries sorted, and the time period.
Selecting the type of log you are interested in allows you to determine which viruses were detected by manual scans, scheduled scans, or real-time scans. For example, you can tell if certain viruses were found during a manual scan. This may occur if you need to stop and restart the virus-scanning service when you are reconfiguring the server. Viruses might be introduced into the network then, and when you perform a manual scan, it detects a virus infection that occurred while real-time scanning was turned off briefly.
The various parameters on which you can sort give you visibility into specific problems. For example, you can see if a specific virus is detected more frequently than any other, or you can see if more virus infections are reported from one group of computers than from others.
You can specify the period of time for which you want to view virus information. For example, you can view the entries for the last day, the last two days, or the last week.

Figure 11.2: Viewing Virus/Malware Logs

The Virus Log page contains this information about the viruses that OfficeScan detects:
- Date and time of the scan
- Virus name
- Name and IP address of client
- Infection source
- Infected file name
- Scan result
- Scan type

If you click the View link for a particular entry, you can view additional information:
- Date and time of the scan
- Domain
- Platform
- Infection source
- Path of the infected file
- Scan result
- Client's login name
- Virus name
- Infected file name
- Scan type

Deleting Logs
You can periodically delete your logs to prevent the log files from becoming too large.
To delete logs, select Logs > Delete Logs from the menu in the sidebar. The Delete Logs dialog box appears. You can choose the log types to delete and specify whether you want to delete all logs or only those that are older than a certain number of days.

11.1.3 Update Logs

OfficeScan records the results of both server and client updates in update logs, which are stored as the update.log file in the C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Log folder on the OfficeScan server. You can use these update logs to verify the last date and time OfficeScan components were updated on each client.
To view the server update logs, click Logs > Server Update Logs in the navigation column of the management console. The Server Update Logs page displays the date and time of the update, the result, the component that was updated, and the update method used.

Figure 11.3: Server Update Logs


To view the client update log, select Logs > Networked Computer Logs > Component Update from the management console sidebar. The Client Update Logs page appears.

Figure 11.4: Client Update Logs

The Client Update Logs page shows the time and day of the update and the components that were updated. By clicking the View link in the Progress column, you can view how long the update event took and how many clients were updated in 15-minute increments.

Figure 11.5: Client Update Progress Page

NOTE: The information on the Client Update Progress screen is extremely useful when trying to set optimal settings using the Server Tuner tool (see Chapter 10: OfficeScan Tools on page 307).

From the Client Update Logs page, you can also click the View link under the Detail column to view the following information:
- Computer name
- Date and time the update was completed
- Notifications sent or received
- Update source

11.1.4 System Event Logs

OfficeScan records events related to the server program, such as shutdown and startup, in system event logs. These logs are saved in the PtnDP1xxxxx.log file in the {installation path}\PCCSRV\Log folder on the OfficeScan server. You can use these logs to verify that the server is running smoothly and that the services necessary for OfficeScan to work on your network are running (see the figure below).

Figure 11.6: System Event Logs

To view the system event logs, click Logs > System Event Logs in the navigation column of the management console sidebar.

11.1.5 Connection Verification Logs

OfficeScan maintains Verify Connection logs to track the connection status between the OfficeScan server and clients. These logs are saved in the verconn.log file in the {installation path}\PCCSRV\Log folder on the OfficeScan server.
To view the connection verification logs, click Logs > Networked Computer Logs > Connection Verification in the navigation column of the management console. Connection-verification logs display log times and dates, client computer names, domains, IP addresses, and connection status. You can sort this information by clicking column headings. You can also select the number of results to display per page from the Display results per page list.

Figure 11.7: Connection Verification Logs

11.1.6 OfficeScan Firewall Logs

OfficeScan collects detailed information about the OfficeScan firewall running on each OfficeScan client. Because OfficeScan firewall logs are typically extremely large, this information is stored on the client and only uploaded once per day to the server, although the OfficeScan firewall notifies the server hourly of its log count and sends a log summary. This allows you to manage bandwidth and server resources. You can manually force an upload at any time.
To ensure that you are notified immediately if a critical security event occurs, such as a hacker trying to bypass the OfficeScan firewall, you use the Firewall Outbreak Monitor. You configure a threshold for security events, and OfficeScan notifies you if that threshold is exceeded. (For more information about the Firewall Outbreak Monitor, see Chapter 9: OfficeScan Firewall on page 287.)
To manually upload log information from clients, select Logs > Security Risks > View Logs > Firewall Logs > Client Notification in the management console sidebar. Select the clients whose OfficeScan firewall logs you want uploaded to the OfficeScan server and click Notify Clients. It may take a few minutes to send the logs.
After the transmission is completed, click Display Logs in the Firewall Log Criteria window to view the uploaded log data.

Figure 11.8: OfficeScan Firewall Logs

If you want to view updates to the OfficeScan firewall logs, you must once again notify the appropriate clients to upload these logs.

11.1.7 Behavior Monitoring Logs

Clients log unauthorized program access instances and send the logs to the server. A client that runs continuously aggregates the logs and sends them every 60 minutes, by default. To keep the size of logs from occupying too much space on the hard disk, you can manually delete logs or configure a log deletion schedule.
Behavior monitoring logs contain the following information:
- Date/time the unauthorized process was detected
- Computer where the unauthorized process was detected
- Event monitoring rule violated by the process
- OfficeScan action performed when the violation was detected
- Type of object accessed by the program
- Risk level of the unauthorized program
- Program, which is the unauthorized program
- Operation, the action performed by the unauthorized program
- Target, which is the process that was accessed
- Policy name of the event monitoring rule

To view behavior monitoring logs:
1. Click Logs > Networked Computer Logs > Security Risks > View Logs > Behavior Monitoring Logs, or Networked Computers > Client Management > Logs > Behavior Monitoring Logs.

Figure 11.9: Behavior Monitoring Log Criteria Selection Page

2. Specify log criteria and click Display Logs.
3. View logs.

To configure the Behavior Monitoring log sending schedule:
1. Navigate the local file system to <Server installation folder>\PCCSRV.
2. Open the ofcscan.ini file using a text editor such as Notepad.
   2.1. Search for the string SendBMLogPeriod and then check the value next to it. The default value is 3600 seconds, and the string appears as SendBMLogPeriod=3600.
   2.2. Specify the value in seconds. For example, to change the log period to 2 hours, change the value to 7200.
   2.3. Save the file.
3. In the management console, click Networked Computers > Global Client Settings.
   3.1. Click Save without changing any settings.
4. Restart the client.
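Step 2 above is a hand edit of ofcscan.ini; when the period has to be changed on several servers it is safer to script it so that nothing else in the file moves. The following is an added example for this textbook, not Trend Micro code. It rewrites only the SendBMLogPeriod line, leaves every other line (and the file's CRLF line endings) exactly as found, refuses values that are not a positive number of seconds, and keeps a .bak copy of the original. The section name in the constructed sample text is an assumption; the real file's layout is whatever your server has. Steps 3 and 4 (Save on Global Client Settings, then restart the client) still have to be done afterwards.

```python
"""Set SendBMLogPeriod in ofcscan.ini from a script (added example, not Trend Micro code)."""
import re
import shutil
from pathlib import Path

KEY = "SendBMLogPeriod"
# Matches e.g. "SendBMLogPeriod=3600" (optional spaces, any case); line ending stripped beforehand
_KEY_LINE = re.compile(rf"^(\s*){KEY}(\s*=\s*)(\d+)(\s*)$", re.IGNORECASE)


def read_send_bm_log_period(ini_text: str) -> int:
    """Return the configured period in seconds (3600 is OfficeScan's default)."""
    for line in ini_text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            return int(m.group(3))
    raise KeyError(f"{KEY} not present in ofcscan.ini")


def set_send_bm_log_period(ini_text: str, seconds: int) -> str:
    """Return the INI text with SendBMLogPeriod set to `seconds`; no other byte changes."""
    if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("period must be a positive integer number of seconds")
    out, found = [], False
    for line in ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]                  # keep CRLF or LF exactly as found
        m = _KEY_LINE.match(body)
        if m and not found:                     # rewrite only the first occurrence
            body = f"{m.group(1)}{KEY}{m.group(2)}{seconds}{m.group(4)}"
            found = True
        out.append(body + eol)
    if not found:
        # Do not guess which section the key belongs in; add it by hand instead
        raise KeyError(f"{KEY} not present in ofcscan.ini")
    return "".join(out)


def update_ini_file(path, seconds: int) -> Path:
    """Rewrite the file in place after saving a .bak copy; returns the backup path."""
    p = Path(path)
    backup = p.with_suffix(p.suffix + ".bak")
    shutil.copy2(p, backup)
    # surrogateescape round-trips any non-UTF-8 bytes unchanged; newline="" preserves CRLF
    with p.open("r", encoding="utf-8", errors="surrogateescape", newline="") as f:
        text = f.read()
    with p.open("w", encoding="utf-8", errors="surrogateescape", newline="") as f:
        f.write(set_send_bm_log_period(text, seconds))
    return backup


if __name__ == "__main__":
    # Constructed sample; the section name is an assumption about the real file
    sample = "[Global Setting]\r\nSendBMLogPeriod=3600\r\nOtherSetting=1\r\n"
    print(set_send_bm_log_period(sample, 7200), end="")
```

Run it as `update_ini_file(r"<Server installation folder>\PCCSRV\ofcscan.ini", 7200)` with the real path substituted; the backup it leaves beside the file is what you restore if the console rejects the change.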

11.1.8 Device Control Logs

OfficeScan provides a device control feature that regulates access to external storage devices and network resources connected to computers. Device control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks.
Clients send device control logs to the server daily. Only unauthorized access events are logged.

To view device control logs:
1. In the management console sidebar, select Logs > Networked Computer Logs > Security Risks > View Logs > Device Control Logs.
2. Specify log criteria and click Display Logs.
3. View logs containing this information:
   - Date/time unauthorized access was detected
   - Computer where the external device is connected or where the network resource is mapped
   - Device type or network resource accessed
   - Target, which is the item on the device or network resource that was accessed
   - Accessed by, which specifies where access was initiated
   - Permissions set for the target

11.1.9 Saving Logs as Files


If you want to save a log as a comma-separated value (CSV) data file, click Export to CSV. A File Download dialog box appears; select whether you want to view the file from its current location or save it to disk. If you choose to save it to disk, the Save As dialog box appears so you can specify a name and location for the file. You can then use spreadsheet applications, such as Microsoft Excel, to view CSV data files.
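The questions section 11.1.2 says the virus log answers (which virus is detected most often, whether one group of computers reports more infections than others, what manual scans caught, and what happened in the last day, two days or week) can be answered offline from the CSV export described above. The following is an added example written for this textbook, not Trend Micro code. It reads an exported virus log and computes those views, plus the detections whose scan result shows the client could not handle the file. SAMPLE_EXPORT is constructed data; the column names, the date format and the set of "handled" scan results are assumptions, so match them to what your console actually exports.

```python
"""Work an exported OfficeScan virus log offline (added example, not Trend Micro code)."""
import csv
import io
import sys
from collections import Counter
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"                       # assumed export date format
HANDLED_RESULTS = {"Quarantined", "Deleted", "Cleaned"}  # assumed: client dealt with the file

# Constructed sample export; column names are assumptions about the real export
SAMPLE_EXPORT = r"""Date/Time,Virus/Malware,Computer,IP Address,Domain,Infection Source,Infected File,Scan Result,Scan Type
2011-08-15 09:30:00,EICAR_TEST_FILE,WS-101,10.0.1.11,Sales,\\FS01\share,C:\temp\eicar.com,Quarantined,Real-time Scan
2011-08-15 09:31:00,EICAR_TEST_FILE,WS-101,10.0.1.11,Sales,\\FS01\share,C:\temp\eicar2.com,Quarantined,Real-time Scan
2011-08-15 11:00:00,EICAR_TEST_FILE,WS-102,10.0.1.12,Sales,,D:\eicar.com,Deleted,Manual Scan
2011-08-13 22:15:00,WORM_SAMPLE.A,WS-201,10.0.2.21,Engineering,,C:\Windows\Temp\x.dll,Cleaned,Real-time Scan
2011-08-10 08:00:00,WORM_SAMPLE.A,WS-202,10.0.2.22,Engineering,,C:\Windows\Temp\y.dll,Unable to clean,Scheduled Scan
2011-08-15 12:00:00,TROJ_SAMPLE.B,WS-101,10.0.1.11,Sales,,C:\Users\a\Downloads\inv.exe,Quarantined,Real-time Scan
"""


def parse_virus_log(csv_text: str) -> list:
    """Rows as dicts keyed by the export's column names, plus a parsed 'when' datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["when"] = datetime.strptime(row["Date/Time"], DATE_FMT)
        rows.append(row)
    return rows


def top_viruses(rows, n=3):
    """Which viruses are detected most often: [(name, count), ...]."""
    return Counter(r["Virus/Malware"] for r in rows).most_common(n)


def detections_by_domain(rows):
    """Are more infections reported from one group of computers than from others?"""
    return dict(Counter(r["Domain"] for r in rows))


def hits_by_scan_type(rows):
    """Detections split by manual, scheduled and real-time scan."""
    return Counter(r["Scan Type"] for r in rows)


def in_last_days(rows, now: str, days: int):
    """Entries for the last day / two days / week, relative to `now` (DATE_FMT string)."""
    cutoff = datetime.strptime(now, DATE_FMT) - timedelta(days=days)
    return [r for r in rows if r["when"] >= cutoff]


def risky_clients(rows, threshold=2):
    """Computers with at least `threshold` detections, most detections first."""
    counts = Counter(r["Computer"] for r in rows)
    return [c for c, n in counts.most_common() if n >= threshold]


def unresolved(rows):
    """Detections the client could not handle; these need follow-up on the computer."""
    return [r for r in rows if r["Scan Result"] not in HANDLED_RESULTS]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    log = parse_virus_log(text)
    print("top viruses:", top_viruses(log))
    print("by domain:", detections_by_domain(log))
    print("by scan type:", dict(hits_by_scan_type(log)))
    print("last 2 days:", len(in_last_days(log, "2011-08-15 13:00:00", 2)))
    print("risky clients:", risky_clients(log))
    print("unresolved:", [(r["Computer"], r["Infected File"]) for r in unresolved(log)])
```

The `utf-8-sig` encoding strips the byte-order mark that Windows tools often prepend to CSV exports; without it the first column name would carry an invisible prefix and `row["Date/Time"]` would fail.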

11.2 > Log Maintenance


To prevent your logs from taking up too much disk space on the server, you can configure OfficeScan to automatically delete the logs based on a schedule. To do so, click Logs > Log Maintenance in the management console sidebar. Under Log Types to delete, select the log types to delete automatically. You can select the various virus scan-type logs independently of each other. You can select all the other types of logs, including system event logs and update logs, for automatic deletion as well. For each of these selections, you can specify the age of the logs you want to delete (under Range) and the frequency and day of the week (or month) on which you want the purging to take place.


Figure 11.10: Log Maintenance Configuration

Lab Exercise 13: View OfficeScan Logs


11.3 > Chapter Summary and Review Questions


Summary
OfficeScan includes five types of logs. Virus logs, update logs, system event logs, and verify connection logs are stored on the server. The OfficeScan firewall logs are stored on the client machine. You can view these logs from the OfficeScan management console, but to view current firewall logs, you will first have to notify the client to upload its logs to the server. To prevent your logs from taking up too much hard disk space on the server, you can configure OfficeScan to automatically delete the logs based on a schedule.

Review Questions
1. What is the maximum number of virus logs the server can store?
   a) 1,000
   b) 5,000
   c) 10,000
   d) 50,000

2. What is the default number of logs held in the memory queue if you enable the consolidation of virus logs under Virus Bandwidth Settings?
   a) 5
   b) 10
   c) 15
   d) 20

3. What type of file can you export logs to?
   a) A .txt file
   b) A .sql file
   c) A .gif file
   d) A .csv file


Chapter 12: Troubleshooting

Chapter Objectives
After completing this chapter, you should be able to:
- Troubleshoot common errors
- Use the Case Diagnostic Tool (CDT)
- Manually enable debug mode for OfficeScan servers, clients, and processes such as ActiveUpdate, Damage Cleanup Service (DCS), and Vulnerability Assessment


12.1 > Troubleshooting Common Problems


If you experience a problem with the OfficeScan server, you should first try to determine whether the problem is actually caused by OfficeScan itself, by the operating system, or by another program running on the computer. If you isolate the problem to OfficeScan, you should check the list of common problems in this chapter or search the Trend Micro Knowledge Base, which contains comprehensive information about all Trend Micro products. A list of frequently asked questions is also available. To search the Knowledge Base, visit http://esupport.trendmicro.com/enterprise/search.aspx.

12.1.1 Server Installation Error


During master setup, if you select a server with a space in its name, you might get this message: "Please specify a server name that does not have special characters." Resolve this issue by removing the space or the special character. For example, if the server name is TREND MICRO, change it to TRENDMICRO. Then try installing OfficeScan again.

12.1.2 Recover a Corrupt Database


To recover a database that was not backed up, perform the following:
1. Stop the OfficeScan master service.
2. Delete the database files in the {installation path}\PCCSRV\HTTPDB directory.
3. Restart the OfficeScan master service.
4. Restart the clients, which will automatically re-register with the OfficeScan server.

To recover a database that was backed up, perform the following:
1. Stop the OfficeScan master service.
2. Delete the database files in the {installation path}\PCCSRV\HTTPDB directory.
3. Copy the database backup files to the {installation path}\PCCSRV\HTTPDB directory.
4. Restart the OfficeScan master service.

12.1.3 Client Errors


This section discusses some issues that you might encounter when installing the client.

Client Installation Using Remote Install Fails


If Windows NT Remote Install does not accept the default user name and password, try typing the user name and password using the following syntax:
domainname\username


Login Script Setup Error


If you are using login script setup to install the client, you might get this error message:
Error: Failed to logon. Please make sure the selected server <ServerName> is a Windows NT server, and enter the correct user name and password.

To correct this error, use an account that has Domain Administrator privileges.

Windows XP/Vista/7/2003 Computers Are Not Displayed in the Remote Install Page
Some computers might not appear in the Remote Install page, even if they are online. These computers and the server must be on the same subnet, and File and Print Sharing must be enabled in the Network Connection properties. Adjust the settings of the client to meet these requirements and retry performing Windows NT Remote Install.

Client Installation Using the Internal Web Page Is Unsuccessful


If users cannot display the web page that contains the link for installing the client, their browser's Internet Options settings may not be configured correctly. To correct this error, ask users to:
1. In Internet Explorer, select Tools > Internet Options.
2. Select the Connections tab and select LAN Settings.
3. Verify that the Bypass proxy server for local addresses checkbox is not selected.
4. Click OK to save the changes and exit.
5. Try installing the client again using the web browser.

If users can download the client setup file but cannot install the client, you should:
- Ensure that they have administrator rights
- Verify that the computer meets the minimum system requirements for client software
- Verify that the user is installing the client software on a Windows computer

12.1.4 Upgrade Issues


This section covers potential issues related to upgrading from a previous version of OfficeScan.

Clients Are Not Automatically Upgraded


If your clients are not automatically upgraded after a server program upgrade, verify that you have the following files in the server's {installation path}\PCCSRV\Download folder:
- tmengNT.zip
- tmnewpNT.zip
- tmengX64.zip
- tmnewpX64.zip

If you do not find all or some of these files, copy them from Output\_wgroup\Download in the setup directory. Then restart the OfficeScan master service.


12.1.5 Console Issues

This section discusses some issues that you might encounter with the way the clients appear in the OfficeScan management console.

Status of Clients on the Console Is Incorrect

The actual client status and the status reported on the console do not appear to be synchronized. This happens if the client is unable to launch the client program or if, at startup, the client loses its connection to the server before it can report its status. If any of these actions were performed incorrectly, or if there was an error during any of these processes, it is possible that the client was not able to inform the server that it is shutting down or that it is being unloaded, removed, or stopped. To resolve this, try the following:
- Use the Verify Connection feature of the server to reestablish basic communication.
- Verify that the computer is on and that the software has not been unloaded, removed, or stopped.
- On the client, check if the OfficeScan roaming client icon appears in the Windows system tray. If it does, the client has switched to roaming mode.

Versions of Components on the Console Are Incorrect

The versions of the components listed on the console are incorrect. This happens when the client is unable to write its status information to the registry and send it to the server. For example, you updated the pattern file of a client from version 411 to version 413. However, after updating, the console still shows 411. It is possible that the client was updated but was unable to write its updated information to the registry. To resolve this, try the following:
- Verify that client-server communication exists by using ping or telnet.
- If you have limited bandwidth, check if it causes timeouts between the server and the client.
- If you have a proxy server between the clients and the server, make sure your settings are correct.
- Open a web browser on the client, type http://<Server name>/OfficeScan/cgi/cgionstart.exe in the address text box and press ENTER. If the next page shows -2, the client can communicate with the server. This also indicates that the problem might be in the server database; it might not have a record of the client.
- Check if the user modified files or registry values but forgot to restart the OfficeScan NT Listener service on the client for Windows XP/Vista/7. If users do not have the privilege to unload OfficeScan, they need to restart the computer to restart the main program.
- Check if the client has two or more Network Interface Cards (NICs). If a client has two NICs, it will also have two IP addresses. The server might not be able to communicate with the client because it does not know which IP address to use. You might be able to install the client, but might not be able to update it.

Client Icon Does Not Appear on the Console after Installation

The client icon does not appear on the console after you install the client. This happens when the client is unable to send its status to the server. To resolve this, try the following:
Click the Refresh button in the client console.
Verify that client-server communication exists by using ping and telnet (to the server's web port).
If you have limited bandwidth, check if it causes timeouts between the server and the client.
Check if the {installation path}\PCCSRV folder on the server is shared and if all users have been granted appropriate privileges. After the installation of OfficeScan, the following privileges are given on the PCCSRV directory:

Directory: PCCSRV
User             Privileges
Administrator    Full Control
All Users        Read, Execute
User             N/A
System           Full Control

If you are using a proxy server for client-server communication, check if the proxy settings are configured correctly.
Check if the IIS IUSR_xxx anonymous account still exists on the OfficeScan server (IIS uses it to serve the client requests).
Open a web browser on the client, type http://<Server name>/officescan/cgi/cgionstart.exe in the address text box and press ENTER. If the next page shows -2, this means the client can communicate with the server. This also indicates that the problem might be in the server database; it might not have a record of the client.
NOTE: If this does not help you find the real cause of the issue, gather the ofcdebug.log from both the server and client.
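The checks above and the client-communication checks that precede this subsection (ping/telnet, the cgionstart.exe response, multi-homed clients, a listener that was never restarted) scripted as an added example. This is not code from the textbook or from OfficeScan; it runs on a client and prints one result per check. Assumptions: the server's web port is 80 (the URL on the page carries no port; pass your own), the listener's service name is TmListen (display name OfficeScan NT Listener), and Windows PowerShell 2.0 or later is installed.

```powershell
# Added example, not from the OfficeScan textbook. Run on an OfficeScan client.
# Assumptions: server web port 80 unless overridden; listener service name
# "TmListen" (display name "OfficeScan NT Listener"); Windows PowerShell 2.0+.
param(
    [Parameter(Mandatory = $true)] [string] $Server,   # OfficeScan server name or IP
    [int] $Port = 80
)

$report = New-Object System.Collections.Specialized.OrderedDictionary

# 1. Reachability: ICMP, then a TCP connect to the web port (the page's
#    "ping and telnet" check, without needing the telnet client).
$report['Ping'] = Test-Connection -ComputerName $Server -Count 2 -Quiet
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($Server, $Port); $report['TcpPort'] = $tcp.Connected }
catch   { $report['TcpPort'] = $false }
finally { $tcp.Close() }

# 2. CGI handshake. "-2" means the server was reached but its database has no
#    record of this client; anything else needs the ofcdebug.log on both sides.
$wc = New-Object System.Net.WebClient
try {
    $url  = 'http://{0}:{1}/officescan/cgi/cgionstart.exe' -f $Server, $Port
    $body = $wc.DownloadString($url).Trim()
    $report['CgiResponse']    = $body
    $report['NoClientRecord'] = ($body -eq '-2')
} catch {
    $report['CgiResponse'] = 'request failed: ' + $_.Exception.Message
}

# 3. Multi-homed client: with two NICs the server may pick the wrong address
#    when it pushes updates. WMI works on XP/Vista/7, where Get-NetIPAddress does not.
$ipv4 = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
          ForEach-Object { $_.IPAddress } |
          Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' -and $_ -notlike '169.254.*' })
$report['IPv4Addresses'] = ($ipv4 -join ', ')
$report['MultiHomed']    = ($ipv4.Count -gt 1)

# 4. Listener state: edited files or registry values only take effect once the
#    OfficeScan NT Listener is restarted (or the computer is rebooted).
$svc = Get-Service -Name 'TmListen' -ErrorAction SilentlyContinue
$report['ListenerService'] = if ($svc) { [string]$svc.Status } else { 'not installed' }

$report.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
```

A TcpPort of True with a CgiResponse of "request failed" points at IIS or the virtual directory rather than the network; MultiHomed True with a working CGI response but no icon on the console matches the two-NIC case described above.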

Update Failed
If a pattern file merge failure appears in the ActiveUpdate debug log, choose either of the following steps to solve the problem:
Remove v_aaa.bbb in {installation path}\PCCSRV\download\pattern (where aaa = client pattern number and bbb = server pattern number).
Wait for the server's next scheduled pattern update, which provides a good incremental file for the pattern file (v_xxx.xxx).

If there are any problems when updating new modules from the ActiveUpdate server, check the debug logs, which are located at:
{installation path}\PCCSRV\aubin\patch.ini
{installation path}\PCCSRV\aubin\patchdmp.txt
{installation path}\PCCSRV\aubin\patchdll.ini
{installation path}\PCCSRV\web\cgi\temp\tmudump.txt (used for manual pattern update)
{installation path}\PCCSRV\web\service\temp\tmudump.txt (used for scheduled pattern update)

These files are created automatically when you update through the ActiveUpdate server. You also need to turn on the server debug log. If the clients did not update from the server, turn on the server debug log. Then, update the clients using the console. Next, see if the clients are listed in the update queue. (To view the update queue, click Updates in the sidebar of the OfficeScan management console.) If the clients are not queued, it may be because they do not have a connection to the server. The server will notify the clients about the new update when the connection is restored.

Unable to Connect to the Management Console

Sometimes, after installing the OfficeScan server, the user is unable to launch the OfficeScan management console. One possible cause is that the web virtual directory is not written during master setup. The solution is to add a web share for {installation path}\PCCSRV\web with the alias /officescan. If you are using Microsoft Internet Information Server (IIS), complete these steps:
1. Launch a command prompt and change the working directory to %ProgramFiles%\Trend Micro\OfficeScan\PCCSRV.
2. Execute the following command in the command prompt. This will recreate the virtual directory.
svrsvcsetup -setvirdir
3. Execute the following command in the command prompt. This will reset the privileges for the directories you specified during the installation process.
svrsvcsetup -setprivilege

If you are using Apache, check your product documentation to determine how to add a web share for \PCCSRV\web with the alias /officescan.

12.2 > Case Diagnostic Tool (CDT)

The Trend Micro Case Diagnostic Tool (CDT) is a tool to help the Trend Micro Technical Support Team and customers diagnose problems in Trend Micro products. The purpose is to shorten the diagnostic communication process between Trend Micro and its customers. CDT collects all necessary diagnostic information from a customer's product whenever problems occur. It automatically turns the product's debug status on and off and collects the necessary files according to problem categories. CDT provides the following capabilities:
Allows users to provide detailed problem descriptions
Supports multiple product diagnostics
Collects relevant system information from the customer's computer/system
Turns product and specific module debug status on and off according to problem category
Monitors specific process status information, such as CPU load and memory usage
Retrieves problem-related files and compresses them into a password-protected ZIP file (the password is trend)

Because the ZIP password is fixed and documented, it does not keep the contents confidential; it mainly prevents mail gateways and antivirus scanners from unpacking the archive in transit. The archive contains configuration files, logs and system information, so handle it as sensitive data and send it only through the channel your Trend Micro support representative specifies.

As of the release of this document, CDT supports the following Windows platforms:
Windows 98 Second Edition
Windows 2000 Professional/Server Edition
Windows XP Professional Edition
Windows 2003 Server Edition
NOTE: At the time of this document's release, Windows Vista is not supported by CDT.

12.2.1 Using the CDT

The Case Diagnostic Tool (CDT) can be downloaded from the following location on the Trend Micro website: http://www.trendmicro.com/download/product.asp?productid=25
For OfficeScan, download the Windows version of CDT and extract the contents of the ZIP file. Once extracted, run CaseDiagnosticTool.exe. The End-User License Agreement appears.

Figure 12.1: CDT License Agreement

Select I accept the terms of this license agreement and click Start. The CDT will detect existing Trend Micro products on the current computer. Once complete, you will be presented with all Trend Micro products found on the computer.

Figure 12.2: Detecting Trend Micro Products

Select the product for which you would like to gather debug information. Next, click the View Events link on the right side of the window. This will display all possible events for which CDT can gather information.

Figure 12.3: Product Events

There are numerous events that can be gathered for both the OfficeScan Server and Client:

OfficeScan Server
Basic product information
ActiveUpdate (Server pattern, engine and program download failed)
ActiveUpdate (Server pattern, engine and program deployment to clients failed)
Master setup failed
System has triggered Dr. Watson window
Problem related to management console
Communication error (server and client)
Database issues
Performance issues
Spyware cleanup issues
IIS/Apache log collection

OfficeScan Client
Basic client debug information
Problems with scanning
Problems with GPF
Problems with hotfix update
ActiveUpdate
Personal Firewall policy
Outbreak Prevention Policies (OPP)
POP3 MailScan
ScanMail for Outlook
SecuRemote debug
Communication problems
Web Reputation
Smart Scan-related issues

Table 12.1: CDT Data for OfficeScan Server and OfficeScan Client

Select the specific events you would like to include in your diagnostic information, or click the All Events checkbox, and click Next.
In Step 2 of the process, debug mode is enabled for the selected modules. When you click the Start Debug Mode button, CDT will automatically enable debug for the modules you selected on the previous page. This will cause a number of DOS windows to appear while each component's debug is enabled. You will also see text which says "Debug mode is changing".

Figure 12.4: Start Debug Mode

NOTE: Click Skip to go to the Generate Diagnostic Data screen (Figure 12.5) if you do not want to reproduce the problem at this time, or if you have already turned debug mode on, reproduced the problem, and turned debug mode off.

Once debug mode is enabled, change to the product console or dialog and try to reproduce the problem. After reproducing the problem, click Stop Debug Mode. This restores the original debug settings of the product and modules and allows you to proceed to the next step by clicking Next.
Step 3 of the process allows you to specify where the diagnostic information should be saved for analysis.

Figure 12.5: Generate Diagnostic Data Page

Select the folder where the information should be saved and which log files to collect. Also, you must provide a detailed explanation of the issue you experienced. This description will be included with all debug information when sent to Trend Micro Technical Support. Click Next to have CDT begin generating the diagnostic data.

Figure 12.6: Diagnosis complete

When CDT has finished generating the data, it will compress and save the file in the location specified, and display the Diagnosis completed message on the Generate diagnostic data page. The text field displays the path name of the compressed diagnostic data file (ZIP format). Click Open Folder to open the folder where the ZIP file is located, or click Finish to exit CDT. Once all diagnostic data has been gathered, contact your local Trend Micro Technical Support representative to begin the analysis of your data.

12.3 > Manually Enabling Debug Mode

If an OfficeScan problem persists after you perform standard program, module, service and network troubleshooting procedures, you can manually enable debug mode to examine the OfficeScan program for problems. You can then send the debug information to Trend Micro support engineers. Using this information, a support engineer can analyze the internal functions of the OfficeScan components, scanning threads, client communication, and interprocess communication to troubleshoot the problem.
You can enable debug mode for these components:
OfficeScan servers
OfficeScan clients
Vulnerability assessment
DCS
Installation
Policy Server
CTA
Posture Plug-In
NOTE: The installation debug logs are created automatically. You do not have to enable them.

12.3.1 Enabling Debug Mode on OfficeScan Servers

To enable debug mode on OfficeScan servers, click the first letter C in OfficeScan on the management console banner. The Debug Log Setting page opens.

Figure 12.7: Debug Log Setting page

Select the Enable debug log checkbox and select Debug from the Debug Level pull-down menu. Although you can choose five levels, there are only three levels of debug information:

Debug Level                    Information recorded
Debug                          This level includes the most detailed information.
Error, Warning, Information    Tracing and checkpoints are filtered out from the log. Tracing and checkpoints are the detailed steps or procedures that the module performs.
Fatal                          Only fatal errors are recorded in the log.

The default setting for the Debug Level is Debug. Always choose Debug unless another level is specified by a Trend Micro Support Engineer.
You can also configure the name and location of the debug file. The default name is ofcdebug.log, which is created in the {installation path}\PCCSRV\Private\LogServer folder. After configuring the options for debug mode, click Save. OfficeScan creates the ofcdebug.ini file in the above folder. This file actually launches the debug process.
After you enable debug mode, recreate the problem you encountered and make a copy of the debug log. Then, reopen the Debug Log Setting page, uncheck the Enable debug log checkbox and click Save. OfficeScan deletes the ofcdebug.ini file.
You can also use a text editor to manually create the ofcdebug.ini file in the {installation path}\PCCSRV\Private\LogServer folder. You must include the first three of the following entries; the last three entries are optional:
[Debug]
debuglevel=9
debuglog={installation path}\PCCSRV\Private\ofcdebug.log
debugLevel_new=D
debugSplitSize=10485760
debugSplitPeriod=12
debugRemoveAfterSplit=1

Execute LogServer.exe in the {installation path}\PCCSRV\Private\LogServer folder. Recreate the problem and save the debug log. Stop LogServer.exe and delete ofcdebug.ini.

12.3.2 Enabling Debug Mode on OfficeScan Clients

When the debug log is enabled on the OfficeScan client, all processes for all modules are recorded in one debug log. To enable debug mode for a client, complete the following steps:
1. Use a text editor to manually create the ofcdebug.ini file in the C:\ folder. You must include the first three of the following entries; the last three entries are optional:
[Debug]
debuglevel=9
debugLog=C:\ofcdebug.log
debugLevel_new=D
debugSplitSize=10485760
debugSplitPeriod=12
debugRemoveAfterSplit=1
2. Restart the OfficeScan client, which will automatically create LogServer.exe on the C drive.
3. Recreate the problem you had and save the debug log.
To stop debugging:
1. Delete the ofcdebug.ini file.
2. Restart the computer. This will stop debugging and remove LogServer.exe from the C drive.
WARNING! Make sure to stop debugging after the problem has been recreated. Otherwise, the client will continuously create debug logs even after the client is restarted.
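The ofcdebug.ini procedures for the server (12.3.1) and the client (12.3.2) as one added PowerShell example. It is not code from the textbook or from OfficeScan; it writes the same INI keys the page lists, starts or stops LogServer.exe, and removes the INI afterwards so the client does not keep logging across reboots. Assumptions: the default server install path under Program Files, the listener's service name is TmListen (display name OfficeScan NT Listener), and that restarting that service is enough for the client to pick up the INI (the page restarts the whole client); the log path for the server follows the sample INI on this page.

```powershell
# Added example, not from the OfficeScan textbook: scripts the ofcdebug.ini
# procedure for the server (12.3.1) and the client (12.3.2). Assumptions: the
# default server install path; client listener service name "TmListen"
# (display name "OfficeScan NT Listener"); run from an elevated PowerShell.
$ServerPrivate = Join-Path ${env:ProgramFiles} 'Trend Micro\OfficeScan\PCCSRV\Private'
$ServerLogDir  = Join-Path $ServerPrivate 'LogServer'

function New-OfcDebugIni {
    param([string] $IniPath, [string] $LogPath)
    # debuglevel, debuglog and debugLevel_new are the mandatory keys; the split
    # keys are optional but keep a long capture from filling the disk: rotate at
    # 10 MB or every 12 hours and drop the rotated pieces.
    $ini = @"
[Debug]
debuglevel=9
debuglog=$LogPath
debugLevel_new=D
debugSplitSize=10485760
debugSplitPeriod=12
debugRemoveAfterSplit=1
"@
    Set-Content -Path $IniPath -Value $ini -Encoding ASCII
}

function Enable-OfcDebug {
    param([ValidateSet('Server', 'Client')] [string] $Role)
    if ($Role -eq 'Server') {
        # Paths as in the sample ofcdebug.ini on this page.
        New-OfcDebugIni -IniPath (Join-Path $ServerLogDir 'ofcdebug.ini') `
                        -LogPath (Join-Path $ServerPrivate 'ofcdebug.log')
        Start-Process -FilePath (Join-Path $ServerLogDir 'LogServer.exe') -WorkingDirectory $ServerLogDir
    } else {
        New-OfcDebugIni -IniPath 'C:\ofcdebug.ini' -LogPath 'C:\ofcdebug.log'
        # The page restarts the whole client; restarting the listener service is
        # the lighter option (assumption: it is enough to start LogServer.exe).
        Restart-Service -Name 'TmListen' -Force
    }
}

function Disable-OfcDebug {
    param([ValidateSet('Server', 'Client')] [string] $Role)
    if ($Role -eq 'Server') {
        Get-Process -Name 'LogServer' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -Path (Join-Path $ServerLogDir 'ofcdebug.ini') -ErrorAction SilentlyContinue
    } else {
        # Leaving this file behind keeps the client logging across every reboot.
        Remove-Item -Path 'C:\ofcdebug.ini' -ErrorAction SilentlyContinue
        Write-Warning 'Restart the computer to stop LogServer.exe and finish disabling client debug.'
    }
}

# Usage: Enable-OfcDebug -Role Client; reproduce the problem; copy C:\ofcdebug.log;
#        Disable-OfcDebug -Role Client
```

Keep the split settings in place for any capture that runs longer than a few minutes; a level-9 log on a busy client grows quickly, and the log contains file paths and host names, so copy it off and delete it once support has it.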

12.3.3 Enabling Debug Mode for the Vulnerability Scanner

To enable debug mode for the vulnerability assessment scanner, you must modify the TMVS.ini file, which is located in {installation path}\PCCSRV\Admin\Utility\TMVS. Complete the following steps:
1. Use Notepad or a text editor to open the TMVS.ini file.
2. To enable the debug log, change the value from Debug=0 to Debug=1.
3. Save the TMVS.ini file.

12.3.4 Enabling Debug Mode for DCS

To enable debug mode for DCS, edit the following parameter in the TSC.ini file, which is located in the {installation path}\PCCSRV\Admin folder.
[advanced]
DebugInfoLevel=

There are three levels of debug logging:

Level 0 (or blank)    No debug information is provided.
Level 1-3             Generates debug information about what DCS has done to the system.
Level 4-5             Generates detailed debug information, including all operations that DCS has done.

NOTE: Level 4-5 debug information is generated for Trend Micro support staff. The TSCDebug.log is created in the C:\Program Files\Trend Micro\OfficeScan\Client\debug folder.

12.3.5 Special Log

OfficeScan uses the Special Log, which is located in the {installation path}\PCCSRV\Log folder, to record the following information:
Client has low disk space.
Client service does not start normally.
Client cannot ping nor telnet.
Master service start and stop.

12.3.6 Installation Debug

Two installation logs for the server and one for the client may help with installation problems. The ofcmasr.log is created in the local Windows folder, and the ofcmas.log is created in the Windows folder of the remote computer. The client log Agent_OSCE_install.log is located in the root of the drive (C:\). Using a text editor to view these logs, you can find the following data:
OS determination
Temp directory file copy
Upgrade process
Process result codes
System requirements verification
Pre-scan information
File copy process

12.3.7 Policy Server Debug

To enable debug mode for the Trend Micro Policy Server, edit the following parameters in the psdebug.ini file, which is located in the C:\Program Files\Trend Micro\PolicyServer directory.
[debug]
DebugLevel=9 (only level available)
DebugLog=C:\Program Files\Trend Micro\PolicyServer\psdebug.log

12.3.8 CTA Debug

To enable debug mode for the CTA, first create the CTALOGD.ini file in C:\Documents and Settings\All Users\Application Data\Cisco Systems\CiscoTrustAgent. You will need to create a subdirectory in this directory called Logs. Input these parameters into the .ini file, then restart CTA and the CTA Logging Service.
[main]
EnableLog=1
[loglevel]
NetTrans=15
PEAP=15
EAPTLV=15
CTAMsg=15
PADaemon=15
PAPlugin=15
EAPSQ=15

Code 1      Enable log
Code 0      Disable log
Level 15    Debug level

12.3.9 Posture Plug-In Debug

To enable debug logging for the Posture Plug-In, create the TMABPPDL.ini file in the system root directory. Input the following parameters:
[debug]
DebugLevel=9
DebugLog=C:\PPdebug.log

12.3.10 Additional Files to Collect for Technical Support

In addition to sending Trend Micro technical support the debug logs, you may be asked to collect the following files from the OfficeScan server:
ofcscan.ini in {installation path}\PCCSRV
tmudump.txt in ...\PCCSRV\Web\Service\AULog
server.ini in ...\PCCSRV\Web\Service
Registry export of HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

12.3.11 Control Manager Agent Debug

You can enable debug mode for the MCP agent when you encounter problems registering OfficeScan to the Trend Micro Control Manager (TMCM) server.
1. On the OfficeScan server, open the \OfficeScan\PCCSRV\CmAgent folder.
2. Open the product.ini file in a text editor.
3. Add the following lines at the end of the file:
[debug]
debugmode=3
debuglevel=3
debugtype=0
debugsize=10000
debuglog=c:\CMAgent_debug.log
4. Save and close the file.
5. Replicate the issue you encountered.
6. Send the C:\CMAgent_debug.log to Trend Micro Technical Support.
NOTE: To disable debug mode, open the product.ini file and remove the lines you added in step 3.

12.4 > Viewing Dr. Watson Logs


Dr. Watson is a debug tool that is included with the Windows operating system. You can use Dr. Watson logs to determine if a particular problem is caused by the Windows operating system. By default, Dr. Watson logs have a .wlg extension and are stored in the \Windows\Drwatson folder. The log records the program that created the fault, the program that the fault occurred in, and the memory address where the fault occurred.

12.5 > Problems with Updates

Use the procedure below (Figure 12.8 in the original is a flowchart) to troubleshoot problems with updates. After each step, perform an update via the management console (MC); if the update works, the problem is solved.
1. Perform an update via the MC. If ofcservice.exe is not running, proceed to Procedure A.
2. Start the WWW service, the Default Web Site and the OfficeScan Master service, then retry the update.
3. Verify Internet access by downloading the server.ini file from http://officescan-t.activeupdate.trendmicro.com/activeupdate/server.ini. Ensure that the MC has the correct entries for the Internet proxy; if there are no entries, define the proxy server and account on the Internet Proxy page of the OfficeScan MC, then retry the update.
4. Check the entries in ofcscan.ini. Ensure that the Master_Pattern_URL and Master_Program_URL entries have the value http://officescan-t.activeupdate.trendmicro.com/activeupdate/server.ini, then retry the update.
5. Clear the cached update files, then retry the update:
   For HTTP-based updates: PCCSRV\Web\cgi\temp (manual update) and PCCSRV\Web\service\temp (auto update).
   For file-based updates: PCCSRV\Admin\temp (manual update).
   Delete all items below the temp folder except the tmudump.txt log. If there is a proxy server, also delete the cached items on the proxy server.
6. If the update still fails, perform Procedure A or B and the debug procedures.

Figure 12.8: Troubleshooting Problems with Updates
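The server-side checks from the update troubleshooting flow above, together with the ActiveUpdate log locations listed under "Update Failed", as one added PowerShell example run on the OfficeScan server. It is not code from the textbook or from OfficeScan. Assumptions: the default install path under Program Files; the WWW and OfficeScan Master services are named W3SVC and ofcservice; any proxy is supplied by the caller (the proxy address in the comment is a placeholder). By default the script only reports what it would delete; pass -ClearTemp to actually clear the cached update files.

```powershell
# Added example, not from the OfficeScan textbook: the server-side checks from
# the update troubleshooting flow and the log paths in "Update Failed".
# Assumptions: default install path; service names W3SVC (WWW) and ofcservice
# (OfficeScan Master); any proxy is passed in by the caller. Run elevated.
param(
    [string] $PccSrv = (Join-Path ${env:ProgramFiles} 'Trend Micro\OfficeScan\PCCSRV'),
    [string] $Proxy  = $null,   # e.g. 'http://proxy.example.net:3128' (placeholder)
    [switch] $ClearTemp         # really delete cached update files (default: report only)
)
$AuUrl = 'http://officescan-t.activeupdate.trendmicro.com/activeupdate/server.ini'

# 1. Services the flow expects to be running before an update can succeed.
foreach ($name in 'W3SVC', 'ofcservice') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    '{0,-12} {1}' -f $name, $(if ($svc) { $svc.Status } else { 'not found' })
}

# 2. Master_Pattern_URL and Master_Program_URL in ofcscan.ini must point at the
#    ActiveUpdate server.ini.
$ini = Get-Content -Path (Join-Path $PccSrv 'ofcscan.ini')
foreach ($key in 'Master_Pattern_URL', 'Master_Program_URL') {
    $line  = $ini | Where-Object { $_ -match "^\s*$key\s*=" } | Select-Object -First 1
    $value = if ($line) { ($line -split '=', 2)[1].Trim() } else { '<missing>' }
    '{0,-18} {1}  {2}' -f $key, $(if ($value -eq $AuUrl) { 'OK ' } else { 'BAD' }), $value
}

# 3. Can this server fetch server.ini itself, through the proxy if one is given?
$wc = New-Object System.Net.WebClient
if ($Proxy) { $wc.Proxy = New-Object System.Net.WebProxy($Proxy) }
try   { 'server.ini download OK ({0} bytes)' -f $wc.DownloadString($AuUrl).Length }
catch { 'server.ini download FAILED: ' + $_.Exception.Message }

# 4. ActiveUpdate debug logs to read before deleting anything.
foreach ($rel in 'aubin\patch.ini', 'aubin\patchdmp.txt', 'aubin\patchdll.ini',
                 'Web\cgi\temp\tmudump.txt', 'Web\service\temp\tmudump.txt') {
    $item = Get-Item -Path (Join-Path $PccSrv $rel) -ErrorAction SilentlyContinue
    if ($item) { '{0,-30} {1,10} bytes  {2}' -f $rel, $item.Length, $item.LastWriteTime }
}

# 5. Cached update files: everything under the temp folders except tmudump.txt.
foreach ($rel in 'Web\cgi\temp', 'Web\service\temp', 'Admin\temp') {
    $dir = Join-Path $PccSrv $rel
    if (-not (Test-Path -Path $dir)) { continue }
    $stale = @(Get-ChildItem -Path $dir -Recurse -Force | Where-Object { $_.Name -ne 'tmudump.txt' })
    if ($ClearTemp) { $stale | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue }
    '{0,-18} {1} item(s) {2}' -f $rel, $stale.Count, $(if ($ClearTemp) { 'removed' } else { 'would be removed (use -ClearTemp)' })
}
```

Read step 4's output first: a tmudump.txt that stopped growing at the time of the failure usually names the file that could not be downloaded or merged, which decides between the v_aaa.bbb removal and the proxy or URL fixes before any cache is cleared.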

12.6 > Problems with CPU Utilization

Use the procedure below (Figure 12.9 in the original is a flowchart) to troubleshoot problems with CPU utilization when using the conventional scan method. Stop as soon as the problem is resolved.
1. Manage the OfficeScan Real-time Scan settings: disable compressed file scanning or set it to 1; set the scan to only specific extensions; exclude database directories; disable Real-time Scan during backup activity.
2. Roll back the pattern.
3. Roll back the engine.
4. Disable Real-time Scan to isolate the source, that is, whether the product or the scan engine causes the problem.
5. Perform the debug procedures.

Figure 12.9: Troubleshooting Problems with CPU Utilization

12.7 > Escalating Problems to Trend Micro Support

If you cannot find an answer to a problem, the technical support team of Trend Micro can help you find the solution. You must register OfficeScan to be eligible for support. For information on how to register OfficeScan, see Chapter 4: OfficeScan Server Installation on page 63. You can send an email message to the technical support staff of Trend Micro or you can visit the Trend Micro Support website.
Email: support@trendmicro.com
Website: http://esupport.trendmicro.com/

To speed the resolution of a problem, provide the Trend Micro support staff with:
Product activation code
Version numbers of the program, scan engine, and pattern file
Operating system and version
Type of Internet connection
Exact text of the error message, if any
Steps to reproduce the problem

12.8 > Trend Micro Support Contacts

Asia          asia@support.trendmicro.com
Argentina     soporte@trendmicro.com
Australia     support@trendmicro.au
Brazil        suporte@trendmicro.com.br
France        service_commercial@trendmicro.fr
Germany       support@trendmicro.de
Hong Kong     hksupport@trendmicro.com.hk
India         support@support.trendmicro.com
Italy         support@trendmicro.it
Korea         support@trendmicro.co.kr
Mexico        soporte@trendmicro.com.mx
Singapore     helpdesk.sg@trendmicro.com
Spain         support_spain@trendmicro.com
Taiwan        11F, No. 198, Sec. 2, Tun Hwa S. Road, Taipei, Taiwan (106); Tel: +886 2-2378-9666; Fax: +886 2-8733-1811; URL: www.trend.com.tw
USA/Canada    support@trendmicro.com

Appendix A: Notification Tokens

The following tokens are available for use in notification messages:
%CV    Will be replaced by the name of a virus or viruses.
%CC    Will be replaced by the name or IP address of a client or clients.
%A     Will be replaced by the name of an alert or alerts.
%T     Will be replaced by a time.
%C     Will be replaced by a log count.


Appendix B: Managing Data Protection and Using Digital Asset Control


This appendix discusses how to install and activate the Data Protection module and how to use the Digital Asset Control feature.

B.1 > Data Protection Installation


The Data Protection module includes the following features:
Digital Asset Control: Prevents unauthorized transmission of digital assets
Device Control: Regulates access to external devices

NOTE OfficeScan out-of-the-box has a Device Control feature that regulates access to commonly used devices such as USB storage devices. Device Control that is part of the Data Protection module expands the range of monitored devices.

Digital Asset Control and Device Control are native OfficeScan features but are licensed separately. After you install the OfficeScan server, these features are available but are not functional and cannot be deployed to clients. Installing Data Protection means downloading a file from the ActiveUpdate server or a custom update source, if one has been set up. When the file has been incorporated into the OfficeScan server, you can activate the Data Protection license to enable the full functionality of its features. Installation and activation are performed from Plug-in Manager.

Important: You do not need to install the Data Protection module if the Trend Micro Data Loss Prevention software is already installed and running on endpoints.

Important: The Data Protection module can be installed on a pure IPv6 Plug-in Manager. However, only the Device Control feature can be deployed to pure IPv6 clients. Digital Asset Control does not work on pure IPv6 clients.

TO INSTALL DATA PROTECTION:

1. Open the OfficeScan web console and click Plug-in Manager in the main menu.
2. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Download. The size of the file to be downloaded displays beside the Download button. Plug-in Manager stores the downloaded file in <Server installation folder>\PCCSRV\Download\Product.

NOTE: If Plug-in Manager is unable to download the file, it automatically re-downloads after 24 hours. To manually trigger Plug-in Manager to download the file, restart the OfficeScan Plug-in Manager service from the Microsoft Management Console.

3. Monitor the download progress. You can navigate away from the screen during the download. If you encounter problems downloading the file, check the server update logs on the OfficeScan web console. On the main menu, click Logs > Server Update Logs. After Plug-in Manager downloads the file, OfficeScan Data Protection displays in a new screen.
4. To install OfficeScan Data Protection immediately, click Install Now.
   4.1. To install at a later time:
        4.1.1. Click Install Later.
        4.1.2. Open the Plug-in Manager screen.
        4.1.3. Go to the OfficeScan Data Protection section and click Install.
5. Read the license agreement and accept the terms by clicking Agree. The installation starts.
6. Monitor the installation progress. After the installation, the OfficeScan Data Protection version displays.

Figure B.1: Plug-in Manager > OfficeScan Data Protection Screen

B.2 > Data Protection License

View, activate, and renew the Data Protection license from Plug-in Manager. Obtain the Activation Code from Trend Micro and then use it to activate the license.
TO ACTIVATE OR RENEW DATA PROTECTION:
1. Open the OfficeScan web console and click Plug-in Manager in the main menu.
2. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Manage Program.
3. Type the Activation Code. You can also copy the Activation Code and then paste it in any of the text boxes.
4. Click Save.
5. Log off from the web console and then log on again to view the configurations related to Digital Asset Control and Device Control.


TO VIEW LICENSE INFORMATION FOR DATA PROTECTION:

1. Open the OfficeScan web console and click Plug-in Manager in the main menu.
2. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Manage Program.
3. Click View License Information.
4. View the license details in the screen that opens.
The Data Protection License Details section provides the following information:
Status: Displays either "Activated", "Not Activated" or "Expired".
Version: Displays either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full".
Expiration Date: If Data Protection has multiple licenses, the latest expiration date displays. For example, if the license expiration dates are 12/31/2011 and 06/30/2011, 12/31/2011 displays.
Seats: Displays how many OfficeScan clients can install the Data Protection module.
Activation code: Displays the Activation Code.
Reminders about an expiring license display during the following instances:
If you have a full version license, a reminder displays during and after the grace period. The full version license enters a grace period after it expires.

Figure B.2: OfficeScan Data Protection License Details Screen

NOTE: The duration of the grace period varies by region. Please verify the grace period with your Trend Micro representative.

If you have an evaluation version license, a reminder displays when the license expires. There is no grace period for an evaluation version license. If you do not renew the license, Digital Asset Control and Device Control still work but you will no longer be eligible for technical support.
1. Click View detailed license online to view information about your license on the Trend Micro website.

2. To update the screen with the latest license information, click Update Information.

B.3 > Deploying Data Protection to Clients


Deploy the Data Protection module to clients after activating its license. After the deployment, the client will start to use Digital Asset Control and Device Control.

Important: The Data Protection module only supports 32-bit platforms.

By default, the module is disabled on 32-bit versions of Windows Server 2003 and Windows Server 2008 to prevent impacting the performance of the host machine. If you want to enable the module, monitor the system's performance constantly and take the necessary action when you notice a drop in performance.

Important: Only Device Control can be deployed to pure IPv6 clients. Digital Asset Control does not work on pure IPv6 clients.

Online clients will install the Data Protection module immediately. Offline and roaming clients install the module when they come online. If the Trend Micro Data Loss Prevention software already exists on the endpoint, OfficeScan will not replace it with the Data Protection module. In order to finish installing the Digital Asset Control driver, users must restart their computers.
Tip: Trend Micro recommends enabling debug logging to help you troubleshoot deployment issues.

B.3.1 About Digital Asset Control


Traditional security solutions are focused on preventing external security threats from reaching the network. In today's security environment, this is only half the story. Data breaches are now commonplace, exposing an organization's confidential and sensitive data, referred to as digital assets, to outside unauthorized parties. A data breach may occur as a result of internal employee mistakes or carelessness, data outsourcing, stolen or misplaced computing devices, or malicious attacks. Data breaches can:
Damage brand reputation
Erode customer trust in the organization
Result in unnecessary costs to cover remediation and to pay fines for violating compliance regulations
Lead to lost business opportunities and revenue when intellectual property is stolen

With the prevalence and damaging effects of data breaches, organizations now see digital asset protection as a critical component of their security infrastructure. Digital Asset Control safeguards an organization's digital assets against accidental or deliberate leakage. Digital Asset Control allows you to:


Identify the digital assets to protect
Create policies that limit or prevent the transmission of digital assets through common transmission channels, such as email and external devices
Enforce compliance with established privacy standards

B.3.2 Digital Asset Control Policies


OfficeScan evaluates a file or data against a set of rules defined in Digital Asset Control policies. Policies determine files or data that must be protected from unauthorized transmission and the action that OfficeScan performs when it detects transmission. You can configure policies for internal and external clients. OfficeScan administrators typically configure a stricter policy for external clients. Policies are granular settings in the OfficeScan client tree. You can enforce specific policies to client groups or individual clients. You can also enforce a single policy to all clients. After you deploy the policies, clients use the location criteria you have set in the Computer Location to determine their location and the policy to apply. Clients switch policies each time the location changes. Data transmissions between the OfficeScan server and its clients are not monitored. If the destination of the server data is not the client, the policy takes effect. The same is true if the destination of the client data is not the server.

Policy Configuration
Define Digital Asset Control policies by configuring the following items:

ITEM: Template
DESCRIPTION: A digital asset template combines digital asset definitions and logical operators (And, Or, Except) to form condition statements. Only files or data that satisfy a certain condition statement will be subject to a Digital Asset Control policy. OfficeScan comes with a set of predefined templates and allows users to create customized templates. A Digital Asset Control policy can contain one or several templates. If a file or data matches the definition on more than one template, the higher priority template applies.

ITEM: Channel
DESCRIPTION: Channels are entities that transmit digital assets.

ITEM: Action
DESCRIPTION: OfficeScan performs one or several actions when it detects an attempt to transmit digital assets through any of the channels.

ITEM: Exception
DESCRIPTION: An exception overrides the action configured for a policy. For example, a policy may block the transmission of digital assets through email, except those that are transmitted to the organization's email domains.

Table B.1: Digital Asset Control Policy Configuration Parameters


Administrator Track

Appendix B: Managing Data Protection and Using Digital Asset Control

B.3.3 Digital Asset Definitions


Digital assets are files and data that an organization must protect against unauthorized transmission. You can define digital assets using the following:
- Expressions: Data that has a certain structure.
- File attributes: File properties such as file type and file size.
- Keywords: A list of special words or phrases.

Expressions
An expression is data that has a certain structure. For example, credit card numbers typically have 16 digits and appear in the format "nnnn-nnnn-nnnn-nnnn", making them suitable for expression-based detections. You can use predefined and customized expressions. For details, please refer to the Administration Guide, which contains full descriptions of the predefined expressions.
TO VIEW SETTINGS FOR PREDEFINED EXPRESSIONS:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Click the expression name.
3. View settings in the screen that opens.

Figure B.3: Digital Asset Definitions Screen

Customized Expressions

Create customized expressions if none of the predefined expressions meet your requirements. Expressions are a powerful string-matching tool. Ensure that you are comfortable with expression syntax before creating expressions. Poorly written expressions can dramatically impact performance.


When creating expressions:
- Refer to the predefined expressions for guidance on how to define valid expressions. For example, if you are creating an expression that includes a date, you can refer to the expression for Full Date, ISO DATE, Partial Date, or UK Date.
- Note that OfficeScan follows the expression formats defined in Perl Compatible Regular Expressions (PCRE). For more information, visit the following website: http://www.pcre.org/
- Start with simple expressions. Modify the expressions if they are causing false alarms or fine-tune them to improve detections.

There are several criteria that you can choose from when creating expressions. An expression must satisfy your chosen criteria before OfficeScan subjects it to a Digital Asset Control policy. Choose one of the following criteria for each expression:

Criteria: None
Rule: None
Example: American people's names
    Expression: [^\w]([A-Z][a-z]{1,12}(\s?,\s?|[\s]|\s([A]

Criteria: Specific characters
Rule: An expression must include the characters you have specified. In addition, the number of characters in the expression must be within the minimum and maximum limits.
Example: ABA routing number
    Expression: [^\d]([0123678]\d{8})[^\d]
    Characters: 0123456789
    Minimum characters: 9
    Maximum characters: 9

Criteria: Suffix
Rule: Suffix refers to the last segment of an expression. A suffix must include the characters you have specified and contain a certain number of characters. In addition, the number of characters in the expression must be within the minimum and maximum limits.
Example: Home address, with zip code as the suffix
    Expression: \D(\d+\s[a-z.]+\s([a-z]+\s){0,2}(lane|ln|street|st|avenue|ave|road|rd|place|pl|drive|dr|circle|cr|court|ct|boulevard|blvd)\.?[0-9a-z,#\s\.]{0,30}[\s|,][a-z]{2}\s\d{5}(\d{4})?)[^\d]
    Suffix characters: 0123456789
    Number of characters: 5
    Minimum characters in the expression: 25
    Maximum characters in the expression: 80

Criteria: Single character separator
Rule: An expression must have two segments separated by a character. The character must be 1 byte in length. In addition, the number of characters left of the separator must be within the minimum and maximum limits. The number of characters right of the separator must not exceed the maximum limit.
Example: Email address
    Expression: [^\w.]([\w\.]{1,20}@[a-z0-9]{2,20}[\.][a-z]{2,5}[a-z\.]{0,10})[^\w.]
    Separator: @
    Minimum characters to the left: 3
    Maximum characters to the left: 15
    Maximum characters to the right: 30

Table B.2: Digital Asset Control Customized Expressions
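To make the criteria in Table B.2 concrete, the following added example (not OfficeScan's code) applies the table's three complete expressions together with their criteria to constructed sample text. The Expression class, the function names and the sample strings are assumptions; Python's re module stands in for PCRE, and the expressions are matched case-sensitively.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: models the Digital Asset Control "criteria" of Table B.2.
# Class, field and function names are constructed for this illustration.


@dataclass
class Expression:
    name: str
    pattern: str                      # PCRE-style expression; group 1 is the asset
    criteria: str = "none"            # none | specific_characters | suffix | separator
    chars: str = ""                   # allowed characters (specific_characters / suffix)
    min_len: int = 0                  # min/max characters in the whole expression
    max_len: Optional[int] = None
    suffix_len: int = 0               # number of characters in the suffix
    separator: str = ""               # single-byte separator character
    min_left: int = 0                 # characters left of the separator
    max_left: Optional[int] = None
    max_right: Optional[int] = None   # characters right of the separator


def _within(n: int, low: int, high: Optional[int]) -> bool:
    return n >= low and (high is None or n <= high)


def meets_criteria(expr: Expression, candidate: str) -> bool:
    """Apply the expression's configured criteria to one regex match."""
    if expr.criteria == "none":
        return True
    if expr.criteria == "specific_characters":
        # Every character must be one of those specified, and the total
        # length must sit within the minimum/maximum limits.
        return (set(candidate) <= set(expr.chars)
                and _within(len(candidate), expr.min_len, expr.max_len))
    if expr.criteria == "suffix":
        # The last suffix_len characters must all be allowed characters,
        # and the whole match must respect the length limits.
        suffix = candidate[-expr.suffix_len:] if expr.suffix_len else ""
        return (len(suffix) == expr.suffix_len
                and set(suffix) <= set(expr.chars)
                and _within(len(candidate), expr.min_len, expr.max_len))
    if expr.criteria == "separator":
        left, sep, right = candidate.partition(expr.separator)
        if not sep:
            return False
        return (_within(len(left), expr.min_left, expr.max_left)
                and (expr.max_right is None or len(right) <= expr.max_right))
    raise ValueError(f"unknown criteria: {expr.criteria}")


def find_assets(expr: Expression, text: str) -> List[str]:
    """Return every match of the expression that also passes its criteria."""
    return [m.group(1) for m in re.finditer(expr.pattern, text)
            if meets_criteria(expr, m.group(1))]


# The three fully shown expressions from Table B.2, with their criteria.
ABA_ROUTING = Expression(
    "ABA routing number", r"[^\d]([0123678]\d{8})[^\d]",
    criteria="specific_characters", chars="0123456789", min_len=9, max_len=9)

HOME_ADDRESS = Expression(
    "Home address, zip code as suffix",
    r"\D(\d+\s[a-z.]+\s([a-z]+\s){0,2}(lane|ln|street|st|avenue|ave|road|rd|"
    r"place|pl|drive|dr|circle|cr|court|ct|boulevard|blvd)\.?"
    r"[0-9a-z,#\s\.]{0,30}[\s|,][a-z]{2}\s\d{5}(\d{4})?)[^\d]",
    criteria="suffix", chars="0123456789", suffix_len=5, min_len=25, max_len=80)

EMAIL_ADDRESS = Expression(
    "Email address",
    r"[^\w.]([\w\.]{1,20}@[a-z0-9]{2,20}[\.][a-z]{2,5}[a-z\.]{0,10})[^\w.]",
    criteria="separator", separator="@", min_left=3, max_left=15, max_right=30)


if __name__ == "__main__":
    # Constructed sample text; the 9-digit numbers are made-up values.
    # 923456789 fails the expression, ab@example.com fails the separator
    # criteria (only 2 characters left of the "@").
    sample = ("Wire to routing 123456789, not 923456789. Contact jdoe@example.com "
              "or ab@example.com. Ship to 12 main street, springfield, il 62704 today.")
    for expr in (ABA_ROUTING, HOME_ADDRESS, EMAIL_ADDRESS):
        print(expr.name, "->", find_assets(expr, sample))
```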

TO ADD AN EXPRESSION:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Click Add. A new screen displays.
3. Type a name for the expression. The name must not exceed 100 bytes in length and cannot contain the following characters:
   > < * ^ | & ? \ /
4. Type a description that does not exceed 256 bytes in length.
5. Type the expression and specify whether it is case-sensitive.
6. Type the displayed data. For example, if you are creating an expression for ID numbers, type a sample ID number. This data is used for reference purposes only and will not appear elsewhere in the product.
7. Choose one of the following criteria and configure additional settings for the chosen criteria:
   - None
   - Specific characters
   - Suffix
   - Single-character separator
8. Test the expression against actual data. For example, if the expression is for a national ID, type a valid ID number in the Test data text box, click Test, and then check the results.
9. Click Save if you are satisfied with the results. The screen closes.
10. Back in the Digital Asset Definitions screen, click Assign to Clients.


Figure B.4: Expressions > Add Expressions

TO ADD AN EXPRESSION USING THE "COPY" OPTION:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Select a customized expression and then click Copy. A new screen appears.
3. Type a unique name for the expression. The name must not exceed 100 bytes in length and cannot contain the following characters:
   < * ^ | & ? \ /
4. Accept or modify the other settings.
5. Click Save. The screen closes.
6. Back in the Digital Asset Definitions screen, click Assign to Clients.

TO ADD EXPRESSIONS USING THE "IMPORT" OPTION:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Click Import and then locate the .dat file containing the expressions.
3. Click Open. A message appears, informing you if the import was successful. If an expression to be imported already exists in the list, it will be skipped.
4. Click Assign to Clients.


TO MODIFY AN EXPRESSION:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Click the name of the expression that you want to modify. A new screen appears.
3. Modify the settings.
4. Click Save. The screen closes.
5. Back in the Digital Asset Definitions screen, click Assign to Clients.

TO EXPORT EXPRESSIONS:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Click Export.
3. Save the resulting .dat file to your preferred location.

TO DELETE EXPRESSIONS:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Select the expressions that you want to delete and click Delete.
3. Click Assign to Clients.

B.3.4 File Attributes

File attributes are specific properties of a file. You can use two file attributes when defining digital assets, namely:
- File type
- File size

For example, a software development company may want to limit the sharing of the company's software installer to the R&D department, whose members are responsible for the development and testing of the software. In this case, the OfficeScan administrator can create a policy that blocks the transmission of executable files that are 10 to 40MB in size to all departments except R&D. By themselves, file attributes are poor identifiers of sensitive files. Continuing the example in this topic, third-party software installers shared by other departments will most likely be blocked. Trend Micro therefore recommends combining file attributes with other digital asset definitions for a more targeted detection of sensitive files.

NOTE: For the full list of supported file types, please refer to the OfficeScan Administrator's Guide.

TO ADD A FILE ATTRIBUTE LIST:

1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes.
2. Click Add. A new screen displays.
3. Type a name for the file attribute list. The name must not exceed 100 bytes in length and cannot contain the following characters:
   < * ^ | & ? \ /


4. Type a description that does not exceed 256 bytes in length.
5. Choose a file type scope.
   - Selected file types: The file types that you will select in the next step are digital assets.
   - Non-selected file types: The file types that you will not select in the next step are digital assets.
6. Depending on the option you chose in the previous step, you can select file types or leave file types unselected.
7. If a file type you want to include is not listed, you can type the file type's extension under Others. Separate file extensions by semicolons. You can add the wildcard character (*) before the file extension. For example, typing *.fm adds the extensions .fm, .fme, .fml, and .fmp to the list.
8. Type the minimum and maximum file sizes in bytes. Both file sizes must be whole numbers larger than zero.
9. Click Save. The screen closes.
10. Back in the Digital Asset Definitions screen, click Assign to Clients.

Figure B.5: File Attributes Screen


TO ADD A FILE ATTRIBUTE LIST USING THE "COPY" OPTION:

1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes.
2. Select the name of a file attribute list and then click Copy. A new screen appears.
3. Type a unique name for the file attribute list. The name must not exceed 100 bytes in length and cannot contain the following characters:
   < * ^ | & ? \ /
4. Accept or modify the other settings.
5. Click Save. The screen closes.
6. Back in the Digital Asset Definitions screen, click Assign to Clients.

TO ADD FILE ATTRIBUTE LISTS USING THE "IMPORT" OPTION:

1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes.
2. Click Import and then locate the .dat file containing the file attribute lists.
3. Click Open. A message appears, informing you if the import was successful. If a file attribute list to be imported already exists, it will be skipped.
4. Click Assign to Clients.

TO MODIFY A FILE ATTRIBUTE LIST:

1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes.
2. Click the name of the file attribute list that you want to modify. A new screen appears.
3. Modify the settings.
4. Click Save. The screen closes.
5. Back in the Digital Asset Definitions screen, click Assign to Clients.

TO EXPORT FILE ATTRIBUTE LISTS:

1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes.
2. Click Export.
3. Save the resulting .dat file to your preferred location.

TO DELETE FILE ATTRIBUTE LISTS:

1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes.
2. Select the file attribute lists that you want to delete and click Delete.
3. Click Assign to Clients.

B.3.5 Keywords
Keywords are special words or phrases. You can add related keywords to a keyword list to identify specific types of data. For example, "prognosis", "blood type", "vaccination", and "physician" are keywords that may appear in a medical certificate. If you want to prevent the transmission of medical certificate files, you can use these keywords in a Digital Asset Control policy and then configure OfficeScan to block files containing these keywords.

Commonly used words can be combined to form meaningful keywords. For example, "end", "read", "if", and "at" can be combined to form keywords found in source codes, such as "ENDIF", "END-READ", and "AT END". You can use predefined and customized keyword lists.

NOTE: For the full list of Predefined Keyword Lists, please refer to the OfficeScan Administration Guide.

TO VIEW SETTINGS FOR PREDEFINED KEYWORD LISTS:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Click the keyword list name.
3. View settings in the screen that opens.
4. To export keywords:
   - Click Export.
   - Save the resulting .csv file to your preferred location.

Figure B.6: File Attributes Screen

Customized Keyword Lists

Create customized keyword lists if none of the predefined keyword lists meet your requirements. There are several criteria that you can choose from when configuring a keyword list. A keyword list must satisfy your chosen criteria before OfficeScan subjects it to a Digital Asset Control policy. Choose one of the following criteria for each keyword list:


CRITERIA: Any keyword
RULE: A file must contain at least one keyword in the keyword list.

CRITERIA: All keywords
RULE: A file must contain all the keywords in the keyword list.

CRITERIA: All keywords within <x> characters
RULE: A file must contain all the keywords in the keyword list. In addition, each keyword pair must be within <x> characters of each other. For example, your 3 keywords are ABCDE, FGHIJ, and WXYZ and the number of characters you specified is 20. If OfficeScan detects all keywords in the order FGHIJ, ABCDE, and WXYZ, the number of characters from F to A and from A to W must be 20 characters at most.
The following data matches the criteria:
FGHIJ####ABCDE############WXYZ
The following data does not match the criteria:
FGHIJ*******************ABCDE****WXYZ
When deciding on the number of characters, remember that a small number, such as 10, will usually result in faster scanning time but will only cover a relatively small area. This may reduce the likelihood of detecting sensitive data, especially in large files. As the number increases, the area covered also increases but scanning time might be slower.

CRITERIA: Combined score for keywords exceeds threshold
RULE: A file must contain one or more keywords in the keyword list. If only one keyword was detected, its score must be larger than the threshold. If there are several keywords, their combined score must be larger than the threshold. Assign each keyword a score of 1 to 10. A highly confidential word or phrase, such as "salary increase" for the Human Resources department, should have a relatively high score. Words or phrases that, by themselves, do not carry much weight can have lower scores. Consider the scores that you assigned to the keywords when configuring the threshold. For example, if you have five keywords and three of those keywords are high priority, the threshold can be equal to or lower than the combined score of the three high priority keywords. This means that the detection of these three keywords is enough to treat the file as sensitive.

Table B.3: Customized Keyword Lists
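The four keyword criteria in Table B.3, implemented as an added example (not OfficeScan code) and run over the table's own FGHIJ/ABCDE/WXYZ data. The function names, the HR keyword scores other than "salary increase", and the rule that the first occurrence of each keyword is the one measured are assumptions made here.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Added example: the four keyword-list criteria of Table B.3, applied to
# constructed sample text. Function names and scores are illustrative.


def find_keywords(text: str, keywords: Sequence[str],
                  case_sensitive: bool = False) -> List[Tuple[str, int]]:
    """Return (keyword, offset) for the first occurrence of each keyword
    present in the text, sorted by where it appears."""
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = []
    for kw in keywords:
        m = re.search(re.escape(kw), text, flags)
        if m:
            hits.append((kw, m.start()))
    return sorted(hits, key=lambda h: h[1])


def any_keyword(text: str, keywords: Sequence[str]) -> bool:
    """Criteria "Any keyword": at least one keyword is present."""
    return bool(find_keywords(text, keywords))


def all_keywords(text: str, keywords: Sequence[str]) -> bool:
    """Criteria "All keywords": every keyword is present."""
    return len(find_keywords(text, keywords)) == len(keywords)


def all_keywords_within(text: str, keywords: Sequence[str], x: int) -> bool:
    """Criteria "All keywords within <x> characters": every keyword is
    present and, taking them in the order detected, each keyword starts at
    most x characters after the start of the previous one (F to A, A to W
    in the table's example). Assumption: the first occurrence of each
    keyword is the one measured."""
    hits = find_keywords(text, keywords)
    if len(hits) != len(keywords):
        return False
    return all(hits[i + 1][1] - hits[i][1] <= x for i in range(len(hits) - 1))


def combined_score_exceeds(text: str, scores: Dict[str, int],
                           threshold: int) -> bool:
    """Criteria "Combined score for keywords exceeds threshold": add up the
    scores (1 to 10) of the keywords present; the file is sensitive when
    the total is larger than the threshold."""
    if any(not 1 <= s <= 10 for s in scores.values()):
        raise ValueError("keyword scores must be between 1 and 10")
    present = find_keywords(text, list(scores))
    return sum(scores[kw] for kw, _ in present) > threshold


# Sample data from Table B.3: three keywords, x = 20.
PROXIMITY_KEYWORDS = ["ABCDE", "FGHIJ", "WXYZ"]
MATCHING_DATA = "FGHIJ####ABCDE############WXYZ"
NON_MATCHING_DATA = "FGHIJ*******************ABCDE****WXYZ"

# Constructed HR keyword list: three high-priority keywords (9, 8, 8) and
# two low-weight ones. A threshold of 24 lets the three high-priority
# keywords alone (25) mark a file as sensitive, as the table recommends.
HR_SCORES = {"salary increase": 9, "termination": 8, "severance": 8,
             "department": 2, "meeting": 1}
HR_THRESHOLD = 24


if __name__ == "__main__":
    print(all_keywords_within(MATCHING_DATA, PROXIMITY_KEYWORDS, 20))      # True
    print(all_keywords_within(NON_MATCHING_DATA, PROXIMITY_KEYWORDS, 20))  # False
    memo = "Severance and termination terms apply after the salary increase."
    print(combined_score_exceeds(memo, HR_SCORES, HR_THRESHOLD))          # True
    print(combined_score_exceeds("department meeting notes", HR_SCORES, HR_THRESHOLD))  # False
```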

TO ADD A KEYWORD LIST:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Click Add. A new screen displays.
3. Type a name for the keyword list. The name must not exceed 100 bytes in length and cannot contain the following characters:
   < * ^ | & ? \ /
4. Type a description that does not exceed 256 bytes in length.


5. Choose one of the following criteria and configure additional settings for the chosen criteria:
   - Any keyword
   - All keywords
   - All keywords within <x> characters
   - Combined score for keywords exceeds threshold
6. To manually add keywords to the list:
   6.1. Type a keyword that is 3 to 40 bytes in length and specify whether it is case-sensitive.
   6.2. Click Add.
7. To add keywords by using the "import" option:
   7.1. Click Import and then locate the .csv file containing the keywords.
   7.2. Click Open. A message appears, informing you if the import was successful. If a keyword to be imported already exists in the list, it will be skipped.
8. To delete keywords, select the keywords and click Delete.
9. To export keywords:
   9.1. Click Export.
   9.2. Save the resulting .csv file to your preferred location.

NOTE: Use the "export" feature to back up the keywords or to import them to another OfficeScan server. All keywords in the keyword list will be exported. It is not possible to export individual keywords.

10. Click Save. The screen closes.
11. Back in the Digital Asset Definitions screen, click Assign to Clients.


Figure B.7: Add Keyword List screen

TO ADD A KEYWORD LIST USING THE "COPY" OPTION:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Select the name of a customized keyword list and then click Copy. A new screen appears.
3. Type a unique name for the keyword list. The name must not exceed 100 bytes in length and cannot contain the following characters:
   < * ^ | & ? \ /
4. Accept or modify the other settings.
5. Click Save. The screen closes.
6. Back in the Digital Asset Definitions screen, click Assign to Clients.

TO ADD KEYWORD LISTS USING THE "IMPORT" OPTION:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Click Import and then locate the .dat file containing the keyword lists.
3. Click Open. A message appears, informing you if the import was successful. If a keyword list to be imported already exists, it will be skipped.
4. Click Assign to Clients.

TO MODIFY A KEYWORD LIST:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Click the name of the keyword list that you want to modify. A new screen appears.
3. Modify the settings.


4. Click Save. The screen closes.
5. Back in the Digital Asset Definitions screen, click Assign to Clients.

TO EXPORT KEYWORD LISTS:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Click Export.
3. Save the resulting .dat file to your preferred location.

TO DELETE KEYWORD LISTS:

1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Select the keyword lists that you want to delete and click Delete.
3. Click Assign to Clients.

B.4 > Digital Asset Templates


A digital asset template combines digital asset definitions and logical operators (And, Or, Except) to form condition statements. Only files or data that satisfy a certain condition statement will be subject to a Digital Asset Control policy. For example, a file must be a Microsoft Word file (file attribute) AND must contain certain legal terms (keywords) AND must contain ID numbers (expressions) for it to be subject to the "Employment Contracts" policy. This policy allows Human Resources personnel to transmit the file through printing so that the printed copy can be signed by an employee. Transmission through all other possible channels, such as email, is blocked. You can create your own templates if you have configured digital asset definitions. You can also use predefined templates.

B.4.1 Predefined Digital Asset Templates


OfficeScan comes with a set of predefined templates that you can use to comply with various regulatory standards. These templates cannot be modified, copied, exported, or deleted.

Please refer to the OfficeScan Administration Guide for a detailed list of predefined Digital Asset Templates.

B.4.2 Customized Digital Asset Templates


Create your own templates if you have configured digital asset definitions. A template combines digital asset definitions and logical operators (And, Or, Except) to form condition statements.


Condition Statements and Logical Operators

OfficeScan evaluates condition statements from left to right. Use logical operators carefully when configuring condition statements. Incorrect usage leads to an erroneous condition statement that will likely produce unexpected results.

CONDITION STATEMENT: [Definition 1] And [Definition 2] Except [Definition 3]
INTERPRETATION AND EXAMPLE: A file must satisfy [Definition 1] and [Definition 2] but NOT [Definition 3]. For example: A file must be [an Adobe PDF document] and must contain [an email address] but should not contain [all of the keywords in the keyword list].

CONDITION STATEMENT: [Definition 1] And [Definition 2] Or [Definition 3] And [Definition 4]
INTERPRETATION AND EXAMPLE: At least one of the following must be true:
- A file must satisfy [Definition 1] and [Definition 2]
- A file must satisfy [Definition 3] and [Definition 4]
For example: A file must be [an Adobe PDF document] and must contain [3 keywords with a combined score of 10]. OR A file must be [a Microsoft Word document] and must contain [all of the keywords in the keyword list].

CONDITION STATEMENT: Except [Definition 1]
INTERPRETATION AND EXAMPLE: A file must not satisfy [Definition 1]. For example: A file must not be [a multimedia file].

Table B.4: Digital Asset Template Samples

As the last example in the table illustrates, the first digital asset definition in the condition statement can have the "Except" operator if a file must not satisfy all of the digital asset definitions in the statement. In most cases, however, the first digital asset definition does not have an operator.
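An added evaluator (not OfficeScan code) for the condition statements in Table B.4: it reads a statement, splits it at Or, and checks the And and Except definitions of each clause against a file, which is the grouping the table's interpretations describe. The definitions, the file record format and the sample files are constructed assumptions.

```python
import re
from typing import Callable, Dict, List, Tuple

# Added example: evaluates Table B.4 condition statements against a file.
# Grammar and evaluation order are an assumption taken from the table's
# interpretations: "Or" separates alternative clauses; within a clause every
# "And" definition must match and every "Except" definition must not.
# Definitions and sample files are constructed for this illustration.

FileRecord = Dict[str, str]            # {"type": extension, "text": content}
Definition = Callable[[FileRecord], bool]

DEFINITIONS: Dict[str, Definition] = {
    "Adobe PDF document": lambda f: f["type"] == "pdf",
    "Microsoft Word document": lambda f: f["type"] in ("doc", "docx"),
    "multimedia file": lambda f: f["type"] in ("mp3", "mp4", "avi"),
    "email address": lambda f: re.search(r"\w+@[a-z0-9.]+\.[a-z]{2,5}",
                                         f["text"]) is not None,
    "all keywords": lambda f: all(k in f["text"].lower()
                                  for k in ("prognosis", "physician")),
}

_TOKEN = re.compile(r"(And|Or|Except)?\s*\[([^\]]+)\]")


def parse_statement(statement: str) -> List[List[Tuple[str, str]]]:
    """Turn "[D1] And [D2] Or [D3]" into clauses of (operator, definition).
    A first definition without an operator is treated as "And"."""
    clauses: List[List[Tuple[str, str]]] = []
    clause: List[Tuple[str, str]] = []
    consumed = 0
    for m in _TOKEN.finditer(statement):
        # Anything between two tokens other than whitespace is a syntax error.
        if statement[consumed:m.start()].strip():
            raise ValueError(f"cannot parse {statement[consumed:m.start()]!r}")
        consumed = m.end()
        op = m.group(1) or "And"
        if op == "Or":
            if not clause:
                raise ValueError("'Or' must follow a definition")
            clauses.append(clause)
            clause, op = [], "And"
        clause.append((op, m.group(2).strip()))
    if statement[consumed:].strip() or not clause:
        raise ValueError("malformed condition statement")
    clauses.append(clause)
    return clauses


def evaluate(statement: str, file: FileRecord,
             definitions: Dict[str, Definition] = DEFINITIONS) -> bool:
    """True when the file satisfies at least one clause of the statement,
    i.e. when the template would subject it to the policy."""
    for clause in parse_statement(statement):
        satisfied = True
        for op, name in clause:
            matched = definitions[name](file)
            if (op == "And" and not matched) or (op == "Except" and matched):
                satisfied = False
                break
        if satisfied:
            return True
    return False


# The three statements of Table B.4, written with the constructed definitions.
STATEMENT_1 = "[Adobe PDF document] And [email address] Except [all keywords]"
STATEMENT_2 = ("[Adobe PDF document] And [email address] "
               "Or [Microsoft Word document] And [all keywords]")
STATEMENT_3 = "Except [multimedia file]"


if __name__ == "__main__":
    pdf = {"type": "pdf", "text": "Please reply to jdoe@example.com"}
    print(parse_statement(STATEMENT_2))
    for statement in (STATEMENT_1, STATEMENT_2, STATEMENT_3):
        print(statement, "->", evaluate(statement, pdf))
```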

TO ADD A TEMPLATE:

1. Click Add. A new screen displays.
2. Type a name for the template. The name must not exceed 100 bytes in length and cannot contain the following characters:
   < * ^ | & ? \ /
3. Type a description that does not exceed 256 bytes in length.
4. Select digital asset definitions and then click the Add icon. When selecting definitions:
   - Select multiple entries by pressing and holding the CTRL key and then selecting the definitions.


   - Use the search feature if you have a specific definition in mind. You can type the full or partial name of the definition.
   - Each template can contain a maximum of 30 definitions.
   4.1. To create definitions:
      4.1.1. Click the icon next to Available definitions and select from the following options:
         - Add new expression
         - Add new file attribute
         - Add new keyword
   4.2. In the screen that appears, configure settings for the definition.
5. If you selected an expression, type the number of occurrences, which is the number of times an expression must occur before OfficeScan subjects it to a Digital Asset Control policy.
6. Choose a logical operator for each definition.
7. To remove a definition from the list of selected definitions, click the trash bin icon.
8. Click Save. The screen closes.
9. Back in the Digital Asset Templates screen, click Assign to Clients.

Figure B.8: Add Digital Asset Template screen


TO ADD A TEMPLATE USING THE "COPY" OPTION:

1. Select a customized template and then click Copy. A new screen appears.
2. Type a unique name for the template. The name must not exceed 100 bytes in length and cannot contain the following characters:
   < * ^ | & ? \ /
3. Accept or modify the other settings.
4. Click Save. The screen closes.
5. Back in the Digital Asset Templates screen, click Assign to Clients.

TO ADD TEMPLATES USING THE "IMPORT" OPTION:

1. Click Import and then locate the .dat file containing the templates.
2. Click Open. A message appears, informing you if the import was successful. If a template to be imported already exists, it will be skipped.
3. Click Assign to Clients.

TO MODIFY A TEMPLATE:

1. Click the name of the template that you want to modify. A new screen appears.
2. Modify the settings.
3. Click Save. The screen closes.
4. Back in the Digital Asset Templates screen, click Assign to Clients.

TO EXPORT TEMPLATES:

1. Click Export.
2. Save the resulting .dat file to your preferred location.

TO DELETE TEMPLATES:

1. Select the templates that you want to delete and click Delete.
2. Click Assign to Clients.

B.5 > Digital Asset Control Channels


Users can transmit digital assets through various channels. OfficeScan can monitor the following channels:
- Data recorders (CD/DVD)
- Email clients
- FTP
- HTTP and HTTPS
- IM Applications
- Peer-to-peer applications
- PGP Encryption


- Printer
- Removable storage
- SMB protocol
- Synchronization software (ActiveSync)
- Webmail
- Windows clipboard

When OfficeScan detects a "burn" command initiated on any CD/DVD data recorder (device or software) and the action is "Pass", data recording proceeds. If the action is "Block", OfficeScan checks if any of the files to be recorded is or contains a digital asset. If OfficeScan detects at least one digital asset, all files - including those that are not, or do not contain, digital assets - will not be recorded. OfficeScan may also prevent the CD or DVD from ejecting. If this issue occurs, instruct users to restart the software process or reset the device. OfficeScan implements additional CD/DVD recording rules:
- To reduce false positives, OfficeScan does not monitor the following files: .bud, .dll, .gif, .gpd, .htm, .ico, .ini, .jpg, .lnk, .sys, .ttf, .url, .xml
- Two file types used by Roxio data recorders (*.png and *.skn) are not monitored to increase performance.
- OfficeScan does not monitor files in the following directories:
  *:\autoexec.bat
  *:\Windows
  ..\Application Data
  ..\Cookies
  ..\Local Settings
  ..\ProgramData
  ..\Program Files
  ..\Users\*\AppData
  ..\WINNT
- ISO images created by the devices and software are not monitored.

B.5.1 Email Clients


OfficeScan monitors email transmitted through various email clients. OfficeScan checks the email's subject, body, and attachments for digital assets. Monitoring occurs when a user attempts to send the email. If the email contains digital assets, OfficeScan will either allow or block the email.

B.5.2 FTP
When OfficeScan detects that an FTP client is attempting to upload files to an FTP server, it checks for the presence of digital assets in the files. No file has been uploaded at this point. Depending on the Digital Asset Control policy, OfficeScan will allow or block the upload. When you configure a policy that blocks file uploads, remember the following:
- When OfficeScan blocks an upload, some FTP clients will try to re-upload the files. In this case, OfficeScan terminates the FTP client to prevent the re-upload. Users do not receive a notification after the FTP client terminates. Inform them of this situation when you roll out your Digital Asset Control policies.


- If a file to be uploaded will overwrite a file on the FTP server, the file on the FTP server may be deleted.

B.5.3 HTTP and HTTPS


OfficeScan monitors data to be transmitted through HTTP and HTTPS. For HTTPS, OfficeScan checks the data before it is encrypted and transmitted.

B.5.4 IM Applications
OfficeScan monitors messages and files that users send through instant messaging (IM) applications. Messages and files that users receive are not monitored. When OfficeScan blocks a message or file sent through AOL Instant Messenger, MSN, Windows Messenger, or Windows Live Messenger, it also terminates the application. If OfficeScan does not do this, the application will become unresponsive and users will be forced to terminate the application anyway. Users do not receive a notification after the application terminates. Inform them of this situation when you roll out your Digital Asset Control policies.

B.5.5 Peer-to-Peer Applications


OfficeScan monitors files that users share through peer-to-peer applications.

B.5.6 PGP Encryption


OfficeScan monitors data to be encrypted by PGP encryption software. OfficeScan checks the data before encryption proceeds.

B.5.7 Printer
OfficeScan monitors printer operations initiated from various applications. OfficeScan does not block printer operations on new files that have not been saved because printing information has only been stored in the memory at this point.

B.5.8 Removable Storage


OfficeScan monitors data transmissions to or within removable storage devices. Activities related to data transmission include:
- Creation of a file within the device
- Copying of a file from the host machine to the device
- Closing of a modified file within the device
- Modifying of file information (such as the file's extension) within the device

When a file to be transmitted contains a digital asset, OfficeScan either blocks or allows the transmission.


NOTE: The Device Control action has a higher priority than the Digital Asset Control action. For example, if Device Control does not allow copying of files to a removable storage device, transmission of digital assets will not proceed even if Digital Asset Control allows it.

NOTE: Additional configurations on the OfficeScan server are required to enable the monitoring of data transmissions on embedded floppy disk drives. Contact your support provider for configuration instructions.

The handling of file transmission to a removable storage device is a straightforward process. For example, a user who creates a file in Microsoft Word may want to save the file to an SD card (it does not matter which file type the user saves the file as). If the file contains a digital asset that should not be transmitted, OfficeScan prevents the file from being saved. For file transmission within the device, OfficeScan first backs up the file (if its size is 75MB or less) to %WINDIR%\system32\dgagent\temp before processing it. OfficeScan removes the backup file if it allowed the file transmission. If OfficeScan blocked the transmission, it is possible that the file may have been deleted in the process. In this case, OfficeScan copies the backup file to the folder containing the original file.

B.5.9 SMB Protocol


OfficeScan monitors data transmissions through the Server Message Block (SMB) protocol, which facilitates shared file access. When another user attempts to open, save, move, or delete a user's shared file, OfficeScan checks if the file is or contains a digital asset and then allows or blocks the operation.

B.5.10 Synchronization Software (ActiveSync)


OfficeScan monitors data transmitted to a mobile device through synchronization software. OfficeScan supports the following synchronization software developed by Microsoft:
• Microsoft ActiveSync 4.5
• Windows Mobile Device Center

NOTE: The required Windows Mobile Device Center version depends on the endpoint's operating system. For more information, visit the Microsoft website.

If the data has a source IP address of 127.0.0.1 and is sent through either port 990 or 5678 (the ports used for synchronization), OfficeScan checks if the data is a digital asset before allowing or blocking its transmission.

B.5.11 Application Version


When OfficeScan blocks a file transmitted on port 990, a file of the same name containing malformed characters may still be created in the destination folder on the mobile device. This is because parts of the file were copied to the device before OfficeScan blocked the transmission.


B.5.12 Webmail
Web-based email services transmit data through HTTP. If OfficeScan detects outgoing data from supported services, it checks the data for the presence of digital assets.

B.5.13 Windows Clipboard


OfficeScan monitors data to be transmitted to the Windows clipboard before allowing or blocking the transmission. OfficeScan can also monitor clipboard activities between the host machine and VMware or Remote Desktop. Monitoring occurs on the entity with the OfficeScan client. For example, an OfficeScan client on a VMware virtual machine can prevent clipboard data on the virtual machine from being transmitted to the host machine. Similarly, a host machine with an OfficeScan client can be prevented from copying clipboard data to an endpoint accessed through Remote Desktop.

Important: For a detailed list of supported channels, refer to the OfficeScan Administrator's Guide.

B.6 > Digital Asset Control Actions


When OfficeScan detects the transmission of digital assets, it checks the Digital Asset Control policy for the detected digital assets and performs the action configured for the policy.

B.6.1 Transmission Scope


OfficeScan performs an action based on the defined transmission scope.

SCOPE: All transmissions
DESCRIPTION: OfficeScan performs an action if the endpoint transmits digital assets to private and external networks.
Tip: Trend Micro recommends choosing this scope for external clients.

SCOPE: Only transmissions to external networks
DESCRIPTION: OfficeScan performs an action only if the endpoint transmits digital assets to external networks. Digital assets transmitted to private networks are not monitored. Hosts on private networks have the following IP addresses:
• 10.0.0.0 to 10.255.255.255
• 172.16.0.0 to 172.31.255.255
• 192.168.0.0 to 192.168.255.255
However, if a private IP address is defined in a Digital Asset Control exception, OfficeScan performs the action for the exception. For example, if the IP address is in the list of blocked transmission targets, OfficeScan blocks the transmission to the host that uses that IP address.
Tip: Trend Micro recommends choosing this scope for internal clients.

Table B.5: Digital Asset Control Transmission Scope

B.6.2 Actions
The following table lists the Digital Asset Control actions.

Primary actions
ACTION: Pass
DESCRIPTION: OfficeScan allows the transmission.
ACTION: Block
DESCRIPTION: OfficeScan blocks the transmission.

Additional actions
ACTION: Notify the client user
DESCRIPTION: OfficeScan displays a notification message to inform the user of the data transmission and whether it was passed or blocked. You can modify the message from Notifications > Client User Notifications > Digital Asset Transmissions tab.
ACTION: Capture data
DESCRIPTION: Regardless of the primary action, OfficeScan saves a copy of the data to <Client installation folder>\DLPLite\Forensic. Select this action to evaluate data that is being flagged by Digital Asset Control. Clients do not send the captured data to the server. Because this folder holds copies of the very data the policy is meant to protect, restrict access to it and clear it once the evaluation is done.

Table B.6: Digital Asset Control Actions


B.6.3 Decompression Settings


OfficeScan does not scan password-protected compressed files for digital assets. In addition, OfficeScan does not scan a compressed file for digital assets if it exceeds any of the following configured limits:
• Decompressed size of any single file exceeds __ MB: The entire compressed file is not scanned if it contains a file that exceeds the limit.
• Total number of embedded layers in compressed file exceeds __: The entire compressed file is not scanned if it has more than the specified number of embedded layers.
• Total number of files in compressed file exceeds __ (1-2000): The entire compressed file is not scanned if it contains more than the specified number of files.

A compressed file is scanned only if it is not password-protected and does not exceed any of the decompression limits. The detection of at least one digital asset triggers an action on the entire compressed file. Depending on the action, the entire file is passed (transmitted) or blocked. Note that an archive skipped for any of these reasons is not inspected at all, so very low limits increase the chance that an oversized or deeply nested archive leaves the endpoint uninspected.
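The following is an added example, written for this textbook rather than taken from OfficeScan, that applies the decompression rules above to ZIP archives. It assumes that the outer archive is layer 0 (so "embedded layers" counts nested archives only), that the file count covers every layer, that a skipped archive is passed uninspected, and that the digital asset definition is a single constructed keyword, which is far simpler than a real template. The sample archives, including the one whose "encrypted" flag is flipped by hand to look password-protected, are constructed for the example.

```python
"""Added example (not OfficeScan code): the decompression rules of B.6.3 applied
to ZIP archives. Assumptions: the outer archive is layer 0, so "embedded
layers" counts nested archives only; the file count covers every layer; an
archive that is skipped is passed uninspected; and the digital asset
definition is a constructed keyword, far simpler than a real template."""
import io
import re
import zipfile
from dataclasses import dataclass

ASSET_PATTERN = re.compile(rb"CONFIDENTIAL")      # constructed "digital asset"
ENCRYPTED_FLAG = 0x0001                           # ZIP general-purpose bit 0


@dataclass
class DecompressionLimits:
    max_file_mb: int = 30         # "Decompressed size of any single file exceeds __ MB"
    max_embedded_layers: int = 1  # "Total number of embedded layers ... exceeds __"
    max_files: int = 100          # "Total number of files ... exceeds __ (1-2000)"


class SkipScan(Exception):
    """Raised when the archive must not be scanned at all."""


def _walk(data: bytes, limits: DecompressionLimits, depth: int, state: dict) -> None:
    if depth > limits.max_embedded_layers:
        raise SkipScan(f"more than {limits.max_embedded_layers} embedded layers")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & ENCRYPTED_FLAG:
                raise SkipScan("password-protected")
            if info.file_size > limits.max_file_mb * 1024 * 1024:
                raise SkipScan(f"{info.filename} exceeds {limits.max_file_mb} MB decompressed")
            state["files"] += 1
            if state["files"] > limits.max_files:
                raise SkipScan(f"more than {limits.max_files} files")
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                _walk(content, limits, depth + 1, state)   # descend into a nested archive
            elif ASSET_PATTERN.search(content):
                state["hits"].append(info.filename)


def evaluate_archive(data: bytes, limits: DecompressionLimits) -> dict:
    """Return the Digital Asset Control outcome for one compressed file."""
    state = {"files": 0, "hits": []}
    try:
        _walk(data, limits, 0, state)
    except SkipScan as why:
        return {"scanned": False, "reason": str(why), "hits": [], "action": "pass"}
    # One detection anywhere triggers the action on the entire archive.
    return {"scanned": True, "reason": "", "hits": state["hits"],
            "action": "block" if state["hits"] else "pass"}


def build_zip(members: dict) -> bytes:
    """Constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Constructed sample: set the 'encrypted' flag in every central-directory
    entry so the archive looks password-protected (zipfile cannot write one)."""
    buf = bytearray(data)
    pos = buf.find(b"PK\x01\x02")
    while pos != -1:
        buf[pos + 8] |= ENCRYPTED_FLAG     # flags sit 8 bytes into the CD header
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)


if __name__ == "__main__":
    limits = DecompressionLimits(max_file_mb=1, max_embedded_layers=1, max_files=3)
    nested = build_zip({"readme.txt": b"ok",
                        "inner.zip": build_zip({"plan.docx": b"CONFIDENTIAL"})})
    print(evaluate_archive(nested, limits))                   # scanned, blocked
    print(evaluate_archive(mark_encrypted(nested), limits))   # not scanned
```

The order of the checks matters: a password-protected member or an oversized member stops the scan before its content is read, so the engine never decompresses what it has decided not to inspect.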

B.7 > Digital Asset Control Exceptions


Digital Asset Control exceptions define the destination of digital assets, that is, the intended recipients of digital assets transmitted through various channels. An exception overrides the action configured for a policy. For example:
• A policy blocks the transmission of digital assets through email, except emails sent to approved internal email domains.
• A policy allows the transmission of digital assets to removable storage devices, except those sent to blocked devices.

The following exceptions are available:


EXCEPTION: Approved or blocked transmission targets
AFFECTED CHANNEL: HTTP, HTTPS, FTP, SMB protocol, Printer, IM application (for file transfers)
DESCRIPTION: OfficeScan allows or blocks the transmission of digital assets to the specified targets if the transmission is through the affected channels and the specified ports. Identify a target by its IP address, host name, FQDN, or network address and subnet mask (such as 10.1.1.1/32).
EXAMPLE: 10.1.1.1:5-20, host:5-20, host.domain.com:20, 10.1.1.1/32:20

EXCEPTION: Approved or blocked internal email domains
AFFECTED CHANNEL: Email clients
DESCRIPTION: OfficeScan allows or blocks the transmission of email to the internal email domains.
EXAMPLE: xyz.com

EXCEPTION: Approved or blocked devices
AFFECTED CHANNEL: Removable storage
DESCRIPTION: OfficeScan allows or blocks the transmission of data to or within the removable storage devices.
EXAMPLE: XYZ Mass Storage Device

Table B.7: Digital Asset Control Exceptions
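The following is an added example, written for this textbook and not taken from OfficeScan, that models how the transmission scope of B.6.1 and the transmission-target exceptions of Table B.7 combine into one decision for a transmission that carries a digital asset. The target syntax follows the table (10.1.1.1:5-20, host:5-20, host.domain.com:20, 10.1.1.1/32:20). Two details are assumptions, not documented behaviour: a blocked target wins over an approved one, and an entry written without a port matches every port.

```python
"""Added example (not OfficeScan code): the Digital Asset Control decision for
one transmission, combining the transmission scope of B.6.1 with the
transmission-target exceptions of Table B.7. Assumptions: a blocked target wins
over an approved one; an entry with no port matches every port."""
import ipaddress
from dataclasses import dataclass

# The private ranges listed in Table B.5.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Target:
    host: str            # IP literal, CIDR network, host name or FQDN
    ports: tuple         # inclusive (low, high) port range

    @classmethod
    def parse(cls, text: str) -> "Target":
        # "host:5-20" -> host="host", ports=(5, 20); "host:20" -> (20, 20)
        host, sep, spec = text.strip().rpartition(":")
        if not sep:
            return cls(text.strip(), (0, 65535))     # no port given: any port
        lo, _, hi = spec.partition("-")
        return cls(host, (int(lo), int(hi or lo)))

    def matches(self, dest_ip: str, dest_name: str, dest_port: int) -> bool:
        if not self.ports[0] <= dest_port <= self.ports[1]:
            return False
        try:
            net = ipaddress.ip_network(self.host, strict=False)  # IP or CIDR
        except ValueError:                                       # a name, not an address
            name = dest_name.lower()
            return self.host.lower() in (name, name.split(".")[0])
        return ipaddress.ip_address(dest_ip) in net


def decide(dest_ip, dest_name, dest_port, scope, primary_action,
           approved=(), blocked=()) -> str:
    """Return 'pass' or 'block' for a transmission that carries a digital asset.

    scope is 'all' or 'external' (Table B.5); primary_action is the policy's
    Pass/Block setting (Table B.6). Exceptions override scope and action."""
    args = (dest_ip, dest_name, dest_port)
    if any(t.matches(*args) for t in blocked):
        return "block"
    if any(t.matches(*args) for t in approved):
        return "pass"
    if scope == "external" and is_private(dest_ip):
        return "pass"          # private network is out of scope: not monitored
    return primary_action


if __name__ == "__main__":
    blocked = [Target.parse("192.168.1.10/32:80")]
    print(decide("192.168.1.10", "fileserver", 80, "external", "block"))
    print(decide("192.168.1.10", "fileserver", 80, "external", "block", blocked=blocked))
```

The second call shows the point made under "Only transmissions to external networks": a private address is normally out of scope, but listing it as a blocked transmission target makes OfficeScan block the transfer anyway.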

B.8 > Creating Digital Asset Control Policies


You can start to create Digital Asset Control policies after you have configured digital asset definitions and organized them in templates. In addition to digital asset definitions and templates, you need to configure channels, actions, and exceptions when creating a policy.

TO CREATE A DIGITAL ASSET CONTROL POLICY:
1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.
2. Click Settings > Digital Asset Control Settings.
3. Click the External Clients tab to configure a policy for external clients or the Internal Clients tab to configure a policy for internal clients.
4. Select Enable Digital Asset Control.


5. Configure the following settings:
• Template Settings
• Channel Settings
• Action Settings
• Exception Settings
6. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:
• Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
• Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.

Figure B.9: Digital Asset Control Settings > Template screen

TEMPLATE SETTINGS

1. Click the Template tab.
2. If you are on the External Clients tab, you can apply template settings to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply template settings to external clients by selecting Apply settings to external clients.
3. Select templates from the Available templates list and then click Add. When selecting templates:


• Select multiple entries by pressing and holding the CTRL key and then selecting the templates.
• Use the search feature if you have a specific template in mind. You can type the full or partial name of the template.
4. If no template exists or if a template is not found in the Available templates list, you can perform any of the following tasks:
• Create a new template by clicking the icon next to Available templates. The Digital Asset Templates screen displays. After creating the template, select it and then click Add.
• Import a list of templates by clicking Import under Selected templates and then locating the .csv file containing the templates.
5. To move a template up or down the Selected templates list, select a template and then click Up or Down until the template is in its correct position. It is not possible to move several templates at a time.
6. To export your chosen templates, click Export and then save the resulting .csv file to your preferred location.

CHANNEL SETTINGS

1. Click the Channel tab.
2. If you are on the External Clients tab, you can apply channel settings to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply channel settings to external clients by selecting Apply settings to external clients.
3. Select the channels for the policy.


Figure B.10: Add Digital Control Settings > Channel screen

ACTION SETTINGS

1. Click the Action tab.
2. If you are on the External Clients tab, you can apply action settings to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply action settings to external clients by selecting Apply settings to external clients.
3. Select the transmission scope.
4. Select a primary action and any additional actions.
5. Specify decompression settings.


Figure B.11: Add Digital Control Settings > Action screen

EXCEPTION SETTINGS

1. Click the Exception tab.
2. If you are on the External Clients tab, you can apply the exceptions to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply the exceptions to external clients by selecting Apply settings to external clients.
3. Configure the approved and blocked lists:
3.1. Add transmission targets. Separate targets by commas.
3.2. Add internal email domains. Separate domains by commas.
3.3. Add a removable storage device identified by its vendor. The device model and serial ID are optional. To add more devices, click the icon.


Figure B.12: Add Digital Control Settings > Exception screen

B.8.1 Device List Tool

Run the Device List Tool on each endpoint to query external devices connected to the endpoint. The tool scans an endpoint for external devices and then displays device information in a browser window. You can then use the information when configuring device exceptions for Digital Asset Control and Device Control.

TO RUN THE DEVICE LIST TOOL:
1. On the OfficeScan server computer, navigate to <Server installation folder>\PCCSRV\Admin\Utility\ListDeviceInfo.
2. Copy listDeviceInfo.exe to the target endpoint.
3. On the endpoint, double-click listDeviceInfo.exe.
4. View device information in the browser window that displays. Digital Asset Control and Device Control use the following information:
• Vendor (required)
• Model (optional)
• Serial ID (optional)


B.9 > Digital Asset Control Widgets


Digital Asset Control widgets show a summary of digital asset transmissions. Widgets include:
• Digital Asset Control - Top Detections
• Digital Asset Control - Detections Over Time

These widgets are available on the OfficeScan server's Summary dashboard.

B.9.1 Digital Asset Control Notifications


OfficeScan comes with a set of default notification messages that inform you, other OfficeScan administrators, and client users of digital asset transmissions.

B.9.2 Digital Asset Control Notifications for Administrators


Configure OfficeScan to send you and other OfficeScan administrators a notification when it detects the transmission of digital assets, or only when the transmission is blocked. OfficeScan comes with a set of default notification messages that inform you and other OfficeScan administrators of digital asset transmissions. You can modify the notifications and configure additional notification settings to suit your requirements.
TO CONFIGURE DIGITAL ASSET CONTROL NOTIFICATIONS FOR ADMINISTRATORS:

1. In the Criteria tab:
1.1. Go to the Digital Asset Transmissions section.
1.2. Specify whether to send notifications when transmission of digital assets is detected (the action can be blocked or passed) or only when the transmission is blocked.
2. In the Email tab:
2.1. Go to the Digital Asset Transmissions section.
2.2. Select Enable notification via email.
2.3. Select Send notifications to users with client tree domain permissions. You can use Role-based Administration to grant client tree domain permissions to users. If transmission occurs on a client belonging to a specific domain, the email is sent to the email addresses of the users with domain permissions. For example, if an OfficeScan client belonging to Domain A detects a digital asset transmission, the email is sent to mary@xyz.com, john@xyz.com, and chris@xyz.com. If a client belonging to Domain B detects the transmission, the email is sent to mary@xyz.com and jane@xyz.com.
2.4. Select Send notifications to the following email address(es) and then type the email addresses.
2.5. Accept or modify the default subject and message. You can use token variables to represent data in the Subject and Message fields.
3. In the Pager tab:
3.1. Go to the Digital Asset Transmissions section.
3.2. Select Enable notification via pager.
3.3. Type the message.
4. In the SNMP Trap tab:
4.1. Go to the Digital Asset Transmissions section.
4.2. Select Enable notification via SNMP trap.
4.3. Accept or modify the default message. You can use token variables to represent data in the Message field.
5. In the NT Event Log tab:
5.1. Go to the Digital Asset Transmissions section.
5.2. Select Enable notification via NT Event Log.

Figure B.13: Standard Notifications screen

Token Variables for Digital Asset Control Notifications

%USER%: The user logged on to the computer when transmission was detected
%COMPUTER%: Computer where transmission was detected
%DOMAIN%: Domain of the computer
%DATETIME%: Date and time transmission was detected
%CHANNEL%: The channel through which transmission was detected
%TEMPLATE%: The digital asset template that triggered the detection


B.9.3 Digital Asset Control Notifications for Client Users

OfficeScan can display notification messages on client computers immediately after it allows or blocks the transmission of digital assets. To notify users that digital asset transmission was blocked or allowed, select the option Notify the client user when you create a Digital Asset Control policy.

TO CONFIGURE DIGITAL ASSET CONTROL NOTIFICATIONS FOR CLIENT USERS:
1. Click the Digital Asset Transmissions tab.
2. Accept or modify the default message.
3. Click Save.

Figure B.14: Client User Notifications screen

B.10 > Digital Asset Control Logs

Clients log digital asset transmissions (blocked and allowed transmissions) and send the logs to the server immediately. If the client is unable to send logs, it retries after 5 minutes. To keep the size of logs from occupying too much space on the hard disk, manually delete logs or configure a log deletion schedule.

TO VIEW DIGITAL ASSET CONTROL LOGS:
1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.
2. Click Logs > Digital Asset Control Logs or View Logs > Digital Asset Control Logs.
3. Specify the log criteria and then click Display Logs.
4. View logs. Logs contain the following information:
• Date/Time digital asset transmission was detected
• Computer where transmission was detected
• Domain of the computer
• IP address of the computer
• The process that facilitated the transmission of a digital asset. The process depends on the channel.
• Channel through which the digital asset was transmitted


• Action on the transmission
• Template that triggered the detection
• User name logged on to the computer
• Description, which includes additional details about the transmission
5. To save logs to a comma-separated value (CSV) file, click Export to CSV. Open the file or save it to a specific location.

Figure B.13: Digital Asset Control Logs screen
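The following is an added example, written for this textbook and not part of OfficeScan, that works with an exported Digital Asset Control log outside the console. It rebuilds the two summaries the widgets in B.9 show (top detections and detections over time), filters to blocked transmissions the way the notification criteria in B.9.2 can, and expands the B.9.2 token variables into a message from a log row. The CSV column names and every row are constructed for the example; an export from a real server may use different headers.

```python
"""Added example (not OfficeScan code): analysis of an exported Digital Asset
Control log (B.10), the widget summaries of B.9, and the token variables of
B.9.2. The CSV header and rows below are constructed for the example."""
import csv
import io
from collections import Counter

SAMPLE_EXPORT = """\
Date/Time,Computer,Domain,IP Address,Process,Channel,Action,Template,User,Description
2011-08-01 09:12:07,WS-0142,Finance,10.20.3.42,OUTLOOK.EXE,Email client,Block,Credit Card Numbers,jdoe,Attachment q3.xlsx
2011-08-01 09:40:51,WS-0142,Finance,10.20.3.42,explorer.exe,Removable storage,Block,Credit Card Numbers,jdoe,Copy to XYZ Mass Storage Device
2011-08-01 13:05:19,WS-0207,HR,10.20.5.9,iexplore.exe,Webmail,Pass,Personal Data (US),mlee,Form post to mail.example.com
2011-08-02 08:58:33,WS-0207,HR,10.20.5.9,iexplore.exe,HTTP,Block,Personal Data (US),mlee,Upload to upload.example.net
2011-08-02 17:21:02,WS-0311,Finance,10.20.3.77,spoolsv.exe,Printer,Pass,Credit Card Numbers,rkim,Print job invoice.pdf
"""

# Constructed default message using the B.9.2 token variables.
DEFAULT_MESSAGE = ("%DATETIME%: digital asset transmission by %USER% on "
                   "%COMPUTER% (%DOMAIN%) through %CHANNEL%, template %TEMPLATE%")

TOKENS = {"%USER%": "User", "%COMPUTER%": "Computer", "%DOMAIN%": "Domain",
          "%DATETIME%": "Date/Time", "%CHANNEL%": "Channel", "%TEMPLATE%": "Template"}


def parse_logs(csv_text: str) -> list:
    """One dict per exported log row, keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def blocked_only(rows: list) -> list:
    """The 'only when the transmission is blocked' notification criterion."""
    return [r for r in rows if r["Action"].lower() == "block"]


def top_detections(rows: list, field: str = "Template", n: int = 3) -> list:
    """Counterpart of the Top Detections widget: (value, count) pairs, most first."""
    return Counter(r[field] for r in rows).most_common(n)


def detections_over_time(rows: list) -> dict:
    """Counterpart of the Detections Over Time widget, bucketed by calendar day."""
    return dict(sorted(Counter(r["Date/Time"][:10] for r in rows).items()))


def render_notification(row: dict, message: str = DEFAULT_MESSAGE) -> str:
    """Expand the B.9.2 token variables from one log row."""
    for token, column in TOKENS.items():
        message = message.replace(token, row[column])
    return message


if __name__ == "__main__":
    rows = parse_logs(SAMPLE_EXPORT)
    print(top_detections(rows))
    print(top_detections(rows, "Channel"))
    print(detections_over_time(blocked_only(rows)))
    for row in blocked_only(rows):
        print(render_notification(row))
```

Grouping by Computer or User instead of Template quickly shows whether a spike in detections comes from one endpoint repeatedly hitting the same policy, which is the usual first question when a Top Detections widget changes.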

B.11 > Uninstalling Data Protection

If you uninstall the Data Protection module from Plug-in Manager:
• All Digital Asset Control configurations, settings, and logs are removed from the OfficeScan server.
• All Device Control configurations and settings provided by the Data Protection module are removed from the server.
• The Data Protection module is removed from clients.
• Digital Asset Control policies will no longer be enforced on clients.
• Device Control will no longer monitor access to the following devices: COM and LPT ports, IEEE 1394 interface, imaging devices, infrared devices, modems, PCMCIA card, print screen key.

You can reinstall the Data Protection module anytime. After reinstallation, activate the license using a valid Activation Code.


TO UNINSTALL DATA PROTECTION FROM PLUG-IN MANAGER:

1. Open the OfficeScan web console and click Plug-in Manager in the main menu.
2. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Uninstall.
3. Monitor the uninstallation progress. You can navigate away from the screen during the uninstallation.
4. Refresh the Plug-in Manager screen after the uninstallation. OfficeScan Data Protection is again available for installation.

B.12 > Device Control Permissions


Device Control permissions are used when you:
• Configure exceptions for USB storage devices. Device Control allows you to block access to all USB storage devices, except those added to the exception list. For devices in the exception list, you can grant full control to these devices or limit the level of access.
• Allow access to USB storage devices, CD/DVD, floppy disks, and network drives. You can grant full control to these devices or limit the level of access.

The scanning function in OfficeScan complements and may override the device permissions. For example, if the permission allows a file to be opened but OfficeScan detects that the file is infected with malware, a specific scan action will be performed on the file to eliminate the malware. If the scan action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is deleted.

B.12.1 Device Control Exception Lists


If you allow access to USB storage devices, CD/DVD, floppy disks, and network drives, you can control the device permissions. For example, you can grant read-only or read-and-execute permission. The exception lists override the permissions and grant full access to the devices.

TO MANAGE ACCESS TO EXTERNAL DEVICES (DATA PROTECTION ACTIVATED):
1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.
2. Click Settings > Device Control Settings.


Figure B.14: Device Control Settings > Internal Clients screen

3. Click the External Clients tab to configure settings for external clients or the Internal Clients tab to configure settings for internal clients.
4. Select Enable Device Control.
5. If you are on the External Clients tab, you can apply settings to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply settings to external clients by selecting Apply settings to external clients.
6. Configure the permission for USB storage devices.
• Allow Access: Grants access to the device. You can configure the level of access (for example, grant read-only access) and exceptions.
• Block Access: The device will not be visible to the user (for example, from Windows Explorer).
7. Configure the permission for CD/DVD, floppy disks, and network drives. For CD/DVD and floppy disks, you can choose "Allow Access" or "Block Access". For network drives, the permission is always "Allow Access".


• Allow Access: Grants access to the device. You can configure the level of access (for example, grant read-only access) and exceptions.
• Block Access: The device will not be visible to the user (for example, from Windows Explorer) and no notification displays.
8. Configure the permission for COM and LPT ports, IEEE 1394 interface, imaging devices, infrared devices, modems, PCMCIA card, and print screen key.
• Allow Access: Grants full access to the device.
• Block Access: The device will not be visible to the user (for example, from Windows Explorer) and no notification displays.
9. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:
• Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
• Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.

B.13 > Device Control Notifications

Notification messages display on endpoints when Device Control violations occur. Administrators can modify the default notification message, if needed.

TO MODIFY THE CONTENT OF THE NOTIFICATION MESSAGE:
1. Click the Device Control Violation tab.
2. Modify the default messages in the text box provided.
3. Click Save.

Figure B.15: Client User Notifications screen


B.14 > Device Control Logs

Clients log unauthorized device access instances and send the logs to the server. A client that runs continuously aggregates the logs and sends them after a 24-hour time period. A client that was restarted checks the last time the logs were sent to the server; if the elapsed time exceeds 24 hours, the client sends the logs immediately. To keep the size of logs from occupying too much space on the hard disk, manually delete logs or configure a log deletion schedule.

TO VIEW DEVICE CONTROL LOGS:
1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.
2. Click Logs > Device Control Logs or View Logs > Device Control Logs.

Figure B.16: Device Control Log Criteria screen

3. Specify the log criteria and then click Display Logs.
4. View logs. Logs contain the following information:
• Date/Time unauthorized access was detected
• Computer where the external device is connected or where the network resource is mapped
• Computer domain where the external device is connected or where the network resource is mapped
• Device type or network resource accessed
• Target, which is the item on the device or network resource that was accessed
• Accessed by, which specifies where access was initiated
• Permissions set for the target
5. To save logs to a comma-separated value (CSV) file, click Export to CSV. Open the file or save it to a specific location.


Figure B.16: Device Control Logs Export option


Appendix C: Virtual Desktop Infrastructure (VDI) Support Plug-in

Trend Micro Virtual Desktop Support is a plug-in tool that optimizes virtual desktop protection by regulating the activity of OfficeScan clients to decrease the resource consumption required for on-demand and scheduled scanning activities and updates. Additionally, this plug-in includes the VDI Pre-Scan Template Generation Tool to remove GUIDs from golden images and to optimize scanning so that the base components of the golden template image are not scanned over and over again for each instance of the image, allowing OfficeScan to check only the parts that have changed. This tool supports OfficeScan 10.5 clients and above.

C.1 > What Is Virtual Desktop Infrastructure?

For many companies, the successful deployment of advanced virtualization technologies in the datacenter is fueling a new wave of virtualization in pursuit of streamlining the management and performance of desktop computing. To lower costs, speed provisioning, and ease other management burdens, leading enterprises are now looking to virtualize their desktop platforms.

Virtual Desktop Infrastructure (VDI) is similar to shared application infrastructures, like Citrix Metaframe and Windows Terminal Server. With VDI, each user has access to applications via a legacy PC, a thin client, or even a refurbished low-performance PC. But instead of using a shared copy of the operating system, every user works with an independent operating system on a shared server-hardware platform, which can be customized to the same degree as a physical desktop.

A key strength of VDI is its ability to support a full range of desktop types. VDI gives users the features they need, such as personal storage space and granular control over operating-system features, but without the failure issues associated with running on an isolated hardware platform that is physically remote from highly skilled IT support. This approach creates opportunities for cost and resource optimization in several areas.

C.1.1 Image-based Client Deployment

VDI significantly streamlines the deployment of computing resources to end users. Virtualized endpoints are typically based on a single template virtual machine (VM), called the gold image. This image includes a base operating system, drivers for running on the VM platform, relevant patches, and standard applications. Deploying new virtualized desktops is as easy as creating a copy of the base image and starting it up as a new instance of the core VM framework on the VDI host system.

C.1.2 Operational Benefits of Client-Machine Virtualization


In VDI environments, all operating systems and applications (VMs) run on powerful, central server clusters. This minimizes the importance of the hardware performance of the desktop PC used to access the remote VM, which beyond a certain threshold provides no incremental benefit to the end user because application processing is supplied by the datacenter. But not only can hardware refresh cycles be extended; VDI also offers these additional benefits:

Improved Regulatory Compliance

Controls mandated by regulations can be implemented and enforced on virtualized endpoints in a repeatable, streamlined fashion, with the management infrastructure in immediate and complete control over the total hardware environment.

Easier, Faster Endpoint Backup

In a VDI environment the backup data never leaves the high-performance infrastructure inside the datacenter. The entire process of backing up becomes easy, fast, and painless.

Data Protection

In a VDI environment, data resides on a central server cluster and never leaves the secure boundaries of the corporate datacenter, where the physical security of data is inherently easier to implement and enforce.

Operations, Maintenance, and Support

Adding or replacing memory, hard-disk capacity, and other resources can occur without interruption. The benefits of fault tolerance and redundancy are instantly available to all users. Controlling the state of endpoints for the deployment of patches and new applications is also easier.

C.2 > Trend Micro OfficeScan VDI Support


The risk profile of a desktop, whether physical or virtual, is very different from that of a server. Desktop machines are used more dynamically and interact within a wider range of potentially dangerous environments. Risks increase for desktop usage due to the difficulty of controlling users who frequently:
• Surf the web and might access malicious web content
• Might be lured into exposing confidential information
• Open potentially malicious email attachments
• Install applications and tools on their desktops

C.2.1 VDI-Specific Requirements


When multiple virtualized desktops share a common hardware platform, even a powerful server cluster can quickly become overwhelmed. For desktops in particular, there are certain resourceintensive operations that cause no issue when executed on individual PCs, but can quickly result in an extreme load in a VDI environment. Foremost among these are:


Figure C.1: Simultaneous Scanning Activity Drives CPU Usage Up on All VMs Simultaneously

Full System Scans

When full-system scans are scheduled to take place at a certain time, and all virtualized desktops reside on the same underlying hardware, the resulting demand for simultaneous disk access will slow down not only other applications but the scanning process itself. A VDI-aware endpoint security solution must serialize full scans for all systems on the same VDI host.

Component Updates

Larger client updates present challenges similar to full-system scans and must be treated in a similar fashion in order to lessen demand on the underlying hosts' storage and network resources. Load balancing for data transfer must also be addressed with VDI-aware endpoint security.

C.2.2 Benefits of the OfficeScan VDI Support Solution

The right endpoint security for virtual desktops is an important ingredient for success as VM density increases. Industry-leading products such as Deep Security and Core Protection for Virtual Machines clearly demonstrate Trend Micro's leadership in the area of virtualized security. OfficeScan 10.5 includes the first endpoint-protection solution to include VDI-aware client management. The OfficeScan 10.5 plug-in for virtual desktop support extends endpoint protection to VDI environments and provides these important features:

Serialization of Full System Scans per VDI-Server

OfficeScan will allow only one virtualized endpoint at a time to perform a full system scan. With this serialized approach, the overall impact on performance is low, yet all systems will be scanned one after the other.

Serialization of Client Updates per VDI-Server

Similar to the serialization of full scans, OfficeScan management will only update as many as three virtualized desktops per VDI server at the same time.


Figure C.2: Sequenced Scanning Activity Significantly Improves Global Performance

Pre-Scanning and Whitelisting of Base Images

Most virtual desktops will be created using the same base image. Administrators can pre-scan and whitelist the elements of that base image. The result is that in each instance of a virtual desktop, OfficeScan will only scan for deviations from the base image. This eliminates most extraneous scanning, resulting in much shorter scan times, which ultimately contribute to lower performance impact and increased productivity.
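To make the two serialization rules above concrete, here is an added illustrative model, written for this page and not the OfficeScan plug-in's own code, of how a VDI-aware scheduler groups jobs into rounds so that a physical host never runs more than one full scan, or more than three component updates, at the same time. The inventory of VM names and hosts is constructed for the example; in the product that mapping comes from the vCenter or XenServer connection.

```python
"""Illustrative per-host serialization of full scans and component updates.

Added example for this page; it is not Trend Micro's implementation.
The concurrency limits are the ones stated in the text above (one full
scan per VDI host at a time, at most three client updates per host).
"""
from collections import defaultdict

CONCURRENCY_LIMITS = {"full_scan": 1, "update": 3}


def schedule_rounds(vm_to_host, job_type):
    """Group VMs into rounds such that, within one round, no physical host
    has more VMs running `job_type` than its limit allows.

    vm_to_host: mapping of VM name -> physical host that runs it
                (in practice obtained from vCenter/XenServer).
    Returns a list of rounds; each round lists the VMs that may run the
    job concurrently.
    """
    limit = CONCURRENCY_LIMITS[job_type]
    pending = defaultdict(list)
    for vm, host in sorted(vm_to_host.items()):   # sorted for a stable order
        pending[host].append(vm)

    rounds = []
    while any(pending.values()):
        this_round = []
        for host in sorted(pending):
            batch, pending[host] = pending[host][:limit], pending[host][limit:]
            this_round.extend(batch)
        rounds.append(this_round)
    return rounds


def max_per_host(round_vms, vm_to_host):
    """Highest number of VMs from a single host in one round (for checking)."""
    counts = defaultdict(int)
    for vm in round_vms:
        counts[vm_to_host[vm]] += 1
    return max(counts.values()) if counts else 0


# Constructed inventory: two hosts with four desktops each, one host with one.
INVENTORY = {
    "vdi-01": "esx-a", "vdi-02": "esx-a", "vdi-03": "esx-a", "vdi-04": "esx-a",
    "vdi-05": "esx-b", "vdi-06": "esx-b", "vdi-07": "esx-b", "vdi-08": "esx-b",
    "vdi-09": "esx-c",
}

if __name__ == "__main__":
    for job in ("full_scan", "update"):
        for i, r in enumerate(schedule_rounds(INVENTORY, job), 1):
            print(f"{job} round {i}: {r}")
```

With the constructed inventory, full scans take four rounds (one VM per host per round, so the lone VM on the third host finishes in the first round) while updates take two rounds (three per host, then the remainder). The point the model makes is that the limit is per host, not global: VMs on different hosts do not wait for each other.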

C.3 > Using the Virtual Desktop Support Plug-in

When the VDI-support plug-in is installed, OfficeScan servers can communicate with VMware vCenter or Citrix XenServer servers to retrieve information about which OfficeScan clients are on the same physical server, and then modify their behavior accordingly.

Figure C.3: The VDI-Support Plug-in as it Appears in the Plug-in Manager of the OfficeScan Console

Using the VDI-support plug-in is relatively simple. All you need to do is enter your VMware vCenter or Citrix XenServer connection settings on the plug-in's single configuration page.

Installation of the VDI-support plug-in is similar to the installation of other OfficeScan plug-ins. For guidance on the use of the Plug-in Manager and installing plug-ins, see 5.14 > Plug-in Manager on page 212.

To add server connections, follow these steps:
1. Launch the plug-in interface by clicking Plug-in Manager > Trend Micro Virtual Desktop Support > Manage Program.


Figure C.4: Configuring the VDI-Support Plug-in Settings

2. Specify which server setting to use: VMware vCenter or Citrix XenServer.
3. Select Enable this connection to the server.
   3.1. Specify the server name or IP address and logon password.
   3.2. Optionally enable proxy connection. Specify the proxy server name or IP address and port. If the proxy server requires authentication, specify the user name and password.
   Click Test connection to verify that the OfficeScan server can successfully connect to the server.
4. Click Save.

Because the plug-in stores a logon for the vCenter or XenServer, use a dedicated account with no more rights than it needs to read the VM-to-host inventory, rather than an administrator account.

To add another server connection:
1. Click Add new vCenter/XenServer connection.
2. Repeat the steps to provide the proper server information.
3. Click Save.


Appendix D: Cisco Network Admission Control (NAC)


OfficeScan provides seamless integration of the Cisco Trust Agent, enabling the most effective policy enforcement within a Cisco Self-Defending Network. It also includes a Policy Server for automated communication with Cisco Access Control Servers (ACSs). When integrated with Trend Micro Network VirusWall or any NAC device, the policy server can remedy, redirect, restrict, deny, or permit access to devices connecting to the network. If a PC is vulnerable or becomes infected, OfficeScan can automatically isolate it and its network segments until all PCs are updated or cleanup is complete.

D.1 > Cisco NAC Overview


Traditionally, administrators have focused on using firewalls and VPNs to prevent malware from entering their network. Today, however, corporate networks are becoming more intertwined with partner networks, remote sites, small offices, and remote clients, and the fortress approach is becoming less viable because so many outsiders need to pass in and out of a company's network. Therefore, the Cisco NAC initiative focuses on controlling threats inside the network by enforcing admission privileges and antivirus and security policies. The key innovation of this idea is that it allows endpoint client devices to communicate with the network about security issues.

The components of an OfficeScan network using Cisco NAC are:

A network access device (NAD)
A Cisco Access Control Server (ACS)
An OfficeScan client with a Cisco Trust Agent (CTA) installed
The Trend Micro Policy Server
An OfficeScan server

Figure D.1: The Components of an OfficeScan Network Using Cisco NAC. The figure shows the OfficeScan (OSCE) client talking to the NAD over EAP over UDP (SSL & MD5), the NAD talking to the ACS over RADIUS (MD5), the ACS talking to the Policy Server over HCAP (SSL & MD5), and the Policy Server synchronizing with the OfficeScan server over HTTP. The roles labeled in the figure are policy enforcement, policy creation, and AV credential validation.


The NAD is a Cisco-manufactured router with network access control functionality built in to it. When a client attempts to access the network, the router initiates the antivirus and other security checks that are the foundation of Cisco NAC.

The Cisco ACS is responsible for the creation of the policies on how to handle devices attempting to access the network.

The Trend Micro Policy Server validates the antivirus credentials for an OfficeScan client. The ACS communicates with the CTA on the client to find out what kind of antivirus components the client has. The ACS passes the information to the Policy Server, which checks the client's antivirus components against the list of the latest antivirus components. (The Policy Server has this list through regular synchronization with the OfficeScan server.) The Policy Server communicates the status of the client's antivirus components back to the Cisco ACS. The Cisco ACS, in turn, communicates the client status back to the router so the router can enable or block the client's access to the network.

D.1.1 Cisco NAC2 Support


Cisco NAC2, released in November 2005, extends admission control security beyond the perimeter devices supported in the original NAC.

Network Appliance Type        Model
Remote Access Concentrators   Cisco ASA 5500 series, Cisco VPN 3000 series
Routers                       Cisco 83x, 17xx, 18xx, 28xx, 38xx
Switching Platforms           Cisco Catalyst 65xx, 45xx, 49xx, 37xx, 35xx, 29xx
Wireless Platforms            Cisco Catalyst 6500 WLSM, Cisco Aironet access point, Cisco Aironet lightweight access point, Cisco Wireless LAN Controller

Table D.1: NAC2 Supported Hardware

The updated Cisco Trust Agent (CTA) supports most current Windows operating systems and some Linux platforms (see the table below). The new CTA also enables NAC2 to expand admission control coverage to unmanaged or agentless devices, including guest laptops. It does not support x64 platforms.

Operating System   Version
Red Hat Linux      Enterprise Linux 3.0
Windows NT         4.0 (with Service Pack 6)
Windows 2000       Professional and Server (with Service Pack 4)
Windows XP         Professional (up to Service Pack 2)
Windows 2003       Server and Enterprise Server

Table D.2: NAC2 Supported Operating Systems

You can deploy the NAC2 CTA to new computers, or upgrade CTA version 1 clients to CTA version 2. When you view the network tree shown in the Cisco NAC Agent Deployment window, you can check the current CTA version of your clients. You can update any clients that are currently running CTA version 1 to CTA version 2, or deploy to new clients, using the Cisco NAC > Agent Deployment component.

Figure D.2: Agent Deployment Options: Upgrading Clients to NAC2

D.1.2 Cisco NAC2 Support: What's New in Version 8.0

Machine/User identity
VLAN assignment
Machine posture states: booting, running, logged-in

D.2 > Definition of Terms


NAD: Hardware device used to segment the network. This device could be a router, switch, or firewall. However, the first version of Cisco NAC uses only Cisco Advanced series routers (800 to 7200). The Cisco IOS must be upgraded in order to accommodate the new handling protocols and commands.

Cisco ACS: The Cisco server responsible for policy formulation. It can perform local credential validation or query the Policy Server for external credential validation.

Policy Server: The Trend Micro server responsible for evaluating a client's antivirus compliance.

CTA: Software that must be installed on the client computer to communicate between the OfficeScan client, the router, and ACS in the validation process.

Posture Plug-In: The communication link between the CTA and the OfficeScan client. It performs antivirus status queries and remediation actions.

Credential: Antivirus information gathered from the client, including virus pattern file versions, scan engine versions, virus scan results, and so on.

Posture Validation: Credential validation process where the client's credentials are checked against the ACS policies that are defined. This process results in a client being able to access the network, being able to partially access the network, or being blocked from the network.

Local Validation: A posture validation performed entirely by the ACS.

External Validation: A posture validation where some or all credentials are validated by a server external to the ACS, such as the Trend Micro Policy Server.

Token: A posture validation result returned by the ACS. The token tells the router what level of access the client should have to the network.

Remediation: Action taken on a client when it is found to be noncompliant with ACS policies.


D.3 > Dataflow


All communication on a network using Cisco NAC must be securely authenticated and encrypted. This security is based on SSL. Certificates must be obtained from a Certification Authority, which could include your network's own Certification Authority server or a third-party Certification Authority such as VeriSign or Thawte. You must obtain certificates for both the CTA and the ACS before you can install either. There are three phases in the posture validation process:

Posture request
External validation
Remediation

D.3.1 Posture Request


The NAD initiates the posture validation process by sending a posture request to the ACS. Posture validation is initiated for any new device attempting to access the network. In addition, the NAD runs a posture validation for connected clients on a timed basis: every 720 seconds (12 minutes) by default, although the timer can be configured on the router and accepts values from 300 to 86,400 seconds (5 minutes to 24 hours). The NAD also polls the clients every 300 seconds by default (possible values are 30 to 1,800 seconds) about whether or not the client has had a change in its antivirus status. If the client has changed its antivirus status, this triggers the posture validation process.

NOTE: For information on how to change the timer configurations, see Appendix E: Configuring the Cisco ACS and NAD.

PEAP Session
In order to proceed with the posture validation process, a Protected Extensible Authentication Protocol (PEAP) session must be set up between the client and the ACS (see the figure below). Extensible Authentication Protocol (EAP) is a framework that carries authentication methods such as EAP-TLS or EAP-MD5. PEAP wraps the EAP exchange inside a TLS tunnel for an added layer of protection. The router uses EAP over UDP to relay the request to the ACS. The ACS begins the TLS negotiation by sending its public certificate to the client. If the client returns a session key encrypted under that certificate, and the ACS and client can agree on a TLS cipher suite that both support, then the PEAP session is established.


Figure D.3: Setting up a PEAP Session to Exchange Credential Information. The figure shows the OSCE client with CTA on one side and the ACS on the other (EAP over UDP to the NAD, EAP over RADIUS from the NAD to the ACS), with the exchange: public certificate, encrypted session key, TLS encryption method negotiated, encrypted PEAP session.

NOTE: All communication between the OfficeScan client and the ACS flows through the NAD.

CTA and OfficeScan Client Communication


Once the PEAP session is established, the ACS queries the CTA about the client's credentials. The CTA then must communicate with the client through the Posture Plug-In to retrieve those credentials. The following credentials can be checked:

Pattern File date or version
Scan Engine version
Real-time scanning status
Software name, version, and identification

The policies defined by the ACS and the Policy Server determine which of the above credentials the Posture Plug-In retrieves from the client.

The portion of the Posture Plug-In that is responsible for retrieving credentials from the client is TMabPP.dll. When the CTA receives a query from the ACS, it queries TMabPP.dll, which queries the OfficeScan client. The OfficeScan client sends the required information to TMabPP.dll. TMabPP.dll sends the information to the CTA, which forwards it through the NAD to the ACS. (See the figure below.)


Figure D.4: CTA and OfficeScan Client Communication. The figure shows, on the client computer, the OSCE client exchanging data with TMabPP.dll (with TMabPPact.exe alongside) inside the Posture Plug-in, which sits between the OfficeScan client and the Cisco Trust Agent; the posture request arrives from the NAD and the posture credentials return to the NAD.

D.3.2 External Validation


If the ACS were performing a local validation, it could proceed with the validation process after receiving credentials from the client. However, using the Trend Micro Policy Server to validate OfficeScan clients makes the process of configuring policies much simpler and less timeconsuming for you. To perform this external validation, the ACS must communicate with the Policy Server (see the figure below).
Figure D.5: Communication between the ACS and the Policy Server. The figure shows an SSL tunnel between the ACS and the Policy Server carrying an HTTP POST, a WWW-Authenticate request, a WWW-Authenticate response (MD5), and then the HCAP session data.

Host Credential Authorization Protocol (HCAP) is used to secure communications between the ACS and the Policy Server. Setting up an HCAP session involves encapsulating HCAP in HTTP messages and transmitting them over SSL. Once the SSL tunnel is created, the ACS issues an HTTP POST to the Policy Server, and the two sides authenticate the session using HTTP digest (MD5) authentication.
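The challenge/response shown in Figure D.5 is ordinary HTTP Digest authentication. The following added example, written for this page and not Cisco's or Trend Micro's code, works through one round of it in Python: the server side issues a WWW-Authenticate challenge with a fresh nonce, the client side computes the RFC 2617 response for a POST, and the server verifies it and refuses a replayed nonce. The realm, user name, password and the /hcap request path are constructed for the example; the real HCAP endpoint path is not given on this page.

```python
"""HTTP Digest (RFC 2617, qop=auth, MD5) challenge/response, as in Figure D.5.

Added illustration for this page; not Trend Micro or Cisco code.
Realm, credentials and the /hcap path are made up for the example.
"""
import hashlib
import hmac
import os


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_response(username, password, method, uri, realm, nonce, nc, cnonce, qop):
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side (the Policy Server's role): issues challenges,
    verifies responses, and allows each nonce to be used only once."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users            # username -> password (constructed)
        self.live_nonces = set()      # nonces issued but not yet consumed

    def challenge(self):
        """Parameters of the WWW-Authenticate header."""
        nonce = os.urandom(16).hex()
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, auth):
        """Check an Authorization header against the stored password."""
        nonce = auth.get("nonce")
        if nonce not in self.live_nonces or auth.get("realm") != self.realm:
            return False
        self.live_nonces.discard(nonce)   # one use per nonce, even if the check fails
        password = self.users.get(auth.get("username"))
        if password is None:
            return False
        expected = compute_response(auth["username"], password, method, auth["uri"],
                                    self.realm, nonce, auth["nc"], auth["cnonce"], auth["qop"])
        return hmac.compare_digest(expected, auth.get("response", ""))


def client_authorize(username, password, method, uri, chal, cnonce=None, nc="00000001"):
    """Client side (the ACS's role): answer a challenge with Authorization parameters."""
    cnonce = cnonce or os.urandom(8).hex()
    return {
        "username": username, "realm": chal["realm"], "nonce": chal["nonce"],
        "uri": uri, "qop": chal["qop"], "nc": nc, "cnonce": cnonce,
        "response": compute_response(username, password, method, uri,
                                     chal["realm"], chal["nonce"], nc, cnonce, chal["qop"]),
    }


def hcap_handshake(server, username, password, uri="/hcap"):
    """One POST round trip: 401 challenge, then the authenticated retry."""
    chal = server.challenge()                                        # WWW-Authenticate
    auth = client_authorize(username, password, "POST", uri, chal)  # Authorization
    return server.verify("POST", auth), auth


if __name__ == "__main__":
    srv = DigestServer("PolicyServer", {"acs": "s3cret"})   # constructed credentials
    print(hcap_handshake(srv, "acs", "s3cret")[0])          # True
    print(hcap_handshake(srv, "acs", "wrong")[0])           # False
```

Two points for a practitioner: the digest only proves knowledge of the shared password and does nothing for the confidentiality or integrity of the HCAP payload, which is why the page has the whole exchange inside the SSL tunnel; and MD5 is simply what RFC 2617 and the figure specify, not an algorithm to carry into a new design.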


When the ACS and the Policy Server have a properly authenticated HCAP session, the ACS sends the client's credentials to the Policy Server. The Policy Server checks those credentials against its policies and responds to the ACS with one of the following five tokens:

Healthy
Checkup
Quarantine
Infected
Unknown

The names of the tokens are defined by Cisco and cannot be changed. However, the tokens mean nothing in and of themselves: you define the credentials that will result in a specific type of token. You also define the actions that will be taken for each type of token by defining Access Control Lists (ACLs) and associating them with tokens. The ACS forwards the token and the ACL to the NAD. The NAD then enforces the action.

NOTE: The NAD stores the ACL for the client until it times out. This prevents posture validation from having to be performed for every packet coming from a particular client.

D.3.3 Remediation
Based on the token it receives and its associated actions, the NAD can either grant the client full access, grant it partial access, or block it entirely. However, the NAD also forwards the token to the client where additional remediation actions can be performed. These remediation actions can bring a client into conformance with your policies, allowing you to protect your network and also allowing the client to attempt to access the network again. To communicate the remediation action to the OfficeScan client, the CTA must once again communicate with the OfficeScan client through the Posture Plug-In. For this communication, traffic flows through TMabPPact.exe (see the figure below).


Figure D.6: CTA and OfficeScan Client Communication. The figure shows the remediation response arriving from the NAD at the Cisco Trust Agent and passing through the Posture Plug-in (TMabPPact.exe, with TMabPP.dll alongside) to the OSCE client on the client computer.

The client can perform the following remediation actions:

Update Now
NOTE: When an Update Now is forced as a remediation action, the OfficeScan client will only update directly from the OfficeScan server; it will not use an
Enable real-time scan
Scan Now
Cleanup Now
Client pop-up message
NOTE: You can define what this alert message will say.


D.4 > Configuration

To configure Cisco NAC on your OfficeScan network, you configure the following components:

OfficeScan (using the management console)
The Trend Micro Policy Server

In addition, you must configure the Cisco ACS and the NAD. For instructions on how to do so, see Appendix E: Configuring the Cisco ACS and NAD on page 425.

D.4.1 OfficeScan Configuration

The following can be configured on the OfficeScan management console:

Communication with the Policy Server
The client certificate
CTA deployment

Add Policy Server

To add a Policy Server in the OfficeScan management console, click Cisco NAC > Policy Server. Then click the Add link.

Figure D.7: Add Policy Server Page

In the Policy Server Address field, enter the name and port number of the Policy Server. 4343 is the default port, but this port is set up during installation of the Policy Server and may have been changed. The password was also defined during installation.

NOTE: If you install Policy Server with the OfficeScan server, the OfficeScan setup wizard automatically creates the link to the Policy Server for you.

Deploy CTA

Once you've imported the certificate, you can deploy the CTA. The CTA can be installed on Windows 2000/2003 or XP Pro clients. For instructions on how to do so, see Appendix E: Configuring the Cisco ACS and NAD on page 425.


NOTE: Like the certificate, the agent can also be installed on the server at server installation; see OfficeScan Server Installation.

Use the OfficeScan management console to deploy the agent by clicking on Cisco NAC on the sidebar, selecting the clients from the browser tree to which you want to deploy the CTA, and clicking on Agent Deployment on the sidebar. The Agent Install/Uninstall dialog box comes up (see the figure below).

Figure D.8: Agent Install/Uninstall Page

You can install, upgrade, or uninstall the CTA from this page. You can also choose whether you want the CTA to be automatically uninstalled when the OfficeScan client is uninstalled.

NOTE: If you upgrade a client certificate, you will need to manually uninstall, then reinstall, the CTA.

Preserve existing Cisco Trust Agent status means you don't want an installation to overwrite the CTA if one is already installed. Unless you are upgrading or certain you have never installed the CTA on any of the clients you selected, you may want to check this radio button; otherwise the server will reinstall the CTA and your settings will be lost.

Click Save and the Set Install CTA confirmation box appears.

Figure D.9: Set Install CTA Page

To verify that the CTA has been properly deployed, check the CTA program version on the management console's browser tree.

Import Client Certificate

The CTA uses a certificate to establish a secure PEAP communication channel between the CTA and ACS. The certificate is bundled with the CTA installation package. You must import the certificate on OfficeScan before you can deploy the CTA. The same certificate for the CTA must be imported on both ACS and OfficeScan.

NOTE: Importing the certificate for ACS is described in Appendix E: Configuring the Cisco ACS and NAD on page 425.


The certificate can be imported for OfficeScan by using the OfficeScan management console. To do this, click Cisco NAC > Client Certificate on the sidebar.

NOTE: It is also possible to import this certificate for OfficeScan during server installation. To review this process, see Chapter 4: OfficeScan Server Installation on page 63.

Figure D.10: Import Client Certificate Page

You must enter the path and filename for the certificate. It must be installed on a local drive on the server. Then click Import.

D.4.2 Policy Server Configuration

The following must be configured on the Policy Server:

Communication with the OfficeScan server
Synchronization
Rules
Policies

There are three ways to access the Policy Server:

From the start menu of the computer where Policy Server is installed, select Programs > Trend Micro Policy Server for Cisco NAC > Policy Server Console.
From a web browser. Use this URL: https://<servername>:<portnumber>/antibody.
NOTE: The default port number is 4343.
From the OfficeScan management console by clicking Cisco NAC > Policy Server on the sidebar, then selecting the link you created when you added the Policy Server to OfficeScan.

Summary Page

The summary page gives you information about the configuration of your Policy Server, including how many OfficeScan servers are registered with the Policy Server and the number of rules and policies in effect on the Policy Server (see the figure below). You can export rules, policies, and server lists to be used on another Policy Server by clicking Export, then import those rules, policies, and server lists by clicking Import. In addition, you can view the current log of machines that have been validated by clicking on the View current validation log link. The list of registered OfficeScan servers shows you all the OfficeScan servers registered to the Policy Server and whether they are in normal or outbreak mode. A link is also provided that you can use to manually synchronize an OfficeScan server with the Policy Server.


Figure D.11: Summary Page

Add OfficeScan Server

For the Policy Server to be consistently notified of the most current version of antivirus components, at least one OfficeScan server needs to be registered with the Policy Server. To register an OfficeScan server with the Policy Server, click Configurations > OfficeScan Servers on the sidebar. A list of the currently registered OfficeScan servers appears. To add a new server, click the Add link. The Add OfficeScan Server page appears (see the figure below).

Figure D.12: Add OfficeScan Server Page

To add a server, you must enter an OfficeScan server address. You may enter an IP address, hostname, or a Fully Qualified Domain Name (FQDN). You must also enter the port for your OfficeScan server. The default port for OfficeScan is 8080. You must also choose the policies that Policy Server will use for the server in normal or in outbreak mode. Normal mode is the everyday operation of your network. Outbreak Mode occurs when a network administrator deploys a manual outbreak prevention policy to their OfficeScan clients. Typically, this is in response to a new threat, before a pattern file or scan engine is available to protect the organization.


Outbreak mode policies are normally much stricter, and if even a single client connected to the server has a manual outbreak prevention policy deployed, the Policy Server will see OfficeScan as being in outbreak mode and will change the tokens it sends the ACS accordingly. Therefore, you may want to exercise tighter control over who is allowed to deploy outbreak prevention when using Cisco NAC.

Synchronization

In order for the Policy Server to provide current validation information to the ACS, it needs to have information from the OfficeScan server about the most up-to-date pattern files and scan engine versions. You configure how often the Policy Server will synchronize with the OfficeScan servers registered to it. You can select a time from every three minutes to every 24 hours. To configure this option, click Administration > Scheduled Synchronization and enter the time interval (in minutes) at which you want synchronization to occur.

Figure D.13: Scheduled Synchronization Page

NOTE: If you do not want to wait for the next scheduled synchronization cycle, you can always perform a manual synchronization by clicking the Synchronize with OfficeScan link on the Summary screen.

Rules

Rules define which antivirus settings the Policy Server will check and the response it will take if the criteria are met. After defining rules, you will use them in a Policy. You cannot delete a rule that is in use by a policy unless you delete it from the policy first. To manage rules, click on Configurations > Rules.

Figure D.14: Rules Page

From the rules page, you can select rules to add, edit, or delete. The following default rules are already set up for you:


Checkup: The checkup rule checks the pattern file version. If it is 1 to 4 versions older than the current version, the Policy Server will return a Checkup token to ACS. The rule also specifies that the event must be logged, the pattern file must be updated, a cleanup must be performed, and the client must be notified.

Quarantine: The quarantine rule also checks the pattern file version. If it is 5 or more versions old, the Policy Server will return a Quarantine token to ACS. The rule specifies all the same remediation actions as the Checkup rule. In addition, it will order that the client be scanned for viruses.

Not Protected: This rule checks whether real-time scan is disabled. If it is, the Policy Server returns an Infected token to ACS. Remediation actions specified are: log the event, enable real-time scanning, and notify the client.

Healthy: The healthy rule checks whether real-time scan is enabled, whether the scan engine is current, and whether the pattern file version is current. If the client meets all of these criteria, a Healthy token is returned to ACS. No remediation action is performed.

NOTE: The action taken by the NAD for any token is completely customizable by configuring ACLs and redirect URLs in ACS.

To create your own rules, click Add. The New Rule page appears (see the figure below).

Figure D.15: New Rule Page


To create a new rule, you need simply name it, check all the criteria that must match in order to return a positive result for the rule, then select the action or actions you want taken if the rule criteria are matched.

NOTE: If you select multiple criteria, all must match in order to match the rule.

Policies
A policy is the set of rules against which client credentials are checked. Each OfficeScan server can be configured with only two policies: one for normal mode and one for outbreak mode, although you can have different policy sets for different OfficeScan servers. You can create new policies, but you will have to make a policy either the normal mode policy or the outbreak mode policy in order for Policy Server to use it. You can also edit the existing normal and outbreak mode policies by changing which rules they use. Click Configurations > Policies to bring up the Policies page.

Figure D.16 Policies Page 6: e

Rules are read in a top-down order, and if the criteria for a rule are matched, Policy Server will respond to ACS according to the criteria defined by the rule. If there is no match for any of the rules, the policy will define a no-match response and return it to ACS. No-match response criteria for the default policies are set up as shown in the table below.

Policy          Rules in Use (top-down)              No-Match Response
Normal Mode     Not Protected, Quarantine, Checkup   Healthy
Outbreak Mode   Not Protected, Quarantine, Checkup   Infected

The remaining columns of the table are the remediation actions that can accompany the no-match response: Log, Update, Enable Real-Time Scanning, Cleanup and Scan, and Notify.

Table D.3: No-match Response Criteria for the Default Policies


Figure D.17: Edit Policy Page

To define your own policy, you must first name it. You may then select which of the currently defined rules you want to apply to the policy. Use the up and down arrows at the right of the Rules in use field to determine the order rules will be read in. Finally, define the actions you want to be taken if no rules return a match.
NOTE: The default response if no rule matches maps back to the token that ACS will return to the NAD.

Policy Server Summary


The Trend Micro Policy Server works with Cisco NAC in an OfficeScan network in the following way:
1. ACS sends client credentials to the Policy Server.
2. The Policy Server checks which mode the OfficeScan server is in and runs either the normal or outbreak mode policy.
3. The Policy Server evaluates all the rules defined by the policy in a top-down order.
4. If a matching rule is found, the Policy Server responds back to ACS with the specified token and remediation actions as defined in the matched rule.
5. If no matching rule is found, the Policy Server responds back to ACS with the specified token and remediation actions as defined in the Default Response of the policy.
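The five steps above, worked through as an added Python model; this is not Trend Micro's Policy Server code. Only the rule names (Not Protected, Quarantine, Checkup) follow Table D.3; the credential fields realtime_scan and pattern_age_days, the rule criteria and the action names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added model of the Policy Server flow; not Trend Micro code. Credential
# field names and the rule criteria below are constructed for illustration.
Credentials = Dict[str, object]
Criterion = Callable[[Credentials], bool]


@dataclass
class Rule:
    name: str
    criteria: List[Criterion]        # every criterion must hold for a match
    token: str                       # posture token returned to ACS
    actions: List[str] = field(default_factory=list)   # remediation actions

    def matches(self, creds: Credentials) -> bool:
        # Multiple criteria must all match for the rule to match.
        return all(check(creds) for check in self.criteria)


@dataclass
class Policy:
    name: str
    rules: List[Rule]                # read top-down, in this order
    default_token: str               # Default Response when no rule matches
    default_actions: List[str] = field(default_factory=list)


@dataclass
class Response:
    policy: str
    matched_rule: Optional[str]      # None means the default response was used
    token: str
    actions: List[str]


def evaluate(policy: Policy, creds: Credentials) -> Response:
    """Steps 3 to 5: the first rule whose criteria all match wins; otherwise
    the policy's default response is returned."""
    for rule in policy.rules:
        if rule.matches(creds):
            return Response(policy.name, rule.name, rule.token, list(rule.actions))
    return Response(policy.name, None, policy.default_token,
                    list(policy.default_actions))


def validate(creds: Credentials, outbreak_mode: bool,
             normal: Policy, outbreak: Policy) -> Response:
    """Step 2: run the policy that matches the OfficeScan server's mode."""
    return evaluate(outbreak if outbreak_mode else normal, creds)


# Constructed criteria over hypothetical credential fields.
def realtime_scan_off(c: Credentials) -> bool:
    return not bool(c.get("realtime_scan", False))


def pattern_older_than(days: int) -> Criterion:
    return lambda c: int(c.get("pattern_age_days", 0)) > days


# Constructed policies. Rule names follow Table D.3; criteria and actions are assumed.
NORMAL_POLICY = Policy(
    name="Normal Mode",
    rules=[
        # Listed first so a client failing both checks is quarantined rather
        # than merely sent for checkup: rule order is what decides.
        Rule("Quarantine", [realtime_scan_off, pattern_older_than(7)],
             token="Quarantine",
             actions=["Enable Real-Time Scanning", "Update", "Notify"]),
        Rule("Not Protected", [realtime_scan_off],
             token="Checkup", actions=["Enable Real-Time Scanning"]),
        Rule("Checkup", [pattern_older_than(7)],
             token="Checkup", actions=["Update"]),
    ],
    default_token="Healthy",
)

OUTBREAK_POLICY = Policy(
    name="Outbreak Mode",
    rules=[
        Rule("Quarantine", [realtime_scan_off], token="Quarantine",
             actions=["Enable Real-Time Scanning", "Cleanup and Scan", "Notify"]),
        # Outbreak mode tolerates no stale pattern at all.
        Rule("Checkup", [pattern_older_than(0)], token="Checkup", actions=["Update"]),
    ],
    default_token="Healthy",
    default_actions=["Cleanup and Scan"],
)


if __name__ == "__main__":
    sample = {"realtime_scan": True, "pattern_age_days": 1}   # constructed credentials
    for mode in (False, True):
        r = validate(sample, mode, NORMAL_POLICY, OUTBREAK_POLICY)
        print(f"{r.policy}: rule={r.matched_rule} token={r.token} actions={r.actions}")
```

The same client credentials pass the normal mode policy untouched but are sent for checkup under the outbreak mode policy, which is the mode switch of step 2 in action.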


D.5 > Files and Services


The CTA, Posture Plug-In, and Trend Micro Policy Server have the following associated files and services:

D.5.1 CTA
DEFAULT INSTALL DIRECTORY: C:\Program Files\Cisco Systems\CiscoTrustAgent
SERVICES: Cisco TrustAgent, Cisco TrustAgent Logging Service
PROCESSES: ctad.exe, ctalogd.exe
REGISTRY: HKLM\Software\CiscoSystems\CTA
NOTE: CTA uses port 21862. An outbreak prevention policy can disrupt CTA communication with the router if you block port 21862, which could prevent the client from being able to access the network.

D.5.2 Posture Plug-In


DEFAULT INSTALL DIRECTORY: C:\Program Files\Cisco Systems\CiscoTrustAgent\Plugins\Install

D.5.3 Policy Server


DEFAULT INSTALL DIRECTORY: C:\Program Files\Trend Micro\Policy Server
SERVICES: Trend Micro Policy Server for Cisco NAC
PROCESSES: PolicyServer.ex
REGISTRY: HKLM\Software\Trend Micro\Antibody Policy Service


Appendix E: Configuring the Cisco ACS and NAD


E.1 > The Cisco ACS
NAC represents only a portion of Cisco ACS. This course addresses only the ACS configurations related to NAC. Important NAC-related configurations in ACS include:
- Communication with the router
- Installation of the certificates
- The NAC external user database
- ACLs and groups
- A clientless user account
- Global authentication for PEAP
- An unknown user policy
- Logs

To navigate in ACS, you should be familiar with the sidebar menu pictured in Figure E.1.

Figure E.1: ACS Sidebar Menu

E.1.1 Communication with the Router


To configure communication with the router, click Network Configuration. If your NAD is not displayed, select Add Entry under the AAA Clients table. You must fill in the hostname of the router, its IP address, and the RADIUS key shared between the router and ACS. All communications between the router and the ACS use RADIUS authentication. Choose RADIUS (Cisco IOS/PIX) from the drop-down menu next to Authenticate Using.


E.1.2 Certificates


You must install and configure the certificates for both the ACS and the CTA. To install the server certificate, select System Configuration > ACS Certificate Setup > Install ACS Certificate.

Figure E.2: Install New Certificate

Input the location of the certificate file, the private key file, and a private key password. To install the client certificate, click System Configuration > ACS Certificate Setup > ACS Certification Authority Setup. The page has a field for the CA certificate file. Enter the client certificate's full path. Once you've installed the client certificate, you must tell the ACS to trust it. Click System Configuration > ACS Certificate Setup > Edit Certificate Trust List. A checklist of installed certificates appears. Click in the checkboxes next to the name of the client certificate you just installed. After installing both certificates, you will need to restart ACS. Select System Configuration > Service Control > Restart.

E.1.3 The NAC External User Database


Configuring the NAC database consists of creating a list of credentials that are mandatory for a client to access the network. To access these configurations, select External User Databases > Database Configuration > Network Admission Control > Create New Configuration, enter a name for the database and select Configure. Under the Mandatory Credential Types, click the Edit List button.

Figure E.3: Edit Credential Types


You can select your mandatory credentials by moving them from the available credentials list on the left to the selected credentials list on the right. Trend Micro OfficeScan software will be listed as Trend AV.
NOTE: You can configure exceptions to the mandatory credentials on either the router or the ACS. This chapter explains under NAD Configuration how to configure exceptions on the router.

To set up ACS to use the Trend Micro Policy Server, click External User Databases > Database Configuration, then under Credential Validation Policies, click the External Policies button.

Figure E.4: External Policy Configuration

You must enter the URL of the Policy Server in either CGI or ISAPI format. This URL tells ACS where to send the HCAP requests for validation. Trend Micro has done internal testing and found ISAPI to have much better performance, especially on Apache Web servers. On Apache servers, ISAPI performed 280 responses per second. On IIS servers, ISAPI performed 150 responses per second. CGI, on the other hand, performed 100 responses per second on Apache and less than 100 responses per second on IIS. The URLs should be entered as follows:
CGI:   https://<polsrv>:<port#>/antibody/cgi-bin/PostureRequest.exe
ISAPI: https://<polsrv>:<port#>/antibody/cgi-bin/PostureRequest.dll?PostureRequest

You must also enter the Username and Password you specified when you installed the Policy Server. Under Forwarding Credential Types, specify the credentials you want to forward to the Policy Server for validation. Because this is a Trend Micro Policy Server, it will validate only Trend AV.

E.1.4 ACLs and Groups


Once the Policy Server has checked a client's credentials, it sends the information back to ACS. ACS is responsible for forwarding the decision about network access back to the router so that the router can enforce it. ACLs are mapped to specific tokens so that the router will know what action to take according to which token it receives.


To create an ACL, click Shared Profile Components > Downloadable IP ACLs, then click the Add button.

Figure E.5: Downloadable IP ACL Content

You use standard Cisco IOS parameters to define the action that should be taken. You can specify either permit or deny. any is a wildcard indicating the source of a packet with an IP address range from 0.0.0.0 to 255.255.255.255. Once you've defined an action by creating an ACL, you must associate that action with a particular token by editing the groups that are named for the tokens. To do this, click Group Setup, select the proper group name from the drop-down menu, then click Edit Settings.

Figure E.6: Assigning an ACL to a Group

There are a large number of configurable settings for groups. This course describes only two: assigning an ACL to a group and assigning a URL to which a denied client can be redirected. To assign an ACL to the group, under Downloadable ACLs, enable the Assign IP ACL: checkbox. Choose the name of the ACL you created and wish to associate with the group.

Figure E.7: Assigning a Redirect URL

To assign a redirect URL, under Cisco IOS/PIX RADIUS Attributes, enable the checkbox next to [009/001] cisco-av-pair. Type in the URL you wish to redirect the client to. You can also specify the type of token that will trigger redirection by using the posture-token= command.

E.1.5 Configure a Clientless User


In order to allow access to clients with no AV credentials, for example to Windows 95/98/ME clients that cannot have a CTA installed, you need to create a clientless user, either in ACS or on the router. This user will need a name and a password. To configure this user, click User Setup.

E.1.6 Global Authentication for PEAP


Configurations for PEAP are on the Global Authentication Setup page in the ACS console. To access this page, click System Configuration > Global Authentication Setup.


You have the choice of enabling the following protocols:
- EAP-MSCHAPv2
- EAP-GTC
- CNAC

EAP-MSCHAPv2 is a protocol that is widely used by Microsoft clients in PEAP communications. You probably want to enable it. EAP-GTC allows the exchange of cleartext authentication token cards. Enabling it here will allow those token cards to be exchanged inside the PEAP tunnel for better security. You must enable CNAC for credential authentication information to be exchanged in the PEAP tunnel.

You can cause a message to appear on the client machine every time the posture validation process is initialized by typing one into the field next to Cisco client initial message. This message would appear every five minutes on the client and would probably be disruptive, so you would want to have a good reason to enable it.

The ACS allows caching of PEAP credentials so that a session can resume after a client is disconnected, then reconnects before the session times out. This improves performance, but it is a potential security risk. Setting the parameter to zero disables this feature.

Enable Fast Reconnect is a feature that allows clients to resume communication without setting up a new PEAP tunnel. This is a security risk. The feature is enabled by default; Trend Micro recommends unchecking the checkbox to disable this feature.

E.1.7 Files and Services


Default Install Directory: C:\Program Files\CiscoSecure ACS v3.3
Services: CSAdmin, CSDbSync, CSMon, CSTacacs, CSAuth, CSLog, CSRadius
Processes: CSAdmin.exe, CSAuth.exe, CSDbSync.exe, CSLog.exe, CSMon.exe, CSRadius.exe, CSTacacs.exe
Registry: HKLM\Software\Cisco\CiscoAAAv3.3


E.1.8 Debug Logs


Debug logs for Cisco ACS are created automatically and daily. You can find the current day's debug log at C:\Program Files\CiscoSecure ACS v3.3\CSAuth\Logs\auth.log. The debug logs from previous days are renamed Auth<yyyymmdd>.log.

E.2 > NAD Configuration


The information given here about configuring a NAD is specific to the Cisco advanced series routers (800-7200) that are currently the only type of NAD available. A list of useful router commands is included here. Remember that you must upgrade the Cisco IOS to accommodate the new handling protocols and commands.

E.2.1 Configure AAA Authentication for NAC


The router uses IOS Auth-Proxy to intercept client traffic and to enforce policies obtained from the ACS server. Auth-Proxy defines the routines responsible for data path intercept, triggering of posture validation and enforcement of network access policies sent down by the authenticating ACS server. The following commands are important:

Configure AAA RADIUS for EAPoUDP


aaa authentication eou default group radius

Configure Authentication Proxy for AAA RADIUS


aaa authorization auth-proxy default group radius

Set an IP Admission Inactivity Timer


ip admission inactivity-timer {minutes}

NOTE: When no activity occurs after this time expires, revalidation starts over. The inactivity timer default is 10 minutes.

E.2.2 Configure Communication with ACS Server


The router sees the ACS simply as a RADIUS server. You must specify the ACS server. You may also specify ports if you've changed any of the defaults. The default RADIUS auth-port number is 1645 and the acct-port number is 1646. These are also the defaults for the Cisco ACS. You must also specify the RADIUS server key string, which must match the ACS key string. Finally, specify the router interface that the ACS is connected to.
radius-server host {name | ip-address} [auth-port port-num] [acct-port port-num]


radius-server key {7 string | string}

NOTE: The 7 option enables the key exchange to be encrypted.

ip radius source-interface {interface}

E.2.3 Define Access Lists


You do not have to have posture validation for all traffic that goes through the router. You can define an interface ACL and an intercept ACL to control which traffic is validated and which is not. The interface ACL is also referred to as the default access list.
access-list {access-num} permit ip any host {router-IP-address}

In this example, the permit ip any any statement allows unvalidated traffic to access other areas of the network, including the internet. Some customers may not want any network access at all until clients are validated, so deny ip any any may be more appropriate. You must also configure an ACL to specify what will be subject to posturing. Packets that match this intercept ACL are intercepted.
access-list {access-num} deny ip any host {router-IP-address}

Notice the intercept ACL mirrors the interface ACL, except that traffic denied by the intercept ACL is specifically permitted by the interface ACL. Doing this subjects the traffic to the posture validation process. You must assign your intercept ACL to the clients you want to be subject to posture validation using the following command:
ip admission name {rule-name} eapoudp list {std-access-list-num}

The std-access-list-num is the same as the access-num that you assigned to your intercept ACL in the previous command.
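The interface/intercept ACL pairing described in this section, worked through as an added Python model; this is not Cisco IOS or the textbook's own configuration. It includes the permit ip any any line the text refers to and its deny ip any any alternative; the ACL numbers 101 and 102 and the addresses 192.0.2.1 (router) and 198.51.100.10 are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Added model of interface vs. intercept ACLs for NAC posture validation;
# not Cisco IOS code. ACL numbers and addresses below are constructed.
ROUTER_IP = "192.0.2.1"

# Numbered ACL lines in the textbook's form. The open interface ACL carries
# the "permit ip any any" line the text refers to; the strict variant denies.
INTERFACE_ACL_OPEN = f"""
access-list 101 permit ip any host {ROUTER_IP}
access-list 101 permit ip any any
"""
INTERFACE_ACL_STRICT = f"""
access-list 101 permit ip any host {ROUTER_IP}
access-list 101 deny ip any any
"""
# The intercept ACL mirrors the interface ACL: traffic to the router itself
# is excluded from posturing, everything else is intercepted.
INTERCEPT_ACL = f"""
access-list 102 deny ip any host {ROUTER_IP}
access-list 102 permit ip any any
"""

ACL_LINE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+any\s+(any|host\s+(\S+))$")


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    host: str     # destination host address, or "" for any


def parse_acl(text: str) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list N permit|deny ip any {any|host A}' lines, keeping order."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in text.strip().splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        number, action, _, host = m.groups()
        if host:
            ipaddress.ip_address(host)   # reject a malformed address early
        acls.setdefault(int(number), []).append(AclEntry(action, host or ""))
    return acls


def acl_decision(entries: List[AclEntry], dst_ip: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if e.host == "" or e.host == dst_ip:
            return e.action
    return "deny"


def classify(interface_acl: List[AclEntry], intercept_acl: List[AclEntry],
             dst_ip: str) -> Dict[str, bool]:
    """What the router does with a packet from a not-yet-validated client."""
    return {
        # interface ACL: may the packet pass before posture validation?
        "forwarded_unvalidated": acl_decision(interface_acl, dst_ip) == "permit",
        # intercept ACL: does the packet trigger posture validation?
        "intercepted": acl_decision(intercept_acl, dst_ip) == "permit",
    }


def nac_behaviour(interface_text: str, dst_ip: str) -> Dict[str, bool]:
    """Combine one interface ACL variant with the intercept ACL for a destination."""
    iface = parse_acl(interface_text)[101]
    icpt = parse_acl(INTERCEPT_ACL)[102]
    return classify(iface, icpt, dst_ip)


if __name__ == "__main__":
    for dst in (ROUTER_IP, "198.51.100.10"):
        print(dst, "open:", nac_behaviour(INTERFACE_ACL_OPEN, dst),
              "strict:", nac_behaviour(INTERFACE_ACL_STRICT, dst))
```

Traffic to the router is always forwarded and never intercepted, so the EAPoUDP exchange can take place; other traffic is intercepted in both variants, and only the strict interface ACL holds it back until validation succeeds.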

E.2.4 Clientless Access


To enable machines without a CTA to access the network, you need to configure the following on the router:
eou clientless username {username}
eou clientless password {password}
eou allow clientless

The abbreviation eou is for EAP over UDP. Define a username and password for your clientless users. You may define an ACL for them on the router or in the ACS.


E.2.5 Clear Posture Validation Cache


Clearing the validation cache will force the revalidation of a client. The first command below demonstrates how to clear the cache for all clients. The second clears it for a specific IP address.
clear ip auth-proxy cache *
clear eou ip {ip-address}

E.2.6 Force Revalidation


Another way to force revalidation is to use the force revalidation command.
eou revalidate all
eou revalidate ip {ip-address}

E.2.7 Display Validation Results


If you wish to view the results of validation for all clients or a specific client, the following commands are available:
show eou all
show eou ip {ip-address}

E.2.8 Troubleshooting Commands


The following commands will help with troubleshooting:

IOS Show Commands


show eou [all] | [ip x.x.x.x]
show ip admission cache eapoudp
show access-list

EOU Commands
eou initialize all
eou initialize ip x.x.x.x
eou revalidate all
eou revalidate ip x.x.x.x

Clear Commands
clear ip admission cache eapoudp
clear eou [all] | [ip x.x.x.x]


Debug Commands
debug eou all
debug eap
debug ip admission eapoudp


Appendix F: Trend Micro Smart Protection Network (SPN)
Because conventional security solutions no longer adequately protect against the evolving set of Web threats, users need a new approach. Trend Micro delivers that approach with the Trend Micro Smart Protection Network (SPN).

Figure F.1: The Trend Micro Smart Protection Network (SPN)

F.1 > What is Trend Micro SPN?


The Trend Micro Smart Protection Network (SPN) is composed of a global network of threat intelligence technologies and sensors that provide comprehensive protection against all types of threats, from malicious files, spam, phishing, and Web threats, to denial of service attacks, Web vulnerabilities, and even data loss. By incorporating in-the-cloud reputation, scanning, and correlation technologies, the Trend Micro SPN reduces reliance on conventional pattern file downloads and eliminates the delays associated with desktop updates. Businesses benefit from increased network bandwidth, reduced processing power, and associated cost savings.


The process in the figure below is very straightforward. However, with the amount of malware being seen in the security industry, keeping up with the volume is a challenge. The question raised on the customer's end, then, is: how many updates per day will be acceptable? This is critical in light of the fact that not all computers will receive the update in time to protect them well, for many reasons. With this in mind, protecting individual devices and systems is important, but it is only a first step.

Figure F.2: The pattern update challenge in security management.

The Trend Micro Smart Protection Network (SPN) is a next-generation cloud-client content security infrastructure that delivers security that is smarter than conventional approaches by blocking the latest threats before they reach a user's PC or a company's network. Leveraged across Trend Micro's solutions and services, the Trend Micro Smart Protection Network combines unique Internet-based, or in-the-cloud, technologies with lighter-weight clients. By checking URLs, emails, and files against continuously updated and correlated threat databases in the cloud, customers always have immediate access to the latest Trend Micro protection wherever they connect to the Internet.

Figure F.3: Moving content security into the cloud keeps up with the threat population.


By moving the largest portion of patterns or signatures into the cloud, it is possible to:
- Significantly reduce endpoint memory consumption
- Protect our customers in real time
- Reduce the need for pattern updates to our customers
- Reduce bandwidth consumption on corporate networks
- Increase awareness of threats affecting our customers
- Solve the pattern file download volume problem

The Trend Micro Smart Protection Network (SPN) is security made smarter for many reasons. Key characteristics of this innovative security solution model include:
- New Threats, New Defense: Extensive cloud-based threat protection network, correlated processing, immediate and automatic protection
- Stronger, Faster Protection, Lighter on Your System Resources: Light-weight clients communicate with cloud-based threat protection network, reducing resource requirements on the endpoint
- Anywhere, Anytime Security: Communication with cloud network upon each connection, always providing access to the latest protection, on network or off
- Multi-Layered Protection: Threat protection across Web, messaging and endpoints in on-site or hosted solutions
- Comprehensive Security: Protection against all types of threats: malicious files, spam, phishing, Web threats, DoS, Web vulnerabilities, data leakage
- Better Together Security: Neighborhood Watch approach to security
- Backed by Proven Content Security Leadership and Expertise: 20 years of Internet content security leadership, 1,000 security experts worldwide, 24/7

The Trend Micro Smart Protection Network (SPN) incorporates a complete end-to-end security solution, based on the high level of threats and growing malware numbers, increased cyber crime, and expanding threat landscape. This model includes Protection, Enforcement, Review and Education, as shown in the figure below.


Figure F.4: Trend Micro Smart Protection Network with Complete End-to-end Security Solutions.

The Trend Micro Smart Protection Network (SPN) is composed of the following components:
- Web reputation technology
- Email reputation technology
- File reputation technology
- Correlation technology with behavior analysis
- Feedback loops
- Threat intelligence (threat collection, threat analysis)

Web Reputation Technology


As a critical element of the Trend Micro Smart Protection Network (SPN), Web reputation technology guards against Web-based threats before they endanger a network or a user's PC. By assigning a relative reputation score to domains and individual pages within these domains, Web reputation technology weighs several factors, including:

- Website's age
- Historical location changes
- Other factors that might indicate suspicious behavior

The technology then advances this assessment through malware behavior analysis, monitoring network traffic to identify any malware activity originating from a domain. Trend Micro Web reputation technology also performs website content crawling and scanning to complement this analysis with a block list of known bad or infected sites. Access to malicious Web pages is then blocked based on domain reputation ratings. To reduce false positives and increase accuracy, Trend Micro's Web reputation technology assigns reputations to specific pages or links, rather than an entire site, as sometimes only portions of a legitimate site are hacked.

Email Reputation Technology


As an additional layer of protection, email reputation technology can stop up to 80 percent of email-based threats, including emails with links to dangerous websites, before these threats reach the network or the user's PC. Email reputation technology validates IP addresses, or computer addresses, against both a reputation database of known spam sources and a dynamic service that can assess email sender reputation in real time. Reputation ratings are further refined through continuous analysis of the IP address's behavior, scope of activity, and prior history. Malicious emails are blocked in the cloud based on the reputation of the sender's IP address, preventing threats such as botnets from reaching the network or the user's PC. The reputation status is continually updated to ensure that a good reputation is restored when infected bots are cleaned, resuming delivery of legitimate email.

Smart Scanning Technology


The Trend Micro Smart Protection Network leverages file reputation technology, in addition to Web and email reputation technologies. Cyber criminals frequently move individual files with malicious content from one website to another to avoid detection, making file reputation checking a critical element to security in a Web 2.0 world. File reputation capabilities also address the fact that a reputation may not yet be assessed for a website that contains a malicious file. In addition, any file attached to an email is checked for malware. Malware in email attachments, if installed, can access the Web as an implementation mechanism. Files should also be checked on the Web itself. File reputation technology essentially checks the reputation of a file against an extensive database before permitting the user to download it. To accomplish this, a data crawl of each file hosted on a Web page or attached to an email, as well as an assessment of each file's reputation, is performed to continuously update a database of file reputation in real time.

Correlation Technology with Behavior Analysis


The Trend Micro Smart Protection Network uses correlation technology with behavioral analysis to correlate combinations of threat activities to determine if they are malicious. Although a single email or other component of a Web threat may appear innocuous, several activities used in conjunction can create a malicious result. So a holistic view, gained by examining the relationship between and across the different components of a potential threat, is required to determine if a threat is actually present. For example, a user may receive an email from a sender whose IP address has not yet been identified as that of a spam sender. The email includes a URL to a legitimate website that is not yet listed as malicious in a Web reputation database. By clicking on the URL, the user is unknowingly redirected to a malicious website hosting information stealers that are downloaded and installed on the user's computer, gathering private information for criminal purposes. Behavior analysis also correlates activities of a single session on the same protocol (e.g. an SMTP attachment with a suspicious double extension), as well as activities during multiple network connection sessions on the same protocol (e.g. a downloader blended threat in which individual files that each appear to be innocent are downloaded, but together form a malicious program). In addition, activities of multiple sessions and different protocols (e.g. SMTP and HTTP) are


correlated to identify suspicious combinations of activities (e.g. an email with a URL link to several recipients and an HTTP executable file download from the linked Web page). Information learned in the behavior analysis function at the gateway is looped back to provide the Web reputation technology and database with site-threat correlation data and to update the email reputation database of known bad IPs and domains. Similarly, information acquired at the endpoint is looped back to the file scanning capability at the gateway, network servers, and the Web reputation capability in the cloud. Both feed-through and loop-back techniques are needed to ensure real-time, Web threat protection across the entire network. By correlating different threat components and continuously updating its threat databases, Trend Micro has the distinct advantage of responding in real time, providing immediate and automatic protection from email and Web threats.

Feedback Loops
Additionally, because Trend Micro solutions act as a single, cohesive security platform, built-in feedback loops provide continuous communication between Trend Micro products and Trend Micro's threat research centers and technologies in a two-way update stream to ensure rapid and optimal protection against the latest threats. Functioning like the "neighborhood watch" approach occurring in many communities, Trend Micro's extensive global feedback loop system contributes to a comprehensive, up-to-date threat index that enables real-time detection and immediate, smarter together protection. Each new threat identified via a single customer's routine reputation check, for example, automatically updates all Trend Micro's threat databases around the world, blocking any subsequent customer encounters of a given threat. Because the threat information gathered is based on the reputation of the communication source, not on the content of the specific communication, latency is not an issue, and the privacy of a customer's personal or business information is always protected.

Threat Intelligence
Trend Micro supplements user feedback and submissions with internal research culled from researchers in the United States, the Philippines, Japan, France, Germany, and China. Multilingual staff members at TrendLabs, Trend Micro's global network of research, service and support centers, respond in real time, providing 24/7 threat surveillance and attack prevention to detect, pre-empt, and eliminate attacks. Using a combination of technologies and data collection methods, including Honey Pots, Web crawlers, customer and partner submissions, feedback loops, and TrendLabs threat research, Trend Micro proactively gains intelligence about the latest threats. This threat data is analyzed and correlated in real time via queries of Trend Micro's malware knowledge databases in the Internet cloud and by TrendLabs research, service, and support centers.


F.2 > A Multilayered Framework for Enterprise-Wide Protection
Keeping IT resources, data, and users secure is a complex proposition in today's threat landscape, when an infection can quickly occur. While the antivirus vendor gets samples from sources, such as infected customers, HoneyPots, industry submissions, and crawling activities, it takes time to analyze the samples, add the samples to a master pattern database, and deploy the pattern in a batch update to the customer database. All this happens before your systems can be updated. That is why a multilayered framework with protection at many levels is important. Trend Micro uses a multilayered framework, such as that in the figure below. It contains solutions that span messaging, Web, endpoint, and network security.

Figure F.5: Trend Micro Multilayered Framework


Appendix G: Standalone Smart Scan Server Deployment & Management
Although the Smart Scan Server can be installed on your OfficeScan Server, you can also install standalone servers. Multiple installations are recommended for failover purposes. This appendix describes how to install and manage a standalone Smart Scan Server.

G.1 > Standalone Smart Scan Server Deployment


G.1.1 Recommended System Requirements
For the standalone Smart Scan Server, these are the minimum requirements:

Virtualization Requirements


- VMware ESXi Server 3.5 Update 2
- VMware ESX Server 3.5 or 3.0
- VMware Server 2.0
NOTE: A purpose-built, hardened, performance-tuned 64-bit Linux operating system is included with the standalone server.

Hardware System Requirements


- 2.0 GHz Intel Core2Duo 64-bit processor supporting Intel Virtualization Technology or equivalent
- 512 MB of RAM
- 10 GB of available disk space
- Monitor that supports 800 x 600 resolution with 256 colors or higher
NOTE: Smart Scan Server automatically partitions the detected disk space as required.


Virtual Machine Requirements


- Red Hat Enterprise Linux 5 64-bit for VMware ESX 3.5, VMware ESXi 3.5, or VMware Server 2.0
- Red Hat Enterprise Linux 4 64-bit for VMware ESX 3.0
- 512 MB RAM
- 2.0 GHz processor
- 10 GB available disk space
- 1 network device
NOTE Install VMware Tools after successfully installing Smart Scan Server.

Browser Requirements
Microsoft Internet Explorer 6.0 or later (for access to the Web product console)

G.1.2 Installation Considerations

Consider the following when setting up your local Smart Scan Server:

Smart Scan Server is a CPU-bound application. This means that increasing CPU resources increases the number of simultaneous client connections handled. For standalone servers, the number of processors allocated to the virtual machine will affect the performance of the server.

Additional memory might be required if there is a large number of concurrent connections between Smart Scan Servers and OfficeScan clients.

Network bandwidth may become a bottleneck depending on the network infrastructure and the number of simultaneous connections.

Because the integrated Smart Scan Server and the OfficeScan server run on the same computer, the computer's performance may drop significantly during peak traffic for the two servers. Consider using standalone Smart Scan Servers as the primary Smart Scan source for clients and the integrated server as a backup server, to reduce the traffic directed to the OfficeScan server computer.

If you install the integrated Smart Scan server, consider disabling the OfficeScan firewall. The OfficeScan firewall is intended for client computer use and may affect performance when enabled on server computers. See the Administrator's Guide for information on disabling the OfficeScan firewall.

NOTE Disabling the OfficeScan firewall removes host-level filtering from the server. Consider the effects before doing so and ensure that the change adheres to your security plan.


G.1.3 Installing Local Smart Scan Servers

After deciding which and how many Smart Scan servers to install, proceed with Smart Scan server installation.

Standalone Smart Scan Server Installation

The standalone Smart Scan Server installation process formats your existing system for program installation. VMware installation requires the creation of a virtual machine before installation. You need the following information for the installation:
Proxy server information
A virtual machine server that fulfills the requirements for your network

RUNNING THE INSTALLATION PROGRAM
After preparing the requirements for installation, run the installation program to begin installation.

TO INSTALL THE STANDALONE SERVER:
1. Create a virtual machine on your VMware ESX server and specify that the virtual machine boots from the Smart Scan Server ISO.
2. Power on the virtual machine. The Installation Menu displays with the following options:
Install Smart Scan Server: Select this option to install Smart Scan Server to the new virtual machine.
System Memory Test: Select this option to perform memory diagnostic tests to rule out any memory issues.
Exit Installation: Select this option to exit the installation process and to boot from other media.

Figure G.1: Installation Menu

3. Select Install Smart Scan Server. The license acceptance page appears.
NOTE From this screen on, you can access the readme from a button in the lower left-hand corner of the installation screen.
4. Click Accept to continue. The Keyboard Selection page appears.


Figure G.2: License Agreement and Keyboard Selection

5. Select the keyboard language and click Next to continue. The Hardware Components Summary page appears. The installation program performs a scan to determine whether the system specifications have been met and displays the results. If the hardware contains components that do not meet the system requirements, the installation program highlights those components; installation can proceed as long as there is a hard drive and a network device. If there is no hard drive and no network device, installation cannot continue.

Figure G.3: Hardware Components Summary and Network Settings Configuration

6. Click Next to continue. The Network Settings page appears. If there are multiple network devices, configure settings for all devices. (Only one device can be active on boot.)
NOTE To change the active-on-boot device after installation, log on to the Command Line Interface (CLI).
7. Configure network settings. Specify the Active on Boot network devices, host name, and miscellaneous settings. If you specify the host name manually, the miscellaneous settings are also configurable. Click Next to continue. The Time Zone page appears.


Figure G.4: Time Zone and Authentication Configuration

8. Specify the time zone and click Next to continue. The Authentication page appears.
9. Specify passwords for the "root" and "admin" accounts. Smart Scan Server uses two administrator accounts with different privilege levels to secure the server.
Tip
For best security, create a highly unique password known only to you. Use both upper- and lower-case alphabetic characters, numerals, and special characters. The password must be a minimum of 6 characters and a maximum of 32 characters.
Root account: This account is used to gain access to the operating system shell and has all rights to the server. This account includes the most privileges.
Admin account: This account is the default account used to access the Smart Scan Server Web and CLI product consoles. This account includes all rights to the Smart Scan Server application, but does not include access rights to the operating system shell.
Trend Micro recommends using a strong, unique password. Because the admin account is deliberately kept out of the operating system shell, give root and admin different passwords so that a compromised console credential does not also yield the shell.
Type the "root" and "admin" passwords. Click Next to continue. The Installation Summary page appears.

Figure G.5: Installation Summary and Installation Progress Indicator

10. Confirm the summary information. Review the summary information on this page. If any of the information on this page requires a different configuration, click Back. Otherwise, click Next to continue and click Continue at the confirmation message. The Installation Progress page appears.


NOTE Continuing with the installation formats and partitions the necessary disk space and installs the operating system and application. If there is any data on the hard disk that cannot be erased, cancel the installation and back up the information before proceeding.

11. A message appears when the installation is complete. The installation log is saved in the /root/install.log file for reference.

Figure G.6: Installation Complete

12. Click Reboot to restart the virtual machine. The initial Command Line Interface (CLI) logon page appears and displays the Smart Scan Server URL and the Web product console URL.
NOTE Trend Micro recommends disconnecting the CD-ROM device from the virtual machine after Smart Scan Server is installed, so that a later reboot cannot accidentally start the installer, which reformats the disk.

Figure G.7: CLI Logon

13. Use "admin" to log on to the CLI or the Web product console to manage Smart Scan Server. Log on to the Web product console to perform post-installation tasks such as configuring proxy settings. Log on to the CLI shell if you need to perform additional configuration, troubleshooting, or housekeeping tasks.


POST-INSTALLATION
The following are recommended post-installation tasks:
After successfully installing Smart Scan Server, install VMware Tools. Refer to the VMware documentation for more information.
If your network uses a proxy server, configure proxy settings first. See Configuring Proxy Settings in G.2.2 Updating Components on page 451.

LOGGING ON TO THE STANDALONE SERVER
Once Smart Scan Server has restarted, log on using the CLI or the Web product console.
To log on to the CLI console, type the administrator user name (admin) and password. Use "admin" to log on to the CLI shell if you need to perform additional configuration, troubleshooting, or housekeeping tasks.
To log on to the Web product console, open a Web browser and type the URL indicated on the initial CLI banner. Log on to the Web product console to perform post-installation tasks such as configuring proxy settings.

Figure G.8: Logon Page

NOTE The Smart Scan Server URL is used for configuring the OfficeScan server Smart Scan Source settings as part of the Smart Scan Server solution.

G.2 > Managing Standalone Smart Scan Servers

This section discusses maintenance tasks you need to perform after installing the standalone Smart Scan server.

G.2.1 Using the Product Console

The product console consists of these elements:
Navigation menu: Provides links to the Summary, Update, and Support pages.
Work area: View summary information and component status, configure settings, update components, or collect diagnostic information.


Figure G.9: Product Console Navigation Menu

Summary: Provides the Smart Scan Server health, URL, and component status.
Update: Provides options for configuring scheduled updates, proxy server settings, and manual program updates.
Logs: Provides information about logged activities.
Support: Provides an option to collect and download diagnostic information for troubleshooting.
Table G.1: Contents of Smart Scan Server Main Menu

Using the Summary Page

The Summary page displays health, client connection, and component status for the server.

Figure G.10: Summary Page

The server address(es) in the Client Connection section list the URLs used for configuring the Smart Scan server list on the OfficeScan server management console. Clients use this list to determine which Smart Scan servers to connect to and send scan queries to.


Smart Scan servers support the HTTP and HTTPS protocols. HTTPS allows for a more secure connection, but it uses more CPU resources to establish each connection. The URLs for both protocols display on the Summary page. Prefer the HTTPS URL in the source list for clients whose queries cross network segments you do not control; over plain HTTP the scan queries are readable by anyone on the path.

G.2.2 Updating Components

The effectiveness of Smart Scan Server depends upon using the latest pattern files.

Configuring Manual Updates

Smart Scan Server can perform manual updates for the Smart Virus Pattern file.

Figure G.11: Configuring Manual Updates

To configure manual updates:
1. Click Updates > Pattern from the main menu. The Component page appears.
2. Click Update Now.

Configuring Scheduled Updates

Smart Scan Server can perform scheduled updates for the Smart Virus Pattern file.


Figure G.12: Configuring Scheduled Updates

To configure scheduled updates:
1. Click Update > Pattern. The Component page appears.
2. Select Enable scheduled updates.
3. Select either hourly or 15-minute updates.
4. Click Save.

Configuring an Update Source

Use this page to specify the update source. The default update source is the Trend Micro ActiveUpdate Server.

Figure G.13: Updates > Component Page

To configure an update source:
1. Click Updates > Component. The Component page appears.
2. Select Trend Micro ActiveUpdate Server, or select Other update source and type a URL.
3. Click Save.

Configuring Proxy Settings

If you use a proxy server in the network, configure proxy settings.

Figure G.14: Configuring Proxy Settings

To configure proxy settings:
1. Click Administration > Proxy Settings from the main menu. The Component page appears.
2. Select the Use a proxy server for updates checkbox.
2.1. Select HTTP or SOCKS4 for the Proxy protocol.
2.2. Type the Server name or IP address.
2.3. Type the Port number.
2.4. If your proxy server requires credentials, type the User ID and Password.
3. Click Save.

Updating the Program

Update to the latest version of the product program to take advantage of product enhancements.


Figure G.15: Updating the Program

To update the program:
1. Click Update > Program from the main menu. The Program page appears.
2. Click Browse... to locate the program file.
3. Locate the file and click Open.
4. Click Update.

Downloading Diagnostic Information

Use the Web product console to download diagnostic information for troubleshooting and support.

Figure G.16: Downloading Diagnostic Information

To download diagnostic information:
1. Log on to the Web product console.
2. Click Support from the main menu. The Support page appears.
3. Click Start. The download progress page appears.


4. Click Save when the prompt for the downloaded file appears.
5. Specify the location and file name.
6. Click Save.

Changing the Product Console Password


The product console password is the primary means of protecting Smart Scan Server from unauthorized changes. For a more secure environment, change the console password on a regular basis and use a password that is difficult to guess. The administrator passwords are changed through the Command Line Interface (CLI) with the configure password command.
Tip
To design a safe password, consider the following: include both letters and numbers, avoid words found in any dictionary (of any language), intentionally misspell words, use phrases or combine words, use both uppercase and lowercase letters, and use symbols.

To change the product console password using the CLI:
1. Log on to the CLI console with the admin account.
2. Type the following to enable administrative commands:
enable
3. Type the following command (the syntax is configure password <user>, so the user name is a separate argument):
configure password admin
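The password rules stated in this appendix (the installer Tip: 6 to 32 characters, upper- and lower-case letters, numerals and special characters; the Tip above: no dictionary words) can be checked before a candidate is typed into configure password. The following Python script is an added example written for this textbook, not Trend Micro code. Its DICTIONARY is a small constructed stand-in for a real word list, and the candidates in the demonstration are constructed as well.

```python
"""Added example (not Trend Micro code): check a candidate Smart Scan Server
console password against the policy stated in this appendix before setting it
with `configure password admin` (or the root password at install time)."""
import string

MIN_LEN, MAX_LEN = 6, 32          # limits stated in the installer Tip

# Constructed stand-in for a real word list (the text says "any dictionary,
# of any language"); load a proper list per language in practice.
DICTIONARY = {"password", "admin", "trend", "micro", "server", "summer", "welcome"}


def dictionary_hits(candidate: str) -> list:
    """Dictionary words found inside the candidate, case-insensitively."""
    lowered = candidate.lower()
    return sorted(word for word in DICTIONARY if word in lowered)


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.islower() for c in candidate):
        problems.append("needs a lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("needs an upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a numeral")
    if not any(c in string.punctuation for c in candidate):
        problems.append("needs a special character")
    hits = dictionary_hits(candidate)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed candidates: one that passes and two that the policy rejects.
    for pw in ("Tr3nd!Micr0", "admin123", "Welcome2011"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Run it with a real word list substituted for DICTIONARY; the substring match is deliberately strict, so a deliberately misspelled word (which the Tip recommends) passes while the plain dictionary spelling does not.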

G.3 > Command-line Reference for Standalone Smart Scan Servers


This section describes the Command Line Interface (CLI) commands that you can use on the standalone Smart Scan server to perform monitoring, debugging, troubleshooting, and configuration tasks. Log on to the CLI through the virtual machine console with the admin account; you need the administrator account name and password. CLI commands allow administrators to perform configuration tasks, to debug and troubleshoot, and to monitor critical resources and functions.
Each entry below gives the command, its syntax, and a description.

configure date
Syntax: configure date <date> <time>
Description: Configure the date and save it to CMOS.
date DATE_FIELD [DATE_FIELD]
time TIME_FIELD [TIME_FIELD]

configure dns
Syntax: configure dns <dns1> [dns2]
Description: Configure DNS settings.
dns1 IP_ADDR: Primary DNS server
dns2 IP_ADDR: Secondary DNS server []

configure hostname
Syntax: configure hostname <hostname>
Description: Configure the hostname.
hostname HOSTNAME: Hostname or FQDN

configure ip dhcp
Syntax: configure ip dhcp [vlan]
Description: Configure the default Ethernet interface to use DHCP.
vlan VLAN_ID: VLAN ID [1-4094], default none VLAN: [0]

configure ip static
Syntax: configure ip static <ip> <mask> <gateway> [vlan]
Description: Configure the default Ethernet interface to use the static IP configuration.

configure password
Syntax: configure password <user>
Description: Configure an account password.
user USER: The user name for which you want to change the password. The user can be admin, root, or any user in the Smart Scan Server's Administrator group.

configure service
Syntax: configure service interface <ifname>
Description: Configure the default server settings.

configure timezone
Syntax: configure timezone <region> <zone>
Description: Configure the timezone. Valid region and zone combinations are:
Africa: Cairo, Harare, Nairobi
America: Anchorage, Bogota, Buenos_Aires, Caracas, Chicago, Chihuahua, Denver, Godthab, Lima, Los_Angeles, Mexico_City, New_York, Noronha, Phoenix, Santiago, St_Johns, Tegucigalpa
Asia: Almaty, Baghdad, Baku, Bangkok, Calcutta, Colombo, Dhaka, Hong_Kong, Irkutsk, Jerusalem, Kabul, Karachi, Katmandu, Krasnoyarsk, Kuala_Lumpur, Kuwait, Magadan, Manila, Muscat, Rangoon, Seoul, Shanghai, Singapore, Taipei, Tehran, Tokyo, Yakutsk
Atlantic: Azores
Australia: Adelaide, Brisbane, Darwin, Hobart, Melbourne, Perth
Europe: Amsterdam, Athens, Belgrade, Berlin, Brussels, Bucharest, Dublin, Moscow, Paris
Pacific: Auckland, Fiji, Guam, Honolulu, Kwajalein, Midway
US: Alaska, Arizona, Central, East Indiana, Eastern, Hawaii, Mountain, Pacific

disable ssh
Syntax: disable ssh
Description: Disable the sshd daemon.

enable
Syntax: enable
Description: Enable administrative commands.

enable ssh
Syntax: enable ssh
Description: Enable the sshd daemon.

exit
Syntax: exit
Description: Exit the session.

help
Syntax: help
Description: Display an overview of the CLI syntax.

history
Syntax: history [limit]
Description: Display the current session's command line history.

reboot
Syntax: reboot [time]
Description: Reboot this machine after a specified delay or immediately.
time UNIT: Time in minutes to reboot this machine [0]

show date: Display the current date/time.
show hostname: Display the network hostname.
show interfaces: Display network interface information.
show ip address: Display the network address.
show ip dns: Display the network DNS servers.
show ip gateway: Display the network gateway.
show ip route: Display the network routing table.
show timezone: Display the network timezone.
show uptime: Display the current system uptime.
show url management: Display the Web product console URL.
show url scanservice: Display the Smart Scan Server URL.

shutdown
Syntax: shutdown [time]
Description: Shut down this machine after a specified delay or immediately.
time UNIT: Time in minutes to shut down this machine [0]

Table G.2: Command-Line Reference Table for Standalone Smart Scan Servers


Appendix H: IPv6 Support in OfficeScan


This appendix is required reading for users who plan to deploy OfficeScan in an environment that supports IPv6 addressing. This appendix contains information on the extent of IPv6 support in OfficeScan. Trend Micro assumes that the reader is familiar with IPv6 concepts and the tasks involved in setting up a network that supports IPv6 addressing.

H.1 > IPv6 Support for OfficeScan Server and Clients


IPv6 support for OfficeScan starts in this version. Earlier OfficeScan versions do not support IPv6 addressing. IPv6 support is automatically enabled after installing or upgrading the OfficeScan server and clients that satisfy the IPv6 requirements.

H.1.1 OfficeScan Server Requirements


The IPv6 requirements for the OfficeScan server are as follows:
The server must be installed on Windows Server 2008. It cannot be installed on Windows Server 2003, because this operating system only supports IPv6 addressing partially.
The server must use an IIS web server. The Apache web server does not support IPv6 addressing.
If the server will manage IPv4 and IPv6 clients, it must have both IPv4 and IPv6 addresses and must be identified by its host name. If a server is identified by its IPv4 address, IPv6 clients cannot connect to the server. The same issue occurs if pure IPv4 clients connect to a server identified by its IPv6 address.
If the server will manage only IPv6 clients, the minimum requirement is an IPv6 address. The server can be identified by its host name or IPv6 address. When the server is identified by its host name, it is preferable to use its Fully Qualified Domain Name (FQDN). This is because in a pure IPv6 environment, a WINS server cannot translate a host name to its corresponding IPv6 address.
NOTE The FQDN can only be specified when performing a local installation of the server. It is not supported on remote installations.

H.1.2 OfficeScan Client Requirements


The client must be installed on:
Windows 7
Windows Server 2008
Windows Vista


It cannot be installed on Windows Server 2003 and Windows XP, because these operating systems only support IPv6 addressing partially. It is preferable for a client to have both IPv4 and IPv6 addresses, as some of the entities to which it connects only support IPv4 addressing.

H.1.3 Pure IPv6 Server Limitations


The following are known limitations when the OfficeScan server only has an IPv6 address.
1. A pure IPv6 server cannot:
Deploy clients to pure IPv4 endpoints.
Manage pure IPv4 clients.
2. A pure IPv6 server cannot update from pure IPv4 update sources, such as:
Trend Micro ActiveUpdate Server
Control Manager 5.5
Control Manager 5.0
Any pure IPv4 custom update source
NOTE IPv6 support for Control Manager starts in version 5.5 SP1.
3. A pure IPv6 server cannot connect to the Trend Micro Online Registration Server to register the product, obtain the license, and activate/renew the license.
4. A pure IPv6 server cannot connect through a pure IPv4 proxy server.
5. A pure IPv6 server will have Plug-in Manager, but will not be able to deploy any of the plug-in solutions to:
Pure IPv4 OfficeScan clients or pure IPv4 hosts (because of the absence of a direct connection)
Pure IPv6 OfficeScan clients or pure IPv6 hosts (because none of the plug-in solutions support IPv6)
Most of these limitations can be overcome by setting up a dual-stack proxy server that can convert between IPv4 and IPv6 addresses (such as DeleGate). Position the proxy server between the OfficeScan server and the entities to which it connects or the entities that it serves.

H.1.4 Pure IPv6 Client Limitations


The following are known limitations when the client only has an IPv6 address.
1. Pure IPv6 clients cannot be managed by a pure IPv4 OfficeScan server. A pure IPv6 client also cannot update from pure IPv4 update sources, such as:
Trend Micro ActiveUpdate Server
A pure IPv4 OfficeScan server
A pure IPv4 Update Agent
Any pure IPv4 custom update source


2. A pure IPv6 client cannot send queries to smart protection sources, such as:
Smart Protection Server 2.0 (integrated or standalone)
Trend Micro Smart Protection Network (also for Smart Feedback)
NOTE IPv6 support for Smart Protection Server starts in version 2.5.
3. Pure IPv6 clients cannot connect to the Trend Micro-hosted Certified Safe Software Service.
4. Pure IPv6 clients cannot install plug-in solutions, because none of the plug-in solutions support IPv6.
5. Pure IPv6 clients cannot install the following programs, because they do not support IPv6:
Cisco Trust Agent
Check Point SecureClient Support
6. A pure IPv6 client cannot connect through a pure IPv4 proxy server.
Most of these limitations can be overcome by setting up a dual-stack proxy server that can convert between IPv4 and IPv6 addresses (such as DeleGate). Position the proxy server between the OfficeScan clients and the entities to which they connect.

H.2 > Configuring IPv6 Addresses


The web console allows you to configure an IPv6 address or an IPv6 address range. The following are some configuration guidelines.
1. OfficeScan accepts standard IPv6 address presentations. For example:
2001:0db7:85a3:0000:0000:8a2e:0370:7334
2001:db7:85a3:0:0:8a2e:370:7334
2001:db7:85a3::8a2e:370:7334
::ffff:192.0.2.128
2. OfficeScan also accepts link-local IPv6 addresses, such as:
fe80::210:5aff:feaa:20a2
NOTE Exercise caution when specifying a link-local IPv6 address because, even though OfficeScan can accept the address, it might not work as expected under certain circumstances. For example, clients cannot update from an update source if the source is on another network segment and is identified by its link-local IPv6 address.
3. When the IPv6 address is part of a URL, enclose the address in square brackets, for example https://[2001:db7:85a3::8a2e:370:7334]/. Without the brackets the colons in the address are parsed as a port separator.
4. For IPv6 address ranges, a prefix and prefix length are usually required. For configurations that require the server to query IP addresses, prefix length restrictions apply to prevent performance issues that may occur when the server queries a significant number of IP addresses. For example, for the Outside Server Management feature, the prefix length can only be between 112 (65,536 IP addresses) and 128 (a single IP address).


5. Some settings that involve IPv6 addresses or address ranges will be deployed to clients but clients will ignore them. For example, if you configured the smart protection source list and included a Smart Protection Server identified by its IPv6 address, pure IPv4 clients will ignore the server and connect to the other smart protection sources.
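The guidelines in H.1.1, H.1.4 and H.2 above can be checked mechanically before an address goes into the console. The following Python script is an added example written for this textbook; it is not part of OfficeScan or Trend Micro's documentation, and it uses only the standard ipaddress module. The host name scan01.example.test and the source list SAMPLE_SOURCES are constructed for the example, and the script assumes a host name resolves to an address of whatever family the client has (the reason the text gives for identifying a dual-stack server by host name).

```python
"""Added example for this textbook, not OfficeScan code. Applies the IPv6
guidelines of H.1.1, H.1.4 and H.2 using Python's standard ipaddress module."""
from __future__ import annotations
import ipaddress

# Prefix-length window the text gives for Outside Server Management ranges.
OSM_MIN_PREFIX, OSM_MAX_PREFIX = 112, 128

# Constructed smart protection source list for the demonstration
# (the host name is invented; the literals are the page's own examples).
SAMPLE_SOURCES = [
    "scan01.example.test",
    "192.0.2.10",
    "2001:db7:85a3::8a2e:370:7334",
    "fe80::210:5aff:feaa:20a2",
]


def _parse(identifier: str):
    """IPv4Address/IPv6Address for a literal, None for a host name."""
    try:
        return ipaddress.ip_address(identifier)
    except ValueError:
        return None


def normalize(text: str) -> str:
    """Canonical compressed form, so the spellings H.2 accepts compare equal."""
    return str(ipaddress.ip_address(text))


def address_family(identifier: str) -> str:
    """'ipv4', 'ipv6' or 'hostname'. An IPv4-mapped literal (::ffff:a.b.c.d)
    names an IPv4 host, so it is reported as 'ipv4' (this example's assumption)."""
    ip = _parse(identifier)
    if ip is None:
        return "hostname"
    if ip.version == 4 or ip.ipv4_mapped is not None:
        return "ipv4"
    return "ipv6"


def url_for(host: str, port: int, scheme: str = "https", path: str = "/") -> str:
    """Build a URL; an IPv6 literal goes in square brackets (H.2 item 3, RFC 3986)."""
    hostpart = f"[{host}]" if isinstance(_parse(host), ipaddress.IPv6Address) else host
    return f"{scheme}://{hostpart}:{port}{path}"


def check_osm_range(cidr: str) -> tuple:
    """Validate an Outside Server Management IPv6 range (H.2 item 4): the prefix
    length must be 112..128 so the server never queries more than 65,536 addresses.
    Returns (accepted, number_of_addresses)."""
    net = ipaddress.ip_network(cidr, strict=False)
    ok = net.version == 6 and OSM_MIN_PREFIX <= net.prefixlen <= OSM_MAX_PREFIX
    return ok, net.num_addresses


def client_can_use(source: str, client_stack: str) -> bool:
    """H.1.1/H.1.4/H.2 item 5: a client ignores a source whose literal address is
    of a family it lacks; a host name is assumed usable by any stack."""
    family = address_family(source)
    if family == "hostname" or client_stack == "dual":
        return True
    return family == client_stack


def usable_sources(sources: list, client_stack: str) -> list:
    """Sources, in configured order, that a client with this stack will try."""
    return [s for s in sources if client_can_use(s, client_stack)]


def link_local_warnings(sources: list) -> list:
    """Sources the H.2 NOTE warns about: link-local addresses fail across segments."""
    return [s for s in sources if (ip := _parse(s)) is not None and ip.is_link_local]


if __name__ == "__main__":
    for stack in ("ipv4", "ipv6", "dual"):
        print(f"{stack:5}: {usable_sources(SAMPLE_SOURCES, stack)}")
    print("link-local:", link_local_warnings(SAMPLE_SOURCES))
    print(url_for("2001:db7:85a3::8a2e:370:7334", 443))
    print(check_osm_range("2001:db7:85a3::/112"))
```

Running the script shows the practical consequence of H.2 item 5: the same source list yields two sources for a pure IPv4 client and three for a pure IPv6 client, and the link-local entry is flagged so it can be replaced with a routable address or a host name before clients on other segments silently skip it.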

H.3 > Screens That Display IP Addresses


This section enumerates places in the web console where IP addresses are shown.

H.3.1 Client Tree


Whenever the client tree displays, the IPv6 addresses of pure IPv6 clients display under the IP address column. For dual-stack clients, their IPv6 addresses display if they used their IPv6 address to register to the server.
NOTE The IP address that dual-stack clients use when registering to the server can be controlled from Global Client Settings > Preferred IP Address.

When you export client tree settings to a file, the IPv6 addresses also display in the exported file.

H.3.2 Client Status


Detailed client information is available when you navigate to Networked Computers > Client Management > Status. In this screen, you will see the IPv6 addresses of pure IPv6 clients and of dual-stack clients that used their IPv6 addresses to register to the server.

H.4 > Logs


The IPv6 addresses of dual-stack and pure IPv6 clients display in the following logs:
Virus/Malware logs
Spyware/Grayware logs
Firewall logs
Connection verification logs


H.5 > Control Manager Console


The following table lists which of the OfficeScan server and client IP addresses display on the Control Manager console.

Table A-3: OfficeScan Server and Client IP Addresses that Display on the Control Manager Console
Dual-stack server: Control Manager 5.5 SP1 displays IPv4 and IPv6; Control Manager 5.5 displays IPv4; Control Manager 5.0 displays IPv4.
Pure IPv4 server: Control Manager 5.5 SP1, 5.5, and 5.0 all display IPv4.
Pure IPv6 server: Control Manager 5.5 SP1 displays IPv6; Control Manager 5.5 and 5.0 do not support a pure IPv6 server.
Dual-stack client: Control Manager 5.5 SP1, 5.5, and 5.0 all display the IP address used when the client registered to the OfficeScan server.
Pure IPv4 client: Control Manager 5.5 SP1, 5.5, and 5.0 all display IPv4.
Pure IPv6 client: Control Manager 5.5 SP1, 5.5, and 5.0 all display IPv6.


Appendix I: Answers to Review Questions

Chapter 2
1. OfficeScan supports SSL with which of the following web servers? (Choose all that apply.)
a) Apache 2.0.54
b) IIS 4.0
c) Apache 1.3
d) IIS 6.0
e) Netscape Enterprise Server 6.1
f) IIS 5.0
2. What does Virus Outbreak Monitor do?
a) Monitors the viruses detected on a client
b) Monitors the viruses detected on the network
c) Monitors the number of new network sessions
d) Alerts you when a new virus is discovered
3. Which OfficeScan feature includes the Intrusion Detection System (IDS)?
a) DCS
b) The OfficeScan firewall
c) OfficeScan for Wireless
d) The Policy Server for Cisco NAC
4. Which of the following types of threats can a spyware/grayware scan detect?
a) Viruses
b) Back door programs
c) Trojan horses
d) Worms


Chapter 3
1. What is one of the main functions of the server component of OfficeScan?
a) Protect the network from malware
b) Protect the server from malware
c) Download updates and distribute them to clients
d) Scan for malware
2. What is one of the major reasons for increased performance in OfficeScan since version 7.0?
a) Simultaneous processing of CGI requests
b) The storing of client information in a database
c) OfficeScan now supports SQL
d) The OfficeScan Master Service processes CGIs faster
3. What does the High Security setting for clients do?
a) Enables the OfficeScan firewall
b) Locks the .exe and .dll files in the OfficeScan client directory
c) Increases the number of files that the client scans for malware
d) Changes the rights to the directories and registries on the client

Chapter 4
1. Which of the following areas is not scanned during the pre-scan?
a) The boot area and boot directory
b) The Windows folder
c) The program files folder
d) Memory
2. Which of the following does the server pre-scan not scan for?
a) Boot viruses
b) Adware
c) Worms
d) Trojan horses


3. Which of the following components cannot be installed using the setup wizard?
a) Trend Micro Policy Server for Cisco NAC
b) Outlook mail scanning
c) OfficeScan client software
d) The CTA
4. How does the setup wizard assign the port that will be used for OfficeScan client-server communication?
a) It scans ports and selects one that is not being used.
b) It does not assign one; you must input one manually.
c) It reads the port assignment from Control Manager configurations.
d) It randomly assigns a high-numbered port.

Chapter 5
1. In which of the following ways can Manual Outbreak Prevention protect your network?
a) It can block access to shared folders.
b) It can block ports from being used.
c) It can deny all access to files and folders.
d) All of the above
2. What is IntelliScan?
a) A method of identifying files to scan by looking at their headers
b) A method of identifying files to scan based on the file content
c) A method of scanning files based on their extensions
d) All of the above
3. What is ActiveAction?
a) A specialized cleaning action
b) An action that protects the desktop in the most efficient way
c) A set of preconfigured scan actions for viruses and other types of malware
d) None of the above
4. Which tab can you not prevent from appearing in the client console?
a) Firewall tab
b) Toolbox tab
c) Mail Scan tab
d) Scan tab


Chapter 6
1. Which deployment method allows you to install the Mail Scan and Check Point SecureClient Support with the client software?
   a) Notify install option
   b) Vulnerability Scanner tool
   c) Login script setup utility
   d) Client Packager tool

2. Which deployment method requires using third-party tools?
   a) Image setup utility
   b) Remote install option
   c) Login script setup utility
   d) Vulnerability Scanner tool

3. Which two deployment methods are accessible from the OfficeScan management console?
   a) Image setup utility and notify install option
   b) Notify install option and remote install option
   c) Vulnerability Scanner tool and Client Packager tool
   d) Login script setup utility and image setup utility

4. Which deployment methods enforce automatic installation of client software?
   a) Login script setup utility and Vulnerability Scanner tool
   b) Client Packager tool and login script setup utility
   c) Remote install option and image setup utility
   d) Notify install option and Client Packager tool

Chapter 7
1. For which of the following was the update architecture designed?
   a) To maximize throughput
   b) To optimize use of bandwidth
   c) To use minimum mass storage
   d) To put ease of installation before throughput considerations


2. In which of the following ways can you create an update agent?
   a) Edit the server's ofcscan.ini file
   b) Use the OfficeScan management console to designate an update agent
   c) Use the setup wizard to install an update agent
   d) Configure an update agent on the client machine

3. When can the server be configured to automatically deploy updates to clients?
   a) After a scan
   b) After a cleanup
   c) When Manual Outbreak Prevention is stopped
   d) When it downloads a new component

Chapter 8
1. What does the client mail scan utility scan?
   a) Netscape Messenger folders
   b) Eudora Pro folders
   c) Outlook Express folders
   d) Email in real time

2. If you run a DCS cleanup, which of the following does it not clean?
   a) Unwanted registry entries created by worms or Trojans
   b) Memory-resident worms or Trojans
   c) Garbage and viral file drops by worms or Trojans
   d) Viruses discovered in the Program Files directory

Chapter 9
1. Which two modules combine to create the OfficeScan firewall?
   a) Policy and procedure modules
   b) Personal firewall and common firewall modules
   c) Security and exception modules
   d) Incoming and outgoing traffic modules

2. Which of the following cannot be configured?
   a) Alert message
   b) Firewall policies
   c) Network virus scan
   d) Firewall profiles


3. Which of the following correctly associates the data flow type with its correct sequence of checks?
   a) Incoming: firewall policies, IDS, Network Virus Scanning
   b) Incoming: IDS, firewall policies, Network Virus Scanning
   c) Outgoing: firewall policies, IDS, Network Virus Scanning
   d) Outgoing: Network Virus Scanning, IDS, firewall policies

4. Which of the following is not a criterion on which a profile is based?
   a) Security level
   b) IP address
   c) Platform
   d) User ID

5. Which of the following is not a way to configure changes in the OfficeScan firewall?
   a) From the OfficeScan Management Console
   b) From the Outbreak Prevention Policy module in TMCM
   c) From the Client Console
   d) From the Rule Set Generator

6. Which of the following security levels is correctly associated with incoming and outgoing traffic?
   a) Low security: incoming blocked, outgoing blocked
   b) Medium security: incoming allowed, outgoing blocked
   c) Medium security: incoming blocked, outgoing allowed
   d) High security: incoming allowed, outgoing allowed

Chapter 10
1. Which of the following can the Vulnerability Scanner do?
   a) Determine if an antivirus solution is installed on a computer
   b) Determine whether Windows service packs are up to date
   c) Determine whether users are browsing high-risk Internet sites
   d) Determine whether spyware is on your network

2. What does Trend Micro recommend doing before using the Restore Encrypted Virus tool?
   a) Isolating the computer where the infected file resides
   b) Unplugging the computer from the network
   c) Backing up important files on the computer where the infected file resides
   d) All of the above


3. Which of the following does the ServerProtect Normal Server Migration Tool do?
   a) Uninstall ServerProtect Information Server and install the OfficeScan client software
   b) Migrate ServerProtect Normal Server settings to OfficeScan client settings
   c) Uninstall ServerProtect Normal Server and install the OfficeScan client software
   d) Uninstall the Control Manager agent for ServerProtect

Chapter 11
1. What is the maximum number of virus logs the server can store?
   a) 1,000
   b) 5,000
   c) 10,000
   d) 50,000

2. What is the default number of logs held in the memory queue if you enable the consolidation of redundant virus logs under Virus Bandwidth Settings?
   a) 5
   b) 10
   c) 15
   d) 2
