Student Textbook
Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.

Portions of this manual have been reprinted from the Trend Micro OfficeScan 10.5 Installation and Upgrade Guide, copyright 1998-2010, Trend Micro, Inc.; the Trend Micro OfficeScan 10.5 Administrator's Guide, copyright 1998-2010, Trend Micro, Inc.; and the Trend Micro Smart Scan for OfficeScan Getting Started Guide, copyright 2009-2010, Trend Micro, Inc.

Copyright 1998-2011 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

Trend Micro, the Trend Micro t-ball logo, TrendLabs, and OfficeScan are trademarks or registered trademarks of Trend Micro, Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.

Program Manager: Tom Brandon
Editorial: Alexander Sverdovskva
Released: August 2010, v3.61
Administrator Track
Table of Contents
Chapter 1: Trend Micro OfficeScan Course Overview
  1.1 > Course Objectives
  1.2 > Target Audience and Prerequisites
  1.3 > How to Use This Material

Chapter 2: OfficeScan Endpoint Security for Clients and Servers
  2.1 > What Does Network Security Require?
    2.1.1 What Is Your Role in a Comprehensive Security Strategy?
    2.1.2 Targeted Access Points and Typical Vulnerabilities
  2.2 > Stopping Costly and Rapidly Evolving Malware Threats
    2.2.1 The Cost of Malware Attacks Is Rising
    2.2.2 Attacks Are So Common, Some Have Stopped Counting
    2.2.3 Exploitable Vulnerabilities Continue to Be Discovered
    2.2.4 Creativity Expands the Variety of Exploits
    2.2.5 Widespread Use of HTTP Opens the Door to Web Threats
    2.2.6 Mobile Computing Introduces New Challenges
    2.2.7 Lack of Policy Enforcement Leads to Vulnerability
    2.2.8 Protection from Zero-day Exploits Requires Rapid Response
  2.3 > OfficeScan Features & Benefits
  2.4 > OfficeScan Centralized Management
    2.4.1 Web-Based Management Console
    2.4.2 Vulnerability Scanner
    2.4.3 Configurable and Scalable Update Management
    2.4.4 Configurable Event and Outbreak Notifications
    2.4.5 Server Quarantine Folder
    2.4.6 Comprehensive Logging
    2.4.7 Database Backup Integration
    2.4.8 Local and Remote Server Installation
    2.4.9 Trend Micro Control Manager Integration
    2.4.10 Integration with Cisco NAC
  2.5 > Advanced OfficeScan Client Functionality
    2.5.1 Comprehensive Detection, Prevention, Removal and Quarantine
    2.5.2 Support for Multiple Platforms and Use Models
    2.5.3 Multiple Client Deployment Options
    2.5.4 OfficeScan Client Firewall
  2.6 > Trend Micro Advanced Security Technologies
    2.6.1 Trend Micro IntelliScan
    2.6.2 SSL Support
    2.6.3 MD5 Message Authentication
    2.6.4 Damage Cleanup Services
    2.6.5 IntelliTrap
    2.6.6 Scan-action Enhancement
  2.7 > New in OfficeScan 10
    2.7.1 Smart Scan
    2.7.2 Active Directory Integration
    2.7.3 Role-based Administration
    2.7.4 Device Control
    2.7.5 Expanded Platform Support
    2.7.6 Additional Product Enhancements
  2.8 > New in Service Pack 1 for OfficeScan 10
    2.8.1 Smart Feedback
    2.8.2 Behavior Monitoring
    2.8.3 Enhancements to Existing Capabilities
  2.9 > New in OfficeScan 10.6
  2.10 > Chapter Summary and Review Questions

Chapter 3: OfficeScan Application Architecture
  3.1 > Architectural Components and Design Features
  3.2 > OfficeScan Server Architecture
    3.2.1 Web Server
    3.2.2 Console and Client CGIs
    3.2.3 OfficeScan Master Service
    3.2.4 Database Server Service
    3.2.5 Database
    3.2.6 Control Manager Agent
    3.2.7 ActiveUpdate Server
  3.3 > Smart Scan Server Architecture
  3.4 > Client-software Architecture
    3.4.1 OfficeScan Client Console
    3.4.2 Threat Detection and Response Components
    3.4.3 Client Application Services and Program Data
    3.4.4 Protection for Client Installation Files and Running Services
    3.4.5 The Trend Micro Antivirus Scan Engine
    3.4.6 The Virus Pattern File
    3.4.7 Anti-Spyware Engine
    3.4.8 OfficeScan Proxy Service and Web Reputation Services
    3.4.9 The Damage Cleanup Services
    3.4.10 The Common Firewall Driver
    3.4.11 The Network Virus Pattern File
    3.4.12 Client-Server Communication
    3.4.13 Normal and Roaming Client Operation Modes
    3.4.14 Update Agents
    3.4.15 Cache Files for Scans
  3.5 > Chapter Summary and Review Questions

Chapter 4: OfficeScan Server Installation
  4.1 > Deployment Planning
    4.1.1 Identify Potential Impact on Network Traffic
    4.1.2 Consider Smart Scan Server Options
    4.1.3 Determine the Number of Clients and Plan Update Agents
    4.1.4 Verify Target Server(s) Meet Minimum System Requirements
    4.1.5 Evaluate Your Actual System Requirements
    4.1.6 Determine Whether You Need to Install a Dedicated Server
    4.1.7 Select a Network Location for Your OfficeScan Server(s)
    4.1.8 Verify that Clients Meet the Minimum System Requirements
    4.1.9 Plan the Placement of Client Program Files
    4.1.10 Determine the Number of Domains
    4.1.11 Decide How to Deploy the Clients
    4.1.12 Configure VPN Clients
  4.2 > Installing the OfficeScan Server Software
    4.2.1 Installation Procedures
  4.3 > Performing a Silent Installation
    4.3.1 Creating the Response File
    4.3.2 Running Silent Installation
  4.4 > Verifying the Installation
  4.5 > Chapter Summary and Review Questions

Chapter 5: OfficeScan Management Console
  5.1 > Using the OfficeScan Management Console
    5.1.1 Launching the Management Console
    5.1.2 Navigating the Management Console
    5.1.3 Understanding the Client Tree
  5.2 > The Summary Page
    5.2.1 Product License Status (Activated Services Summary)
    5.2.2 Networked Computers Summary
    5.2.3 Outbreak Status Summary
    5.2.4 Update Status for Networked Computers Summary
  5.3 > Security Compliance
    5.3.1 Compliance Reports
    5.3.2 Scheduling Compliance Reports
    5.3.3 Security Compliance Reporting for Clients Outside of OfficeScan-Server Management
  5.4 > Smart Protection Server Settings
    5.4.1 Configuring Smart Protection Lookup Sources
    5.4.2 Configuring the Integrated Smart Protection Server
    5.4.3 Configuring Smart Feedback Options
  5.5 > Client Management
    5.5.1 Client Grouping
    5.5.2 The Client Management Toolbar
    5.5.3 Client Status Information
    5.5.4 Client Search Functions
    5.5.5 Client Management Tasks
    5.5.6 Client Management Settings
    5.5.7 Update Agent Settings
    5.5.8 Client Privileges and Other Settings
    5.5.9 Enable/Disable Unauthorized Change Prevention and/or Firewall Services
    5.5.10 Web Reputation Services Settings
    5.5.11 Behavior Monitoring
    5.5.12 Device Control
    5.5.13 Spyware/Grayware Approved List
    5.5.14 Export/Import Settings
    5.5.15 Client Management: Logs
    5.5.16 Client Management: Managing the Client Tree
    5.5.17 Client Management: Export Data
  5.6 > Global Client Settings
  5.7 > Computer Location
  5.8 > Firewall Policies and Profiles Configuration
  5.9 > OfficeScan Client Installation Options
  5.10 > Client Connection Verification
  5.11 > Outbreak Prevention
    5.11.1 Blocking Shared Folders
    5.11.2 Blocking Ports
    5.11.3 Denying Write Access to Files and Folders
    5.11.4 Activating the Outbreak Prevention Policy
    5.11.5 Restoring Network Settings to Normal
  5.12 > Notifications and Event Monitoring
    5.12.1 Administrator Notifications
    5.12.2 Client User Notifications
  5.13 > Administration Settings
    5.13.1 Creating Users and Assigning Roles
    5.13.2 Active Directory Settings
    5.13.3 Proxy Settings
    5.13.4 Connection Settings
    5.13.5 Inactive Clients
    5.13.6 Quarantine Manager
    5.13.7 Product License
    5.13.8 Control Manager Settings
    5.13.9 Web Console Settings
    5.13.10 Database Backup
  5.14 > Plug-in Manager
    5.14.1 Plug-in Program Installation
    5.14.2 Plug-in Program Management
    5.14.3 Troubleshooting the Download of a Plugin
  5.15 > Chapter Summary and Review Questions

Chapter 6: Client Software Deployment
  6.1 > Minimum Requirements for Client Software
  6.2 > Deployment Options for OfficeScan Client Software
    6.2.1 Deploy Client Software Via Browser-based Installation
    6.2.2 Deploy Client Software Using Remote Install
    6.2.3 Deploy Client Software Using Login Script Setup
    6.2.4 Deploy Client Software Using the Client Packager Tool
    6.2.5 Deploy Using the Image Setup Tool
    6.2.6 Deploy Using the Vulnerability Scanner Tool
    6.2.7 Deploy Through the Security Compliance
    6.2.8 Windows Server Core 2008 Support
  6.3 > Verifying the OfficeScan Client Installation
    6.3.1 Check Files, Services, Processes, and Registry Keys
    6.3.2 Check the Installation Log
    6.3.3 Verify the Client Status Icon Appears in the System Tray
    6.3.4 Verify the Client Installation Using Vulnerability Scanner
  6.4 > Post-Installation Considerations for Servers and x64 Desktop Platforms
  6.5 > Chapter Summary and Review Questions

Chapter 7: Updates
  7.1 > OfficeScan Update Architecture
    7.1.1 Updatable Components
    7.1.2 Component Duplication for OfficeScan Updates
  7.2 > Smart Scan Update Infrastructure
  7.3 > Conventional OfficeScan Update Infrastructure
    7.3.1 Update Priority
  7.4 > Viewing Update Information
  7.5 > Configuring Server Updates
    7.5.1 Configuring Scheduled Updates
    7.5.2 Updating the Server Manually
    7.5.3 Specifying Custom Server-Update Sources
  7.6 > Deploying Updates to Clients
    7.6.1 Creating an Update Agent
    7.6.2 Configuring Automated Client Updates
    7.6.3 Manually Deploying Updates
    7.6.4 Configuring the Update Source
    7.6.5 Update Source Priority
  7.7 > Rolling Back an Update
  7.8 > Chapter Summary and Review Questions

Chapter 8: OfficeScan Client User Interface
  8.1 > Unlocking the Capabilities of the Client Console
    8.1.1 Loading/Unloading the OfficeScan Client
    8.1.2 Launching the Client Console
  8.2 > Client-Configurable Scan Settings
  8.3 > Manual Scan Settings
    8.3.1 Configuring Manual Virus Scan Settings
    8.3.2 Manual Spyware/Grayware Scanning Options
  8.4 > Real-Time Scan Settings
    8.4.1 Specifying When in Real-time to Scan Files
    8.4.2 Specifying Files to Scan for Real-time Scanning
    8.4.3 Specifying Actions to Take Against Threats
    8.4.4 Real-time Virus-Scan Target Settings
    8.4.5 Real-time Spyware/Grayware Scan Action Options
  8.5 > Scheduled Scan Settings
  8.6 > Drag-and-Drop Scanning
  8.7 > The Client Console Tabs
    8.7.1 The Manual Scan Tab
    8.7.2 The Manual Scan Results Tab
    8.7.3 The Firewall Tab
    8.7.4 The Mail Scan Tab
    8.7.5 The Behavior Monitoring Tab
    8.7.6 The Logs Tab
    8.7.7 The Toolbox Tab
    8.7.8 Client Plug-in Manager
  8.8 > Performing Updates on the Client
  8.9 > OfficeScan Client Real-Time Monitor
  8.10 > Proxy Settings
  8.11 > Chapter Summary and Review Questions

Chapter 9: OfficeScan Firewall
  9.1 > Client Firewall Overview
  9.2 > Firewall Architecture
    9.2.1 Personal Firewall Module
    9.2.2 Common Firewall Module
    9.2.3 Dataflow
  9.3 > Configuring the OfficeScan Firewall
    9.3.1 Configuring Firewall Policies
    9.3.2 Firewall Profiles
    9.3.3 Firewall Outbreak Monitor
  9.4 > Firewall Logs
  9.5 > Chapter Summary and Review Questions

Chapter 10: OfficeScan Tools
  10.1 > Overview of OfficeScan Tools
  10.2 > Vulnerability Scanner
    10.2.1 Launching the Vulnerability Scanner
    10.2.2 Configuring the Settings for Vulnerability Scanner
    10.2.3 Starting a Scan
    10.2.4 Running a DHCP Scan
    10.2.5 Scheduling Scans
    10.2.6 Modifying the TMVS.ini File
    10.2.7 Running the Vulnerability Scanner in Silent Mode
  10.3 > Server Tuner Tool
  10.4 > Gateway Settings Importer Tool
  10.5 > Restore Encrypted Virus Tool
  10.6 > Client Mover I
  10.7 > Touch Tool
  10.8 > ServerProtect Normal Server Migration Tool
    10.8.1 Target Computer Search
    10.8.2 Logon Information
    10.8.3 ServerProtect Normal Server List
  10.9 > Scheduled Update Configuration Tool
  10.10 > Chapter Summary and Review Questions

Chapter 11: Logs
  11.1 > Overview of OfficeScan Logs
    11.1.1 Uploading Virus Logs from the Client to the Server
    11.1.2 Virus Logs
    11.1.3 Update Logs
    11.1.4 System Event Logs
    11.1.5 Connection Verification Logs
Administrator Track
Table of Contents
11.1.6 OfficeScan Firewall Logs....................................................................................... 335 11.1.7 Behavior Monitoring Logs ..................................................................................... 336 11.1.8 Device Control Logs ............................................................................................... 337 11.1.9 Saving Logs as Files ............................................................................................... 338 11.2 > Log Maintenance ........................................................................................................ 338 11.3 > Chapter Summary and Review Questions............................................................. 340
Chapter 12: Troubleshooting .............................................................................. 341 12.1 > Troubleshooting Common Problems ...................................................................... 342 12.1.1 Server Installation Error........................................................................................ 342 12.1.2 Recover a Corrupt Database ............................................................................... 342 12.1.3 Client Errors ............................................................................................................ 342 12.1.4 Upgrade Issues ....................................................................................................... 343 12.1.5 Console Issues ....................................................................................................... 344 12.2 > Case Diagnostic Tool (CDT) .................................................................................... 346 12.2.1 Using the CDT ......................................................................................................... 347 12.3 > Manually Enabling Debug Mode.............................................................................. 350 12.3.1 Enabling Debug Mode on OfficeScan Servers................................................ 350 12.3.2 Enabling Debug Mode on OfficeScan Clients .................................................. 351 12.3.3 Enabling Debug Mode for the Vulnerability Scanner ................................... 352 12.3.4 Enabling Debug Mode for DCS ........................................................................... 352 12.3.5 Special Log ............................................................................................................. 353 12.3.6 Installation Debug ................................................................................................. 
353 12.3.7 Policy Server Debug ............................................................................................. 353 12.3.8 CTA Debug .............................................................................................................. 353 12.3.9 Posture Plug-In Debug .........................................................................................354 12.3.10 Additional Files to Collect for Technical Support ........................................354 12.3.11 Control Manager Agent Debug ..........................................................................354 12.4 > Viewing Dr. Watson Logs ......................................................................................... 355 12.5 > Problems with Updates ............................................................................................ 355 12.6 > Problems with CPU Utilization ............................................................................... 356 12.7 > Escalating Problems to Trend Micro Support ..................................................... 357 12.8 > Trend Micro Support Contacts ............................................................................... 358 Appendix A: Notification Tokens ...................................................................... 359 Appendix B: Managing Data Protection and Using Digital Asset Control .. 360 B.1 > Data Protection Installation ...................................................................................... 360 B.2 > Data Protection License ............................................................................................ 361 B.3 > Deploying Data Protection to Clients .................................................................... 363 B.4 > Digital Asset Templates............................................................................................ 376 B.5 > Digital Asset Control Channels ............................................................................... 
379 B.6 > Digital Asset Control Actions .................................................................................. 383 B.7 > Digital Asset Control Exceptions ............................................................................ 385 B.8 > Creating Digital Asset Control Policies ................................................................. 386 B.9 > Digital Asset Control Widgets.................................................................................. 392 B.10 > Digital Asset Control Logs ...................................................................................... 394 B.11 > Uninstalling Data Protection ................................................................................... 395 B.12 > Device Control Permissions .................................................................................... 396
Student Textbook
B.13 > Device Control Notifications................................................................................... 398 B.14 > Device Control Logs ................................................................................................. 399
Appendix C: Virtual Desktop Infrastructure (VDI) Support Plug-in ............. 401 C.1 > What Is Virtual Desktop Infrastructure? ................................................................. 401 C.2 > Trend Micro OfficeScan VDI Support ..................................................................... 402 C.3 > Using the Virtual Desktop Support Plug-in ........................................................... 404 Appendix D: Cisco Network Admission Control (NAC) .................................. 407 D.1 > Cisco NAC Overview ................................................................................................... 407 D.2 > Definition of Terms .................................................................................................... 409 D.3 > Dataflow ........................................................................................................................ 410 D.4 > Configuration ............................................................................................................... 415 D.5 > Files and Services ...................................................................................................... 423 Appendix E: Configuring the Cisco ACS and NAD .......................................... 425 E.1 > The Cisco ACS .............................................................................................................. 425 E.2 > NAD Configuration ..................................................................................................... 430 Appendix F: Trend Micro Smart Protection Network (SPN) ......................... 435 F.1 > What is Trend Micro SPN? ......................................................................................... 435 F.2 > A Multilayered Framework for Enterprise-Wide Protection............................... 441 Appendix G: Standalone Smart Scan Server Deployment & Management . 
443 G.1 > Standalone Smart Scan Server Deployment ......................................................... 443 G.2 > Managing Standalone Smart Scan Servers .......................................................... 449 G.3 > Command-line Reference for Standalone Smart Scan Servers ....................... 455 Appendix H: IPv6 Support in OfficeScan ........................................................ 458 H.1 > IPv6 Support for OfficeScan Server and Clients .................................................. 458 H.2 > Configuring IPv6 Addresses .................................................................................... 460 H.3 > Screens That Display IP Addresses ........................................................................ 461 H.4 > Logs................................................................................................................................ 461 H.5 > Control Manager Console ......................................................................................... 462 Appendix I: Answers to Review Questions...................................................... 463
Knowledge
  Describe the purpose, features, functions, benefits, and requirements of Trend Micro OfficeScan
  Describe the program architecture, database structure, and communications processes
  ed use in OfficeScan
  Understand various methods of deploying client installations
  Describe the OfficeScan components that support Cisco NAC
  Identify the purpose of each OfficeScan debugging tool
  Know which wireless systems are supported and how to deploy and manage them
Skills
  Perform pre-installation tasks for OfficeScan
  Install OfficeScan on clients and servers and verify installation
  Configure OfficeScan for a particular environment
  Update OfficeScan components such as the virus pattern file, scan engine, spyware/grayware scan and clean patterns, and other files
  Administer OfficeScan from a web-based management console
  Troubleshoot common problems in OfficeScan
Before you take this course, Trend Micro recommends that you have the following knowledgebase:
  General knowledge of TCP/IP
  Working knowledge of Microsoft Windows desktop and Server 2003/2008 operating systems
  Ability to describe physical components commonly used for network communication
  Ability to differentiate between the various types of network architectures
  Familiarity with Secure Sockets Layer (SSL) communication
The student manual is divided into chapters. In addition to defining important concepts and terms, each chapter outlines the various administration tasks you need to perform. Each chapter starts with a list of objectives so that you can see how the chapter fits into your overall course goal. After reading the chapter, you should be able to fulfill the chapter objectives.
Chapter Objectives
Each chapter ends with a summary that outlines the important information explained in the chapter and includes review questions that test your understanding of the chapter material. After reading a chapter, you should be able to answer the questions easily. If you cannot answer a question, you should review the chapter.
Answers to review questions appear in Appendix I: Answers to Review Questions on page 463.
Chapter 2: OfficeScan Endpoint Security for Clients and Servers
Chapter Objectives
After completing this chapter, you should be able to:
  Explain the purpose of OfficeScan
  Describe the features and benefits of OfficeScan
Characteristics
  Physical and logical circuit connections; wired or wireless; local or wide area
  Configuration and monitoring interfaces/utilities; SNMP/RMON, Telnet, HTTP, and proprietary protocols; physical interface to client and server machines; susceptible to human engineering
  Operating System: execution environment; resource allocation; access control for file systems; access control for shared resources
  File sharing; email and groupware; browsers; chat/IM clients; remote consoles; auto-updates; content subscription; floppy, CD-ROM, and DVD disk drives; portable storage (disk drives and memory sticks); standalone applications
Security Solution
  Layer-2 encryption; VPN; disabling unused ports/jacks; facilities security; circuit-level gateways; TCP/IP filtering
  Separate management subnet; password policy; encryption (ex: SSH and HTTPS)
  Password policy; screen-saver logins; biometrics; facilities security; security policy and user training
  Password policy; user authentication framework (domain management); update/patch management; malware scanning, monitoring, vulnerability assessment and policy enforcement
  Proxy servers; firewalls; intrusion detection; mail gateway scanning; server-side protection; network monitoring; security policy; encryption
  Boot-sector scanning; file scanning and execution monitoring
  Security policy; desktop policy enforcement; file scanning and execution monitoring
The table above shows that to provide comprehensive network security, you must consider a wide range of potential vulnerabilities across multiple systems (including routers, servers, specialty devices, and end-user PCs). You must also define acceptable practices and enforce restrictions on end-users themselves through a written security policy.
Method
  Manual execution; local or remote; accidental (by user); intentional (by hacker)
Impact Goal
  Disruption; damage; theft; monitoring; partial control; total control
After intrusion, not all threats pass through all stages. A hacker, for example, after a successful intrusion, may or may not transmit harmful or disruptive files to the network, and may or may not take any files from the network. He or she may reconfigure a device in such a way that is disruptive or harmful, or may do nothing further at all. With viral infections, intrusion, transmission, and action do not describe all of the typical malware writer's goals. Viruses also seek to copy themselves to other files and eventually other systems, thereby expanding the scope of impact. Likewise, the methods used may also assume multiple characteristics. The components of many web threats, for example, are often loaded accidentally by the user, but are later activated either programmatically or by direct contact from a malware writer/hacker. Subsequent activities may include further intrusions, as well as the transmission and/or downloading of additional components that may exhibit any number of additional behaviors that are viral, worm-like, trojan-like, and so on.
Another administrator's concern about front-door attacks (protecting front-end web servers and other applications) may mean that he or she neglects the upkeep of anti-spam and anti-spyware solutions, leaving the network vulnerable to web threats and other client vulnerabilities that often install back door trojans and keyloggers that enable data theft, give hackers remote control of clients, and consume system resources.
Virtually anything that a computer hacker can do using step-by-step procedures can also be programmed for automated (and repetitive) playback from virtually anywhere on the local network or the Internet. Collectively, such software is called malware. The threat that malware poses is serious, and damage caused by malware can be costly.
Unfortunately, the computer industry discovers thousands of new vulnerabilities every year. Malware attacks are growing not only in cost and frequency, but each new generation of exploits is more ambitious and more difficult to detect and remove than the one before. Much of today's malware is no longer written by technical enthusiasts for mere bragging rights, but by trained professionals whose goal is total control of the target.
Figure: Considerably more viruses, worms and other malware than ever. Data compiled by Andreas Marx, AV-Test (listed in articles in the AV-Test news archive, 11 January 2008). Retrieved from: www.av-test.org/index.php?menue=2&sub=Newsarchiv&lang=0
2.2.2 Attacks Are So Common, Some Have Stopped Counting
The number of reported malware attacks increases every year. In 2000, the CERT Coordination Center recorded 21,756 reported malware attacks. Reported attacks increased on average more than 37,000 per year, through 2003 when annual incidents reached 137,529. CERT notes that each reported incident may involve one site or hundreds (or even thousands) of sites and may be ongoing for long periods of time. After 2004, CERT stated that attacks against Internet-connected systems have become so commonplace that a new metric would need to be developed to give meaning to their ongoing analysis. Subsequent data does, however, indicate that the trend has been continuous to the present.
Figure 2.2: CERT/CC-recorded annual growth from 2004 to 2006 averaged over 45%. (2008 includes estimated Q4 reporting.)
Malware
  Virus
  Trojan Horse
  Worm
Grayware
  Hacking Tool
  Commercial Tool
  Application Cracker
  Information Stealer
  DOS/DDOS
  Phone Dialer
  Password Stealer
  Key Logger
  Adware
  Spyware
  Cookies
  Database backup
  Local and remote server installation options
  Trend Micro Control Manager integration
  Integration with Cisco NAC
  Advanced client functionality
  Comprehensive detection, prevention, removal and quarantine
  Support for multiple platforms and use models
  64-bit client support
  Roaming mode for mobile clients
  Check Point SecureClient support for VPNs
  Multiple client deployment options
  OfficeScan client firewall
  Advanced security technologies
  SSL support
  MD5 message authentication
  Damage Cleanup Services
to one or many workstations from one or many domains; you do not need to apply the same antivirus policy to every client within a domain. To help you manage clients, the client tree provides access to details about the status of OfficeScan clients. You can see the current version of each OfficeScan component and determine whether OfficeScan firewall, intrusion detection system (IDS), or update agent functionality is enabled. For infections, you can view the name of the virus and the date and time the infection was detected. In addition, OfficeScan includes two features to help you locate clients on your network: Simple Search and Advanced Search. You can use Simple Search to search for clients that have a specific IP address. You can use the Advanced Search feature to locate clients that meet certain criteria and to display their log information. You can search for clients based on an IP address or range of addresses, the operating system they use, or the status of their virus pattern file, scan engine, virus cleanup template, or Damage Cleanup Services. You can also locate clients that are not using the OfficeScan firewall or are not currently supporting Outbreak Prevention.
Domain Grouping
OfficeScan now gives you the ability to select whether you want OfficeScan to use computer names from NetBIOS domains, Domain Name System (DNS) domains, or Microsoft Active Directory domains. You can still configure OfficeScan domains separately; this feature affects only the names of the computers as they appear in the client tree.
Smart Scan servers. Smart Scan is designed to reduce the impact of the ever-increasing volume of pattern-file updates that consume network bandwidth and endpoint resources. Automated update capability for both conventional and Smart Scan clients helps keep antivirus software up to date without end-user intervention. For conventional-scan clients, OfficeScan supports on-demand (manual) updates and automated (scheduled) updates. OfficeScan update flexibility also extends to conventional-scan mobile users, who have the option to download updates directly from the Trend Micro website. Mobile Smart Scan clients can rely on publicly available Trend Micro-hosted Smart Scan servers when they are outside the firewall. For conventional-scan clients, you can even configure updates for individual components separately.
Incremental Updates
Incremental updates are available for conventional-scan clients. This can significantly decrease the size of downloads. Incremental updates are available for virus pattern files and Damage Cleanup Services, including the Damage Cleanup pattern files, the Spyware/Grayware pattern files, and the Spyware/Grayware cleanup patterns.
Rollbacks
A new pattern file may occasionally trigger false positives. OfficeScan enables you to roll back to a previous version of the virus pattern file and the scan engine. You can roll back the virus pattern file and the scan engine separately.
For more information about Control Manager please visit the Trend Micro website: http://www.trendmicro.com.
For information about Cisco NAC and OfficeScan server installation, see Installing Additional Software Components on page 85. For configuration information related to Cisco NAC, see Appendix E: Configuring the Cisco ACS and NAD on page 425.
ActiveAction
ActiveAction is an option you can choose when configuring virus scans. This option provides automated, virus-handling rules based on the type of virus detected. ActiveAction is easy to enable and functions without user or administrator intervention.
The OfficeScan components include a spyware/grayware scan pattern for detecting types of grayware and a spyware/grayware cleanup pattern that DCS can use to rid your system of these threats, including shutting down running processes so they can be cleaned. OfficeScan enables you to configure an exclusion list for spyware/grayware so that you can choose to keep applications that OfficeScan identifies as grayware.
For more information on OfficeScan anti-spyware capability, see section 3.4.7 Anti-Spyware Engine on page 52.
For more information see section 3.4.8 OfficeScan Proxy Service and Web Reputation Services on page 53, and section 5.5.10 Web Reputation Services Settings on page 154.
Many viruses are hidden in email attachments and may even be embedded in email content. Outlook Mail Scan can perform real-time scanning for incoming Microsoft Outlook messages and attachments as they are downloaded from the Exchange server. Mail Scan can also perform manual scans on individual folders.
For information about enabling end-user access privileges to Outlook mail-scan functions, see Mail Scan Privileges on page 151.
For a complete list of hardware requirements and supported operating systems, see section 6.1 > Minimum Requirements for Client Software on page 220.
Some OfficeScan client features are not available on all operating systems. The table below summarizes key features and their availability based on operating system.
Windows Operating System Features (columns: XP; Server 2003; Server 2008; Vista / 7)
  Manual, Real-time, & Scheduled Scan
  Component update (manual and scheduled)
  Web reputation
  Roaming mode
  POP3 mail scan
  Update Agent
  Security Compliance
  Damage Cleanup Services
  Plug-in Manager
  OfficeScan firewall
  Behavior Monitoring
  Device Control
  Microsoft Outlook mail scan
  SecureClient support
  Support for Cisco NAC
NOTE: Support for Windows 95, 98, Me, and NT operating systems and the IA64 architecture was discontinued with OfficeScan 8.0. Support for Windows 2000 was discontinued in OfficeScan 10.5. If you are upgrading an installation that supports any of these legacy systems, see Accommodating Unsupported Client Operating Systems on page 71.
Tip: If you have legacy x64 standalone clients (prior to version 7.3), they can be migrated to an OfficeScan server using the IpxFer.exe tool.
OfficeScan can uninstall third-party antivirus software products for easy migration and, also, provides protection from viruses during the transition process.
For a more detailed description of the capabilities of the OfficeScan firewall, see section 3.4.10 The Common Firewall Driver on page 54.
IntelliScan first examines the header of the file using true file-type identification and checks whether the file is an executable, compressed, or other type of file that may be a threat. IntelliScan examines all files to be sure that the file has not been renamed: the extension must conform to the file's internally registered data type. For example, Microsoft Word documents are file-extension independent; even if you rename a document from legal.doc to legal.lgl, Word will still recognize and open the document, along with any macro viruses it contains. IntelliScan will identify the file as a Word document regardless of the file extension, and scan it accordingly.
IntelliScan also uses extension checking, that is, the file name itself. The list of extension names to be scanned is updated with each new pattern file. For example, when there was a new vulnerability discovered with regard to .jpg files, the .jpg extension was immediately added to the extension-checking list for the next pattern update.
IntelliScan does not affect crucial applications on the client because it uses minimal system resources.
Because IntelliScan uses true file type identification, it scans only those files that are vulnerable to infection. The scan time is therefore significantly shorter than when you scan all files.
For more information about Damage Cleanup Services and its components, see The Damage Cleanup on page 53.
2.6.5 IntelliTrap
Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps defend your network by blocking files containing real-time compressed executable code. Note that IntelliTrap is a heuristic technology, and therefore can potentially block some files that are actually not threatening. IntelliTrap is a component of the Virus/Malware scan settings.
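The two checks described above, true file-type identification for IntelliScan (header first, extension list second) and a heuristic for run-time compressed executables for IntelliTrap, can be illustrated with the following Python sketch. It is an added example and not OfficeScan or Trend Micro code: the signature table, the extension map, the entropy threshold, and the sample files are constructed assumptions chosen to show the technique, and a real engine recognizes far more formats and inspects packer stubs and individual sections rather than whole-file entropy.

```python
"""True file-type identification and a run-time-compression heuristic.

Added example, not OfficeScan code. The signature table, extension map,
entropy threshold and sample files are constructed assumptions.
"""
import math
import random

# Constructed magic-byte table: leading bytes -> internal data type.
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # legacy Word/Excel (.doc/.xls)
    (b"PK\x03\x04", "zip"),                         # OOXML (.docx), JAR, plain ZIP
    (b"MZ", "pe"),                                  # Windows executable
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"%PDF", "pdf"),
]

# Extension-checking list: what the file name claims to be (assumption).
EXTENSION_TYPES = {
    ".doc": "ole2", ".xls": "ole2", ".docx": "zip", ".zip": "zip",
    ".exe": "pe", ".dll": "pe", ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf",
}

PACKED_ENTROPY = 7.2  # bits per byte; illustrative threshold, not a vendor value


def identify_type(data: bytes) -> str:
    """True file-type identification: trust the header, not the name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes) -> bool:
    """IntelliTrap-style heuristic: a PE whose body is close to random is
    probably run-time compressed or encrypted. Whole-file entropy after the
    DOS header is a simplification; real engines look at sections and stubs."""
    if identify_type(data) != "pe":
        return False
    body = data[64:]
    return len(body) >= 256 and shannon_entropy(body) >= PACKED_ENTROPY


def scan_decision(name: str, data: bytes) -> dict:
    """Combine both checks the way the text describes IntelliScan doing it:
    scan when either the true type or the extension says the file can carry
    code, and flag names that disagree with the header."""
    true_type = identify_type(data)
    claimed = EXTENSION_TYPES.get(extension_of(name))
    return {
        "true_type": true_type,
        "renamed": true_type != "unknown" and claimed != true_type,
        "scan": true_type != "unknown" or claimed is not None,
        "packed": looks_packed(data),
    }


# Constructed samples: a renamed Word document, a plain PE, a "packed" PE.
OLE_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504
PLAIN_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" * 40
_rng = random.Random(2024)
PACKED_PE = b"MZ" + b"\x00" * 62 + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in [("legal.lgl", OLE_DOC), ("legal.doc", OLE_DOC),
                       ("setup.exe", PLAIN_PE), ("setup.exe", PACKED_PE),
                       ("notes.txt", b"just text\n")]:
        print(name, scan_decision(name, blob))
```

Running it shows the renamed document legal.lgl still classed as OLE2 and queued for scanning, while only the random-filled PE sample is flagged as probably packed. The flag is a heuristic in exactly the sense the IntelliTrap text warns about: any high-entropy executable (encrypted resources, embedded media, a legitimately packed installer) will trip it, so a deployment needs an exception path for known-good packed binaries.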
definition updates are delivered to the cloud only and not to all endpoints.
  Lower overhead cost associated with corporate-wide pattern deployments
  Lower kernel memory consumption on endpoints, with minimal increases over time
  Plug-in devices (including blocking auto-run functionality for USB devices)
  Optical disks
  Floppy disks
  Network resources
For a complete list of hardware requirements and supported operating systems, see section 6.1 > Minimum Requirements for Client Software on page 220 and 4.1.4 Verify Target Server(s) Meet Minimum System Requirements on page 68.
improves the efficient use of CPU resources by comparing the usage level selected (configurable using the OfficeScan management console) with actual CPU consumption on the client. The OfficeScan client can then adjust the scanning speed if the CPU-usage level has been set to medium or low.
  Added controls for scheduled scanning allow users with scheduled-scan privileges to postpone, skip, or stop a scheduled scan.
  More granular Web reputation settings now allow you to configure web reputation policies and assign them to one, several, or all OfficeScan clients.
identified during the routine reputation checking of one customer automatically updates the Trend Micro threat databases to help better protect all customers. By continuously processing the threat intelligence gathered through our extensive global network of customers and partners, we have created a "better together" security infrastructure that delivers automatic, real-time protection against the latest threats.
For a complete list of hardware requirements and supported operating systems, see section 6.1 > Minimum Requirements for Client Software on page 220 and 4.1.4 Verify Target Server(s) Meet Minimum System Requirements on page 68.
seconds (when enabled, the minimum refresh rate is 10 seconds; the maximum is 300).
  Enable and configure a custom timeout setting for the console using the console interface, instead of having to edit an .INI file (options range from 10 to 60 minutes in ten-minute increments).
These options are implemented on a new configuration page that you can access by clicking Administration > Web Console Settings on the main navigation menu.
  Expanded Active Directory support for multiple forests and trusted domains, along with a comprehensive reorganization of Active Directory-related features and configuration options within the management console
  Support for multiple tiers (nested folders/groupings) within the client tree
  A new custom client-grouping feature for creating your own Active Directory-based and/or IP-address-based sorting rules, to make it easier to configure and maintain client groupings for large numbers of clients within the client tree
  Integration of Web Reputation Services within the locally distributable, cloud-based Smart Scan server infrastructure, and a regrouping of Smart Protection Network components under a single heading within the navigation menu of the management console
  Activity sequencing for virtual-machine-based clients
  capability that summarizes data across a large number of profile metrics, provides better access to configuration options, lists query results in a new data format, and expands support for querying and reporting the status of machines that are outside of the local OfficeScan server's management
  Expanded functionality, configuration options, and reporting for update agents that allow you to select from multiple agent relay functions and also run a coverage analysis report to see which clients are configured to check with which relay agents
  Application filtering added to the client firewall that allows you to block or allow network traffic based on the application from which data may be sent or for which data may be received
  A probable virus category added to the list of detection events for which you may define a custom action to be taken (pass, clean, delete, or quarantine)
  Trend Micro VSAPI 9.0 integration, which provides new options for OLE-exploit detection and the ability to use wildcards in scan exception lists
  The ability to enable and disable the unauthorized-change prevention service and/or the client firewall based on client-tree selections of one or more clients, whereas formerly these options were available only as global client settings
  Exception lists for device-control settings that allow you to define 1) applications that should be allowed to run and 2) applications that should be allowed to run and be allowed full access to all system resources
Most OfficeScan client features available on Windows Server 2008 work on Server Core. The only feature that is not supported is roaming mode.
• IPv6 support is automatically enabled after installing or upgrading the OfficeScan server and clients that satisfy the IPv6 requirements
• Digital Asset Control and expands the range of devices monitored by Device Control
• Clients can now scan HTTPS traffic for web threats
• Increased granularity for defining user roles based on the menu items, now including individual client-tree toolbar menu items, for which the individual permissions to view and to configure may be granted or revoked
• to improve the integrity of event data collected from clients and, on many networks, aggregated by Trend Micro Control Manager
OfficeScan 10.6 improves the overall performance of the management console by migrating certain CGI functions to ISAPI extensions, which average five to ten times faster. On the client side, certain CGI calls to the OfficeScan server have also been rewritten as ISAPI extensions. Additionally, a loading progress indicator has been added to management-console page displays to avoid blank renderings. OfficeScan 10.6 also includes a number of additional backend improvements that do not result in visible changes from within the management console or end-user client console, but that do enable an individual OfficeScan server to support more total clients, up to approximately 50,000.
Review Questions
1. OfficeScan supports SSL with which of the following web servers? (Choose all that apply.)
   a) Apache 2.0.52
   b) IIS 4.0
   c) Apache 1.3
   d) IIS 6.0
   e) Netscape Enterprise Server 6.1
   f) IIS 5.0
2. What does Virus Outbreak Monitor do?
   a) Monitors the viruses detected on a client
   b) Monitors the viruses detected on the network
   c) Monitors the number of new network sessions
   d) Alerts you when a new virus is discovered
3. Which OfficeScan feature includes the Intrusion Detection System (IDS)?
   a) DCS
   b) The OfficeScan firewall
   c) OfficeScan for Wireless
   d) The Policy Server for Cisco NAC
4. Which of the following types of threats can a spyware/grayware scan detect?
   a) Viruses
   b) Trojan horses
   c) Back door programs
   d) Worms
Chapter 3: OfficeScan Application Architecture
Chapter Objectives
After completing this chapter, you should be able to:
• Identify the three main components of the OfficeScan architecture
• Describe the OfficeScan server architecture
• Describe the OfficeScan client architecture
The OfficeScan server software provides the core services of the OfficeScan architecture. It consists of a number of programs and information files. The default installation directory for OfficeScan is C:\Program Files\Trend Micro\OfficeScan. The server provides a repository for client configurations, virus logs, and up-to-date client software. The server also hosts the web-based management console and other control-center functions that provide centralized administration for all clients.
Scalability
To support larger numbers of clients (more than 1,500), OfficeScan enables you to configure selected clients to function as update agents. Update agents relieve the throughput burden on the main server and increase the efficiency of the system-wide update process by reducing redundant data transport over local- and wide-area backbone links.
Client support
You can install OfficeScan clients on any computer running Windows XP or later, including 32-bit and 64-bit workstation and server editions. The client software provides antivirus/malware scanning, spyware/grayware detection, firewall protection, update capability, and support for additional features and services.
Client-server communication
The client communicates with the server to receive configuration settings, to download component updates, and to upload logs. OfficeScan uses Message Digest 5 (MD5) to validate the integrity of the data transferred. (For a brief description, see MD5 Message Authentication on page 31.) Client-server communication is typically frequent and ongoing. For example, when you use the management console to request firewall logs, the OfficeScan server notifies clients to check for instructions from the server. The clients subsequently upload their logs. The same happens when new updates are ready for distribution: the clients (and client update agents) then download updates from the server or from their designated update agent.
Management Console
The OfficeScan management console user interface is browser-based, relying on standard technologies such as HTTP/S, HTML, Common Gateway Interface (CGI), and Java. The console gives you access to comprehensive management functions for the server and its clients. You can configure and enforce antivirus policies, update components, scan clients, and install client software on new machines.
NOTE CGI is an industry-standard protocol for linking server-side application code with dynamic web pages that compose a user interface, which is thereby deliverable by web servers and readable by browsers.
The figure below illustrates the conventional OfficeScan architecture and shows how the various components interact.
NOTE Trend Micro Control Manager enables you to manage all the Trend Micro products on your network from a central location, including OfficeScan. For more information, go to http://www.trendmicro.com.
clients and update agents. The OfficeScan server stores configuration data for the clients that it manages. When an OfficeScan client is installed and registered, it contacts the OfficeScan server and requests the configuration settings that it should use. When you modify a client configuration, the OfficeScan server notifies affected clients to download the new settings. In addition to storing client configurations, the OfficeScan server stores server-side configurations such as web-server and proxy-server information, the password for the OfficeScan management console, and product licensing information. To configure the client and the server, you can use the OfficeScan management console or the Control Manager management console, if you are running Control Manager. Server components that facilitate updating client and server information include:
• Web server
• Client and console CGIs
• Master service
• Database (DB) server service
• OfficeScan database
The following sections explain each of the major components shown above in more detail.
but the version is not 2.x, OfficeScan will install and use version 2.2.5. The existing Apache Web server is not removed.) You can specify which web server to use during the OfficeScan server installation.
For more information on web server requirements, including those for use with SSL, please see 4.1.4 Verify Target Server(s) Meet Minimum System Requirements on page 68.
Both console CGIs and client CGIs are stored on the OfficeScan server. The OfficeScan management console invokes console CGIs through the web server running on the OfficeScan server. OfficeScan clients invoke client CGIs through the web server also. Client CGIs facilitate the transfer of client logs, registration information, and other administrative data to the OfficeScan server. For example, if a client detects an infected file, the client invokes a client CGI to send the file to the master service. The master service then takes the action specified by your configuration. If the specified action for infected files is, say, quarantine, the file will then be sent to the quarantine folder.
During the initial installation of the server software, the setup program generates a random port number (you may specify one of your own instead) on which OfficeScan clients will listen for connections from the server. When the server needs to contact the client for updates or configuration changes, the server sends a call-back request to the client communication port. The client, in turn, contacts the server for any available data. The master service is also responsible for checking the Trend Micro ActiveUpdate server for newly available virus patterns, spyware/grayware scan and cleanup patterns, scan engines, and program and configuration updates. The master service then notifies clients to contact the server. Clients return log messages to the master service to confirm that updates and configuration changes have been processed.
NOTE The database server service does not appear as a service in the Microsoft Management Console. You can check its runtime status using Windows Task Manager, where it appears as DbServer.exe.
The database backup process is a component of the database-server service. The master service communicates with the backup process, controlling the schedule by which backups are performed.
3.2.5 Database
OfficeScan client data and configuration information is stored in the OfficeScan database. Client information includes data such as IP address, computer name, status information, and configuration settings. Status information includes the virus pattern file version, the scan engine version, and the infection count. The client configuration settings include real-time scan settings, manual scan settings, and scheduled scan settings. The OfficeScan 8.0 database engine itself can support a large number of clients (up to 50,000) and query millions of records in a single second. Other application modules and system limitations restrict the maximum supportable number of clients per server to less than this number (currently, about 6000). The current database engine (introduced in version 7.0) overcomes certain limitations of MSDE, which restricted client support to about 3000 clients per server.
NOTE To achieve acceptable performance for more than ~1,500 clients, you should use a hardware platform that exceeds minimum requirements and plan to designate one or more clients to be update agents.
Smart Client
The central scanning component of Trend Micro's endpoint security solution is the Smart Client. Comparable to the scan engine in traditional content scanning, the Smart Client interacts with Smart Scan Servers to determine with certainty whether a file is infected or not and what action to take on that file.
For information on deployment considerations for Smart Scan servers, see 4.1.2 Consider Smart Scan Server Options on page 66. For information on configuration of integrated Smart Scan server settings, see 5.4 > Smart Protection Server Settings on page 116. For information on installing and configuring standalone Smart Scan servers, see Appendix G:
perform on-demand scanning and other tasks based on the privileges you allow. You can limit or expand the functionality of the client console by granting and revoking privileges to individual functions. You can grant privileges to users so they can modify various settings and perform on-demand scans and updates using the OfficeScan client console. You can also revoke these privileges. Granting privileges exposes user-interface access to the associated functions. Revoking privileges may remove interface tabs from display and/or gray-out options listed on drop-down and popup menus. You can, for example, restrict the client console from access to scan settings, as well as from being able to unload and/or uninstall the client program.
Manual scanning options include full-scan and single file scanning capability. You can configure scan settings and initiate manual scanning through the web-based management console or the client console interface. The components that together provide the OfficeScan client with its threat detection and response capability are listed below. Trend Micro releases updates for each of these components as new threats are discovered.
NOTE Additional information for the major components listed below, including the client program, scan engine, pattern files, damage cleanup, and the client firewall, appears in following sections within this chapter.
Core Components
Client program: Implemented as four main services and additional processes (see Client Application Services and Program Data below), the OfficeScan client program provides a framework for the components listed below, including a watchdog function (Trend Micro Unauthorized Change Prevention Service) that monitors client status and automatically restarts services if they are ever stopped.
communication between the client and routers that support Cisco NAC (requires that the Policy Server for Cisco NAC be deployed).
of workaround solutions to customer-specific issues or newly discovered vulnerabilities that you can download from the Trend Micro website and deploy to OfficeScan clients and/or the OfficeScan server.
Antivirus Components
Scan engines (32-bit and 64-bit): Consist …
conventional-scan OfficeScan clients with virus signatures, which are the unique patterns of bits that identify each virus type.
conventional-scan signatures for detecting real-time compression files that are packed as executable files.
a list of approved compression files.
Hosted by Smart Scan servers; clients do not download this file. It is updated hourly by default (optionally every 15 minutes) and contains the majority of the pattern definitions available.
Smart Scan clients download this pattern from the update source using the same methods used for downloading other OfficeScan components. It is updated daily and contains the patterns that cannot be hosted by the Smart Scan server.
Anti-Spyware Components
Spyware engines (32-bit and 64-bit): Scans …
Spyware pattern file: Contains signatures for spyware/grayware in executable program files, data files, memory modules, the Windows registry, and URL shortcuts.
to the standard spyware pattern file, but used for real-time anti-spyware scanning. Only conventional scan clients use this pattern. Smart Scan clients use the Smart Scan Agent Pattern for real-time spyware/grayware scanning. Clients send scan queries to a Smart Scan Server if the risk of the scan target cannot be determined during scanning.
NOTE This component is used only if you purchase and activate the Antivirus and Web Threat Protection services.
newly loaded executables and enables spyware/grayware files to be deleted as they are discovered.
NOTE This component is used only if you activate (purchase) the web-threat protection service. If both antivirus and web-threat protection services are activated, …
Anti-rootkit driver (32-bit): This kernel-mode driver is used by the spyware scan engine
silent (transparent) proxy services that enable the OfficeScan client to provide Web Reputation Services.
HTTP protocol handling for traffic captured by the OfficeScan proxy service, and handles rating requests and other functions related to Trend Micro Web Reputation Services.
by Damage Cleanup Services to scan for and remove viruses, trojans and trojan processes, and other malware.
by the virus cleanup engine to identify viruses, trojan files, and other processes to be eliminated.
OfficeScan Firewall
Common firewall driver (32-bit and 64-bit): Provides …
Common firewall/network-virus pattern file: Like the virus pattern file, this file contains signatures for viruses that can be detected as they pass through the network interface, before being written to disk or any other file system.
Web Reputation
URL filtering engine
Facilitates communication between OfficeScan and the Trend Micro URL Filtering Service. The URL Filtering Service is a system that rates URLs and provides rating information to OfficeScan.
in kernel mode and monitors system events and passes them to the Behavior Monitoring Core Service for policy enforcement.
in user mode and provides rootkit detection, regulates access to external devices, and protects files, registry keys, and services.
is used by the behavior monitoring driver to identify normal system events and exclude them from policy enforcement.
contains digital signatures used by the behavior monitoring core service to determine whether a program responsible for a system event is safe.
is used by the behavior monitoring core service to check system events against the policies in this pattern.
provides communication with the server
performs scanning functions
provides network protocol-level monitoring
running an x86 type processor
The executable names in plain text above are the process names for the associated service. Additional processes include:
• PccNTMon.exe, which monitors running processes and processes being loaded
• A randomly named process that implements the watchdog service (described below)
• OfficeScan database on the server
• ofcscan.ini file on the client
• Windows system registry on the client
For a complete list of client services and registry entries, see section 6.3 > Verifying the OfficeScan Client Installation on page 238.
During the OfficeScan server installation you will select a default setting for new clients. After installation, you can change this setting through the management console.
NOTE For more information on changing this client security setting, please see section 5.5.8 Client Privileges and Other Settings on page 150.
The normal setting leaves OfficeScan client program files more vulnerable to attack by malicious programs or otherwise compromised user accounts. The high security option limits access to the OfficeScan installation folder and registry keys to Windows administrator and power-user profiles. The table below shows the permissions assigned for the high setting.
Folder permissions under the high security setting (the per-group permission marks were not recoverable from the page)
Permission columns: Full Control | Modify | Read & Execute | List Folder Content | Read | Write
Groups: Admin, Creator Owner, Power User, SYSTEM, Terminal User*, Users
Access privileges that users have to the OfficeScan client registry entries when the high setting is selected are shown below.
Registry permissions under the high security setting (the per-group permission marks were not recoverable from the page)
Permission columns: Full Control | Read
Groups: Administrators, Creator Owner, Power User, SYSTEM, Terminal User*, Users
circumvented. The change-prevention service monitors the status of the real-time scan process, NTRtScan.exe (as well as other processes). The real-time scan process, in turn, protects all digitally signed .exe, .dll, and .sys files in the OfficeScan client folder, as well as other important, unsigned files.
Client self-protection settings are part of the OfficeScan global client settings. For more information and instructions on how to change these settings, please see section 5.6 > Global Client Settings on page 172.
• Frequent updates to the virus pattern file, which can be downloaded and read by the engine without the need for any changes to the engine code itself
• Technological upgrades in the engine software prompted by a change in the nature of virus threats, such as a rise in mixed threats like SQL Slammer, for example
The Trend Micro scan engine is certified annually by international computer security organizations, including ICSA (International Computer Security Association).
You can download virus pattern files from the following website, where you can also find the current version, release date, and a list of all the new virus definitions that are included in the file:
http://www.trendmicro.com/download/pattern.asp
Assessment Mode
Rootkit Detection
For a more detailed description of Web Reputation Services, see section 5.5.10 Web Reputation Services Settings on page 154.
Scans for remnants of, and damage caused by, viruses, trojans, worms, and other malware, and cleans up what it finds.
Is used by the virus cleanup engine to help identify trojan files and processes and other malware; it includes information about fixing damage caused by malware threats and removing any lingering remnants.
NOTE VCTs are updated frequently; therefore, Trend Micro recommends that you update your components immediately after you have installed and activated Damage Cleanup Services.
The VCE is a background process whose operation is transparent to end users and administrators. It does not require configuration.
NOTE Certain clean-up processes may require the host computer to be restarted to complete the removal of a threat. In that case, an on-screen notification is displayed for the affected user.
NOTE You can use the OfficeScan firewall on Windows XP machines that also have the Microsoft Internet Connection Firewall enabled. However, you must manage your policies carefully to avoid creating conflicting policies that produce unexpected results. For example, if you configure one firewall to allow traffic from a certain port but the other firewall blocks traffic from the same port, the traffic will be blocked. For information on how to configure Internet Connection Firewall, see your Microsoft documentation.
Stateful Inspection
The OfficeScan firewall provides stateful inspection, monitoring all connections to the client and tracking connection states and packet sequences. By doing so, the firewall can identify certain intrusion and denial-of-service attempts and block problem traffic before it is processed by the host protocol stack.
Intrusion Detection
The OfficeScan firewall also includes an Intrusion Detection System (IDS). When enabled, the IDS can identify patterns in packet formation and traffic sequences that may indicate an attack on the client. The OfficeScan firewall can help prevent these well-known intrusions:
• Conflicted ARP
• LAND Attack
• Ping of Death
• Teardrop
• Too Big Fragment
• Fragmented IGMP
• Overlapping Fragment
• SYN Flood
• Tiny Fragment Attack
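To make concrete what "patterns in packet formation and traffic sequences" means for several of the intrusions named above, the following added example (not Trend Micro code, and not the OfficeScan firewall's actual rules) runs simplified stateful detection rules over a constructed packet stream. The Packet record, the thresholds MIN_FIRST_FRAGMENT, SYN_WINDOW_SECONDS and SYN_THRESHOLD, and the sample traffic are all assumptions made for illustration; the rules cover LAND, Ping of Death, Tiny Fragment, Overlapping Fragment (the Teardrop family) and SYN Flood, and show why the firewall must keep per-datagram and per-host state rather than judge each packet alone.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed abstraction of the header fields a host firewall's IDS inspects."""
    ts: float                 # arrival time in seconds
    src: str                  # source IP address
    dst: str                  # destination IP address
    proto: str                # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False         # TCP SYN without ACK, i.e. a connection attempt
    ip_id: int = 0            # IP identification field; groups the fragments of one datagram
    frag_offset: int = 0      # byte offset of this fragment within the datagram
    more_frags: bool = False  # IP "more fragments" flag
    length: int = 0           # payload bytes carried by this fragment


MAX_DATAGRAM = 65535       # largest legal IPv4 datagram; reassembling past it overflows the buffer
MIN_FIRST_FRAGMENT = 20    # assumed: a first TCP fragment shorter than a TCP header splits the header
SYN_WINDOW_SECONDS = 1.0   # assumed sliding window for the SYN-rate rule
SYN_THRESHOLD = 50         # assumed: more SYNs than this per window to one host is treated as a flood


class Inspector:
    """Stateful inspection over a packet stream; returns the names of the patterns matched."""

    def __init__(self) -> None:
        # (src, dst, ip_id) -> byte ranges already seen for that datagram
        self._frags: dict[tuple[str, str, int], list[tuple[int, int]]] = defaultdict(list)
        # destination host -> arrival times of its recent SYNs
        self._syns: dict[str, deque[float]] = defaultdict(deque)

    def inspect(self, p: Packet) -> list[str]:
        alerts: list[str] = []

        # LAND: a SYN whose source and destination address and port are identical.
        if p.proto == "tcp" and p.syn and p.src == p.dst and p.src_port == p.dst_port:
            alerts.append("LAND Attack")

        # Ping of Death: an ICMP fragment whose offset plus length exceeds the maximum datagram.
        if p.proto == "icmp" and p.frag_offset + p.length > MAX_DATAGRAM:
            alerts.append("Ping of Death")

        # Tiny Fragment: a first TCP fragment too small to carry the whole transport header.
        if p.proto == "tcp" and p.frag_offset == 0 and p.more_frags and p.length < MIN_FIRST_FRAGMENT:
            alerts.append("Tiny Fragment Attack")

        # Overlapping Fragment: a fragment whose byte range overlaps one already seen for the datagram.
        if p.more_frags or p.frag_offset > 0:
            key = (p.src, p.dst, p.ip_id)
            start, end = p.frag_offset, p.frag_offset + p.length
            if any(start < seen_end and seen_start < end for seen_start, seen_end in self._frags[key]):
                alerts.append("Overlapping Fragment")
            self._frags[key].append((start, end))
            if not p.more_frags:
                self._frags.pop(key, None)   # final fragment: reassembly complete, drop the state

        # SYN Flood: too many connection attempts to one host inside the sliding window.
        if p.proto == "tcp" and p.syn:
            recent = self._syns[p.dst]
            recent.append(p.ts)
            while recent and p.ts - recent[0] > SYN_WINDOW_SECONDS:
                recent.popleft()
            if len(recent) == SYN_THRESHOLD + 1:   # fire once, as the rate first crosses the threshold
                alerts.append("SYN Flood")

        return alerts


def run(packets: list[Packet]) -> list[tuple[int, str]]:
    """Inspect a whole capture; returns (packet index, pattern name) pairs."""
    insp = Inspector()
    return [(i, name) for i, p in enumerate(packets) for name in insp.inspect(p)]


def sample_traffic() -> list[Packet]:
    """Constructed sample stream: one benign SYN, one instance of each rule, then a SYN burst."""
    pkts = [
        Packet(0.0, "10.0.0.2", "10.0.0.5", "tcp", 51000, 445, syn=True),                                # 0 benign
        Packet(0.1, "10.0.0.5", "10.0.0.5", "tcp", 139, 139, syn=True),                                  # 1 LAND
        Packet(0.2, "10.0.0.7", "10.0.0.5", "icmp", ip_id=1, frag_offset=65528, length=100),             # 2 Ping of Death
        Packet(0.3, "10.0.0.8", "10.0.0.5", "tcp", 40000, 80, ip_id=3, more_frags=True, length=8),       # 3 Tiny Fragment
        Packet(0.4, "10.0.0.9", "10.0.0.5", "udp", 4000, 53, ip_id=7, more_frags=True, length=100),      # 4 first fragment
        Packet(0.5, "10.0.0.9", "10.0.0.5", "udp", 4000, 53, ip_id=7, frag_offset=50, length=100),       # 5 overlaps #4
    ]
    # 60 SYNs within 60 ms to one host from different sources: the 51st crosses the threshold.
    pkts += [Packet(10.0 + i * 0.001, f"172.16.0.{i}", "10.0.0.9", "tcp", 50000 + i, 25, syn=True)
             for i in range(60)]
    return pkts


if __name__ == "__main__":
    for index, name in run(sample_traffic()):
        print(f"packet {index}: {name}")
```

The fragment and SYN rules are the stateful part: the Overlapping Fragment check only works because earlier fragments of the same (source, destination, IP ID) were remembered, and the SYN Flood check only works because recent arrivals per destination were kept. Real thresholds are tuned per network; the ones here exist only to make the sample deterministic.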
integrates with Outbreak Prevention policies so that security can be tightened against specific threats during an outbreak.
Though the client keeps a TCP listening port open, for security reasons the data sent to the client from the server consists mainly of call-back requests. Instead of accepting actual commands or configuration changes directly from the listening port, the client accepts only requests to contact the server and then requests configuration data on its own. This increases security by requiring a hacker to either compromise the OfficeScan server itself or the routing infrastructure from client to server, as well as spoof the server's hosting functions that respond to client requests. Either way, in the real world, if a hacker were to penetrate that far into the network, the OfficeScan system would not be a likely target for further intrusion. The call-back communication model also increases security by enabling the client functions to be more readily locked down. In other words, the fewer types of legitimate messages the client must be programmed to handle over the open port, the easier it is to discard malformed data intended to create buffer overflows or other effects.
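The following added example (not Trend Micro code) models the two defensive ideas from this section and from the earlier Client-server communication section: the client's listening port acts only on a fixed call-back notice and discards everything else unread, and the client then pulls components from the server itself and checks each download against the server's digest list before using it. The notice format, the FakeServer class, the manifest layout and the component bytes are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib

# The only message the client's listening port acts on (assumed wire format, not Trend Micro's).
CALLBACK_NOTICE = b"NOTIFY"
MAX_NOTICE_LEN = 16


def handle_listening_port_message(raw: bytes) -> bool:
    """Return True only for an exact call-back notice; anything else is discarded.

    Nothing received on this port is parsed as a command or configuration: a valid
    notice merely tells the client to go and ask the server for data itself.
    """
    if len(raw) > MAX_NOTICE_LEN:      # oversized input is dropped without further parsing
        return False
    return raw == CALLBACK_NOTICE


class FakeServer:
    """Stand-in for the OfficeScan server: publishes components and their digests."""

    def __init__(self, components: dict[str, bytes]) -> None:
        self._components = dict(components)
        # Digest list the client fetches alongside a component. MD5 is used here because
        # that is what the text describes; a current design would publish SHA-256 and sign
        # the list, since a bare digest served by the same host only detects corruption or
        # on-path modification, not a compromised update source.
        self.manifest = {name: hashlib.md5(data).hexdigest() for name, data in components.items()}

    def fetch(self, name: str) -> bytes:
        return self._components[name]


def pull_component(server: FakeServer, name: str, tampered: bytes | None = None) -> bytes | None:
    """Client side of the pull: download a component and keep it only if its digest matches.

    `tampered` lets a caller simulate modification of the download in transit.
    """
    expected = server.manifest.get(name)
    if expected is None:
        return None                       # unknown component: nothing to verify against
    data = tampered if tampered is not None else server.fetch(name)
    if hashlib.md5(data).hexdigest() != expected:
        return None                       # integrity failure: discard and keep the current component
    return data


def on_callback(server: FakeServer, raw_notice: bytes, component: str) -> bytes | None:
    """Complete cycle: notice on the listening port -> client-initiated pull -> digest check."""
    if not handle_listening_port_message(raw_notice):
        return None
    return pull_component(server, component)


if __name__ == "__main__":
    srv = FakeServer({"pattern.dat": b"constructed pattern bytes"})
    print(on_callback(srv, b"NOTIFY", "pattern.dat"))          # component accepted
    print(on_callback(srv, b"SET scan=off", "pattern.dat"))    # not a notice: ignored
    print(pull_component(srv, "pattern.dat", tampered=b"x"))   # digest mismatch: rejected
```

The point of the design is the size of the attack surface on the open port: handle_listening_port_message accepts a single fixed message and has no parser to confuse, while all variable-length data (configuration, patterns) arrives over a connection the client opened and is checked before use.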
OfficeScan client software supports mobile clients that cannot maintain continuous communication with the OfficeScan server through roaming mode. Each OfficeScan client is capable of operating in roaming mode as well as normal mode.
NOTE As with many other client functions, roaming mode is a privilege that you can selectively grant (enable) or revoke (disable) by using the management console.
Normal Mode
Normal mode is designed for workstations and servers running the OfficeScan client that can maintain continuous network access to the OfficeScan server. An icon in the system tray indicates the status of the client. The icons used to indicate client status in normal mode are shown below.
Table 3.3: Normal Mode Status Indicators (System Tray Icons); the icon images are not reproduced here
Description | Real-time Scan
Normal client (blue icon) | Enabled
Pattern file is outdated | Enabled
Scan Now, manual scan, or scheduled scan is running | Enabled
Real-time scan is disabled | Disabled
Real-time scan is disabled and the pattern file is outdated | Disabled
Real-time scan is not running or has been stopped (red icon) | Disabled
Real-time scan is not running or has been stopped, and the pattern file is outdated (red icon) | Disabled
Disconnected from the server | Enabled
Disconnected, and the pattern file is outdated | Enabled
Disconnected, and real-time scan is disabled | Disabled
Disconnected, real-time scan is disabled, and the pattern file is outdated | Disabled
Disconnected, and real-time scan is not running or has been stopped (red icon) | Disabled
Disconnected, real-time scan is not running or has been stopped, and the pattern file is outdated (red icon) | Disabled
means the pattern file is outdated; the "no" symbol means that real-time scan is disabled, and a red base icon means real-time scan is not running; otherwise the icon is blue.
Roaming Mode
Roaming mode is for laptops, notebooks, and other mobile computing devices that do not have continuous access to the OfficeScan server. When in roaming mode, OfficeScan clients:
• Display a different set of status icons compared to normal mode, and thus do not show the disconnected icon when unplugged from the network (see the table below)
• Attempt to contact the OfficeScan server less frequently and store event logs locally until … server, using whatever Internet connection may be available
• Do not respond immediately to manual-update commands issued from the management console, but do seek updates when Scan Now is executed by end users (who have sufficient privileges), when a scheduled update time arrives, or when reconnected to the OfficeScan server
Table 3.4: Roaming Mode Status Indicators (System Tray Icons); the icon images are not reproduced here
Description
Roaming client (blue icon)
Real-time scan is disabled
Pattern file is outdated
Real-time Scan is disabled and the pattern file is outdated
Real-time Scan Service is not running (red icon)
Real-time Scan Service is not running & the pattern file is outdated (red icon)
Smart Scan Client Status Indicators (System Tray Icons); the icon images are not reproduced here, and the Real-time Scan values of the first two rows, lost at a page break, follow the Enabled/Disabled/Stopped sequence of every other group
Description | Real-time Scan
Smart Scan client can connect to a Smart Scan Server. | Enabled
Smart Scan client can connect to a Smart Scan Server. | Disabled
Smart Scan client can connect to a Smart Scan Server. | Stopped
Smart Scan client cannot connect to a Smart Scan Server. | Enabled
Smart Scan client cannot connect to a Smart Scan Server. | Disabled
Smart Scan client cannot connect to a Smart Scan Server. | Stopped
Offline Smart Scan client can connect to a Smart Scan Server. | Enabled
Offline Smart Scan client can connect to a Smart Scan Server. | Disabled
Offline Smart Scan client can connect to a Smart Scan Server. | Stopped
Offline Smart Scan client cannot connect to a Smart Scan Server. | Enabled
Offline Smart Scan client cannot connect to a Smart Scan Server. | Disabled
Offline Smart Scan client cannot connect to a Smart Scan Server. | Stopped
Roaming Smart Scan client can connect to a Smart Scan Server. | Enabled
Roaming Smart Scan client can connect to a Smart Scan Server. | Disabled
Roaming Smart Scan client can connect to a Smart Scan Server. | Stopped
Roaming Smart Scan client cannot connect to a Smart Scan Server. | Enabled
Roaming Smart Scan client cannot connect to a Smart Scan Server. | Disabled
Roaming Smart Scan client cannot connect to a Smart Scan Server. | Stopped
By designating update agents in remote offices, you can reduce WAN traffic. Likewise, you can install one or more update agents on each LAN segment to reduce local backbone traffic.
NOTE Update agent capability eliminates the Master and Remote Agents used in OfficeScan 5.5. These agents required Apache Web server on each agent. The new update agents do not require a web server.
For more information about update agents, see Chapter 7: Updates on page 245.
The OfficeScan client can build the digital signature and on-demand scan cache files to improve its scan performance. When an on-demand scan runs, the client first checks the digital signature cache file and then the on-demand scan cache file for files to exclude from the scan. Scanning time is reduced if a large number of files are excluded from the scan.
Digital Signature Cache
The digital signature cache file is used during Manual Scan, Scheduled Scan, and Scan Now. Clients do not scan files whose caches have been added to the digital signature cache file. The OfficeScan client uses the same Digital Signature Pattern used for Behavior Monitoring to build the digital signature cache file. The Digital Signature Pattern contains a list of files that Trend Micro considers trustworthy and therefore can be excluded from scans. Clients build the digital signature cache file according to a schedule, which is configurable from the web console. Clients do this to:
• Add the cache for new files that were introduced to the system since the last cache file was built
• Remove the cache for files that have been modified or deleted from the system
During the cache building process, clients check the following folders for trustworthy files and then add the caches for these files to the digital signature cache file:
• %PROGRAMFILES%
• %WINDIR%
The cache building process does not affect a computer's performance, because clients use minimal system resources during the process. Clients are also able to resume a cache building task that was interrupted for some reason (for example, when the host machine is powered off or when a wireless computer's AC adapter is unplugged).
On-demand Scan Cache
The on-demand scan cache file is used during Manual Scan, Scheduled Scan, and Scan Now. Clients do not scan files whose caches have been added to the on-demand scan cache file.
Each time scanning runs, the client checks the properties of threat-free files. If a threat-free file has not been modified for a certain period of time (the time period is configurable), the client adds the cache of the file to the on-demand scan cache file. When the next scan occurs, the file will not be scanned if its cache has not expired. The cache for a threat-free file expires within a certain number of days (the time period is also configurable). When scanning occurs on or after the cache expiration, the client removes the expired cache and scans the file for threats. If the file is threat-free and remains unmodified, the cache of the file is added back to the on-demand scan cache file. If the file is threat-free but was recently modified, the cache is not added, and the file will be scanned again on the next scan. The cache for a threat-free file expires to prevent the exclusion of infected files from scans, as illustrated in the following examples:
• It is possible that a severely outdated pattern file may have treated an infected, unmodified file as threat-free. If the cache does not expire, the infected file remains in the system until it is modified and detected by Real-time Scan.
• If a cached file was modified and Real-time Scan is not functional during the file modification, the cache needs to expire so that the modified file can be scanned for threats.
The number of caches added to the on-demand scan cache file depends on the scan type and its scan target. For example, the number of caches may be less if the client only scanned 200 of the 1000 files in a computer during Manual Scan. Since files must remain unmodified for only a relatively short period of time, more caches can be added to the cache file. The caches also take longer to expire, which means that more files are skipped from scans. If on-demand scans are seldom run, you can disable the on-demand scan cache, since the caches would have expired by the time the next scan runs. To configure cache settings for scans, go in the OfficeScan console to:
NETWORKED COMPUTERS > CLIENT MANAGEMENT
1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.
2. Click Settings > Privileges and Other Settings.
3. Click the Other Settings tab and go to the Cache Settings for Scans section.
4. Configure settings for the digital signature cache.
   4.1. Select Enable the digital signature cache.
   4.2. In Build the cache every __ days, specify how often the client builds the cache.
5. Configure settings for the on-demand scan cache.
   5.1. Select Enable the on-demand scan cache.
   5.2. In Add the cache for safe files that are unchanged for __ days, specify the number of days a file must remain unchanged before it is cached.
   5.3. In The cache for each safe file expires within __ days, specify the maximum number of days a cache remains in the cache file.
NOTE: To prevent all caches added during a scan from expiring on the same day, caches expire randomly within the maximum number of days you specified. For example, if 500 files were added to the cache today and the maximum number of days you specified is 10, a fraction of the caches will expire the next day and the majority on the succeeding days. On the 10th day, all caches that remain will expire.
6. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:
   6.1. Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
   6.2. Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
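The caching, modification and expiry rules described above, as an added Python model that is not Trend Micro's code: days are plain integers, every file in the sample is assumed threat-free (a constructed assumption), and the random expiry is seeded so a run is reproducible.

```python
"""Model of the OfficeScan on-demand scan cache behaviour described above.
Added example, not Trend Micro code. Days are plain integers (day 0, day 1, ...)
and the two configurable settings map to the console fields named in the comments."""
import random
from dataclasses import dataclass, field


@dataclass
class CacheEntry:
    modified_day: int  # the file's modification day when its cache was added
    expires_on: int    # day on which this cache entry expires and the file is rescanned


@dataclass
class OnDemandScanCache:
    unchanged_days: int      # "Add the cache for safe files that are unchanged for __ days"
    expire_within_days: int  # "The cache for each safe file expires within __ days"
    seed: int = 0            # fixed seed so the random expiry below is reproducible
    entries: dict = field(default_factory=dict)

    def __post_init__(self):
        self._rng = random.Random(self.seed)

    def needs_scan(self, path, modified_day, today):
        """True if the file must be scanned this run; drops stale or expired caches."""
        entry = self.entries.get(path)
        if entry is None:
            return True                 # never cached (or its cache was dropped)
        if modified_day != entry.modified_day:
            del self.entries[path]      # modified since caching, possibly while
            return True                 # Real-time Scan was not running
        if today >= entry.expires_on:
            del self.entries[path]      # expired: rescan with the current pattern so a
            return True                 # miss by an outdated pattern is not permanent
        return False                    # cached and unexpired: skipped by this scan

    def record_threat_free(self, path, modified_day, today):
        """Called after a scan finds no threat; caches the file only if it has been
        unchanged for at least `unchanged_days`. Returns True if a cache was added."""
        if today - modified_day < self.unchanged_days:
            return False                # recently modified: scanned again next run
        # Expire randomly within the maximum so caches added on the same day do not
        # all expire together (the NOTE above); the last possible day is the maximum.
        expires_on = today + self._rng.randint(1, self.expire_within_days)
        self.entries[path] = CacheEntry(modified_day, expires_on)
        return True

    def scan(self, files, today):
        """One on-demand scan over {path: modified_day}. Returns the paths actually
        scanned. Constructed assumption: every file in this model is threat-free."""
        scanned = []
        for path, modified_day in files.items():
            if self.needs_scan(path, modified_day, today):
                scanned.append(path)
                self.record_threat_free(path, modified_day, today)
        return scanned


if __name__ == "__main__":
    # Constructed sample: one file last modified on day 0, one on day 9.
    cache = OnDemandScanCache(unchanged_days=3, expire_within_days=10)
    sample = {"a.exe": 0, "b.dll": 9}
    for day in (10, 11, 12, 25):
        print(f"day {day}: scanned {cache.scan(sample, day)}")
```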
Review Questions
1. What is one of the main functions of the server component of OfficeScan?
   a) Protect the network from malware
   b) Protect the server from malware
   c) Download updates and distribute them to clients
   d) Scan for malware

2. What is a major reason for increased performance in OfficeScan, since version 7.0?
   a) Simultaneous processing of CGI requests
   b) The storing of client information in a database
   c) OfficeScan now supports SQL
   d) The OfficeScan Master Service processes CGIs faster

3. What does the High Security setting for clients do?
   a) Enables the OfficeScan firewall
   b) Locks the .exe and .dll files in the OfficeScan client directory
   c) Increases the number of files that the client scans for malware
   d) Changes the rights to the directories and registries on the client
simultaneously, such as the start of the work day. Balance your organization's tolerance for potentially slower response times, especially during peak-load hours, against the cost of adding bandwidth and/or redesigning your network segmentation.
To reduce the network bandwidth used by updates, OfficeScan supports incremental updates for virus pattern files, virus cleanup templates, and spyware/grayware scan and cleanup patterns. This means that OfficeScan downloads only those parts of the updated files that are new or that have changed, instead of downloading the full file every time. For clients that are not updated regularly, downloading the full file may still be required. Trend Micro releases new pattern files regularly. When an especially threatening new virus or other security risk is actively circulating, Trend Micro will release a new pattern file as soon as a detection routine for the threat is available.
| File Type | Approximate File Size | Compressed |
|---|---|---|
| Antivirus/malware pattern file | 36 MB | 24 MB |
| Anti-virus/malware scan engine | 1 MB | 760 KB |
| Anti-spyware/grayware scan pattern file | 7 MB | 6.9 MB |
| Anti-spyware/grayware active-monitoring pattern file | 15 MB | 8 MB |
| Anti-spyware/grayware scan engine | 1.3 MB | 600 KB |
| Anti-spyware/grayware scan engine, 64-bit | 2.1 MB | 800 KB |
| Anti-root-kit driver | 60 KB | 120 KB |
| Virus cleanup pattern | 2.3 MB | 2 MB |
| Virus cleanup engine | 300 KB | 290 KB |
| Virus cleanup engine, 64-bit | 600 KB | 1.8 MB |
| Network virus pattern file | 140 KB | 90 KB |
| Network virus scan engine (common firewall driver) | 2 MB | 150 KB |
| IntelliTrap pattern files | 1 MB | 400 KB |

Table 4.1: Typical Sizes for Update Files
The OfficeScan installation program includes an integrated Smart Scan server that installs on the same computer where the OfficeScan server is installed. You can manage the integrated Smart Scan server with the OfficeScan management console. Relying on an integrated deployment of the Smart Scan server is currently recommended for networks with 1,000 OfficeScan clients or fewer. A standalone Smart Scan server installs on a VMware server. Unlike the integrated server, settings for the standalone server cannot be managed from the OfficeScan management console. The standalone server has its own console where you can manage settings and configurations. Trend Micro recommends using standalone Smart Scan servers for maximizing performance, incorporating redundancy, and for use in all networks with more than 1,000 OfficeScan clients.
For information on installing and configuring standalone Smart Scan servers, see Appendix G:
Smart Scan clients managed by one OfficeScan server can connect to the integrated Smart Scan Server service on another OfficeScan server without having to migrate those clients to the new OfficeScan server, and without any changes to the management of the clients' configuration. Only Smart Scan queries are directed to the new server; all other OfficeScan client functions remain directed to the original OfficeScan server. You should consider the following issues in preparing to deploy local Smart Scan servers:
Smart Scan Server is a CPU-bound application. Increasing CPU resources increases the number of client connections that can be handled. For standalone servers, the number of processors allocated to the virtual machine will affect the performance of the server.
You may require additional memory if you have a large number of concurrent Smart
computer, the computer's performance may degrade significantly during peak traffic for the two servers. Consider using standalone Smart Scan servers as the primary Smart Scan server for clients and the integrated server as a backup server to reduce the traffic directed to the OfficeScan server computer.
The OfficeScan firewall is intended for client computer use and may affect performance when enabled on server computers. If you install the integrated Smart Scan server, consider disabling the OfficeScan firewall, but also ensure that the server is otherwise protected according to your organization's security requirements.
Clients running Windows XP, Vista, 7, or Server 2003/2008 may be designated as update agents. Each update agent is configured to support a maximum of 250 connections by default. The minimum recommended available disk space is 1 GB. By using multiple update agents, an adequately configured OfficeScan server can support approximately 6000 clients or more.
Tip You can modify the Update Agent connection limit by editing the ofcscan.ini file or using the Server Tuner tool that is described later in Chapter 10: OfficeScan Tools on page 307.
Tip The most common reason that an Update Agent may fail to obtain and deploy updates is insufficient disk space.
You will likely want at least one Update Agent for all the clients at any remote site. You may also want at least one Update Agent per network segment or VLAN.
For information on configuring Update Agents, see Section 7.6 > Deploying Updates to Clients on page 256.
Hardware

Processor
- Windows Server 2008: 1 GHz Intel Pentium or equivalent for x86 processors; 1.4 GHz for AMD x64 processors; 2 GHz recommended, AMD x64 and Intel 64 architectures supported
- Windows Server 2003: 800 MHz Intel Pentium or equivalent for x86 processors
- If also installing the Integrated Smart Scan Server: 1.86 GHz Intel Core Duo processor or equivalent

NOTE: OfficeScan cannot be installed on Windows 2008 running in the Server Core environment.

Memory
- Without Integrated Smart Scan Server: 512 MB of RAM (1 GB recommended, 2 GB for Windows Server 2008)
- With Integrated Smart Scan Server: 1 GB of RAM

Disk space
- 3.1 GB for local installation of the OfficeScan server, OfficeScan client, Policy Server for Cisco NAC, and integrated Smart Scan server
- 3.5 GB for remote installation of the OfficeScan server, OfficeScan client, and integrated Smart Scan server

Network
- Gigabit network adapter

Software

Operating system
- Windows Server 2003: Windows Server 2003 & 2003 R2 Standard, Enterprise, and Datacenter Editions with Service Pack 2 or later, 32-bit and 64-bit versions; Windows Storage Server 2003 & 2003 R2, 32-bit and 64-bit versions
- Windows Server 2008: Windows Server 2008 Standard, Enterprise, Datacenter and Web Editions with Service Pack 1 or later, 32-bit and 64-bit versions; Windows Server 2008 R2 Standard, Enterprise, Datacenter and Web Editions, 64-bit versions

NOTE: OfficeScan will not install on Windows 2008 if it is running in the Server Core environment.

Virtualization platforms
OfficeScan supports server installation on guest Windows 2003/2008 operating systems hosted on these virtualization platforms:
- VMware ESX/ESXi Server 3.5 and 4 (Server Edition)
- VMware Server 1.0.3 or later (Server Edition)
- VMware Workstation and Workstation ACE Edition 6.0
- Microsoft Virtual Server 2005 R2 with Service Pack 1
- Microsoft Windows Server 2008/2008 R2 64-bit Hyper-V
- Microsoft Hyper-V Server 2008 R2 64-bit

Web server
- Microsoft Internet Information Server (IIS): Windows Server 2003, version 6.0; Windows Server 2008, version 7.0
- Apache Web server 2.0.x (for Windows Server 2003/2008). If Apache Web server exists on the computer but the version is not 2.x, OfficeScan will install and use version 2.2.5. The existing Apache Web server is not removed.

Other
- Administrator or Domain Administrator access on the server computer
- File and printer sharing for Microsoft Networks installed on the server computer
- If you plan to install the Cisco Trust Agent (CTA) on the same computer as the OfficeScan server, do not install OfficeScan server on Windows Server 2003 x64 Edition. See the Administrator's Guide for more information on CTA requirements.

Web Console

Browser
The number of clients that a single OfficeScan server can manage depends on several factors, including available system resources and the network topology. On average:
A single OfficeScan server equipped with 2 GHz dual processors and 2 GB of RAM can
If a firewall is located between the server and its clients, you must configure the firewall to allow traffic between the client listening port and the server listening port. If a router or firewall in between the server and its clients performs network address translation (NAT), there are several issues to consider:
- Clients behind a NAT boundary will appear offline in the management console.
- The OfficeScan server will not be able to initiate connections to clients. This means that instant notifications for available updates and configuration changes are not possible. Updates and configuration changes can, however, be regularly scheduled in the client software before the client software is deployed.
For more information on managing clients across NAT boundaries, see Section 7.5 > Configuring Server Updates on page 253.
- If you are using Trend Micro Control Manager (TMCM), up-to-date communication will be limited to the polling interval of the Control Manager agent on the OfficeScan server. This is referred to in TMCM and Trend Micro Management Control Protocol (MCP) documentation as the one-way communication for managing TMCM clients.
Verify that each device meets the minimum system requirements as described in Section 6.1 > Minimum Requirements for Client Software on page 220.
server. You can access the Move Clients page by clicking Clients > Move. If you have already upgraded OfficeScan but have not moved unsupported clients to an unupgraded server:
After the upgrade, the clients will be removed from the list of clients managed by the
in the OfficeScan installation folder after server upgrade. The location is: {Installation Path}\PCCSRV\Private\unsupCln.txt
Ensure you have an earlier version of OfficeScan server that will manage clients on these unsupported platforms.
Use a tool to move clients to the earlier version of the OfficeScan server. This tool notifies clients that an earlier version of OfficeScan server will manage them. When clients receive the notification, they will register to that server. The tool can also verify if the clients were moved successfully. See Using Client Mover for Legacy Platforms in the OfficeScan Installation and Upgrade Guide for more information.
Each deployment method is explained in Chapter 6: Client Software Deployment on page 219.
You need to determine which methods are most suitable for your environment. For example, for single-site deployment, IT administrators often use the login script method. Using this method, a call to an executable called autopcc.exe is added to the Windows login script so that when a client without OfficeScan client software logs on to the network, the server automatically launches the client setup wizard. You can also choose a combination of client-deployment methods.
Ensure that the server and clients can ping and telnet each other using their IP addresses or domain names.
Instruct users to restart the OfficeScan tmlisten service after establishing the VPN connection with the main office. Restarting tmlisten causes the OfficeScan client to attempt to connect to the OfficeScan server to register itself and check for updates.
You cannot use login scripts to install OfficeScan on VPN clients. You can use Client Packager to install OfficeScan on your VPN clients, or you can notify clients to install OfficeScan from an internal web page (browser-based installation).
server. If you use Apache Web Server, the setup program will automatically install it if it is not already installed on your target(s).
OfficeScan will preserve existing configuration settings such as server name, proxy server configuration, and port numbers. You will not be able to modify these settings during upgrade. After the upgrade is complete, you may then use the OfficeScan web console to modify these settings if you wish to do so.
you will need to re-enter these settings when the setup configuration processes prompts you to do so.
After the installation program is unpacked and started, the Welcome screen appears (shown above on the right). Click Next on this screen to continue.
NOTE: To cancel the installation and exit the setup wizard at any time, press Cancel.
2. Review and Accept the Software License Agreement
To install OfficeScan, you are required to accept the Software License Agreement. To do so, select I accept the terms of the license agreement and click Next.
The Client Deployment page lists the installation package sizes for installing OfficeScan client software. Package sizes vary according to both the scan method that clients will use (conventional or Smart Scan) and the distribution method to be used for delivering the actual software. Listed distribution methods include web installation, remote installation, and autopcc.exe (install-script) installation. Clicking the Help button on this page provides you with an overview of the bandwidth-consumption issues related to client deployment.
You can find this information and additional client-installation information in this textbook in Section 6.2 > Deployment Options for OfficeScan Client Software, on page 222.
After reviewing the information on each of these pages, click Next to proceed to the next step in the installation process.
If you select to install to one or more remote computers, the setup program prompts you to provide host names for your target computers. The program also provides a browse option to make selecting computers easier. The prompt for specifying remote/multiple targets will appear after you have specified an installation path, proxy server options, web server options, and the computer identification method to be used (domain name or IP address) and have entered your activation key(s). These main steps are described below. Guidelines for specifying multiple/remote target computers are also provided below, in the order in which these options appear during the installation process.
Figure 4.5: Pre-scan Options (left) and Scanning and Data Collection Progress (right)
If you select Do not scan the target computer, the installation program gathers resource information only and displays a progress indicator. If you are installing to the local computer, scanning will begin immediately upon clicking Next. If you are installing to remote/multiple computers, scanning does not occur until the actual installation, after the installation configuration is complete.
AVAILABLE ACTIONS FOR PRE-SCAN DETECTIONS
If the pre-scanning process detects a virus, Trojan or similar type of malware, you can choose among these actions:

- Delete
- Clean: Cleans a cleanable file before allowing full access to the file; and for uncleanable files, takes a specified subsequent action (the default is rename).
- Rename: Changes the filename extension of the infected file to .vir to break application association by extension. If opened, however, any virus/malware it contains may be executed.
- Pass: Allows full access to the file without taking any action. Users will be able to copy/delete/open the file as if no detection had occurred.
You can take these actions against spyware/grayware:

- Clean: Terminates associated processes and deletes registries, files, cookies and shortcuts where applicable.
- Pass: Logs the incident for later assessment.
- Deny Access: Denies access (copy, open) to the detected spyware/grayware components.
NOTE: The specified installation path will be used for new server installations only. For upgrades, the existing path will be used.
If your network does not require a proxy server configuration, leave the option box unchecked and click Next.
Figure 4.8: Specifying the Web Server Type and Listening Ports
If the setup program detects an existing IIS on the target computer, you may choose either option. You may also choose either option if IIS and Apache 2.0.x installations are detected. If, however, neither web server is currently installed, OfficeScan will install Apache 2.0.63 automatically, and the IIS option will be grayed out (the setup program does not support an automated installation of IIS). Take note of the HTTP and SSL port numbers. These will be the ports that you must use to access the OfficeScan management console when the installation is complete. If you enable SSL, the SSL port will be used for OfficeScan management console access, and the HTTP port will not be used.
USING APACHE WEB SERVER
Apache Web server 2.0.63 or later is required and can be used only with Windows XP, Server 2003, and Server 2008.
To use SSL, you must let the OfficeScan setup program install version 2.0.63, if Apache Web server is not already installed. To use SSL on an existing Apache 2.0.x installation, you must pre-configure it to use SSL before installing OfficeScan. If you want the setup program to upgrade an existing Apache installation to version 2.0.63, uninstall the Apache server before performing the OfficeScan installation; otherwise, OfficeScan will use the currently installed version.
By default, the administrator account is the only account created on the Apache Web server. Trend Micro recommends creating another account from which to run the web server; otherwise the OfficeScan server is vulnerable to being compromised if a malicious hacker takes control of the Apache server.
Before installing the Apache Web server, refer to the Apache website for the latest
If you select IIS, you can choose to run OfficeScan web-based components as:

- An IIS virtual website (default): This option creates a new IIS website object, and allows you to specify the HTTP listening-port number (the default is port 8080).
- Under the IIS default website: This option installs OfficeScan components under the IIS default website object. The listening-port number (default port 80) is not configurable from the OfficeScan installation program.
SPECIFYING THE HTTP PORT NUMBER If you select to install OfficeScan using either the Apache Web Server or as an IIS virtual website, you can specify the listening port to be used for HTTP traffic. The installation program populates this field with 8080 by default. You may use any available port number.
NOTE Though TCP port numbers range from 1 to 65535, you should choose a port number higher than 1024. Ports 1 to 1023 are well-known or common ports regulated by the Internet Corporation for Assigned Names and Numbers (ICANN). Note also that there are now over 300 registered port numbers between 1024 and 49151, most of which are below 4096.
Though ports 49152 to 65535 are the ports reserved explicitly for private use, and thus guaranteed to be unassigned to common applications, port numbers like 8080, 8081, 8088, 8089, 8888, etc. are popular choices among administrators for alternate web-service ports. In fact, Port 8080 is now the ICANN official alternate port number for web service.
ENABLING SSL If you want to use SSL to protect web-based management console sessions, you must enable it on this screen during installation.
Control Manager will generate a self-signed server certificate upon installation. You can also specify the length of time for which the server certificate will be valid. As with HTTP communication, you may configure the port number that the client and server will use for secure communications. Note that the default port number when selecting to use Apache Web Server or an IIS virtual website is not the well-known port number 443, but is 4343 instead.
NOTE: To later access the web-based management console you must use the HTTPS designation for SSL and, if you are not using the well-known port number 443, you must specify the port number after the server name or IP address. For example: https://server.company.com:4343/officescan.
Figure 4.9: Specifying How OfficeScan Clients Will Attempt to Contact the Server
NOTE: The Name and IP address detail above is not shown if you have selected to install to remote/multiple destinations.
There are several factors that you should take into account when making this decision. If, for example, you select IP address and later change the server's IP address, the server will lose communication with its clients. The only way to restore communication is to redeploy all the clients. The same situation applies if the server is identified by domain name and you change the server's domain name.
WARNING! If the server obtains an address from a DHCP server, choose domain name, or make the IP address static, or ensure that the DHCP lease is configured to be a permanent lease. Also, consider using a static or permanent assignment even if you do choose domain name.
In most networks, the server's IP address is more likely to change than its domain name, thus it is usually preferable to identify the server by domain name. However, you must also consider the reliability and scope of your DNS implementation. If you choose domain name, all clients must be able to resolve the name to contact the server. If your DNS system is unreliable or is not implemented for proper resolution throughout your network, consider whether identifying the server by IP address would be more reliable. Additionally, if the server computer has multiple network interface cards (NICs), Trend Micro recommends using one of the IP addresses instead of the domain name to ensure successful client-server communication, although you must also ensure that this IP address will be static, as explained above.
services.
NOTE: You may install a full version of OfficeScan or a free evaluation (trial) version. Both require activation codes. The codes you enter determine the features and functions that are enabled in the software. You can upgrade a trial version to a full version at any time.
To register your product and receive an activation code online for either full- or trial-version installation, click Register Online. If you already have your activation code(s), click Next.
11. Choose to Install the Integrated Smart Scan Server
The integrated Smart Scan Server is installed with the OfficeScan server. The integrated server supports HTTP and HTTPS protocols. HTTPS is more secure but is also more compute intensive.
Figure 4.12: Selecting Whether to Install the Integrated Smart Scan Server
The HTTPS port number used for SSL connections depends on the web server (Apache or IIS) that you have selected for the OfficeScan server.
| OfficeScan Web Server Settings | Smart Scan Server SSL Port |
|---|---|
| Apache web server, SSL enabled | 4343 |
| Apache web server, SSL disabled | 4345 |
| IIS default web site, SSL enabled | 443 |
| IIS default web site, SSL disabled | 443 |
| IIS virtual web site, SSL enabled | 4345 |
| IIS virtual web site, SSL disabled | 4345 |

Table 4.3: HTTP/SSL Port Numbers for OfficeScan and Integrated Smart Scan Servers
Figure 4.13: Selecting to Install the Integrated Web Reputation Service
13. Identify and Validate Remote/Multiple Installation Destinations
NOTE: This step applies only if you selected to install to a remote computer or to multiple computers in Step 3. Select an Installation Destination.
To specify the target computer(s), you can manually type the computer's fully qualified domain name (FQDN), UNC-type host name or IP address. You may also click Browse to use Microsoft networking to search for and select computer(s).
Figure 4.14: Specifying Remote/Multiple Installation Destinations (Displayed only when selecting remote/multiple destinations in step 3.)
In situations where you have a large list of targets, you can also import computer names from a text file by clicking Import List. After all computers pass the required analysis (for which you will be prompted on the next screen), the setup program will install to machines in the order in which they are listed in the text file. In the text file:
- Specify one computer name per line
- Use UNC format (for example, \\msservername or \\fqdn.company.com or \\192.168.0.12)
- Only these characters are allowed: a-z, A-Z, 0-9, period (.), and hyphen (-)
When you finish adding target computers to the installation destination list, click Next.
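A validator for an import list in the format just described, as an added Python example that is not part of the installer: it accepts one UNC-style name per line, rejects anything outside a-z, A-Z, 0-9, period and hyphen, and reports the line number so an entry can be corrected before Import List is used. The sample list is constructed around the guide's own example names.

```python
"""Validate a remote-installation target list in the format described above.
Added example, not Trend Micro code; the sample list at the bottom is constructed."""
import re

# Characters the guide allows in a computer name: a-z, A-Z, 0-9, period and hyphen.
_NAME_RE = re.compile(r"[A-Za-z0-9.-]+")


def parse_target_list(text):
    """Parse the text of an import list.

    Returns (targets, errors): `targets` holds the accepted names without the
    leading \\\\, in file order (the installer installs in that order); `errors`
    holds (line_number, reason) pairs for lines that would not be accepted."""
    targets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no target
        if not line.startswith("\\\\"):
            errors.append((lineno, "not in UNC format (must start with \\\\)"))
            continue
        name = line[2:]
        if not name:
            errors.append((lineno, "empty computer name"))
            continue
        if "\\" in name or " " in name:
            errors.append((lineno, "one computer name per line, with no path or spaces"))
            continue
        if not _NAME_RE.fullmatch(name):
            errors.append((lineno, "only a-z, A-Z, 0-9, period (.) and hyphen (-) are allowed"))
            continue
        targets.append(name)
    return targets, errors


# Constructed sample list: three valid lines (the guide's own examples) and
# three lines the rules above reject (no UNC prefix, underscore, share path).
SAMPLE_LIST = r"""\\msservername
\\fqdn.company.com
\\192.168.0.12
msserver2
\\file_server
\\msservername\c$
"""

if __name__ == "__main__":
    ok, bad = parse_target_list(SAMPLE_LIST)
    print("targets:", ok)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```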
Figure 4.15: Validating the Specified Targets for Remote/Multiple Installation Destinations (Displayed only when selecting remote/multiple destinations in step 3.)
The setup program will then require you to validate the list of targets by clicking the Analyze button (shown in the figure above). The analysis attempts to validate hardware and software requirements and assess the installation status for any prior versions of the software to be installed.
NOTE: At least one computer must pass to continue with the installation.
During the analysis process, you will be prompted for the administrator username(s) and password(s) of your targets. After the analysis, the setup program displays the results.
Figure 4.16: Results of the Target Analysis for Remote/Multiple Installation Destinations (Displayed only when selecting remote/multiple destinations in step 3.)
If at least one computer passes the analysis (even though one or more targets may fail), the setup program will allow you to continue with the configuration of the installation. Subsequent installation tasks will not, however, be applied to targets that fail.
NOTE: For future upgrades or reinstallations, you can export the list of target computers to a text file by clicking Export in the screen above.
When the setup program completes its analysis of all targets, click Next.
NOTE: If you are upgrading the OfficeScan server locally, the setup program does not display the Install Other OfficeScan Programs screen. Clients will be upgraded automatically after the server installation is complete and the system returns to normal operation.
Select whether also to install the OfficeScan client, policy server for Cisco NAC, and Cisco Trust Agent for Cisco NAC. Click Next.
SELECTING WHETHER TO INSTALL THE OFFICESCAN CLIENT ON THE SERVER
The OfficeScan server software is dedicated to managing OfficeScan clients. It is the OfficeScan client software that provides the actual protection against security risks.
Therefore, to protect your OfficeScan server against security risks, you need to install the client software on the server as well as the OfficeScan server software. Choosing to install the client program during server installation is a convenient way to ensure that your server is automatically protected. However, you can also install the client software separately afterwards.
UNDERSTANDING THE CISCO NAC OPTIONS
Like OfficeScan, the Cisco NAC architecture includes a server component (Policy Server for Cisco NAC) and a client component (Cisco Trust Agent or CTA).
To use Cisco NAC, you must have Cisco routers that support it and you must connect to a Cisco Secure Admission Control Server (ACS). If you are not currently using NAC, you should not install the NAC components. If you are using NAC, please see Appendix D: Cisco Network Admission Control (NAC) on page 407 for more information.
Figure 4.18: Option to Share Information with the Trend Micro Smart Protection Network
To choose to participate in the Trend Micro Smart Feedback Program, you simply select yes or no, and optionally select the industry type to help Trend Micro understand your organization; then click Next.
Figure 4.19: Setting Passwords for Management Console Access and Client Control
NOTE: If you enter the same password for both functions, you will be prompted to confirm your decision. Trend Micro recommends using different passwords to better protect access to the management console.
17. Specifying Client Install Path, Listening Port and Security Level
The OfficeScan Client Installation screen allows you to specify the installation path for OfficeScan clients. You can also specify the client listening port for connections from the server. (Note: These options are not available when upgrading an existing installation.)
CLIENT INSTALLATION PATH
Client software must be installed in the same directory on each client. The default path is Program Files\Trend Micro\OfficeScan Client. You may change the path after completing the server installation by editing the ofcscan.ini file in the OfficeScan PCCSRV directory. But, if you change the path after deploying clients, you must then redeploy them.
Figure 4.20: Specifying the Client Listening Port and Security Level
The variables for you to use in specifying the client installation path include:
$BOOTDISK - The drive letter of the disk from which the computer boots (default C:\)
$WINDIR - The directory where Windows is installed (default C:\Windows)
$ProgramFiles - The Program Files directory that is automatically set up in Windows and is usually used for installing software (default C:\Program Files)
CLIENT LISTENING PORT The setup program randomly generates a high port number and enters it in the Port number: field. This port is used for OfficeScan client-server communications and must be the same for all clients that are managed by the OfficeScan server. If the randomly generated port does not conflict with network settings, you may use it if you choose. Otherwise, enter a port number that is available for use across your entire network.
CLIENT SECURITY LEVEL The security level option allows you to restrict non-administrative-level user accounts from accessing the OfficeScan program file directory and registry entries.
Normal gives all users (everyone) full rights to the files in the OfficeScan client program directory and to the OfficeScan client registry entries.
High causes the OfficeScan client program directory to inherit the existing rights of the target computer's Program Files directory and causes registry entries to inherit permissions from the HKLM\Software key. With this setting, by default, normal users (that is, those without Active Directory administrator privileges) are limited to read-only permissions.
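The two levels differ only in the ACLs they leave behind on the client, so the quickest way to confirm which level a deployed client actually received is to read those ACLs. The following is an added example (not from the textbook or from Trend Micro) that audits them on a client; it assumes the default client path under Program Files and HKLM\Software\TrendMicro as the client registry location.

```powershell
# Added example, not Trend Micro code: report whether non-administrative
# identities hold write access on the OfficeScan client directory and registry
# key. Run as an administrator on an OfficeScan client.
# Assumptions: default client path; HKLM\Software\TrendMicro as the client key.
$clientDir = Join-Path ${env:ProgramFiles} 'Trend Micro\OfficeScan Client'
$regKey    = 'HKLM:\Software\TrendMicro'

# Identities that any ordinary (non-admin) logon falls under.
$broad = @('Everyone', 'BUILTIN\Users',
           'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Any of these rights lets a user alter the client's files or settings.
    $writeRights = 'FullControl|Modify|Write|SetValue|CreateSubKey|Delete|ChangePermissions|TakeOwnership'
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        # File-system ACEs carry FileSystemRights, registry ACEs RegistryRights.
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights }
                  else { $ace.RegistryRights }
        $text = $rights.ToString()
        if ($text -match '^-?\d+$') {
            # Generic access mask that .NET cannot name; flag it for manual review.
            $findings += "$($ace.IdentityReference): generic rights mask $text (inspect manually)"
        } elseif ($text -match $writeRights) {
            $findings += "$($ace.IdentityReference): $text"
        }
    }
    return $findings
}

foreach ($target in $clientDir, $regKey) {
    if (-not (Test-Path $target)) { Write-Warning "not found: $target"; continue }
    $f = Test-BroadWriteAccess -Path $target
    if ($f) {
        "$target -> write access for non-administrative identities (consistent with security level Normal):"
        $f | ForEach-Object { "    $_" }
    } else {
        "$target -> non-administrative identities limited to read (consistent with security level High)"
    }
}
```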
Figure 4.21: Enabling/Disabling the Firewall for Subsequent Client Deployments
You can change this setting later using the management console.
Figure 4.22: Enabling Assessment Mode and Selecting the Length of the Assessment Period
Depending on the type of software you use in your organization and the role of your user groups, it is possible that you will want to make exclusions for certain software products that OfficeScan would otherwise flag as a threat and attempt to remove. When the assessment period expires, OfficeScan can then take automated actions based on the choices you made during the assessment period.
You can also enable assessment mode at any point after the OfficeScan server installation. For more information and further discussion, see Global Spyware/Grayware Settings on page 174.
You can enable assessment mode to be active for one to four weeks. After you have made your selections, click Next.
Figure 4.21: Enabling/Disabling the Web Reputation for Subsequent Client Deployments
You can change this setting later using the management console.
Specify the folder to be used for adding OfficeScan program shortcuts to the Start button menu.
Figure 4.23: Specifying a Start Menu Folder for OfficeScan Shortcuts
NOTE For remote installations, the installation program will copy the remote installation log, named ofcmasr.log, to the Windows directory of the local machine. On the remote machine (and also in the Windows directory), this log is called ofcmas.log. For more information, see Chapter 12: Troubleshooting on page 341.
For remote installations, these options are not available; in which case, when the installation is complete (shown on the left below), click OK. For local installations, select the action(s) you wish to take and click Finish.
Switch              Definition
-s                  Commands the setup program to perform silent installation.
-f1{path}setup.iss  Tells the setup program where the response file is located. If the path contains spaces, enclose the path with quotation marks ("); for example, -f1"C:\osce script\setup.iss".
-f2{path}setup.log  Tells the setup program where to create the log file. If the path contains spaces, enclose the path with quotation marks ("); for example, -f2"C:\osce log\setup.log".
4. Press [Enter]. The setup program then silently installs the server software on the computer.
NOTE You can use the same silent installation process to upgrade an OfficeScan server from an earlier version.
CHECK OFFICESCAN SERVICES AND PROCESSES Verify using the Windows Management Console that the OfficeScan service is running:
OfficeScan Master Service (OfcService.exe)
OfficeScan Active Directory Integration Service (OSCEIntegrationService.exe), if role-
Next, verify using the Windows Task Manager that these processes are running:
DbServer.exe
iCRCService.exe (if Smart Scan Server is installed)
LWCSService.exe (if the Local Web Classification Server is installed)
OfcService.exe
OfcCMAgent.exe (only if registered to a Control Manager server)
CHECK REGISTRY KEYS Verify that the proper registry keys are on the server. Open a command prompt and enter regedit. Look for the registry keys located in the following registry paths:
HKEY_LOCAL_MACHINE\Software\TrendMicroInc.
HKEY_LOCAL_MACHINE\Software\TrendMicro
CHECK INSTALLATION LOGS You may also view the logs that the setup wizard created during installation. Errors and successful actions performed by the setup wizard will be recorded in ofcmas.log in the Windows directory. If you performed a silent installation, you may also view the setup.log that was created in the path you specified. In the setup.log, check the value for ResultCode: Zero (0) indicates that silent server installation was successfully completed.
For more information about what is contained in ofcmas.log, see Chapter 12: Troubleshooting on page 341.
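The three post-installation checks above (services and processes, registry keys, installation logs) can be run in one pass. The following is an added example (not from the textbook or from Trend Micro) that does so on the server; it assumes the default log locations and the example -f2 path from the switch table, and treats ResultCode values other than 0 as a failed silent install.

```powershell
# Added example, not Trend Micro code: verify an OfficeScan 10.5 server after
# installation. Run in an elevated PowerShell prompt on the server.
# Assumption: the setup.log path is the -f2 example path from the switch table.
param(
    [string]$SetupLog = 'C:\osce log\setup.log',
    [switch]$SmartScanServerInstalled,        # iCRCService.exe expected only then
    [switch]$LocalWebClassificationInstalled, # LWCSService.exe expected only then
    [switch]$ControlManagerRegistered         # OfcCMAgent.exe expected only then
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. The master service must be installed and running.
$svc = Get-Service -DisplayName 'OfficeScan Master Service' -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems.Add('service missing: OfficeScan Master Service')
} elseif ($svc.Status -ne 'Running') {
    $problems.Add("service not running: OfficeScan Master Service ($($svc.Status))")
}

# 2. Processes from the textbook list; optional ones only when that component exists.
$expected = @('DbServer.exe', 'OfcService.exe')
if ($SmartScanServerInstalled)        { $expected += 'iCRCService.exe' }
if ($LocalWebClassificationInstalled) { $expected += 'LWCSService.exe' }
if ($ControlManagerRegistered)        { $expected += 'OfcCMAgent.exe' }
$running = Get-Process | ForEach-Object { $_.ProcessName + '.exe' }
foreach ($p in $expected) {
    if ($running -notcontains $p) { $problems.Add("process not running: $p") }
}

# 3. Registry keys the installer is expected to create.
foreach ($key in 'HKLM:\Software\TrendMicro', 'HKLM:\Software\TrendMicroInc.') {
    if (-not (Test-Path $key)) { $problems.Add("registry key missing: $key") }
}

# 4. Installation logs: ofcmas.log in the Windows directory, and for a silent
#    install the setup.log whose ResultCode must be 0.
$ofcmas = Join-Path $env:windir 'ofcmas.log'
if (-not (Test-Path $ofcmas)) { $problems.Add("log missing: $ofcmas") }

if (Test-Path $SetupLog) {
    $hit = Select-String -Path $SetupLog -Pattern '^\s*ResultCode\s*=\s*(-?\d+)' |
           Select-Object -First 1
    if (-not $hit) {
        $problems.Add("no ResultCode line in $SetupLog")
    } elseif ($hit.Matches[0].Groups[1].Value -ne '0') {
        $problems.Add("ResultCode=$($hit.Matches[0].Groups[1].Value) in $SetupLog (non-zero = failure)")
    }
} else {
    Write-Warning "setup log not found: $SetupLog (only present after a silent install)"
}

if ($problems.Count -eq 0) {
    'OfficeScan server post-installation checks passed.'
} else {
    $problems | ForEach-Object { "FAIL: $_" }
    exit 1
}
```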
Review Questions
1. Which of the following areas is not scanned during the pre-scan?
a) The boot area and boot directory
b) The Windows folder
c) The program files folder
d) Memory
2. Which of the following does the server pre-scan NOT scan for?
a) Boot viruses
b) Adware
c) Worms
d) Trojan horses
3. Which of the following components CANNOT be installed using the setup wizard?
a) Trend Micro Policy Server for Cisco NAC
b) Outlook mail scanning
c) OfficeScan client software
d) The CTA
4. How does the setup wizard assign the port that will be used for OfficeScan client-server communication?
a) It scans ports and selects one that is not being used.
b) It does not assign one; you must input one manually.
c) It reads the port assignment from Control Manager configurations.
d) It randomly assigns a high-numbered port.
Some of the details for the URL are configurable during the server installation, including the port number, whether SSL must be used, and whether the self-signed public-key certificate (for SSL only) uses the DNS name or the IP address of the server.
If you are not using SSL and are using the default HTTP port 8080, the URL is:
If you are using SSL and are using the default HTTPS port 4343, the URL is:
https://<OfficeScan_server_name_or_IP_address>:4343/officescan
Launch one of the Start Menu shortcuts on the OfficeScan server
By default, the server installation program places a shortcut to the OfficeScan management console on the desktop of the server and another one in the Start menu: Start > Programs > Trend Micro OfficeScan Server-[name] > OfficeScan Web Console (HTML). To access the management console for the first time, you must log on using the root account and the password that was configured for the root account during the OfficeScan server installation. Enter root for the user name and the password that was specified during installation of the server. Click Log On.
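Because the installer generates the self-signed certificate for either the DNS name or the IP address, the name you later type into the URL must be the one the certificate carries, or every browser session starts with a certificate warning. The following is an added example (not from the textbook or from Trend Micro) that fetches the certificate from the console port and compares its names with the host used in the URL; it assumes the default HTTPS port 4343.

```powershell
# Added example, not Trend Micro code: inspect the certificate presented on the
# management console's HTTPS port and check that it names the host you use in
# the URL. Assumption: default HTTPS port 4343.
function Test-ConsoleCertificateName {
    param(
        [Parameter(Mandatory)][string]$HostInUrl,  # DNS name or IP typed in the browser
        [int]$Port = 4343
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostInUrl, $Port)
    try {
        # Accept any certificate for this probe: we only inspect it, we do not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostInUrl)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Names the certificate is valid for: subject DNS name plus any SAN entries.
    $names = @()
    $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dns) { $names += $dns }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields e.g. "DNS Name=osce.example.local, IP Address=10.0.0.5"
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] }
    }
    $names = $names | Select-Object -Unique

    [pscustomobject]@{
        HostInUrl   = $HostInUrl
        CertNames   = $names
        NameMatches = ($names -contains $HostInUrl)   # false = browser warning every logon
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NotAfter    = $cert.NotAfter
    }
}

# Usage (hypothetical host name): Test-ConsoleCertificateName -HostInUrl 'osce-server.example.local'
```

If NameMatches is false, either use the name the certificate was issued for or replace the certificate, rather than letting administrators get used to clicking through the warning.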
NOTE You can configure user accounts and assign roles to users which define the privileges available to them. This chapter covers all of the features and functions of the management console, including how to create new users. For information on how to create new accounts, create new roles, and assign them, see 5.13.1 Creating Users and Assigning Roles on page 194.
Several OfficeScan features rely on the client tree as a client-selection and results-display tool. Consequently, the client tree appears in multiple contexts on a variety of pages within the management console. More specifically:
The client tree provides a framework for selecting, organizing, and performing a wide range of management functions on the Networked Computers > Client Management page. This is a frequently used page for OfficeScan management and control that enables you to create policies, assign client privileges, and analyze client status. The client tree also provides client-selection capability for these functions:
The Scan Now for All Domains function at the top of the main navigation column (this same function is also available directly within certain content pages as well)
Creating, applying, and otherwise managing outbreak prevention policies on the Networked Computers > Outbreak Prevention page
Manual (on-demand) updates using the manually select clients option on the Updates > Networked Computers > Manual Update page
Viewing security-risk logs using the Logs > Networked Computer Logs > Security Risks page
Deploying Cisco NAC agents using the Cisco NAC > Agent Deployment page
The client tree is also used by those functions of the Summary page that display summary details for clients when you click the total number of clients categorized by connection status, malware-detection status, components-update status, and so on.
In the OfficeScan client tree, the OfficeScan Server is the top-level container, below which you may add client groups. In the OfficeScan interface, these groups are called domains. The OfficeScan installation creates a Default domain automatically.
NOTE With OfficeScan 10.5, you can configure automated client grouping based on NetBIOS, Active Directory, or DNS domain by using the Networked Computers > Client Grouping page. You can also create custom rules based on IP address ranges and/or multiple Active Directory domains. When the custom client groups option is selected, an additional menu option named Custom Client Groups appears in the Networked Computers section of the navigation column of the management console.
When basic sorting options are enabled on the Networked Computers > Client Grouping page, the Manage Client Tree dropdown menu on the toolbar of the Client Management page allows you to add domains, move them, and delete them as needed, as well as move clients from one domain to another. When custom client-grouping is enabled, the configuration of the client tree is determined by the customizable rules that you create on the Networked Computers > Custom Client Groups > Manage Client Groups page.
For more information about how to configure the automated grouping of clients, see section 5.5.1 Client Grouping on page 124.
5.2.1 Product License Status (Activated Services Summary)
The top section of the Summary page lists the services you have purchased and have activated. Service expiration/renewal notices also display in this area, as depicted in the figure below. The management console displays reminders:
14 days before an evaluation/trial-version license expires
60 days before a full-version license expires
30 days before the grace period ends (applies only to full-version licenses)
If a license has expired and the grace period is over, component updates will be disabled. Scanning will continue to work for full-version licenses using out-of-date components.
NOTE There is no grace period for evaluation/trial-version licenses; updates and scanning are disabled along with all other client features upon expiration of the evaluation/trial period.
Clicking more info takes you to the Administration > Product License page where you can view additional details about the status of your licenses, view renewal instructions, and enter new activation codes.
The Smart Scan Server summary identifies the scan servers to which smart clients connect. Using the links provided, you can access the consoles of the Smart Scan servers listed.
Numerical data in the Networked Computers summary that is underlined provides hyperlinks that initiate client-tree-view searches based on the criteria indicated, such as online or infected. The results are displayed in the client-tree view on the Networked Computers > Client Management page.
Figure 5.7: Content Display after Clicking a Number in the Networked Computers Summary
Detection Status
The detection status section shows the total number of detections in two categories, virus/malware and spyware/grayware, along with the total number of infected computers. Clicking on a total number of infected computers shows search results in the same way as clicking a total in the Connection Status section, similar to the figure above.
Figure 5.8: Top 10 Security Risk Statistics for Networked Computers
As illustrated in the figure above, clicking the name of a threat opens a new browser window and displays the corresponding entry for the threat in the Trend Micro online Virus Encyclopedia. To return to the Summary page from the Top-10 statistics page, click the Back button. You can also reset the top-10 statistics in any category by clicking on the corresponding Reset Count button. Clicking on a numbered total displays the corresponding query results in the client tree on the Networked Computers > Client Management page, as described above. To return to the Summary page from the Client Management page, click Summary in the navigation column.
Are managed by the OfficeScan server and that are already part of the OfficeScan client tree, such that they comply with update, settings, services, and scan compliance policies.
Are computers within your Active Directory network domains but that are not managed by the OfficeScan server to comply with security policies.
Compliance reports are created and viewed using the Security Compliance > Compliance Assessment > Compliance Report page.
Services
Identifies whether computers in the network have the correct services and if these services have been disabled. This is because specific users might have the ability to disable OfficeScan services or there might be some issues with these services.
NOTE The Services, Scan Compliance, and Settings tabs are limited to the display of information about clients running OfficeScan 10.5 or later. Only the Components tab provides information about clients running earlier versions of the client software.
Components
Identifies component inconsistencies with computers in the network. This report determines whether the computers have the latest components or if components installed in the clients are newer than those the server has. Scheduled updates ensure that computers have the same components as the OfficeScan server. However, there are instances when clients are disconnected, have not gotten the latest updates, or downloaded updates before the server.
Scan Compliance
Identifies whether computers in the network have successfully performed scan tasks. Scheduled or Remote scans ensure that computers do not have security threats, but there are instances when clients have not performed scan tasks or were unable to complete scanning.
Settings
Identifies whether computers in specific domains have the same configuration settings as those designated by the administrator. These configuration settings have to be consistent, depending on those set by the administrator for every domain, to ensure less confusion. This is particularly helpful after moving clients from one domain to another or when the network added a new client to the domain.
The content-display area of the Compliance Report changes dynamically based on the tab that you select at the top of the page. If no computers are discovered to be in non-compliance, then the content-display area in the lower half of the page will be blank. When one or more non-compliant computers are listed, you can select computers as a group or individually and then click the action button at the top of the list to attempt to remedy the non-compliance.
Figure 5.10: Taking Action to Bring Non-compliant Computers into Compliance
The table below identifies the individual components associated with each tabbed section of the compliance report along with relevant notes about the creation and/or use of this information.
Tabbed Section: Services
Components Listed: Antivirus; Anti-spyware; Firewall; Web Reputation; Behavior Monitoring/Device Control; Computers with Noncompliant Services
Note: If one or more computers have two or more non-compliant services, the number of Computers with Noncompliant Services will be less than the sum of all categories.

Tabbed Section: Components
Action button: Update Now
Components Listed: Smart Scan Agent Pattern; Virus Pattern; IntelliTrap Pattern; IntelliTrap Exception Pattern; Virus Scan Engine; Spyware Pattern; Spyware Active-monitoring Pattern; Spyware Scan Engine; Virus Cleanup Template; Virus Cleanup Engine; Common Firewall Pattern; Common Firewall Driver; Behavior Monitoring Driver; Behavior Monitoring Core Service; Behavior Monitoring Configuration Pattern; Digital Signature Pattern; Policy Enforcement Pattern; Behavior Monitoring Detection Pattern; Program Version; Computers with Outdated Components
Note: If one or more computers have two or more outdated components, the number of Computers with Outdated Components will be less than the sum of all categories.

Tabbed Section: Scan Compliance
Action button: Scan Now
Components Listed: No scheduled or remote scan performed for the last (x) days; Remote or Scheduled scan exceeded (x) hours; Computers That Need to be Scanned
Note: If one or more computers fall under both of the criteria, the number for Computers That Need to be Scanned will be less than the sum of the individual categories. Scan Compliance assesses clients only if Scheduled Scan is enabled.

Tabbed Section: Settings
Action button: Apply Domain Settings
Components Listed: Scan Method; Manual Scan Settings; Real-time Scan Settings; Scheduled Scan Settings; Scan Now Settings; Privileges and Other Settings; Additional Services; Web Reputation; Behavior Monitoring; Device Control; Spyware/Grayware Approved List; Computers with Inconsistent Configuration Settings
Note: If one or more computers have two or more inconsistent settings, the number of computers in Computers with Inconsistent Settings will be less than the sum of all categories.
2. From the Services tab:
2.1. View computers with non-compliant services.
2.2. Select computers from the query result.
2.3. Click Restart OfficeScan Client to force the clients to restart OfficeScan on their computers.
NOTE If the client still appears as non-compliant after you perform another assessment, manually verify the client service.
3. From the Components tab:
3.1. View computers with components inconsistent with the OfficeScan server.
3.2. Select computers from the query result.
3.3. Click Update Now to force clients to download components.
4. From the Scan Compliance tab: Scan Compliance only assesses clients if Scheduled Scan has been enabled.
4.1. View computers that have not successfully performed scans.
4.2. Leave the default time or specify one or both of the following:
Number of days the client had not performed a scheduled or remote scan
Number of hours the remote or scheduled scan task had exceeded
4.3. Select computers from the query result.
4.4. Click Scan Now to force clients to perform a manual scan.
NOTE OfficeScan disables the option to click Scan Now if the client exceeded the time specified for remote or scheduled scan. Manually verify the client computer.
5. From the Settings tab:
5.1. View computers with settings inconsistent with the domain.
5.2. Select computers from the query result.
5.3. Click Apply Domain Settings to ensure that client settings are consistent with the domain.
RECOMMENDED TASKS:
Within the Compliance Report tabs, click a number link to display all affected computers
Scheduled compliance reports include client details in CSV-file attachments. There is one attachment each for services, components, scan compliance, and settings details, as represented by the tabs of the same name on the Compliance Report page of the management console.
To configure scheduled assessments for compliance reports:
1. Click Security Compliance > Compliance Assessment > Scheduled Compliance Report.
2. Enable scheduled query.
3. Specify a title for the report to be used in the subject line of the email messages to be sent.
Figure 5.12: Scheduling Compliance Reports to be Run Daily at a Selected Time
5. Specify the email address(es) that will receive the report.
6. Specify the schedule.
7. Click Save.
Important: For email messages containing scheduled security-compliance report information to be sent properly, you must correctly configure the SMTP settings on the Notifications > Administrator Notifications > General Settings page.
To use Outside Server Management, ensure that the OfficeScan server computer is part of the network to query Active Directory domains and IP addresses. The list below provides an overview of the tasks required to enforce security compliance using the Outside Server Management tool.
1. Define Active Directory/IP Address Scope and Query.
2. Check unprotected computers from the Query Result.
3. Install the OfficeScan client. Refer to Installing with Security Compliance.
4. Configure Scheduled Query.
5. Install client with OfficeScan. Refer to Installing with Security Compliance.
appear indicating that "The current outside server management report is out-of-date. Please perform server management query to get the latest information." This notice may appear independently of the notice to define the scope of the outside-server-management query.
To configure the Active Directory scope and start the query process:
1. To define the Active Directory for the first time, verify that the OfficeScan server is configured as a member of an Active Directory domain. If you will be defining the scope based on IP addresses, then simply click Define Active Directory domains / IP address scope or click Define in the header of the Active Directory/IP address Scope section of the page (top right, below the Help icon).
Figure 5.14: Setting the Active Directory/IP Address Scope for Querying Unmanaged Nodes
2. In the page that opens, use Active Directory and/or IP address to query:
From Active Directory Scope, select the objects to query.
If you have not previously configured the Active Directory Integration parameters on the Administration > Active Directory > Active Directory Integration page, a link to the Active Directory Integration page will appear in the Active Directory scope selection box. You must configure your Active Directory domain identification and access credentials before being able to define an Active Directory scope for use with the Outside Server Management compliance report.
NOTE Trend Micro recommends enabling the on-demand assessment option to perform real-time queries for more accurate results. Disabling on-demand assessment causes OfficeScan to query the database instead of each client. Querying only the database can be quicker but is less accurate.
Tip If querying for the first time, select an object with less than 1000 accounts and record the time to complete the query. Use this as your performance benchmark.
Click the plus or minus button to add or delete IP address ranges.
3. Under Advanced Settings, specify the ports used by OfficeScan servers to communicate with OfficeScan clients. Setup randomly generates the port number during OfficeScan server installation.
Tip To view the communication port used by the OfficeScan server, go to Networked Computers > Client Management and select a domain. Check the Listen Port column next to the IP address column. Keep a record of port numbers for your reference.
3.1. Click Specify ports (hyperlink). The communication port of the local OfficeScan server is listed automatically (and cannot be deleted). If you have no other OfficeScan servers within the scope of the Active Directory/IP Address query, you will not need to enter additional ports.
Figure 5.15: Specifying Additional OfficeScan Client-Server Communication Ports
3.2. Type the port number and click Add. Repeat this step until you have all the port numbers you want to add.
3.3. Click Save.
Important: The query may take a long time to complete, especially if the query scope is broad. Do not perform another query until the Outside Server Management page displays the result. Otherwise, the current query session terminates and the query process restarts.
4. Choose whether to check a computer's connectivity using a particular port number. When a connection is not established, OfficeScan immediately treats the computer as unreachable. The default port number is 135.
NOTE Enabling this setting speeds up the query. When a connection to a computer cannot be established, the OfficeScan server no longer needs to perform all the other connection verification tasks before treating a computer as unreachable.
5. To save the scope and start the query, click Save and re-assess. (To save the settings only, click Save only.) Progress information about the query is displayed in the top-right header area of the bottom content-display table of the Outside Server Management page.
When the query is completed, a dialog box appears that notifies you that the query has completed successfully. You can dismiss this notification by clicking OK. The top-right header area of the content-display table now reports the date and time of the last successful query, and the Cancel button changes to a Settings button, which provides access to a scheduling tool for enabling regular Outside Server Management assessments.
Figure 5.17: Reviewing the Results of a Successful Query of Unmanaged Computers
2. Use the search and advanced search functions to search and display only the computers that meet the search criteria. If you use the advanced search function, specify the complete name for the following items:
Computer name
IP address
OfficeScan server name
Active Directory tree
Use the wildcard character (*) if unsure of the complete name. OfficeScan will not return a result if the name is incomplete and the wildcard character is not specified.
3. To save the list of computers to a file, click Export.
4. For clients managed by another OfficeScan server, use the Client Mover tool to have these clients managed by the current OfficeScan server.
The Security Status section classifies computers as identified in the table below.
Status: Managed by another OfficeScan server
Description: The OfficeScan clients installed on the computers are managed by another OfficeScan server. Clients are online and run either this OfficeScan version or an earlier version.

Status: No OfficeScan client installed
Description: The OfficeScan client is not installed on the computer.

Status: Unreachable
Description: The OfficeScan server cannot connect to the computer and therefore cannot determine whether there is no client installed on the computer or, if a client is installed, whether the client is managed by another OfficeScan server or is unmanaged.

Status: Unresolved Active Directory Assessment
Description: The computer is a part of the Active Directory domain but OfficeScan is unable to determine the status.

NOTE The OfficeScan server database contains a list of clients that the server manages. The computer queries the Active Directory for the GUID to compare with the list of OfficeScan clients in the database. If the computer is not in the list, the computer will be categorized as "Unresolved Active Directory Assessment".
Tip For various situations, including those related to upgrades and migrations in which you cannot use the management console to change the OfficeScan server to which clients connect, you can use the Client Mover tool. For more information, see Chapter 10: OfficeScan Tools.
Installing the OfficeScan Client from Security Compliance
To improve security compliance, OfficeScan provides a method for installing client software directly from the Security Compliance query results page. However, this method will not work for target computers if any of these conditions are true:
The OfficeScan server is installed on the target.
The target runs Windows XP Home, Windows Vista/7 Home Basic, or Windows Vista/7 Home Premium. For these platforms, you must use another deployment method.
PREPARING TO INSTALL If the target computer runs Windows Vista/7 Business, Enterprise, or Ultimate Edition, you must perform the following steps on the computer before you can install the client through Security Compliance:
1. Enable a built-in administrator account and set the password for the account.
2. Disable the Windows firewall.
2.1. Click Start > Programs > Administrative Tools > Windows Firewall with Advanced Security.
2.2. For Domain Profile, Private Profile, and Public Profile, set the firewall state to off.
3. Open Microsoft Management Console (click Start > Run and enter services.msc) and start the Remote Registry service. When installing the OfficeScan client, use the built-in administrator account and password.
If a Trend Micro or a third-party endpoint security program is installed on the computer, check if OfficeScan can automatically uninstall the software and replace it with the OfficeScan client. For a list of endpoint security software that OfficeScan automatically uninstalls, open the following files in {installation path}\PCCSRV\Admin. You can open these files with a text editor like Notepad.
tmuninst.ptn
tmuninst_as.ptn
If the software on the target computer is not included in the list, manually uninstall it first. Depending on the uninstallation process of the software, the computer may or may not need to restart after uninstallation. Finally, before starting the installation process, record the logon credentials for each computer you plan to deploy the client to. OfficeScan will prompt you to specify the logon credentials during installation.
Important: You cannot use this method to update the OfficeScan client. If an earlier OfficeScan client version is already installed on a computer and you click Install, the installation will be skipped and the client will not be updated to this version.
PERFORMING THE INSTALLATION
To install the OfficeScan client from the Security Compliance page:
1. Select one or more computers from the list of computers in the content-display area, and then click Install, located in the top-left of the table header area.
2. Specify the administrator logon account for each computer and click Log on. OfficeScan starts installing the client on the target computer.
1. Click Security Compliance > Outside Server Management.
2. Click the Settings button in the top-right header of the content-display area. The Scheduled Outside Server Management Assessment page appears.
3. Ensure that the Enable scheduled query checkbox is selected.
4. Specify the schedule: hourly, daily, weekly, or monthly.
NOTE If you specify the 31st of each month and the month has less than 31 days, the assessment happens on the last day of the month.
5. Click Save.
Trend Micro's Smart Protection solution relies on an advanced scanning architecture that leverages anti-malware signatures, web reputations, and threat databases that are stored in-the-cloud. Smart Protection leverages file-reputation technology to detect security risks and web-reputation technology to proactively block websites. Trend Micro also continues to harvest anonymously sent information from Trend Micro products worldwide to proactively determine each new threat. OfficeScan provides two types of local Smart Protection Servers:
Integrated Smart Protection Server
The OfficeScan server setup program includes an integrated Smart Protection Server that installs alongside the core OfficeScan server software. After the installation, you can manage the settings for this server on the Smart Protection > Integrated Server page of the OfficeScan management console.

Standalone Smart Protection Servers install on a VMware or Hyper-V server. A standalone server has a separate management console and is not managed from the OfficeScan Web console.

The Smart Protection menu in the navigation column of the OfficeScan management console provides access to configuration parameters that allow you to determine which clients connect to which Smart Protection servers. You can also configure the integrated Smart Protection server that can be installed on the same host as the core OfficeScan server software. You can also configure the opt-in/opt-out options for participation in the Trend Micro Smart Protection Network feedback program.
Smart Protection servers host the Smart Scan Pattern. This pattern is updated hourly, but can also be updated every 15 minutes, and contains the majority of the pattern definitions. Smart Scan clients do not download this pattern. Clients verify potential threats by sending scan queries to the Smart Protection Server. Using the identification information sent in the query, Smart Scan checks the reputation of each file against an extensive in-the-cloud database. Since the malware information is stored in the cloud, up-to-date information is available instantly to all users. High-performance content delivery networks and local caching servers minimize latency during the checking process. The cloud-client architecture offers more immediate protection, eliminates the burden of pattern deployment, and significantly reduces the overall client footprint. There are no component download overlaps between the Smart Protection Server and the OfficeScan server because each server downloads a specific set of components. A Smart Protection Server only downloads the Smart Scan Pattern, while the OfficeScan server downloads all the other components.
Assigns reputation scores to web domains and individual pages or links within sites
Allows or blocks users from accessing sites
To increase accuracy and reduce false positives, Trend Micro web-reputation technology assigns reputation scores to specific pages or links within sites instead of classifying or blocking entire sites, since there are times when only portions of legitimate sites are hacked and reputations can change dynamically over time.
Figure 5.22: Smart Protection Source Settings for Internal Clients

You can choose whether to use the standard list for clients or create custom lists. To configure the Smart Protection source:
1. Click Smart Protection > Smart Protection Sources > Internal Clients.
2. Select whether clients will use the Standard List or Custom Lists.
3. Click Notify All Clients. Smart Scan clients automatically refer to the list you have configured.
3. Specify the Smart Protection Server's name or IP address. To obtain the Smart Protection Server address of the integrated Smart Protection Server, go to Smart Protection > Integrated Server and find the server address column of the Client Connection information table at the top of the page. To find the URL for standalone Smart Protection Servers, open the standalone server's console and see the Summary page.
3.1. Select which reputation services should be used on this server and specify the port number on which these connections should be made.
3.2. Click Test Connection to verify that a connection to the server can be established.
Tip Because the integrated Smart Scan Server and the OfficeScan server run on the same computer, the computer's performance may be reduced significantly during peak traffic for the two servers. To reduce the traffic directed to the OfficeScan server computer, assign a standalone Smart Scan Server as the primary scan source and the integrated server as a backup source.
4. Click Save when the test connection is successful.
From the Standard Smart Protection Server List page, you can also perform these functions:
Modify the server's address by clicking the link under Smart Protection Server Address
Open the console of a local Smart Protection Server by clicking the Launch console link
Delete a server by selecting the checkbox for the server and clicking Delete
Export the list to a .dat file by clicking Export and then clicking Save
Import a list exported from another server by clicking Import and locating the .dat file
Choose whether clients will refer to the servers in the order in which they appear on the list or randomly (when you select Order, you can use the arrows in the Order column to move servers up and down the list; however, the integrated server will always be last on the list)
4. Specify the Smart Protection Server's name or IP address. To obtain the Smart Protection Server address of the integrated Smart Protection Server, go to Smart Protection > Integrated Server and find the server address column of the Client Connection information table at the top of the page. To find the URL for standalone Smart Protection Servers, open the standalone server's console and see the Summary page.
4.1. Select which reputation services should be used on this server and specify the port number on which these connections should be made.
4.2. Click Test Connection to verify that a connection to the server can be established.
5. Select whether clients will refer to the servers in the order in which they appear on the list or randomly. If you select Order, you can use the arrows under the Order column to move servers up and down the list.
6. Click Save when the test connection is successful.
You can modify an IP address range and its corresponding custom list by clicking the link under IP Range. You can also import and export custom lists in the same way as standard lists.
5.4.2 Configuring the Integrated Smart Protection Server

The Integrated Smart Protection Server page shows status information for the integrated server, including the URL required to access the server's services, the Smart Scan pattern version, and the web-blocking list version. You can also perform manual component updates at any time by clicking Update Now, as well as toggle services on and off and configure update settings.

Figure 5.25: Integrated Smart Protection Server Status and Update Settings

You can choose whether to use the integrated file-reputation service or the integrated web-reputation service by selecting/deselecting the corresponding checkboxes at the top of the page. Deselecting both options causes the following:
The Trend Micro Smart Protection Server service (iCRCService.exe) stops.
The integrated server stops updating components from the ActiveUpdate server.
Clients will not be able to send scan queries to the integrated server.

Clients can connect to the integrated file-reputation service using HTTP or HTTPS. HTTPS allows for a more secure connection, while HTTP uses less bandwidth.
To import web-reputation service approved/blocked rules:
1. Click Smart Protection > Integrated Server.
2. Click Import in the Web Reputation Service Approved/Blocked List section.
3. Select a .CSV file to upload.
4. Click Upload.

Figure 5.26: Importing Approved/Blocked Rules for the Integrated Web Reputation Service

To configure Smart Protection server update settings:
1. Click Smart Protection > Integrated Server.
2. To update the pattern automatically, enable scheduled updates and configure the update schedule. You can choose to update hourly or every 15 minutes.
3. Select the location from where you want to download component updates.
3.1. If you choose ActiveUpdate server, ensure that the server has an Internet connection and, if you are using a proxy server, test if an Internet connection can be established using the proxy settings.
3.2. If you choose a custom update source, set up the appropriate environment and update resources for this update source. Also ensure that there is a functional connection between the server computer and this update source. If you need assistance setting up an update source, contact your support provider.
4. Click Save.
The information that Trend Micro collects from your computer includes:
File checksums
Web sites accessed
File information, including sizes and paths
Names of executable files

Important: You do not need to participate in Smart Feedback to protect your computers. Your participation is optional and you may opt out at any time. Trend Micro recommends that you participate in Smart Feedback to help provide better overall protection for all Trend Micro customers. You can terminate your participation in the program anytime from the management console.

For more information about how the Smart Protection Network works and the benefits that it provides, visit www.smartprotectionnetwork.com.

Tip Smart Feedback uses the same global proxy settings (Administration > Proxy Settings > External Proxy) used for Web Reputation Services and the Global Smart Scan server.

To modify your participation in the program:
1. Click Smart Protection > Smart Feedback.
2. Select/deselect Enable Trend Micro Smart Feedback.
2.1. To help Trend Micro understand your organization, select the industry in which your company does business.
2.2. To send information about potential security threats in the files on your client computers, select the Enable feedback of suspicious program files checkbox.
NOTE Files sent to Smart Feedback contain no user data and are submitted only for threat analysis.
2.3. Set the criteria for sending feedback by selecting the number of detections (5, 10, 15 or 20) that must occur and the duration of time in minutes (1, 5, 10, 15, 30, 45 or 60) that must elapse since feedback was last sent.
3. Specify the maximum bandwidth OfficeScan uses when sending feedback to minimize network interruptions.
4. Click Save.

When one of the top three grouping settings, that is NetBIOS domain, Active Directory domain, or DNS domain, is selected, you also retain the option to create custom folders within the client tree on the Networked Computers > Client Management page, and manually drag-and-drop existing clients from one folder to another to fine-tune your client-tree configuration.
Tip The top three grouping methods are intended to simplify the default client-tree-folder assignment for newly installed clients. Afterwards, Trend Micro generally assumes that you would then move those clients from their domain-name-determined default locations to a more permanent client-tree location based on department, function, or whatever other scheme you may want to use to organize OfficeScan clients. An important disadvantage of manual (or non-rules-based) client-tree configuration is that if a client's network-domain assignment is subsequently changed, no corresponding change occurs in the OfficeScan client tree.

When Custom client groups is selected on the Client Grouping page, an additional menu option named Custom Client Groups appears in the Networked Computers section of the main navigation column of the management console, and you no longer have the ability to create new folders using the toolbar on the Client Management page. All refinements to client-tree folders and membership rules for those folders must afterwards be managed using the Networked Computers > Client Grouping page.

Tip The custom client groups option is designed to provide a top-to-bottom rules-based method for organizing the client tree. You may then optionally schedule a regrouping process by which existing clients within the client tree may be reassigned a client-tree location based on the current domain or IP-address configuration parameters of the client. Trend Micro generally assumes that the changes that occur between regroupings are likely to be small. But for organizations that must manage a large number of computers and coordinate the management of them across multiple application-level and network-level systems within a dynamic environment of job-role changes, asset relocations, and organizational changes, OfficeScan custom client groups allow you to mirror the domain and IP-addressing policies that you may have already established for other management-related systems, such that changing the domain assignment or IP address of a client because that client has changed functional contexts can now automatically correspond to a change in OfficeScan policy.

To configure the client grouping method:
1. Click Networked Computers > Client Grouping.
2. Specify the client grouping method.
3. Click Save or Save and create domain now.
For information about configuring the client tree using the options available on the Manage Client Tree dropdown menu on the Client Management page, see section 5.5.16 Client Management: Managing the Client Tree on page 169.
Note that the add, rename, move, and remove domain options on this dropdown menu are not available when the custom client groups grouping method is selected. Further information about managing the client tree using custom client groups may be found in the present section, below.
Figure 5.29: Selecting to Add a Grouping Rule for Custom Client Groups

This page displays all of the rules that you may have previously created; it allows you to add new rules, delete old rules, and prioritize the current list of rules; it displays the status of each rule along with other profile information; and it provides a button to run your current sorting rules on demand. There are two types of custom groupings that you can create:

Active Directory-based
This type of custom client grouping allows you to map Active Directory structures to the OfficeScan client tree. This enables organizations that have already invested a lot of effort in organizing their Active Directory schemes to be able to reproduce them within OfficeScan easily.

IP Address-based
This type of custom client grouping allows you to create grouping rules that operate independently of your Active Directory structure. In some cases, existing Active Directory structures correspond very well to the security groupings that are most effective for managing OfficeScan clients. Where this is not the case, IP-address-based grouping rules can be used instead. IP-based definitions can also be used to supplement or provide exceptions for other Active Directory-based rules.

To add an Active Directory grouping:
1. Click Networked Computers > Custom Client Groups > Manage Client Groups > Add > Active Directory.
2. Enable and specify a name for the rule.
Figure 5.30: Adding a Custom Grouping Rule Based on Active Directory Information

3. Specify the Active Directory domain(s) or folder(s) for this client group.
3.1. Optionally enable Duplicate Active Directory structure into the OfficeScan client tree to map an Active Directory folder with subdomains to an OfficeScan domain instead of mapping individual folders to OfficeScan domains.
3.2. Specify the OfficeScan client-tree folder that will be mapped to the selected Active Directory domain(s). (Note: you can select only one client-tree folder destination.)
3.2.1. To create a new folder in the client tree, hover the mouse over the target domain folder, and then click the + icon that appears.
3.2.2. Enter a name for the new folder, and then click the check mark to the right of the text box to create the folder. (Click the x to cancel.)
3.2.3. Optionally: you can edit or delete a folder that you have just created by selecting it, hovering the mouse over the (blue) folder name, and then selecting the edit (pad with pencil) or delete (rubbish bin) icon.
OfficeScan maps Active Directory domains to OfficeScan domains. When mapping domains without subdomains, only the domain folder will appear. If the Active Directory has subdomains, the OfficeScan client tree copies the folder structure with the corresponding subdomains.
4. Click Save. The client group displays in the list of rules on the Manage Client Groups page. When the mouse is hovered over an information item related to the rule, additional profile information about the rule is displayed in the Preview pane.
Figure 5.31: The Manage Client Groups List after Creating and Running a Rule

5. Sort the priority of the existing list. Refer to Managing the Priority of Custom Group Sorting Rules below.
6. Click Save to save the changes or Save and Create Domain Now. If you select to run the rules now, progress is indicated to the right of the bottom row of action buttons.
NOTE Clicking Save and Run rules now creates the destination folder in the OfficeScan client tree but does not move existing clients to the specified domain. Also, running the rules may take a long time to complete, especially if the scope is broad.

To add an IP address grouping:
1. Click Networked Computers > Client Grouping > Add > IP Address.
2. Enable and specify a name for the rule.
3. Specify a single IP address or an IP address range.
4. Specify the OfficeScan client-tree folder that will be mapped to the specified address(es).
Important: You can only select one OfficeScan client-tree folder.
4.1. To create a new folder in the client tree, hover the mouse over the target domain folder, and then click the + icon that appears.
4.2. Enter a name for the new folder, and then click the check mark to the right of the text box to create the folder. (Click the x to cancel.)
4.3. Optionally: you can edit or delete a folder that you have just created by selecting it, hovering the mouse over the (blue) folder name, and then selecting the edit (pad with pencil) or delete (rubbish bin) icon.
5. Click Save. The client group displays in the list of rules on the Manage Client Groups page. When the mouse is hovered over an information item related to the rule, additional profile information about the rule is displayed in the Preview pane.
6. Sort the priority of the existing list. Refer to Managing the Priority of Custom Group Sorting Rules below.
7. Click Save to save the changes or Save and Create Domain Now. If you select to run the rules now, progress is indicated to the right of the bottom row of action buttons.
NOTE Clicking Save and Run rules now creates the destination folder in the OfficeScan client tree but does not move existing clients to the specified domain. Also, running the rules may take a long time to complete, especially if the scope is broad.

Figure 5.33: Changing the Order of the Custom-Client-Groups Sorting Rules

2. Select the client group to move and click the up or down arrow to move each corresponding rule up or down. Rules that change position are highlighted in red and underscored. After being moved, the corresponding ID number for affected client grouping rules (the far left column of the row) reflects each rule's position in the list.
3. Click Save.
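The following Python is an added illustration, not OfficeScan code, of how a prioritized list of Active Directory-based and IP-address-based grouping rules can be evaluated and re-ordered: list position is priority, the first enabled matching rule wins, a disabled rule is skipped, and moving a rule changes its ID and can change which folder a client lands in. It assumes an IP range is written as "start-end", that a rule on a parent domain also covers its subdomains, and all host, domain, folder and rule names are constructed.

```python
"""Added example (not part of OfficeScan): a model of prioritized custom
client grouping rules and of re-ordering them. All names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass
class Client:
    hostname: str
    ip: str
    ad_domain: str  # constructed Active Directory domain of the client


@dataclass
class Rule:
    name: str
    folder: str                      # one target client-tree folder per rule
    enabled: bool = True
    ad_domain: Optional[str] = None  # Active Directory-based rule
    ip_spec: Optional[str] = None    # IP-based rule: "10.0.0.5" or "10.0.0.1-10.0.0.50"

    def matches(self, client: Client) -> bool:
        """Disabled rules never match; an enabled rule matches its own criterion."""
        if not self.enabled:
            return False
        if self.ip_spec is not None:
            lo, hi = parse_ip_spec(self.ip_spec)
            return lo <= ip_address(client.ip) <= hi
        if self.ad_domain is not None:
            want, have = self.ad_domain.lower(), client.ad_domain.lower()
            # Assumption: a parent-domain rule also covers its subdomains.
            return have == want or have.endswith("." + want)
        return False


def parse_ip_spec(spec: str):
    """Accept a single address or a 'start-end' range; reject inverted ranges."""
    parts = [p.strip() for p in spec.split("-", 1)]
    lo, hi = ip_address(parts[0]), ip_address(parts[-1])
    if lo > hi:
        raise ValueError(f"IP range start is after its end: {spec}")
    return lo, hi


def assign_folders(rules: List[Rule], clients: List[Client]) -> Dict[str, Optional[str]]:
    """Walk the rules in list order (position is priority); first match wins.
    A client that no rule matches maps to None, i.e. it keeps its current folder."""
    return {c.hostname: next((r.folder for r in rules if r.matches(c)), None)
            for c in clients}


def move_rule(rules: List[Rule], name: str, direction: str) -> List[Rule]:
    """Move one rule one step up or down, as the arrow icons do; returns a new list."""
    idx = next(i for i, r in enumerate(rules) if r.name == name)
    new = list(rules)
    j = idx - 1 if direction == "up" else idx + 1
    if 0 <= j < len(new):
        new[idx], new[j] = new[j], new[idx]
    return new


def rule_ids(rules: List[Rule]) -> Dict[str, int]:
    """The ID column reflects each rule's position after a move."""
    return {r.name: i + 1 for i, r in enumerate(rules)}


# Constructed sample rules (listed in priority order) and clients.
RULES = [
    Rule("lab-exception", folder="Lab", ip_spec="10.10.5.1-10.10.5.254"),
    Rule("sales-ad", folder="Sales", ad_domain="sales.corp.example"),
    Rule("corp-ad", folder="Corporate", ad_domain="corp.example"),
    Rule("legacy", folder="Legacy", ip_spec="192.0.2.7", enabled=False),
]
CLIENTS = [
    Client("ws-lab-01", "10.10.5.20", "sales.corp.example"),   # IP exception beats AD rule
    Client("ws-sales-02", "10.20.0.8", "sales.corp.example"),  # sales rule is listed first
    Client("ws-hr-03", "10.30.0.9", "hr.corp.example"),        # only the parent-domain rule
    Client("ws-old-04", "192.0.2.7", "other.example"),         # disabled rule: unmatched
]

if __name__ == "__main__":
    for host, folder in assign_folders(RULES, CLIENTS).items():
        print(f"{host}: {folder}")
    reordered = move_rule(RULES, "corp-ad", "up")
    print(rule_ids(reordered), assign_folders(reordered, CLIENTS)["ws-sales-02"])
```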
1. Click Networked Computers > Custom Client Groups > Manage Client Groups.

Figure 5.34: Highlighted Delete and Enable/Disable Tools for Custom Client Grouping Rules

2. In the far left column, select one or more individual rules by clicking the checkbox that corresponds to the rule(s) that you want to delete. Select the checkbox in the header row to select all current rules.
3. Click Delete.
4. In response to the confirmation prompt "Are you sure you want to delete the selected rule(s)?", click OK.
5. Click Save.

To enable/disable custom group sorting rules:
1. Click Networked Computers > Custom Client Groups > Manage Client Groups.
2. Click the status icon in the status column that corresponds to the rule that you want to enable or disable. Alternatively, you can click the name of the target rule, then select or deselect the Enable this rule checkbox on the Edit Grouping Rule page, and then click Save.
3. Click Save.

To schedule client groupings:
1. Click Networked Computers > Client Grouping > Schedule Domain Creation.
Figure 5.35: Scheduling Custom Client Grouping Rules to be Run Periodically

2. Select Enable scheduled grouping rule.
3. Specify the schedule.
4. Click Save.

The Client Management page also provides search capabilities to find and select clients based on name only (simple search) or a broad range of criteria (advanced search). You can review status information using the content area of the client-tree view. You can also use the status button provided to display the same information, but in a report-type format.
Figure 5.37: Working with Client Status Information Using the Tree View Tool
Firewall Information
Enabled/disabled
Firewall policy
Intrusion Detection System (IDS)
Accumulated firewall logs
Accumulated IDS logs
Accumulated network virus logs
Firewall logs per hour
IDS logs per hour
Network virus logs per hour
Last firewall count sent
NOTE Unlike many other network management programs, OfficeScan allows you to select and apply actions and settings to individually selected clients, to whole domains, or to the entire network. In other words, to give a single client a unique setting, you do not have to create a new group for it.

Using the Status button

The content (right-hand) area of the tree view is not populated with client data until a domain is selected or the result(s) of a search are displayed. The Status button in the tree-view tool bar provides access to an alternate view of the data displayed in the content area for all selected clients. To display client data, you can select the OfficeScan Server root object, a single domain, or one or more clients within a domain or advanced search results. Selecting clients and clicking the Status button displays client data in a separate (pop-up) browser window that includes expandable and collapsible sections for each client. Selecting a single client in the tree and clicking Status produced the results shown below.

Figure 5.38: Client Status Detail Displayed Using the Client Management Status Button

Client data is grouped in seven sections, including: basic information, along with program, component, firewall, virus/malware scan, spyware/grayware scan data, and privileges information. Using this window, you can also reset statistics for virus/malware, spyware/grayware, and firewall events using the buttons at the top of the page.
Figure 5.39: Search Functions Available on the Client Management Page

The textbox/search button tool finds first matches for characters entered in the textbox. Wildcards are not allowed, but the search function behaves as though a wildcard is automatically added to the end of any text string that you enter.

For example, if you have a hundred clients whose hostnames all begin with the string acme, pressing the search button will take you to the first client with a hostname that begins with those characters. Pressing the search button again will take you to the next match, and so on.

To locate clients based on various other criteria and see the results displayed in a group, use Advanced Search. For example, you can find clients based on IP address, operating system, or hardware platform. You can also find clients based on whether one or more components is out of date or based on other aspects of a client's status.

Clicking Advanced Search at the top of the Networked Computers > Client Management page launches a search-configuration page in a new browser window (shown below).
Your search results are displayed in the client tree viewer. An object called Search Results appears in the domain-tree list on the left, and clients that match your search criteria are listed in the content area to the right.

You can use the list of results to check other status information, perform updates and other tasks, change settings, or view logs, the same as you would if navigating a normal domain.

Figure 5.42: Tasks Menu on the Toolbar of the Client Management Page

You may select any number of clients from the client tree, individually or by selecting whole domains or even the OfficeScan Server icon to select all online clients in all domains. Once you have selected your target clients, clicking a task item launches a task tool that corresponds to the task you have selected.

Scan Now Task

Selecting Scan Now launches the same scan initiation/notification tool that is launched if you click Scan Now for All Domains in the navigation menu. The only difference is that when you select Scan Now for All Domains from the main navigation menu, the client-tree viewer is populated by default with all online clients.

NOTE You can initiate manual/on-demand scans for online clients only. Offline and roaming clients will not appear in the Scan Now tool even if you specifically select them before clicking Scan Now.

Selecting Scan Now from the drop-down menu on the Client Management page populates the client-tree viewer with only those clients or domains that are currently selected. Thus, if only a single client is selected, that client alone appears in the initiation/notification tool, as shown in the figure below.
Figure 5.43: Starting a Manual Scan for a Single Client Using the Scan Now Tool

To start scanning, select target clients from the list and click Initiate Scan Now. If you do not select any clients, scan-now notifications will be sent to all clients. When the OfficeScan server confirms that a client has received a notification, a green tick mark is placed on the client icon.

WARNING! Performing a Scan Now is resource intensive. Using the high setting for CPU usage generally consumes more than half of CPU resources. When performing Scan Now on a computer that is in use, you may want to change the Scan Now CPU usage configuration to medium or low.

The Scan Now toolbar also makes these functions available:
Modify your manual scan settings by clicking Settings.
Send stop-scan notifications to selected clients by clicking Stop Scan Now.
In the event that some notifications fail, you can quickly select these clients by clicking the corresponding toolbar button, in which case you may stop the notification process by clicking Stop Notification.
You can perform a simple search for hostnames using the textbox and Search button at the top of the Scan Now page.

Figure 5.44: Uninstalling an OfficeScan Client from the Client Management Page
Clicking Initiate Uninstallation causes the OfficeScan server to notify the selected OfficeScan clients to launch the uninstallation application. After initiating the uninstallation, you can cancel the notification on un-notified computers by clicking Select Un-notified Computers, and then Stop Uninstallation.

Selecting Tasks > Spyware/Grayware Restore on the toolbar of the Client Management page causes the OfficeScan server to query the selected clients for Spyware/Grayware logs and launches the Restore Spyware/Grayware tool.

Figure 5.45: Restoring Previously Removed Spyware from the Client Management Page

To view details for each item that can be restored, click View. A details page displays in the same browser window. Click Back to return to the previous page.
To restore spyware/grayware:
1. Select the data segments that you want to restore.
2. Click Restore. OfficeScan will notify you of the restore status. You can then check the spyware/grayware restore logs for a full report.
Figure 5.46: Settings Menu on the Toolbar of the Client Management Page
You may select any number of clients from the client tree. You may select individual clients or whole domains. Selecting the OfficeScan Server icon selects all clients in all domains. Once you have selected your target clients, clicking an item from the settings menu launches the configuration page for the type of settings you have selected.
Scan Methods
Selecting a domain, computer, or group of computers and then choosing the Scan Methods option from the Settings menu allows you to switch from conventional scan to Smart Scan for the selected devices.
Switching from conventional scan to Smart Scan requires careful planning and execution. If you are switching clients from conventional scan to Smart Scan, prepare by doing the following:
Product license
To use Smart Scan, ensure that you have activated the licenses for the following services and that the licenses are not expired:
Antivirus
Web Reputation and Anti-spyware
If connection to the Global Smart Scan Server requires proxy authentication, specify authentication credentials.
If you installed the integrated server during OfficeScan server installation, configure the update settings for this server and ensure the server has the latest updates. If you want clients to connect to this server through a proxy server, configure proxy settings. Consider disabling the OfficeScan firewall on the server computer. When enabled, the OfficeScan firewall may affect the integrated server's performance.
If you have not set up any of these servers, install them first before switching clients to Smart Scan. Trend Micro recommends installing multiple servers for failover purposes. Clients that are unable to connect to a particular server will try to connect to the other servers you have set up.
Add the Smart Scan Servers you have set up to the Smart Scan Server list. Clients refer to the list to determine which Smart Scan Server to connect to.
Configure location settings. OfficeScan includes a location awareness feature that identifies the client computer's location and determines whether the client connects to the global or a local Smart Scan Server. This ensures that clients remain protected regardless of their location.
Ensure that clients can connect to the OfficeScan server. Only online clients will be notified to switch to Smart Scan. Offline clients get notified when they become online. Roaming clients are notified when they become online or, if the client has scheduled update privileges, when scheduled update runs. Also verify that the OfficeScan server has the latest components because Smart Scan clients need to download the Smart Scan Agent Pattern from the server.
If you have Trend Micro Network VirusWall Enforcer installed, install a hot fix (build 1047 for Network VirusWall Enforcer 2500 and build 1013 for Network VirusWall Enforcer 1200) and update the OPSWAT engine to version 2.5.1017 to enable the product to detect a client's scan method.
OfficeScan server
Whenever you switch client scan methods, whether you are switching to Smart Scan or back to conventional scan, consider the following:
Number of clients to switch: Switching a relatively small number of clients at a time allows efficient use of OfficeScan server and Smart Scan Server resources. These servers can perform other critical tasks while clients change their scan methods.
Timing
When switching to Smart Scan for the first time, clients need to download the full version of the Smart Scan Agent Pattern from the OfficeScan server. The Smart Scan Pattern is only used by Smart Scan clients. When switching back to conventional scan, clients will likely download the full version of the Virus Pattern and Spyware-active Monitoring Pattern from the OfficeScan server. These pattern files are only used by conventional scan clients. Consider switching during off-peak hours to ensure the download process finishes within a short amount of time. Also consider switching when no client is scheduled to update from the server. Also temporarily disable Update Now on clients and re-enable it after the clients have switched to Smart Scan.
Scan Options
Regular virus scanning is essential to keep your network free of computer viruses. OfficeScan provides three scanning methods to detect viruses before they start to multiply, spread, and damage your data.
Manual scan
Real-time scan
Scheduled scan
Manual scanning allows you and end users, if you give them permission, to scan for malware on demand. Real-time scanning monitors system activity in real time and scans for malware constantly. With real-time scanning, you select whether to notify users when a virus is detected or silently report the event back to the OfficeScan server. Scheduled scanning enables you to trigger system scans on a daily, weekly, or monthly basis.
NOTE Scan Now and Manual Scan are the same type of scan; they differ only in how they are started. Scan Now is the term applied to scans run by you (the administrator) from the management console; Manual Scan is the term applied to scans run from the local client interface. OfficeScan allows you to create separate configurations for each use model.
The Scan Settings section allows you to specify whether to scan hidden folders, network drives, compressed folders, and OLE objects. For scanning compressed files, you can choose how many layers of compression to scan (1 to 6). The more layers scanned, the more thorough your scans will be, but in some cases you risk overburdening system resources.
Important: Office 2007 applications use Zip compression to save files based on the Open XML format. To scan Office 2007 files, you must enable Scan compressed files. To clean/delete Office 2007 files that have been infected with malware, you must enable Clean/delete infected files within compressed files under Global Client Settings.
When a file contains multiple Object Linking and Embedding (OLE) layers, OfficeScan scans up to the number of layers you specify (1 to 10) and skips the remaining layers. For example, if you have a Microsoft PowerPoint document that has an embedded Word file that itself contains an embedded Excel spreadsheet, and the limit is set to 2, the OLE object that is the Excel spreadsheet will not be scanned. OLE Exploit Detection heuristically identifies malware by checking Microsoft Office files for exploit code. OLE Exploit Detection is also limited by the specified maximum-layers-to-scan threshold. For virus/malware scanning, you can also select these options (which simply do not pertain to normal spyware/grayware scanning):
Scan boot area
Enable IntelliTrap
Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering the network by blocking real-time compressed executable files and pairing them with other malware characteristics.
NOTE IntelliTrap can incorrectly block safe files. Thus, Trend Micro recommends quarantining (not deleting or cleaning) files when IntelliTrap is enabled. If your users regularly exchange real-time compressed executable files, you should disable IntelliTrap.
CPU usage options include high, medium, and low settings. The high setting enables the fastest scan, but may use 50 percent or more of the client's CPU resources. A low setting means the scan will take longer, but users will be more likely to be able to continue working efficiently during a scan. Enabling scan exclusions allows you to specify directories, files, and/or file extensions to exclude from scanning. You can specify a maximum of 250 directories, files and file extensions. When making a custom entry, you must specify whether the path entered should overwrite, be added to, or be removed from the client scan exclusion list. You can also disable scan exclusions at any time. You can also configure scan exclusion settings for a particular scan type and then apply the same settings to all the other scan types.
NOTE If you selected the OfficeScan Server root icon in the client tree before loading the Manual Scan Settings page, you will have the option to apply your settings to all current and future clients in all domains or apply your settings only to new clients and future domains.
WARNING! Use wildcards cautiously. If you use the wrong character, OfficeScan might exclude from scanning files or directories that could potentially have security threats.
If you select the option to Exclude directories where Trend Micro products are installed, OfficeScan automatically excludes the directories of these Trend Micro products from scanning:
ScanMail for Microsoft Exchange (all versions except version 7). If you use version 7, add the following folders to the exclusion list: \Smex\Temp, \Smex\Storage, \Smex\ShareResPool
ScanMail eManager 3.11, 5.1, 5.11, 5.12
ScanMail for Lotus Notes eManager NT
InterScan Messaging Security Suite
InterScan Web Security Suite
InterScan Web Protect
InterScan VirusWall 3.53
InterScan FTP VirusWall
InterScan Web VirusWall
InterScan E-mail VirusWall
InterScan NSAPI Plug-in
InterScan eManager 3.5x
If you have a Trend Micro product that is NOT included in the list above, add the product directories to the scan exclusion list manually.
Tip You can configure OfficeScan to exclude Microsoft Exchange 2000/2003 directories on the Networked Computers > Global Client Settings > Scan Settings page. If you use Microsoft Exchange 2007, manually add the directory to the scan exclusion list. For scan exclusion details, see: http://technet.microsoft.com/en-us/library/bb332342.aspx.
OfficeScan will not scan a file if its file extension matches any of the extensions included in this exclusion list. You can specify a maximum of 250 file extensions. A period (.) is not required before the extension.
For Manual Scan, Scheduled Scan, and Scan Now, use a question mark (?) or asterisk (*) as a wildcard character.
For Real-time Scan, use an asterisk (*) as a wildcard character when specifying extensions. For example, if you do not want to scan all files with extensions starting with D, such as DOC, DOT or DAT, type D*.
Tip You can also use ? and * as wildcards when specifying extensions. For example, if you want to scan all files with extensions starting with D, such as DOC, DOT or DAT, you can type .D? or .D*.
NOTE You can select to discard any changes you make and restore the default extensions last saved by clicking Restore to Default.
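The following Python is an added example, not OfficeScan code: it models the exclusion-list rules above (the 250-entry cap, the overwrite/add/remove choice, `*`-only wildcards for Real-time Scan) and audits which constructed sample paths a client would skip, flagging wildcard patterns that also cover executable or macro-enabled file types, which is the risk the warning above describes. The directory path, file names and the set of risky extensions are assumptions made for the demonstration.

```python
"""Audit an OfficeScan-style scan exclusion list (added example, not Trend Micro code).

Models the rules in the text: up to 250 entries per list; entries are directories,
files or extensions; extensions may use '*' and '?' wildcards, except that
Real-time Scan accepts only '*'; a custom entry can overwrite, be added to, or
be removed from the client list. All paths and patterns below are constructed.
"""
import fnmatch
import ntpath

MAX_ENTRIES = 250  # per-list limit stated in the text

# Assumption for the audit: extension types a defender would not want excluded.
RISKY_EXTENSIONS = {"EXE", "DLL", "SCR", "VBS", "JS", "BAT", "CMD", "DOCM", "XLSM"}


def normalize_ext(ext):
    """A leading period is optional in the console; compare case-insensitively."""
    return ext.lstrip(".").upper()


def valid_ext_pattern(pattern, realtime):
    """Real-time Scan accepts only '*'; Manual/Scheduled/Scan Now also accept '?'."""
    if not pattern:
        return False
    return not (realtime and "?" in pattern)


class ExclusionList:
    def __init__(self, realtime=False):
        self.realtime = realtime
        self.directories = []  # normalized Windows directory paths
        self.files = []        # normalized full file paths
        self.extensions = []   # upper-case extensions, optionally with wildcards

    def _apply(self, target, entries, mode):
        """mode is 'overwrite', 'add' or 'remove', as offered on the settings page."""
        if mode == "overwrite":
            target[:] = []
            mode = "add"
        for entry in entries:
            if mode == "add":
                if entry not in target:
                    target.append(entry)
            elif mode == "remove":
                if entry in target:
                    target.remove(entry)
            else:
                raise ValueError(f"unknown mode {mode!r}")
        if len(target) > MAX_ENTRIES:
            raise ValueError(f"exclusion list exceeds {MAX_ENTRIES} entries")

    def set_directories(self, entries, mode="add"):
        self._apply(self.directories,
                    [ntpath.normcase(d.rstrip("\\")) for d in entries], mode)

    def set_files(self, entries, mode="add"):
        self._apply(self.files, [ntpath.normcase(f) for f in entries], mode)

    def set_extensions(self, entries, mode="add"):
        cleaned = []
        for entry in entries:
            ext = normalize_ext(entry)
            if not valid_ext_pattern(ext, self.realtime):
                raise ValueError(f"{entry!r} is not a valid pattern for this scan type")
            cleaned.append(ext)
        self._apply(self.extensions, cleaned, mode)

    def is_excluded(self, path):
        """Return why a path would be skipped, or None if it would be scanned."""
        p = ntpath.normcase(path)
        for d in self.directories:
            if p.startswith(d + "\\"):
                return f"directory {d}"
        if p in self.files:
            return "file entry"
        ext = normalize_ext(ntpath.splitext(p)[1])
        for pattern in self.extensions:
            if ext and fnmatch.fnmatchcase(ext, pattern):
                return f"extension pattern {pattern}"
        return None

    def risky_patterns(self):
        """Map each wildcard pattern to the risky extensions it would also exclude."""
        hits = {}
        for pattern in self.extensions:
            matched = sorted(x for x in RISKY_EXTENSIONS if fnmatch.fnmatchcase(x, pattern))
            if matched:
                hits[pattern] = matched
        return hits


def audit_example():
    """Apply the page's D* example to constructed paths; returns (verdicts, risky)."""
    excl = ExclusionList(realtime=False)
    excl.set_directories([r"C:\Program Files\Trend Micro\OfficeScan Client"])  # assumed
    excl.set_extensions(["D*", "log"])
    samples = [  # constructed sample paths
        r"C:\Program Files\Trend Micro\OfficeScan Client\tool.exe",
        r"C:\Users\alice\Documents\report.doc",
        r"C:\Users\alice\Downloads\invoice.docm",
        r"C:\Windows\Temp\helper.dll",
        r"C:\Users\alice\Downloads\setup.exe",
    ]
    return {s: excl.is_excluded(s) for s in samples}, excl.risky_patterns()


if __name__ == "__main__":
    verdicts, risky = audit_example()
    for path, reason in verdicts.items():
        print(f"{path}: {'skipped (' + reason + ')' if reason else 'scanned'}")
    print("wildcard patterns that also exclude risky types:", risky)
```

Running the audit shows that the seemingly harmless D* pattern also silences scanning of DLL and DOCM files, which is exactly why the warning above asks for caution with wildcards.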
MANUAL SCAN ACTION SETTINGS
Configuring scan actions allows you to specify what OfficeScan will do with the files in which it detects a security threat. You have the following choices:
ActiveAction: consists of a set of preconfigured actions for various types of malware. If you are not familiar with scan actions or if you are not sure which scan action is suitable for a certain type of virus, Trend Micro recommends using ActiveAction, which provides these benefits:
Time-saving and easy to maintain: ActiveAction uses the scan actions that Trend Micro recommends. You do not have to spend time customizing the scan actions.
Updateable scan actions: To ensure that clients are protected against the latest threats, ActiveAction settings are updated in every new pattern file.
OfficeScan 10.6 adds the category of probable virus/malware to the types of detections for which you can choose a custom action. Even if you select to use ActiveAction, you can still select a custom action for detections of probable virus/malware.
Using the same action for all malware: allows you to select a single action for all detections. If you select clean as the first action, you must specify a second action.
Selecting a specific action for each threat type: allows you to specify actions in six categories of malware, including: jokes, trojans, viruses, test viruses, packer objects, and other. Select the action you want for each category. You can choose from these actions:
Pass: Allows program access to files even if a threat is detected.
Delete: Deletes the file that triggered the action.
Rename: Changes the file extension to .vir. Subsequent viruses discovered will be given the extensions .vi1, .vi2, and so on.
Quarantine: Encrypts and moves the file to the quarantine directory on the OfficeScan server. The URL or UNC path of the quarantine directory must be specified.
Clean: OfficeScan attempts to clean the file. Not all infected files are cleanable; when selecting clean, you must select a second action.
You can also specify a different virus/malware quarantine directory. You can enter a URL or UNC path. If the directory specified is invalid, OfficeScan uses the default quarantine directory on the client computer: {installationpath}/SUSPECT.
Backing up files before cleaning: is enabled by default. You can disable this feature by deselecting the checkbox. OfficeScan backs up files on the client to the {installationpath}/backup directory.
Spyware/Grayware action options include:
Clean: Terminates processes and deletes registries, files, cookies and shortcuts.
Pass: Spyware/grayware detections are logged for assessment, but otherwise no action is taken.
Configuration options for real-time scan settings are the same as for manual scan settings, described above, with these exceptions:
The page includes options to enable/disable virus/malware and spyware/grayware scanning.
The User Activity on Files (discussed below) options are added.
The Scan floppy disk during system shutdown option is added.
Real-time scanning monitors user activities that involve creating (writing), modifying (rewriting), and retrieving (reading) files.
The User Activity on Files setting specifies when files should be scanned. The table below explains the basic consequences of the three options available.

| Option | User action: Open a read-only file | User action: Copy or move a file from an excluded directory |
| Scan files being created/modified | File NOT scanned | File scanned when written (if destination is not also excluded) |
| Scan files being retrieved | File scanned | [not legible] |
| Scan files being created/modified and retrieved | File scanned | File scanned when written (if destination is not also excluded) |
Table 5.2: Target Activities for Real-time Scan Settings
Action options for real-time scanning are also very much the same as for the manual-scan configuration options described in the previous section. There are, however, a few noteworthy exceptions:
The options to enable/disable the display of end user notification messages for virus/malware scanning and spyware/grayware scanning are added. You can enable notifications for either, both, or neither type of scanning.
The option to deny access instead of clean is added to the spyware/grayware action options, and the option to pass is removed. (To disable actions taken on detected spyware/grayware, simply disable the spyware/grayware scanning option at the top of the Target page.)
All other options are the same as for manual scanning. Please see the section above on Manual Scan Settings for more information.
Configuration options for scheduled scanning are identical to those discussed in the section for Manual Scan Settings above, except for the addition of the schedule configuration itself, shown in the figure above. You can specify the frequency of scheduled scans in daily, weekly, or monthly increments. You can also specify a time of day for each option. Both the weekly and monthly options include drop-down menus for quick and easy configuration. Action options for scheduled scans are also the same as for manual scans. Please see these sections for more information about the options available to you.
Scan Now Settings
Selecting Settings > Scan Now Settings on the toolbar of the Client Management page allows you to define how scans are run when the Scan Now function is used. The console presents Scan Now configuration options in a popup window. Tabs on this page allow you to specify targets for the scan and the actions to be taken when threats are detected.
Configuration options for Scan Now settings are covered in the Manual Scan Settings section above. For more information please see this section. OfficeScan provides separate configurations for Scan Now and Manual Scan functions so that you have the flexibility to create settings for
scans executed from the management console (Scan Now) that are different than those used for executing scans from the local client console (Manual Scan).
1.1. Select the components that you want the Update Agent to distribute to downstream clients (new starting from OfficeScan version 10.5):
Component updates
Domain settings
Client programs and hot fixes
1.2. Click Save.
2. Add target computers to the Updates > Networked Computers > Update Source customized update source list and select the update agent as the update source. Requirements for clients selected to function as update agents include:
Computer operating system: Windows XP, Vista, 7, or Server 2003/2008
800 MHz Intel Pentium or equivalent
RAM: 512 MB minimum, 1 GB recommended on Windows XP or Server 2003; 1 GB minimum, 1.5 GB recommended on Windows Vista, 7 or Server 2008
Available disk space: 700 MB
NOTE Update agents may fail to obtain and deploy components if adequate disk space is not available. Make sure to use only clients with sufficient disk space as update agents. An additional 20 KB for every domain setting update and 160 MB for programs/hot-fix update is needed.
In the client tree, update agents display a different icon once update agent functionality is enabled. To specify update sources for update agents and assign clients to specific update agents, go to the Updates > Networked Computers > Update Source page.
Figure 5.55: Privileges Tab on the Client Privileges and Other Settings Page
Privileges Tab
ROAMING PRIVILEGE
This privilege allows users to enable roaming mode. When in roaming mode, clients can only update components from the OfficeScan server. Roaming clients cannot send logs to the OfficeScan server. The OfficeScan server also cannot manage roaming clients, including initiating tasks and deploying client settings.
SCAN PRIVILEGES
Leaving an option in this section unchecked causes the client console to gray out the corresponding set of configuration options in the user interface and, thus, block end-users from modifying the settings that you choose.
NOTE Any user can start a manual scan from the client console, no matter which options you select here. Changing these privileges determines only whether users can change the parameters of the scan.
SCHEDULED SCAN PRIVILEGES
In this section, you can allow users to either postpone scheduled scans or stop them entirely through the client console. These privileges are designed especially for users who commonly use CPU-intensive applications and frequently work irregular hours or who are regularly subject to tight deadlines to complete jobs that require CPU-intensive processing.
FIREWALL PRIVILEGES You may select to show the Firewall tab on the client console and whether to allow users to enable and disable the OfficeScan firewall, intrusion detection system, and firewall notification messages.
If you leave the Display the Firewall tab checkbox unselected, the client console will not display the Firewall tab and users will not have access to the firewall settings. You may also select to allow clients to send firewall logs to the OfficeScan server. To select how often (in minutes, hours, or days) the clients with this privilege will send their logs to the server, go to Networked Computers > Global Client Settings and select from the options available under Firewall Log Settings.
BEHAVIOR MONITORING PRIVILEGES
If you select to Display the Behavior Monitoring tab on the client console, targeted domains and clients will be able to manage their own exceptions list for approved and blocked applications.
MAIL SCAN PRIVILEGES
If you leave the Display mail scan tab checkbox unselected, the client console will not display the Mail Scan tab, and users will not have access to the Mail Scan settings.
NOTE You can configure Mail Scan only by using the client console.
Tip To prevent users from later modifying Mail Scan settings, you can first configure the settings on the client, then disable the Mail Scan tab in the management console.
TOOLBOX PRIVILEGES
These client tools are add-on components available only through the client interface. At the time of writing, Check Point SecureClient Support is the only tool in the toolbox. If you disable the Toolbox tab, your users will not be able to access this component.
PROXY SETTING PRIVILEGES
If selected, users can configure proxy settings for client connections. However, user-configured proxy settings are used only when:
Users perform an on-demand update using the Update Now function. Allowing mobile users, for example, to configure custom proxy settings may be required for them to access the Trend Micro ActiveUpdate server directly. (Access to the Update Now function is an additional privilege that you may selectively grant or revoke.)
Automatic proxy server detection is turned off and automated configuration by configuration script is not being used. (You can configure automated client proxy settings on the Networked Computers > Global Client Settings page.)
COMPONENT UPDATE PRIVILEGES These options allow you to grant users more control over updates. Clients with these privileges display the corresponding Update Now and/or Enable Scheduled Update options on the pop-up menu when a user right-clicks on the status icon in the system tray.
Granting the privilege to enable/disable scheduled updates does not give clients the ability to configure the update schedule. This update schedule is still an OfficeScan global parameter and is accessible only through the management console.
NOTE To configure the update schedule, click Updates > Networked Computers - Automatic Update. The update schedule configuration is placed under the heading Schedule-based Update.
UNINSTALLING AND UNLOADING
Users may attempt to uninstall the client software using the client's program-group folder in the Start menu, through the Add or Remove Programs utility in the Control Panel, or by direct access through the Windows file system.
Users may attempt to unload (turn off) the OfficeScan client temporarily by right-clicking the client status icon in the Windows system tray and choosing Unload OfficeScan.
Tip OfficeScan allows you to require a password when users attempt to uninstall and/or unload the client software. If you do not want users to be able to unload or uninstall the client software, require passwords for these functions and do not reveal the passwords.
Other Settings
Figure 5.56: Other Settings Tab on the Client Privileges and Other Settings Page
UPDATE SETTINGS
Selecting an option enables the corresponding functionality. Unselecting or leaving an option unselected disables it.
Clients download updates directly from the Trend Micro ActiveUpdate Server
Select to allow clients to download updates directly from the Trend Micro ActiveUpdate Server if the update source(s) you name in the global configuration is/are unreachable.
Important: If you want to deploy scheduled updates to clients, you must select this option. To allow users to stop a scheduled update, select the Stop scheduled scan option on the Privileges tab. The update schedule is on Updates > Networked Computers - Automatic Update, under Schedule-based Update.
Clients can update components but not upgrade the client program or deploy hot fixes
Select to permit clients to update pattern files, but restrict clients from upgrading the client program or deploying hot fixes. This option can stop potentially large updates from occurring outside of administrative planning and control.
WEB REPUTATION SETTINGS
When selected, the OfficeScan client displays a notification to users when the web reputation service blocks a URL that violates a web-reputation policy.
BEHAVIOR MONITORING SETTINGS
When selected, the OfficeScan client displays a notification to users when a program is blocked and, depending on the configuration parameters applied to the target, may offer options for how to handle each incident.
SCHEDULED SCAN SETTINGS
When you enable this option, a notification message displays on the client computer minutes before Scheduled Scan runs. Users are notified of the scan schedule (date and time) and their Scheduled Scan privileges, such as postponing, skipping, or stopping Scheduled Scan.
The number of minutes is configurable. To configure the number of minutes, go to Networked Computers > Global Client Settings > Scheduled Scan Settings > Remind users of the Scheduled Scan __ minutes before it runs.
CLIENT SECURITY SETTINGS
You can change the file permissions for user access to the OfficeScan client installation directory and registry settings.
High: The client installation directory inherits the rights of the Program Files folder and the client's registry entries inherit permissions from the HKLM\Software key. For most Active Directory configurations, this automatically limits normal users (those without administrator privileges) to read-only access.
Normal: Full rights to the OfficeScan client program directory and the OfficeScan client registry entries are given to all users (everyone).
For more information on permissions granted per Windows user type, see Chapter 3: OfficeScan Application Architecture, File-System Security Options for Client Installations on page 50.
POP3 EMAIL SCAN SETTINGS
When selected, this setting enables POP3 mail scan on the client console. This setting only applies to clients with the mail scan privileges.
CLIENT CONSOLE ACCESS RESTRICTION
When selected, users will not be able to launch the client console from the system tray or from the Windows Start menu. They will, however, still be able to do so from the OfficeScan client installation folder.
RESTART NOTIFICATION
Select this option to display a message prompting users to restart the client computer to finish cleaning infected files. For Real-time Scan, the message displays after a particular security risk has been scanned. For Manual Scan, Scheduled Scan, and Scan Now, the message displays once and only after OfficeScan finishes scanning all the scan targets.
5.5.9 Enable/Disable Unauthorized Change Prevention and/or Firewall Services
The Networked Computers > Client Management > Settings > Additional Services page allows you to enable and disable the Unauthorized Change Prevention Service and the Firewall Service for clients running Windows XP, Vista, and 7.
Figure 5.57: Enabling the Unauthorized Change Prevention and Firewall Services
Unauthorized Change Prevention Service (TMBMSRV.EXE): Regulates application behavior and verifies program trustworthiness. Behavior Monitoring, Device Control, Certified Safe Software Service, and Client Self-Protection all require this service.
Firewall Service: Protects clients and servers on the network using stateful inspection, high performance network virus scanning, and elimination.
WARNING! Enabling or disabling the Firewall service temporarily disconnects the clients from the network. Ensure that you change the settings only during non-critical hours to minimize network interruptions.
The request for a URL rating is made using a specially formatted DNS request that functions as a database query to the WRS-controlled domain namespace. Encoded in the DNS response from the WRS DNS servers is a threat score for the originally requested URL. If the client fails twice to receive a response to the DNS lookup, or if the information returned is not sufficient to obtain a reputation score, the client will use HTTP to connect to an HTTP-based rating server.
Tip You can use the Administration > Proxy Settings > External Proxy page to specify proxy server authentication credentials for clients to use when connecting to the Trend Micro Web reputation servers and Global Smart Scan Server.
If the threat score for a URL is lower than the threshold defined by the selected security level (described below), the internal proxy blocks access to the URL and returns a message to the user's web browser (or whatever other process may have initiated the connection). The OfficeScan client also displays a message.
Figure 5.58: User Notification Messages for Web Reputation Services
If the threat score for the URL is higher than the specified threshold, the internal proxy establishes the connection and allows data to pass to and from the web browser (or other host process). The specific methodologies and algorithms by which Trend Micro assigns scores are the result of a dynamic and constantly evolving process of monitoring and analysis. Currently, the threshold score for a safe site is 81, while unrated sites are scored at 61. In other words, if you restrict the client connection to safe sites only, then all URLs accessed by the client over the monitored ports must exceed a value of 80. Additional numerical thresholds correspond to the other security-level options available in a similar fashion.
… enable/disable Smart Protection Server support for WRS is located on the Smart Protection > Integrated Server page, and for standalone servers on the main configuration page of the server.
For more information about Smart Protection server options, see 5.4 > Smart Protection Server Settings, on page 116.
With WRS enabled on one or more Smart Protection Servers, you can then enable/disable use of WRS services on the Smart Protection Server for selected clients/client groups on the Networked Computers > Client Management > Settings > Web Reputation Settings page (shown above). By leaving the option to Query Trend Micro Smart Protection Network if there is no match in Smart Protection Server unselected, these client-management settings allow you to restrict WRS queries to your local Smart Scan server(s) only. This ability to restrict WRS queries to your local Smart Scan server(s) prevents query data about your users' URL requests from leaving your local network. This provides the benefits of reduced Internet traffic and enhanced privacy by eliminating WRS queries to Trend Micro-hosted servers. However, when you select this configuration, the WRS security level is also restricted to blocking only those URLs that have been blacklisted in the current version of threat information on the Smart Scan server as dangerous or verified to be fraudulent or a known source of threat (the low setting). Suspicious and highly suspicious URL information is not replicated downstream to locally hosted Smart Scan servers. To enable blocking for suspicious and highly suspicious URLs, the option to Query Trend Micro Smart Protection Network if there is no match in Smart Protection Server must also be selected. Selecting both Smart Protection options for WRS reduces Internet traffic by eliminating queries for URLs that can be matched by local Smart Scan server(s), but does not prevent query data containing internal browsing activity from leaving the local network.
To configure the web reputation policy for external or internal computers:

1. Click Networked Computers > Client Management and select target clients using the client tree.
2. Click Settings > Web Reputation Settings.
2.1. Select the External Computers or Internal Computers tab, depending on the policy you want to configure.
2.2. Verify that the Enable Web reputation policy checkbox is selected.
2.3. Optionally enable the following:
Assessment (Internal/External): When in assessment mode, Web Reputation Service logs all URLs but allows them to pass. Trend Micro provides assessment mode to allow you to evaluate URLs and then take appropriate action based on your evaluation.
Use the Smart Protection Server Web Reputation Service (Internal only): Internal clients connect to the Smart Protection Server and use the Web Reputation Service to determine the status of the URL.
Query Trend Micro Smart Protection Network if there is no match in Smart Protection Server (Internal only): Internal clients connect to the Smart Protection Network if the Smart Protection Server cannot determine the status of the URL.
2.4. Select a security level. OfficeScan provides the following security levels, which determine whether access to a URL will be blocked or allowed:
Low: Blocks only pages that are verified to be fraudulent or known sources of threat.
Medium: Blocks pages that are verified to be, or suspected of being, fraudulent or known sources of threat.
High: Blocks pages that are verified as fraudulent, sources of threat or spam, or that are suspected of being so. This may include unrated pages.
Tip: Remember that as you set the security level higher, the web threat detection rate improves but the possibility of false positives also increases.
Specify if you want to block Untested URLs. Untested URLs have not been assessed by Trend Micro. While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular web sites. Blocking access to untested pages can improve safety, but it may also prevent access to safe pages.
2.5. Add URLs to the Approved/Blocked List. (Separately add URLs for External and Internal clients.)
2.5.1. Specify whether to enable the Approved or Blocked URL List feature.
2.5.2. Specify a URL in the text box. Use the wildcard character (*) anywhere in the URL.
2.5.3. Select whether to approve or block the URL.
2.5.4. Repeat the required steps until all URLs you want to approve or block are added to the list.
2.5.5. To export the list to a .dat file, click Export and then click Save.
2.5.6. If you have exported a list from another server and want to import it to this screen, click Import and locate the .dat file. The list loads on the screen.
2.6. To submit web-reputation feedback, use the provided URL. The URL links to the Trend Micro Web Reputation Query system. This system provides details about blocked URLs and allows users to send Web Reputation feedback to Trend Micro.
2.7. Select whether to Allow clients to send logs to the OfficeScan server. This option is available for both the internal and external configuration. You can use this option to analyze blocked URLs and, later, add safe URLs to the approved URL list, which can be managed on the Global Client Settings page.
3. Click Save.
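As an added example (not code from this textbook or from Trend Micro), the following Python models how the settings in steps 2.3 through 2.5 combine into one allow/block decision for a URL: approved/blocked list patterns with the * wildcard, the security level, the block-untested option, assessment mode, and the local Smart Protection Server lookup with the optional fallback to the Smart Protection Network. The rating names, the assumption that the approved/blocked lists are consulted before any reputation lookup, and the sample reputation data are constructed for this model and are not OfficeScan internals.

```python
"""Model of a web reputation decision for one URL.

Added example, not Trend Micro code. Rating names, the ordering of the
approved/blocked list ahead of any reputation lookup, and the sample
reputation data are assumptions constructed for this model.
"""
import fnmatch
from dataclasses import dataclass, field

# Ratings each security level blocks (per the Low/Medium/High table above).
# 'untested' (no record) is governed by the separate block-untested option.
LEVEL_BLOCKS = {
    "low":    {"dangerous"},
    "medium": {"dangerous", "highly suspicious"},
    "high":   {"dangerous", "highly suspicious", "suspicious"},
}


@dataclass
class WebReputationPolicy:
    security_level: str = "medium"
    block_untested: bool = False          # the separate 'block untested URLs' option
    assessment_mode: bool = False         # log only, always allow
    use_local_server: bool = True         # internal clients ask the Smart Protection Server
    query_cloud_if_no_match: bool = True  # fall back to the Smart Protection Network
    approved: list = field(default_factory=list)  # URL patterns, '*' allowed anywhere
    blocked: list = field(default_factory=list)


def _matches(url, patterns):
    return any(fnmatch.fnmatchcase(url.lower(), p.lower()) for p in patterns)


def lookup(url, policy, local_db, cloud_db):
    """Return (rating, source) following the local-then-cloud order.
    Assumption: the local server only holds blacklist ('dangerous') data."""
    if policy.use_local_server and url in local_db:
        return local_db[url], "local"
    if (not policy.use_local_server or policy.query_cloud_if_no_match) and url in cloud_db:
        return cloud_db[url], "cloud"
    return "untested", "none"


def evaluate(url, policy, local_db, cloud_db):
    """Return {'action', 'reason', 'rating', 'source'} for one URL."""
    if _matches(url, policy.approved):
        return {"action": "allow", "reason": "approved list", "rating": None, "source": "list"}
    if _matches(url, policy.blocked):
        return {"action": "block", "reason": "blocked list", "rating": None, "source": "list"}
    rating, source = lookup(url, policy, local_db, cloud_db)
    would_block = (rating in LEVEL_BLOCKS[policy.security_level]
                   or (rating == "untested" and policy.block_untested))
    if would_block and policy.assessment_mode:
        return {"action": "allow", "reason": "assessment mode (logged)",
                "rating": rating, "source": source}
    return {"action": "block" if would_block else "allow",
            "reason": f"{policy.security_level} level", "rating": rating, "source": source}


# Constructed sample reputation data (not real ratings).
LOCAL_DB = {"http://bad.example/": "dangerous"}
CLOUD_DB = {"http://bad.example/": "dangerous",
            "http://odd.example/": "suspicious",
            "http://news.example/": "safe"}


def demo():
    """Compare a local-only policy with one that falls back to the cloud."""
    local_only = WebReputationPolicy(security_level="high", query_cloud_if_no_match=False,
                                     blocked=["http://*.casino.example/*"])
    with_cloud = WebReputationPolicy(security_level="high")
    return {
        "blacklisted": evaluate("http://bad.example/", local_only, LOCAL_DB, CLOUD_DB)["action"],
        "suspicious_local_only": evaluate("http://odd.example/", local_only, LOCAL_DB, CLOUD_DB)["action"],
        "suspicious_with_cloud": evaluate("http://odd.example/", with_cloud, LOCAL_DB, CLOUD_DB)["action"],
        "wildcard_blocked": evaluate("http://www.casino.example/play", local_only, LOCAL_DB, CLOUD_DB)["action"],
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Running demo() shows the trade-off described earlier: with the cloud fallback disabled, the suspicious URL is allowed even at the High level, because only blacklisted ratings reach the local server, while the same URL is blocked once the fallback query is permitted.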
Microsoft Internet Explorer 6 with SP2 or higher, 7.x, 8.x; Mozilla Firefox 3.5 to 4.x.x
Important: To help ensure that the OfficeScan client does not interfere with critical server applications, behavior monitoring is disabled on server platforms. You can enable behavior monitoring by modifying the server's registry settings. See 6.4 > Post-Installation Considerations for Servers and x64 Desktop Platforms on page 241 for more details.

To configure behavior monitoring, click Networked Computers > Client Management and select the target clients or domains from the client tree. Then, on the toolbar above the client tree, click Settings > Behavior Monitoring Settings.

The Behavior Monitoring Settings page provides these configuration options:

Enable Malware Behavior Blocking: Enables/disables behavior monitoring for the detection of malware activity and similar threats. (Default: enabled.)
Enable Event Monitoring: Enables/disables the monitoring of selected system events, such as a change to the hosts file that can redirect TCP/IP connections to malware sites, or the installation of an Internet Explorer plugin that may represent any number of unknown risks. (Event monitoring is disabled by default.) An executable file can be manually approved or blocked by specifying the full path to the program and adding it to the approved or blocked programs list using the configuration tool provided in the lower half of the page.

For each monitored event, the action can be set to one of the following:
Assess: Allows processes associated with an event but records the action in the logs. This is the default for every event listed below.
Ask When Necessary: Prompts users to allow or deny processes that may have violated Behavior Monitoring policies.
Deny: Always blocks processes associated with an event and records this action in the logs.

End-user prompts are pop-up notifications that ask users to select whether to allow or deny a process to execute, and also whether to add the program to the allowed or blocked exceptions list. If the user does not respond within the amount of time specified in the global configuration options for behavior monitoring, the OfficeScan client allows the process to continue. Ask When Necessary therefore fails open on unattended or ignored prompts; use Deny for events where that is not acceptable. The table below identifies monitorable events and explains how the corresponding system changes may be used by malicious programs. This information is available on the Behavior Monitoring Settings page by mousing over the name of each policy and reading the text displayed in the detail column on the far right.
Event | Description | Default Action
Duplicated System File | Many malicious programs create copies of themselves or other malicious programs using the names of Windows system files. This may be done to override or replace system files, avoid detection, or discourage users from deleting the files. | Assess
Hosts File Modification | The Hosts file matches domain names with IP addresses. Many malicious programs modify the Hosts file so that the Web browser is redirected to infected, non-existent, or fake websites. | Assess
Suspicious Behavior | Suspicious behavior can be a specific action or a series of actions that is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should be used with caution. | Assess
New Internet Explorer Plugin | Spyware/grayware programs often install unwanted Internet Explorer plugins, including toolbars and Browser Helper Objects. | Assess
Internet Explorer Setting Modification | Changes to Internet Explorer settings, including the home page, trusted websites, proxy settings, and menu extensions. | Assess
Security Policy Modification | Modifications in Windows Security Policy can allow unwanted applications to run and change system settings. | Assess
Program Library Injection | Configuring Windows applications to load a malicious program library (DLL) automatically allows malicious code to run every time an application starts. | Assess
Shell Modification | Shell settings can associate a malicious program with a certain file type, launching the program when a file is double-clicked in Windows Explorer. Malicious programs can also use shell settings to track program use and start alongside legitimate applications. | Assess
New Service | Windows services have special functions and typically run continuously in the background with full administrative access. Malicious programs can hide themselves by running as services. | Assess
System File Modification | Certain Windows system files determine system behavior, including startup programs and screensaver settings. Many malicious programs modify system files to launch automatically at startup and control system behavior. | Assess
Firewall Policy Modification | Malicious programs often attempt to modify the firewall policies to allow themselves access to the network and the Internet. | Assess
System Process Modification | Many malicious programs perform various actions on built-in Windows processes. These actions can include terminating or modifying running processes. | Assess
New Startup Program | Adding or modifying the autostart entries in the Windows registry can cause malware to launch every time the computer starts. | Assess
To add programs to the approved/blocked exception lists, enter the full filesystem path to the program and click Approve Programs or Block Programs, depending on the purpose of your entries. Program items entered will then be displayed in the corresponding tables at the bottom of the page. Because entries are matched by path, approve only programs that reside in locations standard users cannot write to; otherwise anything placed at that path inherits the exemption.

Tip: To add multiple entries at once, separate each pathname with a semicolon (;).

Approved Programs List: This list may contain a maximum of 100 entries. List items may be deleted by clicking the item's corresponding trash icon. OfficeScan enables the Approved Programs List feature by default. The Device Control feature also allows full access to these programs.

Blocked Programs List: The OfficeScan client will always block programs in this list from being started. This list may contain a maximum of 100 entries. List items may be deleted by clicking the item's corresponding trash icon.

If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from these options:

Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
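The Hosts File Modification event above tells you that the hosts file was written, not what changed. As an added example (not OfficeScan code), this Python check parses hosts-file text and reports the patterns a practitioner looks for after such an event: a security-vendor or OS-update domain blackholed with 0.0.0.0, a watched domain redirected off the local machine, and one external address collecting many unrelated names. The watched-domain suffixes and the sample file are constructed; the hostnames in them are illustrative.

```python
"""Flag hosts-file tampering of the kinds the Hosts File Modification event covers.

Added example, not OfficeScan code. The watched-domain suffixes and the
sample hosts file are constructed; hostnames in them are illustrative.
"""
import ipaddress
from collections import defaultdict

# Domains whose redirection would hurt most (constructed watch-list).
WATCHED_SUFFIXES = ("trendmicro.com", "windowsupdate.com", "bank.example")

# Constructed sample: the two loopback lines are the Windows defaults,
# the rest are the shapes of malicious edits.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         activeupdate.trendmicro.com   # blackhole security updates
0.0.0.0         download.windowsupdate.com
198.51.100.7    www.bank.example login.bank.example
198.51.100.7    www.search.example
198.51.100.7    mail.example
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; skip blanks, comments
    and lines whose first field is not an IP address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def _is_watched(name, watched):
    return any(name == s or name.endswith("." + s) for s in watched)


def find_suspicious_entries(text, watched=WATCHED_SUFFIXES, fanout_limit=2):
    """Return [(line_no, hostname(s), ip, reason)] findings for a hosts file."""
    findings = []
    names_by_ip = defaultdict(set)
    for ip, name, line_no in parse_hosts(text):
        names_by_ip[ip].add(name)
        if ip.is_loopback:
            continue  # local overrides (including 'localhost') are not redirection
        if ip.is_unspecified:  # 0.0.0.0 or :: makes the name unreachable
            if _is_watched(name, watched):
                findings.append((line_no, name, str(ip), "watched domain blackholed"))
        elif _is_watched(name, watched):
            findings.append((line_no, name, str(ip), "watched domain redirected"))
    # Many unrelated names pointing at one remote address is the pharming
    # pattern: every listed site silently lands on the attacker's server.
    for ip, names in names_by_ip.items():
        if not (ip.is_loopback or ip.is_unspecified) and len(names) > fanout_limit:
            findings.append((0, ",".join(sorted(names)), str(ip), "many names on one address"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

On a real client, feed the function the contents of %SystemRoot%\System32\drivers\etc\hosts and tailor the watch-list to the update servers and internal sites your environment depends on.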
and, combined with file scanning, helps guard against security risks. Device Control is available only on computers running x86 type platforms.

To configure device control, click Networked Computers > Client Management and select the target clients or domains from the client tree. Then, on the toolbar above the client tree, click Settings > Device Control. Choosing Block AutoRun function in USB devices prevents maliciously altered autorun.inf files from instructing the OS to run applications.

Device control governs data access based on the permissions you select for files stored on the various types of devices monitored.

Permissions:
Full access
Read only
No access

The scanning functions in OfficeScan complement and may override the device permissions. For example, if the permission allows a file to be opened but OfficeScan detects that the file is infected with malware, a specific scan action will be performed on the file to eliminate the malware. If the scan action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is deleted. Starting from OfficeScan 10.5, you can also create exception lists to ensure access to programs that are shared by groups of people or to ensure that people can edit documents on storage drives.
Grant full access to all device types: Applications in this list are exempt from Device Control policies and have full access to external storage devices and network resources.

Allow to be run from devices: Applications in this list can be run from external storage devices, but do not have access to external devices.

To manage access to external devices:
1. Click Networked Computers > Client Management > Settings > Device Control.
2. Select the checkbox to enable device control.
2.1. Choose whether to block or allow the AutoRun function (autorun.inf) on USB devices connected to the computer.
2.2. Select the permissions for each device type.
3. Select whether to display a notification message on the client computer when OfficeScan detects unauthorized device access, which includes all operations that OfficeScan blocks.
4. Add device-access-control exceptions to the exception lists as required.
4.1. To approve an application for full access to all device types, select Grant full access to all device types, enter the full path of the program, and then click Add.
4.2. To allow an application to be run from an external device, select Allow to be run from devices, enter the full path of the program, and then click Add.
Tip: Use wildcards (* ?) as a substitute for drive letters or file names. The maximum number of entries is 100. However, you can add up to 1,000 entries in the .ini file.
5. If you selected domains or clients on the client tree, click Save to apply settings. If you selected the root icon, you can also choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
When using the DLP plug-in, the Device Control Settings page displays new device control features implemented with DLP in OfficeScan 10.6.
Important: Device Control only supports 32-bit platforms.

Important: By default, Device Control is disabled on 32-bit versions of Windows Server 2003 and Windows Server 2008.

Important: The types of devices that OfficeScan can monitor depend on whether the Data Protection license is activated. Data Protection is a separately licensed module and must be activated before it can be used.

For more information on Device Control when using DLP, see Appendix B: Managing Data Protection and Using Digital Asset Control on page 360.
Apply the approved list to one or several clients and domains, or to all clients that the server manages. The approved list applies to all Scan Types, which means that the same approved list will be used during Manual Scan, Real-time Scan, Scheduled Scan and Scan Now. OfficeScan can accommodate a maximum of 1024 spyware/grayware entries in the approved list.

To manage the spyware/grayware approved list:
1. Click Networked Computers > Client Management > Settings > Spyware/Grayware Approved List.
2. On the Spyware/Grayware names table, select a spyware/grayware name. To select multiple names, press the Ctrl key while selecting.
Tip: You can also type a keyword in the Search field and click Search. OfficeScan refreshes the table with the names that match the keyword.
4. If you selected domains or clients on the client tree, click Save to apply settings. If you selected the root icon, you can also choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
Exporting settings creates a .dat file in the directory you specify. To import settings back to the same server or to another server, select the root, domain, or individual client to which you want to apply the settings, then click Settings > Import Settings. The Import Settings page (shown in the figure above) allows you to input the path and filename of the .dat file, or click Browse to use the Open File dialog to find it.

Figure 5.68: Logs Menu on the Toolbar of the Client Management Page

These options provide direct access to the same capability that is provided on the Logs > Networked Computer Logs > Security Risks page, as shown in the figure below.

For more information on using OfficeScan log data, including the search, display, and delete functions, please see Chapter 11: Logs on page 329.

When searching for log data you may select any number of clients from the client tree. You may select individual clients or whole domains. Selecting the OfficeScan Server icon selects all clients in all domains.
Figure 5.69: Logs > Networked Computer Logs > Security Risks Page

Once you have selected your target clients, clicking an item in the logs menu launches a search configuration page for the type of log you have selected. After configuring the search criteria, clicking Display Logs displays log data that matches the criteria you have selected.

5.5.16 Client Management: Managing the Client Tree

OfficeScan 10.5 introduces the ability to use a rule-based system for creating OfficeScan domains, assigning clients to them, and periodically re-sorting clients based on the rules that you create. This system is enabled by selecting custom client groups on the Networked Computers > Client Grouping page.

For more information about how to manage OfficeScan Custom Client Groups, see section 5.5 > Client Management on page 124.

The Manage Client Tree drop-down menu at the top of the client tree on the Client Management page provides you with these options:

Figure 5.70: Manage Client Tree Menu on the Toolbar of the Client Management Page

NOTE: When the Custom Client Groups feature is used, the Add Domain and Rename Domain options are not available. You are also not able to move clients using drag-and-drop, and with the Move Client tool you are only allowed to move clients to another OfficeScan server; you cannot move clients to another folder. To do so when using custom client groups, you must create a rule that accomplishes your goal and place that rule in the proper order within the list of sorting rules. When one of the manual sorting options is used, the Sort Client option is not available.

A domain in OfficeScan is a group of clients that share the same configuration and run the same tasks. When a client is installed or moved from one domain to another, the client adopts the settings of the domain it joins.
OfficeScan domains do not need to mirror your Microsoft Windows domain assignments. Members of a single Microsoft Windows domain may be assigned across any number of OfficeScan domains based on any criteria you choose. By creating domains and assigning clients to them, you can simplify your management and configuration tasks. Common manual domain-management strategies include grouping clients based on departments, the functions they perform, or a combination of the two. You can also, as time progresses, group clients temporarily or permanently according to the risk of infection and, for high-risk clients, apply more secure configurations than you would normally assign otherwise.

By default, OfficeScan simulates your network domains. The domain and client names in the client tree initially have the same names as the domain and computer names in your network. However, you can delete or rename the domains that OfficeScan has created for you, create a new domain, or transfer clients from one domain to another, regardless of your existing Microsoft domain structure.

Tip: You can also group clients by existing NetBIOS names, Active Directory names, or DNS hierarchy. This setting is located on the Networked Computers > Global Client Settings page under the heading Client Grouping.

To add a domain (from the Networked Computers > Client Management page):
1. Click Manage Client Tree > Add Domain on the toolbar.
2. Type a name for the domain you are adding.
3. Click Add. The new domain appears in the client tree.

To rename a domain (from the Networked Computers > Client Management page):
1. Select the domain you want to rename.
2. Click Manage Client Tree > Rename Domain on the toolbar.
3. Type a new name for the domain.
4. Click Rename. The domain appears in the client tree under the new name.
To move a client
1. Select the client(s) that you want to move.
2. Click Manage Client Tree > Move Client on the toolbar.
3. Select whether to move clients to another domain or to another OfficeScan server.
3.1. To move clients to another domain, select Move selected client(s) to another domain, then select the target domain from the drop-down menu and select whether to apply the settings of the new domain to the clients.
Tip: You can also drag and drop clients from one domain to another within the client tree.
3.2. To move clients to another OfficeScan server, select Move selected client(s) to another OfficeScan server, then enter the name and port number of the other server.

To sort clients (from the Networked Computers > Client Management page):
1. Click Manage Client Tree > Sort Client.
2. Click Start in the Sort Client dialog that appears.
3. Wait for the sorting process to complete, and then verify the results.

To delete a domain
1. Delete all clients within the domain you want to remove or, alternatively, move all clients within the domain to be deleted to another domain. Only empty domains may be deleted. (You can move clients to other domains by simply dragging and dropping them on the domain to which you wish to move them.)
2. Select the domain you want to delete.
3. Click Manage Client Tree > Remove Domain/Client on the toolbar.
4. Click Yes when the confirmation prompt appears. The domain will be deleted.

To delete a client
NOTE: Deleting a client removes it from the client tree, but does not uninstall the client software on the target computer. Even if deleted, the OfficeScan client can still perform server-dependent tasks, such as updating components. The server, however, will no longer be able to send configuration changes or other notifications to the client.
1. Select the client you want to delete.
2. Click Manage Client Tree > Remove Domain/Client on the toolbar.
3. Click Yes when the confirmation prompt appears. The client will be deleted.
the client tree. Data for selected clients is saved to a .csv (comma-separated values) file, which you can view using Microsoft Excel and other spreadsheet programs.

Figure 5.72: Internet Explorer File Download Dialog for Exporting OfficeScan Client Data

Lab Exercise 3: Configure Smart Scan
Lab Exercise 4: Configure Client Settings
this checkbox to specify which compressed files OfficeScan should skip, based on (a) the size of each extracted file and (b) the number of files within the compressed file. All clients managed by the server check these settings when scanning compressed files for virus/malware and spyware/grayware during Manual Scan, Real-time Scan, Scheduled Scan and Scan Now. Note that any archive skipped under these limits is not scanned at all, so set the thresholds with the size of legitimate archives in your environment in mind.

Select this checkbox to add an OfficeScan scan-now link to the Windows shell so that the option appears in Windows context menus. This allows users to scan files and folders by right-clicking a file or folder and clicking Scan with OfficeScan Client.
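As an added example (not OfficeScan code), the Python below applies the two thresholds the compressed-file setting above exposes, maximum extracted file size and maximum file count, to a ZIP archive by reading only its central directory, and adds a compression-ratio check that the OfficeScan setting itself does not offer. The limits and the sample archives are constructed for the example. The caveat in the code matters in practice: the sizes recorded in ZIP headers are attacker-controlled, so a scanner that does decompress must also cap the bytes it actually writes out.

```python
"""Apply compressed-file scan limits to a ZIP archive without extracting it.

Added example, not OfficeScan code. The limits and sample archives are
constructed. Caution: the sizes come from ZIP headers, which an attacker
controls; a scanner that does extract must also cap the bytes it writes.
"""
import io
import zipfile
from dataclasses import dataclass


@dataclass
class CompressedFileLimits:
    max_extracted_file_bytes: int = 2 * 1024 * 1024  # (a) size of each extracted file
    max_entries: int = 100                           # (b) number of files in the archive
    max_ratio: float = 100.0                         # extra: total uncompressed/compressed


DEFAULT_LIMITS = CompressedFileLimits()


def inspect_zip(data, limits=DEFAULT_LIMITS):
    """Return (decision, detail); decision is 'scan', 'skip' or 'suspicious'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "suspicious", "not a valid ZIP archive"
    if len(entries) > limits.max_entries:
        return "skip", f"{len(entries)} files exceeds limit of {limits.max_entries}"
    largest = max((i.file_size for i in entries), default=0)
    if largest > limits.max_extracted_file_bytes:
        return "skip", f"largest entry is {largest} bytes, over {limits.max_extracted_file_bytes}"
    compressed = sum(i.compress_size for i in entries) or 1
    ratio = sum(i.file_size for i in entries) / compressed
    if ratio > limits.max_ratio:
        # A small file that claims to inflate enormously is the decompression-bomb shape.
        return "suspicious", f"compression ratio {ratio:.0f}:1"
    return "scan", f"{len(entries)} files, largest {largest} bytes"


def build_zip(entries):
    """Constructed helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples.
SMALL_ARCHIVE = build_zip({"report.docx": b"document body " * 10, "notes.txt": b"hello"})
MANY_FILES = build_zip({f"part{i}.txt": b"x" for i in range(150)})
BIG_ENTRY = build_zip({"big.bin": bytes(3 * 1024 * 1024)})  # one 3 MiB entry
BOMB = build_zip({"zeros.bin": bytes(1024 * 1024)})         # 1 MiB that deflates to about 1 KiB


if __name__ == "__main__":
    for label, blob in [("small", SMALL_ARCHIVE), ("many", MANY_FILES),
                        ("big", BIG_ENTRY), ("bomb", BOMB), ("junk", b"not a zip")]:
        print(label, *inspect_zip(blob))
```

The order of the checks is deliberate: the cheap count and per-entry size limits run first, and only archives that pass them are examined for the bomb-like ratio, so a "skip" decision always corresponds to one of the two OfficeScan thresholds.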
Figure 5.74: Windows Shell Integration for OfficeScan Client Software

Exclude the OfficeScan server database folder from Real-time Scan: Selecting this option prevents OfficeScan from scanning its own database. (Selected by default.)

NOTE: Trend Micro recommends preserving this selection to prevent any possible corruption of the database that may occur during scanning.
If the OfficeScan client and a Microsoft Exchange 2000/2003 server exist on the same computer, OfficeScan will not scan the Exchange server folders for virus/malware and spyware/grayware during Manual Scan, Real-time Scan, Scheduled Scan and Scan Now. For Microsoft Exchange 2007 folders, you need to manually add the folders to the scan exclusion list. For scan exclusion details, see http://technet.microsoft.com/en-us/library/bb332342.aspx.
GLOBAL VIRUS/MALWARE SETTINGS The following scan setting applies only to virus/malware:
Clean/Delete infected files within compressed files
Select this checkbox if you want to clean or delete compressed files. Enabling this setting may increase computer resource usage during scanning and scanning may take longer to complete. This is because OfficeScan needs to decompress the compressed file, clean or delete infected files within the compressed file, and then re-compress the file. OfficeScan supports only certain compressed file formats, including ZIP and Office Open XML, which uses ZIP compression technologies. Office Open XML is the default format for Microsoft Office 2007/2010 applications such as Excel, PowerPoint, and Word.
GLOBAL SPYWARE/GRAYWARE SETTINGS The following scan settings apply only to spyware/grayware:

Enable assessment mode: Because cleaning terminates processes and deletes registry entries, files, cookies and shortcuts, assessment mode was designed to allow you to first evaluate whether regularly detected spyware/grayware is legitimate (acceptable to your organization) or not. During the evaluation you would then have the opportunity to add accepted grayware instances to the spyware/grayware approved list.

NOTE: The approved list is configurable on a per-domain/per-client basis and is accessible from the Networked Computers > Client Management page. On this page, select the clients you wish to configure, then click Settings > Spyware/Grayware Approved List to configure the list.

When in assessment mode, OfficeScan logs spyware/grayware detections but does not attempt to clean/remove the detected instances.

NOTE: Assessment mode overrides current user and/or administrator scan actions. Therefore, even if Clean is the current action for the client's Manual Scan configuration, cleaning will not occur during assessment mode.
a few weeks) because unwanted spyware/grayware outbreaks may occur. Determine how much time you need to collect spyware/grayware samples on your network and limit assessment mode to that period of time.
Regularly examine the OfficeScan logs to determine which, if any, detected items
investigate it no further, you can send the files to Trend Micro for analysis.
NOTE: You can choose to enable assessment mode when installing the OfficeScan server software. For more information, see step 19, Choosing Assessment Mode Options, on page 88.

Scan for cookies: Some cookies track clicks that users make and record information that users enter into non-encrypted web forms. Spyware cookies can be used by malicious individuals to collect information. Select this option to scan for potentially harmful cookies.

Sometimes counting cookies as spyware incidents can give you an artificially high perception of risk.

OfficeScan displays a notification message a specified number of minutes before scanning runs to remind users of the scan schedule (date and time) and any Scheduled Scan privilege you grant them. The notification message can be enabled/disabled by going to Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab > Scheduled Scan Settings. If disabled, no reminder displays.
Only users with the "Postpone Scheduled Scan" privilege can perform the following actions:
Postpone Scheduled Scan before it runs and then specify the postpone duration.
If Scheduled Scan is in progress, stop scanning and restart it later. Users then specify the amount of time that should elapse before scanning restarts. When scanning restarts, all previously scanned files are scanned again. The maximum postpone duration/elapsed time users can specify is 12 hours and 45 minutes, which you can reduce by specifying the number of hour(s) and/or minute(s) in the fields provided.

Automatically Stop Scheduled Scan When Scanning Lasts More Than __ Hour(s) and __ Minute(s): OfficeScan stops scanning when the specified amount of time is exceeded and scanning is not yet complete. OfficeScan immediately notifies users of any security risk detected during scanning.

Skip Scheduled Scan When a Wireless Computer's Battery Life is Less Than __ % and its AC Adapter is Unplugged: OfficeScan immediately skips scanning when Scheduled Scan launches if it detects that a wireless computer's battery life is running low and its AC adapter is not connected to any power source. If battery life is low but the AC adapter is connected to a power source, scanning proceeds.

Resume a Missed Scheduled Scan: When Scheduled Scan did not launch because OfficeScan was not running on the day and time of Scheduled Scan, scanning is launched when OfficeScan is running at the exact time Scheduled Scan is set to run, regardless of the day.
While the ability to send logs is a client/domain setting, the frequency with which firewall logs may be sent is a global parameter. This parameter applies only to clients with the privilege to send firewall logs. You may select the frequency in increments of minutes, hours, or days and specify the number using the associated drop-down list.

COMMON FIREWALL DRIVER UPDATE SETTINGS To avoid temporary disconnection from the network and other disruptions to end-user workflow that may occur if the Common Firewall Driver is updated during client upgrade, select Update the Common Firewall Driver only after a system reboot. This allows users to receive other non-disruptive updates as soon as they are available, but does not update the firewall driver until the next time the machine is shut down and restarted.

NOTE: OfficeScan clients must be running version 8.0 SP1 or newer to use this feature. Clients running older software will still be prompted to restart immediately whenever updates to the Common Firewall Driver are deployed.

load a kernel mode driver. This can happen after installing a hot fix or an upgrade package. Restarting the computer installs the new version, and no further restart is required. This alert appears as a notification message.
When a service stops, OfficeScan waits a specified number of minutes before restarting the service.

Specify the maximum retry attempts for restarting a service. If a service remains stopped after the maximum retry attempts, restart it manually. After exhausting the maximum retry attempts, OfficeScan waits a specified number of hours before resetting the failure count; if the service is still stopped when that period elapses, OfficeScan attempts to restart it again.
To prevent programs and users from modifying or deleting OfficeScan files, OfficeScan locks all digitally signed files with .exe, .dll, and .sys extensions in the root of the client installation folder, along with these unsigned files:
bspatch.exe bzip2.exe INETWH32.dll libcurl.dll libeay32.dll libMsgUtilExt.mt.dll msvcm80.dll MSVCP60.DLL msvcp80.dll msvcr80.dll OfceSCV.dll OFCESCVPack.exe patchbld.dll patchw32.dll patchw64.dll PiReg.exe ssleay32.dll Tmeng.dll TMNotify.dll zlibwapi.dll
NOTE Protection does not extend to subfolders under the root folder.
If you enable Protect OfficeScan Client Processes, OfficeScan blocks all attempts to terminate these processes:
TMListen.exe | OfficeScan NT Listener receives commands and notifications from the OfficeScan server and facilitates communication from the client to the server.
NTRtScan.exe | OfficeScanNT RealTime Scan performs real-time, scheduled, and manual scans on OfficeScan clients.
TmProxy.exe | OfficeScan NT Proxy Service scans ... target application
TmPfw.exe | OfficeScan NT Firewall provides ...
TMBMSRV.exe | Trend Micro Unauthorized Change Prevention Service (behavior monitoring) regulates access to external storage devices and prevents unauthorized changes to registry keys and processes.
NOTE To date, this setting can be deployed only to clients running on x86 platforms.
If you enable Protect OfficeScan Client Registry Keys, OfficeScan blocks all attempts to modify, delete, or add new entries under the following registry keys and subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PCcillinNTCorp\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TMCSS
NOTE To date, this setting can be deployed only to clients running on x86 platforms.
If you enable Protect OfficeScan client services, users will no longer be able to stop OfficeScan-related client services by using either the Microsoft Service Management Console or the net stop command. You can cross-reference the service names below with the process names listed above for brief explanations of the function of each service.
OfficeScan NT Listener (TMListen.exe)
OfficeScanNT RealTime Scan (NTRTScan.exe)
OfficeScan NT Proxy Service (TMProxy.exe)
OfficeScan NT Firewall (TmPfw.exe)
Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe)
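The three self-protection settings above (locked files, protected processes and services, protected registry keys) are only useful if the things they protect are actually present and healthy on the endpoint. The following PowerShell audit is an added example, not code from this textbook or from Trend Micro: it checks the service, file and registry names listed in the text from a client. The client installation folder passed as a parameter is an assumption you must supply, and the registry keys are written in PowerShell HKLM: drive notation.

```powershell
# Added example, not Trend Micro code: audit the OfficeScan client self-protection
# targets named above on a Windows client. Service display names, file names and
# registry keys are the ones listed in the text; the client root folder is an
# assumption supplied by the caller. Run in an elevated PowerShell session.
$OfficeScanServices = @(
    'OfficeScan NT Listener',
    'OfficeScanNT RealTime Scan',
    'OfficeScan NT Proxy Service',
    'OfficeScan NT Firewall',
    'Trend Micro Unauthorized Change Prevention Service'
)
# Unsigned files that the file lock covers explicitly (from the list above).
$UnsignedLockedFiles = @(
    'bspatch.exe', 'bzip2.exe', 'INETWH32.dll', 'libcurl.dll', 'libeay32.dll',
    'libMsgUtilExt.mt.dll', 'msvcm80.dll', 'MSVCP60.DLL', 'msvcp80.dll', 'msvcr80.dll',
    'OfceSCV.dll', 'OFCESCVPack.exe', 'patchbld.dll', 'patchw32.dll', 'patchw64.dll',
    'PiReg.exe', 'ssleay32.dll', 'Tmeng.dll', 'TMNotify.dll', 'zlibwapi.dll'
)
# The registry keys from the text, written as PowerShell HKLM: drive paths.
$ProtectedRegistryKeys = @(
    'HKLM:\SOFTWARE\TrendMicro\PCcillinNTCorp\CurrentVersion',
    'HKLM:\SOFTWARE\TrendMicro\NSC',
    'HKLM:\SOFTWARE\TrendMicro\TMCSS'
)

function Test-OfficeScanClientProtection {
    param([Parameter(Mandatory)][string]$ClientRoot)  # client installation folder (assumed path)
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Each protected service should be installed and running; a stopped service
    #    means the corresponding protection (listener, scan, firewall, ...) is off.
    foreach ($display in $OfficeScanServices) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) { $findings.Add("service missing: $display"); continue }
        if ($svc.Status -ne 'Running') { $findings.Add("service not running: $display ($($svc.Status))") }
    }

    # 2. The file lock covers signed .exe/.dll/.sys in the root folder only. Any other
    #    binary there whose Authenticode signature is not valid is outside the lock.
    Get-ChildItem -Path (Join-Path $ClientRoot '*') -File -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
        Where-Object { $UnsignedLockedFiles -notcontains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') { $findings.Add("not covered by file lock (signature $($sig.Status)): $($_.Name)") }
        }

    # 3. The explicitly listed unsigned files must exist to be locked at all.
    foreach ($name in $UnsignedLockedFiles) {
        if (-not (Test-Path -LiteralPath (Join-Path $ClientRoot $name))) { $findings.Add("listed file absent: $name") }
    }

    # 4. The protected registry keys should be present.
    foreach ($key in $ProtectedRegistryKeys) {
        if (-not (Test-Path -LiteralPath $key)) { $findings.Add("registry key absent: $key") }
    }
    return $findings
}

# Usage (the path is an assumption; substitute your client installation folder):
# Test-OfficeScanClientProtection -ClientRoot 'C:\Program Files\Trend Micro\OfficeScan Client'
```

An empty result means every listed service is running, every listed file is in place, and no unsigned binary is sitting in the root folder outside the lock. Remember the NOTE above: the lock does not extend to subfolders, so the check deliberately looks at the root folder only.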
OfficeScan. Only certain types of malware, such as worms, are network viruses. Network viruses use protocols, such as TCP, FTP, UDP, HTTP, and email protocols to replicate. Unlike other malware, they typically do not alter system files or modify hard-disk boot sectors, for example. Instead, they typically infect active memory and cause their hosts to flood the network with traffic, which can cause slowdowns and even complete network failure. By enabling OfficeScan clients to send network virus logs to the OfficeScan server on an hourly basis, the OfficeScan server can then send them to your Control Manager server(s) to ensure that the active monitoring, consolidation, and reporting capabilities of Control Manager have up-to-date information about the state of the network.
Causes clients to use a proxy auto-configuration (PAC) script set by the network administrator to detect the appropriate proxy server. To use this option, you must provide the UNC path or a URL to the script.
To add internal gateway addresses to the computer-location configuration:
1. Click Networked Computers > Computer Location.
2. Enter the dot-decimal IP address of the internal gateway.
3. [optional] Enter the MAC (Ethernet) address. If you use private IP addressing on your internal network, providing the MAC address of the gateway can add an extra layer of security. Because MAC addresses are globally unique, if your mobile clients go to another network that uses the same internal IP address scheme, the OfficeScan client can still distinguish between networks because the MAC addresses will be different.
4. Click Add.
NOTE Do not confuse the Computer Location setting with the Smart Scan Source settings.
Computer Location is used only to determine whether a client is internal or external. Once a Smart Scan client is determined to be internal, it will connect to a Smart Scan server according to the settings you configure at Smart Scan > Smart Scan Source.
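To make the point of step 3 concrete, here is an added PowerShell model of the internal/external decision (not code from the textbook or from Trend Micro, and not how the OfficeScan client is implemented). It takes the gateway entries an administrator would type on the Computer Location page and the gateway a client currently sees; all IP and MAC addresses in it are constructed for the demonstration.

```powershell
# Added example, not Trend Micro code: a model of the internal/external decision that
# Computer Location makes from a client's default gateway. The gateway entries mirror
# what you enter on Networked Computers > Computer Location; all addresses below are
# constructed for the demonstration.
function Test-InternalLocation {
    param(
        [Parameter(Mandatory)][hashtable[]]$ConfiguredGateways,  # @{ Ip = '...'; Mac = '...' }, Mac optional
        [Parameter(Mandatory)][string]$ObservedGatewayIp,
        [string]$ObservedGatewayMac
    )
    # Normalise MAC formatting so '00-11-22-33-44-55' and '00:11:22:33:44:55' compare equal.
    $norm = { param($m) if ($m) { ($m -replace '[-:.]', '').ToLowerInvariant() } else { $null } }
    $seenMac = & $norm $ObservedGatewayMac

    foreach ($gw in $ConfiguredGateways) {
        if ($gw.Ip -ne $ObservedGatewayIp) { continue }
        $wantMac = & $norm $gw.Mac
        if (-not $wantMac) { return $true }            # IP-only entry: an address match is enough
        if ($seenMac -and $seenMac -eq $wantMac) { return $true }
        # Same IP but a different MAC: a foreign network reusing the private address scheme.
    }
    return $false
}

# Constructed configuration: one gateway pinned to its MAC, one entered by IP only.
$Gateways = @(
    @{ Ip = '192.168.1.1'; Mac = '00-11-22-33-44-55' },
    @{ Ip = '10.0.0.1' }
)

# Office network: the observed gateway IP and MAC both match the pinned entry.
Test-InternalLocation -ConfiguredGateways $Gateways -ObservedGatewayIp '192.168.1.1' -ObservedGatewayMac '00:11:22:33:44:55'
# Hotel network that also hands out 192.168.1.1, but from a different router.
Test-InternalLocation -ConfiguredGateways $Gateways -ObservedGatewayIp '192.168.1.1' -ObservedGatewayMac 'aa-bb-cc-dd-ee-ff'
# IP-only entry: any network whose gateway is 10.0.0.1 matches, which is the gap the MAC closes.
Test-InternalLocation -ConfiguredGateways $Gateways -ObservedGatewayIp '10.0.0.1' -ObservedGatewayMac 'aa-bb-cc-dd-ee-ff'
```

The last two calls show why the MAC is worth entering: with an IP-only entry, a client on any network that uses the same private gateway address is treated as internal and will pick up internal settings such as the Smart Scan source.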
5.8 > Firewall Policies and Profiles Configuration
OfficeScan firewall configuration pages are accessible by clicking Networked Computers > Firewall > Policies or Networked Computers > Firewall > Profiles in the navigation column. For information on configuration options and how to implement OfficeScan firewall policies, please see Chapter 9: OfficeScan Firewall on page 287.
Client deployment options are covered in Chapter 6: Client Software Deployment on page 219. For information about the browser-based installation option, see section 6.2.1 Deploy Client Software Via Browser-based Installation on page 223. For information about the remote installation option, see 6.2.2 Deploy Client Software Using Remote Install on page 225.
The connection-verification utility also provides you with the ability to schedule connection verifications that will run at regular intervals, based on the settings you choose.
To verify the current status of client connections:
1. Click Networked Computers > Connection Verification.
2. Click Verify Now.
3. Click OK to close the confirmation message.
To configure regularly scheduled connection verifications:
1. Click the Scheduled Verification tab on the Networked Computers > Connection Verification page.
2. Select Enable scheduled verification.
3. Select a frequency (once, hourly, daily, or weekly every specified day).
4. Specify a time of day.
5. Click Save.
After you have run a verification, you can view the results in the client tree or by viewing the connection-verification logs on the Logs > Networked Computer Logs > Connection Verification page.
The Networked Computers > Outbreak Prevention page allows you to configure and deploy Outbreak Prevention by first selecting target domains and/or clients using the familiar client tree tool.
NOTE Outbreak prevention may remain in effect for a maximum of 96 hours. To block/deny access to files or folders on an ongoing basis, you should use your network domain/directory controls rather than using OfficeScan for this purpose.
After selecting your target clients/domains, click Start Outbreak Prevention on the toolbar to launch the Outbreak Prevention Settings page. On this page you can select the types of policies you want to deploy and configure them. You can also specify the duration that the Outbreak Prevention policies should be in effect and configure whether end users should be notified that an Outbreak Prevention policy is being implemented and what the notification should say.
WARNING! Deploy Outbreak Prevention only in response to an outbreak. Take special care when configuring your Outbreak Prevention settings. Incorrect configuration can cause network communication problems.
With shared folder blocking enabled, you can specify access privileges to shared folders by clicking the hyperlink that is the title of the policy. Options for access privileges include:
Allow read access only | Users will be able to read files, but cannot modify them
Deny full access | Users (and malware) will have neither read nor write access
Figure 5.79: Configuring Shared Folder Blocking for Outbreak Prevention Policies
Make your selection and click Save to return to the Outbreak Prevention Settings page.
NOTE The trusted port is the port you assigned for OfficeScan client-server communication during server installation.
On the Port Blocking page, click Add and the Add Ports to Block page appears. Options for blocking ports include:
Block all ports (including ICMP)
This option will block all ports, including the Internet Control Message Protocol (ICMP) used by PING and trace-route functions. This option does not block the OfficeScan trusted port, the port that OfficeScan uses to communicate with clients. If you want to block the trusted port, select the Block trusted port checkbox on the Port Blocking page.
WARNING! If you block the OfficeScan trusted port, the OfficeScan server and clients will not be able to communicate, and you will be unable to cancel outbreak prevention (or make other modifications to settings from the management console) until the policy expires.
Block specified ports
This
Figure 5.81: Specifying Ports that the Outbreak Prevention Policy Will Block
A number of ports are known to be vulnerable to Trojan attacks. OfficeScan enables you to selectively block these specific ports during a virus outbreak.
Port Number | Trojan
23432 | Asylum
31337 | Back Orifice
18006 | Back Orifice 2000
12349, 6667 | Bionet
80 | Code Red
21 | DarkFTP
3150, 2140 | Deep Throat
10048 | Delf
23 | EliteWrap
6969 | GateCrash
7626 | Gdoor
10100 | Gift
21544 | Girl Friend
7777 | GodMsg
6267 | GW Girl
25 | Jesrto
25685 | Moon Pie
68 | Mspy

Port Number | Trojan
1120 | Net Bus
7300, 31338, 31339 | Net Spy
139 | Nuker
4444 | Prosiak
8012 | Ptakks
7597 | Qaz
4000 | RA
666 | Ripper
1026, 64666 | RSM
22222 | Rux
11000 | Senna Spy
113 | Shiver
1001 | Silencer
3131 | SubSari
1243, 6711, 6776, 27374 | Sub Seven
6400 | Thing
12345 | Valvoline
NOTE If you select the All Trojan Ports option, you may be blocking commonly used ports (such as port 80 for the Code Red Trojan). However, you can use the All Trojan Ports option, and then manually delete ports from the list as described below.
When you have finished configuring the settings and saved them, you can return to the Port Blocking page and view a list of your port blocking settings, including the blocked ports, protocol, comments, and traffic direction. You modify or delete ports to block by selecting them in this list and choosing Edit or Delete.
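The NOTE above warns that All Trojan Ports includes ports ordinary services use. The following PowerShell snippet is an added example (not code from the textbook or from Trend Micro) that turns that warning into a planning step: it takes the Trojan port table above and a list of ports your network relies on, and reports which table entries you would need to delete from the list before deploying the policy. The table is transcribed from the text; the list of ports in use is constructed for the demonstration.

```powershell
# Added example, not Trend Micro code: plan a port-blocking policy from the Trojan
# port table above while keeping the ports your network legitimately uses. The table
# is transcribed from the text; the list of ports in use is constructed.
$TrojanPorts = @{
    23432 = 'Asylum';     31337 = 'Back Orifice';  18006 = 'Back Orifice 2000'
    12349 = 'Bionet';     6667  = 'Bionet';        80    = 'Code Red'
    21    = 'DarkFTP';    3150  = 'Deep Throat';   2140  = 'Deep Throat'
    10048 = 'Delf';       23    = 'EliteWrap';     6969  = 'GateCrash'
    7626  = 'Gdoor';      10100 = 'Gift';          21544 = 'Girl Friend'
    7777  = 'GodMsg';     6267  = 'GW Girl';       25    = 'Jesrto'
    25685 = 'Moon Pie';   68    = 'Mspy';          1120  = 'Net Bus'
    7300  = 'Net Spy';    31338 = 'Net Spy';       31339 = 'Net Spy'
    139   = 'Nuker';      4444  = 'Prosiak';       8012  = 'Ptakks'
    7597  = 'Qaz';        4000  = 'RA';            666   = 'Ripper'
    1026  = 'RSM';        64666 = 'RSM';           22222 = 'Rux'
    11000 = 'Senna Spy';  113   = 'Shiver';        1001  = 'Silencer'
    3131  = 'SubSari';    1243  = 'Sub Seven';     6711  = 'Sub Seven'
    6776  = 'Sub Seven';  27374 = 'Sub Seven';     6400  = 'Thing'
    12345 = 'Valvoline'
}

function Get-OutbreakPortBlockPlan {
    param([int[]]$PortsInUse = @())   # ports that must stay open for business services
    $conflicts = @()
    $block = @()
    foreach ($port in ($TrojanPorts.Keys | Sort-Object)) {
        if ($PortsInUse -contains $port) {
            # Blocking this port would cut off a service you rely on: delete it from the list.
            $conflicts += ('{0} ({1})' -f $port, $TrojanPorts[$port])
        } else {
            $block += $port
        }
    }
    [pscustomobject]@{ Block = $block; Conflicts = $conflicts }
}

# Constructed: this network serves HTTP, FTP, SMTP and NetBIOS session traffic.
$plan = Get-OutbreakPortBlockPlan -PortsInUse 80, 21, 25, 139
$plan.Conflicts    # the "commonly used ports" the NOTE warns about, with the Trojan each is listed for
$plan.Block        # the remaining Trojan ports to add on the Add Ports to Block page
```

Run it with the real list of ports your servers and clients use (mail, web, file sharing, directory services) and review Conflicts before you save the policy; the trusted port is not in the table, so it is never part of the plan.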
5.11.3 Denying Write Access to Files and Folders
Some viruses are programmed to modify or delete files and folders on their host computers. You can configure OfficeScan to prevent viruses from modifying or deleting files and folders on your clients during a virus outbreak. To deny write access to files and folders, deploy Outbreak Prevention using the procedure outlined above. When the Outbreak Prevention Settings page appears, select the Deny write access to files and folders checkbox. You can then specify which directories and file extensions to protect by clicking the hyperlink that is the name of the policy.
Figure 5.82: Write Access Denial Settings for Outbreak Prevention Policies
To protect specific directories, enter a directory path in the Directory path field. If you enter multiple paths, separate the entries with semicolons (;). When you finish entering the directory paths you want to protect, click Add to transfer the paths to the Protected directories field.
NOTE The OfficeScan server will also protect any subdirectories in the specified paths.
The deny write feature sets permissions for specific files, not directories, so once you specify the directory to be protected, you must specify which files inside the directory will be protected. These options are available:
All files in the protected directories
Specified extensions
Individual filenames (files to protect)
If you select files with the following extensions, you must specify the extensions you want. After configuring the settings and clicking Save, a confirmation page will appear.
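The following PowerShell function is an added example (not code from the textbook or from Trend Micro, and not how the OfficeScan client implements the policy): it models how the settings just described resolve for a given file, so you can sanity-check a deny-write policy before an outbreak. It follows the three rules above: semicolon-separated directories, subdirectories included, and a per-file scope (all files, specified extensions, or individual filenames). The directories, extensions and file paths at the end are constructed.

```powershell
# Added example, not Trend Micro code: a model of how a deny-write policy resolves a
# file path, following the rules above (semicolon-separated directories, subdirectories
# included, and a per-file scope: all files, specified extensions, or individual filenames).
# The paths and extensions used at the end are constructed.
function Test-WriteDenied {
    param(
        [Parameter(Mandatory)][string]$ProtectedDirectories,   # as typed in the Directory path field: 'C:\A;D:\B'
        [ValidateSet('AllFiles', 'Extensions', 'Filenames')][string]$Scope = 'AllFiles',
        [string[]]$Extensions = @(),
        [string[]]$Filenames = @(),
        [Parameter(Mandatory)][string]$TargetPath
    )
    $target = [System.IO.Path]::GetFullPath($TargetPath)
    $dirs = $ProtectedDirectories -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # A file is in scope when it lives under any protected directory, at any depth.
    $underProtected = $false
    foreach ($dir in $dirs) {
        $root = [System.IO.Path]::GetFullPath($dir).TrimEnd('\') + '\'
        if ($target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $underProtected = $true; break }
    }
    if (-not $underProtected) { return $false }

    # Permissions are set per file, so the scope decides which files inside get denied.
    switch ($Scope) {
        'AllFiles'   { return $true }
        'Extensions' { return ($Extensions -contains [System.IO.Path]::GetExtension($target).TrimStart('.')) }
        'Filenames'  { return ($Filenames -contains [System.IO.Path]::GetFileName($target)) }
    }
}

# Constructed policy: protect two directories, but only files with document extensions.
$policy = @{ ProtectedDirectories = 'C:\Data;D:\Shares'; Scope = 'Extensions'; Extensions = 'doc', 'xls' }
Test-WriteDenied @policy -TargetPath 'C:\Data\2010\q3.doc'      # subdirectory of a protected path, listed extension
Test-WriteDenied @policy -TargetPath 'C:\Data\2010\notes.txt'   # protected path, but .txt is not in the extension list
Test-WriteDenied @policy -TargetPath 'C:\Other\q3.doc'          # outside every protected directory
```

The second call is the case worth noticing: a file under a protected directory is still writable if its extension is not on the list, which is why the text insists that the feature sets permissions on files rather than on directories.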
You can enable, disable, or edit the notification that will appear as a pop-up message on each selected client to inform users that the outbreak has ended. Click Restore Settings to disable outbreak prevention and click OK in response to the subsequent confirmation message.
The Notifications section of the navigation column also contains configuration options for modifying the messages that end users receive when you configure scan actions, firewall-violation incidents, or web-reputation blocking incidents to result in user notification, along with whatever other security-related actions you may have selected.
should be notified of a potential outbreak and how you should be notified. Standard notifications are triggered by single events. Outbreak notifications are triggered only when a defined threshold for multiple events across all clients is exceeded. Both configuration pages include the same series of tabbed pages:
The method for configuring standard and outbreak notifications is basically the same.
1. You select the criteria according to which notifications will be sent (every time a threat is detected, and every time ten threats are detected within an hour, for example).
2. You then enable or disable the various media by which a notification might be sent (email, pager, etc.) and in most cases specify the content of the notification.
It's that easy. The following sections describe the specific options available on each configuration page.
Figure 5.85: General Settings for OfficeScan Administrator Notifications
To configure administrator notification settings:
1. Specify information in the fields provided. For the SMTP and SNMP Trap Server IP address fields, you can specify either an IP
2. Click Save.
To configure standard notifications:
1. On the Criteria tab, specify whether to send notifications when virus/malware and spyware/grayware are detected or only when the action on these security risks is unsuccessful.
2. On the Email, Pager, SNMP Trap, and NT Event Log tabs:
2.1. Enable notifications for virus/malware and spyware/grayware.
2.2. For email notifications, specify the email recipients and accept or modify the default subject.
2.3. Accept or modify the default notification messages.
NOTE When modifying message content, use token variables in message fields only. Token variables are not allowed in the subject fields.
3. Click Save.
ENABLING EMAIL NOTIFICATIONS To enable email notifications, you must select the Enable notification via email checkbox. Email alerts are not enabled by default. You have the option to specify whether email recipients will get notifications from all domains or only from managed domains.
NOTE %CV is a variable for the name of the virus detected. %CC is a variable for the names of clients that have detected the virus (see Appendix A: Notification Tokens).
The message section enables you to include various data in the email notification such as the path of the infected file, the action taken, and more.
ENABLING PAGER NOTIFICATIONS Pager notifications send messages to an alphanumeric pager. Not enabled by default, you can enable pager notifications in the same way as email notifications. To receive pager notifications, you must have a modem installed on the OfficeScan server and configure the General Settings for notifications, which include the COM port the modem uses, and enter the pager's telephone number. On the Pager tab, you can create the alphanumeric message that you want to be sent.
ENABLING SNMP TRAP NOTIFICATIONS You can also use SNMP to send notifications to different parts of your network. Select the Enable notification via SNMP Trap checkbox, type the IP address of your network's SNMP server, specify the community name, and (optionally) modify the message.
ENABLING NT EVENT LOG NOTIFICATIONS Configuring NT Event Log notifications is similar to other notifications. Select the Enable Notification via NT Event Log checkbox and (optionally) modify the message.
To configure outbreak notifications:
1. On the Criteria tab, specify the number of detections and detection period for each risk. OfficeScan will send a notification message when the number is exceeded. For example, if
Before notification criteria for firewall-violation and shared-folder-session monitoring will be used to trigger an outbreak notification, you must explicitly enable monitoring of these functions by selecting the corresponding checkbox.
Under Shared Folder Sessions, click the number link to view the computers with shared folders and the computers accessing the shared folders.
2. In the Email, Pager, SNMP Trap, and NT Event Log tabs, enable notifications for the available types of events and (optionally) modify message content in the same manner as for standard-notification configurations described in the previous section above.
NOTE OfficeScan reports firewall violation and shared folder session outbreaks through email only.
3. Click Save.
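The two notification types described in this and the previous section differ only in their trigger: a standard notification is raised per event (optionally only when the action on the risk failed), while an outbreak notification is raised when the number of detections of a risk within the detection period, counted across all clients, reaches the configured threshold. The PowerShell below is an added example (not code from the textbook or from Trend Micro) that evaluates both rules over a small constructed set of detection records; the record fields, client names and threat names are constructed and carry no meaning beyond the demonstration.

```powershell
# Added example, not Trend Micro code: the difference between standard notifications
# (one per event) and outbreak notifications (a count of detections within a period,
# across all clients), evaluated over constructed detection records. Record fields,
# client names and threat names are constructed for the demonstration.
$start = [datetime]'2010-08-02 09:00'
$Detections = foreach ($i in 0..11) {
    # twelve virus detections over 22 minutes on six clients; every fourth one could not be cleaned
    $action = if ($i % 4 -eq 3) { 'Unable to clean' } else { 'Cleaned' }
    [pscustomobject]@{ Time = $start.AddMinutes(2 * $i); Client = 'WS-{0:D2}' -f ($i % 6); Risk = 'Virus'; Name = 'Worm_Sample'; Action = $action }
}
$Detections = @($Detections) + [pscustomobject]@{ Time = $start.AddMinutes(45); Client = 'WS-07'; Risk = 'Spyware'; Name = 'Adware_Sample'; Action = 'Quarantined' }

# Standard notification: every event, or only those where the action on the risk failed
# (the two choices offered on the Criteria tab of the standard notification page).
function Get-StandardNotifications {
    param([object[]]$Events, [switch]$OnlyWhenActionFailed)
    foreach ($e in $Events) {
        if ($OnlyWhenActionFailed -and $e.Action -ne 'Unable to clean') { continue }
        '{0:HH:mm} {1} on {2}: {3} ({4})' -f $e.Time, $e.Risk, $e.Client, $e.Name, $e.Action
    }
}

# Outbreak notification: fires once the number of detections of one risk type within any
# sliding window of $PeriodHours reaches $Count, no matter which clients reported them.
function Test-OutbreakThreshold {
    param([object[]]$Events, [string]$Risk, [int]$Count, [int]$PeriodHours)
    $times = @($Events | Where-Object { $_.Risk -eq $Risk } | Sort-Object Time | ForEach-Object { $_.Time })
    for ($i = 0; $i -lt $times.Count; $i++) {
        $windowEnd = $times[$i].AddHours($PeriodHours)
        $inWindow = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $windowEnd }).Count
        if ($inWindow -ge $Count) { return $true }
    }
    return $false
}

Get-StandardNotifications -Events $Detections -OnlyWhenActionFailed                    # only the events whose action failed
Test-OutbreakThreshold -Events $Detections -Risk 'Virus'   -Count 10 -PeriodHours 1     # 12 detections in 22 minutes vs. 10 per hour
Test-OutbreakThreshold -Events $Detections -Risk 'Spyware' -Count 10 -PeriodHours 1     # a single detection vs. 10 per hour
```

The sliding window is the part worth internalising when you pick a threshold: the detections need not fall inside a clock hour, only within any span of the configured length, and the count ignores which client reported each one, so one noisy client can trip an outbreak alert on its own.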
OfficeScan blocks a URL that violates a Web Reputation policy or detects a device-access-control or behavior-monitoring policy violation. To modify the message for a specific security risk, use the tabs on the Notifications > Client User Notifications page and edit the message as it appears in the corresponding text box.
All notification configurations on the Client User Notification page are global configuration variables. However, the display of user messages is a function of the action settings that you configure for the OfficeScan scan engines and other security services. In other words, an individual client displays these messages only if the security policies that you have applied to the client are configured to do so. OfficeScan client security policies are configured using the Networked Computers > Client Management page.
Figure 5.93: Adding a User Role and Defining the Client Tree Scope and other Access Permissions
You can create multiple customized roles that you can later edit or delete according to your needs, and you can assign multiple users to a single role. OfficeScan also has two built-in roles, which you cannot modify or delete:
Administrator | Users with the Administrator role can configure all menu items. Delegate this role to other OfficeScan administrators or users.
Guest User | Delegate this role to users who want to view the Web console for reference purposes. Users with the Guest User role have no access to the following menu items: Plug-in Manager; Administration > User Roles; Administration > User Accounts. Guest users have view access to all other menu items.
Add custom roles if none of the built-in roles meet your requirement. You can configure each custom role to have view or configure access to specific menu items and sub-items. Access to specific OfficeScan domains on the client tree cannot be controlled for each role. If the client tree is visible, all domains display. You can manage all built-in and custom roles at Administration > User Roles.
Role-based administration involves the following tasks:
1. Defining user roles.
1.1. Specifying the OfficeScan domains that the role can configure or view.
1.2. Specifying the role permissions that define the level of user access to the various elements of the user interface.
2. Configuring user accounts and assigning a role to each user.
How to perform these tasks is discussed in more detail below.
When defining a role, you can delegate tasks to child domains to restrict administrative users to specific tasks without interfering with parent domains. Limiting the presentation of the management console to configuration pages related to a defined role allows administrative users to focus only on their specific responsibilities. You can also assign view only access to pages without granting an administrator the ability to modify the associated configuration parameters.
Figure 5.94: Highly Granular Options Available for Configuring User Roles
Role-based administration can simplify management by reducing the complexity of the OfficeScan infrastructure, and is especially helpful if you already have a robust Active Directory infrastructure that defines existing administrative boundaries. Active Directory integration enables you to use existing administrative user-account credentials from multi-forests and trusted domains, making it so that neither senior IT management nor administrative users themselves must keep track of separate login credentials for the OfficeScan management console. There are three types of role permissions:
Menu Items for Servers/Clients (shown in the figure above) | Specify which server or client menu items that all users can see or configure, regardless of selected domains. This role should have the necessary permissions on the OfficeScan root directory to ensure that the view and configure options can be enabled.
Menu Items for Managed Domains | Specify menu items that all managed domains can see or configure.
Client Management Menu Items | The client management tree drop-down menu items that can be seen or configured for each domain on the OfficeScan client tree.
Each role can be given permission to view or configure menu items. Not selecting an option means the menu item will be hidden when the user role logs on to the OfficeScan web console. For Menu Items for Servers/Clients settings, only users with administrative privileges that manage all domains can set configure permission.
NOTE Each user role will get the default domain settings if the role was imported from another server. The imported role will retain the permissions for the global menu items. However, each domain will have to reconfigure the client management menu items and restructure the domain permissions.
To add a new user role:
1. Click Administration > User Roles > Add.
Tip If you are creating a role with similar access to an existing role, you may find it easier to begin by copying the existing role and then modifying it. You can do this by selecting the checkbox next to the role and then clicking Copy.
1.1. Enter a name for the role in the Name field.
1.2. Type a description of the role (optional).
2. Click Define Client Tree Scope and specify the domain(s) that this role can see or configure. You must define the client tree scope such that you are able to configure access to the client management menu items.
2.1. Click Save.
3. Click the Global Menu Items tab. Specify which menu items the role can see or configure for the following:
3.1. Menu items for servers/clients: Specify which server or client menu items that all users can see or configure, regardless of selected domains. This role should have the necessary permissions on the OfficeScan root directory to ensure that the view and configure options can be enabled.
3.2. Menu items for managed domains: Specify menu items that all managed domains can
Figure 5.97: Configuring Permissions for Access to Items on the Client Management Page
4.1. Select domains from the client tree scope.
4.2. Specify which Client Management Menu Items the role will be allowed to see.
NOTE If you select the Configure permission for an item, the View permission will be automatically selected.
4.3. Optionally, click Copy settings of the selected domain to other domains to copy client management role permissions to other domains.
5. Click Save. The new role displays on the User Roles list. Note the following:
You cannot grant access to the User Roles and User Accounts menus. Only users with the built-in administrator role and those using the root account created during OfficeScan installation can configure roles and accounts.
You cannot grant View-only access to Plug-in Manager. Plug-in Manager is an independent program and OfficeScan does not control its functions, so if you grant access to it, it must be configure access.
From the User Roles page, you can also perform the following functions:
Modify a role by clicking the role name (this brings up a page similar to the Add User page).
Delete a user role by selecting the checkbox next to it and clicking Delete.
Export role definitions by clicking Export. Role definitions will be exported to a .dat file.
Import role definitions by clicking Import and browsing to a saved .dat file you exported previously.
Important: Importing a role with the same name as an existing role on the User Roles page will overwrite the existing role.
3. Type the user name, full name, and password (which you need to confirm).
NOTE Passwords must be between 1 and 24 characters.
5. Assign the account a user role from the drop-down menu.
6. Click Save.
You should notify the user of his or her account credentials, including username and password.
ADDING ACTIVE DIRECTORY ACCOUNTS You can add individual Active Directory users or groups by clicking the Add button and selecting the Active Directory User or Group radio button. However, you can add multiple users or groups at the same time using the Add from Active Directory button. This page also lets you use wildcards to locate users, groups, or domains, while the Add User page requires that you enter the full user or group name and domain name.
To add Active Directory accounts:
1. Click Administration > User Accounts.
2. Click Add from Active Directory.
3. Search for an account (user name or group) by specifying the user name and domain to which the account belongs. When OfficeScan finds a valid account, it displays the account name under Users and Groups.
Tip Use the wildcard character (*) to search for multiple accounts. If you do not specify the wildcard character, include the complete account name. OfficeScan will not return a result if the account name is incomplete.
4. Click > to move the account from the Users and Groups field to the Selected Users and Groups field.
5. Select a role for the account.
6. Click Save.
Users can now log in to the management console using their Active Directory domain names and passwords.
If you specify an Active Directory group, all members belonging to a group get the same role. If a particular account belongs to at least two groups and the roles for both groups are different:
The permissions for both roles are merged.
If a user configures a particular setting and there is a conflict between permissions for the setting, the higher permission applies.
For example, User JohnDoe logged on with the following roles: Administrator, Power User.
NOTE Authorization Manager Runtime supports only English, French, German, and Japanese language versions.
PERFORMING ADDITIONAL USER ACCOUNT MANAGEMENT TASKS After you have added accounts, you can also modify them, enable or disable them, change their roles, delete them, or assign them a single sign-on for the Trend Micro Control Manager console.
To modify user accounts
Tip Use this option to change a user's password or assign a new one if the user has forgotten the original one.
click the icon in the Enable column on the User Accounts page. Note that you cannot disable Active Directory group accounts. If you do not want users on the group to access the management console, delete the group from the user accounts list and create new accounts for individual users you want to have access. The root account cannot be disabled.
Select the checkbox by the user account and click Change Role.
Select the checkbox by the user account and click Delete.
Create a new user account in Control Manager. When specifying the user name, type the account name that appears on the OfficeScan console. Assign the new account access and configure rights to the OfficeScan server. See Trend Micro Control Manager documentation for more information on the process.
NOTE Single sign-on enables users to access the OfficeScan management console from the Control Manager console.
If a Control Manager user has access and configure rights to OfficeScan but does not have an OfficeScan account, the user cannot access OfficeScan. The user sees a message with a link that opens the OfficeScan Web console's logon screen. Users who log on using Control Manager's root account can access OfficeScan even without an OfficeScan account.
See Chapter 11: Logs on page 329 for more information about working with OfficeScan logs.
Gives you the ability to assign specific responsibilities to administrative users and use their domain accounts to access the management console.
Automatically groups clients to OfficeScan-configuration domains in the OfficeScan client tree based on Active Directory name and domain or IP addresses to identify clients.
Helps you to ensure that computers in the network that are not managed by the OfficeScan server comply with the company's security guidelines.
To integrate Active Directory with OfficeScan:
1. Click Administration > Active Directory > Active Directory Integration.
2. Under Active Directory Domains, specify the Active Directory domain name.
Figure 5.100: Adding an Active Directory Domain and Access Credentials
3. Click Enter domain credentials. Enter domain credentials and an encryption key if the OfficeScan server is not part of the network. However, these are optional if the OfficeScan server is already part of the network.
4. When prompted, enter the user name and password OfficeScan will use to query the Active Directory domain.
Important: Ensure that the domain credential does not expire.
5. To enter more than one Active Directory domain, click the plus button. (Click the minus button to delete Active Directory domains.) Specify domain credentials separately.
6. Specify an encryption key and a file that OfficeScan can use to transform plain text into cipher text when storing the domain credentials in the OfficeScan database. This provides additional security. This encryption key supports all file formats.
7. Click Save or Save and synchronize Active Directory.
Active Directory synchronization activity is indicated at the bottom right of the Active Directory Integration page. An animated process graphic is also displayed to the right of the Enter domain credentials button (not shown in the graphic below). Successful synchronizations are indicated by a green checkmark (or tick mark) placed to the right of the Enter domain credentials button. (Start and completion times are also recorded in the system event logs.)
Figure 5.101: Activity and Completion Indicators for Active Directory Synchronization
203
Student Textbook
2. Under Active Directory Domains, specify the Active Directory domain name.
3. Specify domain credentials.
4. Specify an encryption key and file that OfficeScan uses to transform plaintext into ciphertext when storing the domain credentials in the OfficeScan database.
5. Click Save and synchronize Active Directory.
To automatically synchronize Active Directory domains with the OfficeScan database:
1. Click Administration > Active Directory > Scheduled Synchronization.
Figure 5.102: Configuring Scheduled Synchronizations with Active Directory Domains
2. Select Enable scheduled Active Directory synchronization.
3. Specify the frequency (daily, weekly, or monthly) by which synchronizations should be performed and the time of day that synchronizations should begin. For weekly synchronizations, you may also specify a day of the week; and for monthly synchronizations, you may specify the day of the month.
4. Click Save.
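The integration procedure above warns that the domain credential must not expire, and scheduled synchronization then runs unattended with that credential. The following Python example is added here and is not OfficeScan code or part of the course material: it computes the expiry date of the synchronization account's password from the raw Active Directory attributes (pwdLastSet and userAccountControl on the account, maxPwdAge on the domain object) and checks it against the next scheduled synchronization. The attribute values, dates and the 42-day policy in it are constructed samples, and fetching the attributes from a domain controller is outside the example.

```python
r"""Check that the Active Directory account OfficeScan uses for directory
synchronization will still have a valid password at the next scheduled sync.

Added example; not OfficeScan code. It works on the raw attribute values a
domain controller exposes over LDAP; how you retrieve them is up to you, and
the sample values used here are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# userAccountControl bit: "password never expires".
UF_DONT_EXPIRE_PASSWD = 0x10000

# maxPwdAge is stored as a negative tick count. 0, or the 64-bit minimum that
# AD stores when the policy is set to "0 days", both mean no maximum age.
NO_MAX_AGE = (0, -(2 ** 63))


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper for building aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def to_filetime(when: datetime) -> int:
    """Convert an aware datetime to a FILETIME tick count."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (sub-microsecond bits dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expires_at(pwd_last_set: int, max_pwd_age: int,
                        user_account_control: int) -> Optional[datetime]:
    """Return when the account password expires, or None if it never expires."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in NO_MAX_AGE:
        return None
    if pwd_last_set == 0:
        # "User must change password at next logon": unusable for an unattended
        # sync right now, so report it as already expired (the FILETIME epoch).
        return from_filetime(0)
    # Expiry = last set + max age; max age is stored negated, hence the subtraction.
    return from_filetime(pwd_last_set - max_pwd_age)


def sync_credential_ok(pwd_last_set: int, max_pwd_age: int, user_account_control: int,
                       next_sync: datetime, margin: timedelta = timedelta(days=1)) -> bool:
    """True if the password is still valid at next_sync, keeping a safety margin."""
    expires = password_expires_at(pwd_last_set, max_pwd_age, user_account_control)
    if expires is None:
        return True
    return expires - margin > next_sync


if __name__ == "__main__":
    # Constructed sample: password set 2010-08-01, 42-day domain policy,
    # normal account (0x200 = NORMAL_ACCOUNT), next weekly sync 2010-09-11 12:00 UTC.
    last_set = to_filetime(utc(2010, 8, 1))
    policy = -42 * 86_400 * TICKS_PER_SECOND
    print("password expires:", password_expires_at(last_set, policy, 0x200))
    print("safe for next sync:", sync_credential_ok(last_set, policy, 0x200, utc(2010, 9, 11, 12)))
```

Run it against the account you entered under Enter domain credentials before each policy change; a result of False means the sync will start failing before the next run unless the password is reset or the account is exempted from the policy.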
204
Administrator Track
clients and the OfficeScan server uses a proxy, you need to enter the proxy server, port, login name, and password in the Intranet Proxy page.
NOTE If your server receives a DHCP-assigned IP address, Trend Micro recommends using the DNS name to ensure that if your server obtains a different IP address, clients will still be able to find it using DNS.
To configure connection settings:
1. Click Administration > Connection Settings.
2. Type the domain name/IP address and port number of the OfficeScan web server.
3. Click Save.
The connection settings you specify are written to the ofcscan.ini file, which is then pushed out to OfficeScan clients so they can still communicate with the server.
To configure OfficeScan to automatically remove inactive clients:
1. Click Administration > Inactive Clients.
2. Select Enable automatic removal of inactive clients.
3. Select how many days should pass before OfficeScan considers a client inactive.
4. Click Save.
The default OfficeScan server installation folder is %ProgramFiles%\TrendMicro\OfficeScan. The default client installation folder is %ProgramFiles%\TrendMicro\OfficeScanClient.
NOTE If the OfficeScan client is unable to send the encrypted file to the OfficeScan server for any reason, such as a network connection problem, the encrypted file remains in the client quarantine folder. The client will attempt to resend the file when it connects to the OfficeScan server.
To change the quarantine folder's location on the server, go to the scan action configuration pages (Networked Computers > Client Management > Settings > {Scan Type} > Action tab).
NOTE You can also change the quarantine directory by editing the ofcscan.ini file. Under [server_ini_section], change the path for Quarantine-Folder=.
To configure the quarantine manager:
1. Accept or modify the default capacity of the quarantine folder and the maximum allowed size for a file stored in the quarantine folder. The default values are specified in the page.
2. Click Save Quarantine Settings.
3. To remove all existing files in the quarantine folder, click Delete All Quarantined Files.
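Both the connection-settings procedure and the quarantine note above point at ofcscan.ini as the file behind the console settings, and the note names the exact section and key for the quarantine folder. The following Python example is added here and is not Trend Micro code: it parses that section out of an ofcscan.ini, returns the Quarantine-Folder value, and flags values that would put quarantined files somewhere other than a fixed local folder (a relative path, a UNC path, or a path containing ".." components). It relies only on the [server_ini_section] section and the Quarantine-Folder= key that the note names; the sample file contents and paths are constructed, and any other ofcscan.ini keys are left alone.

```python
"""Audit the quarantine folder setting in an OfficeScan server ofcscan.ini.

Added example, not Trend Micro code. Only the section and key the course
notes name are used; the sample ini text and paths below are constructed."""
import configparser
import re
from typing import List, Optional

SECTION = "server_ini_section"
KEY = "Quarantine-Folder"

# Constructed sample of the relevant part of an ofcscan.ini.
SAMPLE_INI = """\
[server_ini_section]
Quarantine-Folder=C:\\Program Files\\TrendMicro\\OfficeScan\\PCCSRV\\Quarantine\\
"""

# A local drive-letter path such as C:\...; UNC and relative paths do not match.
LOCAL_ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def load_ofcscan_ini(text: str) -> configparser.ConfigParser:
    """Parse ini text, keeping key case and tolerating duplicate keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep "Quarantine-Folder" exactly as written
    # Some ini files carry keys before the first [section]; give them a home
    # so configparser does not reject the file outright.
    parser.read_string("[_unsectioned]\n" + text)
    return parser


def quarantine_folder(parser: configparser.ConfigParser) -> Optional[str]:
    """Return the configured quarantine folder, or None if the key is absent."""
    return parser.get(SECTION, KEY, fallback=None)


def audit_quarantine_folder(text: str) -> List[str]:
    """Return findings for the quarantine folder setting; [] means it looks sane."""
    parser = load_ofcscan_ini(text)
    if not parser.has_section(SECTION):
        return [f"missing [{SECTION}] section"]
    folder = quarantine_folder(parser)
    if not folder:
        return [f"{KEY} is missing or empty"]
    findings: List[str] = []
    if folder.startswith("\\\\"):
        findings.append(f"{KEY} is a UNC path ({folder}): quarantined files would leave the server")
    elif not LOCAL_ABS_PATH.match(folder):
        findings.append(f"{KEY} is not an absolute local path ({folder})")
    if ".." in folder.split("\\"):
        findings.append(f"{KEY} contains '..' components ({folder})")
    return findings


if __name__ == "__main__":
    print("folder:", quarantine_folder(load_ofcscan_ini(SAMPLE_INI)))
    print("findings:", audit_quarantine_folder(SAMPLE_INI))
```

Point it at a copy of the server's ofcscan.ini (read the file and pass its text to audit_quarantine_folder) after any manual edit of the file, and before pushing the change, so that a typo in the path does not silently redirect where infected files are kept.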
The status of your licenses appears at the top of the page. Reminders occur in these instances:

Full version
  30 days before grace period ends
  When the license is already expired and grace period is over (component update will be disabled but scanning will proceed using out-of-date components)

Evaluation (Trial) version
  When the license is already expired (component update, scanning and all client features are disabled)

To activate/renew a service license:
1. Click the name of the service.
2. In the Product License Details page, click New Activation Code.
Figure 5.108: Adding a New Activation Code to Renew an OfficeScan Service
3. Enter the activation code in the page that opens and click Save.
NOTE You must register a service before you can activate it. Contact your Trend Micro sales representative for more information about your Registration Key and Activation Code.
4. Back in the Product License Details page, click Update Information to refresh the page with the new license details and the status of the service. This page also provides a link to your detailed license available on the Trend Micro website.
NOTE To manage OfficeScan using Control Manager, you must first install the Control Manager server software on one or more servers and activate the software. For information on how to install and use Control Manager, please see the Control Manager documentation. After your Control Manager server(s) are set up, you may then register the OfficeScan server with the Control Manager you choose. The Control Manager Settings page shows registration status and other options.
To register the OfficeScan server to a Control Manager server:
1. Click Administration > Control Manager Settings. The Control Manager Settings page appears.
2. Verify the Connection Status. If the OfficeScan server is not already registered to a Control Manager server, the words Not registered appear in red.
3. Under Connection Settings for Entity display name, enter the name by which the OfficeScan server should be known to the Control Manager server.
NOTE The name you specify is the name that Control Manager will use to identify the device in the Product Directory of the Control Manager interface.
4. Under Control Manager Server Settings, enter the IP address or FQDN (fully qualified domain name) of the Control Manager server to which you want to register.
4.1. Also, enter the port number that the Control Manager server uses to receive connections from Control Manager clients/agents.
4.2. If the web server that Control Manager uses requires authentication, enter the username and password in the Web server authentication section. Otherwise, leave this section blank.
5. If there is a proxy server between the OfficeScan server and the Control Manager server, select the Use a proxy server for communication with the Control Manager server checkbox under Proxy Settings. The associated options become editable.
5.1. Select the Proxy protocol to use: HTTP, SOCKS4, or SOCKS5.
5.2. Enter the FQDN or IP address of the proxy server and the port that it uses.
5.3. If the proxy server uses authentication, enter the user ID and password.
6. If you have a router with NAT (Network Address Translation) enabled and your OfficeScan server is on the internal/private/translated side of the router and the Control Manager server is on the external/public side, you can configure the registration of the OfficeScan server with the Control Manager server so that the Control Manager server will use an external/public IP address of the router/NAT device instead of the internal/private IP address that the OfficeScan server uses on the local network. To make this work, you must:
6.1. Configure a static port mapping on the router/NAT device that maps an external IP address and TCP port combination to the internal IP address and TCP port 443 of the OfficeScan server.
6.2. Select the Enable two-way communication port forwarding checkbox on the Control Manager Settings page.
6.3. Enter the external IP address of the router/NAT device that you will use, along with the external TCP port number.
NOTE If there are no NAT devices between the OfficeScan server and the Control Manager server, two-way communication port forwarding is NOT required for two-way communication. Also note that although you lose real-time updates and control, two-way communication is not required for other Control Manager functions.
7. After entering all required settings, click Test Connection to verify that your OfficeScan server can connect to the Control Manager server.
8. Click Register. A progress bar displays the progress of the registration and indicates when registration is complete. Upon completion, the Control Manager Settings page is updated to reflect the connection status.
NOTE Once the OfficeScan server is registered, the management of update functions is transferred to the Control Manager console and these options within the management console are disabled (grayed out).
To verify that the OfficeScan server appears correctly in the Control Manager management console:
1. Log on to the Control Manager console and click Products on the main menu.
2. Go to the Managed Products page.
3. Look to see that your OfficeScan server appears in the product directory.
To configure the web console settings:
1. Click Administration > Web Console Settings.
1.1. Select Enable auto refresh and then select the refresh interval. Available selections range from 10 to 300 seconds in varying intervals. The default is 30 seconds.
1.2. Select Enable Timeout Setting and then select the timeout interval. Available selections range from 10 to 60 in 10-minute intervals. The default is 30 minutes.
2. Click Save.
To enable a scheduled backup, click in the appropriate checkbox. Scheduled backups are not enabled by default. Select the time when you want OfficeScan to perform the backup. You may choose a daily, weekly, or monthly backup. Whichever you choose, you may then select the starting time. Trend Micro recommends backing up the database during non-business hours. To save scheduled database backup configurations, click Save. To perform an immediate backup to the specified path, click Backup Now.
WARNING! Abnormal server shutdowns during a backup can corrupt the database. For information on how to recover a corrupt database, see Chapter 12: Troubleshooting on page 341.
WARNING! The Plug-in Manager installation package does not support remote installation. You must open the OfficeScan web-based management console in a browser that is running on the OfficeScan server itself. (Using Remote Desktop to accomplish this is supported.)
To install the Plug-in Manager:
1. Click the installation here link on the Plug-in Manager page.
2. Read the subsequent notice with regard to Plug-in Manager requirements and click Download Plug-in Manager.
3. At the File Download prompt, select to Run the file (or select to save the setup.exe file locally and manually launch it when the download is complete). After the installer program is launched, follow the on-screen prompts to complete the installation.
4. Return to the Plug-in Manager page to verify the installation. The Plug-in Manager page is automatically populated with available plug-in programs. The currently installed version of Plug-in Manager is listed at the top. If a newer version is available, the newer version is listed, along with a Download button.
To update the current version of Plug-in Manager:
1. If the Plug-in Manager shows that a newer version of Plug-in Manager is available, click Download.
2. When the download is complete, click Upgrade Now.
3. When the upgrade is complete, click OK.
NOTE Plug-in Manager downloads the package from the Trend Micro ActiveUpdate server, the default download source, to a temporary folder (\PCCSRV\Download\Product). If Plug-in Manager is unable to download the package, it automatically downloads again after 24 hours. To manually trigger Plug-in Manager to download the package, restart the OfficeScan Plug-in Manager service from the Microsoft Management Console.
2. Monitor the download progress. Navigating away from this page during the download will not abort the process.
3. After Plug-in Manager downloads the package, a new page displays, providing you the following options: Install Now or Install Later. Click Install Now.
4. After the installation, the current plug-in program version displays. You can manage the plug-in program by clicking Manage.
Figure 5.119: A Plug-in Program Management Interface Displayed within the Plug-in Manager Page
The OfficeScan client software includes a Plug-in Manager client component that communicates with the server (for more information, see 8.7.8 Client Plug-in Manager on page 283). When you install a plug-in that functions as an add-on to existing OfficeScan client software, the Plug-in Manager notifies OfficeScan clients to install the program.
NOTE The client Plug-in Manager has the same system requirements as the OfficeScan client. The only additional requirement is Microsoft XML Parser (MSXML) version 3.0 or later.
The installation path for a plug-in program on the client computer is {%ProgramFiles%}\TrendMicro\{Pluginprogramname}.
The Trend Micro ActiveUpdate server is the default update source for OfficeScan. An Internet connection is required to connect to this server. If the server computer connects to the Internet through a proxy server, ensure that an Internet connection can be established using the proxy settings.

If you have specified multiple update sources:
1. Ensure the server computer can connect to the first update source on the list. If the server computer cannot connect to the first update source, it does not attempt to connect to the other update sources.
2. Check if the first update source contains the latest version of the Plug-in Manager component list (OSCE_AOS_COMP_LIST.xml) and the plugin installation package.

If the update source is an intranet location:
1. Check if there is a functional connection between the server computer and the update source.
2. Check if the update source contains the latest version of the Plug-in Manager component list (OSCE_AOS_COMP_LIST.xml) and the plugin installation package.
Review Questions
1. In which of the following ways can Manual Outbreak Prevention protect your network?
   a) It can block access to shared folders.
   b) It can block ports from being used.
   c) It can deny all access to files and folders.
   d) All of the above
2. What is IntelliScan?
   a) A method of identifying files to scan by looking at their headers
   b) A method of identifying files to scan based on the file content
   c) A method of scanning files based on their extensions
   d) All of the above
3. What is ActiveAction?
   a) A specialized cleaning action
   b) An action that protects the desktop in the most efficient way
   c) A set of preconfigured scan actions for viruses and other types of malware
   d) None of the above
4. Which tab can you NOT prevent from appearing in the client console?
   a) Firewall tab
   b) Toolbox tab
   c) Mail Scan tab
   d) Scan tab
NOTE OfficeScan client software supports Citrix Presentation Server version 4.5 (32-bit and 64-bit versions) and Platinum Edition version 4.0 beginning with version 8.0, service pack 1.
OfficeScan Client for Windows XP/Server 2003 32-bit and 64-bit Editions

Operating System
  Windows XP Professional with SP2 or later
  Windows XP Home with SP2 (32-bit only)
  Windows Server 2003 & 2003 R2 Standard, Enterprise, Datacenter, and Web Editions with SP2 or later
  Windows Storage Server 2003 & 2003 R2
  Microsoft Cluster Server 2003
  Guest XP/Server 2003 OSs hosted on these virtualization platforms:
    o Microsoft Virtual Server 2005 R2 with Service Pack 1 (32-bit OSs only)
    o VMware Workstation and Workstation ACE Edition 6.0
    o VMware ESX/ESXi Server 3.5 or 4 (Server Edition)
    o VMware Server 1.0.3 or later (Server Edition)
    o Microsoft Windows Server 2008 & 2008 R2, 64-bit Hyper-V
    o Microsoft Hyper-V Server 2008 R2, 64-bit

File sharing configuration
  On Windows XP computers, Simple File Sharing must be disabled for users to successfully install the OfficeScan client.

Hardware
  300 MHz Intel Pentium processor or equivalent, including AMD x64 or Extended Memory 64 Technology (EM64T) processors
  256 MB of RAM (512 MB recommended)
  350 MB of available disk space

Browser
  Microsoft Internet Explorer 6.0 or later, if performing web-based setup
OfficeScan Client for Windows Vista / Windows 7 32-bit and 64-bit Editions

Operating System
  Windows Vista Home, Premium, Business, Enterprise, & Ultimate
  Windows 7 Home, Premium, Business, Enterprise, & Ultimate
  Guest Windows Vista / 7 OSs hosted on these virtualization platforms:
    o VMware ESX/ESXi Server 3.5 or 4 (Server Edition) (4 only for Win 7)
    o VMware Server 1.0.3 or later (Server Edition)
    o VMware Workstation and Workstation ACE Edition 6.0
    o Microsoft Windows Server 2008 & 2008 R2, 64-bit Hyper-V
    o Microsoft Hyper-V Server 2008 R2, 64-bit

Hardware
  800 MHz Intel Pentium processor or equivalent; or AMD x64 or Extended Memory 64 Technology (EM64T) processor
  Windows 7: 1 GHz Intel Pentium processor or equivalent (2 GHz recommended)
  1 GB of RAM (1.5 GB recommended, 2 GB recommended for Windows 7)
  350 MB of available disk space

Browser
  If performing web-based setup:
    Vista: Microsoft Internet Explorer 7.0 or later
    7: Microsoft Internet Explorer 8.0 or later
OfficeScan Client for Windows Server 2008/2008 R2 32-bit and 64-bit Editions

Operating System
  Windows Server 2008 SP1 & 2008 R2 Standard, Enterprise, Datacenter, and Web Editions or later
  Microsoft Cluster Server 2008
  Guest Windows Server 2008 OSs hosted on these virtualization platforms:
    o VMware ESX/ESXi Server 3.5 or 4 (Server Edition)
    o VMware Server 1.0.3 or later (Server Edition)
    o VMware Workstation and Workstation ACE Edition 6.0
    o Microsoft Windows Server 2008/2008 R2 64-bit Hyper-V
    o Microsoft Hyper-V Server 2008 R2 64-bit
  NOTE: OfficeScan can be installed on Windows 2008 running in the Server Core environment.

Hardware
  1.4 GHz (2 GHz recommended) Intel Pentium processor or equivalent, including AMD x64 or Extended Memory 64 Technology (EM64T) processors
  512 MB of RAM (2 GB recommended)
  350 MB of available disk space

Browser
  Microsoft Internet Explorer 7.0 or later, if performing web-based setup
NOTE You may need more RAM and disk space if you install client tools such as Outlook Mail Scan or any future plug-ins.
Instruct the users via email to go to the internal web page and download the client-software setup files. This option works with all supported operating systems.
OfficeScan Remote Installation
Using the OfficeScan management console, you can deploy the client software to clients using the built-in remote installation capability of the OfficeScan server. This option works with all supported operating systems except Windows Vista/7 Home Basic and Home Premium editions, and XP Home edition.
Login Script Setup
Automate the installation of the client software when users log on to the domain. This option works with all supported operating systems.
Client Packager
Deploy the client-software setup or update files by creating an MSI package that you can distribute via email or install using Active Directory or Microsoft SMS. This option works with all supported operating systems.
Client Disk Image
The Image Setup Utility assists in the creation of disk images (using third-party imaging software) with the OfficeScan client installed, for later deploying clones of the image to other computers. This option works with supported 32-bit Windows XP and Server 2003 or earlier operating systems only, and does not work with Vista, 7, or Server 2008 editions.
Trend Micro Vulnerability Scanner (TMVS)
Install the client software using the Trend Micro Vulnerability Scanner tool. This option works with all supported operating systems except Windows Vista/7 Home Basic and Home Premium editions, and XP Home edition.
Security Compliance
Push the client software to unprotected clients found in the Security Compliance report. This option works with all supported operating systems except Windows Vista/7 Home Basic and Home Premium editions, and XP Home edition.
Microsoft SMS
Deploy the MSI package using Microsoft System Management Server (SMS). Packager MSI installers are compatible with and are well-suited for use with Active Directory GPOs. You must have Microsoft BackOffice SMS installed.
Supported installation methods and some of their features and benefits are summarized in the tables below.
Supported operating systems by deployment method (cells follow the method descriptions above):

Method               | Windows XP Home SP3 | Vista/7 Home Basic & Premium | XP Pro, Server 2003, Vista/7 Business, Enterprise, Ultimate, Server 2008 Standard, Ent., & Datacenter
Web page install     | Yes                 | Yes                          | Yes
Remote Install       | No                  | No                           | Yes
Login script         | Yes                 | Yes                          | Yes
Client packager      | Yes                 | Yes                          | Yes
Client disk image    | Yes (32-bit only)   | No                           | XP / Server 2003, 32-bit only
TMVS                 | No                  | No                           | Yes
Security Compliance  | No                  | No                           | Yes
SMS                  | not stated above    | not stated above             | not stated above
Table 6.2: Deployment Methods for OfficeScan Client Software

Methods compared (columns): Web Page, Remote Install, Login Scripts, Client Packager, TMVS
Criteria (rows): Suitable for WAN-based deployment; Leverages management tools; Requires end user intervention; Requires IT resource; Suitable for mass deployment; Bandwidth consumption; End user requires local admin rights

Bandwidth consumption: Web Page: High; Remote Install: High, if all at once / Low, if scheduled; Login Scripts: High, if all at once / Low, if scheduled; Client Packager: High, large packages; TMVS: High
Other cell values present in the source but not attributable to a row: Yes/No; *

* Client packager MSI installers are compatible with Active Directory GPOs.
preconfigured email message that you can send from the email program installed on the local machine from which you are using the management console.
To open the Initiate Browser-based Installation page, click Networked Computers > Client Installation > Browser-based in the navigation column of the management console.
Type the subject line you want to appear in your email message, and then click Create Email. A window from your default email application appears, as shown in the figure above. The subject line you specified and the link to the installation page are already in the message window. The default URL for the client-installation website is https://<servername>/officescan/console/html/ClientInstall. Edit the message if you choose, add recipients, and click Send.
NOTE The email notification option obviously relies on users to complete the actual installation of the client software. These users must also have administrative rights on the local computer and be able to enable the browser to use ActiveX controls to complete the installation.
The URL for client installation is also provided on the log-on page of the OfficeScan management console. You can also, of course, go directly to the page by entering the URL from any client that meets the minimum system requirements. As seen from the end-user's or administrator's perspective, to install the OfficeScan client via web browser:
1. Click the link sent via email (as described above), or click the link on the log-on page of the management console, or navigate directly to the client-install page using a browser.
For OfficeScan servers using SSL, the default URL for the client-install page is
For OfficeScan servers that are not using SSL, use the http resource identifier instead of the https identifier and the correct port number (default 8080).
2. Select to install the WinNTChk ActiveX control by clicking anywhere in the yellow information bar that appears at the top of the content window of the browser and choosing Install ActiveX control.
3. Click Install Now to start installing the OfficeScan client.
Once installation is complete, the browser window will display a notice that the Client installation is complete, and if the client must be rebooted an additional notice will appear in a separate window. You can also verify the installation by checking to see that the OfficeScan client icon appears in the Windows system tray.
NOTE If the browser-based client software installation is unsuccessful, the browser window will display a message to confirm this. This message also lists possible reasons for the unsuccessful installation, along with recommended solutions.
To begin a remote installation, click Networked Computers > Client Installation > Remote in the navigation column of the OfficeScan management console.
Use the network navigation tree on the Remote Installation page to select the computers to which you want to deploy client software. You may also use the search feature to find computers. Click Add to add computers to the list of selected computers. Once you have selected all your targets, click Install.
NOTE Users do not need administrative rights on their local computers. The OfficeScan administrator specifies the local username and password.

NOTE When installing to multiple computers, all unsuccessful installations are logged. You do not have to supervise individual installations once the process begins. If an installation fails, it does not affect other installations.
cleanup file, and program files
An important benefit of this deployment method is that you can install the client regardless of the user privileges that are assigned to the user that is logging on. When creating the login script, you must provide an Administrator account and password. No special end-user privileges are required.
NOTE Obviously, to enforce the use of the login script installation method, client computers must be listed in the Windows Active Directory of the server that is performing the installation.
To add autopcc.exe to the login script using Login Script Setup: 1. On the OfficeScan server, click Start > [All] Programs > Trend Micro OfficeScan Server {Server Name} > Login Script Setup. 2. The Login Script Setup utility loads. It displays a tree showing all domains on your network.
3. Browse for the Windows Server whose login script you want to modify, select it, and then click Select. The server must be a primary domain controller and you must have administrator access. Login Script Setup prompts you for a user name and password.
4. Type your user name and password. Click OK to continue. The User Selection page appears. The Users list shows the computers that log on to the server. The Selected users list shows the users whose computer login script you want to modify.
To modify the login script of a single or multiple users, select them from the Users and
5. Click Apply when all the target users are in the Selected users list. A message appears informing you that you have modified the server login scripts successfully.
6. Click OK. The Login Script Setup utility will return to its initial screen.
To modify the login scripts of other servers, repeat steps 2 to 4.
To close Login Script Setup, click Exit.
NOTE When an unprotected computer logs on to the servers whose login scripts you modified, autopcc.exe will automatically install the client to it.
NOTE {Server_name} is the computer name or IP address of the OfficeScan server and ofcscan is the shared name of the PCCSRV folder where autopcc.exe is located.
The Windows 2003/2008 login script is on the Windows 2003/2008 server (through a net logon shared directory), under:
\\Windows2003or2008server\systemdrive\windir\sysvol\domain\scripts\ofcscan.bat
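A login script that every domain user runs from sysvol is worth auditing: if the server share it calls is changed, every logon launches whatever now sits at that path. The following Python example is added here and is not part of OfficeScan: it scans a copy of the login script for the UNC paths it references and reports any host or share other than the OfficeScan server's ofcscan share named in the notes above. The script text, the host names and the line layout of the sample are constructed for the example; the real ofcscan.bat differs, and only the share name (ofcscan) and the executable name (autopcc.exe) are taken from the course material.

```python
r"""Audit a copy of the OfficeScan login script for the server share it calls.

Added example, not part of OfficeScan. The course notes only say that the
script lives under sysvol\...\scripts\ofcscan.bat and runs autopcc.exe from
\\{Server_name}\ofcscan; the script text and host names below are constructed."""
import re
from typing import List, Tuple

# Matches \\host\share at the start of a UNC path.
UNC_PATH = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)")

# Constructed sample of a login script calling autopcc.exe from the server share.
SAMPLE_SCRIPT = r"""
@echo off
rem constructed sample; the real ofcscan.bat differs
if exist \\OSCE-SRV01\ofcscan\autopcc.exe \\OSCE-SRV01\ofcscan\autopcc.exe
"""

# Constructed sample of the same script with the share pointed at another host,
# which is what an audit of sysvol should catch.
ALTERED_SCRIPT = SAMPLE_SCRIPT.replace("OSCE-SRV01", "UNKNOWN-HOST")


def unc_references(script: str) -> List[Tuple[str, str]]:
    """Return the (host, share) pairs referenced in the script, lower-cased, in order."""
    return [(m.group(1).lower(), m.group(2).lower()) for m in UNC_PATH.finditer(script)]


def audit_login_script(script: str, expected_server: str, share: str = "ofcscan") -> List[str]:
    """Return findings; [] means every UNC reference is the expected OfficeScan share."""
    findings: List[str] = []
    refs = unc_references(script)
    if not refs:
        findings.append("no UNC path found; the script does not reach a server share")
    for host, sh in sorted(set(refs)):
        if host != expected_server.lower():
            findings.append(f"references host {host} instead of {expected_server.lower()}")
        elif sh != share.lower():
            findings.append(f"references share {sh} on {host} instead of {share.lower()}")
    if "autopcc.exe" not in script.lower():
        findings.append("autopcc.exe is not invoked")
    return findings


if __name__ == "__main__":
    print("expected script:", audit_login_script(SAMPLE_SCRIPT, "OSCE-SRV01"))
    print("altered script: ", audit_login_script(ALTERED_SCRIPT, "OSCE-SRV01"))
```

Reading the script from \\<domain controller>\sysvol\<domain>\scripts\ofcscan.bat on a schedule and alerting on a non-empty finding list gives you a cheap integrity check on a file that is executed on every domain logon; pair it with file-change auditing on the scripts folder if your domain controllers already log it.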
6.2.4 Deploy Client Software Using the Client Packager Tool
Client Packager can compress setup and update files into a self-extracting file to simplify delivery via email, CD-ROM, or similar media.
When users receive the package, they simply double-click the file to run the setup program. OfficeScan clients installed using Client Packager report to the server on which the package was created. This tool is especially useful when deploying installation or update files to clients in low-bandwidth remote offices.
WARNING! Client Packager installation packages require > 160 MB free disk space on the target client, and Windows Installer 2.0 is required for MSI packages. Also, the end user must have local Administrator privileges.
NOTE You can use Microsoft Outlook and the Client Packager send mail option. However, installation packages may not be suitable for email in all environments. .EXEs are the following sizes (MSIs are slightly larger): XP/Vista/7/2003/2008 client, 49.8 MB; 64-bit clients, 58.4 MB.
Client Packager can create two types of self-extracting files:
  Executable
  This file type conforms to Microsoft's Windows Installer package specifications. For more information on MSI, see the Microsoft website.
Tip Trend Micro recommends using Active Directory to deploy an MSI package with Computer Configuration instead of User Configuration. This helps ensure that the MSI package will be installed regardless of which user logs on to the machine.
To create a package with the Client Packager GUI: 1. Launch {OfficeScanPath}\PCCSRV\Admin\Utility\ClientPackager\ClnPack.exe to run the tool. The Client Packager console opens (shown above).
NOTE You must run the program locally on the OfficeScan server.
3. For the Windows operating system type, select the Windows operating system, 32-bit or 64-bit, for which you want to create the package (when creating executable files only). 4. For Scan method, choose Conventional Scan or Smart Scan.
NOTE This determines the default scan method for the client package. However, the client will adopt the scan method of the OfficeScan server domain that it joins. For example, if the client uses smart scan, and the default OfficeScan server domain is using conventional scanning, the client will switch to conventional scanning.
Force overwrite with latest version: Overwrites old versions with the latest version. This checkbox is enabled only when you select Update as the package type.
Disable pre-scan (only for fresh install): Disables the file scanning that OfficeScan performs before installation.
6. Select from among the following update agent options under Update Agent Options:
WARNING! If you select the update agent option here, you must then use the Scheduled Update Configuration Tool to enable and configure scheduled updates. You can find instructions for using this tool immediately following the instructions for the packager tool.

Provide component service: Enables the client to act as an update agent and provide updates to OfficeScan pattern files and other application components.
Provide setting service: Enables the client to act as an update agent and provide updates to OfficeScan settings.
Provide program service: Enables the client to act as an update agent and provide program updates for the OfficeScan client.
7. Select the utilities to include in the package:
Mail Scan: Scans Microsoft Outlook mailboxes for security risks.
Check Point SecureClient Support: Support for Check Point SecureClient for Windows XP/Vista/7/Server 2003.
8. Under Components, select the components to include in the installation package (only for creating an update package):
Antivirus
Firewall
Common components
Anti-Spyware/Grayware
Virus Cleanup
9. For Source file, ensure that the location of the ofcscan.ini file is correct. To modify the path, click the button next to the field to browse for the ofcscan.ini file. By default, this file is located in the \PCCSRV folder of the OfficeScan server.
10. In Output file, click the button next to the field to specify the file name (for example, ClientSetup.exe) and the location to create the client package.
11. Click Create to build the client package. When Client Packager finishes creating the package, the message "Package created successfully." appears. To verify successful package creation, check the output directory you specified.
12. Send the package to your users via email, or copy it to a CD or similar media and distribute among your users.
WARNING! You can send the package only to those clients that report to the server where the package was created. Do not send the package to clients that may report to another OfficeScan server.
For Update Agents: Using the Scheduled Update Configuration Tool
Use the Scheduled Update Configuration Tool to enable and configure scheduled updates on OfficeScan clients acting as update agents that you installed using Client Packager. This tool is available only on update agents that Client Packager installs.
To use the Scheduled Update Configuration Tool:
1. On the update agent that Client Packager installed, open Windows Explorer.
2. Go to the OfficeScan client folder.
3. Double-click SUCTool.exe to run the tool. The Scheduled Update Configuration Tool console opens.
4. Select Enable Scheduled Update.
5. Specify the update frequency and time.
6. Click Apply.
5. Below Software Settings, right-click Software installation, and then select New and Package.
6. Locate and select the MSI package.
computer (if you select User Configuration) or when the computer restarts (if you select Computer Configuration). This method does not require any user intervention.
Published: The MSI package is made available in the Add/Remove Programs page, which users can access from Control Panel. To run the MSI package, inform users to go to the Add/Remove Programs page and select Add New Programs from the menu items. The MSI package will display and users simply click Add to start installing the client.
Before it can deploy the package to target computers, the SMS server needs to obtain the MSI file from the OfficeScan server.
Local - The SMS server and the OfficeScan server are on the same computer.
Remote - The SMS server and the OfficeScan server are on different computers.
To obtain the package locally:
1. Open the SMS Administrator console.
1.1. On the Tree tab, click Packages.
1.2. On the Action menu, click New > Package From Definition. The welcome page of the Create Package From Definition Wizard appears.
1.3. Click Next. The Package Definition page appears.
1.4. Click Browse. The Open page appears.
2. Browse and select the MSI package file created by Client Packager, and then click Open. The MSI package name appears on the Package Definition page. The package shows Trend Micro OfficeScan Client and the program version.
2.1. Click Next. The Source Files page appears.
2.2. Click Always obtain files from a source directory, and then click Next. The Source Directory page appears, displaying the name of the package you are creating and the source directory. Click Local drive on site server. Click Browse and select the source directory where the MSI file is located. Click Next. The wizard creates the package. When it completes the process, the name of the package appears on the SMS Administrator console.
1. On the OfficeScan server, use Client Packager to create a setup package with an .exe extension (the .msi package is not supported). (For instructions on creating an .exe file, see 6.2.4 Deploy Client Software Using the Client Packager Tool on page 228 above.)
1.1. On the computer where you want to store the source, create a shared folder.
1.2. Open the SMS Administrator console.
1.3. On the Tree tab, click Packages.
1.4. On the Action menu, click New > Package From Definition. The welcome page of the Create Package From Definition Wizard appears.
1.5. Click Next. The Package Definition page appears.
1.6. Click Browse. The Open page appears.
2. Browse and select the .exe package file created by Client Packager, and then click Open. The .exe package name appears on the Package Definition page. The package shows Trend Micro OfficeScan Client and the program version.
2.1. Click Next. The Source Files page appears.
2.2. Click Always obtain files from a source directory, and then click Next. The Source Directory page appears, displaying the name of the package you are creating and the source directory. Click Network path (UNC name). Click Browse and select the source directory where the installation file is located (the shared folder you created). Click Next. The wizard creates the package. When it completes the process, the name of the package appears on the SMS Administrator console.
To distribute the package to target computers:
1. On the Tree tab, click Advertisements.
2. On the Action menu, click All Tasks > Distribute Software. The Welcome page of the Distribute Software Wizard appears.
2.1. Click Next. The Package page appears.
2.2. Click Distribute an existing package; then click the name of your setup package.
2.3. Click Next. The Distribution Points page appears.
3. Select a distribution point to which you want to copy the package, and then click Next. The Advertise a Program page appears.
3.1. Click Yes to advertise the client setup package, and then click Next. The Advertisement Target page appears.
3.2. Click Browse to select the target computers. The Browse Collection page appears.
3.3. Click All Windows NT Systems.
3.4. Click OK. The Advertisement Target page appears again.
3.5. Click Next. The Advertisement Name page appears.
3.6. In the text boxes, type a name and comments for the advertisement, and then click Next. The Advertise to Subcollections page appears.
4. Choose whether to advertise the package to subcollections. You can choose to Advertise the program only to members of the specified collection or Advertise the program to members of subcollections as well.
4.1. Click Next. The Advertisement Schedule page appears.
4.2. Specify when to advertise the client setup package by typing or selecting the date and time in the list boxes.
4.3. If you want Microsoft SMS to stop advertising the package on a specific date, click Yes, this advertisement should expire, and then specify the date and time in the Expiration date and time list boxes.
4.4. Click Next. The Assign Program page appears.
4.5. Click Yes, assign the program, and then click Next.
Microsoft SMS creates the advertisement and displays it on the SMS Administrator console. When Microsoft SMS distributes the advertised program (that is, the OfficeScan client program) to target computers, a page will display on each target computer. Instruct users to click Yes and follow the instructions provided by the wizard to install the OfficeScan client to their computers.
Known Issues when Installing with Microsoft SMS
Unknown appears in the Run Time column of the SMS console.
If the installation is unsuccessful, the installation status may still show that the installation
To deploy using disk imaging, follow these steps:
1. Install the operating system, all desired applications, and the OfficeScan client software to create the source of the disk image.
2. Copy imgsetup.exe to the computer from the OfficeScan server's {installation path}\PCCSRV\Admin\Utility\ImgSetup folder.
3. Run imgsetup.exe. A RUN registry key will be created under HKEY_LOCAL_MACHINE.
4. Use your disk-imaging application to create a disk image of the OfficeScan client.
5. Deploy the image created by the disk-imaging application.
6. When the newly imaged computer is started for the first time, Imgsetup.exe will automatically start and create one new GUID value. The client will report this new GUID to the server and the server will create a new record for the new client.
The Image Setup tool creates a new GUID, but it does not change the name of the computer in the OfficeScan database. To avoid having two computers with the same name, you must manually change the computer name or domain name of the cloned OfficeScan client.
NOTE: The Image Setup tool creates a new GUID for OfficeScan; however, you will still need to use a third-party tool to create a new security identifier (SID) and GUID for your Microsoft Windows network. Also, to avoid having two computers with the same name in the OfficeScan database, you must at least change the computer name or domain name of the clone.
This tool is not particularly suitable for mass deployment, but it will help ensure that unprotected computers do not access the network. (This tool replaces the NT Client Installer [cnic.exe] tool found in versions of OfficeScan before OfficeScan 6.5.) For more information about other features of the Vulnerability Scanner tool, see Chapter 10: OfficeScan Tools on page 307.
NOTE: You can use Vulnerability Scanner on computers running Windows 2000 or Server 2003/2008; however, the computers cannot be running Terminal Server. You cannot install OfficeScan clients with Vulnerability Scanner to a computer with the OfficeScan server installed.
To launch the Vulnerability Scanner from the OfficeScan server, open Windows Explorer and go to the {installationdirectory}\PCCSRV\Admin\Utility\TMVS folder. Double-click TMVS.exe.
Once the Vulnerability Scanner is launched, click Settings. The Vulnerability Scanner's installation options are in the final box of the Settings page under OfficeScan server Settings for (Install and Log Report): Specify an OfficeScan server (e.g. MyServer).
Figure 6.9: Installation Settings on the Vulnerability Scanner Settings Page
When the Vulnerability Scanner determines that a computer is not protected by suitable antivirus software, you can configure it to deploy the OfficeScan client software.
NOTE: In order to remotely install the client software, the user who is logged on must have administrator rights. To bypass this problem, you can provide an Install account that the Vulnerability Scanner will use to install the client.
If you want to automatically install the OfficeScan client, select the Auto-install OfficeScan Client for unprotected computers checkbox. Type a user name and a password for a user account on the target computer that has the privileges required to install the OfficeScan client. Click OK. If you want to send a log to the OfficeScan server reporting the status and outcome of the remote install procedure, select the Report log to OfficeScan server checkbox.
Vista Home Premium. If you have computers running these platforms, choose another client deployment method.
If the target computer runs Windows Vista/7 Business, Enterprise, or Ultimate Edition, you must perform the following steps on the computer before you can install the client through Security Compliance:
1. Enable a built-in administrator account and set the password for the account.
2. Disable the Windows firewall.
2.1. Click Start > Programs > Administrative Tools > Windows Firewall with Advanced Security.
2.2. For Domain Profile, Private Profile, and Public Profile, set the firewall state to off.
3. Open Microsoft Management Console (click Start > Run and enter services.msc) and start the Remote Registry service.
When installing the OfficeScan client, use the built-in administrator account and password.
If Trend Micro or third-party endpoint security programs are installed on the computer, check if OfficeScan can automatically uninstall the software and replace it with the OfficeScan client. For a list of endpoint security software that OfficeScan automatically uninstalls, open the following files in {installationdirectory}\PCCSRV\Admin. You can open these files using a text editor such as Notepad.
tmuninst.ptn
tmuninst_as.ptn
If the software on the target computer is not included in the list, manually uninstall it first. Depending on the uninstallation process of the software, the computer may or may not need to restart after uninstallation. Finally, before starting the installation process, record the logon credentials for each computer you plan to deploy the client to. OfficeScan will prompt you to specify the logon credentials during installation.
Important: You cannot use this method to update the OfficeScan client. If an earlier OfficeScan client version is already installed on a computer and you click Install, the installation will be skipped and the client will not be updated to this version.
To install the OfficeScan client from the Security Compliance page:
1. Click Install on top of the Client Tree.
2. Specify the administrator logon account for each computer and click Log on. OfficeScan starts installing the client on the target computer.
The operating system runs fewer services and requires fewer resources during startup.
The OfficeScan client supports Server Core. This section contains information on the extent of support for Server Core. The OfficeScan server does not support Server Core.
on the Server Core. Run the tool from the OfficeScan server or another computer.
pccntmon -h
Check files, services, processes, and registries
Check the installation log
Verify the client status icon appears in the system tray
NOTE: If you need instructions on how to check the files, services, processes or registry keys, see Chapter 4: OfficeScan Server Installation on page 63.
6.3.3 Verify the Client Status Icon Appears in the System Tray
If the client software has been properly installed, a status icon appears in your system tray.
NOTE: See 3.4.13 Normal and Roaming Client Operation Modes on page 55 for depictions of client-status icons for normal and roaming modes.
To verify client installation using Vulnerability Scanner:
1. On the OfficeScan server computer, launch %ProgramFiles%\OfficeScan\PCCSRV\Admin\Utility\TMVS\TMVS.exe. The Trend Micro Vulnerability Scanner console appears.
2. Click Settings.
3. Under Product query, select the OfficeScan Corporate Edition/Security Server checkbox and specify the port that the server uses to communicate with clients.
4. Select whether to use Normal or Quick retrieval. Normal retrieval is more accurate, but it takes longer to complete. If you select Normal retrieval, you can set Vulnerability Scanner to try to retrieve computer descriptions, if available, by selecting Retrieve computer descriptions when available.
5. To automatically send the results to yourself or to other administrators in your organization, select Email results to the system administrator. Then, click Configure to specify your email settings.
In To, type the email address of the recipient.
In From, type your email address. If you are sending it to other administrators in your organization, this will let the recipients know who sent the message.
In SMTP server, type the address of your SMTP server. For example, type smtp.company.com. The SMTP server information is required.
6. In Subject, type a new subject for the message or accept the default subject.
7. Click OK to save your settings.
8. To display an alert on unprotected computers, click Display notification on unprotected computers. Then, click Customize to set the alert message. The Alert Message page appears. Type a new alert message in the text box or accept the default message, and then click OK.
9. To save the results as a comma-separated value (CSV) data file, select Automatically save the results to a CSV file. By default, Vulnerability Scanner saves CSV data files to the TMVS folder. If you want to change the default CSV folder, click Browse, select a target folder on your computer or on the network, and then click OK.
10. Under Ping settings, specify how Vulnerability Scanner will send packets to the computers and wait for replies. Accept the default settings or type new values in the Packet size and Timeout fields.
11. Click OK. The Vulnerability Scanner console appears.
12. To run a manual vulnerability scan on a range of IP addresses, do the following:
12.1. In Manual Scan, type the IP address range of computers that you want to check for installed antivirus solutions.
12.2. Click Start to begin checking the computers on your network.
13. To run a manual vulnerability scan on computers requesting IP addresses from a DHCP server:
13.1. Click the DHCP Scan tab in the Results box. The Start button appears.
13.2. Click Start. Vulnerability Scanner begins listening for DHCP requests and performing vulnerability checks on computers as they log on to the network.
Vulnerability Scanner checks your network and displays the results in the Results table. Verify that all desktop and notebook computers have the client installed. If Vulnerability Scanner finds any unprotected desktop and notebook computers, install the client on them using your preferred client installation method.
6.4 > Post-Installation Considerations for Servers and x64 Desktop Platforms
Beginning with OfficeScan 10 Service Pack 1, OfficeScan automatically disables some features on server platforms to avoid performance issues. The table below summarizes the features that are disabled and the platforms affected.
Operating System: Windows Server 2003, Windows Server 2008
Disabled Features on x86 Platforms: Device Control; Behavior Monitoring; Client Self-protection for registry keys and processes; OfficeScan Firewall
N/A
Table 6.3: Summary of Disabled Features on OfficeScan Server and x64 Workstation Clients
NOTE Context-specific notices within the user interface of the management console call attention to the default configuration for servers when the default is different than for normal clients. Each notice also provides a link to online information for enabling these services, similar to the instructions provided below.
Important: Before enabling these features on server platforms, carefully consider the potential impact on critical applications. If you encounter performance issues after enabling these features, contact Technical Support to obtain and run the Trend Micro Performance Tool (TMPerfTool).
To enable these disabled features: 1. Identify any critical applications that should not be at risk of interruption or stoppage due to behavior monitoring and add them to the list of approved programs.
See Configuring Exception Lists for Behavior Monitoring on page 162 for more information.
DWORD value (REG_DWORD): DoNotDisableFuncOnServerPlatform
Review Questions
1. Which deployment method allows you to install the Mail Scan and Check Point SecureClient Support with the client software?
a) Notify install option
b) Vulnerability Scanner tool
c) Login script setup utility
d) Client Packager tool
2. Which deployment method requires using third-party tools?
a) Image setup utility
b) Remote install option
c) Login script setup utility
d) Vulnerability Scanner tool
3. Which two deployment methods are accessible from the OfficeScan management console?
a) Image setup utility and notify install option
b) Notify install option and remote install option
c) Vulnerability Scanner tool and Client Packager tool
d) Login script setup utility and image setup utility
4. Which deployment methods enforce automatic installation of client software?
a) Login script setup utility and Vulnerability Scanner tool
b) Client Packager tool and login script setup utility
c) Remote install option and image setup utility
d) Notify install option and Client Packager tool
Component: File Name
Smart Scan virus pattern (server): not updated on client
Smart Scan agent pattern: icrc$oth.<3-digit version extension>
Virus pattern file: Lpt$vpn.<3-digit version extension>
Spyware pattern file: ssapiptn.da5
Spyware active-monitoring pattern: Ssaptn.<3-digit version number>
Virus scan engine: vsapint.sys
Spyware scan engine: ssapi32.dll
Root-kit scan engine: tmcomm.sys
Damage Cleanup: tsc.ptn, tsc.exe
Firewall: tmf<version>.ptn, tm_cfw.sys
URL filtering engine: tmufeng.dll
BM detection pattern: TMTD.ptn
Firewall trusted application pattern: Tml<version>.ptn
Behavior Monitoring driver: tmcomm.sys, tmevtmgr.sys, tmactmon.sys
IntelliTrap pattern file: tmblack.<3-digit extension>
IntelliTrap exception file: tmwhite.<3-digit extension>
NOTE: Compressed component files are stored at {Install path}\PCCSRV\Download on the OfficeScan server and at {install path}\ActiveUpdate on OfficeScan clients that are update agents.
Chapter 7: Updates
A Smart Scan server hosts the Smart Scan virus pattern, which is updated hourly (or optionally, every 15 minutes) and contains the majority of virus pattern definitions. Smart Scan clients do not download this pattern. Clients verify potential threats against the pattern by sending scan queries to the server. The OfficeScan server hosts the Smart Scan agent pattern, which is updated daily and contains the pattern definitions not found in the Smart Scan virus pattern. Clients download this pattern from the OfficeScan server using the same method used for downloading other OfficeScan components. The OfficeScan client, using the Smart Scan agent pattern and advanced filtering technology, can verify whether a file is infected without sending scan queries to the Smart Scan server. The Smart Scan client first scans the local computer using only its local resources. If the client cannot determine the risk of the file during the scan, the client verifies the risk by sending a scan query to a Smart Scan Server. This saves bandwidth. When queries are made, the client caches the query result and will not need to send the same scan query to the Smart Scan Server for subsequent detections of the same type. If a client cannot verify a file's risk using its local resources and is unable after several attempts to connect to a Smart Scan Server, the client will:
Flag the file for verification.
Allow temporary access to the file.
When a subsequent connection to a Smart Scan Server is made, flagged files are re-scanned. The appropriate scan action is then performed on those that are confirmed to be infected.
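The local-scan, query, cache and flag-for-re-scan sequence described above, modelled as an added example (not Trend Micro code). The class names, the in-memory server stub, the three-attempt limit and the sample file hashes are constructed for illustration only.

```python
"""Model of the Smart Scan client flow: scan locally, query the Smart Scan
server only for undecided files, cache verdicts, and flag files for later
re-scan when the server is unreachable.

Added example, not Trend Micro code. The class names, the in-memory server
stub and the sample file hashes are constructed for illustration.
"""
from enum import Enum
from typing import Callable, Dict, Optional, Set


class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    UNKNOWN = "unknown"   # local resources cannot decide; a server query is needed


class ServerUnavailable(Exception):
    """Raised by the query callback when the Smart Scan server cannot be reached."""


class SmartScanClient:
    def __init__(self, local_scan: Callable[[str], Verdict],
                 query: Callable[[str], Verdict], max_attempts: int = 3):
        self._local_scan = local_scan
        self._query = query
        self._max_attempts = max_attempts
        self.cache: Dict[str, Verdict] = {}   # verdicts already obtained from the server
        self.flagged: Set[str] = set()        # allowed temporarily, awaiting re-scan
        self.queries_sent = 0

    def scan(self, file_hash: str) -> str:
        """Return the action for one file: 'allow', 'quarantine' or 'allow-temporarily'."""
        verdict = self._local_scan(file_hash)               # step 1: local resources only
        if verdict is Verdict.UNKNOWN:
            verdict = self.cache.get(file_hash)             # step 2: cached server verdict
            if verdict is None:
                verdict = self._query_with_retry(file_hash)  # step 3: ask the server
        if verdict is None:                                 # unreachable after all attempts
            self.flagged.add(file_hash)
            return "allow-temporarily"
        return self._act(verdict)

    def _query_with_retry(self, file_hash: str) -> Optional[Verdict]:
        for _ in range(self._max_attempts):
            self.queries_sent += 1
            try:
                verdict = self._query(file_hash)
            except ServerUnavailable:
                continue
            self.cache[file_hash] = verdict
            return verdict
        return None

    @staticmethod
    def _act(verdict: Verdict) -> str:
        return "quarantine" if verdict is Verdict.INFECTED else "allow"

    def reconnect(self) -> Dict[str, str]:
        """Once the server is reachable again, re-scan every flagged file."""
        results = {}
        for file_hash in sorted(self.flagged):
            verdict = self._query_with_retry(file_hash)
            if verdict is not None:
                self.flagged.discard(file_hash)
                results[file_hash] = self._act(verdict)
        return results


# Constructed sample data: what the local agent pattern knows vs. the server.
LOCAL_PATTERN = {"aaa111": Verdict.INFECTED, "bbb222": Verdict.CLEAN}
SERVER_PATTERN = {"ccc333": Verdict.INFECTED, "ddd444": Verdict.CLEAN}


class FakeSmartScanServer:
    def __init__(self) -> None:
        self.online = True

    def query(self, file_hash: str) -> Verdict:
        if not self.online:
            raise ServerUnavailable()
        return SERVER_PATTERN.get(file_hash, Verdict.CLEAN)


def run_demo() -> Dict[str, object]:
    server = FakeSmartScanServer()
    client = SmartScanClient(lambda h: LOCAL_PATTERN.get(h, Verdict.UNKNOWN), server.query)
    r: Dict[str, object] = {}
    r["local_hit"] = client.scan("aaa111")             # decided locally, no query
    r["first_query"] = client.scan("ccc333")           # one query sent
    r["cached"] = client.scan("ccc333")                # served from cache
    r["queries_after_cache"] = client.queries_sent     # still 1
    server.online = False
    r["offline"] = client.scan("ddd444")               # 3 failed attempts, then flagged
    r["flagged"] = sorted(client.flagged)
    r["queries_after_offline"] = client.queries_sent   # 4
    server.online = True
    r["rescan"] = client.reconnect()                   # flagged file re-scanned: allow
    r["flagged_after"] = sorted(client.flagged)
    return r
```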
To help reduce the bandwidth used when updating the virus pattern file, OfficeScan performs incremental updates. Rather than downloading the entire virus pattern file every time it is updated, OfficeScan downloads only the new virus patterns that were added to the virus pattern file. The new patterns are then merged with the older virus pattern file. Incremental updates greatly reduce both download time and deployment time, thus decreasing network utilization.
NOTE: All recently released Trend Micro products use a new multi-digit format for displaying the numbers of pattern files.
SPYWARE PATTERN FILE
OfficeScan clients use spyware/grayware pattern files to identify spyware, adware, hacker tools, and other threats. Trend Micro updates the spyware/grayware scan pattern regularly. Like virus pattern files, spyware/grayware scan patterns are updated incrementally.
Scan Engine
At the heart of all Trend Micro products lies the scan engine. Originally developed in response to early file-based computer viruses, today's scan engines are highly sophisticated and capable of detecting Internet worms, mass-mailers, Trojan horse threats, spyware, and network exploits as well as viruses. The scan engine detects "in the wild" or actively circulating threats, and "in the zoo" threats, which are controlled viruses not in circulation but developed and used for research. Rather than scanning every byte of every file, the engine and pattern file work together to identify not only tell-tale characteristics of the virus code, but the precise location within a file where the virus would hide. OfficeScan removes virus/malware upon detection and restores the integrity of the file. International computer security organizations, including ICSA (International Computer Security Association), certify the Trend Micro scan engine annually. By storing the most time-sensitive virus/malware information in the virus patterns, Trend Micro is able to minimize the number of scan engine updates while at the same time keeping protection up-to-date. Nevertheless, Trend Micro periodically makes new scan engine versions available. Trend Micro releases new engines under the following circumstances:
New types of viruses are discovered that the scan engine cannot handle.
Trend Micro engineers enhance the performance and detection rates of the scan engine.
The updated scan engine supports virus detection of additional file formats, scripting
To reduce network traffic generated when downloading the latest pattern, OfficeScan servers and update agents can download incremental patterns to avoid downloading information that they already have in their local copy of the full pattern. After downloading incremental patterns, OfficeScan servers update their own latest version of the pattern file by merging it with the appropriate incremental update. Likewise, before a client downloads a pattern, it will compare its current pattern version with the available patterns on the update server/agent and download a smaller, incremental pattern. OfficeScan clients download incremental patterns as long as they are less than 14 versions behind. Otherwise, they download the full pattern file. Component duplication applies to these components:
Virus pattern
Smart Scan agent pattern
Spyware pattern
Spyware active-monitoring pattern
Virus cleanup template
IntelliTrap exception pattern
The Smart Scan server to which a client connects depends on the client's location. Internal Smart Scan clients connect to a local Smart Scan server, while external Smart Scan clients connect to the Trend Micro Global Smart Scan Server. The table below compares the two servers:
Table 7.2: Comparison Between Local and the Trend Micro Global Smart Scan Servers (basis of comparison: Availability; Purpose; Server administrator; Pattern update source; Client connection protocols)
You can configure the OfficeScan server to download from as many as ten different update sources, including an internal update server, if you have configured one. However, in most situations, at least one OfficeScan server downloads updates directly from the Trend Micro ActiveUpdate server. Before downloading the updates, the OfficeScan server checks the values in its ofcscan.ini file and compares them with the server.ini file on the Trend Micro ActiveUpdate server. Server.ini contains the versions of the components that need to be updated. If the version that OfficeScan currently has is lower than the ActiveUpdate server's version, the OfficeScan server downloads that particular component; otherwise, the OfficeScan server will skip it (see the figure below). Server.ini also contains a checksum value for the files. When the server downloads updates, it first checks the checksum to see if the downloaded updates are corrupted or not. After the server downloads the updates, they can then be deployed to all OfficeScan update agents and clients. Like the OfficeScan server, the update agents and clients use the checksum to determine if new updates from the server have been corrupted. The OfficeScan architecture is designed to maximize the bandwidth of your company's Internet connection and to provide better security. For example, if your network includes two thousand workstations and servers, OfficeScan downloads the updates only once from the Internet. In addition, other servers are not directly exposed to the dangers of the Internet (such as hackers).
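The version comparison, checksum verification and the incremental-versus-full decision (fewer than 14 versions behind) described here and in the component duplication section above, as an added example that is not Trend Micro code. The INI layout, component names, version numbers and the use of SHA-256 are constructed for illustration; the real ActiveUpdate server.ini format is not reproduced.

```python
"""Model of the update-source check (ofcscan.ini vs. server.ini, checksum
verification) and of the incremental-vs-full pattern decision.

Added example, not Trend Micro code. The INI layout, component names,
version numbers and the use of SHA-256 are constructed for illustration.
"""
import configparser
import hashlib
import hmac
from typing import Dict, List, Tuple

# Clients use an incremental pattern only while fewer than this many versions behind.
INCREMENTAL_LIMIT = 14


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _parse(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep component names case-sensitive
    cp.read_string(ini_text)
    return cp


def parse_local_versions(ofcscan_ini_text: str) -> Dict[str, int]:
    """Installed component versions from the (constructed) ofcscan.ini layout."""
    return {name: int(value) for name, value in _parse(ofcscan_ini_text)["Component"].items()}


def plan_update(local: Dict[str, int], server_ini_text: str) -> List[Tuple[str, str]]:
    """Decide per component: 'skip' (already current), 'incremental' or 'full'."""
    cp = _parse(server_ini_text)
    plan = []
    for comp in cp.sections():
        available = cp.getint(comp, "Version")
        current = local.get(comp, 0)          # 0 = component not installed yet
        if current >= available:
            plan.append((comp, "skip"))
            continue
        behind = available - current
        incremental_from = cp.getint(comp, "IncrementalFrom", fallback=None)
        if behind < INCREMENTAL_LIMIT and incremental_from == current:
            plan.append((comp, "incremental"))
        else:
            plan.append((comp, "full"))
    return plan


def expected_checksum(server_ini_text: str, comp: str, action: str) -> str:
    key = "IncrementalChecksum" if action == "incremental" else "FullChecksum"
    return _parse(server_ini_text).get(comp, key)


def verify_download(data: bytes, expected: str) -> bool:
    """True if the bytes match the advertised checksum. This catches corruption
    in transit; it is not a signature, so it does not by itself prove that
    server.ini came from the update source you expect."""
    return hmac.compare_digest(sha256_hex(data), expected.lower())


# Constructed sample data -------------------------------------------------
LOCAL_OFCSCAN_INI = """
[Component]
VirusPattern=7101
SmartScanAgentPattern=7103
SpywarePattern=1010
"""
INCR_VIRUS_BYTES = b"constructed incremental virus pattern 7101->7105"
FULL_VIRUS_BYTES = b"constructed full virus pattern 7105"
FULL_SPYWARE_BYTES = b"constructed full spyware pattern 1030"

SERVER_INI = f"""
[VirusPattern]
Version=7105
FullChecksum={sha256_hex(FULL_VIRUS_BYTES)}
IncrementalFrom=7101
IncrementalChecksum={sha256_hex(INCR_VIRUS_BYTES)}

[SmartScanAgentPattern]
Version=7103
FullChecksum={sha256_hex(b"constructed agent pattern 7103")}

[SpywarePattern]
Version=1030
FullChecksum={sha256_hex(FULL_SPYWARE_BYTES)}
IncrementalFrom=1029
"""


def demo_update_cycle() -> Dict[str, object]:
    """One server update cycle over the constructed data."""
    plan = plan_update(parse_local_versions(LOCAL_OFCSCAN_INI), SERVER_INI)
    # Simulated downloads: the incremental arrives intact; the full spyware
    # pattern has its last byte altered in transit and must be rejected.
    downloads = {
        "VirusPattern": INCR_VIRUS_BYTES,
        "SpywarePattern": FULL_SPYWARE_BYTES[:-1] + b"X",
    }
    results = {}
    for comp, action in plan:
        if action == "skip":
            continue
        ok = verify_download(downloads[comp], expected_checksum(SERVER_INI, comp, action))
        results[comp] = "applied" if ok else "rejected-corrupt"
    return {"plan": plan, "results": results}
```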
Figure: Update flow between the OfficeScan server, update agents and clients. Server.ini is compared; downloaded components and server.ini are saved in \PCCSRV\download on the OfficeScan server.
Update agents also offload the burden of deploying updates from the OfficeScan server. Rather than deploying updates to tens of thousands of clients, the OfficeScan server deploys the updates to update agents, which then deploy updates to the masses. This frees up resources on the OfficeScan server. In addition to reducing the workload on the OfficeScan server, update agents also reduce network and WAN traffic. For example, you can install update agents at branch offices so that updates are downloaded only once across your company's WAN link. All the clients at the branch office then download the updates from the local update agent. You can also install update agents at each LAN segment to reduce network traffic. Again, the updates are downloaded only once to the LAN segment. The clients on the LAN segment then download the updates from the update agent. The OfficeScan update architecture is extremely flexible. You can configure some clients to download the updates from the OfficeScan server, and you can configure other clients to download the updates from an update agent. The OfficeScan server then notifies update agents and update clients that the updates are available. Depending on your configuration, the clients then download the updates from the OfficeScan server or from an update agent. By studying your network configuration, you can determine the stress points on your network. You can identify areas where network traffic is heavy and deploy update agents to reduce update traffic in those areas.
For each component, you can view its current version and the latest available version from Trend Micro. You can also view clients with out-of-date components by clicking the number link. You can manually update clients with out-of-date components
On the Ser Scheduled Update page select the E rver d e, Enable schedu update of the OfficeSc uled f can server che eckbox. Then, navigate the expandable an collapsible component s , nd e sections and select the components you wan to be updat nt ted:
Smart Scan agent pa attern p Virus pattern IntelliT Trap pattern IntelliT Trap exception pattern n Virus scan engine (32- or 64-bit) s Spyware pattern Spyware active-monitoring pattern n e Spyware scan engine (32- or 64-bit) Virus cleanup tem plate s Virus cleanup engi (32- or 64s ine -bit) Com mon firewall p pattern Beha avior Monitorin detection p ng pattern Beha avior Monitorin driver ng Beha avior Monitorin core service ng Beha avior Monitorin configuration pattern ng Digit signature p tal pattern Polic enforcemen pattern cy nt
You can then configure the schedule of the update. You can define the update based on an hourly, daily, weekly, or monthly interval. If you select weekly, you must specify the day of the week, the time of day, and the length of the update. If you select monthly, you must specify the day of the month.

NOTE Update schedules for the Smart Scan virus pattern are managed at Smart Scan > Integrated Server for the integrated Smart Scan server (see Chapter 5) or through individual server consoles on standalone servers (see Appendix H).
management console. The Server Manual Update page displays a list of components, their version numbers, and the last time they were updated. You can select individual components to update or easily update all components.

Figure 7.6: Starting an On-demand Update for OfficeScan Server Components

Clicking Update at the bottom of the page starts the manual update, and the OfficeScan server immediately contacts the update sources that you have specified and determines which components are out of date and need to be updated. Once these components are identified, the OfficeScan server begins to download the components and reports the progress.

Figure 7.7: Manual Update Progress as Reported by the Management Console

When the components have been downloaded, they are stored in the {Installation Directory}\PCCSRV\Download folder on the OfficeScan server.
NOTE Update sources for the Smart Scan virus pattern are managed at Smart Scan > Integrated Server for the integrated Smart Scan server (see Chapter 5) or through individual server consoles on standalone servers (see Appendix H).

For instructions, see Section 5.5.7 Update Agent Settings on page 149.

If you create software installation packages using the Client Packager, you have the option to designate all clients installed with that particular package to be update agents.

For more information, see Section 6.2.4 Deploy Client Software Using the Client Packager Tool on page 228.
Figure 7.8: Automatic Update Configuration Page for Client Updates

You can configure event-triggered deployment, or you can specify a deployment schedule.

Networked Computers > Client Management > Settings > Privileges and Other Settings > Privileges tab > Component Update Privilege.
When you grant the privilege, the default setting is to enable scheduled update. If the client user disables scheduled update from the client console, updating will not proceed on the update date and time you specified.

To automatically enable scheduled update without client user intervention, go to Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab > Update Settings.

To update networked computer components automatically:
1. Click Updates > Networked Computers > Automatic Update.
2. Select conditions for event-triggered updates.
Optionally include roaming clients if you select clients to update immediately after the
3. Select how often clients with scheduled update privilege will perform updates. If you select Minute(s) or Hour(s), you have the option to Update client configurations only once per day. If you do not select this option, the OfficeScan client retrieves both the updated components and any updated configuration files available on the server at the interval specified. If you select this checkbox, OfficeScan updates only the components at the interval specified, and the configuration files once per day.
Tip Trend Micro often updates components; however, your OfficeScan configuration settings probably change less frequently. Updating the configuration files with the components requires more bandwidth and increases the time OfficeScan takes to complete the update. For this reason, Trend Micro recommends selecting updating client
If you select Daily or Weekly, specify the time of the update and the time period during which the OfficeScan server will notify clients to update components. For example, if your start time is 12 p.m. and the time period is 2 hours, OfficeScan will randomly notify all online clients to update components between 12 p.m. and 2 p.m. This setting prevents too many simultaneous connections to the server at the start time, significantly reducing the amount of traffic directed to the server.

Offline clients will not be notified. Offline clients that come online after the time period expires can still update components if you selected Let clients initiate component update when they restart. Otherwise, they update components on the next schedule or when you initiate a manual update.
4. Click Save.
You cannot select individual components to update. A manual update for clients always checks all components to make sure they are all up to date.

You must select the target clients to which update notifications will be sent.

To manually deploy updates, click Updates > Networked Computers > Manual Update.

The Manual Update page shows all the component versions and the last date and time a component was updated on the server. Clients will update their components to the versions shown. OfficeScan clients will also update their configuration files during a manual update, if any are out of date.

To update networked computer components manually:
1. View the component versions at the top of the page.
2. Choose the target clients. You can update only those clients with outdated components, or manually select any number/combination of OfficeScan domains and individual clients.
Choosing to manually select clients

When selecting this option, the Initiate Update button at the bottom of the page is replaced with a Select button. Click Select to choose clients/domains from the client tree. After selecting the clients you want to update, go Back to the Manual Update page and click Initiate Update.

The server starts the process of notifying each client to download updated components.

NOTE Once updates have been deployed to clients, the components are stored in the C:\Program Files\Trend Micro\OfficeScan Client directory.
Customized update sources can include an update agent or the Trend Micro

Tip Trend Micro recommends using update agents and adding them to the Customized update source list. By configuring clients to receive updates from the agents rather than from the OfficeScan server, you can distribute the task of deploying components. This helps ensure that your clients receive component updates in a timely manner without directing a significant amount of network traffic to your OfficeScan server.

2. If you choose to update from customized update sources, configure the customized update source list.
2.1. To add an update source, click Add. In the page that displays, enter a range of client IP addresses that will receive updates from this source, and then select an update source, such as an update agent or a specific source (using its URL). Click Save.
Edit an update source by clicking the IP range link. Modify the settings in the page that displays and click Save.
To remove an update source from the list, select the checkbox and click Delete.
To move an update source, click the up or down arrow. You may move only one source at a time.

NOTE You may add as many as 1,024 sources to the update-source list.
Update components from the OfficeScan server if all customized sources are not available or not found: If enabled, the client updates from the OfficeScan server.

If the option is disabled, the client then tries connecting directly to the Trend Micro ActiveUpdate server if any of the following is true:

In Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab > Update Settings, the option Clients download updates from the Trend Micro ActiveUpdate Server is enabled.

The ActiveUpdate server (http://osce10-p.activeupdate.trendmicro.com/

4. If unable to update from all possible sources, the client quits the update process.
NOTE Trend Micro recommends using the ActiveUpdate server as the backup source. Forcing all clients to continually update from the Internet-located ActiveUpdate server as the first choice could consume significant network bandwidth. Trend Micro recommends this option only if you cannot update from the OfficeScan server or Update Agents.
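The fallback order described above (customized sources matched by client IP range, then the OfficeScan server if that option is enabled, otherwise the ActiveUpdate server if clients are allowed to use it, and finally giving up) can be modelled as a small resolver. The code below is an added example written for this textbook, not OfficeScan's own update client; the `CustomizedSource`/`UpdateSettings` names, the internal server URL, the IP-range syntax, and the `reachable` set used to simulate failures are assumptions.

```python
"""Added example: resolve which update sources an OfficeScan-style client
should try, in order, given the settings described in the text.
Not Trend Micro code; names and URLs below are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

MAX_CUSTOMIZED_SOURCES = 1024  # limit stated in the NOTE on the customized list


@dataclass
class CustomizedSource:
    """One row of the customized update-source list: IP range -> source URL."""
    ip_range: str   # assumed syntax: CIDR "10.20.0.0/16" or "a.b.c.d-a.b.c.e"
    url: str        # update agent URL or another source URL

    def matches(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if "-" in self.ip_range:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.ip_range.split("-", 1))
            return lo <= ip <= hi
        return ip in ipaddress.ip_network(self.ip_range, strict=False)


@dataclass
class UpdateSettings:
    customized: List[CustomizedSource] = field(default_factory=list)
    # "Update components from the OfficeScan server if all customized sources
    #  are not available or not found"
    server_fallback: bool = True
    # "Clients download updates from the Trend Micro ActiveUpdate Server"
    activeupdate_allowed: bool = False
    server_url: str = "http://officescan.example.internal:8080/"         # assumed
    activeupdate_url: str = "http://osce10-p.activeupdate.trendmicro.com/"  # from the page

    def __post_init__(self) -> None:
        if len(self.customized) > MAX_CUSTOMIZED_SOURCES:
            raise ValueError("at most %d customized sources" % MAX_CUSTOMIZED_SOURCES)


def resolve_update_sources(client_ip: str, settings: UpdateSettings) -> List[str]:
    """Return the ordered list of URLs the client tries; an empty list means
    the client has nowhere to go and quits the update (step 4)."""
    order = [s.url for s in settings.customized if s.matches(client_ip)]
    if settings.server_fallback:
        order.append(settings.server_url)
    elif settings.activeupdate_allowed:
        # Only consulted when the server fallback is disabled, as the text says.
        order.append(settings.activeupdate_url)
    return order


def run_update(client_ip: str, settings: UpdateSettings, reachable: Set[str]) -> Optional[str]:
    """Simulate the update: walk the candidate list and return the first
    reachable source, or None when every source failed (client quits)."""
    for url in resolve_update_sources(client_ip, settings):
        if url in reachable:
            return url
    return None


if __name__ == "__main__":
    branch_agent = CustomizedSource("10.20.0.0/16", "http://agent-branch.example.internal:8080/")
    settings = UpdateSettings(customized=[branch_agent])
    print(resolve_update_sources("10.20.5.7", settings))   # agent first, then server
    print(run_update("10.20.5.7", settings, {settings.server_url}))  # agent down -> server
```

Note that with `server_fallback` disabled and ActiveUpdate not permitted, a client outside every customized range gets an empty list and never updates; that is the silent failure mode the NOTE above is warning about, and it is worth checking in the update logs after changing the customized list.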
NOTE Update agents cannot automatically be rolled back. To roll back an update agent, you will have to manually roll back the pattern file or scan engine and restart the client service.

To roll back the Smart Scan agent pattern, virus pattern, or virus scan engine:
1. Click Synchronize with Server for the component you want to roll back.
1.1. Use the client tree viewer that subsequently appears to select the clients that will roll back the component.
1.2. Click Roll back on the toolbar of the client-tree viewer. You can click Back at the bottom of the page to return to the Rollback page.

Figure 7.12: Selecting Rollback Targets and Initiating the Rollback

2. If an older version of the pattern file exists on the server, you can roll back the pattern file for both the client and the server by clicking Rollback Server and Client Versions.
3. The Rollback Status page informs you that The OfficeScan server has notified the OfficeScan clients installed on the selected computers to roll back components. On this page you can click View Update Logs or click Back. Clicking Back returns you to the main Rollback page.

Lab Exercise 9: Update and Deploy OfficeScan Components
Review Questions
1. For which of the following was the update architecture designed?
a) To maximize throughput
b) To optimize use of bandwidth
c) To use minimum mass storage
d) To put ease of installation before throughput considerations

2. In which of the following ways can you create an update agent?
a) Edit the server's ofcscan.ini file
b) Use the OfficeScan management console to designate an update agent
c) Use the setup wizard to install an update agent
d) Configure an update agent on the client machine

3. When can the server be configured to automatically deploy updates to clients?
a) After a scan
b) After a cleanup
c) When Manual Outbreak Prevention is stopped
d) When it downloads a new component
As the administrator, you may also grant extra privileges to users to allow them to perform additional tasks, such as:

Configure real-time, manual, and scheduled scan settings
Scan POP3 email (also Microsoft Outlook email on Windows XP)
Manually update components
Enable and disable firewall and/or behavior-monitoring features and configure them
Enable and disable notification messages
Install support for Check Point SecureClient

Figure 8.1: Client-Console Menus and Tabs Available When All Privileges Are Assigned

This chapter explains all the options available to a client that has been granted full privileges. The availability of client functions to end users is contingent on the policy settings that the administrator has configured through the management console.

To configure client privileges, see Section 5.5.8 Client Privileges and Other Settings on page 150.
Clients that have been given sufficient privileges can manually unload (stop) the client by right-clicking the OfficeScan system-tray icon and clicking Unload OfficeScan. The OfficeScan service will be stopped and the system-tray icon will disappear.

NOTE If client privileges in the management console have been set to require a password, then you will be prompted for a password before you can turn off the client.

Figure 8.2: Launching the Client Console Using the Icon in the System Tray

NOTE Double-clicking the OfficeScan system-tray icon launches the OfficeScan Client Real-Time Monitor. For more information, see 8.9 > OfficeScan Client Real-Time Monitor on page 284.

Privileges to change scan settings appear under 5.5.8 Client Privileges and Other Settings on page 150, on the Networked Computers > Client Management page.

See Section 5.5.8 Client Privileges and Other Settings on page 150 for more information.

If you give configuration privileges to the client for manual, real-time, and/or scheduled scanning, settings that users make using the local client console will override any group settings you specify in the management console.
Figure 8.3: Manual Scan Settings for Virus/Malware and Spyware/Grayware Engines

There are two types of manual scanning that you may configure from this page. They are selectable using the drop-down menu of the tabbed Manual Scan form:

Virus/Malware Scan
Spyware/Grayware Scan

NOTE On-demand scanning cannot be initiated from this dialog box. These are just the settings that will be used when you do start a scan by selecting target drives/folders and clicking Scan on the tabbed Manual Scan page in the main view of the client console.
IntelliScan is a method of identifying files to scan. For executable files (for example, .ZIP and .EXE), the true file type is determined based on the file content. For non-executable files (for example, .TXT), the true file type is determined based on the file header.

You can choose to exclude specific directories, files, or file extensions from the scan by enabling the exclusion list.
1. Click the Edit button to specify which directories, files, or extensions you want to exclude.
2. Select Enable IntelliTrap to scan for bots.
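The point of "true file type" is that the extension is attacker-controlled while the first bytes of the file are not: a PE executable renamed to invoice.txt still begins with MZ. The block below is an added example written for this textbook, not OfficeScan's IntelliScan implementation; it shows the content-based classification the paragraph describes using a short table of well-known file signatures, and flags files whose extension disagrees with their content. The signature table, type names, and the `inspect` function are this example's own, and the sample files are constructed inline.

```python
"""Added example: classify files by their leading bytes rather than by
extension, and flag extension/content mismatches. Not Trend Micro code;
the signature table and type names are this example's own choices."""
import os
from typing import Dict, List, Tuple

# (magic bytes, offset, type name, counts as executable content)
_SIGNATURES: List[Tuple[bytes, int, str, bool]] = [
    (b"MZ", 0, "pe-executable", True),            # Windows .EXE/.DLL
    (b"\x7fELF", 0, "elf-executable", True),
    (b"PK\x03\x04", 0, "zip-archive", True),      # page groups .ZIP with executables
    (b"%PDF-", 0, "pdf", False),
    (b"\x89PNG\r\n\x1a\n", 0, "png", False),
    (b"\xff\xd8\xff", 0, "jpeg", False),
]

# What a given extension claims the file is (example mapping).
_EXT_TO_TYPE: Dict[str, str] = {
    ".exe": "pe-executable", ".dll": "pe-executable", ".zip": "zip-archive",
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
}


def true_file_type(data: bytes) -> Tuple[str, bool]:
    """Return (type name, is_executable) from the file content alone."""
    for magic, offset, name, is_exec in _SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name, is_exec
    return "unknown", False


def inspect(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the type the extension claims with the type the bytes show.
    A mismatch is reported only when the content is positively identified."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = _EXT_TO_TYPE.get(ext, "text-or-unknown")
    actual, is_exec = true_file_type(data)
    mismatch = actual != "unknown" and claimed != actual
    return {"file": filename, "claimed": claimed, "true_type": actual,
            "executable": is_exec, "mismatch": mismatch}


def select_for_scan(files: Dict[str, bytes], excluded_exts: Tuple[str, ...]) -> List[str]:
    """Apply an extension exclusion list the way an administrator would, but
    never let an excluded extension hide executable content (the case the
    true-file-type check exists for)."""
    chosen = []
    for name, data in files.items():
        info = inspect(name, data)
        excluded = os.path.splitext(name)[1].lower() in excluded_exts
        if not excluded or info["executable"]:
            chosen.append(name)
    return chosen


if __name__ == "__main__":
    # Constructed sample files (headers only; not real programs or images).
    samples = {
        "invoice.txt": b"MZ\x90\x00\x03\x00" + b"\x00" * 16,   # PE disguised as text
        "notes.txt": b"hello world\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
        "report.pdf": b"PK\x03\x04" + b"\x00" * 20,          # zip disguised as pdf
    }
    for n, d in samples.items():
        print(inspect(n, d))
    print(select_for_scan(samples, (".txt", ".jpg")))  # invoice.txt stays in
```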
The ActiveAction dialog box displays the default settings for ActiveAction. You can change the defaults by using the drop-down menus. If at any time you want to reset the defaults for ActiveAction, click Default Actions. If you want all types of malware to be treated identically, select the Use the same action for all virus/malware types checkbox, and configure the single item labeled All types. Choose the action you wish to perform from the drop-down menu. The actions you may select from include: Clean, Quarantine, Delete, Rename, and Pass.
NOTE Not all malware can be cleaned. In fact, cleaning can damage some files, even though it is the recommended action. Trend Micro recommends backing up any file before cleaning it. To save a copy of the file before it is cleaned, select the Back up files before cleaning checkbox. If you select Clean for any malware, you will also need to select an alternative action.

You may select one of two actions to perform in the event that a file is identified as a spyware/grayware threat:

Clean: Cleans
Pass: Action is limited to recording the incident in the spyware/grayware logs for later assessment.
Again, you can create an exclusion list and include scanning for spyware/grayware by marking the checkboxes accompanying the options.
the detected spyware/grayware by terminating processes and/or deleting registry entries, files, cookies, and shortcuts that are associated with the threat.
actions are not taken, but threat-related system operations are halted.

You may also select to display a notification message when spyware/grayware is detected.
Figure 8.7: Scheduled Scan Tab: Virus Scan and Spyware/Grayware Scan Options

When the scheduled scan begins, the client icon in the system tray becomes animated.

After selecting this option, specify the postpone duration. Scheduled Scan can only be postponed once.

Skip this Scheduled Scan. The next Scheduled Scan runs on {date} at {time}.

If you do not have these two privileges, your only option is Run the scan as scheduled.
If Scheduled Scan is already in progress, right-click the OfficeScan client icon on the system tray and select Scheduled Scan Advanced Settings. On the notification window that displays, select one of the following options:

Stop scanning. Restart the scan after __ hours and __ minutes

After selecting this option, specify the amount of time that should elapse before scanning restarts. When scanning starts, all previously scanned files are scanned again. Scheduled Scan can be stopped and then restarted only once.

OfficeScan notifies you of any security risk detected before the scan was stopped. You can also check the logs for security risks detected during Scheduled Scan.

Figure 8.9: On-demand Scanning Using Drag-n-Drop onto the Client Console

If the option is enabled, users can also right-click any file and select Scan with OfficeScan Client from the context menu to immediately scan a file.
privileges.

Settings configured for Manual Scan in the management console will be used if the client does not have privileges. How long the scan will take depends on the number and size of files you chose to scan and on your hardware resources. The CPU usage setting (High or Low) will also affect the scan time. Scanning progress for manual scan is similar to that shown above for drag-and-drop scanning. For virus/malware scans you have the option to pause or stop the scan. For spyware/grayware scans, you have the option to stop the scan only.
Infected Files
A list of infected files is generated at the bottom of the page. You can choose to perform these additional actions:

Virus Info: Gives you access to Trend Micro's online Virus Encyclopedia, where you can learn more about a virus.
Clean: Removes the virus from a file.
Delete: Removes the infected file altogether.
Rename: Changes the extension of the infected file to .vir (or subsequently .vi0, .vi1, and so on if there are more than one) to prevent it from being opened.

Finally, when you are done applying resolution actions, you can clear the list.

NOTE Even if you do not clear the list, the information displayed on the Scan Results tab is deleted when you close the console.
The network card list shows the IP address of all network cards on the client. To edit an OfficeScan firewall policy, select the policy from the list and click Edit.

NOTE To edit a policy and its exception list, the user must have been assigned the associated privileges in the OfficeScan firewall profile settings on the OfficeScan management console. In other words, the client must fit the criteria of an existing profile and that profile must assign the privilege. For more information, see Chapter 9: OfficeScan Firewall on page 287.
The security level specifies which traffic will be blocked. The three levels you can choose from, low, medium, and high, are delineated in the chart below:

Security Level    Incoming Traffic    Outgoing Traffic
Low               Allow               Allow
Medium            Block               Allow
High              Block               Block
For more information on firewall security levels, see Chapter 9: OfficeScan Firewall on page 287.

The exception rule list allows users to make exceptions to the firewall policy by allowing or blocking specific types of traffic. Select the exception you wish to modify, then click the button for the action you wish to perform. You may also change the order in which exceptions are listed. Exceptions are read top-down. Action is taken on the first match. If you choose to edit an exception, the Exception Rule dialog box appears.

Define exceptions by choosing to allow or block traffic based on these criteria:

Direction of traffic (incoming or outgoing)
Protocol (TCP, UDP, ICMP, TCP/UDP, or all)
Ports (allowed port range is between 1 and 65535)
Computers (identified by host name or IP address)

Traffic is matched to the exception list first (top-to-bottom), then to the security level.

NOTE If you are running Trend Micro Control Manager on your network, you should add an exception to the list allowing the ports for Vulnerability Assessment and DCS (ports 20901 and 137-139) to remain open.
OfficeScan cleans infected files in email messages and performs the alternative action if an infected file is uncleanable.

Selecting Clean also allows you to select Clean infected compressed files. If you select this option, OfficeScan first cleans an infected compressed file and then performs the alternative action if the compressed file is uncleanable. If you do not select this option, OfficeScan performs the alternative action on infected compressed files.

If you select Delete, OfficeScan automatically deletes infected files in email messages, including infected compressed files. In place of a deleted file is a file named "TmWarn.txt" that provides information about the deleted file.

If you select Pass, OfficeScan does not perform any action on infected files in email
To configure Microsoft Outlook mail scan:
1. Click Install/Upgrade. In the confirmation page that appears, click Yes. The client connects to the server and downloads the module.
2. After installation, the Scan Now button becomes active and the Outlook Mail Scan console appears (shown in the figure below).
3. Your system is automatically configured to scan incoming Outlook messages.

WARNING! Outlook Mail Scan does not use the same scan engine as the rest of the OfficeScan client. To ensure that the mail scan engine is up to date, you must periodically check for updates by clicking the Install/Upgrade button on the Mail Scan tab (shown in the figure above) or by clicking the Update Virus Scan Engine button on the Outlook Mail Scan console (see the figure below).

To scan your Outlook folders:
1. On the Mail Scan tab (see the figure above), click Scan Now. The Outlook Mail Scan console appears, the program logs into your mail account, and then displays your mail folders as depicted in the figure below.
2. Select the folders that you want to scan by clicking the checkboxes next to the folder names. The Scan Now button becomes active.
3. Under Scan action, select an action to perform in the event a threat is detected. (OfficeScan cannot quarantine infected messages and attachments.)
4. You may update your scan engine before scanning to increase the detection rate of the engine.
4.1. Click Update Virus Scan Engine.
4.2. If you use a proxy server to connect to the Internet, select the Use a proxy server checkbox and enter your proxy information.
4.3. Click Update Now. The client connects to the server and checks for scan engine updates. If an update is available, Outlook Mail Scan will automatically download it.
5. Click Scan Now. When the scan is complete, a page appears displaying the number of messages scanned and the number of threats detected.

This tabbed page displays your lists of approved and blocked programs. Programs in the approved-programs list can be started even if they attempt to make monitored system changes. Programs in the blocked-programs list can never be started. Users can add a maximum of 100 approved and 100 blocked entries.

Figure 8.17: The Client Console Behavior Monitoring Tab & Approved Programs List

To add or remove a program from either list, click the corresponding Approved Programs or Blocked Programs button on the Behavior Monitoring tab. Then, use the add-and-remove dialog to enter the full path to the target program(s) (or browse to them) and add them to the selected list. Listed programs may be removed one at a time by selecting a program from the list-display area and clicking Remove. When the notification permission is enabled by an administrator using the management console, the OfficeScan client displays a notification when behavior monitoring halts or blocks programs.

Figure 8.18: Client Notification Message of an Event Blocked by Behavior Monitoring
To obtain a report, first select whether you want to view virus or firewall logs. Next, specify the start and end dates. Finally, click the View Logs button. A log page displays this information:

Log Type
Date and Time
Virus Name
Scan Type
Result
Detail

NOTE An alert will appear if there are no logs for the dates you specify.

To conserve disk space, you can configure OfficeScan to automatically delete old logs. Just specify the number of days (1 to 15 for virus logs or 1 to 7 for firewall logs) after which you want the report to be deleted. The Log Report tab also enables you to configure the automatic deletion of log files through the Options page.

NOTE The logs will be deleted automatically after the maximum time period has passed. You also have the option to delete log files on demand.
If you have the proper privileges, you can disable a scheduled update. Right-click the client icon and select Disable Scheduled Update. This option acts as a toggle, so to reactivate the update, right-click the client icon and select Enable Scheduled Update.

including the last files scanned and the last threats found
Scan statistics, including the total number of files scanned and the number infected
Scheduled scan settings, including when it is scheduled to run
Lab Exercise 10: Configure Settings on the Client Console
Review Questions
1. What does the client mail scan utility scan?
a) Netscape Messenger folders
b) Eudora Pro folders
c) Outlook Express folders
d) Email in real-time

2. When will manual scan settings configured in the OfficeScan management console override client console settings?
a) During a virus outbreak
b) When CPU usage is set to High
c) Whenever a setting conflicts
d) When the client does not have the privilege to configure manual scans

3. If you run a DCS cleanup, which of the following does it NOT clean?
a) Unwanted registry entries created by worms or Trojans
b) Memory resident worms or Trojans
c) Garbage and viral file drops by worms or Trojans
d) Viruses discovered in the Program Files directory
New starting from OfficeScan 10.5, the OfficeScan firewall is also integrated with the Unauthorized Change Prevention Service module to provide application-lookup services that, when enabled, determine whether an application attempting to send or receive data is on the local approved-applications list or (optionally) on a global approved-applications list maintained directly by Trend Micro. When the OfficeScan firewall detects that an approved-application filtering list rule is relevant to the inspection of a connection attempt, the firewall calls on the Unauthorized Change Prevention Service to query the local list and then (if configured) the global list. Local exceptions take priority over global exceptions.
Firewall Policies
The firewall policies are those you define using the OfficeScan management console (including separate policies for Outbreak Prevention), the OfficeScan client console, or the Trend Micro Control Manager management console (Outbreak Prevention policies apply). Firewall policies allow you to block incoming or outgoing traffic entirely. You can also create exception lists to allow specific types of traffic through the firewall based on:

Direction (inbound/outbound)
Transport-layer protocol (TCP/UDP/ICMP)
Port number
Source/destination IP address
Application
Profile definitions allow you specify the clients to which a policy should be applied.
Application Filtering
Introduced as a new feature in OfficeScan 10.5, application filtering allows you to add application criteria to firewall exception rules. Application information can be used by the OfficeScan firewall in three different forms:

Individualized exception rule
Reference to the local approved-applications list
Reference to the Trend Micro global approved-applications list
Application-level firewall control is important for providing security in what some people refer to as an "everything over HTTP" world, where unwanted and dangerous applications alike are specifically designed to communicate using standard protocol/port combinations so that their packet-header profiles are indistinguishable from legitimate traffic. Restricting network communication to approved applications, in addition to traditional port/protocol rules, tightens network traffic control considerably. It provides you with an extra layer of criteria by which you can establish granular control over your network security posture. You can, for example, create a policy that permits specified network traffic (say, FTP traffic) from one kind of application but prohibits that same type of traffic from all other applications. Conversely, you can create rules that prohibit traffic only if the application is specified. You can also choose whether to filter traffic based on the local-network version of the approved-applications list. You can additionally enable clients that have Internet access to check the global Firewall Approved Applications list, which is dynamically updated and maintained directly by Trend Micro. As described at the start of this chapter, the firewall consults the local list first and then (if configured) the global list, and local exceptions take priority over global exceptions.
IDS rules and the protocol each applies to, as listed in the table on this page:

Intrusion          Protocol
Ping of Death      ICMP
Conflicted ARP
Syn Flood          TCP
Teardrop           UDP, IP
Fragmented IGMP    IGMP
LAND Attack        TCP/UDP
You can en nable or disabl IDS withou disabling th OfficeScan firewall. The IDS rules are not le ut he user-defina able. However updates to th r hose rules are made by Tren ndLabs and ar embedded i the re in common fi irewall driver. You can update the comm firewall dr mon river from the Trend Micro e o ActiveUpd server. date
Incoming Traffic
Incoming data first undergoes scanning via the Intrusion Detection System (IDS); if it does not meet the set criteria, it is blocked; otherwise, it proceeds to Firewall Policies and, if it passes that scrutiny, it moves to the last step, Network Virus Scanning. If the data packets are clean, the client can accept the data.
Outgoing Traffic
When data is leaving the client, the process chronology is slightly different. First, it must pass IDS, then the Firewall Policies, and finally the Network Virus Scanning. As with incoming data, the packets can be blocked at any of these stages if they do not meet the criteria.
NOTE: The only action OfficeScan firewall components can take is to block packets and log the event. Blocked packets are dropped.
Client console settings are described in Chapter 8: OfficeScan Client User Interface on page 265.
To configure the OfficeScan firewall, you specify settings for policies and profiles. Policies define rules and settings, while profiles determine to whom the policies apply. In addition to setting policies and profiles, you can:
- Create an exception list template
- Configure Firewall Outbreak Monitor
If the personal firewall module cannot read any policy (if, for example, a policy is corrupt or the policy file is missing or can't be read), it uses the default settings shown below.
Firewall Setting            Status
Security Level              Low
Enable Firewall             Enabled (which also enables Network Virus Scanning)
IDS                         Disabled
Alert Message               Disabled
Approved-applications list  Disabled
Exception List              Disabled
Click Add to create a new policy (shown in the figure below); or, to edit an existing policy, choose the policy and click Edit.
To create a policy, perform these basic procedures:
1. Enter a policy name
2. Select a security level
3. Enable/disable the firewall, IDS, and/or alert message options
4. Enable/disable application filtering based on the approved-applications list
5. Configure the exception list
Security Level
The security level specifies which traffic will be blocked. The table below identifies the three levels you can choose from: low, medium, and high.
Security Level   Incoming Traffic   Outgoing Traffic
Low              Allow              Allow
Medium           Block              Allow
High             Block              Block
NOTE: On the medium setting, the firewall allows both incoming and outgoing trace-route (ping) echo-request packets, unless you set an exception that blocks incoming ICMP traffic.
Even on the high security level, two ports will remain open:
The DHCP Port: At startup, the client uses port 67 to request an IP address from a DHCP server; port 68 receives the answer. The firewall leaves an opening for these two ports to enable the performance of network functions.
The Trusted Port: This port must be left open since the client receives commands from the server via this port.
NOTE: If you enable Outbreak Prevention from the management console and select to block the trusted port, client communication will be blocked for the duration of Outbreak Prevention.
Important: Only clients that have enabled the Unauthorized Change Prevention Service, OfficeScan Firewall Service, and Certified Safe Software Services will be able to use the global firewall approved-applications list.
Exception Lists
The security level settings can be overridden by the exception list. To add exceptions to a policy, click Add under the Exception in the policy editor. Define exceptions by choosing to allow or block traffic based on the following criteria:
- Application
- Direction of traffic (incoming or outgoing)
- Protocol (TCP, UDP, ICMP, TCP/UDP, or all)
- Port (allowed port range is between 1 and 65535)
- Computers (identified by host name or IP address)
In evaluating traffic, the OfficeScan firewall checks packet profiles against the exception list entries first (in a top-down flow) and then against the security level.
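The decision order just described (exception-list entries top-down, first match wins, then the policy's security level) can be modelled directly. The following Python is an added example written for this edit of the textbook, not OfficeScan code: the class and function names, the packet fields, and the sample policy are assumptions; the security-level defaults and the Medium-level ICMP behaviour come from the table and note in this section, and the Control Manager ports come from the note that follows.

```python
"""Model of the OfficeScan firewall decision order described in this chapter:
exception-list entries are checked top-down (first match wins); only if none
matches does the policy's security level decide.  Added example, not Trend
Micro code; all names below are assumptions made for the illustration."""
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

# Security-level defaults from the chapter's table.
SECURITY_LEVELS = {
    "low":    {"incoming": "allow", "outgoing": "allow"},
    "medium": {"incoming": "block", "outgoing": "allow"},
    "high":   {"incoming": "block", "outgoing": "block"},
}


@dataclass(frozen=True)
class Packet:
    direction: str     # "incoming" or "outgoing"
    protocol: str      # "tcp", "udp" or "icmp"
    port: int          # 1..65535; 0 for ICMP, which has no port
    peer: str          # remote host name or IP address
    application: str   # local program that owns the connection


@dataclass(frozen=True)
class ExceptionRule:
    """One exception-list entry built from the five criteria the chapter lists."""
    action: str                                   # "allow" or "block"
    direction: str = "all"                        # "incoming", "outgoing", "all"
    protocol: str = "all"                         # "tcp", "udp", "icmp", "tcp/udp", "all"
    ports: Optional[Sequence[int]] = None         # None = any port
    peers: Optional[frozenset] = None             # None = all computers
    application: Optional[str] = None             # None = any application

    def matches(self, p: Packet) -> bool:
        if self.direction != "all" and self.direction != p.direction:
            return False
        if self.protocol == "tcp/udp":
            if p.protocol not in ("tcp", "udp"):
                return False
        elif self.protocol != "all" and self.protocol != p.protocol:
            return False
        if self.ports is not None and p.port not in self.ports:
            return False
        if self.peers is not None and p.peer not in self.peers:
            return False
        if self.application is not None and self.application != p.application:
            return False
        return True


def port_range(lo: int, hi: int) -> range:
    """Validate a port span against the 1..65535 limit the chapter states."""
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range {lo}-{hi} outside 1-65535")
    return range(lo, hi + 1)


def decide(level: str, exceptions: Iterable[ExceptionRule], p: Packet) -> str:
    """Return 'allow' or 'block' for one packet under a policy."""
    # 1. Exception list, top-down: the first matching entry decides.
    for rule in exceptions:
        if rule.matches(p):
            return rule.action
    # 2. Otherwise the security level decides.  On Medium the chapter's note
    #    says ICMP echo traffic passes in both directions unless an exception
    #    blocks it; such an exception would already have matched in step 1.
    if level == "medium" and p.protocol == "icmp":
        return "allow"
    return SECURITY_LEVELS[level][p.direction]


# Constructed sample policy (not a default OfficeScan policy): FTP control
# traffic permitted only for one program, blocked for every other program,
# plus the Control Manager ports the chapter's note asks to keep open.
FTP_ONLY_FROM_ONE_APP = [
    ExceptionRule("allow", "outgoing", "tcp", port_range(21, 21), application="ftp.exe"),
    ExceptionRule("block", "outgoing", "tcp", port_range(21, 21)),
    ExceptionRule("allow", "incoming", "tcp/udp", port_range(20901, 20901)),
    ExceptionRule("allow", "incoming", "tcp/udp", port_range(137, 139)),
]
```

Because entries are evaluated top-down, the order of the first two rules matters: swapping them makes the general block rule match first and the application-specific allow is never reached, which is the usual cause of an exception "not working".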
NOTE: If you are running Trend Micro Control Manager, you should add an exception that allows the ports for Vulnerability Assessment and Damage Cleanup Services (DCS) (ports 20901 and 137-139) to remain open.
Clicking Add, or choosing an exception and clicking Edit, opens the Edit Exception page, shown above. Saving the settings on that page adds the exception to the list or updates the exception that you chose.
Default Policies
The policies below, which are detailed in the accompanying tables, are created when OfficeScan is installed.
All-Access Policy
You can use this policy if you want to provide all clients with unrestricted access to the network.
Policy Detail           Setting
Security Level          Low (all traffic allowed)
Enable Firewall         Enabled
IDS                     Disabled
Approved Applications   Disabled
Exceptions              None
NOTE: If you do not change the firewall policy, the OfficeScan firewall will use the All-Access Policy by default.
Cisco Trust Agent for Cisco NAC Policy
Policy Detail           Setting
Security Level          Low (all traffic allowed)
Enable Firewall         Enabled
IDS                     Disabled
Approved Applications   Disabled
Exceptions              Allow in/outbound UDP port 21862 traffic for all clients
Table 9.5: Cisco Trust Agent for Cisco NAC Policy Settings

Communication Ports for Trend Micro Control Manager
You
Policy Detail           Setting
Security Level          Low (all traffic allowed)
Enable Firewall         Enabled
IDS                     Disabled
Approved Applications   Disabled
Exceptions              Allow in/outbound TCP/UDP port 80 traffic for all clients
Table 9.6: Communication Ports for Control Manager Policy Settings

ScanMail for Microsoft Exchange Console
You
Policy Detail           Setting
Security Level          Low (all traffic allowed)
Enable Firewall         Enabled
IDS                     Disabled
Approved Applications   Disabled
Exceptions              Allow in/outbound TCP port 16372 traffic for all clients
Table 9.7: ScanMail Console Policy Settings

InterScan Messaging Security Suite Installation
You
Policy Detail           Setting
Security Level          Low (all traffic allowed)
Enable Firewall         Enabled
IDS                     Disabled
Approved Applications   Disabled
Exceptions              Allow in/outbound TCP/UDP port 80 traffic for all clients
Settings: All-access policy; Unspecified
Adding a Profile
To edit a profile or define a new one using the OfficeScan management console, click Networked Computers > Firewall > Policies in the navigation column.
Click Add to create a new profile, or choose an existing profile and click Edit to modify it.
Tip: Administrators with full management permissions can optionally enable the option to Overwrite client security level exception list. Selecting this option replaces any customized client profile settings with the server settings.
You may also limit the scope of user privileges by selecting whether to allow end users the ability to change (that is, override) the security level established or edit the exception list as defined by the associated policy.
Figure 9.10: Firewall Alternate Reference Server List Page
The Reference Server List is used only when (a) it is enabled, and (b) the client cannot communicate with the OfficeScan server. If the OfficeScan client cannot contact either the OfficeScan server or one of the alternate servers, only then does the OfficeScan firewall implement its offline policy.
To manage the alternate server list:
1. On the toolbar of the Networked Computers > Firewall > Profiles page, click Edit Reference Server List.
2. Select the Enable the Alternate Server list option, or verify that it is selected.
3. To add a computer to the list, click Add.
4. Enter the IP address, NetBIOS name, or fully qualified domain name (FQDN) of the alternate server.
5. Type the port through which clients communicate with this computer.
6. Click Save.
To edit an alternate server on the list, click the computer name. Modify the computer name or port; then click Save.
To remove an alternate server from the list, select the checkbox next to the computer name;
of reference servers, click Assign to Clients.
You can set separate criteria for the number of IDS logs, OfficeScan firewall logs, and Network Virus Scanning logs. Each individual log represents a violation of policy. Choose a time in hours and a number of logs for each component that you want to be considered an outbreak.
Figure 9.13: Outbreak Notification Configuration for Firewall Violations
You can configure the criteria that determine an outbreak. You also configure who will receive notifications and how.
NOTE: In actual messages, the variable %A is replaced by the alert's name from the logs; %T is replaced by the number of hours, and %C is replaced by the number of logs. See Appendix A: Notification Tokens for a list of tokens that can be used in notification messages.
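The outbreak criteria and the token substitution described above amount to a sliding-window count per component. The Python below is an added example written for this edit, not OfficeScan code: the log line format, the component names, the threshold values and the message template are constructed for the illustration; only the %A, %T and %C token meanings and the "hours plus number of logs" criteria come from this section.

```python
"""Outbreak criteria for firewall violations, as an added example (not
OfficeScan code): count each component's violation logs inside a time window
and, when the count reaches the configured number, build the notification
text by expanding the %A, %T and %C tokens the chapter's note describes."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (not real OfficeScan output), one per
# violation: time, component, client, alert name.
SAMPLE_LOGS = """\
2010-08-02 09:30:00,IDS,pc-01,SYN Flood
2010-08-02 11:10:00,IDS,pc-02,SYN Flood
2010-08-02 11:40:00,IDS,pc-03,SYN Flood
2010-08-02 11:55:00,IDS,pc-04,Ping of Death
2010-08-02 11:20:00,Firewall,pc-02,Blocked TCP 445
2010-08-02 11:50:00,Firewall,pc-05,Blocked TCP 445
2010-08-02 10:05:00,NetworkVirus,pc-06,Network virus detected
"""

# The moment at which the sample is evaluated (constructed).
SAMPLE_NOW = datetime(2010, 8, 2, 12, 0, 0)

# Per-component criteria in the chapter's terms: a span in hours and the
# number of logs within that span that counts as an outbreak (values assumed).
CRITERIA: Dict[str, Tuple[int, int]] = {
    "IDS": (1, 3),
    "Firewall": (1, 5),
    "NetworkVirus": (2, 2),
}

# Assumed message template; only the token names come from the chapter.
TEMPLATE = "Outbreak: %C %A violations in the last %T hour(s)"


def parse_logs(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed CSV-style lines; skip blank or malformed ones."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        entries.append((when, parts[1], parts[2], parts[3]))
    return entries


def count_in_window(entries, component: str, hours: int, now: datetime) -> Counter:
    """Alert-name counts for one component inside [now - hours, now]."""
    start = now - timedelta(hours=hours)
    return Counter(alert for when, comp, _client, alert in entries
                   if comp == component and start <= when <= now)


def evaluate(entries, criteria, now: datetime) -> Dict[str, int]:
    """Return the in-window log count for every component whose count has
    reached its threshold, i.e. the components currently in outbreak."""
    outbreaks = {}
    for component, (hours, needed) in criteria.items():
        total = sum(count_in_window(entries, component, hours, now).values())
        if total >= needed:
            outbreaks[component] = total
    return outbreaks


def render(template: str, component: str, entries, criteria, now: datetime) -> str:
    """Expand %A (most frequent alert name in the window), %T (hours) and
    %C (log count) for one component."""
    hours, _needed = criteria[component]
    counts = count_in_window(entries, component, hours, now)
    alert = counts.most_common(1)[0][0] if counts else "unknown"
    return (template.replace("%A", alert)
                    .replace("%T", str(hours))
                    .replace("%C", str(sum(counts.values()))))
```

Note that the 09:30 IDS entry in the sample falls outside the one-hour window and is not counted; a violation burst is only an outbreak when it is dense in time, which is what the "hours" half of each criterion expresses.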
For more information about OfficeScan firewall logs, see Chapter 11: Logs on page 329.
NOTE: If the log count exceeds 50,000, OfficeScan will no longer write additional log content or count logs.
Review Questions
1. Which two modules combine to create the OfficeScan firewall?
   a) Policy and procedure modules
   b) Personal firewall and common firewall modules
   c) Security and exception modules
   d) Incoming and outgoing traffic modules
2. Which of the following CANNOT be configured?
   a) Alert message
   b) Firewall policies
   c) Network virus scan
   d) Firewall profiles
3. Which of the following correctly associates the data flow type with its correct sequence of checks?
   a) Incoming: firewall policies, IDS, Network Virus Scanning
   b) Incoming: IDS, Network Virus Scanning, firewall policies
   c) Outgoing: firewall policies, IDS, Network Virus Scanning
   d) Outgoing: Network Virus Scanning, IDS, firewall policies
4. Which of the following is a profile NOT based on?
   a) Security level
   b) IP address
   c) Platform
   d) User ID
5. Which of the following is NOT a way to configure changes in the OfficeScan firewall?
   a) From the OfficeScan Management Console
   b) From the Outbreak Prevention Policy module in TMCM
   c) From the Client Console
   d) From the Rule Set Generator
6. Which of the following security levels is correctly associated with incoming and outgoing traffic?
   a) Low security: incoming blocked; outgoing blocked
   b) Medium security: incoming allowed, outgoing blocked
   c) Medium security: incoming blocked, outgoing allowed
   d) High: incoming allowed; outgoing allowed
NOTE: Some tools available in previous versions of OfficeScan are no longer distributed. If you require these tools, contact technical support.
Client Tools
Client Packager (ClnPack.exe): Creates a self-extracting file containing the OfficeScan client software and components
Image Setup Utility (imgsetup.exe): Helps you use hard drive imaging technology to deploy the client
Restore Encrypted Virus (VSEncode.exe): Opens infected files that the OfficeScan client has encrypted
Client Mover (IpXfer.exe): Moves client membership from one server to another
Touch Tool (TmTouch.exe): Changes the time stamp on a hot fix to automatically redeploy it
ServerProtect Normal Server Migration (SPNSXfr.exe): Detects installed ServerProtect Normal Servers and migrates them to the OfficeScan client
Trend Micro Performance Tuning Tool: Prevents performance issues with OfficeScan features by identifying system-intensive applications for inclusion in the Behavior Monitoring Exception list
NOTE: You cannot run these tools from the management console. For instructions on how to run the tools, see the sections below.
To view a descriptive list of these tools in the management console, click Tools > Administrative Tools or Tools > Client Tools in the navigation column of the management console.
The links on these pages open help files that explain how to use the tools. The tools themselves are located in the %ProgramFiles%\TrendMicro\OfficeScan\PCCSRV\Admin\Utility folder on the OfficeScan server. You cannot launch these tools directly using the management console.
This chapter describes how to use:
- Vulnerability Scanner
- Server Tuner tool
- Restore Encrypted Virus tool
- Client Mover tool
- Touch Tool
- ServerProtect Normal Server Migration tool
The other tools listed (namely the Login Script Setup, the Client Packager, and the Image Setup tools) are described in Chapter 6: Client Software Deployment on page 219. This chapter will also describe the Scheduled Update Configuration tool, which the pages shown above do not list and which is used for update-agent deployments prepared using the Client Packager.
To determine if a computer is protected with antivirus software, Vulnerability Scanner connects to ports that are normally used by antivirus solutions. Vulnerability Scanner can perform these functions:
Listen for DHCP requests and scan computers as they come onto the network Ping computers on your network to check their status and retrieve their computer names,
Microsoft Exchange, InterScan products, PortalProtect, PC-cillin, and HouseCall Pro real-time scanner
Third-party antivirus solutions such as Norton AntiVirus Corporate Edition 7.5 and
2003/2008
It cannot install the OfficeScan client remotely on computers running Windows XP Home, Windows Vista/7 Home Basic, and Windows Vista/7 Home Premium, or on computers with other antivirus products installed.
Vulnerability Scanner does not install OfficeScan clients on a computer already
NOTE: You can use Vulnerability Scanner on machines running Windows NT software, but not if Terminal Server is running.
10.2.2 Configuring the Settings for Vulnerability Scanner
To configure what you want the Vulnerability Scanner to search for, click Settings. The Settings page appears.
If you want the Vulnerability Scanner to detect PC-cillin as well as other antivirus products, you must disable ping and verify that the port settings are correct for your other antivirus products. The Vulnerability Scanner always checks for PC-cillin in the UDP traffic on port 40116. ServerProtect and the McAfee VirusScan ePolicy Orchestrator also use hard-coded port numbers. To change the port numbers of the other products, either type the port number in the field or, for Norton AntiVirus Corporate Edition and Trend Micro InterScan products, click the Settings button next to that product name. The Settings button brings up a dialog box that enables you to verify the port numbers that Vulnerability Scanner will check for each product. To enter multiple port numbers, separate the port numbers with a comma.
NOTE: You must have an SMTP mail server for the Vulnerability Scanner to send email alerts.
If you select Display alert on unprotected computers, you can click the Customize button to define an alert message for unprotected computers.
If you want to send a log to the OfficeScan server, select the Report log to OfficeScan server checkbox.
You can export the scan results to a .csv file by clicking the Export button.
The configuration settings in this dialog are mostly self-explanatory. Under Task Name, enter a name for the task you are creating. Under IP Address Range, enter the IP address range that you want to check for installed antivirus solutions and unprotected computers. Under Task Schedule, define a start time, using the 24-hour format. Then select a frequency for the task you are creating: Daily, Weekly, or Monthly.
Under Settings, select Use current settings to use your existing settings, or select Modify settings if you want to change the configuration. If you select Modify settings, click the Settings button to change the configuration. The Settings window appears. After you modify the settings, click OK to return to the Scheduled Task dialog box. The task appears under Scheduled Tasks in the main Vulnerability Scanner window.
To modify these settings, complete these steps:
1. Use a text editor to open the TMVS.ini file.
2. To enable the debug log, change the value from Debug=0 to Debug=1.
3. To set the number of computers that the Vulnerability Scanner simultaneously pings, change the value for EchoNum. Specify a value between 1 and 64. For example, EchoNum=64 allows the Vulnerability Scanner to ping 64 computers at the same time.
4. To set the number of computers that the Vulnerability Scanner simultaneously checks for antivirus software, change the value for ThreadNumManual. Specify a value between 8 and 64. For example, ThreadNumManual=50 allows the Vulnerability Scanner to check 50 computers at the same time.
5. To set the number of computers that the Vulnerability Scanner simultaneously checks for antivirus software when running scheduled tasks, change the value for ThreadNumSchedule. Specify a value between 8 and 64. For example, type ThreadNumSchedule=58 if you want the Vulnerability Scanner to simultaneously check 58 computers whenever it runs a scheduled task.
6. To set the number of computers that the Vulnerability Scanner simultaneously checks for antivirus software when running the tool at the command prompt, change the value for ThreadNumSilent. Specify a value between 8 and 64. For example, type ThreadNumSilent=60 if you want the Vulnerability Scanner to check 60 computers at the same time when run from the command prompt.
7. Save and close the TMVS.ini file.
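Because the tool does not report an out-of-range value, it is worth checking a hand-edited TMVS.ini against the limits in steps 2 to 6 before saving it. The following Python is an added example written for this edit, not a Trend Micro tool: the key names and ranges are the ones the steps above give, while the [Settings] section header in the sample file is an assumption (the procedure names only the keys, not the file's sections).

```python
"""Checker for the TMVS.ini values this procedure edits.  Added example,
not a Trend Micro tool; the [Settings] section name in the sample is an
assumption, since the procedure names only the keys."""
import configparser
from typing import Dict, List, Tuple

# Allowed ranges exactly as the procedure states them (Debug is 0 or 1).
LIMITS: Dict[str, Tuple[int, int]] = {
    "Debug": (0, 1),
    "EchoNum": (1, 64),
    "ThreadNumManual": (8, 64),
    "ThreadNumSchedule": (8, 64),
    "ThreadNumSilent": (8, 64),
}

# Constructed sample file; two values are deliberately out of range.
SAMPLE_INI = """\
[Settings]
Debug=0
EchoNum=100
ThreadNumManual=50
ThreadNumSchedule=58
ThreadNumSilent=4
"""


def load_values(text: str) -> Dict[str, str]:
    """Collect the known keys from every section, keeping their case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # the keys are CamelCase; do not lower-case
    parser.read_string(text)
    found = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            if key in LIMITS:
                found[key] = value
    return found


def validate(text: str) -> List[str]:
    """Return one message per value that is not an integer inside its range."""
    problems = []
    for key, value in load_values(text).items():
        lo, hi = LIMITS[key]
        try:
            n = int(value)
        except ValueError:
            problems.append(f"{key}={value!r} is not an integer")
            continue
        if not lo <= n <= hi:
            problems.append(f"{key}={n} outside {lo}-{hi}")
    return problems


def set_value(text: str, key: str, new: int) -> str:
    """Rewrite one key=value line in place (e.g. Debug=0 to Debug=1),
    refusing out-of-range values and leaving every other line untouched."""
    lo, hi = LIMITS[key]
    if not lo <= new <= hi:
        raise ValueError(f"{key}={new} outside {lo}-{hi}")
    out, replaced = [], False
    for line in text.splitlines():
        name, sep, _old = line.partition("=")
        if sep and name.strip() == key:
            out.append(f"{key}={new}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        raise KeyError(f"{key} not present in file")
    return "\n".join(out) + "\n"
```

Running validate() on the sample flags EchoNum=100 and ThreadNumSilent=4; after set_value() corrects both, the file passes.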
If you type an incorrect IP address range, the Vulnerability Scanner will not display an error message. However, if the debug log is enabled, OfficeScan will record the error in the debug log (TMVS debug). (For more information about enabling the debug log, see Chapter 12: Troubleshooting on page 341.) Save the file with a .txt extension in the {installationpath}\PCCSRV\Admin\Utility\TMVS folder. For example, you can save the text file as IPadd.txt. Open a command prompt and then go to the TMVS folder. Type the following command:
The Vulnerability Scanner checks computers with the IP addresses you specified. The results are saved in the Results.csv file, which is created in the TMVS folder.
Under Download, you can modify the following settings based on your network traffic:
Timeout for clients        Specifies the length of time the OfficeScan server will wait for the client to acknowledge that the update was successful
Timeout for update agent   Specifies the length of time the OfficeScan server will wait for the update agent to acknowledge that the update was successful
Retry Count                Specifies how many times the server will try to update a client
Retry Interval             The number of minutes that the OfficeScan server will wait before checking the update queue
Under Buffer, you can modify the following settings based on your network traffic:
Event Buffer   Used in reporting client status
Log Buffer     Used in reporting detected viruses
If a large number of clients are reporting to the OfficeScan server, you may want to increase the size of the buffers. However, before you increase buffer settings, you should ensure that the OfficeScan server has enough memory to handle the new settings.
Under Network Traffic, you specify the number of clients that the server will notify about updates at the same time. However, before any of these clients are notified, the update agents receive their updates. Set the Timeout for update agent setting with enough time for all your update agents to receive their updates before clients are notified. The default setting is 10 minutes. You may need to increase that setting if your network is very large.
Define normal, off-peak, and peak hours (see the figure above). For example, peak hours for your company may be between 10 a.m. and 2 p.m. There are two separate Maximum Connections settings for normal, off-peak, and peak hours: one for clients that receive their updates from an Other Update Source (OUS) and one for clients that receive their updates from the server. OUS include update agents, the Trend Micro ActiveUpdate Server, and internal update web pages. Configure the maximum number of OUS and server connections for each of the three time periods.
The server notifies clients that updates are available. The clients then attempt to update from their designated update source, whether that is the server or an OUS. OUS clients and server clients will try to update from their various update sources simultaneously. The number of clients in your network and your network resources will determine the best Timeout for client setting. The Timeout for client, Retry count, and Retry interval settings work together with the Maximum Connections settings as follows (if the defaults shown in Figure 10.9 are used as an example):
- The server will wait up to 30 minutes for all the clients it notified in a group to complete their updates.
- After the 30-minute timeout, if even one client has not reported back successfully, the server will then retry with that client before notifying the next group of clients.
- The server will wait 15 minutes before attempting to update the client again. If the client still has a problem, the server will retry up to 5 times, in 15-minute intervals, to update the client before notifying the next group of clients.
Under the default settings, then, if a single client has difficulty updating, it could delay the notification of the next group of clients for as long as an hour and a half. In large networks, you may want to experiment with smaller Maximum Connections settings, shorter timeouts, and fewer retries to find the settings that update your clients as securely and rapidly as possible.
To use Gateway Settings Importer:
1. Prepare a file containing the list of gateway settings. On each line, type an IP address and optionally type a MAC address. Separate IP addresses and MAC addresses by a comma. The maximum number of entries is 4096. For example:
10.1.111.222,00:17:31:06:e6:e7
10.1.111.223
10.1.111.224,00:17:31:06:e6:e7
2. On the server computer, go to {installpath}\PCCSRV\Admin\Utility\GatewaySettingsImporter and launch GSImporter.exe.
NOTE: You cannot run the Gateway Settings Importer tool from Terminal Services.
3. On the Gateway Settings Importer page, browse to the file created in Step 1 and click Import.
4. Click OK. The gateway settings display on the Computer Location page and the OfficeScan server deploys the settings to clients.
5. To delete all entries, click Clear All. If you only need to delete a particular entry, remove it from the Computer Location page.
6. To export the settings to a file, click Export All and then specify the file name and type.
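Since the imported settings are deployed to every client (step 4), a malformed list is worth catching before import. The following Python is an added example written for this edit, not Trend Micro's GSImporter.exe: it checks the file format described in step 1 (one IPv4 address per line, an optional MAC address after a comma, at most 4096 entries) and reports every bad line with its line number. The sample file reuses the three example lines from step 1; the function names and the error wording are assumptions.

```python
"""Pre-import checks for a Gateway Settings Importer input file, as an added
example (not Trend Micro's GSImporter.exe): one IPv4 address per line, an
optional MAC address after a comma, at most 4096 entries."""
import ipaddress
import re
from typing import List, Optional, Tuple

MAX_ENTRIES = 4096                                     # limit stated in step 1
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)

# The three example lines from step 1 of the procedure.
SAMPLE_FILE = """\
10.1.111.222,00:17:31:06:e6:e7
10.1.111.223
10.1.111.224,00:17:31:06:e6:e7
"""

Entry = Tuple[str, Optional[str]]


def parse_gateway_file(text: str) -> Tuple[List[Entry], List[str]]:
    """Return (entries, errors).  Entries are (ip, mac-or-None) in file
    order; errors name the line number and the reason so the file can be
    fixed before it is imported and pushed to every client."""
    entries: List[Entry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                                   # tolerate blank lines
        parts = [p.strip() for p in line.split(",")]
        if len(parts) > 2:
            errors.append(f"line {lineno}: more than two fields")
            continue
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))
        except ipaddress.AddressValueError:
            errors.append(f"line {lineno}: {parts[0]!r} is not an IPv4 address")
            continue
        mac = None
        if len(parts) == 2 and parts[1]:
            if not MAC_RE.match(parts[1]):
                errors.append(f"line {lineno}: {parts[1]!r} is not a MAC address")
                continue
            mac = parts[1].lower()                     # normalise for comparison
        entries.append((ip, mac))
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the {MAX_ENTRIES} maximum")
    return entries, errors


def is_importable(text: str) -> bool:
    """True when the file parsed without a single error."""
    return not parse_gateway_file(text)[1]
```

A line that fails a check is skipped rather than aborting the whole parse, so one run reports every problem in the file instead of only the first.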
Although encrypting infected files is a good safety precaution, sometimes you may need to open an infected file. For example, if a virus infects an important document, you may need to retrieve information from the document. You can use the Restore Encrypted Virus tool to decrypt an infected file so that you can open it.
WARNING! Decrypting an infected file can spread the virus to other files. Trend Micro recommends that you isolate the computer on which the infected file resides. Unplug the computer from the network and back up important files on that computer to another location.
To decrypt files in the Suspect folder, open Windows Explorer on the client where you want to decrypt an infected file. Browse to the %ProgramFiles%\TrendMicro\OfficeScan\PCCSRV\Admin\Utility\VSEncrypt folder on the OfficeScan server. Copy the entire VSEncrypt folder to the client computer.
NOTE: Do not copy /VSEncrypt into the OfficeScan folder. The Vsapi32.dll file of Restore Encrypted Virus will conflict with the original Vsapi32.dll.
Open a command prompt and go to the location where you copied the VSEncrypt folder. Run Restore Encrypted Virus using the following parameters:
(no parameter)   Encrypt files in the Suspect folder
-d               Decrypt files in the Suspect folder
-debug           Create debug log and save it in the root folder of the client
/o               Overwrite encrypted or decrypted file if it already exists
/f {filename}    Encrypt or decrypt a single file
/nr              Do not restore original file name
/u               Launch in graphical user interface
For example, you can type VSEncode [-d] [-debug] to decrypt files in the Suspect folder and create a debug log. When you decrypt or encrypt a file, the decrypted or encrypted file is created in the same folder.
NOTE: You may not be able to encrypt or decrypt files that are locked.
To encrypt or decrypt files in other locations, create a text file and then type the full path of the files you want to encrypt or decrypt. For example, if you want to encrypt or decrypt files in C:\MyDocuments\Reports, type C:\MyDocuments\Reports\*.* in the text file. Next, save the text file with an .ini or .txt extension; for example, you could save a file as ForEncryption.ini on the C: drive. At the command prompt, run Restore Encrypted Virus by typing the following command:
VSEncode.exe -d -i <path of the .ini or .txt file>
For example, the path of the .ini or .txt file you created might be C:\ForEncryption.ini. Restore Encrypted Virus provides these logs:
VSEncrypt.log   Contains the encryption or decryption details. This file is created automatically in the root system drive (typically, the C:\ drive).
VSEncDbg.log    Contains debug details and is created automatically in the root system drive if you run VSEncode.exe with the -debug parameter.
To confirm the client now reports to the other server, do the following:
1. On the client computer, right-click the OfficeScan client program icon in the system tray.
2. Select OfficeScan Console.
3. Click Help in the menu and select About.
4. Check the OfficeScan server that the client reports to in the Server name/port field.
NOTE: The function of the Client Mover tool can also be performed using the Move link on the client tree screen (see Chapter 5: OfficeScan Management Console on page 95).
NOTE: If you do not specify a source filename, the destination file will be set to the system time. You can use the wildcard character (*) for the destination file, but not for the source file name.
4. To verify if the time stamp changed, type dir in the command prompt, or check the file's properties from Windows Explorer.
Figure 10.12: The ServerProtect Normal Server Migration Tool
The ServerProtect Normal Server Migration Tool also migrates ServerProtect exception lists to the scan settings of the OCSE.
- ServerProtect Set Scan Option is migrated to the OfficeScan Networked Computers Manual Scan Settings, Real-time Scan Settings, Scheduled Scan Settings, and Scan Now settings.
- ServerProtect Scan Exclusion List: Directories and files is migrated to the OfficeScan
The executable file for this tool and a companion .ini file are installed on the OfficeScan server in {installationpath}\Admin\Utility\SPNSXfr. You cannot run the executable from this directory. To use the tool, copy both SPNSXfr.exe and SPNSX.ini to the {installationpath}\Admin\ directory. After doing so, you can double-click SPNSXfr.exe to launch the tool.
Tip: To access client computers, remember that you must use a local/domain administrator account to migrate from ServerProtect successfully. If you use an account with insufficient privileges, such as "Guest" or "Normal user," you will not be able to perform installation.
Tip: To enable the tool to automatically find the OfficeScan server the next time you open the tool, select Auto find OfficeScan server in the upper left of the interface (selected by default).
To use the ServerProtect Normal Server Migration tool:
1. On the OfficeScan server, open {Installationpath}\PCCSRV\Admin\Utility\SPNSXfr and copy the files SPNSXfr.exe and SPNSX.ini to {Installationpath}\PCCSRV\Admin\
2. Double-click the SPNSXfr.exe file to open the tool. The ServerProtect Normal Server Migration Tool console opens.
3. Select the OfficeScan server. The path of the OfficeScan server appears under OfficeScan server path. If it is incorrect, click Browse and select the PCCSRV folder.
4. To enable the tool to automatically find the OfficeScan server again the next time you open the tool, select the Auto Find Server Path checkbox (selected by default).
5. Select the computers running ServerProtect Normal Server on which to perform the migration by clicking one of the following under Target computer. (For more information, see the Target Computer Search section that follows.)
6. Select to include computers running Windows Server 2003 in the search.
7. Select to restart computers running Windows Server 2003. For the migration to complete successfully on these computers, the computer must restart. Selecting this checkbox ensures that it automatically restarts. If you do not select the Restart after installation checkbox, restart the computer manually after migration.
8. Click Search. The search results appear under ServerProtect Normal Servers.
9. Click the computers on which to perform the migration.
   - To select all computers, click Select All.
   - To deselect all computers, click Unselect All.
   - To export the list to a comma-separated value (CSV) file, click Export to CSV.
10. If logging on to the target computers requires a user name and password, do the following:
   10.1. Select the Use group account/password checkbox.
   10.2. Click Set Logon Account. The Enter Administration Information window appears.
   10.3. Type the user name and password.
   NOTE: Use the local/domain administrator account to log on to the target computer. If you log on with insufficient privileges, such as "Guest" or "Normal user", you will not be able to perform installation.
   10.4. Click OK.
   10.5. Click Ask again if logon is unsuccessful to be able to type the user name and password again during the migration process if you are unable to log on.
11. Click Migrate.
12. If the computer runs Windows Server 2003, restart the computer to complete the migration.
OfficeScan Server. In the field for OfficeScan Server Path, the migration tool needs the path to the Ofcscan.ini file on the server. The Auto Find Server Path checkbox is enabled by default, and in most cases the tool will automatically find the Ofcscan.ini file. If it does not, use the Browse button to direct the tool to this file.
IP Range Search
NOTE: If a DNS server on your network does not respond when searching for clients, the search will hang. Wait for the search to time out.
NOTE: To include Windows 2003 computers in your search, you should enable this option under ServerProtect Normal Server before conducting your searches. This option is not enabled by default.
For the migration to complete successfully on Windows 2003 computers, the computer must reboot. If you do not select the Reboot Windows 2003 after installation checkbox, you must restart the computer manually after migration.
NOTE: The ServerProtect Normal Server Migration Tool does not uninstall the Control Manager agent for ServerProtect. For instructions on how to uninstall the agent, refer to your ServerProtect or Control Manager documentation.
To open th Scheduled Update Config he U guration tool,, find the SUC CTool.exe file on the update e agent and double-click it Scheduled updates are ena d t. u abled by defau You can s ult. select an hourl ly, daily, or we eekly update schedule. If yo select a dailly or weekly u s ou update schedul you can als le, so configure how long the update agent will spend atte h u w empting to de eploy updates to the clients that report to it (up to 24 hou t urs).
Review Questions
1. Which of the following can the Vulnerability Scanner do?
a) Determine if an antivirus solution is installed on a computer
b) Determine whether Windows service packs are up-to-date
c) Determine whether users are browsing high-risk Internet sites
d) Determine whether spyware is on your network
2. What does Trend Micro recommend doing before using the Restore Encrypted Virus tool?
a) Isolating the computer where the infected file resides
b) Unplugging the computer from the network
c) Backing up important files on the computer where the infected file resides
d) All of the above
3. Which of the following does the ServerProtect Normal Server Migration Tool do?
a) Uninstall ServerProtect Information Server and install the OfficeScan client software
b) Migrate ServerProtect Normal Server settings to OfficeScan client settings
c) Uninstall ServerProtect Normal Server and install the OfficeScan client software
d) Uninstall the Control Manager agent for ServerProtect
Figure 11.1: Accessing OfficeScan Logs Using the Web-based Management Console
For client event logs related to security-risk detection, OfficeScan allows you to select target clients or client domains using the client tree, and provides a search tool so that you can find exactly the information you want. OfficeScan logs and log-management utilities allow you to monitor virus events, component update events, system events, and other security-related events from a single console. Log data enables the OfficeScan server to provide summary reports and graphs. OfficeScan client logs are organized in two groups, those related to security-risk detection and response and those related to program maintenance. These logs include:
Security-risk-related Logs
Virus/malware
Spyware/grayware
Firewall
Program Maintenance Logs
Component-update
Connection-verification
Spyware/grayware restore
The virus logs, update logs, system event logs, and verify-connection logs are stored in the {installationpath}\PCCSRV\Log folder. The OfficeScan firewall logs are stored on the OfficeScan clients and are sent to the server only if you configure the OfficeScan global settings to do so, or when you elect to notify the clients to send the logs to the OfficeScan server.
... about virus/malware events
... about startup, shutdown, scan initiations
... about manual, real-time, and scheduled scans, as well
... information about program behavior, system configuration changes, and device access attempts.
Sometimes, the logs may not be transferred to the server successfully. In this case, the client uses a retry mechanism (a back-off algorithm) to attempt to resend the log files. If the retries are not successful, the virus log is stored on the client until the program restarts, and the client then discards the local configuration log and the client-status/event log. If a log entry is not formatted correctly (for example, a power failure corrupts a log-writing process), the client does not resend the data. On the other hand, if the log format is correct but the server fails to write the data to the database, the client resends the information. If the client sends a common gateway interface (CGI) command to the server and receives an error code, the database is corrupt. The client then resends the data the next time a virus is found; the client resends the data in background mode.
must enable the feature under Virus Bandwidth Settings on the Global Client Settings page (see Chapter 5: OfficeScan Management Console on page 95). If you have enabled this setting, the OfficeScan client keeps redundant occurrences of the same virus in a queue, recording the virus name, full file path, and the date and time for each occurrence of the virus in the same log. If the maximum number of occurrences is exceeded within an hour, the first occurrence is deleted from the log. You can set the maximum number in the ofcscan.ini file. The default value is five occurrences, but you can set it to as high as 20.
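An added example, not OfficeScan code, that models the consolidation just described: one queue per virus name that keeps at most five occurrences per hour and deletes the first occurrence when the limit is exceeded. The one-hour window is assumed here to run from the first occurrence still in the queue, and the sample detections are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Added example, not OfficeScan code: a model of the virus-log consolidation
# that Virus Bandwidth Settings enables. Assumption: "within an hour" is read
# as one hour counted from the first occurrence still held in the queue.
WINDOW = timedelta(hours=1)


class VirusLogConsolidator:
    """Holds redundant occurrences of the same virus in one consolidated entry."""

    def __init__(self, max_occurrences=5):
        # The text gives a default of five occurrences and an upper bound of 20.
        if not 1 <= max_occurrences <= 20:
            raise ValueError("max_occurrences must be between 1 and 20")
        self.max_occurrences = max_occurrences
        self._queues = {}        # virus name -> deque of (timestamp, full file path)
        self.completed = []      # consolidated entries whose hour has elapsed

    def record(self, virus_name, file_path, when):
        """Queue one occurrence. Returns the occurrence dropped, if the limit was hit."""
        q = self._queues.setdefault(virus_name, deque())
        if q and when - q[0][0] > WINDOW:
            # The hour is over: the queued entry is complete, start a fresh one.
            self.completed.append(self.entry(virus_name))
            q.clear()
        q.append((when, file_path))
        if len(q) > self.max_occurrences:
            return q.popleft()   # the first (oldest) occurrence is deleted from the log
        return None

    def entry(self, virus_name):
        """The consolidated log entry: name plus every retained occurrence."""
        q = self._queues.get(virus_name, ())
        return {"virus": virus_name,
                "occurrences": [{"time": ts.isoformat(), "path": p} for ts, p in q]}


def demo():
    """Constructed sample: six detections in ten minutes, then one two hours later."""
    c = VirusLogConsolidator()           # default limit of five
    t0 = datetime(2011, 1, 1, 9, 0)
    dropped = [c.record("EICAR_TEST_FILE", "C:\\temp\\eicar%d.com" % i,
                        t0 + timedelta(minutes=2 * i)) for i in range(6)]
    later = c.record("EICAR_TEST_FILE", "C:\\temp\\late.com", t0 + timedelta(hours=2))
    return {"dropped": dropped, "later": later,
            "completed": c.completed, "current": c.entry("EICAR_TEST_FILE")}
```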
The Virus Log page contains this information about the viruses that OfficeScan detects:
Date and time of the scan
Virus name
Name and IP address of client
Infection source
Scan type
If you click the View link for a particular entry, you can view additional information:
Date and time of the scan
Domain
Platform
Infection source
Path of the infected file
Scan result
Clients
Login name
Virus name
Infected file name
Scan type
Deleting Logs g
You can periodically delete your logs to prevent the log files from becoming too large. To delete logs, select Logs > Delete Logs from the menu in the sidebar. The Delete Logs dialog box will appear. You can choose the log types to delete and specify whether you want to delete all logs or only those that are older than a certain number of days.
To view the client update log, select Logs > Networked Computer Logs > Component Update from the management console sidebar. The Client Update Logs page appears.
The Client Update Logs page shows the time and day of the update and the components that were updated. By clicking the View link in the Progress column, you can view how long the update event took and how many clients were updated in 15-minute increments.
NOTE The information on the Client Update Progress screen is extremely useful when trying to set optimal settings using the Server Tuner tool (see Chapter 10: OfficeScan Tools on page 307).
From the Client Update Logs page, you can also click the View link under the Detail column to view the following information:
Computer name
Date and time the update was completed
Notifications sent or received
Update source
server is running smoothly and that the services necessary for OfficeScan to work on your network are running (see the figure below).
To view the system event logs, click Logs > System Event Logs in the navigation column of the management console sidebar.
firewall notifies the server hourly of its log count and sends a log summary. This allows you to manage bandwidth and server resources. You can manually force an upload at any time.
To ensure that you are notified immediately if a critical security event occurs, such as a hacker that tries to bypass the OfficeScan firewall, you use the Firewall Outbreak Monitor. You configure a threshold for security events, and OfficeScan notifies you if that threshold is exceeded. (For more information about Firewall Outbreak Monitor, see Chapter 9: OfficeScan Firewall on page 287.)
To manually upload log information from clients, select Logs > Security Risks > View Logs > Firewall Logs > Client Notification in the management console sidebar. Select the clients that you want to upload OfficeScan firewall logs to the OfficeScan server and click Notify Clients. It may take a few minutes to send the logs.
After the transmission is completed, click Display Logs in the Firewall Log Criteria window to view the uploaded log data.
If you want to view updates to the OfficeScan firewall logs, you must once again notify the appropriate clients to upload these logs.
Target, which is the process that was accessed
Policy name of the event monitoring rule
To view behavior monitoring logs:
1. Click Logs > Networked Computer Logs > Security Risks > View Logs > Behavior Monitoring Logs or Networked Computers > Client Management > Logs > Behavior Monitoring Logs.
2. Specify log criteria and click Display Logs.
3. View logs.
To configure the Behavior Monitoring log sending schedule:
1. Navigate the local filesystem to: <Server installation folder>\PCCSRV.
2. Open the ofcscan.ini file using a text editor such as Notepad.
2.1. Search for the string SendBMLogPeriod and then check the value next to it. The default value is 3600 seconds and the string appears as SendBMLogPeriod=3600.
2.2. Specify the value in seconds. For example, to change the log period to 2 hours, change the value to 7200.
2.3. Save the file.
3. In the management console, click Networked Computers > Global Client Settings.
3.1. Click Save without changing any settings.
4. Restart the client.
2. Specify log criteria and click Display Logs.
3. View logs containing this information:
Date/Time unauthorized access was detected
Computer where external device is connected or where network resource is mapped
Device type or network resource accessed
Target, which is the item on the device or network resource that was accessed
Accessed by, which specifies where access was initiated
Permissions set for the target
Review Questions
1. What is the maximum number of virus logs the server can store?
a) 1,000
b) 5,000
c) 10,000
d) 50,000
2. What is the default number of logs held in the memory queue if you enable the consolidation of virus logs under Virus Bandwidth Settings?
a) 5
b) 10
c) 15
d) 20
3. What type of file can you export logs to?
a) A .txt file
b) A .sql file
c) A .gif file
d) A .csv file
ActiveUpdate, Damage Cleanup Service (DCS), and Vulnerability Assessment
To correct this error, use an account that has Domain Administrator privileges.
Windows XP/Vista/7/2003 Computers Are Not Displayed in the Remote Install Page
Some Windows NT computers might not appear in the Remote Install page, even if they are online. These computers and the server must be on the same subnet and File and Print Sharing must be enabled in the Network Connection properties. Adjust the settings of the client to meet these requirements and retry performing Windows NT Remote Install.
If you do not find all or some of these files, copy them from Output\_wgroup\Download in the setup directory. Then restart the OfficeScan master service.
On the client, check if the OfficeScan roaming client icon appears in the system tray. If it does, this means that the client has switched to roaming mode.
If you have limited bandwidth, check if it causes timeouts between the server and the client.
If you have a proxy server in between clients and the server, make sure your settings are correct.
Open a web browser on the client, type http://<Servername>/OfficeScan/cgi/cgionstart.exe in the address text box and press ENTER. If the next page shows -2, this means the client can communicate with the server. This also indicates that the problem might be in the server database; it might not have a record on the client.
Check if the user modified files or registry values but forgot to restart the OfficeScan NT Listener service on the client for Windows XP/Vista/7. If users do not have the privilege to unload OfficeScan, they need to restart the computer to restart the main program.
Check if the client has two or more Network Interface Cards (NICs). If a client has two NICs, it will also have two IP addresses. The server might not be able to communicate with the client because it does not know which IP address to use. You might be able to install the client, but might not be able to update it.
Check if the {installation path}\PCCSRV folder on the server is shared and if all users have been granted appropriate privileges. After the installation of OfficeScan, the following privileges will be given to each user.
Directory: PCCSRV
User            Privileges
Administrator   Full Control
All Users       Read, Execute
User            N/A
System          Full Control
If you are using a proxy server for client-server communication, check if the proxy
NOTE If this does not help you find the real cause of the issue, gather the Ofcdebug.log from both the server and the client.
Update Failed
If a pattern file merge failure appears in the ActiveUpdate debug log, choose either of the following steps to solve the problem:
Remove v_aaa.bbb in {installation path}\PCCSRV\download\pattern (where, aaa =
If there are any problems when updating new modules from the ActiveUpdate server, check the debug logs, which are located at:
{installationpath}\PCCSRV\aubin\patch.ini
{installationpath}\PCCSRV\aubin\patchdmp.txt
{installationpath}\PCCSRV\aubin\patchdll.ini
{installationpath}\PCCSRV\web\cgi\temp\tmudump.txt
pattern update.) These files will be created automatically when you update through the ActiveUpdate server. You also need to turn on the server debug log. If the clients did not update from the server, turn on the server debug log. Then, update the clients using the console. Next, see if the clients are listed in the update queue. (To view the update queue, click Updates in the sidebar of the OfficeScan management console.) If the clients are not queued, it may be because they do not have a connection to the server. The server will notify the clients about the new update when the connection is restored.
3. Execute the following command in a command prompt. This will reset privileges for the directories you specified during the installation process.
svrsvcsetup -setprivilege
If you are using Apache, check your product documentation to determine how to add a web share \PCCSRV\web with alias /officescan.
Turns product and specific module debug status on and off according to problem category
Monitors specific process status information, such as CPU load and memory usage
Retrieves problem-related files and compresses them into a password-protected ZIP file (password is trend)
As of the release of this document, CDT supports the following Windows platforms:
Windows 98 Second Edition
Windows 2000 Professional/Server Edition
Windows XP Professional Edition
Windows 2003 Server Edition
NOTE At the time of this document release, Windows Vista is not supported by CDT.
Select I accept the terms of this license agreement and click Start. The CDT will detect existing Trend Micro products on the current computer. Once complete, you will be shown all Trend Micro products found on the computer.
Select the product for which you would like to gather debug information. Next, click the View Events link on the right side of the window. This will display all possible events for which CDT can gather information.
There are numerous events that can be gathered for both the OfficeScan Server and Client:
OfficeScan Server
Basic product information
ActiveUpdate (Server pattern, engine and program download failed)
ActiveUpdate (Server pattern, engine and program deployment to clients failed)
Master setup failed
System has triggered Dr. Watson windows
Problem related to management console
Communication error (server and client)
Database issues
Performance issues
Spyware cleanup issues
IIS/Apache log collection
Table 12.1: CDT Data for OfficeScan Server and OfficeScan Client
Select the specific events you would like to include in your diagnostic information, or click the All Events checkbox, and click Next.
In Step 2 of the process, debug mode is enabled for the selected modules. When you click the Start Debug Mode button, CDT will automatically enable debug for the modules you selected on the previous page. This will cause a number of DOS windows to appear while each component's debug is enabled. You will also see text which says Debug mode is changing.
NOTE Click Skip to go to the Generate Diagnostic Data screen, Figure 12.5, if you do not want to reproduce the problem at this time, or if you have already turned the debug mode on, reproduced the problem, and turned the debug mode off.
Once debug mode is enabled, change to the product console or dialog and try to reproduce the problem. After reproducing the problem, click Stop Debug Mode. This restores the product and modules' original debug settings and allows you to proceed to the next step by clicking Next.
Step 3 of the process allows you to specify where the diagnostic information should be saved for analysis.
Select the folder where the information should be saved and which log files to collect. Also, you must provide a detailed explanation of the issue you experienced. This description will be included with all debug information when sent to Trend Micro Technical Support. Click Next to have CDT begin generating the diagnostic data.
When CDT has finished generating the data, it will compress and save the file in the location specified, and display the Diagnosis completed message on the Generate diagnostic data page. The text field displays the path name of the compressed diagnostic data file (ZIP format). Click Open Folder to open the folder where the ZIP file is located, or click Finish to exit CDT.
Once all diagnostic data has been gathered, contact your local Trend Micro Technical Support representative to begin the analysis of your data.
Select the Enable debug log checkbox and select Debug from the Debug Level pull-down menu. Although you can choose five levels, there are only three levels of debug information:
Debug: This level includes the most detailed information.
Error, Warning, Information: Tracing and checkpoints are filtered out from the log. Tracing and checkpoints are detailed steps or procedures that the module performs.
Fatal: Only fatal errors are recorded in the log.
The default setting for the Debug Level is Debug. Please always choose Debug unless another level is specified by a Trend Micro Support Engineer.
You can also configure the name and location of the debug file. The default name is ofcdebug.log, which is created in the {installationpath}\PCCSRV\Private\LogServer folder.
After configuring the options for debug mode, click Save. OfficeScan creates the ofcdebug.ini file in the above folder. This file actually launches the debug process.
After you enable the debug mode, recreate the problem you encountered and make a copy of the debug log. Then, reopen the Debug Log Setting page, uncheck the Enable debug log checkbox and click Save. OfficeScan deletes the ofcdebug.ini file.
You can also use a text editor to manually create the ofcdebug.ini file in the {installation path}\PCCSRV\Private\LogServer folder. You must include the first three following entries; the last three entries are optional:
[Debug]
debuglevel=9
debuglog={installationpath}\PCCSRV\Private\ofcdebug.log
debugLevel_new=D
debugSplitSize=10485760
debugSplitPeriod=12
debugRemoveAfterSplit=1
Execute LogServer.exe in the {installationpath}\PCCSRV\Private\LogServer folder. Recreate the problem and save the debug log. Stop LogServer.exe and delete ofcdebug.ini.
1. Use a text editor to manually create the ofcdebug.ini file in the C:\ folder. You must include the first three following entries; the last three entries are optional:
[Debug]
debuglevel=9
debugLog=C:\ofcdebug.log
debugLevel_new=D
debugSplitSize=10485760
debugSplitPeriod=12
debugRemoveAfterSplit=1
2. Restart the OfficeScan client, which will automatically create Logserver.exe on the C drive.
3. Recreate the problem you had and save the debug log.
To stop debugging:
1. Delete the ofcdebug.ini file.
2. Restart the computer. This will stop debugging and remove Logserver.exe from the C drive.
WARNING! Make sure to stop debugging after the problem has been recreated. Otherwise, the client will continuously create debug logs even after the client is restarted.
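An added example, not OfficeScan code, covering both the SendBMLogPeriod edit in ofcscan.ini described earlier in this chapter and the hand-written ofcdebug.ini above: a line-preserving INI key rewrite with a value check, and a small parser that reports which of the three required [Debug] entries are missing. The ofcscan.ini sample and its section name are constructed, since the text does not say which section holds the key.

```python
import re

# Added example, not OfficeScan code. Two edits from the text: change
# SendBMLogPeriod in ofcscan.ini without touching other lines, and check a
# hand-written ofcdebug.ini for the three required [Debug] entries.

# Constructed sample of ofcscan.ini; the section name is a placeholder because
# the text does not say which section holds SendBMLogPeriod.
OFCSCAN_SAMPLE = (
    "[Constructed_Section]\n"
    "SomeOtherKey=1\n"
    "SendBMLogPeriod=3600\n"
    "AnotherKey=abc\n"
)


def set_ini_key(text, key, value):
    """Replace the value of `key` (case-insensitive, first match) in INI text.

    Every other byte of the file is kept as-is, which matters for a product
    INI that the vendor's own tools rewrite. Raises KeyError if the key is
    absent instead of guessing which section it belongs in.
    """
    pattern = re.compile(
        r"^([ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*)([^\r\n]*?)([ \t]*)$",
        re.IGNORECASE | re.MULTILINE)
    match = pattern.search(text)
    if match is None:
        raise KeyError(key)
    old_value = match.group(2)
    new_text = text[:match.start(2)] + str(value) + text[match.end(2):]
    return new_text, old_value


def set_send_bm_log_period(text, seconds):
    """SendBMLogPeriod is a period in seconds (default 3600); reject nonsense values."""
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("SendBMLogPeriod must be a positive number of seconds")
    return set_ini_key(text, "SendBMLogPeriod", seconds)


# The first three entries the text lists for ofcdebug.ini are mandatory.
REQUIRED_DEBUG_KEYS = ("debuglevel", "debuglog", "debuglevel_new")


def parse_ini(text):
    """Minimal INI reader: {section: {lowercased key: value}}.

    Tolerates duplicate keys (last wins), ';' or '#' comments and Windows
    paths containing '%', which configparser's defaults would reject.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def missing_debug_keys(text):
    """Return the required ofcdebug.ini entries that are absent from [Debug]."""
    debug = parse_ini(text).get("debug", {})
    return [k for k in REQUIRED_DEBUG_KEYS if k not in debug]


# The client-side ofcdebug.ini exactly as the text gives it.
OFCDEBUG_FULL = (
    "[Debug]\n"
    "debuglevel=9\n"
    "debugLog=C:\\ofcdebug.log\n"
    "debugLevel_new=D\n"
    "debugSplitSize=10485760\n"
    "debugSplitPeriod=12\n"
    "debugRemoveAfterSplit=1\n"
)
```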
NOTE Level 45 debug information is generated by Trend Micro support staff. The TSCDebug.log is created in the C:\Program Files\Trend Micro\OfficeScan\Client\debug folder.
4. Save and close the file.
5. Replicate the issue you encountered.
6. Send the C:\CMAgent_debug.log to Trend Micro Technical Support.
NOTE To disable debug mode, open the product.ini file, then remove the lines you added in step 3.
[Flowchart: OfficeScan server update troubleshooting. The decision steps recovered from the diagram, in order:]
If there is no ofcservice.exe, proceed to A.
Is the update working? If yes, the problem is solved. If no:
1. Start the WWW service, the Default Website and OfficeScan Master. Is the update working? If no:
2. Perform the update via the MC. Ensure that the MC has the correct entries for the Internet Proxy. If there are no entries, define the proxy server and account that will be used at the Internet Proxy page of the OSCE MC. Perform the update via the MC. Is the update working? If no:
3. Check for the entry in ofcscan.ini. Ensure the Master_Pattern_URL and Master_Program_URL entries have the value http://officescan-t.activeupdate.trendmicro.com/activeupdate/server.ini. Perform the update via the MC. Is the update working? If no:
4. For HTTP based: PCCSRV/Web/cgi/temp folder (manual update), PCCSRV/Web/service/temp folder (auto update). For file based: PCCSRV/Admin/temp folder (manual update). Delete all items below the Temp folder except the tmudump.txt log. If there is a proxy server, delete the cached items on the proxy server. Is the update working? If yes, the problem is solved.
[Flowchart: Real-time Scan performance troubleshooting. The decision steps recovered from the diagram:]
Manage OfficeScan Realtime Scan settings: disable Compressed File Scan or set it to "1"; set it to scan only specific extensions; exclude database directories; disable Realtime Scan during backup activity.
Problem resolved? If yes, the problem is solved. If no: disable "realtime" scan to isolate the source, to see if the product or scan engine causes the problem.
To speed the resolution of a problem, provide the Trend Micro support staff with:
Product activation code
Version numbers of the program, scan engine, and pattern file
Operating system and version
Type of Internet connection
Exact text of the error message, if any
Steps to reproduce the problem
USA/Canada
NOTE OfficeScan out-of-the-box has a Device Control feature that regulates access to commonly used devices such as USB storage devices. Device Control that is part of the Data Protection module expands the range of monitored devices.
Digital Asset Control and Device Control are native OfficeScan features but are licensed separately. After you install the OfficeScan server, these features are available but are not functional and cannot be deployed to clients. Installing Data Protection means downloading a file from the ActiveUpdate server or a custom update source, if one has been set up. When the file has been incorporated into the OfficeScan server, you can activate the Data Protection license to enable the full functionality of its features. Installation and activation are performed from Plug-in Manager.
Important: You do not need to install the Data Protection module if the Trend Micro Data Loss Prevention software is already installed and running on endpoints.
Important: The Data Protection module can be installed on a pure IPv6 Plug-in Manager. However, only the Device Control feature can be deployed to pure IPv6 clients. Digital Asset Control does not work on pure IPv6 clients.
1. Open the OfficeScan web console and click Plug-in Manager in the main menu.
2. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Download. The size of the file to be downloaded displays beside the Download button. Plug-in Manager stores the downloaded file to <Server installation folder>\PCCSRV\Download\Product.
NOTE If Plug-in Manager is unable to download the file, it automatically re-downloads after 24 hours. To manually trigger Plug-in Manager to download the file, restart the OfficeScan Plug-in Manager service from the Microsoft Management Console.
3. Monitor the download progress. You can navigate away from the screen during the download. If you encounter problems downloading the file, check the server update logs on the OfficeScan web console. On the main menu, click Logs > Server Update Logs. After Plug-in Manager downloads the file, OfficeScan Data Protection displays in a new screen.
4. To install OfficeScan Data Protection immediately, click Install Now.
4.1. To install at a later time:
4.1.1. Click Install Later.
4.1.2. Open the Plug-in Manager screen.
4.1.3. Go to the OfficeScan Data Protection section and click Install.
5. Read the license agreement and accept the terms by clicking Agree. The installation starts.
6. Monitor the installation progress. After the installation, the OfficeScan Data Protection version displays.
Figure B.1: Plug-in Manager > OfficeScan Data Protection Screen
1. Open the OfficeScan web console and click Plug-in Manager in the main menu.
2. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Manage Program.
3. Click View License Information.
4. View license details in the screen that opens. The Data Protection License Details section provides the following information:
Status: Displays either "Activated", "Not Activated" or "Expired".
Version: Displays either "Full" or "Evaluation" version. If you have both full and
displays. For example, if the license expiration dates are 12/31/2011 and 06/30/2011, 12/31/2011 displays.
Seats: Displays how many OfficeScan clients can install the Data Protection module.
Activation code: Displays the Activation Code.
Reminders about an expiring license
The full version license enters a grace period after it expires.
NOTE The duration of the grace period varies by region. Please verify the grace period with your Trend Micro representative.
If you have an evaluation version license, a reminder displays when the license expires. There is no grace period for an evaluation version license. If you do not renew the license, Digital Asset Control and Device Control still work but you will no longer be eligible for technical support.
1. Click View detailed license online to view information about your license on the Trend Micro website.
2. To update the screen with the latest license information, click Update Information.
Important: Only Device Control can be deployed to pure IPv6 clients. Digital Asset Control does not work on pure IPv6 clients.
Online clients will install the Data Protection module immediately. Offline and roaming clients install the module when they become online. If the Trend Micro Data Loss Prevention software already exists on the endpoint, OfficeScan will not replace it with the Data Protection module. In order to finish installing the Digital Asset Control driver, users must restart their computers.
Tip Trend Micro recommends enabling debug logging to help you troubleshoot deployment issues.
compliance regulations
Lead to lost business opportunities and revenue when intellectual property is stolen
With the prevalence and damaging effects of data breaches, organizations now see digital asset protection as a critical component of their security infrastructure. Digital Asset Control safeguards an organization's digital assets against accidental or deliberate leakage. Digital Asset Control allows you to:
Identify the digital assets to protect
Create policies that limit or prevent the transmission of digital assets through common
Policy Configuration
Define Digital Asset Control policies by configuring the following items:
ITEM DESCRIPTION
Template: A digital asset template combines digital asset definitions and logical operators (And, Or, Except) to form condition statements. Only files or data that satisfy a certain condition statement will be subject to a Digital Asset Control policy. OfficeScan comes with a set of predefined templates and allows users to create customized templates. A Digital Asset Control policy can contain one or several templates. If a file or data matches the definition on more than one template, the higher priority template applies.
Channels: Channels are entities that transmit digital assets.
Actions: OfficeScan performs one or several actions when it detects an attempt to transmit digital assets through any of the channels.
Exceptions: An exception overrides the action configured for a policy. For example, a policy may block the transmission of digital assets through email, except those that are transmitted to the organization's email domains.
Execution
Expressions
An expression is data that has a certain structure. For example, credit card numbers typically have 16 digits and appear in the format "nnnn-nnnn-nnnn-nnnn", making them suitable for expression-based detections.
You can use predefined and customized expressions. For details, please refer to the Administration Guide, which contains full descriptions of the predefined expressions.
TO VIEW SETTINGS FOR PREDEFINED EXPRESSIONS:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Click the expression name.
3. View settings in the screen that opens.
expression must satisfy your chosen criteria before OfficeScan subjects it to a Digital Asset Control policy. Choose one of the following criteria for each expression:
Criteria: None
Rule: None
Example: American people's names
Expression: [^\w]([A-Z][a-z]{1,12}(\s?,\s?|[\s] |\s([A]

Criteria: Specific characters
Rule: An expression must include the characters you have specified. In addition, the number of characters in the expression must be within the minimum and maximum limits.
Example: ABA routing number
Expression:

Criteria: Suffix
Rule: Suffix refers to the last segment of an expression. A suffix must include the characters you have specified and contain a certain number of characters. In addition, the number of characters in the expression must be within the minimum and maximum limits.
Example: Home address, with zip code as the suffix
Expression:
Suffix characters: 0123456789
Number of characters: 5
Minimum characters in the expression: 25
Maximum characters in the expression: 80

Criteria: Single-character separator
Rule: An expression must have two segments separated by a character. The character must be 1 byte in length. In addition, the number of characters left of the separator must be within the minimum and maximum limits. The number of characters right of the separator must not exceed the maximum limit.
Example: Email address
Expression: [^\w.]([\w\.]{1,20}@[a-z0-9]{2,20}[\.][a-z]{2,5}[a-z\.]{0,10})[^\w.]
Separator: @
Minimum characters to the left: 3
Maximum characters to the left: 15
Maximum characters to the right: 30
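The criteria in the table are applied on top of the regular expression: a match that the expression finds is only treated as a digital asset if it also passes the chosen criterion. The following is an added illustration in Python (not OfficeScan code) of the Suffix and Single-character separator criteria, using the email expression and settings from the table; the home-address expression is constructed here because the table gives only its suffix settings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Protocol

# Added example (not OfficeScan code): an expression is a regular expression
# plus an optional criterion that every regex match must also satisfy.


class Criteria(Protocol):
    def check(self, candidate: str) -> bool: ...


@dataclass(frozen=True)
class SingleCharacterSeparator:
    """Two segments around a 1-byte separator. The left segment length is
    bounded on both sides, the right segment only from above."""
    separator: str
    min_left: int
    max_left: int
    max_right: int

    def check(self, candidate: str) -> bool:
        if len(self.separator.encode("utf-8")) != 1:
            raise ValueError("separator must be exactly 1 byte long")
        if candidate.count(self.separator) != 1:
            return False
        left, right = candidate.split(self.separator)
        return (self.min_left <= len(left) <= self.max_left
                and len(right) <= self.max_right)


@dataclass(frozen=True)
class Suffix:
    """The last suffix_length characters must all come from suffix_characters
    (this example's reading of "must include the characters you have
    specified") and the whole match must be min_total..max_total long."""
    suffix_characters: str
    suffix_length: int
    min_total: int
    max_total: int

    def check(self, candidate: str) -> bool:
        if not self.min_total <= len(candidate) <= self.max_total:
            return False
        suffix = candidate[-self.suffix_length:]
        return (len(suffix) == self.suffix_length
                and all(ch in self.suffix_characters for ch in suffix))


def find_assets(pattern: str, criteria: Optional[Criteria], data: str,
                case_sensitive: bool = False) -> List[str]:
    """Return the regex matches in data that also satisfy the criteria.

    The table's patterns require a non-word character on either side of the
    value, so the data is padded with a space before scanning. Group 1 is the
    value when the pattern has a capture group, otherwise the whole match.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = []
    for match in re.finditer(pattern, " " + data + " ", flags):
        candidate = match.group(1) if match.groups() else match.group(0)
        if criteria is None or criteria.check(candidate):
            hits.append(candidate)
    return hits


# Email address expression and separator settings exactly as in the table.
EMAIL_PATTERN = r"[^\w.]([\w\.]{1,20}@[a-z0-9]{2,20}[\.][a-z]{2,5}[a-z\.]{0,10})[^\w.]"
EMAIL_CRITERIA = SingleCharacterSeparator(separator="@", min_left=3,
                                          max_left=15, max_right=30)

# Constructed (hypothetical) home-address pattern; the table gives only the
# suffix settings for this example, not the expression itself.
ADDRESS_PATTERN = r"\b(\d{1,5} [A-Za-z]+(?: [A-Za-z]+)*, [A-Za-z ]+, [A-Z]{2} \d{5})\b"
ZIP_SUFFIX = Suffix(suffix_characters="0123456789", suffix_length=5,
                    min_total=25, max_total=80)
```

Note that the regex alone would accept "ab@example.com"; it is the separator criterion (minimum 3 characters to the left) that rejects it.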
TO ADD AN EXPRESSION:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Click Add. A new screen displays.
3. Type a name for the expression. The name must not exceed 100 bytes in length and cannot contain the following characters:
> < * ^ | & ? \ /
4. Type a description that does not exceed 256 bytes in length.
5. Type the expression and specify whether it is case-sensitive.
6. Type the displayed data. For example, if you are creating an expression for ID numbers, type a sample ID number. This data is used for reference purposes only and will not appear elsewhere in the product.
7. Choose one of the following criteria and configure additional settings for the chosen criteria:
None Specific characters Suffix Single-character separator
8. Test the expression against actual data. For example, if the expression is for a national ID, type a valid ID number in the Test data text box, click Test, and then check the results.
9. Click Save if you are satisfied with the results. The screen closes.
10. Back in the Digital Asset Definitions screen, click Assign to Clients.
1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Select a customized expression and then click Copy. A new screen appears.
3. Type a unique name for the expression. The name must not exceed 100 bytes in length and cannot contain the following characters:
<*^|&?\/
4. Accept or modify the other settings.
5. Click Save. The screen closes.
6. Back in the Digital Asset Definitions screen, click Assign to Clients.
TO ADD EXPRESSIONS USING THE "IMPORT" OPTION:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions.
2. Click Import and then locate the .dat file containing the expressions.
3. Click Open. A message appears, informing you if the import was successful. If an expression to be imported already exists in the list, it will be skipped.
4. Click Assign to Clients.
TO MODIFY AN EXPRESSION:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions. 2. Click the name of the expression that you want to modify. A new screen appears. 3. Modify the settings. 4. Click Save. The screen closes. 5. Back in the Digital Asset Definitions screen, click Assign to Clients.
TO EXPORT EXPRESSIONS:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions. 2. Click Export. 3. Save the resulting .dat file to your preferred location.
TO DELETE EXPRESSIONS:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Expressions. 2. Select the expressions that you want to delete and click Delete. 3. Click Assign to Clients.
1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes. 2. Click Add. A new screen displays. 3. Type a name for the file attribute list. The name must not exceed 100 bytes in length and cannot contain the following characters:
<*^|&?\/
4. Type a description that does not exceed 256 bytes in length.
5. Choose a file type scope.
Selected file types: The file types that you will select in the next step are digital assets.
Non-selected file types: The file types that you will not select in the next step are digital assets.
6. Depending on the option you chose in the previous step, you can select file types or leave file types unselected.
7. If a file type you want to include is not listed, you can type the file type's extension under Others. Separate file extensions by semicolons. You can add the wildcard character (*) before the file extension. For example, typing *.fm adds the extensions .fm, .fme, .fml, and .fmp to the list.
8. Type the minimum and maximum file sizes in bytes. Both file sizes must be whole numbers larger than zero.
9. Click Save. The screen closes.
10. Back in the Digital Asset Definitions screen, click Assign to Clients.
1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes.
2. Select the name of a file attribute list and then click Copy. A new screen appears.
3. Type a unique name for the file attribute list. The name must not exceed 100 bytes in length and cannot contain the following characters:
<*^|&?\/
4. Accept or modify the other settings. 5. Click Save. The screen closes. 6. Back in the Digital Asset Definitions screen, click Assign to Clients.
TO ADD FILE ATTRIBUTE LISTS USING THE "IMPORT" OPTION:
1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes. 2. Click Import and then locate the .dat file containing the file attribute lists. 3. Click Open. A message appears, informing you if the import was successful. If a file attribute list to be imported already exists, it will be skipped. 4. Click Assign to Clients.
TO MODIFY A FILE ATTRIBUTE LIST:
1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes. 2. Click the name of the file attribute list that you want to modify. A new screen appears. 3. Modify the settings. 4. Click Save. The screen closes. 5. Back in the Digital Asset Definitions screen, click Assign to Clients.
TO EXPORT FILE ATTRIBUTE LISTS:
1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes. 2. Click Export. 3. Save the resulting .dat file to your preferred location.
TO DELETE FILE ATTRIBUTE LISTS:
1. On the dropdown box on top of the Digital Asset Definitions screen, select File Attributes. 2. Select the file attribute lists that you want to delete and click Delete. 3. Click Assign to Clients.
B.3.5 Keywords
Keywords are special words or phrases. You can add related keywords to a keyword list to identify specific types of data. For example, "prognosis", "blood type", "vaccination", and "physician" are keywords that may appear in a medical certificate. If you want to prevent the transmission of medical certificate files, you can use these keywords in a Digital Asset Control policy and then configure OfficeScan to block files containing these keywords.
Commonly used words can be combined to form meaningful keywords. For example, "end", "read", "if" and "at" can be combined to form keywords found in source codes, such as "END-IF", "END-READ", and "AT END". You can use predefined and customized keyword lists.
NOTE: For the full list of Predefined Keyword Lists, please refer to the OfficeScan
1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Click the keyword list name.
3. View settings in the screen that opens.
4. To export keywords:
Click Export.
Save the resulting .csv file to your preferred location.
CRITERIA: Any keyword
RULE: A file must contain at least one keyword in the keyword list.

CRITERIA: All keywords
RULE: A file must contain all the keywords in the keyword list.

CRITERIA: All keywords within <x> characters
RULE: A file must contain all the keywords in the keyword list. In addition, each keyword pair must be within <x> characters of each other. For example, your 3 keywords are ABCDE, FGHIJ, and WXYZ and the number of characters you specified is 20. If OfficeScan detects all keywords in the order FGHIJ, ABCDE, and WXYZ, the number of characters from F to A and from A to W must be 20 characters at most.
The following data matches the criteria:
FGHIJ####ABCDE############WXYZ
The following data does not match the criteria:
FGHIJ*******************ABCDE****WXYZ
When deciding on the number of characters, remember that a small number, such as 10, will usually result in faster scanning time but will only cover a relatively small area. This may reduce the likelihood of detecting sensitive data, especially in large files. As the number increases, the area covered also increases but scanning time might be slower.

CRITERIA: Combined score for keywords exceeds threshold
RULE: A file must contain one or more keywords in the keyword list. If only one keyword was detected, its score must be larger than the threshold. If there are several keywords, their combined score must be larger than the threshold. Assign each keyword a score of 1 to 10. A highly confidential word or phrase, such as "salary increase" for the Human Resources department, should have a relatively high score. Words or phrases that, by themselves, do not carry much weight can have lower scores. Consider the scores that you assigned to the keywords when configuring the threshold. For example, if you have five keywords and three of those keywords are high priority, the threshold can be equal to or lower than the combined score of the three high priority keywords. This means that the detection of these three keywords is enough to treat the file as sensitive.
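The four keyword-list criteria are easiest to see as matching functions run over the data. The Python below is an added illustration (not OfficeScan code) that evaluates each criterion, using the ABCDE/FGHIJ/WXYZ proximity data from the table and a constructed Human Resources keyword list with scores.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Added example (not OfficeScan code): a small matcher that applies the four
# keyword-list criteria described above to a piece of data.


@dataclass(frozen=True)
class Keyword:
    text: str
    score: int = 1               # 1-10; only used by the combined-score criterion
    case_sensitive: bool = False


def first_position(keyword: Keyword, data: str) -> int:
    """Index of the first occurrence of the keyword in data, or -1 if absent."""
    flags = 0 if keyword.case_sensitive else re.IGNORECASE
    match = re.search(re.escape(keyword.text), data, flags)
    return match.start() if match else -1


def any_keyword(keywords: Iterable[Keyword], data: str) -> bool:
    """Criterion 'Any keyword': at least one keyword is present."""
    return any(first_position(k, data) >= 0 for k in keywords)


def all_keywords(keywords: Iterable[Keyword], data: str) -> bool:
    """Criterion 'All keywords': every keyword is present."""
    return all(first_position(k, data) >= 0 for k in keywords)


def all_keywords_within(keywords: Iterable[Keyword], data: str, max_chars: int) -> bool:
    """Criterion 'All keywords within <x> characters'.

    Every keyword must be present and, taking the keywords in the order they
    appear in the data, each one must start at most max_chars after the
    previous one (the "F to A" and "A to W" distances in the example above).
    """
    positions = [first_position(k, data) for k in keywords]
    if any(p < 0 for p in positions):
        return False
    positions.sort()
    return all(later - earlier <= max_chars
               for earlier, later in zip(positions, positions[1:]))


def combined_score(keywords: Iterable[Keyword], data: str) -> int:
    """Sum of the scores of the keywords that occur in data."""
    return sum(k.score for k in keywords if first_position(k, data) >= 0)


def score_exceeds_threshold(keywords: Iterable[Keyword], data: str, threshold: int) -> bool:
    """Criterion 'Combined score for keywords exceeds threshold':
    the score must be larger than the threshold, not equal to it."""
    return combined_score(keywords, data) > threshold


# Keyword list from the proximity example in the table above.
PROXIMITY_LIST = [Keyword("ABCDE"), Keyword("FGHIJ"), Keyword("WXYZ")]

# Constructed Human Resources list: three high-priority keywords (8, 7, 6)
# and two low-weight ones; a threshold of 15 means the two highest together
# are not yet enough, but the three high-priority keywords are.
HR_LIST = [
    Keyword("salary increase", score=8),
    Keyword("termination", score=7),
    Keyword("performance review", score=6),
    Keyword("meeting", score=1),
    Keyword("schedule", score=1),
]
HR_THRESHOLD = 15
```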
1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords. 2. Click Add. A new screen displays. 3. Type a name for the keyword list. The name must not exceed 100 bytes in length and cannot contain the following characters:
<*^|&?\/
5. Choose one of the following criteria and configure additional settings for the chosen criteria:
Any keyword All keywords All keywords within <x> characters Combined score for keywords exceeds threshold
6. To manually add keywords to the list:
6.1. Type a keyword that is 3 to 40 bytes in length and specify whether it is case-sensitive.
6.2. Click Add.
7. To add keywords using the "import" option:
7.1. Click Import and then locate the .csv file containing the keywords.
7.2. Click Open. A message appears, informing you if the import was successful. If a keyword to be imported already exists in the list, it will be skipped.
8. To delete keywords, select the keywords and click Delete.
9. To export keywords:
9.1. Click Export.
9.2. Save the resulting .csv file to your preferred location.
NOTE: Use the "export" feature to back up the keywords or to import them to another OfficeScan server. All keywords in the keyword list will be exported. It is not possible to export individual keywords.
10. Click Save. The screen closes. 11. Back in the Digital Asset Definitions screen, click Assign to Clients.
1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Select the name of a customized keyword list and then click Copy. A new screen appears.
3. Type a unique name for the keyword list. The name must not exceed 100 bytes in length and cannot contain the following characters:
<*^|&?\/
4. Accept or modify the other settings.
5. Click Save. The screen closes.
6. Back in the Digital Asset Definitions screen, click Assign to Clients.
TO ADD KEYWORD LISTS USING THE "IMPORT" OPTION:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Click Import and then locate the .dat file containing the keyword lists.
3. Click Open. A message appears, informing you if the import was successful. If a keyword list to be imported already exists, it will be skipped.
4. Click Assign to Clients.
TO MODIFY A KEYWORD LIST:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Click the name of the keyword list that you want to modify. A new screen appears.
3. Modify the settings.
4. Click Save. The screen closes. 5. Back in the Digital Asset Definitions screen, click Assign to Clients.
TO EXPORT KEYWORD LISTS:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords. 2. Click Export. 3. Save the resulting .dat file to your preferred location.
TO DELETE KEYWORD LISTS:
1. On the dropdown box on top of the Digital Asset Definitions screen, select Keywords.
2. Select the keyword lists that you want to delete and click Delete.
3. Click Assign to Clients.
Please refer to the OfficeScan Administration Guide for a detailed list of predefined Digital Asset Templates.
At least one of the following must be true:
A file must satisfy [Definition 1] and [Definition 2]
A file must satisfy [Definition 3] and [Definition 4]
For example: A file must be [an Adobe PDF document] and must contain [3 keywords with a combined score of 10]. OR A file must be [a Microsoft Word document] and must contain [all of the keywords in the keyword list].

Except [Definition 1]
A file must not satisfy [Definition 1]
For example: A file must not be [a multimedia file]
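To make the And/Or/Except logic and the template priority rule concrete, here is an added Python model (not OfficeScan code) that evaluates condition statements against the definitions detected in a file. It assumes a file is summarised as a mapping from definition name to the number of occurrences found, and that a lower priority number means higher priority; the definition names are constructed from the example above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not OfficeScan code): a model of template condition
# statements. A file is represented by the definitions it satisfies, mapped
# to the number of occurrences detected (1 for a file attribute or keyword
# list, the match count for an expression).
Detections = Dict[str, int]


@dataclass(frozen=True)
class Requirement:
    definition: str
    occurrences: int = 1   # number of times an expression must occur

    def satisfied(self, detections: Detections) -> bool:
        return detections.get(self.definition, 0) >= self.occurrences


@dataclass(frozen=True)
class Template:
    name: str
    priority: int          # assumption: lower number = higher priority
    # Each inner tuple is a group of And-ed requirements; the groups are Or-ed
    # ("at least one of the following must be true").
    alternatives: Tuple[Tuple[Requirement, ...], ...]
    # "Except" definitions: the file must satisfy none of them.
    exceptions: Tuple[Requirement, ...] = ()

    def matches(self, detections: Detections) -> bool:
        if any(r.satisfied(detections) for r in self.exceptions):
            return False
        return any(all(r.satisfied(detections) for r in group)
                   for group in self.alternatives)


def applicable_template(templates: List[Template],
                        detections: Detections) -> Optional[Template]:
    """Return the matching template with the highest priority, or None.
    When a file matches more than one template, the higher priority one applies."""
    matching = [t for t in templates if t.matches(detections)]
    return min(matching, key=lambda t: t.priority) if matching else None


# The example statement above, plus a second template to show priority.
DOCUMENTS = Template(
    name="Confidential documents",
    priority=2,
    alternatives=(
        (Requirement("Adobe PDF document"), Requirement("HR keywords (combined score)")),
        (Requirement("Microsoft Word document"), Requirement("HR keywords (all keywords)")),
    ),
    exceptions=(Requirement("Multimedia file"),),
)
CARD_NUMBERS = Template(
    name="Payment cards",
    priority=1,
    # An expression definition with a required number of occurrences.
    alternatives=((Requirement("Credit card number expression", occurrences=3),),),
)
TEMPLATES = [DOCUMENTS, CARD_NUMBERS]
```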
TO ADD A TEMPLATE:
1. Click Add. A new screen displays. 2. Type a name for the template. The name must not exceed 100 bytes in length and cannot contain the following characters:
<*^|&?\/
3. Type a description that does not exceed 256 bytes in length. 4. Select digital asset definitions and then click the Add icon. When selecting definitions:
Select multiple entries by pressing and holding the CTRL key and then selecting the definitions.
Use the search feature if you have a specific definition in mind. You can type the full or
4.1. To create definitions:
4.1.1. Click the icon next to Available definitions and select from the following options:
Add new expression
Add new file attribute
Add new keyword
4.2. In the screen that appears, configure settings for the definition.
5. If you selected an expression, type the number of occurrences, which is the number of times an expression must occur before OfficeScan subjects it to a Digital Asset Control policy.
6. Choose a logical operator for each definition.
7. To remove a definition from the list of selected definitions, click the trash bin icon.
8. Click Save. The screen closes.
9. Back in the Digital Asset Templates screen, click Assign to Clients.
1. Select a customized template and then click Copy. A new screen appears.
2. Type a unique name for the template. The name must not exceed 100 bytes in length and cannot contain the following characters:
< * ^ | & ? \ /
3. Accept or modify the other settings.
4. Click Save. The screen closes.
5. Back in the Digital Asset Templates screen, click Assign to Clients.
TO ADD TEMPLATES USING THE "IMPORT" OPTION:
1. Click Import and then locate the .dat file containing the templates. 2. Click Open. A message appears, informing you if the import was successful. If a template to be imported already exists, it will be skipped. 3. Click Assign to Clients.
TO MODIFY A TEMPLATE:
1. Click the name of the template that you want to modify. A new screen appears.
2. Modify the settings. 3. Click Save. The screen closes. 4. Back in the Digital Asset Templates screen, click Assign to Clients.
TO EXPORT TEMPLATES:
1. Click Export. 2. Save the resulting .dat file to your preferred location.
TO DELETE TEMPLATES:
1. Select the templates that you want to delete and click Delete. 2. Click Assign to Clients.
Printer
Removable storage
SMB protocol
Synchronization software (ActiveSync)
Webmail
Windows clipboard
When OfficeScan detects a "burn" command initiated on any of these devices or software and the action is "Pass", data recording proceeds. If the action is "Block", OfficeScan checks if any of the files to be recorded is or contains a digital asset. If OfficeScan detects at least one digital asset, all files - including those that are not, or do not contain, digital assets - will not be recorded. OfficeScan may also prevent the CD or DVD from ejecting. If this issue occurs, instruct users to restart the software process or reset the device. OfficeScan implements additional CD/DVD recording rules:
To reduce false positives, OfficeScan does not monitor the following files: .bud .dll .gif .gpd .htm .ico .ini .jpg .lnk .sys .ttf .url .xml
Two file types used by Roxio data recorders (*.png and *.skn) are not monitored to increase performance.
OfficeScan does not monitor files in the following directories:
*:\autoexec.bat
*:\Windows
..\Application Data
..\Cookies
..\Local Settings
..\ProgramData
..\Program Files
..\Users\*\AppData
..\WINNT
ISO images created by the devices and software are not monitored.
B.5.2 FTP
When OfficeScan detects that an FTP client is attempting to upload files to an FTP server, it checks for the presence of digital assets in the files. No file has been uploaded at this point. Depending on the Digital Asset Control policy, OfficeScan will allow or block the upload. When you configure a policy that blocks file uploads, remember the following:
When OfficeScan blocks an upload, some FTP clients will try to re-upload the files. In this case, OfficeScan terminates the FTP client to prevent the re-upload. Users do not receive a notification after the FTP client terminates. Inform them of this situation when you roll out your Digital Asset Control policies.
If a file to be uploaded will overwrite a file on the FTP server, the file on the FTP server may be deleted.
B.5.4 IM Applications
OfficeScan monitors messages and files that users send through instant messaging (IM) applications. Messages and files that users receive are not monitored. When OfficeScan blocks a message or file sent through AOL Instant Messenger, MSN, Windows Messenger, or Windows Live Messenger, it also terminates the application. If OfficeScan does not do this, the application will become unresponsive and users will be forced to terminate the application anyway. Users do not receive a notification after the application terminates. Inform them of this situation when you roll out your Digital Asset Control policies.
B.5.7 Printer
OfficeScan monitors printer operations initiated from various applications. OfficeScan does not block printer operations on new files that have not been saved because printing information has only been stored in the memory at this point.
When a file to be transmitted contains a digital asset, OfficeScan either blocks or allows the transmission.
NOTE: The Device Control action has a higher priority than the Digital Asset Control action. For example, if Device Control does not allow copying of files to a removable storage device, transmission of digital assets will not proceed even if Digital Asset Control allows it.
NOTE: Additional configurations on the OfficeScan server are required to enable the monitoring of data transmissions on embedded floppy disk drives. Contact your support provider for configuration instructions.
The handling of file transmission to a removable storage device is a straightforward process. For example, a user who creates a file from Microsoft Word may want to save the file to an SD card (it does not matter which file type the user saves the file as). If the file contains a digital asset that should not be transmitted, OfficeScan prevents the file from being saved. For file transmission within the device, OfficeScan first backs up the file (if its size is 75MB or less) to %WINDIR%\system32\dgagent\temp before processing it. OfficeScan removes the backup file if it allowed the file transmission. If OfficeScan blocked the transmission, it is possible that the file may have been deleted in the process. In this case, OfficeScan will copy the backup file to the folder containing the original file.
IP address of 127.0.0.1 and is sent through either port 990 or 5678 (the ports used for synchronization), OfficeScan checks if the data is a digital asset before allowing or blocking its transmission.
B.5.12 Webmail
Web-based email services transmit data through HTTP. If OfficeScan detects outgoing data from supported services, it checks the data for the presence of digital assets.
DESCRIPTION
OfficeScan performs an action if the endpoint transmits digital assets to private and external networks. Tip: Trend Micro recommends choosing this scope for external clients.
OfficeScan performs an action only if the endpoint transmits digital assets to external networks. Digital assets transmitted to private networks are not monitored. Hosts on private networks have the following IP addresses:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
However, if a private IP address is defined in the Digital Asset Control exception, OfficeScan will perform the action for the exception. For example, if the IP address is in the list of blocked transmission targets, OfficeScan will block the transmission to the host that uses the IP address.
Tip: Trend Micro recommends choosing this scope for internal clients.
B.6.2 Actions
The following table lists the Digital Asset Control actions.
ACTION / DESCRIPTION

Primary Actions
Pass: OfficeScan allows the transmission.
Block: OfficeScan blocks the transmission.

Additional Actions
Notify the client user: OfficeScan displays a notification message to inform the user of the data transmission and whether it was passed or blocked. You can modify the message from Notifications > Client User Notifications > Digital Asset Transmissions tab.
Capture data: Regardless of the primary action, OfficeScan will save a copy of the data to <Client installation folder>\DLPLite\Forensic. Select this action to evaluate data that is being flagged by Digital Asset Control. Clients do not send the data to the server.
file is not scanned if it has more than the specified number of embedded layers.
Total number of files in compressed file exceeds __ (1-2000): The entire compressed file is not scanned if it contains more than the specified number of files.
A compressed file is scanned if it is not password-protected or does not exceed any of the decompression limits. The detection of at least one digital asset triggers an action on the entire compressed file. Depending on the action, the entire file will be passed (transmitted) or blocked.
EXCEPTION: Approved or blocked transmission targets
AFFECTED CHANNEL: HTTP, HTTPS, FTP, SMB protocol, Printer, IM application (for file transfers)
DESCRIPTION: OfficeScan allows or blocks the transmission of digital assets to the specified targets if the transmission is through the affected channels and the specified ports. Identify a target by its:
IP address
Host name
FQDN
Network address and subnet mask, such as 10.1.1.1/32
EXAMPLE: 10.1.1.1:5-20, host:5-20, host.domain.com:20, 10.1.1.1/32:20

AFFECTED CHANNEL: Email clients
DESCRIPTION: OfficeScan allows or blocks the transmission of email to the internal email domains.
EXAMPLE: xyz.com

AFFECTED CHANNEL: Removable storage
DESCRIPTION: OfficeScan allows or blocks the transmission of data to or within the removable storage devices.
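The transmission scope described under B.6.1 (private networks not monitored under the external-only scope, unless a private address appears in an exception) and the transmission-target exception format in the table above combine into one decision per attempted transmission. The Python below is an added illustration of that decision logic (not OfficeScan code); it parses the target formats from the table and assumes that a target present on both the approved and blocked lists is treated as blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example (not OfficeScan code): how the transmission scope and the
# approved/blocked transmission-target exceptions decide the action for one
# attempted transmission.

# Private address ranges listed under the "external networks" scope.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Channels the transmission-target exception applies to (table above).
TARGET_CHANNELS = {"HTTP", "HTTPS", "FTP", "SMB", "Printer", "IM"}


def as_ip(host: str):
    """Parse host as an IP address, or return None for host names / FQDNs."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_private(host: str) -> bool:
    ip = as_ip(host)
    return ip is not None and any(ip in net for net in PRIVATE_NETWORKS)


@dataclass(frozen=True)
class Target:
    """One entry of the approved or blocked list: an IP address, host name,
    FQDN or network/prefix, optionally followed by :port or :port-port
    (the table's 10.1.1.1:5-20, host:5-20, host.domain.com:20, 10.1.1.1/32:20).
    IPv6 literals, which contain colons, are not handled here."""
    host: str
    port_low: Optional[int] = None
    port_high: Optional[int] = None

    @classmethod
    def parse(cls, spec: str) -> "Target":
        host, _, ports = spec.strip().rpartition(":")
        if not host:                      # no port part at all
            return cls(spec.strip())
        low, _, high = ports.partition("-")
        return cls(host, int(low), int(high or low))

    def matches(self, dest_host: str, dest_port: int) -> bool:
        if self.port_low is not None and not self.port_low <= dest_port <= self.port_high:
            return False
        dest_ip = as_ip(dest_host)
        if "/" in self.host:              # network address and subnet mask
            network = ipaddress.ip_network(self.host, strict=False)
            return dest_ip is not None and dest_ip in network
        target_ip = as_ip(self.host)
        if target_ip is not None:
            return dest_ip is not None and dest_ip == target_ip
        return self.host.lower() == dest_host.lower()   # host name or FQDN


def decide(scope: str, channel: str, dest_host: str, dest_port: int,
           primary_action: str, approved: Iterable[Target] = (),
           blocked: Iterable[Target] = ()) -> str:
    """Return "pass", "block" or "not_monitored".

    scope is "all" (private and external networks) or "external" (external
    networks only). Exceptions are checked first because an exception
    overrides both the policy action and the private-network rule. A target
    on both lists is treated as blocked (an assumption of this example).
    """
    if channel in TARGET_CHANNELS:
        if any(t.matches(dest_host, dest_port) for t in blocked):
            return "block"
        if any(t.matches(dest_host, dest_port) for t in approved):
            return "pass"
    if scope == "external" and is_private(dest_host):
        return "not_monitored"
    return primary_action
```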
2. Click Settings > Digital Asset Control Settings. 3. Click the External Clients tab to configure a policy for external clients or the Internal Clients tab to configure a policy for internal clients. 4. Select Enable Digital Asset Control.
6. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
Figure B.9: Digital Asset Control Settings > Template screen
TEMPLATE SETTINGS
1. Click the Template tab.
2. If you are on the External Clients tab, you can apply template settings to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply template settings to external clients by selecting Apply settings to internal clients.
3. Select templates from the Available templates list and then click Add. When selecting templates:
Select multiple entries by pressing and holding the CTRL key and then selecting the templates.
Use the search feature if you have a specific template in mind. You can type the full or partial name of the template.
4. If no template exists or if a template is not found in the Available templates list, you can perform any of the following tasks:
Create a new template by clicking the icon next to Available templates. The Digital Asset Templates screen displays. After creating the template, select it and then click Add.
Import a list of templates by clicking Import under Selected templates and then locating the .csv file containing the templates.
5. To move a template up or down the Selected templates list, select a template and then click Up or Down until the template is in its correct position. It is not possible to move several templates at a time.
6. To export your chosen templates, click Export and then save the resulting .csv file to your preferred location.
CHANNEL SETTINGS
1. Click the Channel tab. 2. If you are on the External Clients tab, you can apply channel settings to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply channel settings to external clients by selecting Apply settings to internal clients. 3. Select the channels for the policy.
ACTION SETTINGS
1. Click the Action tab.
2. If you are on the External Clients tab, you can apply action settings to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply action settings to external clients by selecting Apply settings to internal clients.
3. Select the transmission scope.
4. Select a primary action and any additional actions.
5. Specify decompression settings.
Figure B.11: Add Digital Control Settings > Action screen
EXCEPTION SETTINGS
1. Click the Exception tab.
2. If you are on the External Clients tab, you can apply the exceptions to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply the exceptions to external clients by selecting Apply settings to internal clients.
3. Configure the approved and blocked lists.
3.1. Add transmission targets. Separate targets by commas.
3.2. Add internal email domains. Separate domains by commas.
3.3. Add a removable storage device identified by its vendor. The device model and serial ID are optional. To add more devices, click the icon.
TO RUN THE DEVICE LIST TOOL:
1. On the OfficeScan server computer, navigate to <Server installation folder>\PCCSRV\Admin\Utility\ListDeviceInfo.
2. Copy listDeviceInfo.exe to the target endpoint.
3. On the endpoint, double-click listDeviceInfo.exe.
4. View device information in the browser window that displays. Digital Asset Control and Device Control use the following information:
Vendor (required)
Model (optional)
Serial ID (optional)
1. In the Criteria tab:
2. Go to the Digital Asset Transmissions section.
3. Specify whether to send notifications when transmission of digital assets is detected (the action can be blocked or passed) or only when the transmission is blocked.
4. In the Email tab:
4.1. Go to the Digital Asset Transmissions section.
4.2. Select Enable notification via email.
4.3. Select Send notifications to users with client tree domain permissions. You can use Role-based Administration to grant client tree domain permissions to users. If transmission occurs on a client belonging to a specific domain, the email will be sent to the email addresses of the users with domain permissions.
If an OfficeScan client belonging to Domain A detects a digital asset transmission, the email will be sent to mary@xyz.com, john@xyz.com, and chris@xyz.com. If a client belonging to Domain B detects the transmission, the email will be sent to mary@xyz.com and jane@xyz.com. 4.4. 4.5. Select Send notifications to the following email address(es) and then type the email addresses.
4.6. Accept or modify the default subject and message. You can use token variables to represent data in the Subject and Message fields.
Go to the Digital Asset Transmissions section. Select Enable notification via pager. Type the message.
Go to the Digital Asset Transmissions section. Select Enable notification via SNMP trap. Accept or modify the default message. You can use token variables to represent data in the Message field.
Go to the Digital Asset Transmissions section. Select Enable notification via NT Event Log.
B.9.3 Digital Asset Control Notifications for Client Users
OfficeScan can display notification messages on client computers immediately after it allows or blocks the transmission of digital assets. To notify users that digital asset transmission was blocked or allowed, select the option Notify the client user when you create a Digital Asset Control policy.
TO CONFIGURE DIGITAL ASSET CONTROL NOTIFICATIONS FOR CLIENT USERS:
1. Click the Digital Asset Transmissions tab.
2. Click Logs > Digital Asset Control Logs or View Logs > Digital Asset Control Logs.
3. Specify the log criteria and then click Display Logs.
4. View logs. Logs contain the following information:
Date/Time digital asset transmission was detected
Computer where transmission was detected
Domain of the computer
IP address of the computer
The process that facilitated the transmission of a digital asset. The process depends on the channel.
Channel through which the digital asset was transmitted
Action on the transmission
Template that triggered the detection
User name logged on to the computer
Description, which includes additional details about the transmission
5. To save logs to a comma-separated value (CSV) file, click Export to CSV. Open the file or save it to a specific location.
You can reinstall the Data Protection module anytime. After reinstallation, activate the license using a valid Activation Code.
1. Open the OfficeScan web console and click Plug-in Manager in the main menu. 2. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Uninstall. 3. Monitor the uninstallation progress. You can navigate away from the screen during the uninstallation. 4. Refresh the Plug-in Manager screen after the uninstallation. OfficeScan Data Protection is again available for installation.
to all USB storage devices, except those added to the exception list. For devices in the exception list, you can grant full control to these devices or limit the level of access.
Allow access to USB storage devices, CD/DVD, floppy disks, and network drives. You can grant full control to these devices or limit the level of access. The scanning function in OfficeScan complements and may override the device permissions. For example, if the permission allows a file to be opened but OfficeScan detects that the file is infected with malware, a specific scan action will be performed on the file to eliminate the malware. If the scan action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is deleted.
1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.
2. Click Settings > Device Control Settings.
Figure B.14: Device Control Settings > Internal Clients screen
3. Click the External Clients tab to configure settings for external clients or the Internal Clients tab to configure settings for internal clients.
4. Select Enable Device Control.
5. If you are on the External Clients tab, you can apply settings to internal clients by selecting Apply settings to internal clients. If you are on the Internal Clients tab, you can apply settings to external clients by selecting Apply settings to external clients.
6. Configure the permission for USB storage devices.
Allow Access: Grants access to the device. You can configure the level of access.
Block Access: The device will not be visible to the user (for example, from Windows Explorer).
7. Configure the permission for CD/DVD, floppy disks, and network drives. For CD/DVD and floppy disks, you can choose "Allow Access" or "Block Access". For network drives, the permission is always "Allow Access".
Allow Access: Grants access to the device. You can configure the level of access.
Block Access: The device will not be visible to the user (for example, from Windows Explorer) and no notification displays.
8. Configure the permission for COM and LPT ports, IEEE 1394 interface, imaging devices, infrared devices, modems, PCMCIA card, and print screen key.
Allow Access: Grants full access to the device.
Block Access: The device will not be visible to the user (for example, from Windows Explorer) and no notification displays.
9. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
2. Modify the default messages in the text box provided.
3. Click Save.
1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.
2. Click Logs > Device Control Logs or View Logs > Device Control Logs.
3. Specify the log criteria and then click Display Logs.
4. View logs. Logs contain the following information:
Date/Time unauthorized access was detected
Computer where external device is connected or where network resource is mapped
Computer domain where external device is connected or where network resource is mapped
Device type or network resource accessed
Target, which is the item on the device or network resource that was accessed
Accessed by, which specifies where access was initiated
Permissions set for the target
5. To save logs to a comma-separated value (CSV) file, click Export to CSV. Open the file or save it to a specific location.
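As an added example (not code from OfficeScan or this manual), the following Python script triages a Device Control log after it has been exported with Export to CSV. The column names are an assumption modelled on the fields listed above (the header of a real export may differ and should be checked before use), and the rows are constructed sample data. It shows the kind of question an analyst asks of this log: which computers keep hitting a blocked device, and which targets were touched per device type.

```python
"""Triage an exported OfficeScan Device Control log (CSV).

Added example for this section, not part of the OfficeScan product or manual.
Assumptions: the column names below mirror the fields the manual lists for the
Device Control log; the sample rows are constructed, not a real export.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: one header row plus a few events.
SAMPLE_CSV = """\
Date/Time,Computer,Domain,Device Type,Target,Accessed By,Permissions
2010-08-02 09:12:01,WS-0412,Workgroup,USB storage device,E:\\payroll.xlsx,explorer.exe,Block
2010-08-02 09:12:07,WS-0412,Workgroup,USB storage device,E:\\payroll.xlsx,explorer.exe,Block
2010-08-02 09:15:33,WS-0412,Workgroup,USB storage device,E:\\,explorer.exe,Block
2010-08-02 10:02:44,WS-0099,Workgroup,CD/DVD,D:\\setup.exe,setup.exe,Block
2010-08-02 10:40:10,WS-0412,Workgroup,Network drive,\\\\fs01\\share\\q3.docx,winword.exe,Allow
2010-08-02 11:01:59,WS-0007,Workgroup,USB storage device,F:\\tools\\,cmd.exe,Block
"""


def parse_device_control_log(text):
    """Return the export as a list of dicts keyed by the header column names."""
    return list(csv.DictReader(io.StringIO(text)))


def blocked_events(rows):
    """Only the events where the configured permission blocked the access."""
    return [r for r in rows if r["Permissions"].strip().lower() == "block"]


def blocks_per_computer(rows):
    """Count blocked accesses per computer so repeat offenders stand out."""
    return Counter(r["Computer"] for r in blocked_events(rows))


def repeat_offenders(rows, threshold=3):
    """Computers with at least `threshold` blocked accesses, most frequent first."""
    counts = blocks_per_computer(rows)
    return [(computer, n) for computer, n in counts.most_common() if n >= threshold]


def targets_by_device_type(rows):
    """Map device type -> set of distinct targets that were touched (any permission)."""
    out = defaultdict(set)
    for r in rows:
        out[r["Device Type"]].add(r["Target"])
    return out


if __name__ == "__main__":
    rows = parse_device_control_log(SAMPLE_CSV)
    for computer, n in repeat_offenders(rows):
        print(f"{computer}: {n} blocked device accesses")
    for dtype, targets in sorted(targets_by_device_type(rows).items()):
        print(f"{dtype}: {len(targets)} distinct targets")
```

Replace SAMPLE_CSV with the contents of the exported file (open it with the encoding the console wrote) and adjust the column names to the real header; the threshold in repeat_offenders is a tuning knob, not a product setting.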
Appendix C: Virtual Desktop Infrastructure (VDI) Support Plug-in
Trend Micro Virtual Desktop Support is a plug-in tool that optimizes virtual desktop protection by regulating the activity of OfficeScan clients to decrease the resource consumption required for on-demand and scheduled scanning activities and updates. Additionally, this plug-in includes the VDI Pre-Scan Template Generation Tool to remove GUIDs from golden images and to optimize scanning so that the base components of the golden template image are not scanned over and over again for each instance of the image, allowing OfficeScan to check only the parts that have changed. This tool supports OfficeScan 10.5 clients and above.
patches, and standard applications. Deploying new virtualized desktops is as easy as creating a copy of the base image and starting it up as a new instance of the core VM framework on the VDI host system.
Controls mandated by regulations can be implemented and enforced to virtualized endpoints in a repeatable, streamlined fashion with the management infrastructure in immediate and complete control over the total hardware environment. In a VDI environment the backup data never leaves the high-performance infrastructure inside the datacenter. The entire process of backing up becomes easy, fast, and painless.
Data Protection
In a VDI environment, data resides on a central server cluster and never leaves the secure boundaries of the corporate datacenter where the physical security of data is inherently easier to implement and enforce.
Adding or replacing memory, hard-disk capacity, and other resources can occur without interruption. The benefits of fault-tolerance and redundancy are instantly available to all users. Controlling the state of endpoints for the deployment of patches and new applications is also easier.
Figure C.1: Simultaneous Scanning Activity Drives CPU Usage Up on All VMs
Simultaneous Full System Scans
When full-system scans are scheduled to take place at a certain time, and all virtualized desktops reside on the same underlying hardware, the resulting demand for simultaneous disk access will slow down not only other applications but the scanning process itself. A VDI-aware endpoint security solution must serialize full scans for all systems on the same VDI host. Larger client updates present challenges similar to full-system scans and must be treated in a similar fashion in order to lessen demand on the underlying hosts' storage and network resources. Load balancing for data transfer must also be addressed with VDI-aware endpoint security.
OfficeScan will allow only one virtualized endpoint at a time to perform a full system scan. With this serialized approach, the overall impact on performance is low, yet all systems will be scanned one after the other. Similar to the serialization of full scans, OfficeScan management will only update as many as three virtualized desktops per VDI server at the same time.
Figure C.2: Sequenced Scanning Activity Significantly Improves Global Performance
Pre-Scanning and Whitelisting of Base Images
Most virtual desktops will be created using the same base image. Administrators can pre-scan and whitelist the elements of that base image. The result is that in each instance of a virtual desktop, OfficeScan will only scan for deviations from the base image. This eliminates most extraneous scanning, resulting in much shorter scan times, which ultimately contributes to lower performance impact and increased productivity.
C.3 > Using the Virtual Desktop Support Plug-in
When the VDI-support plug-in is installed, OfficeScan servers can communicate with VMware vCenter or Citrix XenServer servers to retrieve information about which OfficeScan clients are on the same physical server, and then modify their behavior accordingly.
Figure C.3: The VDI-Support Plug-in as it Appears in the Plug-in Manager of the OfficeScan Console
Using the VDI-support plug-in is relatively simple. All you need to do is enter your VMware vCenter or Citrix XenServer connection settings on the plug-in's single configuration page.
Installation of the VDI-support plug-in is similar to the installation of other OfficeScan plug-ins. For guidance on the use of the Plug-in Manager and installing plug-ins, see 5.14 > Plug-in Manager on page 212.
To add server connections, follow these steps:
1. Launch the plug-in interface by clicking Plug-in Manager > Trend Micro Virtual Desktop Support > Manage Program.
2. Specify which server setting to use: VMware vCenter or Citrix XenServer.
3. Select Enable this connection to the server.
3.1. Specify the server name or IP address and logon password.
3.2. Optionally enable proxy connection. Specify the proxy server name or IP address and port. If the proxy server requires authentication, specify the user name and password.
Click Test connection to verify that the OfficeScan server can successfully connect to the server.
4. Click Save.
To add another server connection:
1. Click Add new vCenter/XenServer connection.
2. Repeat the steps to provide the proper server information.
3. Click Save.
Policy Enforcement
Policy Creation
Figure D.1: The Components of an OfficeScan Network Using Cisco NAC
The NAD is a Cisco-manufactured router with network access control functionality built in to it. When a client attempts to access the network, the router initiates the antivirus and other security checks that are the foundation of Cisco NAC. The Cisco ACS is responsible for the creation of the policies on how to handle devices attempting to access the network. The Trend Micro Policy Server validates the antivirus credentials for an OfficeScan client. The ACS communicates with the CTA on the client to find out what kind of antivirus components the client has. The ACS passes the information to the Policy Server, which checks the client's antivirus components against the list of the latest antivirus components. (The Policy Server has this list through regular synchronization with the OfficeScan server.) The Policy Server communicates the status of the client's antivirus components back to the Cisco ACS. The Cisco ACS, in turn, communicates the client status back to the router so the router can enable or block the client's access to the network.
Model: Cisco ASA 5500 series, Cisco VPN 3000 series
Wireless Platforms: Cisco Catalyst 6500 WLSM, Cisco Aironet access point, Cisco Aironet lightweight access point, Cisco Wireless LAN Controller
The updated Cisco Trust Agent (CTA) supports most current Windows operating systems and some Linux platforms (see the table below). The new CTA also enables NAC2 to expand admission control coverage to unmanaged or agentless devices, including guest laptops. It does not support x64 platforms.
Operating System    Version
Red Hat Linux       Enterprise Linux 3.0
Windows NT          4.0 (with Service Pack 6)
Windows 2000        Professional and Server (with Service Pack 4)
Windows XP          Professional (up to Service Pack 2)
Windows 2003        Server and Enterprise Server
You can deploy the NAC2 CTA to new computers, or upgrade CTA version 1 clients to CTA version 2. When you view the network tree shown in the Cisco NAC Agent Deployment
window, you can check the current CTA version of your clients. You can update any clients that are currently running CTA version 1 to CTA version 2, or deploy to new clients, using the Cisco NAC > Agent Deployment component.
Cisco ACS
PEAP Session
In order to proceed with the posture validation process, a Protected Extensible Authentication Protocol (PEAP) session must be set up between the client and the ACS (see the figure below). Extensible Authentication Protocol (EAP) is a framework that carries other authentication methods, such as Transport Layer Security (EAP-TLS) or MD5 (EAP-MD5). PEAP uses a TLS tunnel to encapsulate EAP yet again for an added layer of security. The CTA on the client and the router exchange EAP over UDP (EAPoUDP); the router relays the EAP messages to the ACS over RADIUS. The ACS begins the TLS negotiation by sending its public certificate to the client. If the client returns a session key encrypted to that certificate, and the ACS and client can agree on a TLS cipher suite that both support, the PEAP session is established.
[Figure: PEAP session setup between the OSCE Client + CTA and the ACS. Transports: EAPoUDP (client to NAD), EAPoRadius (NAD to ACS). Exchange: Public Certificate; Encrypted Session Key; TLS Encryption Method Negotiated; Encrypted PEAP Session.]
NOTE: All communication between the OfficeScan client and the ACS flows through the NAD.
The policies defined by the ACS and the Policy Server determine which of the above credentials the Posture Plug-In retrieves from the client.
The portion of the Posture Plug-In that is responsible for retrieving credentials from the client is TMabPP.dll. When the CTA receives a query from the ACS, it queries TMabPP.dll, which queries the OfficeScan client. The OfficeScan client sends the required information to TMabPP.dll. TMabPP.dll sends the information to the CTA, which forwards it through the NAD to the ACS. (See the figure below.)
[Figure: Credential retrieval through the Posture Plug-in: OSCE Client, TMabPP.dll, TMabPPact.exe; posture credentials go to the NAD and on to the ACS.]
Figure D.5: Communication between the ACS and the Policy Server
Policy Server
Host Credential Authorization Protocol (HCAP) is used to secure communications between the ACS and the Policy Server. Setting up an HCAP session involves encapsulating HCAP in HTTP messages and transmitting them over SSL. Once the SSL tunnel is created, the ACS issues an HTTP POST to the Policy Server and authenticates with HTTP digest authentication, using the user name and password that were defined when the Policy Server was installed.
When the ACS and the Policy Server have a properly authenticated HCAP session, the ACS sends the client's credentials to the Policy Server. The Policy Server checks those credentials against its policies and responds to the ACS with one of the following five tokens:
Healthy
Checkup
Quarantine
Infected
Unknown
The names of the tokens are defined by Cisco and cannot be changed. However, the tokens mean nothing in and of themselves; you define the credentials that will result in a specific type of token. You also define the actions that will be taken for each type of token by defining Access Control Lists (ACLs) and associating them with tokens. The ACS forwards the token and the ACL to the NAD. The NAD then enforces the action.
NOTE: The NAD stores the ACL for the client until it times out. This prevents posture validation from having to be performed for every packet coming from a particular client.
D.3.3 Remediation
Based on the token it receives and its associated actions, the NAD can either grant the client full access, grant it partial access, or block it entirely. However, the NAD also forwards the token to the client where additional remediation actions can be performed. These remediation actions can bring a client into conformance with your policies, allowing you to protect your network and also allowing the client to attempt to access the network again. To communicate the remediation action to the OfficeScan client, the CTA must once again communicate with the OfficeScan client through the Posture Plug-In. For this communication, traffic flows through TMabPPact.exe (see the figure below).
[Figure: Remediation path through the Posture Plug-in: OSCE Client, TMabPP.dll, TMabPPact.exe.]
Remediation actions that can be sent to the client: Enable real-time scan, Scan Now, Cleanup Now, Client pop-up message.
NOTE: You can define what this alert message will say.
In addition, you must configure the Cisco ACS and the NAD. For instructions on how to do so, see Appendix E: Configuring the Cisco ACS and NAD on page 425.
In the Policy Server Address field, enter the name and port number of the Policy Server. 4343 is the default port, but this port is set up during installation of the Policy Server and may have been changed. The password was also defined during installation.
NOTE: If you install Policy Server with the OfficeScan server, the OfficeScan setup wizard automatically creates the link to the Policy Server for you.
Deploy CTA
Once you've imported the certificate, you can deploy the CTA. The CTA can be installed on Windows 2000/2003 or XP Pro clients. For instructions on how to do so, see Appendix E: Configuring the Cisco ACS and NAD on page 425.
NOTE: Like the certificate, the agent can also be installed on the server at server installation; see OfficeScan Server Installation.
Use the OfficeScan management console to deploy the agent by clicking Cisco NAC on the sidebar, selecting the clients from the browser tree to which you want to deploy the CTA, and clicking Agent Deployment on the sidebar. The Agent Install/Uninstall dialog box comes up (see the figure below).
You can install, upgrade, or uninstall the CTA from this page. You can also choose whether you want the CTA to be automatically uninstalled when the OfficeScan client is uninstalled.
NOTE: If you upgrade a client certificate, you will need to manually uninstall, then reinstall, the CTA.
Preserve existing Cisco Trust Agent status means you do not want an installation to overwrite the CTA if one is already installed. Unless you are upgrading, or are certain you have never installed the CTA on any of the clients you selected, you may want to select this radio button; otherwise the server will reinstall the CTA and your settings will be lost. Click Save and the Set Install CTA confirmation box appears.
To verify that the CTA has been properly deployed, check the CTA program version on the management console's browser tree.
The certificate can be imported for OfficeScan by using the OfficeScan management console. To do this, click Cisco NAC > Client Certificate on the sidebar.
NOTE: It is also possible to import this certificate for OfficeScan during server installation. To review this process, see Chapter 4: OfficeScan Server Installation on page 63.
You must enter the path and filename for the certificate. It must be installed on a local drive on the server. Then click Import.
Trend Micro Policy Server for Cisco NAC > Policy Server Console.
From a web browser. Use this URL: https://<servername>:<portnumber>/antibody.
NOTE: The default port number is 4343.
From the OfficeScan management console, by clicking Cisco NAC > Policy Server on the sidebar, then selecting the link you created when you added the Policy Server to OfficeScan.
Summary Page
The summary page gives you information about the configuration of your Policy Server, including how many OfficeScan servers are registered with the Policy Server and the number of rules and policies in effect on the Policy Server (see the figure below). You can export rules, policies, and server lists to be used on another Policy Server by clicking Export, then import those rules, policies, and server lists by clicking Import. In addition, you can view the current log of machines that have been validated by clicking the View current validation log link. The list of registered OfficeScan servers shows you all the OfficeScan servers registered to the Policy Server and whether they are in normal or outbreak mode. A link is also provided that you can use to manually synchronize an OfficeScan server with the Policy Server.
To add a server, you must enter an OfficeScan server address. You may enter an IP address, hostname, or a Fully Qualified Domain Name (FQDN). You must also enter the port for your OfficeScan server. The default port for OfficeScan is 8080. You must also choose the policies that Policy Server will use for the server in normal or in outbreak mode. Normal mode is the everyday operation of your network. Outbreak mode occurs when a network administrator deploys a manual outbreak prevention policy to their OfficeScan clients. Typically, this is in response to a new threat, but before a pattern file or scan engine is available to protect the organization.
Outbreak mode policies are normally much stricter, and if even a single client connected to the server has a manual outbreak prevention policy deployed, the Policy Server will see OfficeScan as being in outbreak mode and will change the tokens it sends the ACS accordingly. Therefore, you may want to exercise tighter control over who is allowed to deploy outbreak prevention when using Cisco NAC.
Synchronization
In order for the Policy Server to provide current validation information to the ACS, it needs to have information from the OfficeScan server about the most up-to-date pattern files and scan engine versions. You configure how often the Policy Server will synchronize with the OfficeScan servers registered to it. You can select a time from every three minutes to every 24 hours. To configure this option, click Administration > Scheduled Synchronization and enter the time interval (in minutes) at which you want synchronization to occur.
NOTE: If you do not want to wait for the next scheduled synchronization cycle, you can always perform a manual synchronization by clicking the Synchronize with OfficeScan link on the Summary screen.
Rules
Rules define which antivirus settings the Policy Server will check and the response it will take if the criteria are met. After defining rules you will use them in a Policy. You cannot delete a rule that is in use by a policy unless you delete it from the policy first. To manage rules, click Configurations > Rules.
From the rules page, you can select rules to add, edit, or delete. The following default rules are already set up for you:
Checkup
The checkup rule checks the pattern file version. If it is 1 to 4 versions older than the current version, the Policy Server will return a Checkup token to ACS. The rule also specifies that the event must be logged, the pattern file must be updated, a cleanup must be performed, and the client must be notified.
Quarantine
The quarantine rule also checks the pattern file version. If it is 5 or more versions old, the Policy Server will return a Quarantine token to ACS. The rule specifies all the same remediation actions as the Checkup rule. In addition, it will order that the client be scanned for viruses.
The next default rule checks whether real-time scan is disabled. If it is, the Policy Server returns an Infected token to ACS. Remediation actions specified are: log the event, enable real-time scanning, and notify the client.
The healthy rule checks whether real-time scan is enabled, whether the scan engine is current, and whether the pattern file version is current. If the client meets all of these criteria, a Healthy token is returned to ACS. No remediation action is performed.
NOTE: The action taken by the NAD for any token is completely customizable by configuring ACLs and redirect URLs in ACS.
To create your own rules, click Add. The New Rule page appears (see the figure below).
To create a new rule, you simply name it, check all the criteria that must match in order to return a positive result for the rule, then select the actions you want taken if the rule criteria are matched.
NOTE: If you select multiple criteria, all must match in order to match the rule.
Policies
A policy is the set of rules against which client credentials are checked. Each OfficeScan server can be configured with only two policies: one for normal mode and one for outbreak mode, although you can have different policy sets for different OfficeScan servers. You can create new policies, but you will have to make a policy either the normal mode policy or the outbreak mode policy in order for Policy Server to use it. You can also edit the existing normal and outbreak mode policies by changing which rules they use. Click Configurations > Policies to bring up the Policies page.
Rules are read in top-down order, and if the criteria for a rule are matched, Policy Server will respond to ACS according to the criteria defined by the rule. If there is no match for any of the rules, the policy will define a no-match response and return it to ACS. No-match response criteria for the default policies are set up as shown in the table below.
Policy          Rules in Use                                  No-match Response
Normal Mode     Not Protected, Quarantine, Checkup, Notify    Healthy
Outbreak Mode   Healthy                                       Infected
Table D.3: No-match Response Criteria for the Default Policies
To define your own policy, you must first name it. You may then select which of the currently defined rules you want to apply to the policy. Use the up and down arrows at the right of the Rules in use field to determine the order in which rules will be read. Finally, define the action you want to be taken if no rules return a match.
NOTE: The default response if no rule matches maps back to the token that ACS will return to the NAD.
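The rule and policy logic described in this section, as an added example written for this page and not the Policy Server's own code: it models the default rules, the "all criteria must match" semantics, the top-down rule order of a policy, the per-mode policy selection, and the no-match response. The credential field names (pattern_version, engine_current, realtime_scan), the remediation action strings, and the name Not Protected for the default rule that checks whether real-time scan is disabled are this example's assumptions; the default Notify rule is not described in the text and is left out.

```python
"""Model of how Trend Micro Policy Server turns client credentials into a token.

Added example written for this section; it is not code from Policy Server or
OfficeScan. Assumptions: the credential field names (pattern_version,
engine_current, realtime_scan), the remediation action strings, and the name
"Not Protected" for the default rule that checks whether real-time scan is
disabled. The default "Notify" rule is not described in the text and is omitted.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Credentials = Dict[str, object]
TOKENS = ("Healthy", "Checkup", "Quarantine", "Infected", "Unknown")


@dataclass
class Rule:
    name: str
    # Every criterion must hold for the rule to match (the "all must match" note).
    criteria: List[Callable[[Credentials, int], bool]]
    token: str                      # token returned to ACS when the rule matches
    actions: Tuple[str, ...] = ()   # remediation actions sent back to the client

    def matches(self, creds: Credentials, current_pattern: int) -> bool:
        return all(check(creds, current_pattern) for check in self.criteria)


@dataclass
class Policy:
    name: str
    rules: List[Rule]       # read top-down; the first matching rule wins
    no_match_token: str     # response when no rule matches


def versions_behind(creds: Credentials, current_pattern: int) -> int:
    """How many pattern versions the client lags the version the server synchronized."""
    return current_pattern - int(creds["pattern_version"])


# Default rules as described in the section.
CHECKUP = Rule("Checkup",
               [lambda c, cur: 1 <= versions_behind(c, cur) <= 4],
               "Checkup", ("log", "update_pattern", "cleanup", "notify"))
QUARANTINE = Rule("Quarantine",
                  [lambda c, cur: versions_behind(c, cur) >= 5],
                  "Quarantine", ("log", "update_pattern", "cleanup", "notify", "scan"))
NOT_PROTECTED = Rule("Not Protected",          # assumed name for the real-time-scan rule
                     [lambda c, cur: not c["realtime_scan"]],
                     "Infected", ("log", "enable_realtime_scan", "notify"))
HEALTHY = Rule("Healthy",
               [lambda c, cur: bool(c["realtime_scan"]),
                lambda c, cur: bool(c["engine_current"]),
                lambda c, cur: versions_behind(c, cur) == 0],
               "Healthy")

# Default policies, following Table D.3: rules in use and the no-match response.
NORMAL_POLICY = Policy("Normal", [NOT_PROTECTED, QUARANTINE, CHECKUP], "Healthy")
OUTBREAK_POLICY = Policy("Outbreak", [HEALTHY], "Infected")

REQUIRED_FIELDS = ("pattern_version", "engine_current", "realtime_scan")


def evaluate(policy: Policy, creds: Credentials, current_pattern: int):
    """Top-down evaluation: (token, actions) of the first match, else the no-match response."""
    for rule in policy.rules:
        if rule.matches(creds, current_pattern):
            return rule.token, rule.actions
    return policy.no_match_token, ()


def validate(creds: Credentials, current_pattern: int, outbreak_mode: bool = False):
    """Pick the policy for the OfficeScan server's current mode and evaluate the client."""
    # Assumption: a client that sent no usable Trend AV credentials gets Unknown.
    if any(name not in creds for name in REQUIRED_FIELDS):
        return "Unknown", ()
    policy = OUTBREAK_POLICY if outbreak_mode else NORMAL_POLICY
    return evaluate(policy, creds, current_pattern)


if __name__ == "__main__":
    client = {"pattern_version": 97, "engine_current": True, "realtime_scan": True}
    print("normal:  ", validate(client, 100))
    print("outbreak:", validate(client, 100, outbreak_mode=True))
```

The same client that only gets a Checkup token in normal mode is returned as Infected in outbreak mode, which is the behaviour the section warns about: a single manual outbreak prevention deployment flips the policy for every client of that OfficeScan server.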
D.5.1 CTA
DEFAULT INSTALL DIRECTORY: C:\Program Files\Cisco Systems\CiscoTrustAgent
SERVICES: Cisco TrustAgent, Cisco TrustAgentLogging Service
PROCESSES: ctad.exe, ctalogd.exe
REGISTRY: HKLM\Software\CiscoSystems\CTA
NOTE: The CTA uses UDP port 21862 (EAP over UDP). An outbreak prevention policy that blocks port 21862 can disrupt CTA communication with the router, which could prevent the client from being able to access the network.
To navigate in ACS, you should be fam u miliar with the sidebar men pictured in Figure C.1. e nu
Input the location of the certificate file, the private key file, and the private key password. To install the client certificate, click System Configuration > ACS Certificate Setup > ACS Certification Authority Setup. The page has a field for the CA certificate file. Enter the client certificate's full path. Once you've installed the client certificate, you must tell the ACS to trust it. Click System Configuration > ACS Certificate Setup > Edit Certificate Trust List. A checklist of installed certificates appears. Select the checkbox next to the name of the client certificate you just installed. After installing both certificates, you will need to restart ACS. Select System Configuration > Service Control > Restart.
You can select your mandatory credentials by moving them from the available credentials list on the left to the selected credentials list on the right. Trend Micro OfficeScan software will be listed as Trend AV.
NOTE: You can configure exceptions to the mandatory credentials on either the router or the ACS. This chapter explains under NAD Configuration how to configure exceptions on the router.
To set up ACS to use the Trend Micro Policy Server, click External User Databases > Database Configuration, then under Credential Validation Policies, click the External Policies button.
You must enter the URL of the Policy Server in either CGI or ISAPI format. This URL tells ACS where to send the HCAP requests for validation. Trend Micro has done internal testing and found ISAPI to have much better performance, especially on Apache Web servers. On Apache servers, ISAPI performed 280 responses per second. On IIS servers, ISAPI performed 150 responses per second. CGI, on the other hand, performed 100 responses per second on Apache and less than 100 responses per second on IIS. The URLs should be entered as follows:
CGI: https://<polsrv>:<port#>/antibody/cgi-bin/PostureRequest.exe
ISAPI: https://<polsrv>:<port#>/antibody/cgi-bin/PostureRequest.dll?PostureRequest
You must also enter the Username and Password you specified when you installed the Policy Server. Under Forwarding Credential Types, specify the credentials you want to forward to the Policy Server for validation. Because this is a Trend Micro Policy Server, it will validate only Trend AV.
To create an ACL, click Shared Profile Components > Downloadable IP ACLs, then click the Add button.
You use standard Cisco IOS parameters to define the action that should be taken. You can specify either permit or deny. any is a wildcard indicating the source of a packet with an IP address in the range from 0.0.0.0 to 255.255.255.255. Once you've defined an action by creating an ACL, you must associate that action with a particular token by editing the groups that are named for the tokens. To do this, click Group Setup, select the proper group name from the drop-down menu, then click Edit Settings.
There are a large number of configurable settings for groups. This course describes only two: assigning an ACL to a group and assigning a URL to which a denied client can be redirected. To assign an ACL to the group, under Downloadable ACLs, enable the Assign IP ACL: checkbox. Choose the name of the ACL you created and wish to associate with the group.
To assign a redirect URL, under Cisco IOS/PIX RADIUS Attributes, enable the checkbox next to [009/001] cisco-av-pair. Type in the URL you wish to redirect the client to. You can also specify the type of token that will trigger redirection by using the posture-token= attribute.
CNAC
You can cause a message to appear on the client machine every time the posture validation process is initialized by typing one into the field next to Cisco client initial message: This message would appear every five minutes on the client and would probably be disruptive, so you would want to have a good reason to enable it. The ACS allows caching of PEAP credentials so that a session can resume after a client is disconnected, then reconnects before the session times out. This improves performance, but it is a potential security risk. Setting the parameter to zero disables this feature. Enable Fast Reconnect is a feature that allows clients to resume communication without setting up a new PEAP tunnel. This is a security risk. The feature is enabled by default; Trend Micro recommends unchecking the checkbox to disable this feature.
Services
CSAdmin
CSDbSync
CSMon
CSTacacs
CSAuth
CSLog
CSRadius
Processes
CSAdmin.exe
CSAuth.exe
CSDbSync.exe
CSLog.exe
CSMon.exe
CSRadius.exe
CSTacacs.exe
Registry
HKLM\Software\Cisco\CiscoAAAv3.3
NOTE When no activity occurs after this time expires, revalidation starts over. The inactivity timer default is 10 minutes.
radius-server key {7 string | string}
ip radius source-interface {interface}
In this example, the permit ip any any statement allows unvalidated traffic to access other areas of the network, including the Internet. Some customers may not want any network access at all until clients are validated, so deny ip any any may be more appropriate. You must also configure an ACL to specify what will be subject to posturing. Packets that match this intercept ACL are intercepted.
access-list {access-num} deny ip any host {router-IP-address}
Notice the intercept ACL mirrors the interface ACL, except that traffic denied by the intercept ACL is specifically permitted by the interface ACL. Doing this subjects the traffic to the posture validation process. You must assign your intercept ACL to the clients you want to be subject to posture validation using the following command:
ip admission name {rule-name} eapoudp list {std-access-list-num}
The std-access-list-num is the same as the access-num that you assigned to your intercept ACL in the previous command.
The abbreviation eou is for EAP over UDP. Define a username and password for your clientless users. You may define an ACL for them on the router or in the ACS.
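The following is an added example, not part of the course material, that assembles the IOS configuration this section describes and checks the "mirror" relationship between the interface ACL and the intercept ACL. All values are constructed placeholders (router address from the 192.0.2.0/24 documentation range, interface name, ACL numbers, RADIUS key and rule name). The interface ACL's permit ip any host <router> entry is inferred from the statement that traffic denied by the intercept ACL is permitted by the interface ACL; applying the rule with ip admission <rule-name> and the ACL with ip access-group <num> in on the client-facing interface is standard IOS syntax that the course text itself does not show.

```python
"""Added example: build and sanity-check the NAC L3 IP admission configuration
described in this section. All values are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class NacParams:
    router_ip: str            # address of the router's client-facing interface
    interface: str            # client-facing interface the ACLs apply to
    radius_key: str           # shared secret with the ACS (radius-server key)
    interface_acl: int        # numbered ACL applied to the interface
    intercept_acl: int        # numbered ACL that selects traffic to posture
    rule_name: str            # name used in 'ip admission name ...'
    allow_unvalidated: bool = True   # permit ip any any vs. deny ip any any


def interface_acl_lines(p: NacParams) -> list[str]:
    """Interface ACL: traffic to the router itself (the EAPoUDP posture
    exchange) is explicitly permitted; everything else is permitted or denied
    according to the policy chosen for not-yet-validated clients."""
    tail = "permit ip any any" if p.allow_unvalidated else "deny ip any any"
    return [
        f"access-list {p.interface_acl} permit ip any host {p.router_ip}",
        f"access-list {p.interface_acl} {tail}",
    ]


def intercept_acl_lines(p: NacParams) -> list[str]:
    """Intercept ACL: mirrors the interface ACL. Traffic to the router is
    denied here (not postured); everything else is permitted, which means it
    is intercepted and subjected to posture validation."""
    return [
        f"access-list {p.intercept_acl} deny ip any host {p.router_ip}",
        f"access-list {p.intercept_acl} permit ip any any",
    ]


def render_config(p: NacParams) -> str:
    """Emit the configuration lines in the order the section introduces them.
    The final three lines (interface block) are assumed standard IOS syntax."""
    lines = [
        f"radius-server key {p.radius_key}",
        f"ip radius source-interface {p.interface}",
        *interface_acl_lines(p),
        *intercept_acl_lines(p),
        f"ip admission name {p.rule_name} eapoudp list {p.intercept_acl}",
        f"interface {p.interface}",
        f" ip access-group {p.interface_acl} in",
        f" ip admission {p.rule_name}",
    ]
    return "\n".join(lines)


def _entries(acl_lines: list[str]) -> list[tuple[str, str]]:
    """Split 'access-list N <action> <match...>' into (action, match) pairs."""
    pairs = []
    for line in acl_lines:
        parts = line.split()
        pairs.append((parts[2], " ".join(parts[3:])))
    return pairs


def mirror_ok(p: NacParams) -> bool:
    """Check the mirror property: every host match the intercept ACL denies
    must be explicitly permitted by the interface ACL, otherwise the posture
    exchange with the router would itself be blocked."""
    permitted = {m for a, m in _entries(interface_acl_lines(p)) if a == "permit"}
    return all(m in permitted
               for a, m in _entries(intercept_acl_lines(p)) if a == "deny")


# Constructed sample values (documentation address range, placeholder key).
SAMPLE = NacParams(router_ip="192.0.2.1", interface="FastEthernet0/0",
                   radius_key="PLACEHOLDER-KEY", interface_acl=100,
                   intercept_acl=101, rule_name="nac-l3")

if __name__ == "__main__":
    print(render_config(SAMPLE))
    print("mirror ok:", mirror_ok(SAMPLE))
```

Switching allow_unvalidated to False produces the deny ip any any variant for sites that want no network access before validation; mirror_ok still passes because the router-host entry stays permitted on the interface ACL.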
EOU Commands
eou initialize all
eou initialize ip x.x.x.x
eou revalidate all
eou revalidate ip x.x.x.x
Clear Commands
clear ip admission cache eapoudp
clear eou [all] | [ip x.x.x.x]
Debug Commands
debug eou all
debug eap
debug ip admission eapoudp
Appendix F: Trend Micro Smart Protection Network (SPN)
Because conventional security solutions no longer adequately protect against the evolving set of Web threats, users need a new approach. Trend Micro delivers that approach with the Trend Micro Smart Protection Network (SPN).
Figure F.1: The Trend Micro Smart Protection Network (SPN)
The process, in the figure below, is very straightforward. However, with the amount of malware being seen in the security industry, keeping up with the volume is a challenge. The question raised on the customer's end, then, is "How many updates per day will be acceptable?" This is critical in light of the fact that not all computers will receive the update in time to protect them well, for many reasons. With this in mind, protecting individual devices and systems is important, but it is only a first step.
The Trend Micro Smart Protection Network (SPN) is a next-generation cloud-client content security infrastructure that delivers security that is smarter than conventional approaches by blocking the latest threats before they reach a user's PC or a company's network. Leveraged across Trend Micro's solutions and services, the Trend Micro Smart Protection Network combines unique Internet-based, or in-the-cloud, technologies with lighter-weight clients. By checking URLs, emails, and files against continuously updated and correlated threat databases in the cloud, customers always have immediate access to the latest Trend Micro protection wherever they connect to the Internet.
Figure F.3: Moving content security into the cloud keeps up with the threat population.
By moving the largest portion of patterns or signatures into the cloud, it is possible to:
Significantly reduce endpoint memory consumption
Protect our customers in real time
Reduce the need for pattern updates to our customers
Reduce bandwidth consumption on corporate networks
Increase awareness of threats affecting our customers
Solve the pattern file download volume problem
The Trend Micro Smart Protection Network (SPN) is security made smarter for many reasons. Key characteristics of this innovative security solution model include:
New Threats, New Defense
Extensive cloud-based threat protection network, correlated processing, immediate and automatic protection
Light-weight clients communicate with the cloud-based threat protection network, reducing resource requirements on the endpoint
Communication with the cloud network upon each connection, always providing access to the latest protection, on network or off
Threat protection across Web, messaging and endpoints in on-site or hosted solutions
Protection against all types of threats: malicious files, spam, phishing, Web threats, DoS, Web vulnerabilities, data leakage
Neighborhood Watch approach to security
Multi-Layered Protection
Comprehensive Security
20 years of Internet content security leadership, 1,000 security experts worldwide, 24/7
The Trend Micro Smart Protection Network (SPN) incorporates a complete end-to-end security solution, based on the high level of threats and growing malware numbers, increased cyber crime, and expanding threat landscape. This model includes Protection, Enforcement, Review and Education, as shown in the figure below.
Figure F.4: Trend Micro Smart Protection Network with Complete End-to-end Security Solutions.
The Trend Micro Smart Protection Network (SPN) is composed of the following components:
Web reputation technology
Email reputation technology
File reputation technology
Correlation technology with behavior analysis
Feedback loops
Threat intelligence (threat collection, threat analysis)
Website age
Historical location changes
Other factors that might indicate suspicious behavior
The technology then advances this assessment through malware behavior analysis, monitoring network traffic to identify any malware activity originating from a domain. Trend Micro Web reputation technology also performs website content crawling and scanning to complement this analysis with a block list of known bad or infected sites. Access to malicious Web pages is then blocked based on domain reputation ratings. To reduce false positives and increase accuracy, Trend Micro's Web reputation technology assigns reputations to specific pages or links, rather than an entire site, as sometimes only portions of a legitimate site are hacked.
correlated to identify suspicious combinations of activities (e.g. an email with a URL link to several recipients and an HTTP executable file download from the linked Web page). Information learned in the behavior analysis function at the gateway is looped back to provide the Web reputation technology and database with site-threat correlation data and to update the email reputation database of known bad IPs and domains. Similarly, information acquired at the endpoint is looped back to the file scanning capability at the gateway, network servers, and the Web reputation capability in the cloud. Both feed-through and loop-back techniques are needed to ensure real-time, Web threat protection across the entire network. By correlating different threat components and continuously updating its threat databases, Trend Micro has the distinct advantage of responding in real time, providing immediate and automatic protection from email and Web threats.
Feedback Loops
Additionally, because Trend Micro solutions act as a single, cohesive security platform, built-in feedback loops provide continuous communication between Trend Micro products and Trend Micro's threat research centers and technologies in a two-way update stream to ensure rapid and optimal protection against the latest threats. Functioning like the "neighborhood watch" approach occurring in many communities, Trend Micro's extensive global feedback loop system contributes to a comprehensive, up-to-date threat index that enables real-time detection and immediate, smarter together protection. Each new threat identified via a single customer's routine reputation check, for example, automatically updates all Trend Micro's threat databases around the world, blocking any subsequent customer encounters of a given threat. Because the threat information gathered is based on the reputation of the communication source, not on the content of the specific communication, latency is not an issue, and the privacy of a customer's personal or business information is always protected.
Threat Intelligence
Trend Micro supplements user feedback and submissions with internal research culled from researchers in the United States, the Philippines, Japan, France, Germany, and China. Multilingual staff members at TrendLabs, Trend Micro's global network of research, service and support centers, respond in real time, providing 24/7 threat surveillance and attack prevention to detect, pre-empt, and eliminate attacks. Using a combination of technologies and data collection methods, including Honey Pots, Web crawlers, customer and partner submissions, feedback loops, and TrendLabs threat research, Trend Micro proactively gains intelligence about the latest threats. This threat data is analyzed and correlated in real time via queries of Trend Micro's malware knowledge databases in the Internet cloud and by TrendLabs research, service, and support centers.
F.2 > A Multilayered Framework for Enterprise-Wide Protection
Keeping IT resources, data, and users secure is a complex proposition in today's threat landscape, when an infection can quickly occur. While the antivirus vendor gets samples from sources, such as infected customers, HoneyPots, industry submissions, and crawling activities, it takes time to analyze the samples, add the samples to a master pattern database, and deploy the pattern in a batch update to the customer database. All this happens before your systems can be updated. That is why a multilayered framework with protection at many levels is important. Trend Micro uses a multilayered framework, such as that in the figure below. It contains solutions that span messaging, Web, endpoint, and network security.
Appendix G: Standalone Smart Scan Server Deployment & Management
Although the Smart Scan Server can be installed on your OfficeScan Server, you can also install standalone servers. Multiple installations are recommended for failover purposes. This appendix describes how to install and manage a standalone Smart Scan Server.
equivalent
512 MB of RAM
10 GB of available disk space
Monitor that supports 800 x 600 resolution with 256 colors or higher
NOTE Smart Scan Server automatically partitions the detected disk space as required.
Server 2.0
Red Hat Enterprise Linux 4 64-bit for VMware ESX 3.0
512 MB RAM
2.0 GHz processor
10 GB available disk space
1 network device
NOTE Install VMware Tools after successfully installing Smart Scan Server.
Browser Requirements
Microsoft Internet Explorer 6.0 or later (for access to the Web product console)
resources increases the number of simultaneous client connections handled. For standalone servers, the number of processors allocated to the virtual machine will affect the performance of the server.
Additional memory might be required if there is a large number of concurrent
computer, the computer's performance may reduce significantly during peak traffic for the two servers. Consider using standalone Smart Scan Servers as the primary Smart Scan source for clients and the integrated server as a backup server to reduce the traffic directed to the OfficeScan server computer.
If you install the integrated Smart Scan server, consider disabling the OfficeScan firewall.
The OfficeScan firewall is intended for client computer use and may affect performance when enabled on server computers. See the Administrator's Guide for information on disabling the OfficeScan firewall.
NOTE Consider the effects of disabling the firewall and ensure that it adheres to your security plans.
RUNNING THE INSTALLATION PROGRAM
After preparing the requirements for installation, run the installation program to begin installation.
TO INSTALL THE STANDALONE SERVER:
1. Create a virtual machine on your VMware ESX server and specify the virtual machine to boot from the Smart Scan Server ISO.
2. Power on the virtual machine. The Installation Menu displays with the following options:
Install Smart Scan Server: Select this option to install Smart Scan Server to the new virtual machine.
System Memory Test: Select this option to perform memory diagnostic tests to rule out any memory issues.
Exit Installation: Select this option to exit the installation process and to boot from other media.
3. Select Install Smart Scan Server. The license acceptance page appears.
NOTE From this screen on, you can access the readme from a button in the lower left hand corner of the installation screen.
4. Click Accept to continue. The Keyboard Selection page appears.
5. Select the keyboard language and click Next to continue. The Hardware Components Summary page appears. The installation program performs a scan to determine if the system specifications have been met and displays the results. If the hardware contains components that do not meet the system requirements, the installation program highlights those components and installation can proceed as long as there is a hard drive and network device. If there is no hard drive and no network device, installation cannot continue.
Figure G.3: Hardware Components Summary and Network Settings Configuration
6. Click Next to continue. The Network Settings page appears. If there are multiple network devices, configure settings for all devices. (Only one device can be active on boot.)
NOTE To change the active on boot device after installation, log on to the Command Line Interface (CLI).
the miscellaneous settings. If you specify the host name manually, the miscellaneous settings are also configurable.
Click Next to continue. The Time Zone page appears.
8. Specify the time zone and click Next to continue. The Authentication page appears.
9. Specify passwords for the "root" and "admin" accounts. Smart Scan Server uses two different levels of administrator types to secure the server.
Tip
For best security, create a highly unique password known only to you. Use both upper and lower case alpha characters, numerals, and special characters. The password must be a minimum of 6 characters and a maximum of 32 characters.
Root account: This account is used to gain access to the operating system shell and has all rights to the server. This account includes the most privileges.
Admin account: This account is the default account used to access the Smart Scan Server Web and CLI product consoles. This account includes all rights to the Smart Scan Server application, but does not include access rights to the operating system shell.
10. Confirm the summary information. Review the summary information on this page. If any of the information on this page requires a different configuration, click Back. Otherwise, click Next to continue and click Continue at the confirmation message. The Installation Progress page appears.
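As an added example (not from the course or the product), the check below tests a candidate root or admin password against the requirements stated in the Tip: 6 to 32 characters, with upper and lower case letters, numerals and special characters. The sample passwords in the test are constructed; "special character" is taken here to mean ASCII punctuation, which is an assumption.

```python
"""Added example: validate a Smart Scan Server root/admin password candidate
against the Tip's stated policy. Sample values are constructed."""
import string

MIN_LENGTH = 6
MAX_LENGTH = 32


def password_policy_violations(candidate: str) -> list[str]:
    """Return every requirement from the Tip that the candidate fails;
    an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeral")
    # Assumption: "special characters" means ASCII punctuation.
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    return problems


def password_ok(candidate: str) -> bool:
    """True when the candidate satisfies every requirement in the Tip."""
    return not password_policy_violations(candidate)


if __name__ == "__main__":
    # Constructed samples: one acceptable, one that fails several rules.
    for sample in ("Sc4n-Srv!", "root"):
        print(repr(sample), password_policy_violations(sample) or "ok")
```

Running the check during the build of both accounts, before the installer's Authentication page is filled in, keeps the root shell password from falling below the minimum the product enforces.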
NOTE Continuing with the installation formats and partitions the necessary disk space and installs the operating system and application. If there is any data on the hard disk that cannot be erased, cancel the installation and back up the information before proceeding.
11. A message appears when the installation is complete. The installation log is saved in the /root/install.log file for reference.
12. Click Reboot to restart the virtual machine. The initial Command Line Interface (CLI) logon page appears and displays the Smart Scan Server URL and the Web product console URL.
NOTE Trend Micro recommends disconnecting the CD ROM device from the virtual machine after Smart Scan Server is installed.
13. Use "admin" to log on to the CLI or the Web product console to manage Smart Scan Server. Log on to the Web product console to perform post installation tasks such as configuring proxy settings. Log on to the CLI shell if you need to perform additional configuration, troubleshooting, or housekeeping tasks.
POST-INSTALLATION
The following are recommended post-installation tasks:
After successfully installing Smart Scan Server, install VMware Tools.
Refer to Proxy Settings in G.2.2 Updating Components on page 451.
LOGGING ON TO THE STANDALONE SERVER
Once Smart Scan Server has restarted, log on using the CLI or Web product console.
To log on to the CLI console, type the administrator user name (admin) and password. Use "admin" to log on to the CLI shell if you need to perform additional configuration, troubleshooting, or housekeeping tasks.
To log on to the Web product console, open a Web browser and type the URL indicated on the initial CLI banner. Log on to the Web product console to perform post installation tasks such as configuring proxy settings.
NOTE The Smart Scan Server URL is used for configuring OfficeScan Server Smart Scan Source settings as a part of the Smart Scan Server solution.
View summary information, component status, configure settings, update components, or collect diagnostic information.
Provides the Smart Scan Server Health, URL, and component status.
Provides options for configuring scheduled updates, proxy server settings, and manual program updates.
Provides valuable information about logged activities.
Support: Provides an option to collect and download diagnostic information for troubleshooting.
The server address(es) in the Client Connection section lists URLs used for configuring the Smart Scan server list on the OfficeScan server management console. Clients use this list to determine the Smart Scan servers to connect and send scan queries to.
Smart Scan servers support HTTP and HTTPS protocols. HTTPS allows for a more secure connection, but it does use more CPU resources to establish each connection. The URLs for both protocols display on the Summary page.
To configure manual updates:
1. Click Updates > Pattern from the main menu.
2. The Component page appears.
3. Click Update Now.
To configure scheduled updates:
1. Click Update > Pattern. The Component page appears.
2. Select Enable scheduled updates.
3. Select either hourly or 15 minute updates.
4. Click Save.
To configure an update source:
1. Click Updates > Component. The Component page appears.
2. Select Trend Micro ActiveUpdate Server or select Other update source and type a URL.
3. Click Save.
To configure proxy settings:
1. Click Administration > Proxy Settings from the main menu. The Component page appears.
2. Select the Use a proxy server for updates checkbox.
2.1. Select HTTP or SOCKS4 for the Proxy protocol.
2.2. Type the Server name or IP address.
2.3. Type the Port number.
2.4. If your proxy server requires credentials, type the User ID and Password.
3. Click Save.
To update the program:
1. Click Update > Program from the main menu. The Program page appears.
2. Click Browse... to locate the program file.
3. Locate the file and click Open.
4. Click Update.
To download diagnostic information:
1. Log on to the Web product console.
2. Click Support from the main menu. The Support page appears.
3. Click Start. The download progress page appears.
4. Click Save when the prompt for the downloaded file appears. 5. Specify the location and file name. 6. Click Save.
To change the product console password using the CLI: 1. Log on to the CLI console with the admin account. 2. Type the following to enable administrative commands:
enable
COMMAND: configure date
SYNTAX: configure date <date> <time>
DESCRIPTION: Configure date and save to CMOS.
  date DATE_FIELD
  time TIME_FIELD

COMMAND: configure dns
SYNTAX: configure dns
DESCRIPTION: Configure DNS settings.
  dns1 IP_ADDR  Primary DNS server
  dns2 IP_ADDR  Secondary DNS server

COMMAND: configure hostname
SYNTAX: configure hostname <hostname>
DESCRIPTION: Configure the hostname.
  hostname HOSTNAME  Hostname or FQDN

COMMAND: configure ip dhcp
DESCRIPTION: Configure the default Ethernet interface to use DHCP.
  vlan VLAN_ID  VLan ID [1-4094], default none VLan: [0]

COMMAND: configure ip static
DESCRIPTION: Configure the default Ethernet interface to use the static IP configuration.

COMMAND: configure password
DESCRIPTION: Configure account password.
  user USER  The user name for which you want to change the password. The user could be admin, 'root', or any user in the Smart Scan Server's Administrator group.

COMMAND: configure service
SYNTAX: configure service interface <ifname>
DESCRIPTION: Configure the default server settings.

COMMAND: disable ssh
SYNTAX: disable ssh
DESCRIPTION: Disable the sshd daemon.

COMMAND: enable
SYNTAX: enable
DESCRIPTION: Enable administrative commands.

COMMAND: enable ssh
SYNTAX: enable ssh
DESCRIPTION: Enable the sshd daemon.

COMMAND: exit
SYNTAX: exit
DESCRIPTION: Exit the session.

COMMAND: help
SYNTAX: help
DESCRIPTION: Display an overview of the CLI syntax.

COMMAND: history
SYNTAX: history [limit]
DESCRIPTION: Display the current session's command line history.

COMMAND: reboot
SYNTAX: reboot [time]
DESCRIPTION: Reboot this machine after a specified delay or immediately.
  time UNIT  Time in minutes to reboot this machine [0]

COMMAND: show date
SYNTAX: show date
DESCRIPTION: Display current date/time.

COMMAND: show hostname
SYNTAX: show hostname
DESCRIPTION: Display network hostname.

COMMAND: show interfaces
SYNTAX: show interfaces
DESCRIPTION: Display network interface information.

COMMAND: show ip address
SYNTAX: show ip address
DESCRIPTION: Display network address.

COMMAND: show ip dns
SYNTAX: show ip dns
DESCRIPTION: Display network DNS servers.

COMMAND: show ip gateway
SYNTAX: show ip gateway
DESCRIPTION: Display network gateway.

COMMAND: show ip route
SYNTAX: show ip route
DESCRIPTION: Display network routing table.

COMMAND: show timezone
SYNTAX: show timezone
DESCRIPTION: Display network timezone.

COMMAND: show uptime
SYNTAX: show uptime
DESCRIPTION: Display current system uptime.

COMMAND: show url management
SYNTAX: show url management
DESCRIPTION: Display Web product console URL.

COMMAND: show url scanservice
SYNTAX: show url scanservice
DESCRIPTION: Display Smart Scan Server URL.

COMMAND: shutdown
SYNTAX: shutdown [time]
DESCRIPTION: Shut down this machine after a specified delay or immediately.
  time UNIT  Time in minutes to shutdown this machine [0]

COMMAND: configure timezone
SYNTAX: configure timezone <region> <zone>
DESCRIPTION: Configure timezone. Valid region + zones are:
  Africa: Cairo, Harare, Nairobi
  America: Anchorage, Bogota, Buenos_Aires, Caracas, Chicago, Chihuahua, Denver, Godthab, Lima, Los_Angeles, Mexico_City, New_York, Noronha, Phoenix, Santiago, St_Johns, Tegucigalpa
  Asia: Almaty, Baghdad, Baku, Bangkok, Calcutta, Colombo, Dhaka, Hong_Kong, Irkutsk, Jerusalem, Kabul, Karachi, Katmandu, Krasnoyarsk, Kuala_Lumpur, Kuwait, Magadan, Manila, Muscat, Rangoon, Seoul, Shanghai, Singapore, Taipei, Tehran, Tokyo, Yakutsk
  Atlantic: Azores
  Australia: Adelaide, Brisbane, Darwin, Hobart, Melbourne, Perth
  Europe: Amsterdam, Athens, Belgrade, Berlin, Brussels, Bucharest, Dublin, Moscow, Paris
  Pacific: Auckland, Fiji, Guam, Honolulu, Kwajalein, Midway
  US: Alaska, Arizona, Central, East-Indiana, Eastern, Hawaii, Mountain, Pacific

Table G.2: Command-Line Reference Table for Standalone Smart Scan Servers
Windows Server 2003, because this operating system only supports IPv6 addressing partially.
The server must use an IIS web server. Apache web server does not support IPv6 addressing.
If the server will manage IPv4 and IPv6 clients, it must have both IPv4 and IPv6 addresses and must be identified by its host name. If a server is identified by its IPv4 address, IPv6 clients cannot connect to the server. The same issue occurs if pure IPv4 clients connect to a server identified by its IPv6 address.
If the server will manage only IPv6 clients, the minimum requirement is an IPv6 address. The server can be identified by its host name or IPv6 address. When the server is identified by its host name, it is preferable to use its Fully Qualified Domain Name (FQDN). This is because in a pure IPv6 environment, a WINS server cannot translate a host name to its corresponding IPv6 address.
NOTE The FQDN can only be specified when performing a local installation of the server. It is not supported on remote installations.
It cannot be installed on Windows Server 2003 and Windows XP, because these operating systems only support IPv6 addressing partially. It is preferable for a client to have both IPv4 and IPv6 addresses, as some of the entities to which it connects only support IPv4 addressing.
2. A pure IPv6 server cannot update from pure IPv4 update sources, such as:
Trend Micro ActiveUpdate Server
Control Manager 5.5
Control Manager 5.0
Any pure IPv4 custom update source
NOTE IPv6 support for Control Manager starts in version 5.5 SP1.
3. A pure IPv6 server cannot connect to the Trend Micro Online Registration Server to register the product, obtain the license, and activate/renew the license.
4. A pure IPv6 server cannot connect through a pure IPv4 proxy server.
5. A pure IPv6 server will have Plug-in Manager, but will not be able to deploy any of the plug-in solutions to:
Pure IPv4 OfficeScan clients or pure IPv4 hosts (because of the absence of a direct connection)
Pure IPv6 OfficeScan clients or pure IPv6 hosts (because none of the plug-in solutions support IPv6)
Most of these limitations can be overcome by setting up a dual-stack proxy server that can convert between IPv4 and IPv6 addresses (such as DeleGate). Position the proxy server between the OfficeScan server and the entities to which it connects or the entities that it serves.
2. A pure IPv6 client cannot send queries to smart protection sources, such as:
Smart Protection Server 2.0 (integrated or standalone)
Trend Micro Smart Protection Network (also for SmartFeedback)
NOTE IPv6 support for Smart Protection Server starts in version 2.5.
3. Pure IPv6 clients cannot connect to the Trend Micro-hosted Certified Safe Software Service.
4. Pure IPv6 clients cannot install plug-in solutions, because none of the plug-in solutions support IPv6.
5. Pure IPv6 clients cannot install the following programs, because they do not support IPv6:
Cisco Trust Agent
Check Point SecureClient Support
6. A pure IPv6 client cannot connect through a pure IPv4 proxy server.
Most of these limitations can be overcome by setting up a dual-stack proxy server that can convert between IPv4 and IPv6 addresses (such as DeleGate). Position the proxy server between the OfficeScan clients and the entities to which they connect.
NOTE Exercise caution when specifying a link-local IPv6 address because, even though OfficeScan can accept the address, it might not work as expected under certain circumstances. For example, clients cannot update from an update source if the source is on another network segment and is identified by its link-local IPv6 address.
3. When the IPv6 address is part of a URL, enclose the address in parentheses. 4. For IPv6 address ranges, a prefix and prefix length are usually required. For configurations that require the server to query IP addresses, prefix length restrictions apply to prevent performance issues that may occur when the server queries a significant number of IP addresses. For example, for the Outside Server Management feature, the prefix length can only be between 112 (65,536 IP addresses) and 128 (2 IP addresses).
5. Some settings that involve IPv6 addresses or address ranges will be deployed to clients but clients will ignore them. For example, if you configured the smart protection source list and included a Smart Protection Server identified by its IPv6 address, pure IPv4 clients will ignore the server and connect to the other smart protection sources.
When you export client tree settings to a file, the IPv6 addresses also display in the exported file.
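The following added example (not part of the course or the product) applies the rules stated in this appendix: a client can only use a source identified by an address literal of a family it has, a host name works for either family, pure IPv4 clients silently skip IPv6-identified sources in the smart protection source list, and link-local IPv6 literals deserve review per the NOTE above. It also encodes which identifier an OfficeScan server should use so that all the clients it manages can reach it. The addresses (192.0.2.0/24 and 2001:db8::/32 documentation ranges) and the host name are constructed sample values.

```python
"""Added example: filter a smart protection source list the way a client's
IP stack would, following the IPv4/IPv6 rules in this appendix. Sample
identifiers are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientStack:
    has_ipv4: bool
    has_ipv6: bool


def identifier_kind(identifier: str) -> str:
    """Classify how a server is identified: 'ipv4', 'ipv6' or 'hostname'."""
    try:
        addr = ipaddress.ip_address(identifier)
    except ValueError:
        return "hostname"
    return "ipv4" if addr.version == 4 else "ipv6"


def client_can_use(client: ClientStack, identifier: str) -> bool:
    """An IPv4 literal is unusable for a pure IPv6 client and an IPv6 literal
    is unusable for a pure IPv4 client (which simply ignores it); a host name
    can resolve to whichever family the client has."""
    kind = identifier_kind(identifier)
    if kind == "ipv4":
        return client.has_ipv4
    if kind == "ipv6":
        return client.has_ipv6
    return client.has_ipv4 or client.has_ipv6


def usable_sources(client: ClientStack, sources: list[str]) -> list[str]:
    """Keep, in configured order, the sources this client would actually try."""
    return [s for s in sources if client_can_use(client, s)]


def link_local_sources(sources: list[str]) -> list[str]:
    """Flag IPv6 link-local literals (fe80::/10): the NOTE warns they may not
    work as expected, e.g. for a source on another network segment."""
    return [s for s in sources
            if identifier_kind(s) == "ipv6"
            and ipaddress.ip_address(s).is_link_local]


def allowed_server_identifiers(serves_ipv4: bool, serves_ipv6: bool) -> set[str]:
    """Identifier kinds under which an OfficeScan server can be registered so
    every client it manages can reach it: only a host name when both families
    are served; otherwise a host name or a literal of the served family."""
    if serves_ipv4 and serves_ipv6:
        return {"hostname"}
    return {"hostname", "ipv6" if serves_ipv6 else "ipv4"}


# Constructed sample source list: one IPv4 literal, one global IPv6 literal,
# one link-local IPv6 literal and one placeholder host name.
SAMPLE_SOURCES = ["192.0.2.10", "2001:db8::10", "fe80::1", "sps01.example.invalid"]

if __name__ == "__main__":
    for stack in (ClientStack(True, False), ClientStack(False, True), ClientStack(True, True)):
        print(stack, "->", usable_sources(stack, SAMPLE_SOURCES))
    print("link-local:", link_local_sources(SAMPLE_SOURCES))
```

Run against a real exported source list, the filter shows a pure IPv4 population which entries they will never reach; if the only remaining entry is the integrated server, the standalone servers were added by IPv6 literal and should be re-added by host name.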
[Table residue: IP version support summary. Recoverable entries: Control Manager 5.5: IPv4; Control Manager 5.0: IPv4; remaining rows list IPv4, IPv6, or Not supported; Dual-stack client: The IP address used when the client registered to the OfficeScan server.]
Chapter 3
1. What is one of the main functions of the server component of OfficeScan?
   a) Protect the network from malware
   b) Protect the server from malware
   c) Download updates and distribute them to clients
   d) Scan for malware
2. What is one of the major reasons for increased performance in OfficeScan, since version 7.0?
   a) Simultaneous processing of CGI requests
   b) The storing of client information in a database
   c) OfficeScan now supports SQL
   d) The OfficeScan Master Service processes CGIs faster
3. What does the High Security setting for clients do?
   a) Enables the OfficeScan firewall
   b) Locks the .exe and .dll files in the OfficeScan client directory
   c) Increases the number of files that the client scans for malware
   d) Changes the rights to the directories and registries on the client
Chapter 4
1. Which of the following areas is not scanned during the pre-scan?
   a) The boot area and boot directory
   b) The Windows folder
   c) The program files folder
   d) Memory
2. Which of the following does the server pre-scan not scan for?
   a) Boot viruses
   b) Adware
   c) Worms
   d) Trojan horses
3. Which of the following components cannot be installed using the setup wizard?
   a) Trend Micro Policy Server for Cisco NAC
   b) Outlook mail scanning
   c) OfficeScan client software
   d) The CTA
4. How does the setup wizard assign the port that will be used for OfficeScan client-server communication?
   a) It scans ports and selects one that is not being used.
   b) It does not assign one; you must input one manually.
   c) It reads the port assignment from Control Manager configurations.
   d) It randomly assigns a high-numbered port.
Chapter 5
1. In which of the following ways can Manual Outbreak Prevention protect your network?
   a) It can block access to shared folders.
   b) It can block ports from being used.
   c) It can deny all access to files and folders.
   d) All of the above
2. What is IntelliScan?
   a) A method of identifying files to scan by looking at their headers
   b) A method of identifying files to scan based on the file content
   c) A method of scanning files based on their extensions
   d) All of the above
3. What is ActiveAction?
   a) A specialized cleaning action
   b) An action that protects the desktop in the most efficient way
   c) A set of preconfigured scan actions for viruses and other types of malware
   d) None of the above
4. Which tab can you not prevent from appearing in the client console?
   a) Firewall tab
   b) Toolbox tab
   c) Mail Scan tab
   d) Scan tab
Chapter 6
1. Which deployment method allows you to install the Mail Scan and Check Point SecureClient Support with the client software?
   a) Notify install option
   b) Vulnerability Scanner tool
   c) Login script setup utility
   d) Client Packager tool
2. Which deployment method requires using third-party tools?
   a) Image setup utility
   b) Remote install option
   c) Login script setup utility
   d) Vulnerability Scanner tool
3. Which two deployment methods are accessible from the OfficeScan management console?
   a) Image setup utility and notify install option
   b) Notify install option and remote install option
   c) Vulnerability Scanner tool and Client Packager tool
   d) Login script setup utility and image setup utility
4. Which deployment methods enforce automatic installation of client software?
   a) Login script setup utility and Vulnerability Scanner tool
   b) Client Packager tool and login script setup utility
   c) Remote install option and image setup utility
   d) Notify install option and Client Packager tool
Chapter 7
1. For which of the following was the update architecture designed?
   a) To maximize throughput
   b) To optimize use of bandwidth
   c) To use minimum mass storage
   d) To put ease of installation before throughput considerations
466
Administrator Track
2. In which of the following ways can you create an update agent?
   a) Edit the server's ofcscan.ini file
   b) Use the OfficeScan management console to designate an update agent
   c) Use the setup wizard to install an update agent
   d) Configure an update agent on the client machine

3. When can the server be configured to automatically deploy updates to clients?
   a) After a scan
   b) After a cleanup
   c) When Manual Outbreak Prevention is stopped
   d) When it downloads a new component
Chapter 8
1. What does the client mail scan utility scan?
   a) Netscape Messenger folders
   b) Eudora Pro folders
   c) Outlook Express folders
   d) Email in real-time

2. If you run a DCS cleanup, which of the following does it not clean?
   a) Unwanted registry entries created by worms or Trojans
   b) Memory-resident worms or Trojans
   c) Garbage and viral file drops by worms or Trojans
   d) Viruses discovered in the Program Files directory
Chapter 9
1. Which two modules combine to create the OfficeScan firewall?
   a) Policy and procedure modules
   b) Personal firewall and common firewall modules
   c) Security and exception modules
   d) Incoming and outgoing traffic modules

2. Which of the following cannot be configured?
   a) Alert message
   b) Firewall policies
   c) Network virus scan
   d) Firewall profiles
3. Which of the following correctly associates the data flow type with its correct sequence of checks?
   a) Incoming: firewall policies, IDS, Network Virus Scanning
   b) Incoming: IDS, firewall policies, Network Virus Scanning
   c) Outgoing: firewall policies, IDS, Network Virus Scanning
   d) Outgoing: Network Virus Scanning, IDS, firewall policies

4. On which of the following is a profile not based?
   a) Security level
   b) IP address
   c) Platform
   d) User ID

5. Which of the following is not a way to configure changes in the OfficeScan firewall?
   a) From the OfficeScan Management Console
   b) From the Outbreak Prevention Policy module in TMCM
   c) From the Client Console
   d) From the Rule Set Generator

6. Which of the following security levels is correctly associated with incoming and outgoing traffic?
   a) Low security: incoming blocked; outgoing blocked
   b) Medium security: incoming allowed; outgoing blocked
   c) Medium security: incoming blocked; outgoing allowed
   d) High security: incoming allowed; outgoing allowed
Chapter 10
1. Which of the following can the Vulnerability Scanner do?
   a) Determine if an antivirus solution is installed on a computer
   b) Determine whether Windows service packs are up-to-date
   c) Determine whether users are browsing high-risk Internet sites
   d) Determine whether spyware is on your network

2. What does Trend Micro recommend doing before using the Restore Encrypted Virus tool?
   a) Isolating the computer where the infected file resides
   b) Unplugging the computer from the network
   c) Backing up important files on the computer where the infected file resides
   d) All of the above
3. Which of the following does the ServerProtect Normal Server Migration Tool do?
   a) Uninstall ServerProtect Information Server and install the OfficeScan client software
   b) Migrate ServerProtect Normal Server settings to OfficeScan client settings
   c) Uninstall ServerProtect Normal Server and install the OfficeScan client software
   d) Uninstall the Control Manager agent for ServerProtect
Chapter 11
1. What is the maximum number of virus logs the server can store?
   a) 1,000
   b) 5,000
   c) 10,000
   d) 50,000

2. What is the default number of logs held in the memory queue if you enable the consolidation of redundant virus logs under Virus Bandwidth Settings?
   a) 5
   b) 10
   c) 15
   d) 2