Copyright 2015 Trend Micro Incorporated. All rights reserved.
Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.

No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.

Released: September 2015
There are four major OSCE environment components that should be identified when designing the deployment. Each component is described below.

OfficeScan Server: A server that provides the OSCE management console and stores information in a local CodeBase database, or in a local or remote SQL database. It uses standard HTTP or HTTPS protocols for communication and for managed agent updates. The three basic functions of an OfficeScan server are:
- Agent configuration (Privileges and Policy settings)
- Program, scan engine, and virus pattern file update provider
- Centralized logs, report, and quarantine functionality

OfficeScan Agent: A host reporting to a particular OSCE server. It can be configured to get update information from an OfficeScan server, an update agent, or directly from the internet via the Trend Micro ActiveUpdate server. The OfficeScan agent also protects the system on which it is installed. It can be configured to use a standalone or Integrated Smart Protection Server for Smart Scan instead of conventional scan. Through cloud technology, this method minimizes the total amount of pattern download.

Update Agent: A regular OfficeScan agent that is designated to copy update information from an OfficeScan server and distribute this information to other OfficeScan agents. Any OfficeScan agent can be configured as an update agent using the OfficeScan server management console. OfficeScan agent IP address ranges are then assigned to get update information from specific update agents. Update agents can push component updates, setting updates, and program/hotfix updates to agents. Older agent versions can receive program upgrades from OSCE 11.0 update agents as long as they report to the OSCE 11.0 update agents.

Smart Protection Server (SPS): The Smart Protection Server provides file reputation and web reputation through a local cloud service. When users opt to employ Smart Scan technology, agents send queries to SPS when scanning files. When they use web reputation protection, agents send URLs to SPS. Thus, SPS works both as a local file reputation server and as a local web rating server. There are two types of Smart Protection Server:
- Integrated Smart Protection Server: Installed as part of the OfficeScan server, the Integrated Smart Protection Server is managed through the OfficeScan management console.
- Standalone Smart Protection Server: This server is installed on a VMware or Hyper-V host.
The following sections show the recommended software and hardware specifications for an OfficeScan environment. For the full list of minimum system requirements, refer to the Installation and Deployment Guide or the OfficeScan Readme. For the recommended setup based on the number of agents, check the sizing section in Chapter 3.

The OfficeScan agent with the best available resources at a particular site should be designated as an update agent. Since this agent will serve updates to the other agents in the remote office, it must be reliable. This can be a domain controller on the site, a file server, a print server, or any type of server that is always online. To serve its function, this agent should have an additional 700 MB of free disk space for engine and pattern storage, an additional 160 MB for program/hotfix updates, and an additional 20 KB for every domain setting update. Minimum requirements for update agents should follow the minimum hardware requirements of OfficeScan agents.
The minimum hardware specifications for this server are the same as the recommended requirements for the OfficeScan server.

The minimum hardware specifications for the standalone Smart Protection Server:
- Dual 2.0 GHz Intel Core 2 Duo 64-bit processor supporting Intel Virtualization Technology, or equivalent
- 2 GB of RAM
- 30 GB for virtualization requirements (35 GB recommended)
- Microsoft Windows Server 2003 (Standard, Enterprise, and Datacenter Editions) with Service Pack 2 or later, 32-bit and 64-bit versions
- Microsoft Windows Server 2003 R2 (Standard, Enterprise, and Datacenter Editions) with Service Pack 2 or later, 32-bit and 64-bit versions
- Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise, and Workgroup Editions) with Service Pack 2, 32-bit and 64-bit versions
- Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise and Workgroup Editions) with Service Pack 2, 32-bit and 64-bit versions
- Microsoft Windows Compute Cluster Server 2003
- Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, and Web Editions) with Service Pack 1 or 2, 32-bit and 64-bit versions
- Windows Server 2008 R2 (Standard, Enterprise, Datacenter, and Web Editions), 64-bit version
- Windows Storage Server 2008 (Basic, Standard and Enterprise Edition), 32-bit version
- Windows Storage Server 2008 (Basic, Standard, Enterprise and Workgroup Edition), 64-bit version
- Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup Editions), 64-bit version
- Microsoft Windows HPC Server 2008, 32-bit and 64-bit versions
- Microsoft Windows HPC Server 2008 R2, 64-bit version
- Windows MultiPoint Server 2010, 64-bit version
- Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit version
- Windows Server 2012 (Standard and Datacenter Editions), 64-bit version
- Windows Server 2012 R2 (Standard and Datacenter Editions), 64-bit version
- Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit version
- Windows Storage Server 2012 (Standard and Workgroup Editions), 64-bit version
OfficeScan supports server installation on guest operating systems hosted on the following virtualization applications:
- ESX/ESXi Server (Server Edition) 3.5, 4.0, 4.1, 5.0, 5.15.x Server (Server Edition) 1.0.3, 2
- Workstation and Workstation ACE Edition 7.0, 7.1, 8.0, 9.0
- vCenter 4, 4.1, 5.0, 5.1, 5.5
- View 4.5, 5.0, 5.1
- XenDesktop 5.0, 5.5, 5.6, 7.0
- XenServer 5.5, 5.6, 6.0, 6.1, 6.2
- XenApp 4.5, 5.0, 6.0, 6.5
- XenClient 2.1
- VDI-in-a-Box 5.1
- Windows Server bit Hyper-V
- Windows Server 2008 R2 64-bit Hyper-V
- Hyper-V Server bit
- Hyper-V Server 2008 R2 64-bit
- Windows 8 Pro/Enterprise 64-bit Hyper-V
- Windows 8.1 Pro/Enterprise 64-bit Hyper-V
- Windows Server bit Hyper-V
- Windows Server 2012 R2 64-bit Hyper-V
- Microsoft Windows XP (Home, Professional, Professional for Embedded Systems Editions, and Tablet PC) with Service Pack 3, 32-bit version
- Microsoft Windows XP Professional with Service Pack 2, 64-bit version
- Microsoft Windows Vista (Business, Enterprise, Ultimate, Home Premium, Home Basic, Business for Embedded Systems, and Ultimate for Embedded Systems) with Service Pack 1 or Service Pack 2, 32-bit and 64-bit versions
- Microsoft Windows 7 (Home Basic, Home Premium, Ultimate, Professional, Enterprise, Professional for Embedded Systems, and Ultimate for Embedded Systems) with or without Service Pack 1, 32-bit and 64-bit versions
- Microsoft Windows Embedded POSReady 2009, 32-bit version
- Microsoft Windows Embedded POSReady 7, 32-bit and 64-bit versions
- Microsoft Windows 8 (Standard, Pro, and Enterprise Editions), 32-bit and 64-bit versions
- Microsoft Windows 8.1 (Standard, Pro, and Enterprise Editions), 32-bit and 64-bit versions
- Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter, and Web Editions) with Service Pack 2, 32-bit and 64-bit versions
- Microsoft Windows Server 2003 R2 (Standard, Enterprise, and Datacenter) with Service Pack 2, 32-bit and 64-bit versions
- Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise, and Workgroup) with Service Pack 2, 32-bit and 64-bit versions
- Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise, and Workgroup) with Service Pack 2, 32-bit and 64-bit versions
- Microsoft Windows Compute Cluster Server 2003 (Active/Passive), 32-bit and 64-bit versions
- Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, Web Editions, and Server Core) with Service Pack 1 or Service Pack 2, 32-bit and 64-bit versions
- Microsoft Windows Storage Server 2008 (Basic Edition), 32-bit and 64-bit versions
- Microsoft Windows Storage Server 2008 (Standard, Enterprise, and Workgroup Editions) with or without Service Pack 1, 64-bit version
- Microsoft Windows Server 2008 R2 (Standard, Enterprise, Datacenter, Web Editions, and Server Core), 64-bit version
- Microsoft Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup Editions), 64-bit version
- Microsoft Windows HPC Server 2008, 32-bit and 64-bit versions
- Microsoft Windows HPC Server 2008 R2, 64-bit version
- Microsoft Windows Server 2008 Failover Clusters (Active/Passive), 32-bit and 64-bit versions
- Microsoft Windows Server 2008 R2 Failover Clusters (Active/Passive), 64-bit version
- Microsoft Windows MultiPoint Server 2010, 64-bit version
- Microsoft Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit version
- Microsoft Windows Server 2012 (Standard, Datacenter, and Server Core Editions), 64-bit version
- Microsoft Windows Storage Server 2012 (Workgroup and Standard Editions), 64-bit version
- Microsoft Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit version
- Microsoft Windows Server 2012 Failover Clusters, 64-bit version
- Microsoft Windows Server 2012 R2 (Standard, Datacenter, and Server Core Editions), 64-bit version

The administrator will not be able to remotely install the OfficeScan agent on Windows 7 x86 platforms without enabling the default administrator account. Follow the steps below to resolve this issue:
1. Enable the Remote Registry service on the Windows 7 machine. By default, Windows 7 machines disable this feature.
2. Use the domain administrator account to remotely install OfficeScan 10.6 Service Pack 1 agents on Windows 7 computers. As another option, use the default administrator account:
   a. Type the command net user administrator /active:yes on the command console to enable the default administrator account.
   b. Use the default administrator account to remotely install the OfficeScan agent on the Windows 7 machine.

Smart Protection Server has the following virtualization platform requirements:
- VMware ESX 4.1 Update 1
- VMware ESX 4.0 Update 3
- VMware ESX 3.5 Update 4
- VMware ESXi 5.5
- VMware ESXi 5.1 Update 1
- VMware ESXi 5.0 Update 3
- VMware ESXi 4.1 Update 1
- VMware ESXi 4.0 Update 3
- Microsoft Windows Server 2008 R2 with Hyper-V
- Microsoft Windows Server 2012 with Hyper-V
- Citrix XenServer 6.2, 6.0, 5.6

The following requirements are recommended for Trend Micro Smart Protection Server as a virtual machine:
- If you are using VMware, use CentOS 5 64-bit (Guest Operating System). If you are using a VMware version, such as 3.5 and 4.0, that does not support CentOS, use Red Hat Enterprise Linux 5 64-bit.
- If you are using Citrix XenServer, create a new virtual machine using the Other install media template.
- If you are using Hyper-V, create a new virtual machine and add a Legacy Network Adapter.
- Allocate at least 2 GB RAM and two (2) virtual processors for the virtual machine.
- Create a new virtual disk image that will be sufficient for the logging requirements (specify at least 30 GB of disk space).
- Allocate one (1) physical network card for the virtual switch where Trend Micro Smart Protection Server is connected.
Account: Administrator or domain admin account to log in to target hosts for installation

Ports:
- NetBIOS (445, 137, 138, 139) for NT Remote Install
- OfficeScan agent port, which is defined during OfficeScan server installation and is saved under the Client_LocalServer_Port parameter in Ofcscan.ini
- OfficeScan virtual directory port as defined in Apache or IIS. This value needs to be consistent with what is defined in the OfficeScan management console under Administration > Settings > Agent Connection Settings > Port

Bandwidth: Approximately 50 MB, which may vary depending on current virus pattern file size

Others:
- Remote Registry service is enabled on the target host
- System partition of the target host is administratively shared (C$)

Windows XP Simple File Sharing (SFS) must be disabled on the agent machines. SFS is a Microsoft feature that forces all network connections to log in as guest even if alternative credentials are provided. When SFS is enabled, OSCE cannot log in to the machine using the credentials specified, so the installation fails. SFS can be disabled via GPO or a registry hack. It can be individually disabled on the target machines under My Computer > Tools > Folder Options > View > Use Simple File Sharing (Recommended) option.

The OfficeScan server may receive and establish multiple HTTP sessions to communicate with its agents. The TCP properties of Windows can be modified to prevent delays and slowdowns caused by TCP time-wait accumulation and port exhaustion. Add or modify the following registry keys to improve TCP performance:

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
Data type: REG_DWORD
Default value: 5000
Range: 5,000-65,534 (port number)
Purpose: Determines the highest port number TCP can assign when an application requests an available user port from the system
Trend Recommendation: 65,534

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
Data type: REG_DWORD
Default value: 0xF0 (240 seconds = 4 minutes)
Range: 0x1E-0x12C (30-300 seconds)
Purpose: Determines the time that must elapse before TCP can release a closed connection and reuse its resources
Trend Recommendation: 30

The OfficeScan server uses either Apache or Windows IIS to communicate with its agents. The application's CGI timeout can be increased to allow more time for server and agent communication. The Remote Install deployment method depends on this timeout as well: copying the installation files over a slow link may cause installation failures.

To modify IIS CGI settings, download and install MetaEdit or Metabase Explorer depending on the version of IIS in use.

For Microsoft IIS 6
1. Download the Metabase Explorer from ade629c89499&displaylang=en.
2. Install MetaEdit or Metabase Explorer.
3. For MetaEdit, navigate to Start > All Programs > Administrative Tools > MetaEdit. For Metabase Explorer, go to Start > All Programs > IIS Resources > Metabase Explorer.
4. In the MetaEdit or Metabase Explorer console, locate the key [LM W3SVC 6033]. This corresponds to the CGITimeout key.
5. Double-click the 6033 key to edit its properties.
6. Set the data parameter to
7. Click OK to save changes.
8. Restart the World Wide Web Publishing Service.
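The two TCP registry values recommended earlier in this section (MaxUserPort and TcpTimedWaitDelay) can be audited, and optionally set, with a short script. This PowerShell is an added example and is not part of the original guide; the function names Get-OsceTcpTuning and Set-OsceTcpTuning are hypothetical.

```powershell
# Added example: audit the two TCP parameters named in this guide against
# the recommended values. Function names are hypothetical.
$TcpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended values as stated in the guide (decimal).
$Recommended = [ordered]@{
    MaxUserPort       = 65534
    TcpTimedWaitDelay = 30
}

function Get-OsceTcpTuning {
    # Read-only: reports the current value, the recommended value and whether they match.
    param([string]$Path = $TcpParams)
    foreach ($name in $Recommended.Keys) {
        # A missing value means the system default is in effect; report it as $null.
        $item    = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$name } else { $null }
        [pscustomobject]@{
            Name        = $name
            Current     = $current
            Recommended = $Recommended[$name]
            Compliant   = ($current -eq $Recommended[$name])
        }
    }
}

function Set-OsceTcpTuning {
    # Writes only the values that differ. Requires an elevated session.
    # Supports -WhatIf and -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $TcpParams)
    $pending = Get-OsceTcpTuning -Path $Path | Where-Object { -not $_.Compliant }
    foreach ($row in $pending) {
        $target = "$Path\$($row.Name)"
        if ($PSCmdlet.ShouldProcess($target, "Set REG_DWORD to $($row.Recommended)")) {
            New-ItemProperty -Path $Path -Name $row.Name -PropertyType DWord `
                -Value $row.Recommended -Force | Out-Null
        }
    }
}

# Report the current state of the OfficeScan server.
Get-OsceTcpTuning | Format-Table -AutoSize

# Preview the changes without writing anything:
# Set-OsceTcpTuning -WhatIf
```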
For Microsoft IIS 7 on Windows
1. Download and install the Microsoft Administration Pack for IIS 7.0 using this link: As an option, use the default IIS Manager that comes with IIS
2. Open the IIS Manager.
3. In Connections view, select the server and select the OfficeScan site.
4. In Features view, double-click CGI.
5. Type the appropriate time-out value in the Timeout (hh:mm:ss) text box, 01:00:00, press ENTER, and click Apply.

For Microsoft IIS 7.5, 8.0,
1. Open the IIS Manager.
2. In the Connections view, select the server and select the OfficeScan site.
3. In Features view, double-click CGI.
4. Type the appropriate time-out value in the Timeout (hh:mm:ss) text box, 01:00:00, press ENTER, and click Apply.

Apache
Follow the procedure below to modify Apache's CGI timeout:
1. Open the <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\apache2\conf\httpd.conf configuration file.
2. Set Timeout 300 to Timeout
3. Restart the Apache service.
The following are the recommended permission settings for the OfficeScan folders and files. These are already set as default during installation:

There are times when the permissions might have been changed accidentally. To reset the permissions back to default:
1. Open the command prompt.
2. Browse to the OfficeScan server's PCCSRV folder (i.e. drive:\Program Files\Trend Micro\OfficeScan\PCCSRV).
3. Run the following command: SVRSVCSETUP.EXE -setprivilege
OfficeScan 11.0 enhances server-agent communications by authenticating the notifications and data sent, in order to protect against man-in-the-middle attacks. Authentication is implemented using a public-key infrastructure (PKI) in which the agent only accepts commands from a trusted server. To perform authentication, the OfficeScan server signs its data using a private key while the OfficeScan agent decrypts this data using a public key. These keys are uniquely generated during the installation or upgrade of any OfficeScan server.

If, for some reason, the OfficeScan server and agents have mismatched keys, agents will reject the notifications from this server. This may happen if the OfficeScan server had an irrecoverable crash and needs to be replaced.

To simplify the management of keys for OfficeScan encrypted communication:
- When managing multiple OfficeScan servers, it is recommended to use one key for all of them to reduce management complexity.
- On the original OfficeScan server, keep a secure copy of the key (C:\Program Files\Trend Micro\OfficeScan\AuthCertBackup\OfficeScanAuth.dat).
- Whenever you upgrade or install an OfficeScan 11.0 server, import the same file.

For more details on generating and restoring certificates, refer to OfficeScan 11.0 Admin Guide:
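The key-mismatch failure described above, and why restoring the backed-up key fixes it, can be reproduced with ordinary RSA signatures. The PowerShell below is an added illustration, not OfficeScan code: it assumes RSA signatures with SHA-256, and the keys, the message strings and the function names (New-ServerKey, Get-AgentTrustAnchor, New-SignedNotification, Test-Notification) are constructed for the example.

```powershell
# Added illustration with constructed keys and messages.
# This is not OfficeScan's wire format or its key file format.
$Sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function New-ServerKey {
    # A fresh key pair, standing in for the one generated at server install or upgrade.
    [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
}

function Get-AgentTrustAnchor {
    # The agent holds only the public half of the server key.
    param([System.Security.Cryptography.RSA]$ServerKey)
    $pub = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $pub.ImportParameters($ServerKey.ExportParameters($false))
    $pub
}

function New-SignedNotification {
    # Server side: sign the notification text with the private key.
    param([System.Security.Cryptography.RSA]$ServerKey, [string]$Command)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Command)
    [pscustomobject]@{
        Command   = $Command
        Signature = $ServerKey.SignData($bytes, $Sha256, $Pkcs1)
    }
}

function Test-Notification {
    # Agent side: accept the notification only if the signature verifies
    # against the public key the agent already trusts.
    param([System.Security.Cryptography.RSA]$TrustedPublicKey, $Notification)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Notification.Command)
    $TrustedPublicKey.VerifyData($bytes, $Notification.Signature, $Sha256, $Pkcs1)
}

# Original server A is installed; the agent trusts A's public key.
$serverA = New-ServerKey
$agent   = Get-AgentTrustAnchor $serverA
$genuine = New-SignedNotification $serverA 'update-now'

# The same signature attached to different content (altered in transit).
$altered = [pscustomobject]@{ Command = 'change-settings'; Signature = $genuine.Signature }

# Server A is lost and rebuilt from scratch: a new, unrelated key is generated.
$rebuilt     = New-ServerKey
$fromRebuilt = New-SignedNotification $rebuilt 'update-now'

# Rebuilt server after importing the key material kept from server A
# (stands in for restoring the backed-up key file).
$restored = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
$restored.ImportParameters($serverA.ExportParameters($true))
$fromRestored = New-SignedNotification $restored 'update-now'

# Show which notifications the agent accepts.
@(
    [pscustomobject]@{ Case = 'Original server';              Accepted = Test-Notification $agent $genuine }
    [pscustomobject]@{ Case = 'Content altered in transit';   Accepted = Test-Notification $agent $altered }
    [pscustomobject]@{ Case = 'Rebuilt server, new key';      Accepted = Test-Notification $agent $fromRebuilt }
    [pscustomobject]@{ Case = 'Rebuilt server, restored key'; Accepted = Test-Notification $agent $fromRestored }
) | Format-Table -AutoSize
```

Only the first and last cases verify, which is why a secure copy of the original key is needed before a server is replaced.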
OfficeScan 11.0 has new features that assist the user in migration or upgrade.

Hot Fix Detection: When upgrading from a previous OfficeScan server version, the installation process checks for hot fixes that are currently installed but are not merged to OfficeScan, and prompts you about them. If you see the pop-up message above, review the hotfix list under ...\pccsrv\temp\rollbackhotfix.txt. If you have important hotfixes in the list, consider delaying the upgrade, or requesting OfficeScan 11.0 equivalent hot fix(es) before proceeding.

Patch Availability Notifications: OfficeScan 11.0 will notify you of new updates that are available. It is advisable to update to the latest patch or service pack once it is available on the management console.
The recommendations below can be used as a guideline to determine the location and number of OfficeScan servers needed to effectively manage the LAN or WAN.

A single OfficeScan server can manage up to 30,000 agents depending on the machine specifications. Below is a quick summary.

Recommended setups (agents supported per server specification):
- All-in-one server (OSCE + iSPS + CodeBase): 10,000 with CPU 4 cores and RAM 8 GB; 15,000 with CPU 8 cores and RAM 16 GB; 15,000 with CPU 12 cores* and RAM 32 GB
- 2 servers (OSCE with iSPS + standalone SQL): 15,000 with CPU 4 cores and RAM 8 GB; 20,000 with CPU 8 cores and RAM 16 GB; 20,000 with CPU 12 cores* and RAM 32 GB
- 3 servers (OSCE + TMSPS + standalone SQL): 15,000 with CPU 4 cores and RAM 8 GB; 20,000 with CPU 8 cores and RAM 16 GB; 30,000 with CPU 12 cores* and RAM 32 GB
Another point for consideration is the database size. Depending on the number of logs generated, disk space usage increases as well. Here is a quick reference for SQL database size given a certain number of logs and agent counts:

The table above helps to determine the initial database size of OfficeScan. These estimates are based on the following assumptions:
- Default log maintenance is applied, with logs older than 7 days deleted on a weekly basis.
- Behavior Monitoring and DLP features are enabled.

The above log types are generally the major contributors in terms of log count and data size.

OfficeScan servers that manage agents across the WAN should be installed on sites with the healthiest bandwidth, which are typically datacenters or head offices. Consider installing a local OfficeScan server for sites with approximately 500 or more agents. This is highly recommended if the WAN bandwidth is limited for a particular site.
An update agent is a regular OfficeScan agent that is designated to replicate update information from an OfficeScan server for the purpose of distributing the update information to other OfficeScan agents. Here is a reference on the number of agents that an update agent can handle:
This table can be used as a template to scope the different sites and generate an architecture proposal:
Smart Protection Servers are placed in the local network, making them available to users who have access to their local corporate network. These servers are designed to localize operations within the corporate network to optimize efficiency. This network-based solution hosts the majority of the malware pattern definitions and web reputation scores. The Smart Protection Server makes these definitions available to other endpoints on the network for verifying potential threats. Queries are only sent to Smart Protection Servers if the risk of the file or URL cannot be determined at the endpoint.

Endpoints leverage file reputation and web reputation technology to query the Smart Protection Servers and Trend Micro Smart Protection Network as part of their regular system protection activities. In this solution, agents only send identification details determined by Trend Micro technology to Smart Protection Servers. Agents never send the entire file when using file reputation technology. Risk is determined using the file identification details only.

The integrated Smart Protection Server can be pre-installed on the OfficeScan server if the user included it during the OfficeScan server installation. These are the main reasons to install a Standalone Smart Protection Server:
- If the number of smart agents is more than 20,000
- If they don't want to use Integrated Smart Protection Server

Load can be distributed by adding more Standalone Smart Protection Servers. Check the load balancing section below for more details:
If the latency between the branch office and the main office is high, it is recommended to install a Standalone Smart Protection Server in the branch office. If the Standalone Smart Protection Server cannot be installed, or there is no available hardware, it is best to switch the agents to conventional scan.

Below are the hardware specifications used to install virtualization platforms and the guest virtual machine resource allocation for the Standalone Smart Protection Server:
The following table and graph show the number of agents handled by an individual Standalone Smart Protection Server meeting these performance criteria:
- Average latency time is less than 100 ms (0.1 second)
- Total HTTP request failed rate is under 0.05%
- Total mean value of CPU usage is under 80%

The number of endpoints shown is the maximum supported iCRC v2.0 agents for one (1) TMSPS, taking into consideration that there are two (2) other TMSPS with the same load running within the same virtualized host. The transaction rate is the sum of the FRS transaction rate and the WRS transaction rate per second.
The performance of TMSPS 3.0 has improved dramatically compared to the previous version. TMSPS 3.0 has increased scalability by reducing the traffic between agents and TMSPS. Under the same test scenario, with three (3) TMSPS running on the same host, it could support more than twice the number of agents compared to the previous release, TMSPS 2.5.

For organizations that want the maximum transaction rate from FRS and WRS and can accept 100% CPU usage, the CPU capability becomes the bottleneck.

Disk I/O speed is another important factor. Currently, pattern updates cause a lot of disk I/O operations. Therefore, if the customer's environment uses external storage and shares the disk I/O bandwidth with many other VMs (or the disk I/O bandwidth is poor), the overall performance may suffer. The disk can be monitored using the performance counters provided by the virtualization platform. The ESXi Server provides the following disk-related performance counters:
- Kernel Latency: 0-1 ms is ideal. If > 4 ms, check the CPU usage and queue latency
- Device Latency: If > 15 ms, check for a storage array problem
- Queue Latency: 0 ms is ideal. If > 0 ms, check the storage array
If the TMSPS virtual machine shares resources with many other VMs on the same VM host, then TMSPS must compete with the other VMs for disk I/O, network traffic, CPU, and memory. TMSPS performance will suffer as a result.

Aside from the competition for resources, hypervisors from different vendors can deliver different performance. This might be caused by the emulated device drivers that are required to provide an interface between the physical hardware and the virtual machine. Generally speaking, TMSPS running on an ESXi server has the best performance, compared to Xen Server and Hyper-V.

Smart Protection Servers can be set up to achieve load balancing. Load balancing helps ensure that HTTP requests are distributed among the Smart Protection Servers. There are two (2) ways to achieve load balancing using the OfficeScan web console:
- Random: The OfficeScan agent randomly chooses a Smart Protection Server from the Smart Protection Server list.
- Based on IP range: The OfficeScan agent connects to its assigned server from the Smart Protection Server list.
Smart Protection Servers should always be installed in redundant pairs to avoid WAN saturation during a hardware failure.

Initial scans require more requests to the Smart Protection Server. Agents should set their first scheduled scan in phases, especially when their Smart Protection Server is centrally located. Running scheduled scans in batches will increase capacity and normalize iCRC network utilization.

Use this table as a guideline to determine how many Smart Protection Servers you need in your environment. Even when one (1) Smart Protection Server is more than enough to cater to all agents, it is still a best practice to install at least two (2) standalone Smart Protection Servers for redundancy and load balancing purposes.

One of the new features in OfficeScan 11.0 is the ability to migrate an existing database (CodeBase) to an SQL Server database. This is done using the SQL Server Migration tool. The migration tool currently supports three (3) types of migrations:
- OfficeScan CodeBase database to a new SQL Server Express database
- OfficeScan CodeBase database to a pre-existing SQL Server database
- OfficeScan SQL database (previously migrated) that was moved to another location
When you choose to migrate to a new SQL Server Express database, note that OfficeScan will install SQL Server 2008 R2 SP2 Express. This is required to be installed in a Windows 2003 or Windows 2008 SP2 server. Installing it on a Windows 2003 SP1 server would result in failure. Refer to this Microsoft article for more details:

- OfficeScan 11.0 supports both SQL 2008 and SQL
- For SQL 2008, note that Microsoft .NET Framework 3.5 SP1 is required and that Microsoft .NET Framework 4.0 is not compatible with SQL Server
- Microsoft SQL Server cannot be installed on Domain Controller machines. Consider this before choosing the server on which to install the database or OfficeScan. For more information, refer to this link:
- User Account Control needs to be turned off before running the SQL migration tool on Windows Server 2008 or later, when using Windows Authentication credentials. Refer to this article for more details on disabling this option:
- Make sure that the OfficeScan Master Service is not running under the same domain user account used to log on to the SQL server. This could cause the service to fail to start after the migration.
- Back up the existing OfficeScan CodeBase database for recovery in case problems are encountered during the migration. Refer to this article for more details:
- OfficeScan automatically creates the new database on the SQL server; there is no need to pre-create a blank database.
- Make sure to click the Test Connection option on the SQL migration tool before proceeding. This confirms that the settings entered are correct and verifies that the connection is possible.

When using the Windows Account to log on to the server:

For a default domain administrator account
User name format: domain_name\administrator
The account requires the following:
- Groups: Administrators Group
- User roles: Log on as a service and Log on as a batch job
- Database roles: dbcreator, bulkadmin, and db_owner
For a domain user account
User name format: domain_name\user_name
The account requires the following:
- Groups: Administrators Group and Domain Admins
- User roles: Log on as a service and Log on as a batch job
- Database roles: dbcreator, bulkadmin, and db_owner

To verify the type of database used, check the ofcserver.ini file under the OfficeScan server's Private directory (Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private). Look for [INI_DBE_ENGINE_SECTION] and note the value defined for DBE_ENGINE.

DBE_ENGINE=1001 ; CodeBase
DBE_ENGINE=1002 ; SQL Server

When opting to use the Integrated Smart Protection Server, make sure that it is actually installed and running. If the Integrated Smart Protection Server is not properly installed, Smart Scan agents disconnect and cannot utilize the cloud technology properly.

The integrated server is intended for mid-scale deployments of OfficeScan, in which the number of agents does not exceed 20,000. For larger deployments, the standalone Smart Protection Server is recommended.

In OfficeScan 11.0, the Integrated Smart Protection Server (ISPS) ports have changed. Note the new ports used below:
To check whether the Integrated Smart Protection Server is running, first make sure that the setting "Do not save encrypted pages to disk" is not enabled in IE. After checking the setting above, type the URL below into your browser:

You should see the following pop-up window, which confirms that the Integrated Smart Protection Server is running.
32 Ensure that OfficeScan agents can query at least two (2) scan servers. This prevents having a single point of failure in the event that the Smart Protection Server is unreachable. In order to take full advantage of the cloud technology, all agents must be online and connected to a Smart Protection Server. To add Smart Protection Servers: 1. Go to Administration > Smart Protection > Smart Protection Sources. 2. Choose Internal Agents tab and select the standard list or custom list based on IP address. 3. Click Notify All Agents to push this setting. Because the integrated server and the OfficeScan server run on the same computer, the computer s performance may reduce significantly during peak traffic. When possible, consider using a standalone Smart Protection Server as the primary source for agents and the integrated server as a backup. Do not use Smart Scan as the default scanning method at the root level. Always use Conventional Scan as the root level scanning method. When selecting OfficeScan agents to use Smart Scan, always choose a regular domain instead of a root level. If the root level is defined to use the Smart Scan method, and if it is placed in a domain where it uses Conventional Scan, it will download Conventional Scan components. Make sure Computer Location settings have correct settings defined. Computer Location setting can be reached under Agents > Endpoint Location. The default setting is Agent connection status. This means that OfficeScan agents use the reference server list defined to determine if it is an external or internal agent. An agent that can connect to the OfficeScan server or any of the reference servers listed, is recognized as internal agent. Therefore, this agent connects to the Smart Protection Server defined under Internal Agents for Smart Protection Sources. If a connection cannot be established, the agent is classified as an external agent. This agent uses the settings set under External Agents for Smart Protection Sources. 
By default, external agents use the global Smart Protection Network. If the Gateway IP address setting is applied and the client computer's gateway IP address matches any of the gateway IP addresses specified on the Endpoint Location screen, the computer's location is classified as internal. Otherwise, the computer's location is external.
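The Endpoint Location decision described above, together with the two-scan-server and standalone-primary recommendations, modelled as an added Python example (not Trend Micro code). The field names, host names and the injected `can_connect` probe are assumptions for illustration, as is treating the order of a source list as its priority.

```python
"""Added example: Endpoint Location decision and a Smart Protection source audit."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, List, Optional

# Placeholder label for the default external source (no URL is given here).
GLOBAL_SPN = "global Smart Protection Network"


@dataclass
class LocationPolicy:
    """Hypothetical container for the Endpoint Location and source settings."""
    mode: str = "connection_status"            # page default; or "gateway_ip"
    officescan_server: str = "osce.example.internal"   # constructed host name
    reference_servers: List[str] = field(default_factory=list)
    gateway_ips: List[str] = field(default_factory=list)
    internal_sources: List[str] = field(default_factory=list)  # assumed priority order
    external_sources: List[str] = field(default_factory=lambda: [GLOBAL_SPN])


def classify(policy: LocationPolicy,
             can_connect: Callable[[str], bool],
             agent_gateway: Optional[str] = None) -> str:
    """Return "internal" or "external" for one agent."""
    if policy.mode == "connection_status":
        # Internal if the OfficeScan server or any reference server answers.
        hosts = [policy.officescan_server, *policy.reference_servers]
        return "internal" if any(can_connect(h) for h in hosts) else "external"
    if policy.mode == "gateway_ip":
        # Internal only if the agent's gateway matches a listed gateway address.
        if agent_gateway is None:
            return "external"
        listed = {ip_address(g) for g in policy.gateway_ips}
        return "internal" if ip_address(agent_gateway) in listed else "external"
    raise ValueError(f"unknown location mode: {policy.mode!r}")


def smart_protection_sources(policy: LocationPolicy, location: str) -> List[str]:
    """Internal agents use the Internal Agents list, all others the external one."""
    chosen = policy.internal_sources if location == "internal" else policy.external_sources
    return list(chosen)


def audit(policy: LocationPolicy, integrated_server: Optional[str] = None) -> List[str]:
    """Check a planned configuration against the recommendations above."""
    findings = []
    unique = list(dict.fromkeys(policy.internal_sources))  # de-duplicate, keep order
    if len(unique) < 2:
        findings.append("internal agents can query fewer than two scan servers")
    if integrated_server and len(unique) > 1 and unique[0] == integrated_server:
        findings.append("integrated server is listed first; use a standalone server as primary")
    if policy.mode == "gateway_ip" and not policy.gateway_ips:
        findings.append("gateway mode with an empty gateway list classifies every agent as external")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: one reference server, standalone SPS first.
    plan = LocationPolicy(
        reference_servers=["ref1.example.internal"],
        internal_sources=["sps1.example.internal", "osce.example.internal"],
    )
    on_lan = {"osce.example.internal", "ref1.example.internal"}
    for name, reachable in (("office desktop", on_lan), ("laptop at home", set())):
        where = classify(plan, lambda host: host in reachable)
        print(name, "->", where, smart_protection_sources(plan, where))
    print("findings:", audit(plan, integrated_server="osce.example.internal"))
```

In a real check, `can_connect` would wrap a TCP connection attempt to the server's listening port from the agent's network segment.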
Optimize the performance of Smart Protection Servers by doing the following:
- Avoid performing Manual Scans and Scheduled Scans simultaneously. Stagger the scans in groups.
- Avoid configuring all endpoints to perform Scan Now simultaneously.
- Customize Smart Protection Servers for slower network connections, about 512Kbps, by making changes to the ptngrowth.ini file.

1. Open the ptngrowth.ini file in <Server installation folder>\pccsrv\wss\.
2. Modify the ptngrowth.ini file using the recommended values below:
   [COOLDOWN]
   ENABLE=1
   MAX_UPDATE_CONNECTION=1
   UPDATE_WAIT_SECOND=
3. Save the ptngrowth.ini file.
4. Restart the Trend Micro Smart Protection Server service.

Most of the product's default configurations provide substantial security while taking server and network performance into consideration. The information noted below offers different recommendations and can be used as an additional reference to either enhance security or achieve better performance. The following notifications in the UI show that these features are turned off by default.
To turn on these features, administrators should go to Agents > Agent Management > Settings > Additional Service Settings and enable the service for the feature they intend to use.
Administrators can enable the Unauthorized Change Prevention Service on a single server platform through Additional Service Settings. Administrators can also enable or disable the Unauthorized Change Prevention Service on workstations by selecting a root/domain/single agent/multi-select agent.

To turn on this feature:
1. Enable the Unauthorized Change Prevention Service (TMBMSRV.EXE) to monitor the process launch. Path: Agents > Agent Management > Settings > Additional service settings > Unauthorized Change Prevention Service.
2. Enable Web Reputation (tmproxy.exe) to monitor the file download. Path: Agents > Agent Management > Settings > Web Reputation Settings

Meerkat is used to prevent zero-day attacks from a software program. It displays a notification or alert if a user downloads a zero-day program through an HTTP channel or applications and then executes the program within 24 hours.

To enable the Meerkat function:
1. Go to Agent Management > Global Agent Settings > Behavior Monitoring Settings.
2. Check the option Prompt users before executing newly encountered programs downloaded through HTTP or applications and click Save.
Defer scan improves the performance of file copy operations. This feature is integrated with VSAPI or higher version. Originally, OfficeScan's scan engine performs two (2) scans during a file copy operation. The defer scan option adds one file scan to the scan queue and defers the other. Enabling this improves file copy performance.

To enable the defer scan function:
1. Navigate to Agent Management > Global Agent Setting > Scan Settings.
2. Select the option Enable deferred scanning on file operations.
3. Click Save.

SECURITY COMPLIANCE
Manual Report
Scheduled Report
Select an OfficeScan domain to run a compliance report on the agents to see which agents are incompatible with the server. In Scan Compliance view, specify one or both of the following:
- Number of days an agent has not performed Scan Now or Scheduled Scan
- Number of hours the remote or scheduled scan task has been running
The report can show the status of OfficeScan agent services, components, scan compliance, and settings to find non-compliant agents. This can be run on a daily basis if needed.
Trend Micro recommends enabling on-demand assessment to perform real-time queries for more accurate results. You can also disable on-demand assessment, in which case OfficeScan queries the database instead of each agent. This option may be quicker but produces less accurate results.
SECURITY COMPLIANCE
Scheduled Report
The SMTP setting on the notification page is needed for sending the scheduled compliance report to users. Go to the Notification > Administrator Notifications > General Settings page, fill out the fields SMTP server, Port number, and From in the Notification section, and click Save.
Scan Compliance view uses the configuration that was used for the last manual assessment.

UNMANAGED ENDPOINTS
Define Scope
Active Directory Scope
IP Address Scope
Select OUs containing fewer than 1000 computer accounts for a performance baseline, then increase or decrease the number of computers according to performance.
Choose an IP range to scan for unmanaged endpoints.
Advanced Settings
Specify Ports
Declare a computer unreachable by checking port
Make sure to add all OfficeScan server communication ports.
Port 135
Another port can be chosen, but make sure it is a common port that will be available on all the computers.
Settings
Enable a scheduled query once a week to find endpoints that do not have the OfficeScan agent.

SCAN METHOD
Conventional Scan
Smart Scan
Conventional Scan leverages anti-malware and anti-spyware components stored locally on endpoints.
Smart Scan now is default at the ROOT domain level. Smart Scan method should be selected at the Domain level so that if a user installs an agent it is easier to move from Conventional Scan to Smart Scan.
Smart Scan leverages anti-malware and anti-spyware signatures stored in-the-cloud.
MANUAL SCAN SETTINGS
Files to scan: All Scannable
Scan Hidden Folders
Scan Network Drive
Selecting All Scannable Files improves security by only scanning all known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.
This function is not needed if the remote PC already has antivirus protection. Enabling this may cause redundant scanning and performance issues.
Scan Settings
Scan compressed files
Scanning within 2 layers is recommended. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.
Scan OLE objects
Detect exploit code in OLE files
Virus/Malware Settings only
Scan Boot Area
CPU Usage: Medium
Enable Scan Exclusion
Scanning 3 layers is reasonable.
This setting heuristically identifies malware by checking Microsoft Office files for exploit code.
Minimizes the slowdown of PCs when a scan is initiated. It is not recommended to run manual scan during working hours due to high CPU usage.
Scan Exclusions
Apply scan exclusion settings to all scan types
Exclude directories where Trend Micro products are installed
Disabled
MANUAL SCAN SETTINGS
Use Active Action
This setting will utilize the Trend Micro recommended settings for each type of virus/malware.
Virus/Malware
Customize action for probable virus/malware
Select Quarantine to have the ability to restore any files that are needed.
Damage Cleanup Services
Back up files before cleaning
Advanced cleanup
Run cleanup when probable virus/malware is detected
Spyware/Grayware
Clean

REAL-TIME SCAN SETTING
Enable virus/malware scan
Enable spyware/grayware scan
User Activity on Files
Scan files being created/modified and retrieved
Files to scan
File types scanned by Intelliscan
Created/modified and retrieved
In cases where the system is heavily accessed, such as file servers, it may be advisable to select Scan files being created/modified, but only use this option if the server performance is affected.
Selecting Intelliscan slightly improves performance by only scanning types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.
REAL-TIME SCAN SETTING
Scan floppy disk during system shutdown
Disabled
Scan Settings
Scan Network Drive
Scan Compressed Files
Scan OLE Objects
Scanning 2 layers is reasonable. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.
Scanning 3 layers is reasonable.
Detect exploit code in OLE files
Virus/Malware Scan Settings Only
Enable Intellitrap
Enable Scan Exclusion
This setting heuristically identifies malware by checking Microsoft Office files for exploit code.
Turn off this setting in special cases where users regularly exchange/access compressed executable files in real-time.
Scan Exclusion
Apply scan exclusion settings to all scan types
Exclude directories where Trend Micro products are installed
Disabled
REAL-TIME SCAN SETTING
Virus/Malware
Use Active Action
Customize action for probable virus/malware
Display a notification message on the agent computer when virus/malware is detected
This setting will utilize the Trend Micro recommended settings for each type of virus/malware.
Select Quarantine to be able to restore any files that are needed.
Disabled
Turn off this setting to keep end users from seeing popup messages, which can generate helpdesk calls.
Display a notification message on the agent computer when probable virus/malware is detected
Disabled
Turn off this setting to keep end users from seeing popup messages, which can generate helpdesk calls.
Back up files before cleaning
Damage Cleanup Services
Run Cleanup when probable virus/malware is detected
Clean
Spyware/Grayware
Display a notification message on the agent computer when virus/malware is detected
Disabled
Turn off this setting to keep end users from seeing popup messages, which can generate helpdesk calls.
SCHEDULED SCAN SETTINGS
Enable Virus/Malware Scan
Enable spyware/grayware scan
Schedule
Weekly on Friday 12pm
Turn on Scheduled scan to scan systems on a regular basis.
Turn on Scheduled scan to scan systems on a regular basis.
Suggested to scan during lunch time or after office hours if machines remain turned on.
Files to scan
All Scannable Files
Scan compressed files
Selecting All Scannable Files improves security by only scanning all known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.
Scanning 2 layers is reasonable. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.
Scan settings
Scan OLE objects
Detect exploit code in OLE files
Scanning 3 layers is reasonable.
This setting heuristically identifies malware by checking Microsoft Office files for exploit code.
Virus/Malware Settings Only
Scan Boot Area
CPU Usage: Medium
Prevent slowdown of PCs when a scheduled scan kicks off. The scan will take longer to finish if the setting is set to Low.
SCHEDULED SCAN SETTINGS
Enable Scan Exclusion
Scan Exclusions
Apply scan exclusion settings to all scan types
Exclude directories where Trend Micro products are installed
Disabled
Use Active Action
This setting will utilize the Trend Micro recommended settings for each type of virus/malware.
Customize action for probable virus/malware
Select Quarantine to be able to restore any files that are needed.
Virus/Malware
Display a notification message on the agent computer when virus/malware is detected
Disabled
Turn off this setting to keep end users from seeing pop-up messages, which can generate help desk calls.
Display a notification message on the agent computer when probable virus/malware is detected
Disabled
Turn off this setting to keep end users from seeing pop-up messages, which can generate help desk calls.
Back up files before cleaning
Advanced cleanup
Damage Cleanup Services
Run cleanup when probable virus/malware is detected
SCHEDULED SCAN SETTINGS
Clean
Spyware/Grayware
Display a notification message on the agent computer when virus/malware is detected
Turn off this setting to keep end users from seeing popup messages, which can generate helpdesk calls.

SCAN NOW SETTINGS
Enable Virus/Malware Scan
Enable Spyware/Grayware Scan
Files to Scan
File Type scanned by Intelliscan
Selecting Intelliscan slightly improves performance by only scanning types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.
Scan compressed files
Scanning within 2 layers is recommended. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.
Scan Settings
Scan OLE objects
Scanning 3 layers is reasonable.
Detect exploit code in OLE files
This setting heuristically identifies malware by checking Microsoft Office files for exploit code.
Virus/Malware Settings Only
Scan Boot Area
CPU Usage: Medium
Minimizes the slowdown of PCs when a scan is initiated. It is not recommended to run manual scan during working hours due to high CPU usage.
SCAN NOW SETTINGS
Enable Scan Exclusion
Scan Exclusion
Apply scan exclusion settings to all scan types
Disabled
Exclude directories where Trend Micro products are installed
Virus/Malware
Use Active Action
Customize action for probable virus/malware
This setting will utilize the Trend Micro recommended settings for each type of virus/malware.
Select Quarantine to be able to restore any files that are needed.
Damage Cleanup Services
Advanced Cleanup
Run cleanup when probable virus/malware is detected
Spyware/Grayware
Clean

UPDATE AGENT SETTINGS
OfficeScan agents can act as Update Agent
Component Updates
Domain Settings
OfficeScan agent programs and hot fixes
Component Updates, Domain Settings, and Agent programs and hotfixes should be selected to take full advantage of Update Agents to save bandwidth and to speed up deployment.
PRIVILEGES AND OTHER SETTINGS
Disabled
Roaming
Enable Scan Exclusion
Enable Roaming mode
Configure Manual Scan Settings
It is highly recommended to disable this function as it will allow users to stop communication between OfficeScan Server and agent. This Roaming privilege allows users to isolate their systems to avoid getting notified by the server for scans or updates. This function has nothing to do with the ability to update when the machine is off the network, such as taking a laptop home.
Disabled
Enable this to allow users to configure their own scan setting.
Scans
Scheduled Scans
Firewall (if you have firewall activated)
Configure Real-time Scan Settings
Configure Scheduled Scan Settings
Postpone Scheduled Scan
Skip and stop scheduled Scan
Display the Firewall tab on the Agent console
Allow users to enable/disable the firewall, Intrusion Detection System, and the firewall violation notification message
Allow agents to send firewall logs to the OfficeScan Server
Disabled
Enable this to allow users to configure their own scan setting.
Disabled
Enable this to allow users to configure their own scan setting.
Disabled
Enable this to allow users to stop the Scheduled scan when it is triggered.
Disabled
Enable this to allow users to stop the Scheduled scan when it is triggered.
Disabled
Enable this to allow users to configure their own firewall settings other than what is set on the OfficeScan server.
Disabled
Keep this disabled unless necessary as it increases traffic between the server and agents.
PRIVILEGES AND OTHER SETTINGS
Behavior Monitoring
Display the Behavior Monitoring tab on the agent console.
Disabled
Disabled
Mail Scan
Display the Mail Scan tab on the agent console
Toolbox
Display the Toolbox tab on the agent console and allow users to install Check Point Secure Agent Support
Proxy Settings
Allow the Agent user to Configure proxy Settings
Since most enterprises do not use POP3, this tab can be hidden from users to avoid confusion.
If this setting is allowed then users can install this tool using OSCE agent GUI.
Disabled
Unless Checkpoint Secure Agent is used, this should be turned off to avoid confusing users.
Enable this to allow users to configure proxy to update from internet; otherwise this can be turned off.
Component Updates
Perform Update Now
Enable Scheduled Update to Allow users to initiate an update manually by right clicking on the OSCE icon on their system tray.
Disabled
Leave this option disabled so users cannot turn off scheduled update. This will keep users up-to-date with the latest signature.
Unloading
Unloading the OfficeScan agent and unlocking advanced agent settings
Uninstallation
Uninstalling the OfficeScan agent
Enable this to prevent users from unloading OfficeScan agent from their system.
Enable this to prevent users from uninstalling OfficeScan agent from their system.
PRIVILEGES AND OTHER SETTINGS
Update Settings
OfficeScan agents download updates from the Trend Micro ActiveUpdate Server
Enable Scheduled Updates on OfficeScan agents
Enable this function to allow agents to update from Trend Micro Active Update servers whenever the OfficeScan agent cannot contact the OfficeScan server or the Update Agents. This is especially helpful for users who travel with their laptop or bring their laptops home, keeping them up-to-date all the time.
Aside from notification from the OfficeScan Server for updates, this function is used to allow OfficeScan to check for updates on a scheduled basis. Update checking is done in the background and no user intervention is required.
OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes
Web Reputation Settings
Display a Notification when a web site is blocked
Behavior Monitoring Settings
Display a notification when a program is blocked
C&C Contact Alert Settings
Display a notification when a C&C callback is detected
Central Quarantine Restore Alert Settings
Display a notification when a quarantine file is Restored
Disabled
Enable this function in environments where bandwidth is limited. This allows agents to update their regular signatures and engines and avoid downloading hotfixes or program updates from the OfficeScan Server.
Turn this off to avoid getting popups when websites are blocked.
Enable this function to avoid confusing users as to why a certain program won't run.
Enable this function to receive notifications on C&C callbacks
Disabled
Enable this function to get notifications when quarantined files are restored.
PRIVILEGES AND OTHER SETTINGS
OfficeScan agent Self-protection
Protect OfficeScan agent services
Protect files in the OfficeScan agent installation folder
Protect OfficeScan agent registry keys
Protect OfficeScan agent processes
Scheduled Scan Settings
Display a notification before a scheduled scan occurs
Disabled
Cache Settings for Scans
Enable the digital signature cache and set to 28 days.
Disabled
Enable the on-demand scan cache
If the on-demand scans seldom run, then enabling this is not necessary since the console settings are satisfactory. If you want to enable this, extending the expiration would be a better option.
OfficeScan agent Security Settings
High: Restrict users from accessing OfficeScan agent files and registries
Setting this option to high prevents regular users from deleting OfficeScan files and registry entries.
Disabled
POP3 Scan Settings
Scan POP3
Enable this only when using POP3 mail in the network. When selected, this setting enables POP3 mail scan on the agent console. Note that this setting only applies to agents with the mail scan privileges.
PRIVILEGES AND OTHER SETTINGS
OfficeScan Agent Console Access Restriction
Do not allow users to access the agent console from the system tray or Windows Start menu
Restart Notification
Display a notification message if the agent computer needs to restart to finish cleaning infected files.
Unauthorized Change Prevention Service
Disabled
In some environments where any user changes are prohibited, this function allows administrators to restrict users from accessing the OfficeScan agent console.
Unauthorized Change Prevention Service regulates application behavior and verifies program trustworthiness. Behavior Monitoring, Device Control, Certified Safe Software Service, and Agent Self-protection all require this service. If an administrator wants to allow this service on a server, then a single server must be chosen to view the option to enable this service.

ADDITIONAL SERVICES
Firewall Service
Suspicious Connection Service
This setting will turn on the firewall service on the OfficeScan agents. WARNING: Enabling this service will temporarily disconnect the OfficeScan agent from the network.
The Suspicious Connection Service provides advanced protection against Command & Control callbacks through the following features:
- User-defined IP Approved and Blocked lists
- Global C&C IP List
- Malware network fingerprinting
Advanced Protection Service
Advanced Protection Service facilitates advanced scanning and protection features. Behavior Monitoring and Browser Exploit Prevention require this service.
WEB REPUTATION SETTINGS
Enable Web Reputation Policy on the following operating systems
Enable this feature to protect agents from web threats when they are not connected to the internal network. Enabling this will protect them from accessing malicious sites.
External Agents Tab
Enable assessment
Check HTTPS URLs
Disabled
Administrators can enable assessment to monitor the type of detections before deploying Web Reputation. When assessment is turned on, OfficeScan will not take any action.
Disabled
Security Level: Medium
Scan common HTTP ports only
Untested URLs
Block pages that have not been tested by Trend Micro
When disabled, WRS will scan all HTTP URLs regardless of their port information. If enabled, only URLs with no port information or those that point to ports 80, 81, or 8080 will be scanned.
Note that any website that has not been tested by Trend Micro will be blocked if it's enabled.
Browser Exploit Prevention
Block pages containing malicious script
Agent Log
Allow agents to Send Logs to the OfficeScan Server
Depending on security requirements, you may or may not want to monitor what sites are being blocked on the agent side. On the other hand, turning this on will generate traffic between server and agents.
WEB REPUTATION SETTINGS
Internal Agents Tab
Enable Web Reputation Policy on the operating systems
Enable assessment
Check HTTPS URL
Scan common HTTP ports only
If there is already a web security on the gateway, this may be turned off.
Disabled
Administrators can enable assessment to monitor the type of detections before deploying Web Reputation. When assessment is turned on, OfficeScan will not take any action.
Disabled
When disabled, WRS will scan all HTTP URLs regardless of their port information. If enabled, only URLs with no port information or those that point to ports 80, 81, or 8080 will be scanned.
Send queries to Smart Protection Servers
Security Level: Low
Untested URLs
Block pages that have not been tested by Trend Micro
Browser Exploit Prevention
Block pages containing malicious script
Approved/Blocked URL List
Allow agents to Send Logs to the OfficeScan Server
Agent Log
Allow agents to Send Logs to the OfficeScan Server
Agents will send queries to Smart Protection Servers. Make sure they are available. If this option is disabled, agents need internet access to reach the Trend Micro Smart Protection Network; if an agent does not have web access, it will use the approved/blocked web site list as the only web reputation data.
Internet traffic usage is lowest and browsing info is kept in house. When combined with "Use only Smart Protection Servers, do not send queries to Smart Protection Network" checked, the security level is always Low.
Depending on security requirements, you may or may not want to monitor what sites are being blocked on the agent side. On the other hand, turning this on will generate traffic between server and agents.
Log network connections made to addresses in the Global C&C IP list
Log and allow access to User-defined Blocked IP list addresses
Disabled
Enable this feature to perform assessment of the violations first, and then set to Disable.
Log connections using malware network fingerprinting
Clean suspicious connections when a C&C callback is detected
OfficeScan performs pattern matching on packet headers. OfficeScan logs all connections made by packets with headers that match known malware threats using the Relevance Rule pattern.
OfficeScan uses GeneriClean to clean the malware threat and terminate the connection to the C&C server.

Enable Malware Behavior Blocking for known and potential threats
Known Threats
Enable this setting to protect your agents from specific threats, threat types and threat families through behavior analysis.
Enable Event Monitoring
Exceptions (Approve/Block)
Policies (Under Event Monitoring if )
Enable this to monitor system events to filter potentially malicious actions. Refer to the list below for recommended settings if this is enabled.
Enter the full path of programs you would want to exempt from Behavior Monitoring or directly Block.
The Assess action will log events that violate the policy but will not take action. To avoid interfering with normal activity, it is recommended that administrators start with this action set for all policies. This would help them define the proper action they need to take once data is available.
Duplicated System File: Assess
Hosts File Modification: Assess
Suspicious Behavior: Assess
New Internet Explorer Plugin: Assess
Internet Explorer Setting Modification: Assess
Security Policy Modification: Assess
Program Library Injection: Assess
Shell Modification: Assess
New Service: Assess
System File Modification: Assess
Firewall Policy Modification: Assess
System Process Modification: Assess
New Startup Program: Assess

External Agents Tab
Device Control
Apply all settings to internal agents
Block auto-run function on USB storage devices
Enable this setting to take advantage of the Block auto-run function on USB devices but leave Full Access permissions for the devices unless there is a need to control them due to virus outbreaks/data leak prevention.
Disabled
Enable this to prevent the potential threat auto-run can cause.
Storage Devices
CD/DVD: Full Access
Floppy Disks: Full Access
Network Drives: Full Access
USB storage devices: Full Access
External Agents Tab
Program Lists
Programs with read and write access to storage devices
Programs on storage devices that are allowed to execute
Notification
Display a notification message on the agent computer when OfficeScan detects unauthorized event
Enter the full path of programs to allow write access to storage devices.
Enter the full path of programs to allow execution.
Enable this when Device Control Access is not set to Full Access to avoid confusing users as to why they cannot access their drives fully.

Internal Agents Tab
Device Control
Apply all settings to external agents
Block auto-run function on USB storage devices
Enable this setting to take advantage of the Block auto-run function on USB devices but leave Full Access permissions for the devices unless there is a need to control them due to virus outbreaks/data leak prevention.
Disabled
Enable this to prevent the potential threat auto-run can cause.
Storage Devices
CD/DVD: Full Access
Floppy Disks: Full Access
Network Drives: Full Access
USB storage devices: Full Access
Program Lists
Programs with read and write access to storage devices
Programs on storage devices that are allowed to execute
Notification
Display a notification message on the agent computer when OfficeScan detects unauthorized event
Enter the full path of programs to allow write access to storage devices.
Enter the full path of programs to allow execution.
Enable this when Device Control Access is not set to Full Access to avoid confusing users as to why they cannot access their drives fully.
Below are the available agent grouping options:
- NetBIOS domain (only used during agent installation)
- Active Directory domain
- DNS domain
- Custom agent groups (can be used anytime to group the agents)
  - Automatic Agent Grouping
  - Schedule Domain Creation

In Automatic Agent Grouping, administrators can create agent grouping according to Active Directory or IP. On the other hand, performing scheduled domain creation creates a domain in the agent tree. This may take a long time to complete, especially if the scope is broad. However, this does not move existing agents to this domain. Custom agent grouping must be used. To move the agents, refer to manual sort agent, or OfficeScan can automatically move agents when the following events occur:
- Agent installation
- Agent reload
- Change of agent's IP addresses
- Agent enabling or disabling roaming mode

Scan Settings
Add Manual Scan to the Windows shortcut menu on agent computers
Exclude the OfficeScan server database folder from Real-time Scan
Exclude Microsoft Exchange server folders from scanning
deferred scanning on file operations
Disabled
Enable this function to allow users to right-click on files or folders to perform a manual scan.
Prevent OfficeScan database from getting corrupted.
Prevent OfficeScan from interfering with the mails being processed by the Exchange server and the antivirus that scans the mail traffic.
Disabled
This option can be enabled to help improve performance of file copy operation.
Scan Settings for Large Compressed Files
Configure scan settings for large compressed files
This option will skip files within the compressed files from being scanned to improve performance.

Real-time scan
Do not Scan files (in a compressed file) if size exceeds: 2 MB
In a compressed file, scan only the first X files: 10 files

Manual Scan/Scheduled Scan/Scan Now
Do not Scan files (in a compressed file) if size exceeds: 30 MB
In a compressed file, scan only the first X files: 100 files

Virus/Malware Scan Settings only
Clean/Delete infected files within compressed files
Spyware/Grayware Scan Settings Only
Enable Assessment Mode
Turn this on for a recommended period of at least 3 weeks to allow administrators to assess the detection of spyware in the network. No action is taken on any detection. This allows admins to monitor and verify whether there is any false positive detection, especially on home grown applications.
Scan for Cookies
Count Cookie into spyware log
Turn on to allow cookie scanning and cleaning.
Disabled
Turn this off to prevent logs generated from cookie detection from overpopulating the virus log database.
Scheduled Scan Settings
10 minutes before it runs
Remind users of the Scheduled Scan
This setting only applies to users who have the privilege to control Scheduled Scans.
Postpone Scheduled Scan for up to
Automatically stop Scheduled Scan when scanning lasts more than
Skip Scheduled Scan when a wireless computer's battery life is less than
Resume a missed scheduled scan
1 hour
***This setting only applies to users who have the privilege to control Scheduled scans.
Disabled
Enable this setting to 20 percent when there are a number of laptop users in your environment to save battery life.

Virus/Malware Log Bandwidth Settings
Enable OfficeScan agents to consolidate network virus logs and send them to the OfficeScan Server hourly
This allows agents to send only a single log to a server about multiple detections of viruses detected on the same location and same virus for a period of time.

4 hours
Firewall Settings (If you have firewall activated)
Send firewall logs to the server every
Update the OfficeScan firewall driver only after a system reboot
Send firewall log information to the OfficeScan Server hourly to determine the possibility of a firewall outbreak. If it is really needed, set this to Daily or every 4 to 8 hours to prevent agents from saturating the network by sending logs at short intervals regularly.
This setting will let agents update the firewall driver settings during reboot. This way, there will be no loss of network connectivity. This setting applies only to updates/upgrades done through OfficeScan server.
Automatically allow program if agent does not respond within X seconds: 30
If the timeout is reached, BM will allow the program.

Behavior Monitoring Settings
Prompt users before executing newly encountered programs downloaded through HTTP or applications (Server platforms excluded)
Certified Safe Software Service Settings
Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and antivirus scans
Help prevent zero-day attacks by monitoring applications that are downloaded through HTTP channel/ . Administrators should enable Unauthorized Change Prevention Service and Web Reputation to have this feature.
Disabled
When enabled, the OfficeScan agent will query the Trend Micro back-end servers via the Internet to reduce BM false alarms.

C&C Contact Alert Settings
Define customized Approved and Blocked IP lists used to detect C&C callbacks
Updates
Download only the pattern files from the Active Update server when performing updates
Reserved Disk Space
Reserve 60 MB of disk space for updates
Unreachable Network
Server Polling
Define approved or blocked IP, IP range or subnets for C&C callback
Disabled
Administrators can use this setting to let OfficeScan agents update only patterns from the Trend Micro Active Update site.
Select the IP range of the unreachable network and how often the agents should poll the server.

Heartbeat
Allow agents to send heartbeat to the server
Agent send heartbeat every 10
Only agents in the unreachable network should send heartbeats since other agents would be connected to the server.
The agent is offline if there is no heartbeat after X minutes: 60
60 Alert Settings OfficeScan Service Restart Proxy Configuration Endpoint Location Connection Verification Show the alert icon on the Windows taskbar if the virus pattern file is not updated after X days Display a notification message if the agent computer needs to restart to load a kernel mode driver Automatically restart an OfficeScan agent service if the service terminates unexpectedly Restart the service after If the first attempt to restart the service fails, retry Reset the restart failure count after Automatically detect settings Preferred IP Address Agents with IPv4 and IPv6 addresses register to the server using Agent Connection status (edit reference server list) Gateway IP address Mac address Scheduled Verification Enable Scheduled Verification Only agents in the unreachable network should send heartbeats since other agents would be connected to the server. When firewall is enabled, it is suggested to have this turned on so that whenever the firewall driver is updated, the agent may be notified to reboot for the update to take effect, otherwise, without reboots, the firewall may not function properly with the updated component. 1 minute 6 times 1 hour To allow auto detection of proxy for updates, this can be enabled. IPv4 first then IPv6 Disabled Gateway addresses can be entered instead of reference list to determine whether OfficeScan agents are online or offline. Optional Daily at 10:30am This allows the server to recheck the status of the agents that are in the network, it is ideal to set it to run on a schedule where most agents are already online.
61 Enable Log Maintenance Updates Server Enable Scheduled Deletion Logs to Delete Log Deletion Schedule Enable scheduled update of the OfficeScan server Update Schedule Enable this to maintain a manageable size of log and prevent performance issue on the OSCE server when retrieving logs. If Control Manager is used the logs are also sent to Control Manager, hence there is no need to keep 2 copies of logs. You can get reports from Control Manager. Ensure all Log types are selected. Logs older than 7 days Delete old logs to keep the log database small enough for efficiency. Daily at 2 AM It is advisable to have this checked every day. The time suggested is 2 AM so that the traffic to server is low and can be purged before the system backup kicks off. OfficeScan server automatically does database maintenance during midnight, so avoid scheduling during this time. Hourly It is best to check on a more regular basis to get the latest updates. Updates Agents Agent Automatic Updates Initiate component update on agents immediately after the OfficeScan Server downloads a new component Include roaming agent(s) Let agents initiate component update when they restart and connect to the OfficeScan Server (roaming agents are excluded) Disabled It is unnecessary if the agents are offline and unreachable. There are instances where the agents are offline when the server updated from the internet. This function will allow agents to get their updates from the server when they are back online.
62 Perform Scan Now after update (excluding roaming agents) Disabled It is not extremely necessary to do a full scan right after performing an update. The scheduled scan is normally sufficient. Schedule-based Update Depending on the number of agents that the server manages, you can set this from 2 hours to every 4 hours. This is the setting to configure agents on how often they will check for updates from the OfficeScan Server, the Update Agent or the Internet. Updates Agents Agent Update Source Standard Update Source Customized Update Source Update Agents update components, domain settings, and agent programs and hot fixes, only from the OfficeScan server Components Enable this if No Update Agents will be used. Administrators can allow agents to get updates from OfficeScan Servers if Update Agents are not available. Enable this to have Update Agents always update from the OfficeScan server. Disabled To allow OfficeScan agents to strictly update from Update Agents for pattern and engine updates. Domain Settings Domain settings are small enough to allow agents to go to OfficeScan Server to get updates from as long as Update Agents are not available. OfficeScan agent programs and hot fixes Disabled This setting should not be turned on unless OfficeScan agents are allowed to upgrade from OfficeScan server. This might cause bandwidth problems depending on the network.
63 Standard Notifications Virus/Malware Send notifications only when the action on the virus/malware is unsuccessful Spyware/Grayware Send notifications only when the action on the virus/malware is unsuccessful Enable Enable this to only notify when an action failed on the virus/malware. Enable Enable this to only notify when an action failed on the spyware/grayware. Outbreak Notifications Virus/ Malware Spyware/ Grayware Firewall Violations Unique Sources 1 Detections 100 Time Period Unique Sources 1 24 hrs. Detections 100 Time Period Monitor Firewall violations on networked computers 24 hrs. IDS Logs 100 Firewall Logs 100 Enable this to alert administrators when there are suspicious firewall violations. Shared Folder Session Network Virus Logs Time Period Monitor Shared Folder session on your network Shared Folder Sessions Time Period hr. Enable this to alert administrators of suspicious network sessions being generated min
64 User Accounts are used to logon to OfficeScan web console. These accounts are assigned privileges as deemed appropriate. Use this section to add custom accounts or Active Directory accounts. User Roles define a list of operations that a user can perform. These operations are roughly tied to the navigation menu. Use this section to assign/create/modify roles for a user or a windows group. This would give the account permission to perform operations defined in that group. Internal Agents Use standard list (for all Internal Agents) Use customer lists based on agent IP address Use standard list if customer list becomes unavailable The settings configure the agents to check the Scan Servers in the order specified on the list. Integrated Smart Protection Server will always be the last. Use this setting to customize which Smart Protection Server the agents will use. It is recommended that each sub site has its own Smart Protection Server. To help ensure full redundancy in situations where the customer Smart Protection Server list is unavailable, the agent should check the standard list. Integrated Server Enable File Reputation Service Use HTTP for scan queries Enable Web Reputation Service Enable scheduled updates Check box should be enabled if the Integrated Smart Protection Server will be used. The Integrated Smart Protection Server should not be used to support more than 20,000 agents in a primary role. If more than 20,000 agents need to be supported a Standalone Smart Protection Server should be installed in the environment and the Integrated Smart Protection Server should be used for backup purposes only.
65 Update Settings Enable scheduled updates Smart Feedback Smart Protection Network When enabled, Smart Feedback shares threat details with the Smart Protection Network, allowing Trend Micro to rapidly identify and address new threats. Disabled Active Directory Integration Active Directory Domains Encrypt Active Directory Credentials Add Active Directory domains OfficeScan will associate with the agent tree. Specify an encryption key and file path to ensure an additional layer of protection for your Active Directory credentials. Scheduled Synchronization Enable Scheduled Active Directory synchronization Administrators can set the scheduled synchronization daily. Internal Proxy Settings Agent Connection with the OfficeScan server computer Use the following proxy settings when agents connect to the OfficeScan Server and the Integrated Smart Protection Server. Agent Connection with the Local Smart Protection Servers Use the following proxy settings when agents connect to the local Smart Protection Servers. Disabled This should be disabled all the time unless the OfficeScan agents require connection to an intranet proxy to communicate with the OfficeScan server. Disabled This should be disabled all the time unless the OfficeScan agents require connection to an intranet proxy to communicate with the local Smart Protection Server.
66 External Proxy Settings Inactive Agents Quarantine Manager Web Console Settings Database Backup OfficeScan Server Computer Updates Use a proxy server for pattern, engine, and license updates Agent Connection with Trend Micro Servers Specify proxy server authentication credentials the agent will use to connect to the Trend Micro Global Smart Protection Server and Web reputation servers. Enable automatic removal of inactive agents Automatically remove a agent if inactive for X days Quarantine folder capacity Maximum size for a single file Auto Refresh Settings Enable Auto Refresh Timeout Settings Enable Timeout Setting Enable Scheduled Database Backup Enable this option and fill out the fields when a proxy server is required to download updates from the internet. Fill this out if the proxy server used requires authentication credentials. Enable this function to allow OfficeScan to remove old agents that are inactive for X days. Whenever these agents come back online, they will automatically be added and show up in the console. 7 days MB Note that the Quarantine folder on the OfficeScan server does not cleanup by itself. It is important to clean the folder up on a regular basis. 5 MB Set it for 30 seconds. Set it for 30 minutes. Daily at 3 AM OfficeScan server does database maintenance usually at midnight, and it is best not to interfere with the maintenance. Therefore, it is recommended either to set the time few hours before or few hours after midnight after log purging.
OfcScan.ini

- Add or change the value to 1 to prevent the Damage Cleanup Service from executing whenever the OfficeScan Real-Time Scan starts up. This helps systems with low resources speed up the bootup/startup time.
- Enable this feature to allow Update Agents to download only one incremental file from the OfficeScan server and automatically generate the full pattern and the rest of the incremental files. This helps minimize bandwidth usage.
- If the remote PC does not have an antivirus, this function enables scheduled scans for network drives. This function is not needed if the remote PC already has an antivirus function. Enabling it may cause redundant scheduled scanning and performance issues.
- If this function is turned on by setting the value to 1, USB will be scanned by Real-Time Scan.
- If this function is turned on by setting the value to 1, USB will give a pop-up message asking the users if they want to scan the device. Device Control Settings take higher priority than USB scan insertion.
- Manual scan supports switching to Intensive Scan, a higher detection mode, once the number of detected viruses exceeds a certain threshold. To enable, set a value. For a sample value, 5 means using 5 as the intensive threshold. Ideal threshold value should be 100.
- This setting enables the admin to select multiple servers at once when enabling the WRS function on server platforms.
- Enable this option to resolve IP from FQDN. If this is set to 0, OfficeScan resolves IP from NetBIOS first and then resolves IP from FQDN. If this is set to 1, OfficeScan resolves IP from FQDN first and then resolves IP from NetBIOS.
- When this option is set to 1, it allows Active Directory Integration to query all objects including containers.

The parameters below can be added or edited to further improve the performance of the OSCE server.

- This OfficeScan server parameter controls the number of threads responsible for receiving agent communications. Default value is 20. Add the parameter under [INI_SERVER_SECTION] of ofcscan.ini to modify the default setting. Recommended value is 20 multiplied by the number of CPUs. NOTE: The word Maxium is intentionally misspelled.
- Increase the server database cache to improve performance. Recommended value is at 10% of available memory.

Increase the number of Command Handler threads
1. Edit <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini.
2. Add the parameter Command_Handler_Maximum_Thread_Number= under [INI_SERVER_SECTION] and set its value to 20 x Number of CPUs.
3. Restart the OfficeScan Master Service.

Increase Database Cache to improve performance
1. Edit <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini.
2. Locate the entry DB_MEM_OPT_MAX = and set its value to at least 10% of available memory.
3. Restart the OfficeScan Master Service.
4. Verify the Connection Thread Count Parameter.
5. Go to [INI_SERVER_SECTION] and look for the VerifyConnectionThreadCount=16 parameter. This value is dependent on the network capacity. If you have a 100 MBPS intranet, entering a value of 64 or 128 is acceptable.
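An offline audit of the three tuning parameters described above, run against a copy of ofcscan.ini. This is an added example, not Trend Micro code: the sample file is constructed, the `Maxium` key spelling is inferred from the page's note, and `available_memory` must be given in whatever unit DB_MEM_OPT_MAX uses, which the page does not state.

```python
import configparser

SERVER_SECTION = "ini_server_section"
# Step 2 on the page prints "Maximum"; the page's note says the key is
# intentionally misspelled "Maxium". Both spellings are checked (assumption).
HANDLER_KEYS = ("command_handler_maxium_thread_number",
                "command_handler_maximum_thread_number")

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[INI_SERVER_SECTION]
Command_Handler_Maximum_Thread_Number=20
DB_MEM_OPT_MAX=102400
VerifyConnectionThreadCount=16
"""


def load_server_section(ini_text):
    """Return the [INI_SERVER_SECTION] keys (lower-cased) with their raw values."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       allow_no_value=True, delimiters=("=",))
    parser.read_string(ini_text)
    for name in parser.sections():
        if name.lower() == SERVER_SECTION:
            return dict(parser.items(name))
    raise KeyError("[INI_SERVER_SECTION] not found")


def _to_int(raw):
    try:
        return int(str(raw).strip())
    except ValueError:
        return None


def _check_minimum(setting, section, keys, minimum):
    """Compare the first key found in the section against a recommended minimum."""
    present = [key for key in keys if key in section]
    if not present:
        # An absent key means the product default applies.
        return {"setting": setting, "key": None, "current": None,
                "recommended_min": minimum, "status": "missing"}
    raw = section[present[0]]
    value = _to_int(raw)
    if value is None:
        status = "invalid"
    elif value < minimum:
        status = "low"
    else:
        status = "ok"
    return {"setting": setting, "key": present[0], "current": raw,
            "recommended_min": minimum, "status": status}


def audit_tuning(ini_text, cpu_count, available_memory):
    """Check ofcscan.ini text against the recommendations on this page."""
    section = load_server_section(ini_text)
    findings = [
        # Recommended value: 20 multiplied by the number of CPUs.
        _check_minimum("command handler threads", section,
                       HANDLER_KEYS, 20 * cpu_count),
        # Recommended value: at least 10% of available memory (rounded up).
        _check_minimum("database cache", section,
                       ("db_mem_opt_max",), -(-available_memory // 10)),
    ]
    # The page gives no formula here, only that the value depends on network
    # capacity, so the current value is reported for manual review.
    verify = section.get("verifyconnectionthreadcount")
    findings.append({"setting": "connection verification threads",
                     "key": "verifyconnectionthreadcount", "current": verify,
                     "recommended_min": None,
                     "status": "review" if verify is not None else "missing"})
    return findings


if __name__ == "__main__":
    for finding in audit_tuning(SAMPLE_INI, cpu_count=4, available_memory=4194304):
        print(finding)
```

The `key` field in each finding shows which spelling of the handler parameter the file actually contains, which is worth confirming against the product documentation before relying on the setting.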
The following sections only apply to OfficeScan itself. This does not include plug-ins and Integrated Scan Server backup. Customers who have OfficeScan with Integrated Scan Server should not follow these steps.

The OfficeScan server can be set to automatically back up the agent database information. This is configurable via the web-based management console under the Administration > Database Backup section. This process copies all database files under <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\HTTPDB to either a local or remote location.

It is recommended to do a daily backup, especially during agent deployment. The schedule can be changed to weekly after the deployment is complete. It is also recommended to configure the backup to start at 2:00 AM, when agent interaction is minimal and the process does not coincide with other OfficeScan scheduled tasks.

It is recommended to use the OfficeScan built-in backup function to back up the database. Using a third-party application to back up the database may cause system instability or database corruption.

It is also recommended to manually back up the OfficeScan server configuration files, which can be used to recover from a server disaster.

1. Stop the OfficeScan Master Service.
2. Manually back up the OfficeScan server and Firewall configuration files:
- \PCCSRV\Ofcscan.ini (server configuration information)
- \PCCSRV\Private\Ofcserver.ini (server and Update Source configuration)
- \PCCSRV\Ous.ini (agent update source configuration)
- \PCCSRV\Private\PFW folder (firewall profiles / policies)
- \Private\SortingRuleStore\SortingRule.xml
- \Private\AuthorStore folder (RBA User Profile)
- \Private\vdi.ini (vdi settings)
3. Start the OfficeScan Master Service.
4. Run the Certificate Manager tool to back up the certificate used for OfficeScan communication with its agents.
5. Open a cmd prompt with administrator privileges and go to the <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ADMIN\UTILITY\CERTIFICATE MANAGER folder.
6. Run the following command to back up the certificate: CertificateManager.exe b [Password] [Certificate Path]. For example, CertificateManager.exe b mypassword c:\certificate.zip
7. Make a backup copy of c:\certificate.zip along with the other OfficeScan server configurations.

In the event of server corruption, the OfficeScan server settings can be restored by following the procedure below. This procedure assumes that the OfficeScan server is being restored to the same host, using the same FQDN and IP address.

1. Stop the OfficeScan Master Service and WWW Publishing Service.
2. Restore the backup database files under <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\HTTPDB.
3. Restore the OfficeScan server and Firewall policy configurations:
- \Program Files\Trend Micro\OfficeScan\PCCSRV\Ofcscan.ini
- \Program Files\Trend Micro\OfficeScan\PCCSRV\Private\Ofcserver.ini
- \Program Files\Trend Micro\OfficeScan\PCCSRV\Ous.ini
- \Program Files\Trend Micro\OfficeScan\PCCSRV\Private\PFW directory
- \Private\SortingRuleStore\SortingRule.xml
- \Private\AuthorStore folder (RBA User Profile)
- \Private\vdi.ini
4. On the command prompt, go to the \Program Files\Trend Micro\OfficeScan folder and run the command srvsvcsetup.exe setprivilege.
5. Restart the OfficeScan Master Service and WWW Publishing Service.

Restore the OfficeScan certificate by importing it during installation.
In the example above, certificate.zip is the file that needs to be selected to import the certificates.
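A sketch of step 2 of the manual backup with an integrity check added, so that the restore procedure can confirm the files are the ones that were saved. This is an added example, not part of OfficeScan: the manifest file name, the function names and the sample tree (including profile.dat and role.dat) are assumptions, all listed paths are assumed to sit under PCCSRV, and the script does not stop or start the OfficeScan Master Service.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Items from step 2 of the backup procedure, relative to the PCCSRV folder
# (the page lists the last three without the PCCSRV prefix; assumed to be under it).
CONFIG_ITEMS = [
    "Ofcscan.ini",
    "Private/Ofcserver.ini",
    "Ous.ini",
    "Private/PFW",                                # folder
    "Private/SortingRuleStore/SortingRule.xml",
    "Private/AuthorStore",                        # folder
    "Private/vdi.ini",
]
MANIFEST = "manifest.json"  # hypothetical name for the hash list


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _files_under(item):
    if item.is_dir():
        return sorted(p for p in item.rglob("*") if p.is_file())
    return [item] if item.is_file() else []


def backup_config(pccsrv, dest):
    """Copy the listed items to dest and record a SHA-256 for every file."""
    pccsrv, dest = Path(pccsrv), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest, missing = {}, []
    for rel in CONFIG_ITEMS:
        files = _files_under(pccsrv / rel)
        if not files:
            missing.append(rel)       # report instead of silently skipping
            continue
        for src in files:
            rel_file = src.relative_to(pccsrv).as_posix()
            target = dest / rel_file
            target.parent.mkdir(parents=True, exist_ok=True)
            digest = sha256_of(src)
            shutil.copy2(src, target)
            if sha256_of(target) != digest:
                raise IOError(f"copy of {rel_file} does not match the source")
            manifest[rel_file] = digest
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest, missing


def verify_backup(dest):
    """Before restoring, list files that are missing, modified or unexpected."""
    dest = Path(dest)
    manifest = json.loads((dest / MANIFEST).read_text())
    problems = []
    for rel_file, expected in sorted(manifest.items()):
        target = dest / rel_file
        if not target.is_file():
            problems.append((rel_file, "missing"))
        elif sha256_of(target) != expected:
            problems.append((rel_file, "modified"))
    known = set(manifest) | {MANIFEST}
    for path in sorted(p for p in dest.rglob("*") if p.is_file()):
        rel_file = path.relative_to(dest).as_posix()
        if rel_file not in known:
            problems.append((rel_file, "unexpected"))
    return problems


def build_sample_tree(root):
    """Constructed stand-in for a PCCSRV folder; contents are placeholders."""
    samples = {
        "Ofcscan.ini": "[INI_SERVER_SECTION]\n",
        "Private/Ofcserver.ini": "; placeholder\n",
        "Ous.ini": "; placeholder\n",
        "Private/PFW/profile.dat": "placeholder firewall profile\n",
        "Private/SortingRuleStore/SortingRule.xml": "<rules/>\n",
        "Private/AuthorStore/role.dat": "placeholder role\n",
    }  # vdi.ini is left out on purpose to show the 'missing' report
    for rel, text in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        source = build_sample_tree(Path(tmp) / "PCCSRV")
        saved, absent = backup_config(source, Path(tmp) / "backup")
        print(len(saved), "files saved; not found:", absent)
        print("problems before restore:", verify_backup(Path(tmp) / "backup"))
```

Keep a copy of manifest.json (or its hash) somewhere other than the backup location: a manifest stored beside the files detects accidental damage, but not a change by someone who can rewrite both.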
Saving the Agent Configuration Settings
1. Log on to the OfficeScan management console.
2. Go to Networked Computers > Agent Management.
3. To save the Global Domain settings, highlight the OfficeScan server domain. To save just the domain level setting, highlight only the subdomain. To save only a specific agent's setting, highlight the agent.
4. Once highlighted, select Settings > Export Settings.
5. Click the Export button and save the file.

Restoring the Agent Configuration Settings
1. Log on to the OfficeScan management console.
2. Go to Networked Computers > Agent Management.
3. To restore the Global Domain settings, highlight the OfficeScan server domain. To restore just the domain level setting, highlight only the subdomain. To restore only a specific agent's setting, highlight the agent.
4. Once highlighted, select Settings > Import Settings.
5. Browse to the previously saved DAT file that you want to restore, then click Import.
6. Check the option Apply to all Domains or Apply to all computers belonging to the selected domain(s).
7. Click the Apply to Target button.
Trend Micro OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. Behavior Monitoring and Device Control are some of the new OfficeScan features that proactively aim to prevent malware attacks. This document aims to increase knowledge about Behavior Monitoring and Device Control and help readers avoid potential issues during deployment.

Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating system or installed software. Behavior Monitoring is composed of the following sub-features:
- Malware Behavior Blocking
- Event Monitoring

Malware Behavior Blocking provides a necessary layer of additional threat protection from programs that exhibit malicious behavior. It observes system events over a period of time, and as programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.

A new option, Known and potential threats, provides a more aggressive scan mode that has a higher malware detection rate. Under this mode, the system queries DCE and Census. The product calls DCE to perform a memory scan and decides the scan action. It also queries the Census back-end server and then feeds back the action.
Path: \PC-cillinNTCorp\CurrentVersion\AEGIS
Key: EnableTDC (Value: 1-Aggressive; 0-Normal)

Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It uses a policy-based approach where system areas are monitored for certain changes, allowing administrators to regulate programs that cause such changes. If attempts to change the system are made, Event Monitoring will:
- Refer to the Event Monitoring policies and perform the configured action
- Notify the user or administrator

Use Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.
Administrators can choose to perform one of the following actions to respond to monitored events:
- Assess: Always allow processes associated with an event but record this action in the logs for assessment.
- Allow: Always allow processes associated with an event.
- Ask When Necessary: Prompts users to allow or deny processes that may have violated Behavior Monitoring policies. If selected, a prompt appears asking users to allow or deny the process and add it to the Allowed Programs or Blocked Programs. If users do not respond within the time period specified in the Behavior Monitoring settings screen, OfficeScan automatically allows the process to continue.
- Deny: Always block processes associated with an event and record this action in the logs.

Here is a sample log entry recorded when a process violated the Shell Modification event:

2012/2/12 12:31 ComputerName Shell Modification Assess Process Low C:\kh\notes\nlnotes.exe Create HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
The BM function works depending on the options below:
- Settings / Behavior Monitoring Settings / Enable Malware Behavior Blocking or Enable Event Monitoring
- Additional Service / Enable Unauthorized Change Prevention Service

Enabling the Malware Behavior Blocking setting
1. Go to Agent > Agent Management > Settings > Behavior Monitoring Settings.
2. Select the following options to enable Malware Behavior Blocking or Event Monitoring:
- Enable Malware Behavior Blocking for known and potential threats (workstation default: on; server default: off)
  - Known threats, the default option as provided by previous OfficeScan versions
  - Known and potential threats, a more aggressive scan mode
- Enable Event Monitoring (workstation default: on; server default: off)
3. Behavior Monitoring settings can be applied to specific entities in the client tree or to all entities (root). If you are applying settings to the root, select one of the following options:
- Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain (domains not yet created during configuration).
- Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.

Enabling Unauthorized Change Prevention Service
1. Go to Agent > Agent Management > Settings > Additional Services Settings.
2. Under the Unauthorized Change Prevention Service section, tick the option Enable service on the following operating systems.
To enable this feature on a server computer, select an individual server and go to Agent > Agent Management > Settings > Additional Services Settings.

In OfficeScan 11.0, AEGIS provides an enhancement called Light-Weight Solution, which focuses on agent self-protection, including the agent's services, processes and registry keys. The protection is enabled on the OfficeScan 11.0 server by default.
Device Control regulates access to external storage devices and network resources. Device Control helps prevent the propagation of malware on removable drives and network shares. Combined with file scanning, it helps guard against security risks.

Notification messages are displayed on the endpoints when device control violations occur. Administrators can modify the default notification message.

In OfficeScan 11.0, the Device Control function integrates both the AEGIS feature and the DLP feature to control storage devices. AEGIS device control and DLP device control play different roles. For instance, different privileges can be set on USB storage devices. AEGIS device control handles the following privileges: Modify, Read and execute, Read, and List device content only. The block privilege is handled by DLP Device Control. Furthermore, DLP Device Control supports one more device type: mobile devices. This includes smartphones and pads, and sync apps such as itunes and htcsync.
Device Control supports several kinds of devices. This section uses USB as an example to show how it works in the following environments:
- Only Aegis Device Control enabled
- Aegis + DLP Device Control
- Only DLP Device Control enabled

To activate this feature, the user must enable the Unauthorized Change Prevention Service (Agents > Agent Management > Settings > Additional Service Settings) and Device Control (Settings > Device Control Settings) for the OfficeScan agent. OfficeScan only monitors USB storage devices when the DLP module is not activated.

Here is what Device Control can do with a USB device:
- The Block the auto-run function on USB storage devices option lets OfficeScan prohibit USB storage auto-run. It does not permit USB storage to execute autorun.inf and pop up the content of the storage. Some viruses could use autorun.inf to infect the system.
- Select the permission for accessing USB storage devices. Device Control only provides the Full access, Modify, Read and execute, Read, and List device content only access permissions to choose from. For detailed information about the action of each permission, refer to Permissions for storage devices in OfficeScan Online Help.
- Use the Program List to exempt specified programs and certificate providers from the permission. Put local programs on storage devices into Programs with read and write access to storage devices to give them read and write access permission. For example, add c:\windows\system32\notepad.exe to the Programs with read and write access to storage devices list so users can open and modify it. For detailed usage of this functionality and how users can add the file path, refer to Advanced Permissions for Storage Devices Parent topic and Specifying a Program Path and Name in OfficeScan Online Help. Put programs on storage devices into Programs on storage devices that are allowed to execute so that users or the system can execute them.
- Select whether to display a notification message on the client computer when OfficeScan detects unauthorized device access.

If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
- Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
- Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
To enable this feature, the user must install the OfficeScan Data Protection plug-in and activate it, then enable the Unauthorized Change Prevention Service and Device Control for the OfficeScan agent. The UI of Device Control Settings is different from the previous one. The Block permission is activated by idlp.

This section focuses on the functions that idlp has added to Device Control Settings for USB devices. With Data Protection (idlp) installed, OfficeScan offers more functionality for USB access. Besides keeping the functions of Device Control, idlp adds the following items.

- Allow or block access to mobile devices. This means that idlp adds one control item for smartphones and pads. The major purpose of adding mobile devices is to allow idlp to disable access when people use a sync app (or do not use any sync tools) to connect a smartphone or pad.

豌豆荚

For the detailed list of supported mobile devices, refer to the Device Control Settings console and click Supported Device Models > Data Protection List.
- Allow or block access to the non-storage devices that the UI lists.
- Permissions for USB storage devices allows blocking access to USB storage devices. However, two permissions in this list, the Read and Block permissions, are controlled by idlp. Since idlp takes control of these two permissions, users can add a whitelist to them.

Select the Read permission and click Advanced permissions and notifications. This provides a way to add a specified device to the idlp whitelist by using its vendor, model, and serial ID from the system device management. If the device is in the whitelist, all access actions for this device are allowed.
Trend Micro also provides a tool called listdeviceinfo.exe that reports the parameters of a USB storage device. It shows the device information on a pop-up web page. Users can find listdeviceinfo.exe in the server folder ..\pccsrv\admin\utility.

To add the specified device, the vendor parameter is required on the page. However, if the system cannot read the device's vendor information, add * and the other parameters that listdeviceinfo provides. This also puts the device in the whitelist.

If users choose the Block permission, they can add specified USB storage devices to the whitelist by clicking Approved devices on the right side. Users can configure the permission (except Full access) they want for a device by clicking Advanced permissions and notifications. It also has the Program lists function for the devices.
When the Unauthorized Change Prevention Service is disabled while Device Control is enabled, only the functionality of idlp works. For USB storage devices, the following permissions in the list work: Full access, Read, and Block. The Advanced permissions and notifications of the Read permission all work properly. The Approved devices of the Block permission partly work: users can add the specified device to the whitelist (vendor, model, and serial ID), but cannot assign any permission to this device other than Full access. Since the other permissions are controlled by the Unauthorized Change Prevention Service, the Program list under Advanced permissions and notifications also cannot work.
If OfficeScan encounters a violation of USB access and the option Display a notification on endpoints when OfficeScan detects unauthorized device access is checked, the OfficeScan agent pops up an alert for this access action. The alert message looks similar to the following image:

Logs of the USB access violation will appear similar to the image below:
The Behavior Monitoring and Device Control features both use the Trend Micro Unauthorized Change Prevention Service (running under the process name TMBMSRV.EXE). These features use TMBMSRV.EXE to monitor for system events and check these events against rules to determine whether certain application activities are unwanted.

TMBMSRV.EXE delivers highly beneficial behavior-based security functionality, particularly the capability to check applications for suspicious behavior (Behavior Monitoring) and control access to storage devices (Device Control). Its monitoring mechanism, however, can strain system resources, especially when the computer is running applications that cause numerous system events. To prevent impacting system performance, Trend Micro recommends configuring OfficeScan so that these system-intensive applications are not monitored by TMBMSRV.EXE.

Running TMBMSRV.EXE and system-intensive applications on the same computer can affect system performance and disrupt critical applications. Thus, a properly managed deployment of Behavior Monitoring and Device Control is recommended. To ensure smooth deployment of OfficeScan with Behavior Monitoring and Device Control:
- Set up and deploy a pilot environment.
- Identify system-intensive applications.
- Add system-intensive applications to the Behavior Monitoring exception list.

Before performing a full-scale deployment, conduct a pilot deployment in a controlled environment. A pilot deployment provides an opportunity to determine how features work and, most importantly, how Behavior Monitoring and Device Control can affect your endpoints.
The pilot process should result in:
- Better understanding of the implications of deploying the new Behavior Monitoring and Device Control features
- Better understanding of applications that may conflict with these features
- List of applications that can be added to the Behavior Monitoring exception list

When setting up the pilot environment, prepare an environment that matches the production environment as closely as possible.
Ensure that the following are included in the pilot environment:
- Business applications
- Custom applications
- All network applications used by groups or individuals (such as payroll, inventory, accounting, and database applications)

Deploy the OfficeScan agents into the pilot environment with the features intended to be enabled. For example, Behavior Monitoring and Device Control may both be enabled. Allow the pilot environment to run for a reasonable amount of time (give sufficient "soak time") with the standard applications running and with average daily use.

Trend Micro provides a standalone performance tuning tool to help identify applications that could potentially cause a performance impact. The TMPerfTool tool, available from Trend Micro Technical Support, should run on a standard workstation image and/or a few target workstations during the pilot process to preempt performance issues in the actual deployment of Behavior Monitoring and Device Control.

To identify system-intensive applications:
1. Unzip the TMPerfTool.zip file.
2. Place the TMPerfTool.exe file in the OfficeScan default installation folder (%ProgramDir%/Trend Micro/OfficeScan agent) or in the same folder as the TMBMCLI.dll file.
3. Double-click TMPerfTool.exe.
4. Click Analyze when the system or applications start to slow down. If a red highlighted row appears, it means that TMPerfTool found the system-intensive process.
5. Select the highlighted row and click Exclude.
6. After excluding the process, verify if the system or application performance improves. If the performance improves, select the process row again and click Include.
7. If the performance drops again, it means you found a system-intensive application. Perform the following:
a) Note the name of the application.
b) Click Stop.
c) Click Report and save the .xml file in your specified folder.
d) Review the applications that have been identified as conflicting and add the applications to the Behavior Monitoring exception list.
The Behavior Monitoring exception list is a user-configurable list of approved and blocked programs that are not monitored by Behavior Monitoring and Device Control. These features automatically allow approved programs to continue. Approved programs are still checked by other OfficeScan features. Blocked programs are never allowed to run.

Trend Micro strongly recommends adding system-intensive applications to the Behavior Monitoring exception list to reduce the likelihood of performance issues. System-intensive applications can cause TMBMSRV.EXE to consume very high amounts of CPU resources and disrupt critical applications.

To add programs to the exception list:
1. Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
2. Type the full path of the program under Exceptions.
3. Click Approved Programs or Blocked Programs.
4. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
   - Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
   - Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
To prevent TMBMSRV.EXE from affecting performance, disable the service itself or disable both Behavior Monitoring and Device Control.

To disable Behavior Monitoring:
1. Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
2. Deselect the following options:
   - Enable Malware Behavior Blocking for known and potential threats
   - Enable Event Monitoring
3. If you selected domains or clients on the client tree, click Save to apply settings to those. If you selected the root icon, choose from the following options:
   - Apply to All Clients
   - Apply to Future Domains Only

To disable Device Control:
1. Go to Agents > Agent Management > Settings > Device Control.
2. Deselect Enable Device Control.
3. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
   - Apply to All Clients
   - Apply to Future Domains Only

Alternatively, disable Behavior Monitoring and Device Control by stopping the Trend Micro Unauthorized Change Prevention Service (TMBMSRV.EXE). Perform this task directly on each endpoint.
DLP agents should be deployed without any policies enabled. Test policies properly before pushing them out to the production environment. Poorly configured or untested policies may disrupt the daily work routine and can end with computers flooding the OfficeScan server with large numbers of false positives.

To determine the amount of disk space needed for the server, you must decide whether files need to be captured when a policy violation occurs. The files captured during a violation are referred to as forensic data. Capturing forensic data allows you to identify quickly why the alert occurred and whether it was a false positive. While the forensic data function is helpful when tuning policies, users can still gather this information by reviewing the alerts. The alerts contain the path to the file that triggered them.
The Data Protection module can be installed on a pure IPv6 Plug-in Manager. However, only the Device Control feature can be deployed to pure IPv6 agents. The Data Loss Prevention feature does not work on pure IPv6 agents.

To download and install the Data Protection module using Plug-in Manager:
1. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Download.
2. Once downloaded, click Install Now, or to install at a later time.
3. On the Plug-in Manager screen, go to the plug-in program section and click Manage Program. The Product License New Activation Code screen appears. Activating the OfficeScan Data Protection License is required right after the installation.

To deploy the Data Protection module to agents:
1. Go to Agents > Agent Management.
2. Select a domain or a specified agent and click Settings.
3. Deploy the module in two different ways:
   - Click Settings > DLP Settings.
   - Click Settings > Device Control Settings.
4. A message displays, indicating the number of agents that have not installed the module. Click Yes to start the deployment. OfficeScan agents start to download the module.
By default, the module is disabled on Windows Server 2003, Windows Server 2008, and Windows Server 2012 to prevent affecting the performance of the host machine. Data Protection now supports x64 environments.

Online agents install the Data Protection module immediately. Offline and roaming agents install the module when they become online. Users must restart their computers to finish installing Data Loss Prevention drivers. Inform users about the restart ahead of time.

In the agent tree, select a domain or an agent and check the Data Protection Status column. The deployment status should be "Running".

Exercise 1: On the OfficeScan client, open CMD with administrator privileges and run the command "sc query dsasvc". The state should be "Running".
Configure data identifiers first, then define your own Templates. Navigate to Agents > Agent Management > Select the targets > Settings > DLP settings.

Data identifiers include the following:
- Expressions are predefined regular expressions, like credit card number.
- File Attributes include File Type and File Size. For File Type, use true file type recognition or define extension. For File Size, it supports up to 2 GB; minimum must be over 0 bytes.
- Keywords can be added or imported.

Choose a data identifier or use a pre-defined data identifier. Afterwards, OfficeScan can import or export templates by doing any of the following:
- Go to Agents > Agent Management > Select the targets > DLP settings > Templates > Add > Add Template.
- Go to Agents > Data Loss Prevention > DLP Templates > Add.

A DLP policy is based on Templates, which are defined in the previous section.
1. Navigate to Agents > Agent Management > Select the targets > Settings > DLP settings > Policies.
2. Take the actions: Add a policy > select your template > Choose Channel.
3. Define an action for a policy.
   - Policy Block/Pass logic. A target may meet the conditions of multiple policies. During the scan, if any matching policy has the Block action defined, the target is blocked even if it also meets other policies with the Pass action defined.
   - Policy Additional Action. Each defined policy has its respective Additional Action applied by the administrator. If a target document meets n policy criteria, all n respective Additional Actions are applied to the target.
4. Click Save and then the Apply the settings to Agents button.
To investigate the forensic data blocked by OfficeScan, a Control Manager 6.0 server is required. Only users who have appropriate permission in the Control Manager server have access to forensic data. Follow the Control Manager Administrator's Guide to set up a Control Manager server.
1. Register OfficeScan 11.0 to the Control Manager server via Administration > Settings > Control Manager. A successful OfficeScan registration should show a page similar to the following:
2. In Control Manager, go to Directory > Products.
3. Expand the Local Folder > New Entity. The registered OfficeScan server should be displayed under the product tree:
4. Allow OfficeScan to record forensic data.
   a. Create a DLP policy by following the OfficeScan Online Help section about Creating a Data Loss Prevention Policy.
   b. Under the Action tab, make sure the Record data option is checked.
5. Check the forensic data.
6. Assign users who will have access to the DLP data by enabling the option Monitor, review, and investigate DLP incidents triggered by all users. In Active Directory, refer to the following to create user accounts: 1/dlp_investigation_abt/dlp_inv_admin_tasks/dlp_roles_abt.aspx
7. Log on with an account with DLP review permission to check the forensic data. Forensic data in the OfficeScan server is encrypted and placed in the folder ..\pccsrv\private\dlpforensicdata. The data will also be uploaded to the DLP Incident Investigation tab on the Control Manager Dashboard.
8. Widgets show the number of incidents detected. Click the number to see the details.
9. Click Edit on the Incident Information pop-up that you want to investigate. You can view the details of the incidents and download the blocked file:
10. Click the Incident Information link, which leads to the detailed logs of the incidents.
IPv6 support for OfficeScan starts in this version. Previous OfficeScan versions do not support IPv6 addressing. IPv6 support is automatically enabled after installing or upgrading the OfficeScan server and agents that satisfy the IPv6 requirements.

The IPv6 requirements for the OfficeScan Server are as follows:
- The server must be installed on Windows Server 2008 or higher. It cannot be installed on Windows Server 2003 because this operating system only supports IPv6 addressing partially.
- The server must use an IIS web server. Apache web server does not support IPv6 addressing.
- If the server will manage IPv4 and IPv6 agents, it must have both IPv4 and IPv6 addresses and must be identified by its host name. If a server is identified by its IPv4 address, IPv6 agents cannot connect to the server. The same issue occurs if pure IPv4 agents connect to a server identified by its IPv6 address.
- If the server will manage only IPv6 agents, the minimum requirement is an IPv6 address. The server can be identified by its host name or IPv6 address. When the server is identified by its host name, it is preferable to use its Fully Qualified Domain Name (FQDN). This is because in a pure IPv6 environment, a WINS server cannot translate a host name to its corresponding IPv6 address.

The agent must be installed on: Windows 7, Windows 8 or 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Vista. It cannot be installed on Windows Server 2003 and Windows XP because these operating systems only support IPv6 addressing partially.
The process starts with the OfficeScan server downloading update packages. The server can be configured to get updates from several locations:
- Trend Micro Active Update Server (Internet): This is the default method. It uses standard HTTP GET requests to download update packages from the Internet. This only requires the HTTP port (80) to be open from the OfficeScan server to the Internet. This can be triggered manually or on a scheduled basis (Hourly, Daily, Weekly, or Monthly). Recommended setting is Hourly.
- Trend Micro Control Manager (TMCM) server: Control Manager notifies the OfficeScan server when an update is available for download. OfficeScan will then check its Update Source (Updates > Server Update > Update Source) setting to know where it should download the package via HTTP. By default, the Update Source is set to the Internet (Trend Micro Active Update server). This can be pointed to the Control Manager server if desired (i.e. fqdn or ip address>/tvcsdownload/activeupdate).
- Custom Update Source (Other update source): This is similar to the Internet update method, except that the admin re-creates an Active Update (web) server and sets the OfficeScan server to point to the HTTP location (i.e. fqdn or ip address>/activeupdate). Control Manager and peer OfficeScan servers can service such requests.

When the update package has been downloaded, the OfficeScan server notifies its Update Agents first that a new package is available. The Update Agents then compare version information and download the package from their designated OfficeScan server as needed. The server waits for an acknowledgement command to verify or download/update process. If no acknowledgement is received, the OfficeScan server will wait to reach a timeout value before notifying the rest of its clients. The default timeout is 10 minutes and is configurable in the Timeout for Update Agent parameter using SvrTune.exe.

All communications are done through CGI commands via HTTP protocol. The OfficeScan server listens on its web server management port (typically 80 or 8080) while the Update Agents listen on their pre-configured port (randomly generated or manually defined during the OfficeScan Server installation).
Once the Update Agent notification process is completed, the OfficeScan Server notifies the rest of its clients. The notification process is done in batches. The number per batch is configurable in Maximum Client Connections using the SvrTune.exe (Tools > Administrative Tools > Server Tuner) utility.

Once notified, clients check for updates in the following order:
1. Update Agent
2. OfficeScan server
3. Trend Micro Active Update Server (Internet)

Privileges can be set to allow clients to update from the OfficeScan server when their Update Agent is unavailable. This setting is global and can be enabled under Updates > Client Deployment > Update Source > Update from OfficeScan server if all customized sources are not available or not found.

SvrTune.exe only controls the number of clients notified by the OfficeScan server at a given time after the OfficeScan server completed an update. When OfficeScan agents are the ones who initiate the update, for example via Scheduled Update, the OfficeScan server handles the client update requests, and those it cannot handle are queued in IIS for later processing. By default, IIS can process 256 CGI requests concurrently.

An individual client or a group of clients (OfficeScan domain) can also be given privileges to download updates directly from the Internet. Highlight the client or domain from the Clients main window and enable the option under Clients > Client Privileges/Settings > Update Settings > Download from the ActiveUpdate Server.

- Trend Micro Active Update Server (Internet): This is the default method. It uses standard HTTP GET requests to download update packages from the Internet. This only requires the HTTP port (80) to be open from the OfficeScan server to the Internet. This can be triggered manually or on a scheduled basis (Hourly or every 15 minutes). Recommended setting is Hourly.
- Trend Micro Control Manager (TMCM) server: Control Manager notifies the OfficeScan server when an update is available for download. OfficeScan will then check its Update Source setting to know where it should download the package via HTTP. By default, the Update Source is set to the Internet (Trend's Active Update server). This can be pointed to the Control Manager server if desired (i.e. fqdn or ip address>/tvcsdownload/activeupdate).
- Custom Update Source (Other update source): Similar to the Internet update method, except that the admin re-creates an Active Update (web) server and sets the OfficeScan Server to point to the HTTP location (i.e. fqdn or ip address>/officescan/download).
OfficeScan generates network traffic when the server and client communicate with each other. Server-initiated communications are mainly CGI commands sent through HTTP protocol and are only a few kilobytes in size. The clients, on the other hand, generate traffic as they upload information and pull component updates. Below is a summary of the different types of communications within OfficeScan.
- Notification on configuration changes
- Notification on component updates
- Client start-up information
- Uploading virus, event, firewall, and web reputation logs
- Infected files to be quarantined on the OfficeScan server (depends on quarantined file size)
- Downloading program and pattern file updates

The most significant data transfer is probably when a client performs a pattern file update. To reduce network traffic generated during this process, OfficeScan uses a feature called incremental updates. Instead of downloading the full pattern every time, only the differences (deltas) are downloaded for up to 14 previous versions for virus definitions and 7 previous versions for spyware, network, and damage cleanup patterns. These new patterns are merged with the old pattern file as they are received by the OfficeScan agent. An incremental pattern may range from 1 kilobyte to several megabytes (e.g. 3 MB) depending on the version increment, that is, how far the delta is from the latest version.

To further save WAN bandwidth, specific clients can be promoted to Update Agents to service peer clients. This means that each client won't have to individually pull incremental updates from the OfficeScan server. The Update Agent host replicates the complete engine and pattern packages (full version and increments). The engine and pattern packages are downloaded every time an update is available.

To verify the latest size, simply log in to the OfficeScan server and view the size property of the folders below:
- <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\Download\Engine
- <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\Download\Pattern
The Engine and Pattern subfolders in the OfficeScan server are copied over to the Update Agent host under the <drive>:\Program Files\Trend Micro\OfficeScan agent\ActiveUpdate folder.

For locations with limited bandwidth connectivity, an INI flag (UADuplicationOptValue) can be enabled in the OfficeScan server to change the behavior of the Update Agent. Instead of downloading the complete engine and pattern packages, only the latest increment (one version older) is downloaded. The Update Agent then generates its own full pattern file as well as the 7 incremental files.
1. Edit <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini.
2. Locate the parameter UADuplicationOptValue and set value to Save the changes on the INI file.
4. Go to OfficeScan management console > Clients > Global Client Settings.
5. Click Save.

Given:
- Incremental update is 300 KB
- Full compressed pattern is 45 MB

An Update Agent using regular incremental updates downloads the full pattern file and 7 incremental files from the OfficeScan server.
Total size downloaded = 7 x (300 KB incremental) + 45 MB full pattern = 2.1 MB + 45 MB = 47.1 MB

An Update Agent configured for Smart Duplicate downloads only one incremental, not the full pattern file, and generates its own full pattern and incrementals.
Total size downloaded = 300 KB
Therefore, it saves 46.8 MB of transfer over the WAN link.
OfficeScan 10.6 supports three types of VDI environment: Citrix XenServer, VMware vCenter Server, and Microsoft Hyper-V Platform. In OfficeScan 11.0, the following features have been added:
- VM Awareness: This prevents all VM clients on the same physical machine from performing an on-demand scan or component update at the same time.
- Whitelist Cache Mechanism: This reduces the scan time of on-demand scans.

When deploying VDI, the following tasks need to be completed on the Golden Image.
1. Copy the TcacheGen.exe utility to the Golden Image.
2. Use TcacheGen to create a whitelist of files and folders in the Golden Image. The tool scans the files and folders in the Golden Image and adds them to the OfficeScan Whitelist to reduce scanning load on the machine.
3. Use TcacheGen to clear the GUID key found in the OfficeScan agent registry hive: HKEY_Local_Machine\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\GUID.
4. Set the value of VDI=1 in the OfficeScan registry hive: HKEY_Local_Machine\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\MISC\.
5. Proceed to complete the Golden Image creation.

To install and configure VDI Support on the OfficeScan server:
1. Open the OfficeScan console and click Plug-in Manager.
2. Download and install the VDI Support component.
3. Click the Manage Program button to configure VDI Support.
4. Choose between VMware vCenter Server, Citrix XenServer, Microsoft Hyper-V Platform, or Other virtualization application. This will only simulate a virtual hypervisor.
5. Enter the server connection information.
6. Click the Save button.
7. Check the vdi_list.ini to confirm the setting is applied correctly.
8. Adjust the VDI parameters depending on the actual need. These parameters control the resource-intensive actions of the OfficeScan agent, namely On-Demand Scan and Component Updates.
The VDI.ini parameters' descriptions and their recommended values are:
To mitigate performance issues, comply with the best practices below when running OfficeScan 11.0 agents in a VDI environment.
- Set the scan mode to Smart Scan first, and then deploy the OfficeScan agent to VDI.
- Do not switch between Conventional Scan and Smart Scan on a VDI guest environment. A scan type change triggers a full pattern update immediately on the guest environment, causing disk I/O congestion if it occurs on multiple VM images at the same time.
- When the Smart Protection Server is offline, OfficeScan agents add files into a queue list (suspicious list). When the Smart Protection Server comes back online, all the machines perform a scan based on this list, which can cause performance issues. Make sure to have a backup Smart Protection Server to ensure that Smart Scan is available at all times.
- Pattern update rollback is very disk I/O intensive and should be done as seldom as possible.
- Take special caution when deploying program updates or hotfixes to VDI agents. Deploy to a few machines at a time to minimize performance impact.
- AEGIS should be disabled in a VDI environment, and this should be done when the golden image is prepared. This improves the performance in the VDI environment.
- Enabling or disabling the firewall should not be performed on all agents at the same time; otherwise it causes heavy disk I/O usage.
- If many agents are enabled to act as Update Agents at the same time, this causes heavy disk I/O and CPU usage and takes a long time to complete. Avoid enabling many agents to act as Update Agents at the same time.
- A newly installed agent might not appear in the server console agent tree because its GUID is a duplicate. To prevent this, log on to the OfficeScan console and perform Connection Verification under Networked Computers.
- Disable the Scheduled Scan because simultaneous scanning in several guest OSes causes the host machine performance to drop.
- In the OfficeScan console, go to Tools > Administrative Tools and use Server Tuner to configure the allowed concurrent pattern Update Agents to a small number. The suitable value depends on the HDD speed. Trend Micro recommends setting this value to 3 and then increasing it if the I/O usage is low during pattern update.
Central Quarantine Restore triggers the restoration of the quarantined files from the OfficeScan server. Below are some considerations:
- The quarantined viruses need to be available in the \Suspect\Backup folder of the OSCE agent program folder.
- You have to determine the file name, security threat, or path of the file from the virus logs. The following sample shows the mask for the file name of several files to restore.
- Central restore works from a single machine up to the domains/root level of the OfficeScan server.
- When selecting a file to restore, put the file in the exclusion list of the respective domain level. If you do NOT select this, the file will be restored properly but redetected at the next trigger.

Installing OfficeScan agent on Citrix server
1. Disable the Tray Icon. Many instances of the PccNTMon process will be created in the memory for each user logged in where the agent is installed.
2. On the OfficeScan management console, go to Agents > Agent Management.
3. Create a group for all Citrix Servers.
4. Click Manage Agent Tree > Add Domain. Move the Citrix servers to the group.
5. Select the group and click Settings > Privileges and other Settings > Other Settings tab.
6. Under Agent Access Restriction, select Do not allow users to access the agent console from the system tray or Windows Start menu.
7. Click Save.

Setting up TmPreFilter to run in MiniFilter-Mode
1. Open the Registry Editor.
2. Go to HKLM\SYSTEM\CurrentControlSet\Services\TmPreFilter\Parameters.
3. Change the value of the "EnableMiniFilter" (REG_DWORD) key to "1".
4. Close the Registry Editor and then restart the computer.

Changing the memory usage of the PagedPool
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
3. Change the value of the "PagedPoolSize" (REG_DWORD) key to "FFFFFFFF".
4. Close the Registry Editor and then restart the computer.

Excluding the files and folders
Exclude the following file extensions from scanning on a Citrix or Terminal server:
- *.LOG
- *.DAT
- *.TMP
- *.POL
- *.PF
Excluding IIS and Citrix Receiver processes
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList.
3. Create a new key named "Citrix ICA". This is the Citrix ICA Client remote desktop tool. Under this new key, create:
   Type: String value
   Name: ProcessImageName
   Value: wfica32.exe
4. Create a new key named "IIS". Under this new key, create:
   Type: String value
   Name: ProcessImageName
   Value: w3wp.exe
5. Close the Registry Editor.
6. Restart the OfficeScan NT Listener service.

To allow users to access the OfficeScan agent, publish the Citrix Server desktop through the Citrix Access Management Console (CMC). When published, users need to:
1. Launch the desktop from the Citrix client web interface.
2. In the Citrix desktop session, open the OfficeScan agent program from Start > Programs > Trend Micro OfficeScan Agent > OfficeScan Agent.
3. Launch the OfficeScan agent console from the system tray icon.
CSA installs drivers (Scan Engine, Firewall, TDI driver) and its services need to collaborate with these drivers. This means that some functions may appear to execute properly from the client console but may actually not run anything in the backend. This does not affect other programs published and streamed on the Citrix server.

A drive or folder on a computer running Windows 2003 contains a file infected with virus/malware and the drive or folder is mapped to the Citrix Server. When the infected file is opened during a Citrix client session, Real-time Scan may be unable to detect the virus/malware on the file if the mapped drive has the same drive name, for example (C:), in a multi-user environment. To resolve this issue:
1. Launch the desktop from the Citrix client Web interface.
2. Open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add the following value:
   Type: Multi-string value (REG_MULTI_SZ)
   Name: DependOnService
   Value: Cdm
3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters and add the following value:
   Type: DWORD value (REG_DWORD)
   Name: CitrixOn2003Support
   Value: Any number except zero
4. If you are using remote desktop, add the following value to the same key:
   Type: DWORD value (REG_DWORD)
   Name: MsRemoteDesktopSupport
   Value: Any number except zero
5. Restart the computer for the changes to take effect.
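The registry values prescribed above for the VDI golden image, for Citrix servers, and for the Windows 2003 mapped-drive workaround can be checked with a read-only audit before an image or server goes into production. The PowerShell below is an added example, not part of the Trend Micro guide: the role labels, rule names and function name are hypothetical, and it assumes GUID and VDI are registry values stored under the keys the guide lists.

```powershell
# Added example: read-only audit of registry values prescribed in this guide.
# Key paths, value names and expected data are copied from the guide's steps.
# Role labels, rule names and the function name are hypothetical.
# Assumption: GUID and VDI are values (not subkeys) under the listed keys.

$Checks = @(
    # VDI golden image: GUID cleared by TcacheGen, VDI flag set to 1.
    @{ Role = 'VdiGoldenImage'; Rule = 'Cleared'; Name = 'GUID'; Expected = ''
       Path = 'HKLM:\SOFTWARE\TrendMicro\Pc-cillinNTCorp\CurrentVersion' }
    @{ Role = 'VdiGoldenImage'; Rule = 'Equals'; Name = 'VDI'; Expected = '1'
       Path = 'HKLM:\SOFTWARE\TrendMicro\Pc-cillinNTCorp\CurrentVersion\MISC' }

    # Citrix server: MiniFilter mode, paged pool size, TmProxy process whitelist.
    @{ Role = 'Citrix'; Rule = 'Equals'; Name = 'EnableMiniFilter'; Expected = '1'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TmPreFilter\Parameters' }
    @{ Role = 'Citrix'; Rule = 'DwordHex'; Name = 'PagedPoolSize'; Expected = 'FFFFFFFF'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' }
    @{ Role = 'Citrix'; Rule = 'Equals'; Name = 'ProcessImageName'; Expected = 'wfica32.exe'
       Path = 'HKLM:\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\Citrix ICA' }
    @{ Role = 'Citrix'; Rule = 'Equals'; Name = 'ProcessImageName'; Expected = 'w3wp.exe'
       Path = 'HKLM:\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\IIS' }

    # Windows 2003 mapped-drive workaround for Real-time Scan.
    @{ Role = 'Citrix2003'; Rule = 'Contains'; Name = 'DependOnService'; Expected = 'Cdm'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TmPreFilter' }
    @{ Role = 'Citrix2003'; Rule = 'NonZero'; Name = 'CitrixOn2003Support'; Expected = 'non-zero'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters' }
)

function Test-OfficeScanRegistryBaseline {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('VdiGoldenImage', 'Citrix', 'Citrix2003')]
        [string[]]$Role
    )

    foreach ($check in ($Checks | Where-Object { $Role -contains $_.Role })) {
        $present = $false
        $actual  = $null

        # Read the value only if both the key and the named value exist.
        if (Test-Path -LiteralPath $check.Path) {
            $key = Get-Item -LiteralPath $check.Path
            if ($key.GetValueNames() -contains $check.Name) {
                $present = $true
                $actual  = $key.GetValue($check.Name)
            }
        }

        $ok = switch ($check.Rule) {
            # String comparison covers REG_SZ and small REG_DWORD values alike.
            'Equals'   { $present -and ([string]$actual -eq $check.Expected) }
            # Hex formatting sidesteps signed/unsigned DWORD differences.
            'DwordHex' { $present -and (('{0:X8}' -f $actual) -eq $check.Expected) }
            'NonZero'  { $present -and ($actual -is [int]) -and ($actual -ne 0) }
            # REG_MULTI_SZ comes back as a string array.
            'Contains' { $present -and (@($actual) -contains $check.Expected) }
            # A cleared value is either absent or empty.
            'Cleared'  { (-not $present) -or [string]::IsNullOrEmpty([string]$actual) }
        }

        [pscustomobject]@{
            Role      = $check.Role
            Key       = $check.Path
            Value     = $check.Name
            Expected  = if ($check.Rule -eq 'Cleared') { '(absent or empty)' } else { $check.Expected }
            Actual    = if ($present) { $actual -join ',' } else { '(not set)' }
            Compliant = [bool]$ok
        }
    }
}

# Example: audit a Citrix server and list only the settings that drift.
Test-OfficeScanRegistryBaseline -Role Citrix |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

The script only reads the registry, so it can run under a standard administrative session on the golden image or Citrix server without changing agent behavior.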
In a Citrix environment, when the OfficeScan agent detects a security risk during a particular user session, the notification message for the security risk displays on all active user sessions. A security risk can be any of the following:
- Virus/Malware
- Spyware/Grayware
- Firewall policy violation
- Web Reputation policy violation
- Unauthorized access to external devices

Trend Micro recommends disabling Update Now privileges from the OfficeScan web console. This prevents users from manually starting an update. Make sure, however, that scheduled updates and event-triggered updates are still in place. To disable Update Now privileges, do the following:
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the group, go to Settings > Privileges and other Settings > Privileges tab.
3. Under Component Updates, uncheck Perform Update Now and click Save.

Refer to section 7.6 Recommended Scan-Exclusion List for suggested files and directories to exclude.
Refer to section 7.7 Some Server Common Ports for recommendations on Citrix ports to open.
The following need to be configured as recommended to support Cisco Callmanager:

Configure Real-time Scan Settings
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Real-time Scan Settings.
3. In the Target tab, under the Scan Settings, configure Scan compressed files > Maximum layers = In the Action tab, uncheck the following:
   - Display a notification message on the client computer when virus/malware is detected
   - Display a notification message on the client computer when spyware/grayware is detected
5. Click Save.

Configure Client Privileges and Settings
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Privileges and Other Settings.
3. In the Privileges tab, uncheck the Display the Mail Scan tab on the client console and allow users to install/upgrade Outlook mail scan.
4. Click Save.

Configure Scan Exclusions
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Real-time Scan Settings.
3. In the Target tab, under the Scan Exclusion, enable the following:
   - Enable scan exclusion
   - Apply scan exclusion settings to all scan types
4. Add the following folders to the Scan Exclusion List (Directories):
   - Drive:\Program Files\Call Manager
   - Drive:\Program Files\Call Manager Serviceability
   - Drive:\Program Files\Call Manager Attendant
5. Click Save.
Configure Update Settings
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Updates > Agents > Automatic Update.
3. Uncheck Perform Scan Now after update (roaming agents excluded).
4. Click Save.

Turn off Scheduled Scan for Virus/Malware and Spyware/Grayware
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Scheduled Scan Settings.
3. Uncheck the following:
   - Enable virus/malware scan
   - Enable spyware/grayware scan
4. Click Save.

Disable OfficeScan Firewall
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Additional Service Settings.
3. Under Firewall Service, uncheck Enable service on the following operating systems and click Save.

Delay the startup of Realtime Scan service by making it dependent on Call Manager service
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add the following value:
   Type: Multi-string value (REG_MULTI_SZ)
   Name: DependOnService
   Value: <Type the name or names of the services that you prefer to start before this service with one entry for each line. The name of the service you would enter in the Data dialog box is the exact name of the service as it appears in the registry under the Services key.>
3. Restart the computer for the changes to take effect.
115 Database and encrypted type files should generally be excluded from scanning to avoid performance and functionality issues. Below are exclusions to consider depending on the type of machine you are installing the OfficeScan agent on. Pagefile.sys *.pst %systemroot%\system32\spool (replace %systemroot% with actual directory) %systemroot%\softwaredistribution\datastore (replace %systemroot% with actual directory) %allusersprofile%\ntuser.pol %Systemroot%\system32\GroupPolicy\registry.pol Refer to the Knowledgebase article: Appian Enterprise slows down or hangs when installed with OfficeScan or ServerProtect ( Refer to the Acronis article: Acronis Backup & Recovery: Exclude Program Folders and Executables from Security Programs ( For more information, refer to the following ARCserver articles: Antivirus Process and Folder Exclusions for ARCserve Backup ( CA ARCserve RHA best practices with regards to Anti-virus exclusion ( How to exclude Arcserve RHA spool folder from the antivirus scans ( ARCserve D2D (
116

C:\Program Files\Autodesk\Inventor 2013\Bin\Inventor.exe
C:\Program Files\Autodesk\Vault Professional 201\Explorer\Connectivity.VaultPro.exe
C:\Program Files\Autodesk\AutoCAD 2013\acad.exe
C:\Program Files\Autodesk\Inventor Fusion 2013\Inventor Fusion.exe
C:\Program Files\Autodesk\DWG TrueView 2013\dwgviewr.exe
C:\Program Files (x86)\autodesk\autodesk Design Review 2013\DesignReview.exe
C:\Program Files\Autodesk\Product Design Suite 2013\Bin\ProductDesignSuite.exe

For BlackBerry exclusions, refer to:
Anti-virus exclusions for the BlackBerry Enterprise Server
Anti-virus exclusions for BlackBerry Enterprise Service 10

Drive:\Program Files\Call Manager
Drive:\Program Files\Call Manager Serviceability
Drive:\Program Files\Call Manager Attendant

On Citrix systems, the following extensions have been causing performance problems. Exclude these file extensions to avoid any performance problems: *.LOG, *.DAT, *.TMP, *.POL, *.PF.

Below are the general Citrix exclusions:
*\Users\*\ShareFile\
*\Citrix Resource Manager\LocalDB
*\ICAClient\Cache
*\SoftwareDistribution\Datastore
117

*\System32\Spool
*\Users\*\ShareFile
*\Program Files (x86)\citrix\deploy
*\Program Files (x86)\citrix\independent Management Architecture
*\Program Files (x86)\citrix\radecache
*\Windows\System32\spool\PRINTERS

For more information, refer to the Citrix articles:
Citrix Guidelines for Antivirus Software Configuration
Citrix Consolidated List of Antivirus Exclusions

The data directory is used to store Domino messages. Repeated scanning of this folder while it is being updated with new messages is not an efficient way to scan locally stored . Use virus scanning applications such as ScanMail for Domino to handle viruses. By default, the Domino data directory for a non-partitioned installation is <drive>:\Lotus\Domino\Data.

Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications like ScanMail for Exchange to handle viruses. Installable File System (IFS) drive must also be excluded to prevent the corruption of the Exchange Information Store.

Exchange 5.5
<drive>:\EXCHSRVR\IMCData
<drive>:\EXCHSRVR\MDBData

Exchange 2000
<drive>:\EXCHSRVR\MDBData
<drive>:\EXCHSRVR\MTAData
<drive>:\EXCHSRVR\Mailroot
<drive>:\EXCHSRVR\SrsData
<drive>:\WINNT\system32\InetSrv
118

Exchange 2003
<drive>:\EXCHSRVR\MDBData
<drive>:\EXCHSRVR\MTAData
<drive>:\EXCHSRVR\Mailroot
<drive>:\EXCHSRVR\SrsData
<drive>:\WINNT\system32\InetSrv
<drive>:\EXCHSRVR\MdbDataUtility

Exchange 2007
Refer to this Microsoft article:

Exchange 2010
Refer to this Microsoft article:

Exchange 2013
Refer to this Microsoft article:

Refer to this Microsoft article: Review hardware and software requirements FAST Search Server 2010 for SharePoint

This option is best disabled. If it is enabled, it creates unnecessary network traffic when the end users access remote paths or mapped network drives. It can severely impact the user's experience. Consider disabling this function if all workstations have OfficeScan agent installed, and updated to the latest virus signature.
119

<drive>:\WINNT\SYSVOL
<drive>:\WINNT\NTDS
<drive>:\WINNT\ntfrs
<drive>:\WINNT\system32\dhcp
<drive>:\WINNT\system32\dns

Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
<drive>:\WINNT\system32\LogFiles
<drive>:\WINNT\system32\IIS Temporary Compressed Files

Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
<drive>:\inetpub\logs\

<drive>:\Program Files\Microsoft ISA Server\ISALogs
<drive>:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Data

Microsoft Lync 2010
Refer to this article: Specifying Antivirus Scanning Exclusions
120

Microsoft Lync 2013
Antivirus Scanning Exclusions for Lync Server 2013

<drive>:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager
<drive>:\Program Files\Microsoft Operations Manager 2005

<drive>:\Program Files\SharePoint Portal Server
<drive>:\Program Files\Common Files\Microsoft Shared\Web Storage System
<drive>:\Windows\Temp\Frontpagetempdir
M:\

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
Drive:\Windows\Microsoft.NET\Framework64\v \Temporary ASP.NET Files
Drive:\Users\ServiceAccount\AppData\Local\Temp
Drive:\Users\Default\AppData\Local\Temp
Drive:\Users\the account that the search service is running as\appdata\local\temp
Drive:\WINDOWS\system32\LogFiles
Drive:\Windows\Syswow64\LogFiles

For more information, refer to this article:
121

Drive:\Program Files\Microsoft Office Servers
Drive:\Program Files\Common Files\Microsoft Shared\Web Service Extensions
Drive:\Windows\Microsoft.NET\Framework\v \Temporary ASP.NET Files
Drive:\Documents and Settings\All Users\Application Data\Microsoft\SharePoint\Config
Drive:\Windows\Temp\WebTempDir
Drive:\Documents and Settings\the account that the search service is running as\local Settings\Temp\
Drive:\WINDOWS\system32\LogFiles

For more information, refer to

Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list. If it is necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.

<drive>:\WINNT\Cluster (if using SQL Clustering)
<drive>:\Program Files\Microsoft SQL Server\MSSQL\Data
Q:\ (if using SQL Clustering)
C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data

File extensions to exclude: .mdf, .ldf, .ndf, .bak, .tm

You can run antivirus software on a SQL Server cluster. However, you must make sure that the antivirus software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and interoperability. If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning:
Q:\ (Quorum drive)
C:\Windows\Cluster
122

%ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe
123

SMS\Inboxes\SMS_Executive Thread Name
SMS_CCM\ServiceData
SMS\Inboxes

<drive:>\WSUS
<drive:>\WsusDatabase
<drive:>\mssql$wsus

You can refer to the following Microsoft article for additional information:

MySQL main directory - <Drive>:\mysql\
MySQL Temporary Files - Uses the Windows system default, which is usually C:\windows\temp\

C:\Program Files\Novell\Zenworks
C:\Program Files\Novell\ZENworks\logs\ExternalStore
C:\Program Files\Novell\ZENworks\cache\zmd\ZenCache\metaData
C:\Program Files\Novell\ZENworks\cache\zmd

Exclude the following files: NalView.exe, RMenf.exe, ZenNotifyIcon.exe, ZenUserDaemon.exe, casa.msi, dluenf.dll, fileinfo.db, lcredmgr.dll, objinfo.db

Exclude the following extensions: .appstate, .log, .tmp, .zc

.dbf - Database file
124

.log - Online Redo Log
.rdo - Online Redo Log
.arc - Archive log
.ctl - Control files

C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-E
C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO
C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO Software GmbH
C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA-MICRO_Software_GmbH
C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA-MICRO
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\RA-MICRO

SAP ABAP or Java installs: \usr\sap\
SAP Content Server Install: \SAPDB\
SAP Printer Server: SAPSprint.exe
Servers where SAPGui is installed: lsagent.exe

During SAP installs or upgrades, it is recommended to exclude the base SAPinst directories and subdirectories:
..\program Files\SAPinst_instdir\
125

..\Smex\Temp
..\Smex\Storage
..\Smex\ShareResPool\

File Exclusions:
java.exe
notebook-express.exe
C:\WINDOWS\Prefetch\NOTEBOOK-EXPRESS.EXE*
C:\WINDOWS\Prefetch\JAVA.EXE*

Folder Exclusions:
*\smarttech
*\notebook-express-server
C:\Documents and Settings\*\Local Settings\Temp\Jetty*
C:\Program Files\SMART Technologies

~\Symantec\Backup Exec\beremote.exe
~\Symantec\Backup Exec\beserver.exe
~\Symantec\Backup Exec\bengine.exe
~\Symantec\Backup Exec\benetns.exe
~\Symantec\Backup Exec\pvlsvr.exe
~\Symantec\Backup Exec\BkUpexec.exe
126

Other file extension types that should be added to the exclusion list include large flat and designed files, such as VMware disk partition. Scanning VMware partitions while attempting to access them can affect session loading performance and the ability to interact with the virtual machine. Exclusions can be configured for the directories that contain the virtual machines, or by excluding *.vmdk and *.vmem files.

Backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume shadow copies have read-only access.

You can refer to the Knowledgebase article: Excluding Volume Shadow copies from OfficeScan agent realtime scans

It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service. Refer to this Microsoft article: A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003

Make sure the checkbox for "Do not scan the directories where Trend Micro products are installed" is enabled in WFBS's Exclusion List settings (Security Settings > Antivirus/Anti-spyware > Exclusions).
127
Quick Install Guide Lumension Endpoint Management and Security Suite 7.1 Lumension Endpoint Management and Security Suite - 2 - Notices Version Information Lumension Endpoint Management and Security Suite
Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015
Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this
2. Installation and System requirements
RELEASE NOTES F-Secure Anti-Virus for Windows Servers Version 9.00 build 333 Copyright 1993-2010 F-Secure Corporation. All Rights Reserved. Portions Copyright 2004 BackWeb Technologies Inc. This product
Administrators Help Manual
Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Installation Guide. Capacity Planner 3.0 EN-000688-00
Capacity Planner 3.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of
StreamServe Persuasion SP5 Control Center
StreamServe Persuasion SP5 Control Center User Guide Rev C StreamServe Persuasion SP5 Control Center User Guide Rev C OPEN TEXT CORPORATION ALL RIGHTS RESERVED United States and other international patents
Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started
Getting started Corporate Edition Copyright 2005 Corporation. All rights reserved. Printed in the U.S.A. 03/05 PN: 10362873 and the logo are U.S. registered trademarks of Corporation. is a trademark of
Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started
Getting started Symantec AntiVirus Corporate Edition Copyright 2004 Symantec Corporation. All rights reserved. Printed in the U.S.A. 03/04 10223881 Symantec and the Symantec logo are U.S. registered trademarks
Installation Notes for Outpost Network Security (ONS) version 3.2
Outpost Network Security Installation Notes version 3.2 Page 1 Installation Notes for Outpost Network Security (ONS) version 3.2 Contents Installation Notes for Outpost Network Security (ONS) version 3.2...
