http://docs.trendmicro.com




Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, and Deep Discovery Endpoint Sensor are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

© 2014 Trend Micro Incorporated. All Rights Reserved.

Document Part No.: APEM16387/140401
Release Date: May 2014
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product. Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base. Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com. Evaluate this documentation on the following site: http://docs.trendmicro.com/en-us/survey.aspx

Deep Discovery Endpoint Sensor 1.0 Installation Guide

Table of Contents

Preface
  Preface
  Documentation
  Audience
  Document Conventions
  Terminology

Chapter 1: Installation Considerations
  Server Considerations
  Server Requirements
  Dedicated Windows 2008 Server
  Server Performance
  Database Requirements
  Server Installation Checklist
  Agent Considerations
  Agent Requirements
  Local Agent Installation Considerations
  Remote Agent Installation Considerations
  Agent Installation Checklist
  Other Security Software
  Typical Deployment Scenario
  Unsupported IPv6

Chapter 2: Deep Discovery Endpoint Sensor Installation
  Deep Discovery Endpoint Sensor Server Installation
  Setup Flow
  Database Server
  Web Console
  Deep Discovery Endpoint Sensor Server Identification
  Listening Ports for Agent Communication
  Listening Port for Server Communication
  About the Web Console Admin Account Password
  Local Agent Installation
  Remote Agent Installation
  Deep Discovery Endpoint Sensor Server Uninstallation
  Local Agent Uninstallation
  Remote Agent Uninstallation

Chapter 3: Obtaining Technical Support
  Troubleshooting Resources
  Trend Community
  Using the Support Portal
  Security Intelligence Community
  Threat Encyclopedia
  Contacting Trend Micro
  Speeding Up the Support Call
  Sending Suspicious Content to Trend Micro
  File Reputation Services
  Email Reputation Services
  Web Reputation Services
  Other Resources
  TrendEdge
  Download Center
  TrendLabs

Index

Preface

Welcome to the Trend Micro Deep Discovery Endpoint Sensor Installation Guide. This document provides details related to the server and agent installation.

Note: Refer to the Deep Discovery Endpoint Sensor Administrator's Guide or Online Help for product overview and configuration.

Topics include:
- Documentation
- Audience
- Document Conventions
- Terminology

Documentation

The Deep Discovery Endpoint Sensor documentation includes the following:

TABLE 1. Deep Discovery Endpoint Sensor Documentation (DOCUMENTATION: DESCRIPTION)

Online Help: HTML files that provide "how to's", usage advice, and field-specific information. The Help is accessible from the Deep Discovery Endpoint Sensor web console.

Installation Guide: A PDF that discusses requirements and procedures for installing the Deep Discovery Endpoint Sensor server and agent.
  Note: Check your PDF reader settings to enable or disable links in the Deep Discovery Endpoint Sensor Installation or Administrator's Guide.

Administrator's Guide: A PDF that provides "how to's", getting started information, and Deep Discovery Endpoint Sensor server and agent management.

Readme file: A *.txt file that contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the Online Help or printed documentation.

Support Portal: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com

Check the latest version of the documentation at:
http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor/

Evaluate this documentation on the following site:
http://docs.trendmicro.com/en-us/survey.aspx

Audience

Deep Discovery Endpoint Sensor documentation is intended for the following users:

- Deep Discovery Endpoint Sensor administrators: Responsible for Deep Discovery Endpoint Sensor management, including the Deep Discovery Endpoint Sensor agent installation and management. These users are expected to have advanced networking and server management knowledge.
- Incident responders or information security (InfoSec) engineers: Responsible for investigating computer-related crimes within an organization. The skill level of these individuals ranges from advanced to expert.

Document Conventions

The documentation uses the following conventions:

TABLE 2. Document Conventions (CONVENTION: DESCRIPTION)

UPPER CASE: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, and options
Italics: References to other documents
Monospace: Sample command lines, program code, web URLs, file names, and program output
Navigation > Path: The navigation path to reach a particular screen. For example, File > Save means, click File and then click Save on the interface
Note: Configuration notes
Tip: Recommendations or suggestions
Important: Information regarding required or default configuration settings and product limitations
WARNING!: Critical actions and configuration options

Terminology

The following table provides the official terminology used throughout the Deep Discovery Endpoint Sensor documentation:

TABLE 3. Deep Discovery Endpoint Sensor Terminology (TERMINOLOGY: DESCRIPTION)

Server: The Deep Discovery Endpoint Sensor server program

Server endpoint: The host where the Deep Discovery Endpoint Sensor server is installed

Administrator (or Deep Discovery Endpoint Sensor administrator): The person managing the Deep Discovery Endpoint Sensor server

Web console: The user interface for configuring and managing Deep Discovery Endpoint Sensor server settings

Targeted attacks / advanced persistent threats (APTs) / advanced threats: A category of threats that pertain to computer intrusions by attackers that aggressively pursue and compromise chosen targets. APTs are often conducted in campaigns (a series of failed and successful attempts over time to get deeper and deeper into a target's network) and are thus not isolated incidents. In addition, while malware are typically used as attack tools, the real threat is the involvement of human operators who will adapt, adjust, and improve their methods based on the victim's defenses.

License activation: Includes the type of Deep Discovery Endpoint Sensor server installation and the allowed period of usage that you can use the application

Agent installation folder: The folder on the host that contains the Deep Discovery Endpoint Sensor agent files. If you accept the default settings during installation, you will find the installation folder at the following location: C:\Program Files\Trend Micro\ESE

Server installation folder: The folder on the host that contains the Deep Discovery Endpoint Sensor server files. If you accept the default settings during installation, you will find the installation folder at the following location: C:\Program Files\Trend Micro\Deep Discovery Endpoint Sensor

Chapter 1: Installation Considerations

This section provides an overview of the Deep Discovery Endpoint Sensor server and agent installation, including key considerations.

Topics include:
- Server Considerations
- Agent Considerations
- Other Security Software
- Unsupported IPv6

Server Considerations

This section provides details about what you should consider before installing the Deep Discovery Endpoint Sensor server.

Server Requirements

TABLE 1-1. Required Hardware and Software Components for Server Installation (REQUIRED HARDWARE/SOFTWARE COMPONENT: SPECIFICATIONS)

RAM: 2 GB minimum, 4 GB recommended
Available disk space: 10 GB minimum, 20 GB recommended
Operating system: Microsoft Windows 2008 R2 (64-bit)
Web server: Microsoft Internet Information Services (IIS) 7 with the following role services:
  - Static Content
  - Default Document
  - Directory Browsing
  - HTTP Errors
  - HTTP Redirection
  - ASP.NET
  - ASP
  - CGI
  - ISAPI Extensions
  - ISAPI Filters
  - Request Filtering
  - IIS Management Console
Web browser (for Deep Discovery Endpoint Sensor web console access):
  - Microsoft Internet Explorer 9 or later
  - The latest version of Google Chrome
  - The latest version of Mozilla Firefox

Dedicated Windows 2008 Server

The Deep Discovery Endpoint Sensor server only supports Windows Server 2008. When selecting a target server, consider the following:

- The CPU load the server can handle
- Other functions that the server performs

If the target server has other functions, choose another that does not run critical or resource-intensive applications.

Server Performance

Enterprise networks require servers with higher specifications than those required for small and medium-sized businesses.

Tip: Trend Micro recommends at least 2GHz dual processors and over 4GB of RAM for the Deep Discovery Endpoint Sensor server.

The number of agents that a single Deep Discovery Endpoint Sensor server can manage depends on several factors, such as available server resources and network topology. Contact your Trend Micro representative for help in determining the number of agents that your Deep Discovery Endpoint Sensor server deployment can manage.

Database Requirements

Deep Discovery Endpoint Sensor data must be stored in a SQL database. When you install Deep Discovery Endpoint Sensor on a server that does not have access to a Microsoft SQL Server in your environment, Setup provides the option to install Microsoft SQL 2008 Express. However, due to the limitations of SQL Express, large networks require a SQL server.

Tip: Trend Micro highly recommends using Microsoft SQL Server Standard or Enterprise Edition. SQL Express is suitable for testing purposes but not for production environments.

The default ID is sa. Deep Discovery Endpoint Sensor encrypts the password set during installation. For details, see Database Server.

Server Installation Checklist

- Obtain the following from Trend Micro:
  - Deep Discovery Endpoint Sensor server installer package
  - Full or trial version Activation Code
  For details about the available Deep Discovery Endpoint Sensor versions, refer to the Online Help or Administrator's Guide available at: http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor/
- Ensure that IIS 7 and all the necessary role services are installed.
- Check the required hardware and software specifications before installing the server. For details, see Server Requirements.
- Ensure that both IP address and DNS settings have been assigned to the target server.

Agent Considerations

This section provides details about what you should consider before installing the Deep Discovery Endpoint Sensor agent.

Agent Requirements

TABLE 1-2. Required Hardware and Software Components for Agent Installation (REQUIRED HARDWARE/SOFTWARE COMPONENT: SPECIFICATION)

RAM:
  - 512 MB minimum for Windows XP
  - 1 GB minimum for others
Available disk space:
  - 350 MB minimum for Windows XP or Windows 7
  - 1 GB minimum for Windows 2003 or 2008
Operating system:
  - Windows Vista SP1 (32-bit or 64-bit)
  - Windows XP Service Pack 3 (SP3) (32-bit)
  - Windows 7 (32-bit or 64-bit)
  - Windows Server 2003 (32-bit or 64-bit)
  - Windows Server 2003 R2 (32-bit or 64-bit)
  - Windows Server 2008 (32-bit or 64-bit)
  - Windows Server 2008 R2 (64-bit)

Local Agent Installation Considerations

To ensure that local installation can proceed:

- The agent installer, EndpointSensor.exe, found at <Deep Discovery Endpoint Sensor server installation path>\download\agent\, must be shared or copied to the target endpoint.
- Your firewall program must allow the port that agents will use to listen for server communications. The default port is 8081. Otherwise, use the value you have specified during installation.

Remote Agent Installation Considerations

Remote installation launches the agent Setup program from an endpoint while installing Deep Discovery Endpoint Sensor agent on another endpoint. When performing a remote installation, Setup checks if the target endpoint meets the requirements for agent installation.

To ensure that remote installation can proceed:

- Record the endpoint's host name and logon credentials (user name and password with administrator access).
- Enable the administrative shares on target endpoints. \\<endpoint's host name or IP address>\admin$ should be accessible. For details, see Enabling Administrative Shares.
- Ensure that target endpoints have IPv4 addresses. Endpoints that are using IPv6 addresses must also have IPv4 addresses. Installing the Deep Discovery Endpoint Sensor agent on a pure IPv6 endpoint is not supported.
- Check that your firewall program allows the Deep Discovery Endpoint Sensor communication ports. The default server ports are 8002 (fast port) and 8003 (slow port). The default agent port is 8081. You can specify your own values during the server installation. For firewall-related configurations, check with your network administrator or refer to your firewall program documentation.
- Verify that target endpoints meet the Deep Discovery Endpoint Sensor agent system requirements. For details, see Agent Requirements.

Enabling Administrative Shares

Procedure

Windows XP
  Change the local security policy Network access: Sharing and security model for local accounts to Classic - local users authenticate as themselves.

Windows 7
  a. Enable File and Printer Sharing through Control Panel > Network and Internet > Network and Sharing Center.
  b. Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  c. Add a new DWORD (32-bit) Value with the following settings:
     Name: LocalAccountTokenFilterPolicy
     Value data: 1
  d. Restart the computer.

Agent Installation Checklist

- Use the ping command to check whether the server can communicate with the agent. If there is no ping response, ensure that your firewall program allows network traffic between the server and agent. For details, check with your network administrator or refer to your firewall program documentation.
- The Deep Discovery Endpoint Sensor agent installer is available in the Deep Discovery Endpoint Sensor server installation folder (default is C:\Program Files\Trend Micro\Deep Discovery Endpoint Sensor\Download\Agent\).
- Check the required hardware and software specifications prior to installing the agent. For details, see Agent Requirements.
- Using IIS Manager, check whether the listening port is correctly set for each channel created for Deep Discovery Endpoint Sensor server. For details about the default port numbers, see Listening Ports for Agent Communication.
- Depending on how you will install the Deep Discovery Endpoint Sensor agent, refer to the following guidelines to help ensure a successful installation:
  - Local Agent Installation Considerations
  - Remote Agent Installation Considerations

Other Security Software

Deep Discovery Endpoint Sensor is designed to be compatible with Trend Micro solutions with the exception of the following products:

Important: Setup does not check for these incompatibilities, and will continue with the installation. Side effects caused by the incompatible program may prevent Deep Discovery Endpoint Sensor from functioning properly.

TABLE 1-3. Software Incompatibilities

DEEP DISCOVERY ENDPOINT SENSOR COMPONENT: Server; Agent
INCOMPATIBLE WITH: Trend Micro Safe Lock; Trend Micro Deep Security and Trend Micro Titanium

Typical Deployment Scenario

The following diagram illustrates a typical Deep Discovery Endpoint Sensor deployment.

Deep Discovery Endpoint Sensor 1.0 supports integration with Trend Micro Control Manager. Control Manager manages Trend Micro products and services at the gateway, mail server, file server and corporate desktop levels. The Control Manager web-based management console provides a single monitoring point for products and services throughout the network. Use Control Manager to manage several Deep Discovery Endpoint Sensor servers from a single location. For details, see the Control Manager documentation.

Unsupported IPv6

The communication between Deep Discovery Endpoint Sensor server and agents is through IPv4. Deep Discovery Endpoint Sensor 1.0 does not support a pure IPv6 environment. The Deep Discovery Endpoint Sensor server uses host names to identify endpoints having both IPv4 and IPv6 addresses. Agents using IPv6 addresses cannot connect to the server.
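The reachability items from Remote Agent Installation Considerations and the Agent Installation Checklist, gathered into one pre-flight script. This is an added example, not part of the Trend Micro guide or the product. Host names are constructed placeholders, the ports are the guide's defaults, and the TCP 445 probe assumes the admin$ share is served over SMB.

```powershell
# Added example (not from the Trend Micro guide). Run on the Deep Discovery
# Endpoint Sensor server under an account with administrator rights on the
# targets. Uses only cmdlets and .NET classes present in Windows PowerShell 2.0.
param(
    # Constructed placeholder hosts; replace with your own endpoints.
    [string[]]$Targets     = @('endpoint-01.example.test', '192.0.2.10'),
    [string]  $Server      = 'localhost',
    [int[]]   $ServerPorts = @(8002, 8003),   # guide defaults: fast port, slow port
    [int]     $AgentPort   = 8081,            # guide default agent listening port
    [int]     $TimeoutMs   = 2000
)

function Test-TcpPort {
    # True only if a TCP connection over IPv4 completes within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $family = [System.Net.Sockets.AddressFamily]::InterNetwork
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $family
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-IPv4Address {
    # IPv4 addresses a name resolves to; nothing for unresolvable or pure-IPv6 hosts.
    param([string]$HostName)
    try {
        $all = [System.Net.Dns]::GetHostAddresses($HostName)
    } catch {
        return @()
    }
    $v4 = [System.Net.Sockets.AddressFamily]::InterNetwork
    @($all | Where-Object { $_.AddressFamily -eq $v4 } |
        ForEach-Object { $_.IPAddressToString })
}

function Test-AgentTarget {
    param([string]$Target, [int]$AgentPort = 8081, [int]$TimeoutMs = 2000)
    $ipv4   = @(Get-IPv4Address $Target)
    $result = @{
        Target = $Target; IPv4 = ($ipv4 -join ', ')
        Ping = $false; Smb445 = $false; AdminShare = $false; AgentPortOpen = $false
    }
    if ($ipv4.Count -gt 0) {
        # A failed ping can also mean ICMP is filtered, so read it with Smb445.
        $result.Ping   = [bool](Test-Connection -ComputerName $Target -Count 1 -Quiet)
        $result.Smb445 = Test-TcpPort $Target 445 $TimeoutMs
        if ($result.Smb445) {
            # Evaluated with the current user's credentials, not the CSV's.
            $share = '\\' + $Target + '\admin$'
            $result.AdminShare = [bool](Test-Path $share -ErrorAction SilentlyContinue)
        }
        # Nothing listens on the agent port until the agent is installed, so
        # False is expected before deployment; afterwards it points at a firewall.
        $result.AgentPortOpen = Test-TcpPort $Target $AgentPort $TimeoutMs
    }
    New-Object PSObject -Property $result
}

# Server side: are the agent-facing channels listening on the expected ports?
$serverReport = foreach ($port in $ServerPorts) {
    New-Object PSObject -Property @{
        Server = $Server; Port = $port
        Listening = (Test-TcpPort $Server $port $TimeoutMs)
    }
}
$serverReport | Select-Object Server, Port, Listening | Format-Table -AutoSize

# Endpoint side: one row per target.
$Targets | ForEach-Object { Test-AgentTarget $_ $AgentPort $TimeoutMs } |
    Select-Object Target, IPv4, Ping, Smb445, AdminShare, AgentPortOpen |
    Format-Table -AutoSize
```

An empty IPv4 column marks a target that is unresolvable or IPv6-only, which the guide lists as unsupported. The server-port check run locally confirms only that IIS is listening, not that the firewall admits agents from other subnets.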

Chapter 2: Deep Discovery Endpoint Sensor Installation

This section provides details about the Deep Discovery Endpoint Sensor server and agent installation procedures.

Topics include:
- Deep Discovery Endpoint Sensor Server Installation
- Local Agent Installation
- Remote Agent Installation
- Local Agent Uninstallation
- Remote Agent Uninstallation

Deep Discovery Endpoint Sensor Server Installation

Before you begin

For details, see Server Installation Checklist.

Procedure

1. On the target server, launch the Deep Discovery Endpoint Sensor server Setup program (EndpointSensorSetup.exe).
   The Setup program checks for existing components, and then displays the License Agreement screen.
2. Specify the location where the Deep Discovery Endpoint Sensor server program will be installed.
   The default server installation path is C:\Program Files\Trend Micro\Deep Discovery Endpoint Sensor\. Identify the new installation path or use the default path. If the path does not exist, Setup creates it automatically.
3. Type the full or trial Activation Code for Deep Discovery Endpoint Sensor.
   For details about the available Deep Discovery Endpoint Sensor versions, refer to the Online Help or Administrator's Guide available at: http://docs.trendmicro.com/en-us/enterprise/deep-discovery-endpoint-sensor/
4. Specify the Deep Discovery Endpoint Sensor server settings.
   a. Configure the Database Server.
   b. Configure the Web Console.
   c. Configure the Deep Discovery Endpoint Sensor Server Identification.
   d. Set the Listening Ports for Agent Communication.
   e. Set the Listening Port for Server Communication.
5. Set the admin account password that you will use to log on to the web console. For details, see About the Web Console Admin Account Password.
6. Click Install.
7. Click Finish.
   Setup launches your default web browser, which allows you to access the Deep Discovery Endpoint Sensor web console. The web console shortcut becomes available on the desktop.

   FIGURE 2-1. Web Console Shortcut

   In addition, Setup displays the Deep Discovery Endpoint Sensor readme file.

What to do next

Check the IIS configuration to verify if the port is correctly set for each Deep Discovery Endpoint Sensor channel, and then install agents. For details, see Local Agent Installation Considerations.

Setup Flow

Setup prompts for the following information when installing the Deep Discovery Endpoint Sensor server.

TABLE 2-1. Setup Flow and Required Information (SEQUENCE: NEEDED INFORMATION)

1. None
2. None
3. The server's installation path.
4. The full or trial Activation Code for Deep Discovery Endpoint Sensor.
5. The database server settings, which Deep Discovery Endpoint Sensor uses to record investigations and agent information. For details, see Database Server.
6. The web server settings for the Deep Discovery Endpoint Sensor web console. For details, see Web Console.
7. The FQDN, host name, or IP address, which allows agents to identify the Deep Discovery Endpoint Sensor server. For details, see Deep Discovery Endpoint Sensor Server Identification.
8. The port numbers, which the Deep Discovery Endpoint Sensor server uses to communicate with agents. For details, see Listening Ports for Agent Communication.
9. The port number, which agents use to communicate with the Deep Discovery Endpoint Sensor server. For details, see Listening Port for Server Communication.
10. Set the password for the default admin account. The admin account is the account that you will use to log on to the Deep Discovery Endpoint Sensor web console.
11. None
12. None

Database Server

This screen defines how Deep Discovery Endpoint Sensor stores data used in investigations and agent configurations. The Deep Discovery Endpoint Sensor server installation establishes this connection as well as the user name and password for accessing the database. Select the type of database you have for your Deep Discovery Endpoint Sensor environment.

FIGURE 2-2. Configuring the Database Server

Procedure

- Install Microsoft SQL Express: If you do not have Microsoft SQL set up, the Setup program installs Microsoft SQL Server 2008 R2 SP2 - Express Edition.

  Tip: SQL Server Express is suitable only for a small number of connections. Trend Micro recommends using a SQL server instance for large networks monitored by Deep Discovery Endpoint Sensor.

- Use this SQL Server instance: Type the SQL Server (\Instance) that you want to use. To specify another SQL server, identify the server using its FQDN, IPv4 address, or NetBIOS name.

- User name and Password: The default user name is sa. Set the password that Deep Discovery Endpoint Sensor uses to access the database.

  Tip: Follow the guidelines below to select a secure password:
  - Use a long password. Trend Micro recommends using a password of at least 10 characters, but longer passwords are preferred.
  - Avoid names or words in dictionaries.
  - Use a combination of mixed-case letters, numbers, and other characters.
  - Avoid simple patterns such as 101010 or abcde.

If you select Install Microsoft SQL Express, a screen similar to the following appears:

FIGURE 2-3. Installing Microsoft SQL Server 2008 R2 SP2 - Express Edition

Web Console

Before you begin

Install the required IIS server and role services. For details, see Server Installation Checklist.

This screen defines how the network identifies your Deep Discovery Endpoint Sensor server connection. Accept the default settings or specify new settings.

FIGURE 2-4. Configuring the Web Console Settings

Procedure

- SSL port: Accept the default value (8000) or supply a new port number.
- Access the console using HTTP: Select to access the console using HTTP. By default, the Deep Discovery Endpoint Sensor web console can be accessed using HTTPS. If HTTP access is required, select this option.
- HTTP port: Accept the default value (8001) or supply a new port number. If changed, access the web console using that port.

Deep Discovery Endpoint Sensor Server Identification

This screen identifies how agents communicate with the Deep Discovery Endpoint Sensor server.

FIGURE 2-5. Configuring the Server Identification

Select a host address for agents to communicate with the server.

Important: The setting on this screen is irreversible. If there is a need to change the server ID at a later time, both the Deep Discovery Endpoint Sensor server and all registered agents must be reinstalled.

Procedure

- Fully qualified domain name (FQDN) or host name: Type the FQDN or host name of the Deep Discovery Endpoint Sensor server.
- IP address: Select from the list of available IPv4 addresses.

Listening Ports for Agent Communication

This screen identifies the ports that the Deep Discovery Endpoint Sensor server uses to listen for incoming agent communication.

FIGURE 2-6. Setting the Agent Communication Ports

Accept the default values or specify new ones.

Deep Discovery Endpoint Sensor Installation Procedure Fast port: Default is 8002. Slow port: Default is 8003. Listening Port for Server Communication This screen identifies the port that Deep Discovery Endpoint Sensor agents use to listen for incoming server communication. In addition, this screen also displays the default agent installation path. FIGURE 2-7. Setting the Server Communication Port 2-17

Procedure

- $ProgramFiles\TrendMicro\ESE: Default agent installation path.
- Port: Accept the default value (8081), or type a new one.

About the Web Console Admin Account Password

Deep Discovery Endpoint Sensor supports the following password characteristics:

- Must be 8 to 64 characters long
- Must be a combination of alphanumeric characters or these symbols: !@#$%^&*()_+=-
- Must not include any of these unsupported symbols: ><\" or space

Record the user name and password for future reference.

Tip: Follow the guidelines below to select a secure password:

- Use a long password. Trend Micro recommends using a password of at least 10 characters, but longer passwords are preferred.
- Avoid names or words in dictionaries.
- Use a combination of mixed-case letters, numbers, and other characters.
- Avoid simple patterns such as 101010 or abcde.

Local Agent Installation

Before you begin

For details, see Local Agent Installation Considerations on page 1-6.
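The admin account password rules and tips listed under About the Web Console Admin Account Password above can be checked before the installer is run. The following Python sketch is an added example, not part of the Trend Micro guide or product; it assumes the symbol list is an allowlist alongside ASCII letters and digits, and its function names and pattern heuristics are hypothetical.

```python
import re

# Hard rules as listed in "About the Web Console Admin Account Password".
# Assumption: "alphanumeric" means ASCII letters/digits and the symbol list is an allowlist.
ALLOWED_SYMBOLS = set("!@#$%^&*()_+=-")   # supported symbols
UNSUPPORTED = set('><\\" ')               # unsupported symbols, plus space
SEQ_RUN = 4   # assumption: 4+ consecutive characters (abcd, 4321) counts as "simple"


def has_simple_pattern(pw):
    """Heuristic for the tip's 'simple patterns such as 101010 or abcde'."""
    # A unit of 1-3 characters repeated three or more times in a row (101010).
    if re.search(r"(.{1,3})\1{2,}", pw):
        return True
    # A run of SEQ_RUN characters whose code points step by +1 or -1 (abcd).
    for i in range(len(pw) - SEQ_RUN + 1):
        steps = {ord(b) - ord(a) for a, b in zip(pw[i:], pw[i + 1:i + SEQ_RUN])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_admin_password(pw):
    """Return {'errors': [...], 'warnings': [...]}: errors = rules, warnings = tips."""
    errors, warnings = [], []
    if not 8 <= len(pw) <= 64:
        errors.append("length must be 8 to 64 characters")
    bad = sorted({c for c in pw if c in UNSUPPORTED})
    if bad:
        errors.append("unsupported characters: " + repr("".join(bad)))
    other = sorted({c for c in pw if not (c.isascii() and c.isalnum())
                    and c not in ALLOWED_SYMBOLS and c not in UNSUPPORTED})
    if other:
        errors.append("characters outside the supported set: " + repr("".join(other)))
    # Tips: recommended length, mixed character classes, no simple patterns.
    if len(pw) < 10:
        warnings.append("shorter than the recommended 10 characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in ALLOWED_SYMBOLS for c in pw)]
    if not all(classes):
        warnings.append("does not mix lower case, upper case, digits and symbols")
    if has_simple_pattern(pw):
        warnings.append("contains a simple repeated or sequential pattern")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for sample in ("k7#Qv9_mZp2!xB", "101010101010", 'Passw0rd"<>'):  # constructed
        print(sample, check_admin_password(sample))
```

The dictionary-word tip is not covered; that check needs a word list, which this sketch does not bundle.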

Procedure

1. On the target endpoint (for example, TMLS08R2-A), run cmd.exe as an administrator.
2. Issue the following command:

    C:\>EndpointSensor.exe

EndpointSensor.exe installs the agent program in the background.

What to do next

Log on to the Deep Discovery Endpoint Sensor web console, and verify whether the newly-installed agent is now listed in the Agents screen.

The following example indicates that TMLS08R2-A has successfully registered to the Deep Discovery Endpoint Sensor server:

Remote Agent Installation

Before you begin

For details, see Remote Agent Installation Considerations on page 1-7.

Procedure

1. On the Deep Discovery Endpoint Sensor server, go to <Deep Discovery Endpoint Sensor server installation path>\cmdtool\remote Helper\, and then open the following files:

- PCList.csv
- TargetedPCs.csv

Tip: Back up these files to protect your configuration in case the original files are damaged or deleted.

2. Insert the following information:

- Target endpoint's IP address or host name
- User name and password for a user account that has administrative rights that can access the target endpoint

Important: Do not modify the first lines of PCList.csv and TargetedPCs.csv.

FIGURE 2-8. Sample PCList.csv / TargetedPCs.csv Entry with 10.201.206.74 as a Target Endpoint

3. Launch command prompt (cmd.exe) using an administrator account, and then issue the following commands:

    C:\...\CmdTool\Remote Helper>RemoteHelper.exe TargetedPCs.csv ..\..\Download\Agent\install.zip

Results similar to the following appear:

FIGURE 2-9. Installing the Deep Discovery Endpoint Sensor Agent on Endpoint 10.201.206.74

Check Deploy.log and Targetpc.csv to determine whether the installation is completed successfully.

Based on the sample results above, an agent with the IP address of 10.201.206.74 is now listed in the Agents screen.

Deep Discovery Endpoint Sensor Server Uninstallation

Use the uninstallation program to safely remove the Deep Discovery Endpoint Sensor server from the computer.

Procedure

1. On the server hosting Deep Discovery Endpoint Sensor, click Control Panel > Programs and Features. Locate and double-click Deep Discovery Endpoint Sensor.
2. Follow the on-screen instructions. The server uninstallation program starts removing the server files. A confirmation message appears.
3. Click Finish to close the uninstallation program.

Local Agent Uninstallation

Procedure

1. On the target agent, run cmd.exe as an administrator.
2. Issue the following command:

    C:\>EndpointSensor_Uninstall.exe

The program uninstalls the agent program in the background.

The web console Agents screen should no longer list the host name and other information related to the uninstalled agent.

Remote Agent Uninstallation

Procedure

1. On the Deep Discovery Endpoint Sensor server, navigate to <Deep Discovery Endpoint Sensor server installation path>\cmdtool\remote Helper\, and then open the following files:

- PCList.csv
- TargetedPCs.csv

Tip: Back up these files to protect your configuration in case the original files are damaged or deleted.

2. Insert the following information:

- Target agent's IP address or host name
- User name and password for a user account that has administrative rights that can access the target agent

Important: Do NOT modify the first lines of PCList.csv and TargetedPCs.csv.

3. Launch command prompt (cmd.exe) using an administrator account, and then issue the following commands:

    C:\...\Remote Helper>RemoteHelper.exe TargetedPCs.csv ..\..\Download\Agent\uninstall.zip

The web console Agents screen no longer lists the host name and other information related to the uninstalled agent.

Chapter 3

Obtaining Technical Support

This chapter describes how to find solutions online, use the Support Portal, and contact Trend Micro.

Topics include:

- Troubleshooting Resources
- Contacting Trend Micro
- Sending Suspicious Content to Trend Micro
- Other Resources

Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Trend Community

To get help, share experiences, ask questions, and discuss security concerns with other users, enthusiasts, and security experts, go to:

http://community.trendmicro.com/

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.
2. Select a product or service from the appropriate drop-down list and specify any other related information. The Technical Support product page appears.
3. Use the Search Support box to search for available solutions.
4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/srfmain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Security Intelligence Community

Trend Micro cyber security experts are an elite security intelligence team specializing in threat detection and analysis, cloud and virtualization security, and data encryption.

Go to http://www.trendmicro.com/us/security-intelligence/index.html to learn about:

- Trend Micro blogs, Twitter, Facebook, YouTube, and other social media
- Threat reports, research papers, and spotlight articles
- Solutions, podcasts, and newsletters from global security insiders
- Free tools, apps, and widgets.

Threat Encyclopedia

Most malware today consists of "blended threats" - two or more technologies combined to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://about-threats.trendmicro.com/us/threatencyclopedia#malware to learn more about:

- Malware and malicious mobile code currently active or "in the wild"
- Correlated threat information pages to form a complete web attack story
- Internet threat advisories about targeted attacks and security threats
- Web attack and online trend information
- Weekly malware reports.

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone, fax, or email:

Address: Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014
Phone: Toll free: +1 (800) 228-5651 (sales); Voice: +1 (408) 257-1500 (main)
Fax: +1 (408) 257-2003
Website: http://www.trendmicro.com
Email address: support@trendmicro.com

Worldwide support offices:

http://www.trendmicro.com/us/about-us/contact/index.html

Trend Micro product documentation:

http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:

- Steps to reproduce the problem
- Appliance or network information
- Computer brand, model, and any additional hardware connected to the endpoint
- Amount of memory and free hard disk space
- Operating system and service pack version
- Endpoint agent version
- Serial number or activation code
- Detailed description of install environment
- Exact text of any error message received

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:

https://ers.trendmicro.com/

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.

TrendEdge

Find information about unsupported, innovative techniques, tools, and best practices for Trend Micro products and services. The TrendEdge database contains numerous documents covering a wide range of topics for Trend Micro partners, employees, and other interested parties.

See the latest information added to TrendEdge at:

http://trendedge.trendmicro.com/

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:

http://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.

TrendLabs

TrendLabs is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.

TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.

Learn more about TrendLabs at:

http://cloudsecurity.trendmicro.com/us/technology-innovation/experts/index.html#trendlabs