Worry-Free TM Remote Manager TM 1

Worry-Free TM Remote Manager TM 1 for Small and Medium Business Getting Started Guide for Resellers

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes and the latest version of the applicable user docementation which are available from Trend Micro's Web site at: http://www.trendmicro.com/download/default.asp Trend Micro, the Trend Micro t-ball logo, TrendLabs, Trend Micro Damage Cleanup Services, TrendSecure, Worry-Free, Worry-Free Business Security Advanced, Worry-Free Business Security, OfficeScan, PC-cillin, and ScanMail are trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Copyright 1998-2008 Trend Micro Incorporated. All rights reserved. Document Part No.: WREM13656/80523 Release Date: June 2008

The Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software. Detailed information about how to use specific features within the software are available in the online help file and the online Knowledge Base at Trend Micro s Web site. Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Contents Chapter 1: Chapter 2: Chapter 3: Chapter 4: Introduction What Is Worry-Free Remote Manager... 1-2 Worry-Free Remote Manager Features... 1-2 Live Security Status... 1-2 Live System Status... 1-3 Security Event Monitoring... 1-3 Network Management... 1-3 Reporting... 1-3 What s New in this Release... 1-4 Overall Infrastructure... 1-4 About CS/CSM and WFBS/WFBS-A... 1-5 Key Terminology... 1-5 About this Getting Started Guide for Resellers... 1-6 Getting Started Accessing the Console... 2-2 Web Browser Requirements... 2-2 Adding the Console URL to Trusted Sites... 2-3 Getting Help While You Work... 2-4 Modifying Your Company Profile... 2-4 Modifying Your Account... 2-5 Coordinating with the Customer... 2-6 Preparing the Service Infrastructure Overview... 3-2 Adding Customers... 3-2 Agent GUID... 3-3 Adding Additional Domains... 3-3 Adding Contacts... 3-4 Installing the Agent... 3-4 Verifying Agent Installation... 3-6 Agent Service... 3-6 Start Menu Shortcuts... 3-6 System Tray Icon... 3-6 Verifying Agent/Server Connectivity... 3-7 Viewing Installation Errors... 3-7 Understanding the Dashboard Dashboard Overview... 4-2 Normal Status Information... 4-3 Threat Status... 4-4 System Status... 4-5 Security Indicators... 4-5 i

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Chapter 5: Chapter 6: Chapter 7: Chapter 8: Monitoring Threat Status Outbreak Defense Status... 5-2 Alert Status... 5-2 Vulnerable Computers... 5-3 Computers to Clean... 5-3 Antivirus Status... 5-4 Virus Threat Incidents... 5-4 Action Unsuccessful... 5-4 Real-time Scan Disabled... 5-5 Anti-spyware Status... 5-5 Spyware/Grayware Threat Incidents... 5-6 Computer Restart Required... 5-6 Anti-spam Status... 5-6 Web Reputation Status... 5-7 Behavior Monitoring Status... 5-7 Network Virus Status... 5-8 Monitoring System Status License Status... 6-2 Update Status... 6-2 System Status... 6-3 Understanding Security Indicators / Events Security Indicators... 7-2 Understanding Events... 7-2 Assessment Indexes... 7-3 System Events... 7-4 Viewing Events... 7-4 Searching Events... 7-4 Using Event Display Rules... 7-5 Handling Events... 7-5 Changing Event Status... 7-6 Sending Notifications Manually... 7-6 Adding Event Notes... 7-6 Customizing Assessment Settings... 7-7 Subscribing to Event Notifications... 7-8 Customizing Notification Content... 7-8 Attaching Reports... 7-8 Listing Computers in Vulnerability Notifications... 7-8 Viewing Assessment History... 7-9 Managing Networks Viewing Managed Networks... 8-2 Menu Bar... 8-2 Network Tree... 8-2 Information Pane... 8-3 Adding Customers... 8-4 ii

Removing Customers... 8-4 Understanding Network Commands... 8-4 Submitting Network Commands... 8-6 Chapter 9: Chapter 10: Chapter 11: Managing Agents Managing Agents from the Server... 9-2 Verifying Agent/Server Connectivity... 9-2 Agent Status Types... 9-2 Submitting Agent Commands... 9-3 Managing Agents from the Managed Server... 9-4 Agent Status Messages... 9-4 Changing the Agent GUID... 9-5 Agent Configuration... 9-5 Agent Configuration Menu... 9-6 Configuration Tool Main Dialog... 9-7 Configuration Tool General Panel... 9-7 Removing Agents... 9-8 Removing Agents Locally... 9-8 Removing Agents Remotely... 9-10 Managing Reports Understanding Operational Reports... 10-2 Supported Report Formats... 10-2 Generating and Exporting Reports... 10-3 Subscribing to Reports... 10-3 Troubleshooting and Technical Support Issues Dealing (largely) with the WFRM Console... 11-2 Domain Tree not Visible after Installing the Agent... 11-2 Node on tree Cannot Be Expanded... 11-2 Page Cannot be Displayed... 11-2 Unable to Receive Notifications... 11-3 Incorrect Information on the Dashboard... 11-3 Unable to Deploy Commands... 11-3 Agent Status Is Abnormal... 11-3 Issues Dealing (largely) with the Agent:... 11-4 Agent Does Not Match the CS/CSM Version... 11-4 Unable to Connect to the Server... 11-4 Unable to Register with the Remote Server... 11-5 Other Issues... 11-5 Resetting a Lost Password... 11-5 Backing Up and Restoring Agent Settings... 11-5 Finding the Agent Build Number... 11-6 Using Internet Explorer to View Reports... 11-7 Known Issues... 11-7 Contacting Technical Support... 11-9 iii

Chapter 1 Introduction Welcome to the Worry-Free Remote Manager Getting Started Guide for Resellers. Worry-Free Remote Manager (WFRM) is a monitoring and management console designed to work with the following products: Client Server Security (CS) versions 3.5 or 3.6 Client Server Messaging Security (CSM) versions 3.5 or 3.6 Worry-Free Business Security (WFBS) (formally CS) version 5.0 Worry-Free Business Security Advanced (WFBS-A) (formally CSM) version 5.0 Note: The above products will be collectively referred to as "managed server(s)" in this document. It enables you to monitor the health of multiple managed networks. It also lets you manage critical security aspects of these networks. This chapter, which will introduce you to Worry-Free Remote Manager, discusses the following topics: What Is Worry-Free Remote Manager on page 1-2 Worry-Free Remote Manager Features starting on page 1-2 What s New in this Release on page 1-4 Overall Infrastructure on page 1-4 About CS/CSM and WFBS/WFBS-A on page 1-5 Key Terminology on page 1-5 About this Getting Started Guide for Resellers on page 1-6 1-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers What Is Worry-Free Remote Manager Worry-Free Remote Manager provides infrastructure for centrally managing security in small- to medium-sized networks protected by CS/CSM and WFBS/WFBS-A. It is hosted on regional Trend Micro Data Center servers where resellers obtain an account. Resellers can use Worry-Free Remote Manager to establish customer accounts, monitor customer networks, and manage security using the WFRM console. Worry-Free Remote Manager has a monitoring dashboard that allows administrators to look into the following aspects of network security: Virus, network virus, and spyware/grayware incidents Spam and phishing incidents Unauthorized computer changes Outbreak situations License and update status of security products Disk usage on desktops, servers, and Exchange servers Key security indicators Worry-Free Remote Manager also offers a view of managed networks and allows reseller administrators to issue commands to manage critical aspects of network security. Worry-Free Remote Manager Features Worry-Free Remote Manager allows reseller administrators to monitor and manage multiple CS/CSM and WFBS/WFBS-A -protected networks from a single console by communicating with an Agent that runs on the managed servers. In addition, it offers event monitoring based on key security indicators. Worry-Free Remote Manager offers the following features: Live Security Status Live System Status Security Event Monitoring Network Management Reporting Live Security Status The Worry-Free Remote Manager dashboard provides the status of the following aspects of network security: Outbreak Defense Antivirus Anti-spyware Anti-spam Network Virus Protection Behavior Monitoring Web Reputation Services 1-2

Introduction Worry-Free Remote Manager also provides details about these aspects including statistical data such as the number of infected computers and virus/malware incidents. Reseller administrators can also check detailed information including the names of affected computers or the threats. Live System Status Reseller administrators can check the following system-related aspects of network security through the Worry-Free Remote Manager dashboard: License usage for security products Update status of security components Disk usage status on desktops, servers, and Exchange servers Security Event Monitoring Worry-Free Remote Manager supports events-based monitoring of the following key security indicators: Number of computers infected by virus/malware and spyware/grayware Number of computers found with the same virus which can indicate that an internal outbreak is in progress Percentage of computers with outdated security components Network Management Worry-Free Remote Manager offers a structured view of managed networks and allows reseller administrators to issue commands and manage the following critical aspects of network security: Component updates and updates to the managed server Vulnerability assessment Automatic outbreak response Damage cleanup Firewall and real-time scan settings Manual scans Reporting In addition to notifications for security events, Worry-Free Remote Manager can automatically generate and send reports at regular intervals. The Worry-Free Remote Manager operational report provides the following information: Summary of computers in the domain and their update status Assessment results distribution for infection and outbreak indicators Latest assessment results for component currency indexes Summary of virus, spyware/grayware, spam, and network virus incidents Malware distribution Major threats and affected files and computers 1-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers What s New in this Release Worry-Free Remote Manager version 1.6 includes the following new features: Worry-Free Remote Manager now utilizes High Availability (HA - secondary computers that take over immediately should the primary computers fail) on the servers for a more robust system. Worry-Free Remote Manager now has the ability to manage Behavior Monitoring for WFBS and WFBS-A. Behavior Monitoring protects desktop and portable computers and servers from unauthorized changes to the operating system, registry entries, other software, or files and folders. Worry-Free Remote Manager now has the ability to manage Location Awareness for desktop and portable computers when these are managed by WFBS/WFBS-A. With Location Awareness, administrators can control security settings depending on how the desktop or portable computer is connected to the network: In Office or Out of Office. Overall Infrastructure Worry-Free Remote Manager consists of three basic parts: The Reseller The Trend Micro Data Center The Customer Network Reseller Trend Micro Data Center Internet Reseller WFRM Web Console Customer Network Data Center Engineer WFRM Servers Managed Server with WFRM Agent Internet FIGURE 1-1 Worry-Free Remote Manager Overall Architecture The reseller connects remotely to the Trend Micro Data Center (currently on four different continents around the world) through the Worry-Free Remote Manager console via the Internet. No installation of the console is required by the reseller. From the console, the reseller can administer customer Networks. 1-4

Introduction Each customer needs to be added and configured on the console by the reseller, and each CS/CSM and WFBS/WFBS-A server and Exchange server has an Agent installed which allows communication to and from the Worry-Free Remote Manager servers. The Agent runs on the CS/CSM and WFBS/WFBS-A servers inside the customer s network. The Agent sends information to the Trend Micro Worry-Free Remote Manager server where you can access the data from your console 24/7 using an Internet connection Before you can start Worry-Free Remote Manager services, you must identify the computer where the managed server resides and install the Agent. This can be accomplished remotely from the WFRM console. About CS/CSM and WFBS/WFBS-A Client Server Security (CS) and Worry Free Business Security (WFBS) are comprehensive, centrally-managed solution for small- and medium-sized business. CS and WFBS provides client-side antivirus and firewall protection for desktops and servers. Client Server Messaging (CSM) and Worry Free Business Security Advanced (WFBS-A) includes the same features as CS and WFBS but provides an anti-spam solution for mail servers running Microsoft Exchange Server. Both CS/CSM and WFBS/WFBS-A include a server-side component for monitoring and managing client protection from a central location. Worry-Free Remote Manager monitors and manages CS/CSM and WFBS/WFBS-A -protected networks by communicating with an Agent that runs on the CS/CSM and WFBS/WFBS-A server(s). Note: Version 5.0 of Client Server Security (CS) and Client Server Messaging (CSM) have been renamed to Worry Free Business Security (WFBS) and Worry Free Business Security Advanced (WFBS-A). Key Terminology Knowing the following terms can help you work with this product more efficiently: Agent installed on CS/CSM and WFBS/WFBS-A servers, this small program allows the Worry-Free Remote Manager to monitor and manage customer networks through CS/CSM and WFBS/WFBS-A. New Agent types can allow the console to monitor and manage other security products. Assessment regular checks done on data collected from customer networks to determine the health of monitored networks; these checks use key indicators called assessment indexes. Assessment indexes the basis for security assessments; reseller administrators can customize these indexes individually to control assessment intervals, ranges, and notifications. Client/Server Security Agent (CSA) The Trend Micro Agent that reports to the CS/CSM and WFBS/WFBS-A server. The CSA sends event status information in real time. Agents report events such as threat detection, Agent startup, Agent shutdown, start of a scan, and completion of an update. The CSA provides three methods of scanning: Real-time Scan, Scheduled Scan, Manual Scan. Configure scan settings on Agents from the Web console. Dashboard the dashboard in Worry-Free Remote Manager is the leftmost, main page that displays a summary of each network aspect that the console monitors. Detection the discovery of a threat; a detection does not constitute a system infection, but simply indicates that malware has reached the computer. The detection of the same threat on different computers can constitute an outbreak. 1-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Domain a grouping defined for administrative purposes; currently, each domain is associated with a single Agent running on a CS/CSM and WFBS/WFBS-A server. Event the occurrence of a condition in a monitored domain; the results of assessments trigger events which can be customized. Reseller administrators can also configure the console to send notifications when certain events occur. Infection the condition in which a threat is able to run its payloads in a computer; Worry-Free Remote Manager considers an infection to have occurred whenever the antivirus scanner detects a virus/malware and is unable to clean, delete, or quarantine the threat. A spyware/grayware infection occurs when the computer cannot be completely cleaned unless it is restarted. Messaging Security Agent (MSA) The Trend Micro Agent that resides on Microsoft Exchange Servers and reports to CSM and WFBS-A servers. This Agent protects against virus/malware, Trojans, worms and other threats. It also provides spam blocking, content filtering, and attachment blocking. Plug-in a software program that installs on top of another software program to add functionality or customize the program for specific tasks; Worry-Free Remote Manager is a plug-in to Information Center. Providers generic term used in Information Center to refer to organizations that directly provide security monitoring and management services to customers; in Worry-Free Remote Manager; providers are referred to as resellers. Reseller administrators administrators in the reseller side that perform service-related tasks using Worry-Free Remote Manager. Trend Micro Data Center the Trend Micro monitoring and management center that hosts Worry-Free Remote Manager servers and provides support to reseller administrators. Security Server the CS/CSM and WFBS/WFBS-A server computer. Virus alert a state of vigilance that is declared by TrendLabs to prepare customer networks for a virus outbreak; TrendLabs alerts different Trend Micro products and delivers preventive solutions that IT administrators can implement as a first line of defense before a pattern becomes available. Virus outbreak the rapid propagation of a virus threat to different computers and networks; depending on the prevalence of the threat, an outbreak can be internal, regional, or global. About this Getting Started Guide for Resellers This manual guides the Worry-Free Remote Manager administrator when providing monitoring and management services for customers. This guide covers the following tasks: Setting up the service infrastructure Monitoring network security and system health Managing networks using supported commands Event tracking, configuration, and notifications management Report generation and subscription maintenance Trend Micro also provides the following documentation with this service: Online Help covers concepts, tasks, and interface items; accessible through the user interface Quick Start Card for Resellers quick overview of Worry-Free Remote Manager and reseller tasks Agent Installation Guide performing and troubleshooting Agent installation Agent Readme includes late breaking news, installation instructions, and known issues 1-6

Chapter 2 Getting Started Before you start using Worry-Free Remote Manager, ensure that you can access it without problems. Also, ensure that your customers understand the capabilities of the console and how you can use it to monitor and manage their networks. This chapter discusses the following topics: Accessing the Console on page 2-2 Getting Help While You Work on page 2-4 Modifying Your Company Profile on page 2-4 Modifying Your Account on page 2-5 Coordinating with the Customer on page 2-6 2-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Accessing the Console You access the Worry-Free Remote Manager console using a Web browser. The console URL varies between regions, but you can access all the regional consoles through a central landing page at: http://wfrm.trendmicro.com FIGURE 2-2 Worry-Free Remote Manager central landing page. After selecting the appropriate region, use the logon credentials that Trend Micro provides with the signing of a reseller agreement. Web Browser Requirements To access the console without problems, ensure that you have a supported and properly configured Web browser as follows: Your Web browser is Internet Explorer 6 SP1, 6 SP2, or 7. You have added the console URL to your list of trusted sites in Internet Explorer. See Adding the Console URL to Trusted Sites on page 2-3 for instructions. Your Internet Explorer security level for Trusted sites is set to Medium or a lower level. A more restrictive security level may prevent the console from displaying correctly. 2-2

Getting Started FIGURE 2-3 Internet Explorer 6.0 security settings Pop-up blockers on your Web browser have been disabled or set to allow pop-ups from the console URL. Pop-up blockers can prevent some of the console s pop-up windows from opening. Adding the Console URL to Trusted Sites Add the console URL to your list of trusted sites in Internet Explorer to ensure that you can access all the console screens and features properly. To add the console URL as a trusted site in Internet Explorer: 1. Open Internet Explorer. 2. Click Tools > Internet Options. 3. In the Internet Options window, click the Security tab. 4. Select the Trusted sites zone. 5. Click Sites. The Trusted Sites window opens. 6. In Add this Web site to the zone, type the console URL and click Add. FIGURE 2-4 Internet Explorer 6.0 Trusted sites 2-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers 7. Click OK to close the Trusted sites window. 8. Click OK in the Internet Options window. Getting Help While You Work Worry-Free Remote Manager provides two types of help general help and context-specific help. To get context-specific help on the current screen, click the blue screen help icon at the upper right corner below the menu bar. For general help, select Contents and Index from the drop-down list at the upper right corner above the menu bar. General help Screen help FIGURE 2-5 Different methods to access help in the console Modifying Your Company Profile You can modify your company s name, description and logo in Worry-Free Remote Manager. The console uses this information to customize customer-facing material which can include reports and notifications. Your company logo also replaces the default logo shown in the console banner beside the Trend Micro logo as shown below. 2-4

Getting Started FIGURE 2-6 Your Company Logo To modify your company profile: 1. Click Administration > Reseller Profile. 2. Modify the name and description. To change the logo, click the displayed logo image in the Reseller Profile tab. 3. In the pop-up window, type the path of the image file or click Browse to navigate local folders and select the image file. The logo image should be a.png,.jpg,.jpeg, or.bmp image with dimensions of 250x50 (width x height) pixels or less. Tip: To reset to the default logo, click Reset in the pop-up window. 4. Click Upload. 5. A message prompts you to log off to implement the logo change. Do either of the following: Click OK to log off. Click Cancel to stay logged on. The banner logo will update on your next logon. Modifying Your Account You can modify some details of your account, including changing your password, preferred interface language, and contact information. To modify the details of your account: 1. Click Administration. 2. Click My Account. 3. Modify the details as necessary. Tip: For information on the fields, click the screen-level help button. 4. Click Save. 2-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Coordinating with the Customer Monitoring and managing your customer s network through Worry-Free Remote Manager provides many benefits for your customer. However, just like other remote management activities, actions made on the console can drastically affect the managed network. Before you start providing services, make sure that you have your customer s consent to do the following remote management and monitoring activities: View the list of computers on their network View the following security information: Virus, spyware/grayware, and network virus detections Names and the number of infected computers File names of infected files Email addresses that have received infected files Patch information for known vulnerabilities License and system information on CS/CSM security products Send notifications to individuals within the customer organization Run the following actions: Deploying security components Starting Vulnerability Assessment scans Starting or stopping Damage Cleanup Services Starting or stopping manual scan Update the CS/CSM server Start or stop Outbreak Defense Configure the following settings: Automatic deployment of Outbreak Defense Real-time scan settings Firewall settings Location Awareness Behavior Monitoring Web Reputation 2-6

Chapter 3 Preparing the Service Infrastructure To provide Worry-Free Remote Manager services to customer networks, you need to prepare the service infrastructure. This chapter presents the following: Overview on page 3-2 Adding Customers on page 3-2 Agent GUID on page 3-3 Adding Additional Domains on page 3-3 Adding Contacts on page 3-4 Installing the Agent on page 3-4 Verifying Agent Installation on page 3-6 Verifying Agent/Server Connectivity on page 3-7 Viewing Installation Errors on page 3-7 3-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Overview In general, preparing the service infrastructure involves: 1. Adding a new customer to the WFRM console 2. Adding at least one domain to the customer (saving the unique GUID to be used by the Agent) 3. Adding at least one customer contact 4. Installing the Agent on the customer s server 5. Entering the GUID on the Agent Adding Customers To allow a customer to receive Worry-Free Remote Manager services, first add the customer to the WFRM console. You should identify basic customer information before you create the customer account. This includes: Customer name as it will appear on reports and notifications Customer description Domain of the CS/CSM or WFBS/WFBS-A server(s) where the Agent will be installed Note: Before you add a customer and install the Agent on the managed server, make sure you have written approval to perform tasks to access, monitor, and manage the customer's resources. See Coordinating with the Customer on page 2-6. To add a customer: 1. Click Customers. 2. Ensure that My Customers is selected in the left pane. 3. Click the All Customers tab in the right pane. FIGURE 3-7 All Customers tab 4. Click Add. 5. Type the name and a description of the customer. WARNING! Do not use the characters in the parentheses (< &? \). 3-2

Preparing the Service Infrastructure 6. Click Save. Worry-Free Remote Manager automatically creates a default domain for the new customer and opens the Domain Profile tab for the domain. Note: Save the globally unique identifier (GUID) from the Domain Profile tab. The GUID is required during the installation of the Agent on the managed server (This information is always available from the Agent section of the Domain Profile tab). See Installing the Agent on page 3-4. 7. On the Domain Profile tab, modify the domain information as necessary and click Save. Agent GUID To distinguish between WFRM Agents, WFRM assigns a globally unique identifier (GUID) to each Agent. The person who installs the Agent on the managed server must input the GUID during installation to allow the Agent to register to the console. This GUID is always available under Customers > My Customers > {customer} > {customer domain} (all on the tree on the left) > Domain Profile (on the right) Example of a WFRM Agent GUID: 4F6F0F8697C9-A1FFCF63-D833-84D9-1C35 Adding Additional Domains All managed networks contain at least one domain. When you add a customer, Worry-Free Remote Manager automatically creates a default domain for the customer. Additional domains can be added. Each domain contains a managed server and all the groups and computers managed by this server. Domains are the largest administrative divisions that can receive commands. To add a domain to a managed network: 1. Click Customers. 2. In the left pane, click (+) beside My Customers. The network tree expands. 3. In the expanded network tree, click the name of the customer. 4. In the right pane, click the Domains tab. FIGURE 3-8 Domains tab for the selected customer 5. Click Add. 6. Type a name and description for the domain. 7. Ensure that the Domain status is set to Enabled. 3-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers 8. Select the CS/CSM service (the only service currently provided through Worry-Free Remote Manager. CS/CSM in this context is also used for WFBS/WFBS-A). 9. Click Save. Adding Contacts To subscribe to event notifications and regular reports, users in your customer s organization need to be added as contacts (this step is not required to actually install the Agent). To add a contact: 1. Click Customers. 2. In the network tree in the left pane, click the (+) next to My Customers. 3. In the expanded network tree, select the name of the customer. 4. In the right pane, click the Contacts tab. 5. Click Add. 6. In New Contact, provide the requested information. For a user to receive notifications through a particular communication medium, such as email or MSN, you must provide contact information for the medium. 7. Click Save. Installing the Agent Note: Typically, the network administrator on the managed network handles the Agent installation. Provide these instructions to the network administrator with all the necessary information (This information is also included in the "Trend Micro Worry-Free Remote Manager Agent Installation Guide"). Worry-Free Remote Manager monitors and manages protected networks. It does this by communicating with an Agent that is installed on servers on the managed network. The performance of WFRM depends highly on the proper installation and health of the Agent. Before installing the Agent, you will need the following: The customer and domain must have already been registered on the WFRM server. Agent GUID (available on the Domain Profile under Customers > My Customers > {customer name} > {customer domain} on the WFRM console) Agent installer (WFRMAgentforCSM.exe) The fully qualified domain name (FQDN) of the Worry-Free Remote Manager communication server. The FQDN varies in each region as follows: Asia Pacific - wfrm-apaca.trendmicro.com Europe and the Middle East - wfrm-emeaa.trendmicro.com Latin America - wfrm-lara.trendmicro.com North America - wfrm-usa.trendmicro.com 3-4

Preparing the Service Infrastructure The managed server must meet the following requirements: CS/CSM 3.5/3.6 or WFBS/WFBS-A 5.0 Active Internet connection 50MB available hard disk space To install the Agent: 1. Copy the Agent installation file (WFRMAgentforCSM.exe) to the managed server (you should have received a link to this file when you signed up to use the WFRM service). 2. Open the installation file. 3. The InstallShield Wizard welcome screen opens. Click Next. 4. The License Agreement screen opens. Read the license agreement carefully. If you disagree with the terms of the license agreement, click Cancel to exit the installation. If you agree with the terms, click I accept the terms of the license agreement and click Next. 5. Provide your name and the name of your company and click Next. A pop-up opens informing you of the managed server version and the Agent version. Click OK. 6. The Installation Location screen opens. To use the default location, click Next. 7. Provide the FQDN of the Worry-Free Remote Manager server that corresponds to your region in the Server address field. 8. Select a communication protocol and port, either HTTP on port 80 or HTTPS on port 443. HTTPS is recommended (Do not click HTTP authentication; it is not being used at this time). Click Next. 9. If the managed server uses a proxy server to connect to the Internet, specify the necessary settings. Click Next. 10. Type the GUID (see Agent GUID on page 3-3). Click Next. 11. Review the installation settings and click Next. 12. Click Finish to close the wizard after installation completes. If the installation is successful and settings are correct, the Agent should automatically register to the Worry-Free Remote Manager server. The Agent should show as online on the WFRM console. See Verifying Agent Installation on page 3-6 and Verifying Agent/Server Connectivity on page 3-7 for installation issues. Note: For information on managing Agents, see the chapter Managing Agents starting on page 9-1. Note: To remove the Agent, see Removing Agents on page 9-8. 3-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Verifying Agent Installation There are three methods for verifying that the WFRM Agent has been installed correctly and is operating properly. Check: Agent service Start menu shortcuts System tray icon Agent Service Check if "Trend Micro Information Center for CSM" is started. 1. Click Start > Settings > Control Panel > Administrative Tools > Services. 2. Look for Trend Micro Worry-Free Remote Manager Agent. 3. Check if the Status is Started. Start Menu Shortcuts Check the Program Group in the Start Menu. 1. Click Start > All Programs > Information Center for CSM 2. Verify that the Program Group contains the following items: Agent Configuration Tool Readme Remove Worry-Free Remote Manager Agent for CSM System Tray Icon Check for the WFRM Agent icon in the system tray. If for any reason the icon is not visible, you can start it by clicking Start > Programs > Worry-Free Remote Manager Agent > Agent Configuration Tool. Exiting the tool does not stop the WFRM service. It only closes the Configuration Tool and removes the icon from the task bar. The tool can be restarted at any time. Suspend the mouse over the icon for status information (see Managing Agents from the Managed Server on page 9-4): ICON MEANING A green icon indicates that the Agent is connected to WFRM s communication server. A red icon indicates that the Agent isn t connected to WFRM s communication server or the version of the Agent is mismatched with the server and needs to be updated. An icon with a red arrow indicates that the Agent has logged off from WFRM 3-6

Preparing the Service Infrastructure Verifying Agent/Server Connectivity To ensure that the Worry-Free Remote Manager service is running smoothly, make sure that Agents are online. To view the status of Agents: 1. Log on to the WFRM console. 2. Click the Customers tab and ensure that My Customers is selected in the left pane. 3. Click the All Agents tab in the right pane. The tab lists the status of each Agent in the Status column. For details on each status, see Agent Status Types on page 9-2. Viewing Installation Errors The Agent installation logs cover Agent installation activities. Collect these logs and send them to your service support provider if you encounter problems during installation. The Agent installation logs can be obtained from the following location on the managed server: C:\TMICAgentForCSM_Install.log See Troubleshooting and Technical Support on page 11-1 for further information. 3-7

Chapter 4 Understanding the Dashboard The Dashboard is the primary monitoring window into a customer's security problems which are collectively referred to as events. Access the Dashboard using Microsoft Internet Explorer. Log onto the Trend Micro Worry-Free Remote Manage site at wfrm.trendmicro.com using your user name and password. There you can access the the correct URL for your region. The dashboard is a quick way to review the health of monitored networks. The dashboard displays a summary of each network aspect that Worry-Free Remote Manager monitors. This chapter gives a brief overview of the following (see chapters 5, 6 and 7 for more detailed information): Dashboard Overview on page 4-2 Threat Status on page 4-4 System Status on page 4-5 Security Indicators on page 4-5 4-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Dashboard Overview The dashboard contains three sections: Threat Status an overview of the threat and security status (page 4-4) System Status an overview of system-related risk situations (page 4-5) Security Indicators the status of key indicators (page 4-5) FIGURE 4-9 The dashboard The dashboard uses the three status icons in the table below to indicate any issues or potential issues. TABLE 4-1. Dashboard status icons STATUS ICON DESCRIPTION Normal; no action required for all customer domains. Warning; some action may be required for some customer domains. Immediate action required; you need to check affected domains immediately. 4-2

Understanding the Dashboard The dashboard lists only the domains that are not in normal status. To get threat and system status details for a listed domain, click the name of the domain. Note that the dashboard normally lists only up to 10 domains. To access the complete list of affected domains, click More at the bottom of the list. Normal Status Information The dashboard lists only the domains that are not in normal status. To get threat and system status details on any domain, including those that are not listed on the dashboard, go to the Customers tab and access the domain through the network tree. To use the network tree to get status details: 1. Click Customers. 2. In the network tree in the left pane, click (+) to expand My Customers. 3. Click (+) to expand the customer that owns the domain. 4. Select the domain. The right pane displays three tabs, including the Domain Status and the Products tab. FIGURE 4-10 Products tab for the selected domain 5. Click either of the following tabs: Products contains system status details Domain Status contains threat status details The Customers tab complements the dashboard as a simple method for viewing the list of managed domains and the details of their security and threat status. The figure below shows the Customers tab with a domain selected in the network tree and the threat status for that domain showing on the right. 4-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers FIGURE 4-11 Customer tab showing the threat status Threat Status The threat status section of the dashboard provides an overview of the threat and security status of domains. It includes the following sections: Outbreak defense indicates the current alert status Antivirus indicates the presence of a significant number of virus/malware threats and related potential risk situations Anti-spyware indicates the presence of a significant number of spyware/grayware threats and whether certain actions need to be taken to address spyware/grayware incidents Anti-spam warns of the increasing number of spam messages being processed on the Exchange server Web Reputation indicates the number of attempts to retrieve Web pages evaluated as a security risk Behavior Monitoring indicates the number of attempts against unauthorized changes to a computer Network viruses warns of any significant network virus activity Note: For details on how Worry-Free Remote Manager determines the status in each of the threat status sections, see Monitoring Threat Status on page 5-1. 4-4

Understanding the Dashboard System Status The system status section warns of any system-related risk situations and contains the following sections: License warns of potential risk situations due to license usage issues Updates warns of potential risk situations due to outdated security components System warns of potential risk situations due to inadequate disk space Note: For details on how Worry-Free Remote Manager determines the status in each of the system status sections, see Monitoring System Status on page 6-1. Security Indicators The security indicators section displays the status of the following key indicators: Internal virus outbreak number of computers where the same virus/malware is detected within a time range Virus infection number of computers infected with the same virus/malware within a time range (infection only occurs when a malware/virus is detected but is unable to be cleaned, deleted, or quarantined) Spyware infection number of computers infected with the same spyware/grayware within a time range (a spyware/grayware infection occurs when the computer cannot be completely cleaned unless it is restarted) Outdated virus pattern number of computers that do not have the latest virus pattern during assessment Outdated spyware pattern number of computers that do not have the latest spyware pattern during assessment The security indicators section is an overview of the results of security assessments conducted by Worry-Free Remote Manager. You can also monitor assessment results of events which can be set to trigger whenever an assessment result is a medium or critical risk. Note: For details on how Worry-Free Remote Manager determines the status of each of the security indicators, see Customizing Assessment Settings on page 7-7. 4-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers The events list in the Events tab basically shows the details of the security indicators status shown on the dashboard. The figure below shows the Events tab with the list of events. FIGURE 4-12 Events tab showing the list of events Compare the Event Type column on the events list to match the events against the security indicators on the dashboard. Tip: Go to Notifications on the Events tab to customize assessment indexes, determine what constitutes critical or medium risk results and specify which risk level triggers an event. For more information, see Customizing Assessment Settings on page 7-7. 4-6

Chapter 5 Monitoring Threat Status Worry-Free Remote Manager lets you monitor the threat status of customer networks by tracking the status of key security components as shown in the Threat Status section of the dashboard. FIGURE 5-13 Threat Status on the dashboard This chapter covers these seven components in the following sections: Outbreak Defense Status on page 5-2 Antivirus Status on page 5-4 Anti-spyware Status on page 5-5 Anti-spam Status on page 5-6 Web Reputation Status on page 5-7 Behavior Monitoring Status on page 5-7 Network Virus Status on page 5-8 5-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Outbreak Defense Status Outbreak Defense provides early warning of Internet threats and/or other world-wide outbreak conditions. Outbreak Defense automatically responds with preventative measures to keep computers and networks safe, followed by protective measures to identify the problem and repair the damage. While Outbreak Defense is protecting networks and clients, TrendLabs is creating a solution to the threat. As soon as TrendLabs finds a solution, they release updated components, and CS/CSM and WFBS/WFBS-A servers download and deploy the updated components to clients. Outbreak Defense then cleans any virus remnants and repairs files and directories that have been damaged by the threat. Outbreak Defense may take the following actions in the event of an outbreak: Block ports Write-protect certain files and directories Block certain attachments The dashboard indicates the outbreak defense status for managed networks. To determine this status, Worry-Free Remote Manager checks whether TrendLabs has declared a virus alert. The table below shows the possible outbreak defense icons on the dashboard. TABLE 5-1. Outbreak defense status icons STATUS ICON DESCRIPTION No virus alert TrendLabs has declared a Yellow Alert. TrendLabs has declared a Red Alert. The dashboard lists domains in alert condition. To get details, click the (+) icon next to Outbreak Defense and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For guidance on accessing details on domains that are not alert condition, see Normal Status Information on page 4-3. WFRM displays the following detailed information related to outbreak defense: Alert status (this section does not display when there is no alert) Vulnerable computers Computers to clean Alert Status Alert status information displays whenever there is a red or yellow alert. The console lists computers with Outbreak Defense enabled and disabled. Enable Outbreak Defense to ensure that preventive measures deploy automatically and protect the network before a pattern becomes available. When there are computers with Outbreak Defense disabled, clicking the value under Not Enabled will open the list of affected computers. 5-2

Monitoring Threat Status To enable Outbreak Defense or set Outbreak Defense to automatically deploy during alerts for all the computers in a domain, use OPS (Out Prevention Services) on the menu bar on the Customers tab. For detailed instructions, see Submitting Network Commands on page 8-6. Vulnerable Computers Vulnerable computers are computers that have not been patched for known software vulnerabilities. Because many viruses/malware make use of vulnerabilities to propagate, unpatched computers are more likely to get infected and become vectors for propagation. To handle vulnerable computers, contact the administrator of the affected domain and provide the names of the vulnerable computers and the vulnerabilities affecting them. To get this information, click the number of affected computers. Note: The number of affected computers only functions as a link to detailed information if there is at least one vulnerable computer. To ensure that the list of vulnerable computers is current, run a Vulnerability Assessment (VA) scan. For detailed instructions, see Submitting Network Commands on page 8-6. Computers to Clean Computers to clean are infected computers. Infected computers are those computers with a virus/malware that the security client did not successfully clean, delete, or quarantine upon detection. An infected computer likely contains a running copy of the virus/malware that has configured the computer to allow it to automatically start and stay running. To view a list of the infected computers and the names of the viruses, click the number of computers to clean. This number is clickable only when there is at least one infected computer. To address infected computers, deploy Damage Cleanup Services (DCS) to the domain. For detailed instructions, see Submitting Network Commands on page 8-6. 5-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Antivirus Status To show the antivirus status, the dashboard displays status icons indicating the presence of any significant virus/malware-related threats. The table below shows how the icons correspond to different threats. TABLE 5-2. Antivirus status icons STATUS ICON DESCRIPTION Normal. No significant virus/malware threats. This status icon displays if any of the following conditions occur: - There is a local outbreak. - The real-time scanner is disabled in at least one computer. This status icon displays if any of the following conditions occur: - The real-time scanner on the Exchange server is disabled. - A security client is unable to clean or quarantine a malware. To get details, click the (+) icon next to Antivirus and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instruction on accessing antivirus status details on domains that have normal status, see Normal Status Information on page 4-3. The console displays the following detailed information related to the antivirus status: Virus threat incidents Action unsuccessful Real-time scan disabled Virus Threat Incidents Virus threat incidents are the number of virus/malware detections in the domain. The console groups this statistical information into the following groups: Desktop/Servers virus/malware detected during manual scans or when files are accessed on desktop and server computers Exchange servers virus/malware detected in email messages that are processed by an Exchange server To view the list of affected computers, affected email addresses (for viruses found in email messages), and the names of the malware, click the number of incidents. This number is clickable only when there is at least one incident. To reset the current count, click Reset. WARNING! Do not click Reset unless you are sure that the incidents have been addressed and contained. To determine whether there are any unresolved incidents, see the Action Unsuccessful table discussed next. Action Unsuccessful Antivirus scanners perform actions typically clean, quarantine, and delete on files found with malware/virus. Typically, the scanner performs an initial action. If it is unable to perform this action, the scanner performs a 5-4

Monitoring Threat Status secondary action. The console logs incidents where both actions are unsuccessful or if the first action is unsuccessful and the scanner does not perform a secondary action. Unsuccessful actions can indicate that a malware/virus has successfully circumvented antivirus defenses and has infected the computer. As with CS/CSM and WFBS/WFBS-A, Worry-Free Remote Manager assumes that computers with an unsuccessfully cleaned, quarantined, or deleted virus/malware are infected. To view a list of the infected computers and the names of the viruses, click the number of incidents. This number is clickable only when there is at least one incident. To address computers that have been infected due to unsuccessful antivirus actions, deploy Damage Cleanup Services (DCS) to the domain. For detailed instructions, see Submitting Network Commands on page 8-6. Real-time Scan Disabled Computers with disabled real-time scanners cannot scan files in real time (scheduled scans will continue). These computers are highly susceptible to virus/malware infection and can be vectors for the spread of viruses. Exchange servers with real-time scanners disabled let all viruses in email messages pass leaving the customer network susceptible to mass-mailing worms. To view the list of computers with disabled real-time scanners, click the number of computers. This number is clickable only when there is at least one affected computer. To enable the real-time scanner on all computers and Exchange servers in the domain, click the corresponding Enable link. Anti-spyware Status To show the anti-spyware status, the dashboard displays status icons that indicate a relatively high spyware/grayware incident rate and the presence of computers that are infected with spyware/grayware. The table below shows how the icons indicate the anti-spyware status. TABLE 5-3. Anti-spyware status icons STATUS ICON DESCRIPTION Normal. Few spyware/grayware threats found. 15 or more spyware/grayware incidents have been found in the network. Action required. At least one computer needs to be restarted to completely remove a spyware/grayware infection. To get details, click the (+) icon next to Anti-spyware and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instruction on accessing anti-spyware status details on domains that are in normal status, see Normal Status Information on page 4-3. The console displays the following detailed information related to the anti-spyware status: Spyware/Grayware threat incidents Computer restart required 5-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Spyware/Grayware Threat Incidents Spyware/Grayware threat incidents are the number of spyware/grayware detections in the domain. The console displays the total number of incidents for all computers in the domain. To view the list of affected computers and the names of the spyware/grayware threats, click the number of incidents. This number is clickable only when there is at least one incident. To reset the current count, click Reset. WARNING! Do not click Reset unless you are sure that the incidents have been addressed and contained. To determine whether there are any unresolved incidents, see Computer Restart Required on page 5-6. Computer Restart Required Computers for restart are computers that have been found infected with spyware/grayware and that have been partially cleaned. These computers remain infected because the spyware/grayware affecting them cannot be removed completely until after a restart. To complete the cleanup process on these computers, contact an administrator on the customer s side to restart the computers manually. To view the list of affected computers and the names of the spyware/grayware threats, click the number of incomplete cleanup attempts. This number is clickable only when there is at least one incomplete attempt. To reset the current count, click Reset. Note: Do not click Reset unless you are sure that the affected computers have been restarted. Anti-spam Status The dashboard displays status icons to show whether the percentage of spam messages (out of all the messages processed by Exchange servers) has reached a certain threshold. The table below shows the relationship between the status icons and the spam percentage threshold. TABLE 5-4. Anti-spam status icons STATUS ICON DESCRIPTION Normal. Spam messages comprise less than 10% of the total messages processed by the Exchange server. Note that administrators can modify the 10% threshold on managed servers. Warning. Spam messages comprise 10% or more of the total messages processed by the Exchange server. Note that administrators can modify the 10% threshold on managed servers. This icon is not used to show the anti-spam status. To get details, click the (+) icon next to Anti-spam and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instructions on accessing anti-spam status details on domains that are in normal status, see Normal Status Information on page 4-3. The console displays a table with the total number and percentage of the following messages: 5-6

Monitoring Threat Status Spam messages unsolicited and usually unwanted email messages sent out in bulk to different email addresses. Phishing messages messages designed to feign a legitimate message in order to draw users into logging on to a copy of a legitimate site. This attack is designed to steal logon credentials for banking and other important sites. Web Reputation Status Web Reputation evaluates the potential security risk of requested Web pages before displaying them. Depending on the rating returned by the database and the security level configured, the Client/Server Security Agent located on computers managed by WFBS/WFBS-A will either block or approve the request. TABLE 5-5. Web Reputation status icons STATUS ICON DESCRIPTION No action required. The clients are reporting numerous or frequent URL violations. Starting from the 200th incident, the status icon changes to display the warning. The client is trying to access blocked URLs multiple times. Have the administrator of the managed server contact the user of the Client. If the user has not attempted to access the URLs, the computer could be infected. Run a full computer scan immediately. To get details, click the (+) icon next to Web Reputation and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instruction on accessing web reputation status details on domains that have normal status, see Normal Status Information on page 4-3. The console displays a table with the total number of the following: Blocked URLs Detected the number of blocked access attempts to URLs determined to be a security risk Behavior Monitoring Status Behavior Monitoring constantly monitors the Client for attempts to modify the operating system and other programs. When a Client/Server Security Agent located on computers managed by WFBS/WFBS-A detects an attempt, it notifies the user of the change and the user can Allow or Block the request. WFBS/WFBS-A administrators (or users) can create exception lists that allow certain programs to run while violating a monitored change or completely block certain programs. The console displays a table with the total number of the following: Policy Violations Detected the number of attempts against unauthorized changes to the computer 5-7

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Network Virus Status The dashboard displays status icons under Network Viruses to indicate whether network virus activity in customer domains has reached a certain threshold. TABLE 5-6. Network virus protection status icons STATUS ICON DESCRIPTION Normal. Few network virus threats found. Warning. Ten or more network virus threats have been found within 1 hour. The one-hour interval is the 60-minute period before the point of assessment. This icon is not used to show the network virus protection status. To get details, click the (+) icon next to Network Viruses and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instruction on accessing anti-spam status details on domains that are in normal status, see Normal Status Information on page 4-3. The console displays the number of network virus detections in the domain. To view the list of affected computers, IP addresses, and the names of the network virus threats, click the number of incidents. This number is clickable only when there is at least one incident. To address network virus incidents, contact the administrator from the customer network to ensure that the machine sending out the viruses is isolated and cleaned. Most network viruses can be removed by restarting the affected computer. To reset the current count, click Reset. WARNING! Do not click Reset unless you are sure that the incidents have been addressed and contained. 5-8

Chapter 6 Monitoring System Status By monitoring the system status of managed servers, you can ensure that customer networks are continuously protected. FIGURE 6-14 System Status on the dashboard Worry-Free Remote Manager provides the following information in real time: License Status on page 6-2 Update Status on page 6-2 System Status on page 6-3 6-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers License Status The dashboard displays icons to indicate potential security issues due to license usage. The table below shows license usage problems associated with the status icons. TABLE 6-1. License status icons STATUS ICON DESCRIPTION Normal Warning. This status icon appears if any of the following conditions occur: - Customer has exceeded 80% of the maximum seat count. - the managed product is running on a trial license that expires in 14 days. - the managed product is running on a full license that expires in 60 days. Action required. This status icon appears if either of the following conditions occurs: - Customer has exceeded the maximum seat count. - The managed product license has expired. To address license usage issues, you can do the following: Contact the administrator of the affected domain. Click the Renew License button to access the renewal page and renew the customer s license. The dashboard lists domains whose statuses are not normal. To get details, click the (+) icon next to each section and then click the name of the domain. For instruction on accessing details on domains that are in normal status, see Normal Status Information on page 4-3. Update Status The table below shows how the dashboard displays icons to indicate any update problems. TABLE 6-2. Update status icons STATUS ICON DESCRIPTION Normal Warning. This status icon appears if either of the following conditions occurs: - The managed product has not updated successfully for more than seven days. - The pattern and engine deploy rate on desktop and server computers is less than 90%. Action required. This status icon appears if any of the following conditions occur: - The managed product has not updated successfully for more than 14 days. - The pattern and engine deploy rate on desktop and server computers is less than 70%. - At least one Exchange server is running with outdated security components. 6-2

Monitoring System Status To address update problems, you can run the following commands from the menu bar in the Customers tab: Update Client Server Security Agent deploys the latest security components, including the scan engine and pattern files, to all Client Server Security Agents in the domain. Update Managed Server deploys the latest security components, including the scan engine and pattern files, to the managed server. Note: Because Update Client Server Security Agent uses components already on the managed server, the effectiveness of this command relies on whether the managed server has updated successfully (which can be done by Update Managed Server). Once you have successfully updated the managed server and have deployed the latest components, consider running the Manual Scan command (under the Action menu). A scan can find threats that outdated components missed. For detailed instructions on running commands, see Submitting Network Commands on page 8-6. The dashboard lists domains whose statuses are not normal. To get details, click the (+) icon next to each section and then click the name of the domain. For instruction on accessing details on domains that are in normal status, see Normal Status Information on page 4-3. System Status Lack of disk space on the managed server can prevent it from implementing various tasks properly including hosting component updates and gathering security information. Desktops and other server computers may also experience problems due to inadequate disk space. The dashboard lets you monitor disk space usage problems on computers in the domain by displaying icons to indicate potential and current disk space problems. To understand what these icons mean, see the table below. TABLE 6-3. System (disk usage) status icons STATUS ICON DESCRIPTION Normal This icon is not used to indicate the disk usage status. Action required. This status icon appears if more than one computer has less than 1% disk space. To address disk usage issues, contact the administrator of the affected domain. The dashboard lists domains whose statuses are not normal. To get details, click the (+) icon next to each section and then click the name of the domain. For instruction on accessing details on domains that are in normal status, see Normal Status Information on page 4-3. 6-3

Chapter 7 Understanding Security Indicators / Events Security Indicators are a summary of events. Events are based on regular assessments. You can view event information on the table provided on the Events tab. Event thresholds can be customized for individual domains. You can subscribe individuals to event notifications which Worry-Free Remote Manager sends when an event occurs. FIGURE 7-1 Security Indicators on the dashboard The following sections in this chapter discuss events further: Security Indicators on page 7-2 Security Indicators on page 7-2 Viewing Events on page 7-4 Handling Events on page 7-5 Customizing Assessment Settings on page 7-7 Subscribing to Event Notifications on page 7-8 Customizing Notification Content on page 7-8 Viewing Assessment History on page 7-9 7-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Security Indicators The Security Indicators that employ the Worry-Free Remote Manager assessment indexes include: Internal Virus Outbreak which should be addressed by quarantining the virus/malware, containing and removing the virus/malware from the affected computers and cleaning them. Virus Infection which should be addressed by quarantining and removing the virus/malware and cleaning the infected computer(s). Spyware Infection which should be handled by containing and removing the spyware and cleaning the infected computer(s). Outdated Virus Pattern which should be handled by identifying the computers that do not have the current virus/malware pattern files, determining which files require updating, and performing the update. Outdated Spyware Pattern which can be addressed by identifying the computers that do not have the current spyware/grayware pattern files, determining which files require updating, and performing the update. The Security Indicators assessment indexes combine two to three factors: an assessment frequency, a range of time for performing the assessment before triggering an event, and the risk levels associated with the assessment, which can all be configured through the WFRM console. Thus, you use index-based criteria for assessing your customer networks and monitoring the assessment results for security breaches. Understanding Events Events are based on regular assessments. Worry-Free Remote Manager assesses data at configurable intervals and matches this data to predefined risk levels. Specific risk levels are set as event triggers. When these risk levels are reached, an event occurs, and Worry-Free Remote Manager sends corresponding notifications. Assessment intervals, risk levels, event triggers, and notifications are defined separately for each event type. Whenever an event occurs in a domain, the console generates a unique ID to allow you to track that event. There are two groups of event types: Assessment index-based events System events 7-2

Understanding Security Indicators / Events Assessment Indexes Assessment indexes are key security indicators that are the basis for assessments. The assessment indexes are the same Security Indicators shown on the dashboard. Worry-Free Remote Manager supports five assessment indexes, described in the table below (default values are shown). TABLE 7-1. Assessment indexes ASSESSMENT INDEX / SECURITY INDICATOR DESCRIPTION ASSESSMENT FREQUENCY RANGE RISK LEVELS Internal virus outbreak Number of computers on which the same virus/malware is detected 10 minutes 1 hour of data (customizable from 30 minutes to 24 hours) - Medium: 3 - Critical: 5 - Events are triggered at medium risk by default Virus infection Number of computers infected with the same virus/malware 10 minutes 1 hour of data (customizable from 30 minutes to 24 hours) - Medium: 3 - Critical: 5 - Events are triggered at medium risk by default Spyware infection Number of computers infected with the same spyware/grayware 10 minutes 1 hour of data (customizable from 30 minutes to 24 hours) - Medium: 3 - Critical: 5 - Events are triggered at medium risk by default Outdated virus pattern Percentage of computers that do not have the latest virus pattern 30 minutes Not applicable; based on data gathered at the time of assessment - Medium: 5% - Critical: 10% - Events are triggered at medium risk by default Outdated spyware pattern Percentage of computers that do not have the latest spyware/grayware pattern 30 minutes Not applicable; based on data gathered at the time of assessment - Medium: 5% - Critical: 10% - Events are triggered at medium risk by default 7-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers System Events System events are maintenance-related events (and can be viewed only under the Events tab). These events help ensure that the Agent and the managed servers are online. Another system event enables you to automatically notify customers whenever a software vendor announces a vulnerability. Worry-Free Remote Manager supports the following system events: CSM server shutdown the CS/CSM or WFBS/WFBS-A server computer has turned off. Exchange server shutdown the Exchange server computer has turned off. Microsoft critical vulnerability a security vendor has announced an important vulnerability. Agent abnormal the Agent appears offline and is not responding to the Worry-Free Remote Manager server but has not sent a logoff request. Agent offline the Agent has closed normally, having sent a logoff request to Worry-Free Remote Manager. Agent online the Agent has gone online and is now running normally. Note: For more information on Agent status types, see Agent Status Types on page 9-2. Viewing Events In addition to the security indicators on the dashboard, you can view the list of events as they occur. To view events, click the Events tab. The Overview tab lists all open events. For alternative ways to view events, see the following procedures: Searching Events on page 7-4 Using Event Display Rules on page 7-5 Searching Events Use the search function to search for an event using the Event ID which is a unique identifier assigned to each unique event and used while the event remains open. To run a search: 1. Type an event ID. 2. Click Search. Tip: To reset the list, click Return. 7-4

Understanding Security Indicators / Events Using Event Display Rules Event display rules are customizable filtering rules that let you display only the events that match specific filters or combinations of filters. For example, you can create a rule that will display only certain event types. To create event display rules: 1. Click the Events tab. The Overview tab is selected by default. 2. Click Edit Display Rules. 3. In the Display rule window, click Add at the bottom of the screen. 4. Provide a name and configure the new rule. 5. Click Save. To use a specific rule when viewing events, select the rule from the drop-down list on top of the events table as shown below. FIGURE 7-2 Event display rule drop-down Handling Events Because events typically indicate security problems that require attention, you may need to perform the following: Changing Event Status on page 7-6 Sending Notifications Manually on page 7-6 Adding Event Notes on page 7-6 7-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Changing Event Status You need to manually change the status of events depending on your progress with handling them. Events can have any of the following statuses: New the default status of events when they are triggered In-progress the event is currently being handled Closed the event has been handled, all related issues have been resolved, and conditions are back to normal Note: All new and in-progress events are considered open. To change the status of an event: 1. Click Events. The Overview tab is selected by default. 2. From the display rule drop-down list, select a display rule that covers the event or search for the event using the event ID. 3. Click the event ID link on the table. 4. In the pop-up window, select the status from the Status drop-down list. 5. Click Change Status. Tip: Add a note every time you change an event's status to keep a record of the change. Sending Notifications Manually In addition to automatic event notifications, you can send event notifications manually. To send an event notification manually: 1. Click Events. The Overview tab is selected by default. 2. From the display rule drop-down list, select a display rule that covers the event or search for the event using the event ID. 3. Click the event ID link in the table. 4. In the pop-up window, select a contact from the Contact drop-down list. 5. Click Notify. Adding Event Notes Event notes allow reseller administrators to track actions made in relation to an event, such as status changes. To add an event note: 1. Click Events. The Overview tab is selected by default. 2. From the display rule drop-down list, select a display rule that covers the event or search for the event using the event ID. 3. Click the event ID link on the table. 4. Under Add note, type the event note. 5. Click Add. 7-6

Understanding Security Indicators / Events Customizing Assessment Settings You can customize the following settings for each assessment index: Risk levels risk levels, what constitutes an event, and whether a report is attached to notifications Assessment interval data range covered by assessments To customize assessment settings: 1. Click Events. 2. Click Notifications. 3. Select a service (Currently, Worry-Free Remote Manager supports only the CS/CSM and WFBS/WFBS-A service and supports all assessment indexes through this service). 4. Select the customer. 5. Select the domain. Assessment index settings Use the following settings for each individual Assessment Index (each corresponds to a column heading): Enabled enable or disable an index Risk Levels click Edit to define the risk levels and specify the risk levels that will trigger an event. A pop-up window (entitled Assessment Index Risk Levels) lets you define the following settings: Critical risk the assessment result that Worry-Free Remote Manager considers critical risk Medium risk the assessment result that Worry-Free Remote Manager considers medium risk Event trigger level the risk level that will trigger an event Attach report on notification email set Worry-Free Remote Manager to include a report in the notification email message Tip: Click Load Default to reset risk levels to default values. Assessment interval the period between each assessment; clicking Edit opens a pop-up window (entitled Assesment Interval) that lets you specify the following settings: Assessment interval the time between each assessment; this value is predefined for each assessment index Assess data from_to_earlier Worry-Free Remote Manager will run the assessment on data collected from this period. For example, if you specify the values 2 and 1 hour(s), Worry-Free Remote Manager will assess data collected during the period between 2 hours to 1 hour before the assessment. Therefore, for an assessment that runs at 3:00 PM, Worry-Free Remote Manager will assess data collected from 1:00 to 2:00 PM. Notifications click the Edit link that corresponds to an assessment index to subscribe contacts to event notifications for that index. In the pop-up window, select at least one of the listed notification methods to subscribe a contact. Worry-Free Remote Manager supports the following notification types: Email sent to the recipient's email address MSN sent to the recipient's MSN account Pop-up message displays a pop-up window to notify the recipient; the recipient receives this notification only if he or she is logged on to Worry-Free Remote Manager 7-7

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Subscribing to Event Notifications The console can send notifications every time an event occurs. To allow contacts to automatically receive these notifications, subscribe them to the notifications. To subscribe users to event notifications: 1. Click Events. 2. Click Notifications. 3. Select the service (Currently, Worry-Free Remote Manager supports only the CS/CSM and WFBS/WFBS-A service and supports all assessment indexes through this service). 4. Select the customer. 5. Select the domain. 6. Click the Edit link under Notifications that corresponds to the event type. 7. In the pop-up window, select notification methods to subscribe the listed contacts. 8. Click Save. Customizing Notification Content You can customize the content of event notifications by: Attaching detailed Comma Separated Value (CSV) reports to email notifications for all assessment index events Listing specific computers in notifications for the new critical vulnerability system event Attaching Reports You can configure the console to attach detailed reports to assessment index event notifications. These event reports are in CSV format and contain all the data associated with the event. To attach event reports to notifications: 1. Click Events. 2. Click Notifications. 3. Select the service. Currently, Worry-Free Remote Manager supports only the CS/CSM and WFBS/WFBS-A service at this time and supports all assessment indexes through this service. 4. Select the customer. 5. Select the domain. 6. Click the Edit link under Risk Levels that corresponds to the event type. 7. Select Attach report on notification email. 8. Click Save. Listing Computers in Vulnerability Notifications The Microsoft critical vulnerability event occurs when Microsoft announces an important software vulnerability. Worry-Free Remote Manager automatically sends a notification to all subscribed contacts. You can include a list of important computers in the notification so that notification recipients immediately know which computers to check. 7-8

Understanding Security Indicators / Events To list a computer in vulnerability notifications: 1. Click Customers. 2. Expand the network tree until the computer is visible. 3. Select the computer. FIGURE 7-3 List in vulnerability notifications option 4. In the information pane on the right-hand side, select List in vulnerability notification email. 5. Click Save. Viewing Assessment History Assessment results that do not trigger events do not appear in the Events tab. However, you can view these assessment results in the Reports tab. To query assessment results: 1. Click Reports. 2. Click Assessment Logs. FIGURE 7-4 Assessment Logs tab under Reports 3. Select the customer. 7-9

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers 4. Select the domain name and assessment index. 5. To specify the data range, select the start and end time in the From and To fields. 6. Click Query. Tip: To start a new query, click the Back button at the bottom of the results table. 7-10

Chapter 8 Managing Networks Worry-Free Remote Manager enables you to effectively manage customer networks by providing a view of the structure of all managed domains. You can also run commands to address security concerns remotely. This chapter covers the following aspects of Worry-Free Remote Manager: Viewing Managed Networks on page 8-2 Removing Customers on page 8-4 Understanding Network Commands on page 8-4 Submitting Network Commands on page 8-6 8-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Viewing Managed Networks To view managed networks, click the Customers tab. This tab provides a representation of the customers and their domain(s) that you manage. By default, the tab displays a tree view of all customer networks on the left pane and a list of your customers on the right pane. To display a particular customer's domain(s), select the domain from the Show drop-down list. FIGURE 8-5 Customers tab The Customers tab has three sections: Customer menu bar Network tree Information pane Menu Bar The menu bar on the left side contains network commands grouped into menus. These network commands enable you to manage critical aspects of network security including real-time scan settings and the deployment of component updates. For a list of the network commands on the menu bar and instructions on how to use these commands, see Submitting Network Commands on page 8-6. Note: Items in the menu bar are disabled and will not respond to mouse clicks if the selected network object cannot receive commands. You need to select a domain to use any item in the menu bar. Network Tree On the left side of the Customers tab, below the menu bar, the screen displays a tree representation of your customers networks. The table below describes the objects in the network tree. TABLE 8-1. Network tree objects ICON NETWORK OBJECT DESCRIPTION My Customers All your Worry-Free Remote Manager customers Customer A customer 8-2

Managing Networks TABLE 8-1. Network tree objects (Continued) ICON NETWORK OBJECT DESCRIPTION Domain The customer's domain Group Computer Exchange server Groups of computers in the domain; by default, CS/CSM and WFBS/WFBS-A groups desktop computers and servers together. A desktop or server computer that is not running Exchange Server; this computer runs the Client Security Agent (CSA) for desktop and server computers. An Exchange Server computer; this computer runs the Messaging Security Agent (MSA). Information Pane The information pane is the right pane of the Customers tab. It displays tabs related to the selected network tree object. See the table below for the tabs displayed for each network object. TABLE 8-2. Network tree objects and their information pane tabs NETWORK OBJECT INFORMATION PANE TABS TAB DESCRIPTION My Customers Customer Domain Group All Customers All Agents Customer Profile Domains Contacts Domain Profile Products Domain Status No tab; cannot be selected Lists all your customers and lets you add and remove customers. Clicking the name of a customer opens the Customer Profile tab. Lists all Agents and lets you add and remove Agents. After clicking the name of an Agent, you can also modify Agent settings and view Agent details in this tab. Enables you to modify the name and description of the selected customer. Lists all the customer s domains and lets you add or delete domains. Clicking the name of a domain on the network tree opens the Domain Profile tab. This tab lists all the customer s contacts and lets you add or delete contacts. Clicking the name of a contact lets you edit the contact s details. Enables you to modify the name and description of the selected domain. Displays a summary of the status of the managed server. You can view the system status details and a summary of threat incidents in the selected domain in this tab. Displays the threat status details. N/A 8-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers TABLE 8-2. Network tree objects and their information pane tabs (Continued) NETWORK OBJECT INFORMATION PANE TABS TAB DESCRIPTION Computer Exchange server Single screen; no tab Single screen; no tab This screen displays system information and a summary of virus/malware, spyware/grayware, network virus incidents, Behavior Monitoring, and Web Reputation Services incidents on the selected computer. This screen also lets you set Worry-Free Remote Manager to list the selected computer in the New Critical Vulnerability notification. This screen displays system information and a summary of virus/malware and spam incidents in the selected Exchange server. This screen also lets you set Worry-Free Remote Manager to list the selected computer in the New Critical Vulnerability notification. Adding Customers See Adding Customers on page 3-2. Removing Customers To delete a customer from the WFRM Server: 1. Remove all the associated domains for the customer. Note: If you accidentally delete a domain, all the records for this domain will be deleted. If you wish to re-register the domain to the WFRM Server, you have to create a new domain and Globally Unique Identifier (GUID) for this customer. You also need to reinstall the WFRM Agent on the Security Server and use the new GUID. a. Click the Customers tab. b. On the left pane, select the target customer. c. On the right pane, click the Domains tab. d. Select the domain that you wish to delete and then click Delete. 2. Delete the customer from the list of customers. a. On the left pane, click My Customers. b. On the right pane, select the customer that you wish to remove and then click Delete. Understanding Network Commands The commands in the menu bar are designed to let you manage customer domains from a remote location. With these network commands, you can respond to different security situations for you customer. Worry-Free Remote Manager supports multiple command types for use in different situations. Before you submit a command, ensure that there is an agreement between you and your customer that allows you to do so. The table below shows the effects the commands may have on your customer s network. 8-4

Managing Networks TABLE 8-3. Network Commands MENU COMMAND ACTION EFFECTS Settings Real-time Antivirus/ Anti-spyware Enable/Disable the real-time Antivirus and Anti-spyware scanners on all computers in the domain. Real-time scan automatically scans accessed files. Disabling real-time scan will leave the domain at risk. Real-time Scan for POP3 Mail Enable/Disable Real-time Scan for POP3 Mail for the entire domain. POP3 Mail Scan (using the Trend Micro Anti-Spam toolbar plug-in) protects computers in real-time against security risks and spam transmitted through POP3 email messages. Behavior Monitoring Enable/Disable Behavior Monitoring for the entire domain. Behavior Monitoring protects computers from unauthorized changes to the operating system, registry entries, other software, or files and folders. Location Awareness Enable/Disable Location Awareness for the entire domain. With Location Awareness, administrators can control security settings depending on how the Client is connected to the network. This affects In Office / Out of Office settings of the Firewall, Web Reputation and TrendSecure toolbars: Anti-Key Loggers, Keystroke Encryption, Page Ratings.) In Office Settings work as the default settings if Location Awareness is disabled. Out of Office Settings are available only if Location Awareness is enabled. Firewall Enable/Disable the personal firewall for the entire domain. Depending on existing firewall rules, enabling the firewall can limit the ability of computers to communicate with the network. Disabling can expose computers to unwanted network traffic. Web Reputation Configure Web Reputation for the entire domain. Web Reputation helps prevent access to URLs that pose potential security risks by checking any requested URL against the Trend Micro Web Security database. Trend Secure Toolbars Configure Trend Secure Toolbars for the entire domain. TrendSecure helps safeguard Internet transactions by determining the safety of wireless connections and the Web page you are visiting. To prevent information theft, TrendSecure can also encrypt information typed into Web pages, including personal information, passwords, and credit card numbers. 8-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers MENU COMMAND ACTION EFFECTS Action Update Client Server Security Agent Deploy the latest security components, including the scan engine and pattern files, to all Client Server Security Agents (CSA) in the domain. Ensures that computers are running the latest security components. The deployment can increase traffic between computers and the managed server. Update Managed Server Deploy the latest security components, including the scan engine and pattern files, only to the Managed Server. Ensures that computers are running the latest security components. The deployment can increase traffic between computers and the managed server. Sync with Managed Server Force the Agent to resend its data to WFRM If a domain node in the client tree is clicked but the node does not expand, issue this command to synchronize the servers. Manual Scan Start/Stop a scan for an entire domain or desktops or servers only. Allows for an on-demand, manual scan OPS Automatic Outbreak Defense Enable or disable automatic deployment of Outbreak Prevention Services (OPS) from TrendLabs. If automatic deployment is enabled, the behavior of security solutions will automatically change during outbreaks. For example, the spam filter may automatically block certain messages based on general rules provided by TrendLabs. If automatic deployment is disabled, security solutions will not automatically enforce preventive measures during outbreaks, leaving the network without outbreak protection until TrendLabs releases a pattern file. Current Outbreak Defense Policies Enable or disable OPS (Outbreak Prevention Services) for ongoing alerts. Stopping the OPS during an outbreak will stop the deployment of the prevention policy. During an alert, stopping the OPS could leave the network vulnerable to the outbreak malware unless TrendLabs has released a pattern and network administrators have deployed this pattern to the network. Start Vulnerability Assessment Initiate Vulnerability Assessment (VA) to scan computers in the domain for known vulnerabilities. Consumes some resources on computers and slightly increases traffic between the managed server and the computers. Start Damage Cleanup Service Deploy Damage Cleanup Services (DCS) to clean infected computers. Consumes some resources on computers and can add some traffic between the managed server and the computers. Submitting Network Commands When you select a network command from the menu bar, you submit this command to the console database. As soon as the Agent queries and receives these commands, the managed server applies them to the domain. 8-6

Managing Networks Network commands allow you to deploy security components, scan computers for viruses and known vulnerabilities, and upgrade the managed server. For information on the different commands, see Understanding Network Commands on page 8-4. To submit a command: 1. Click the Customers tab. 2. In the network tree, click (+) to expand All Customers. 3. Click (+) to expand the customer. 4. Select the domain. 5. Select the desired command from the menu bar. Note: You will need to specify options through a pop-up window before you can submit some commands. 8-7

Chapter 9 Managing Agents This chapter provides information that will help with the management of Worry-Free Remote Manager Agents. Managing Agents from the server: Verifying Agent/Server Connectivity on page 9-2 Agent Status Types on page 9-2 Submitting Agent Commands on page 9-3 Managing Agents from the managed server: Agent Status Messages on page 9-4 Changing the Agent GUID on page 9-5 Agent Configuration on page 9-5 Removing the Agent: Removing Agents on page 9-8 9-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Managing Agents from the Server The following sections concern managing Agents from the WFRM console. Verifying Agent/Server Connectivity To ensure that the Worry-Free Remote Manager service is running smoothly, make sure that Agents have a status of "online". To view the status of Agents: 1. Click the Customers tab and ensure that My Customers is selected in the left pane. 2. Click the All Agents tab in the right pane. The tab lists the status of each Agent in the Status column. For details on each status, see Agent Status Types on page 9-2. Also see Verifying Agent Installation on page 3-6 Note: In addition to the current chapter, see Troubleshooting and Technical Support on page 11-1 for more issues dealing with Server/Agent connectivity. Agent Status Types The status of an Agent indicates whether the Agent is able to collect data and receive commands from the Worry-Free Remote Manager server. The status also indicates the reason why the Agent cannot function properly and how you can handle the situation. The table below describes the different Agent status types. TABLE 9-1. Agent status types STATUS DESCRIPTION RESOLUTION Abnormal Disabled Offline The Agent appears offline and is not responding to the Worry-Free Remote Manager server, but has not sent a logoff request. This status is set manually via the console. When an Agent in disabled status, the agent queries commands from the server every 10 minutes. The Agent closed normally after having sent a logoff request to the Worry-Free Remote Manager server. Typically, an Agent is in this status if a user has shut down the Agent service or the managed server has shut down. This status can occur if the managed server did not shut down properly. Ensure that the managed server administrator is aware of this situation. Contact the administrator if necessary. Submit a command to enable the Agent (see Submitting Agent Commands on page 9-3). Ensure that the managed server administrator is aware that the server has shut down. Contact the managed server administrator if necessary. Online The Agent is running normally. NA Plug-in errors The console has detected errors in the Agent's service plug-in component. Remove the Agent and ask the managed server administrator to re-install the Agent. Contact Trend Micro Customer if this problem persists. 9-2

Managing Agents TABLE 9-1. Agent status types (Continued) STATUS DESCRIPTION RESOLUTION Unregistered Version mismatch The Agent has not registered to the Worry-Free Remote Manager server. Incompatibility between the versions of any of the following components has been detected: - Agent - Worry-Free Remote Manager - CS/CSM or WFBS/WFBS-A The Agent may have not been installed or has not been able to communicate successfully with the Worry-Free Remote Manager server. Contact the managed server administrator. Upgrade the Agent and the managed server. If this does not work, report this problem to the Trend Micro Data Center administrator. Submitting Agent Commands Agent commands allow you to remotely resolve issues affecting the Agent. Table 9-2 lists the available Agent commands. TABLE 9-2. Agent commands COMMAND DESCRIPTION Enable Disable Uninstall Upgrade plugin Agent goes back from "disabled" status to normal functionality Agent stops collecting information but continues to query the server for commands every 10 minutes Agent removes itself from the managed server Agent downloads and installs updates To submit a command to an Agent: 1. Click Customers. 2. Ensure that My Customers is selected in the left pane. 3. Click the All Agents tab in the right pane. 4. Under Commands, click the Submit link that corresponds to the name of the Agent. 5. In the pop-up window, select the command. 6. Click Submit and click Close. 9-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Managing Agents from the Managed Server The following sections concern managing Agents from the managed server. Agent Status Messages On the managed server, the agent displays a system tray icon (either, or ). Whenever you move your mouse over the system tray icon, it displays a status message that indicates whether the agent is functioning normally. See the table below to understand the status messages and how you can address them On the managed server, the Agent displays one of the following system tray icons: ICON MEANING A green icon indicates that the Agent is connected to WFRM s communication server. A red icon indicates that the Agent isn t connected to WFRM s communication server or the version of the Agent is mismatched with the server and needs to be updated. An icon with a red arrow indicates that the Agent has logged off from WFRM Whenever you move your mouse over the system tray icon, it displays a status message that indicates whether the Agent is functioning normally. See the table below to understand the status messages and how you can address them. TABLE 9-3. Status messages displayed by the Agent s system tray icon Message Description Resolution Message Description Resolution Message Description Resolution Message Description Unknown error encountered. Check the system or restart the Agent. Unexpected errors typically system errors are preventing the Agent from functioning properly. Check the managed server for low memory or other system problems. Unable to register with the remote server. The GUID you provided may be wrong. Verify that you have used the correct GUID. If necessary, reinstall the Agent using the correct GUID. Unable to connect to the remote server. The managed server may be experiencing Internet connectivity problems. Check Internet connectivity on the managed server. Also, check the Agent s proxy settings and the specified server address and port. Agent disabled by Worry-Free Remote Manager. The Agent has been temporarily disabled through the Worry-Free Remote Manager console. 9-4

Managing Agents TABLE 9-3. Status messages displayed by the Agent s system tray icon (Continued) Resolution Message Description Resolution Message Description Resolution Message Description Resolution Enable the Agent through the Worry-Free Remote Manager console. Agent does not match the CS/CSM version. Install the correct Agent version. The CS/CSM and Agent versions do not match. Upgrade the CS/CSM server to the latest version and install the latest Agent. Agent service stopped. The Agent service has been stopped. Start the Agent service by right-clicking the Agent system tray icon and clicking Start Service. Unable to load components. You may need to reinstall the Agent. The Agent encountered problems while loading some components. First try restarting the Agent service by right-clicking the Agent system tray icon and clicking Restart Service or Start Service. If this does not work, uninstall and then reinstall the Agent. Make sure you use the same GUID. Changing the Agent GUID Use this procedure only if you entered an incorrect Globally Unique Identifier (GUID) during WFRM Agent installation: 1. Go to C:\Program Files\Trend Micro\WFRMAgentForCSM. 2. Open the AgentSysConfig.xml file using a text editor. 3. Look for the GUID between the parameters "<AgentGUID>" and "</AgentGUID>". 4. Edit the GUID and then save the file. 5. In the same folder, open the csmsysconfig.xml file using a text editor. 6. Look for the GUID between the parameters "<ProductGUID>" and "</ProductGUID>". 7. Edit the GUID and then save the file. 8. Right-click the Worry-Free Remote Manager Agent icon on the task bar and then click Restart Service. Agent Configuration The Agent Configuration Tool allows changes to be made to WRFM Agent configuration settings. To start the Agent configuration tool: Click Start > Programs > Worry-Free Remote Manager Agent > Agent Configuration Tool. 9-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Agent Configuration Menu To configure the Agent, right click on the tray icon to open the following menu: FIGURE 9-1 Agent Configuration Tool pop-up menu The following items appear: Configure Opens the Agent configuration screen (see Configuration Tool Main Dialog on page 9-7) Select Language in addition to other possible languages, the English language always exists Service Start, Stop, Restart Exit exiting the tool does not stop the WFRM service. It only closes the Configuration Tool and removes the icon from the task bar. The tool can be restarted at any time (See Agent Configuration on page 9-5) 9-6

Managing Agents Configuration Tool Main Dialog Right click on the tray icon and click Configure on the Agent configuration menu to open the Agent configuration tool General screen. FIGURE 9-2 Agent Configuration Tool "General" tab Configuration Tool General Panel The following sections of the Agent configuration screen are the only presently relevant sections of this tool. Server Settings Configure server communication by setting the following: Server address The fully qualified domain name (FQDN) of the Worry-Free Remote Manager communication server. The FQDN varies in each region as follows: Asia Pacific - wfrm-apaca.trendmicro.com Europe and the Middle East - wfrm-emeaa.trendmicro.com Latin America - wfrm-lara.trendmicro.com North America - wfrm-usa.trendmicro.com 9-7

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Port The port that the WFRM server uses to communicate with the Agent. This should be 80 for HTTP and port 443 for HTTPS. Protocol The protocol used for communication between the server and the Agent. Proxy Server Settings Enable this area by clicking the Proxy server settings checkbox if the user s network requires a proxy to communicate with the WFRM server. Address The IP address of the proxy server Port The port or the proxy server Protocol Test Connection button The Test Connection button is used to test communication between the Agent and the WFRM server. Use this function to test if the basic connection to the communication server works well. If it fails (a popup dialog box will appear if the tool cannot connect to the server), there may be a basic issue such as the address of the communication server and its port, or the Proxy server address and its port. Removing Agents There are two ways to remove an Agent: Locally on the managed server Remotely from Worry-Free Remote Manager Note: When removing Agents locally, the Agent will unregister from Worry-Free Remote Manager which automatically deletes all data associated with the Agent. To prevent the Agent from unregistering, modify the Server address value on the Agent interface before removing the Agent. Removing Agents Locally There are three ways to remove an Agent locally: 1. Directly uninstall the WFRM Agent 2. Uninstall the WFRM Agent via the Control Panel 3. Uninstall the WFRM Agent manually Option 1: Directly uninstall the WFRM Agent: 1. Open the WFRM Agent installation file. 2. The installation wizard will prompt you to confirm the uninstallation. Click Yes. 9-8

Managing Agents Note: During removal, you will be prompted to close certain applications. Close these applications and click Retry to continue. 3. Click Finish to close the wizard after the uninstallation is complete. Option 2: Uninstall the WFRM Agent via the Control Panel: 1. Open the Control Panel s Add or Remove Programs applet. 2. Select Worry-Free Remote Manager Agent and then click the Change/Remove button. Option 3: Uninstall the WFRM Agent manually: If for any reason anagent cannot be removed through standard ways, perform the following steps to manually remove it: 1. Stop the Trend Micro Worry-Free Remote Manager Agent service a. Click Start > Run. b. Type "cmd" on the command line and then press the Enter key. c. Run this command: net stop Trend Micro Worry-Free Remote Manager Agent 2. Remove the Trend Micro Worry-Free Remote Manager Agent service. a. On the command line, use the change directory (cd) command to go to the WFRM Agent directory. b. Run this command: TMICAgent -u 3. Remove the program files. Delete [Agent install directory] WFRMAgentForCSM 4. Open the Registry Editor (regedit.exe) and remove the following registry keys: Note: Always create a backup before modifying the registry. Incorrect registry changes may cause serious issues. Should this occur, restore it by referring to the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe. HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\TMIC4CSM\Agent\.. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\ 23FC8F347B51DD440AD13A73D13A73D22D58E6 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Installer\UserData\S-1-5-18\Products\ 23FC8F347B51DD440AD13A73D13A73D22D58E6 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Uninstall\{43F8CF32-15B7-44DD-A01D-A3372DD2856E} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Uninstall\InstallShield Uninstall Information\ {43F8CF32-15B7-44DD-A01D-A3372DD2856E} 9-9

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Uninstall\InstallShield_\{43F8CF32-15B7-44DD-A01D-A3372DD2856E} 5. Remove the WFRM Agent shortcut from the Start menu. a. On the desktop, click My Computer. b. Change the current directory to..\documents and Settings\ All Users\Start Menu\Programs. c. Delete the Worry-Free Remote Manager Agent folder. Removing Agents Remotely To uninstall the WFRM Agent remotely: 1. From the Worry-Free Remote Manager control panel, click Customers. Ensure that My Customers is selected in the left pane. 2. Click the All Agents tab in the right pane. 3. Under Commands, click the Submit link that corresponds to the name of the Agent. 4. In the pop-up window, select Uninstall. 5. Click Submit and click Close. Note: To remove an Agent from Worry-Free Remote Manager completely, delete the domain associated with it. For more information, see the Online Help. 9-10

Chapter 10 Managing Reports Worry-Free Remote Manager lets you generate, export, and automatically send out Operational Reports. Operational Reports provide an overview of assessment results, security incidents, major threats, and the most affected computers, files, and email addresses in your customers networks. To understand more about the reporting features of the console, read the following sections of this chapter: Understanding Operational Reports on page 10-2 Supported Report Formats on page 10-2 Generating and Exporting Reports on page 10-3 Subscribing to Reports on page 10-3 10-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Understanding Operational Reports Worry-Free Remote Manager currently supports a complete report type called the Operational Report. This report provides the following information: Asset summary includes data on the number of desktops, servers and Exchange servers in the domain. This section also includes information on how current the patterns in these computers are relative to the Worry-Free Remote Manager servers. Assessment results this section includes two sets of information: Latest risk rating for the outdated virus pattern and outdated spyware/grayware pattern assessment indexes Risk rating distribution (critical, medium, or low) for the virus infection, internal virus outbreak, and spyware/grayware infection indexes Security incidents number of virus, spyware/grayware, spam, and network virus incidents Virus detection distribution distribution of detections between desktop/server computers and Exchange servers Major threats and targets this section includes six diagrams containing the following information: Computers with most viruses found Most prevalent viruses Most prevalent spyware/grayware Computers with most virus infections File names most often found infected with viruses Email addresses that received the most number of viruses Tip: To view a sample of the Operational Report, generate one. See Generating and Exporting Reports on page 10-3. Supported Report Formats The table below presents the different file formats that you can use when generating an Operational Report. TABLE 10-1. Supported report file formats FORMAT DESCRIPTION OPENS WITH PDF Adobe PDF format Adobe Acrobat Reader 5.0 DOC Microsoft Word document format Microsoft Word 2000 XLS Microsoft Excel spreadsheet format Microsoft Excel 97 or 2000 10-2

Managing Reports Generating and Exporting Reports You can generate reports for viewing on the console. To keep a copy of the report, export the report. To generate or export a report: 1. Click Reports. 2. Click View Report. 3. Select the service. Currently, Worry-Free Remote Manager supports only the CS/CSM or WFBS-WFBS-A service. 4. From the Report drop-down list, select the report type. Currently, Worry-Free Remote Manager supports only the Operational Report. 5. Select the customer. 6. Select the domain. 7. From the Duration drop-down list, select the time period. 8. Specify the From date. Note: The To field is for future services that can support customized durations. 9. Choose whether to generate or to export the report: To generate the report, click Generate. To export the report to a file, select a format and click Export. Tip: To keep your favorite report settings, click Add to Favorites. Subscribing to Reports When subscribed, contacts automatically receive reports. To subscribe contacts to reports: 1. Click Reports. 2. Click Notifications. 10-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers FIGURE 10-1 Report subscription intervals 3. Select the service. Currently, Worry-Free Remote Manager supports only the CS/CSM or WFBS-WFBS-A service. 4. Select the customer. 5. Select the domain. 6. Select to subscribe by: Contact select a contact for subscription to reports Report select a report type and subscribe contacts to the report 7. Select the contact or the report. 8. For each listed contact or report: Select the language. Select all the report intervals to which you would like to subscribe the contact. 9. For each interval, select a report format. 10. Click Save. 10-4

Chapter 11 Troubleshooting and Technical Support The following sections discuss issues you may encounter while working with Worry-Free Remote Manager and possible solutions you can try before calling technical support (although these are organized by server, Agent and other, they often cross lines): Issues Dealing (largely) with the WFRM Console starting on page 11-2 (These issues are seen from the WFRM console.) Domain Tree not Visible after Installing the Agent starting on page 11-2 Node on tree Cannot Be Expanded starting on page 11-2 Page Cannot be Displayed on page 11-2 Unable to Receive Notifications on page 11-3 Incorrect Information on the Dashboard on page 11-3 Unable to Deploy Commands on page 11-3 Agent Status Is Abnormal on page 11-3 Issues Dealing (largely) with the Agent: starting on page 11-4 (These issues are seen from the managed servers.) Agent Does Not Match the CS/CSM Version on page 11-4 Unable to Connect to the Server on page 11-4 Unable to Register with the Remote Server on page 11-5 Other Issues starting on page 11-5 Resetting a Lost Password on page 11-5 Backing Up and Restoring Agent Settings on page 11-5 Finding the Agent Build Number on page 11-6 Using Internet Explorer to View Reports on page 11-7 Known Issues on page 11-7 Contacting Technical Support on page 11-9 11-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Issues Dealing (largely) with the WFRM Console These issues in this section are seen from the WFRM console. Domain Tree not Visible after Installing the Agent The domain tree does not appear on the console after you install the Worry-Free Remote Manager Agent on the managed server. There are two possible reasons why this happened: The Globally Unique Identifier (GUID) is incorrect. The Worry-Free Remote ManagerAgent cannot communicate with the Worry-Free Remote Manager Server. To fix the issue: Make sure that the GUID (steps 1-4) entry is correct: 1. On the Security Server, use a text editor like Notepad to open C:\Program Files\Trend Micro\WFRMAgentForCSM\AgentSysConfig.xml. 2. Check the GUID right after the <AgentGUID> parameter. 3. If you corrected the GUID, save the file then restart the Trend Micro Worry-Free Remote Manager Agent service. 4. Check the status of the customer's domain from the Worry-Free Remote Manager Server after a couple of minutes. Check the Agent-Server connection using the Test Connection feature (steps 5-7): 5. Click Start > Programs > Worry-Free Remote Manager Agent > Agent Configuration Tool. 6. Click the Test Connection button. 7. If the test connection fails: a. Check if the managed server can connect to the Internet. b. Check if you entered the Worry-Free Remote Manager Server address correctly. c. If the Security Server uses a proxy to connect to the Internet, make sure that you also entered the proxy server settings. Node on tree Cannot Be Expanded If a node on on the domain tree (under Customers) does not expand when clicked, group and client information on the WFBS server and the WFRM server may be out of sync. To remedy this, highlight the node, then click Action > Sync with Managed Server to resend data from the Agent to the WFRM server. Page Cannot be Displayed "Page cannot be displayed" shows up when trying to open the Worry-Free Remote Manager Server URL. The error shows up in Microsoft Internet Explorer (MSIE) when you try to access https://wfrm.trendmicro.com/tmic/ This happens if: The URL is incorrect The WFRM Server's URL is not an MSIE Trusted Site. 11-2

Troubleshooting and Technical Support To fix the issue: 1. Verify that the "TMIC" in the URL is in uppercase, and that "/" appears after it: https://wfrm.trendmicro.com/tmic/ 2. Make sure that the WFRM Server's URL is an MSIE Trusted Site. a. Open MSIE. b. Click Tools > Internet Options > Security > Trusted Sites > Sites. c. Check if the WFRM Server URL is in the list. If not, type it in and then click OK. Unable to Receive Notifications If notifications (via email, MSN or pop-up message) are not being received even though contacts are set to recieve these notifications, check for the following: Incorrect Notification Adress (for customer) to set the correct notification information, click Customers > [Customer Name] > Contacts > Contact Name > Email, Pager, or MSN Incorrect Notification Adress (for reseller) to set the correct notification information, click Administration > [My Account] > Email, Pager, or MSN Incorrect Information on the Dashboard If the dashboard seems to be giving you incorrect or incomplete information about a particular domain, check the following: Check if the managed server is started. Check if the Agent is started and running correctly. Check both the Worry-Free Remote Manager console at Customers > All Agents > Status (see Agent Status Types on page 9-2) and the status of the Agent on the managed server (see Managing Agents from the Managed Server on page 9-4). Also see Verifying Agent Installation on page 3-6. Check if the customer re-installed the Agent. Also check if the customer re-installed the Agent and used a different or duplicate GUID. By default, the Agent should get up to the last three days of data from the managed server. You can try generating a new GUID and re-installing the Agent. Unable to Deploy Commands If you are unable to deploy network commands to an Agent, check the following: CS/CSM or WFBS-WFBS-A service is running. Client Agent is running. If not, to start the Agent, see Agent Service on page 3-6 Ports 80 and 443 are open. You can check this by telneting from the Worry-Free Remote Manager server to the Agents on ports 80 and 443 and vice versa. If the ports are not open, the customer administrator must open the ports on their firewall. Agent Status Is Abnormal Agent status will be abnormal if the Agent did not send a log off request to the Worry-Free Remote Manager server before the Agent shut down. To fix this, restart the Agent service (see Agent Service on page 3-6) 11-3

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers Issues Dealing (largely) with the Agent: These issues in this section are seen from the managed servers. Agent Does Not Match the CS/CSM Version After installing the WFRM Agent on the managed server, you get the following error message: Agent does not match the CS/CSM version. Install the correct Agent version. This happens because of either of the following: 1. Your CS/CSM build is not supported by WFRM. The following builds are required: For CS/CSM 3.5, the required build is 1113 or higher. For CS/CSM 3.6, the required build is 1095 or higher. To check the build number, open the CS/CSM Security Dashboard and go to Help > About. You can then download the supported CS or CSM build from the Update Center and install it on the server. 2. The WFRM Agent is downloading the latest program upgrade from the WFRM Server. This may take 2-3 minutes. After downloading is done, the WFRM Agent icon will return to normal (green). Note: WFRM supports all versions of WFBS/WFBS-A 5.0, so the above issue does not apply to WFBS/WFBS-A 5.0. Unable to Connect to the Server The following error message shows up when you click the Test Connection button in the Agent Configuration Tool of WFRM: "Unable to connect to the server. It may be invalid settings. Enter valid settings and try again." There are three possible reasons for this: The managed server cannot connect to the Internet. Make sure CS/CSM or WFBS-WFBS-A can access the Internet. The FWDN of the Worry-Free Remote Manager communication server address is incorrect. Use the FQDN that corresponds to your region: Asia Pacific: wfrm-apaca.trendmicro.com Europe/Middle East: wfrm-emeaa.trendmicro.com Latin America: wfrm-lara.trendmicro.com North America: wfrm-usa.trendmicro.com If the Security Server uses a proxy server to connect to the Internet, make sure the proxy and user authentication settings are correctly configured. 11-4

Troubleshooting and Technical Support Unable to Register with the Remote Server "Unable to register with the remote server" shows up when the mouse is moved over the Worry-Free Remote Manager Agent icon This happens when the Globally Unique Identifier (GUID) is incorrect. To fix this issue: 1. Go to C:\Program Files\Trend Micro\WFRMAgentForCSM. 2. Open the AgentSysConfig.xml file using a text editor. 3. Look for the GUID between the parameters "<AgentGUID>" and "</AgentGUID>". 4. Edit the GUID and then save the file. 5. In the same folder, open the csmsysconfig.xml file using a text editor. 6. Look for the GUID between the parameters "<ProductGUID>" and "</ProductGUID>". 7. Edit the GUID and then save the file. 8. Right-click the Worry-Free Remote Manager Agent icon on the task bar and then click Restart Service. Other Issues Resetting a Lost Password If you forgot your WFRM password, click the Forgot your password link on the Worry-Free Remote Manager login page. If you cannot reset your password because the system tells you that you are entering an invalid email address, please send a password reset request to the email address corresponding to your region: North America: wfrm_support@trendmicro.com Asia Pacific: wfrm_apacsupport@trendmicro.com Latin America: wfrm_larsupport@trendmicro.com Europe/Middle East: wfrm_emeasupport@trendmicro.com Include the following information in your email: User name Phone number Office address Primary distributor Backing Up and Restoring Agent Settings If you need to uninstall and then reinstall the Agent using the same GUID within a span of three days, keep the Agent settings to avoid any overlapping data. To do this, back up the configuration files manually and then replace the configuration files with the backup after reinstalling the Agent. To back up the configuration files: 1. On the managed server, right click the Agent system tray icon and click Stop Service to stop the Agent service. 11-5

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers 2. Copy all the.xml,.dat, and.ini files from the installation folder C:\Program Files\ Trend Micro\WFRMAgentforCSM. These files are listed below: FIGURE 10-2. Agent configuration files.xml FILES.DAT FILES.INI FILES csmsysconfig.xml MSA.dat csmstatusdata.ini csmlogdef.xml csmlocalconfig.xml AgentWorkConfig.xml AgentSysConfig.xml logbuf.dat group.dat CSA.dat CriticalVA.dat AgentStatus.xml AgentLocalConfig.xml 3. Copy all the files from the \Cache folder. 4. Restart the Agent service. To restore the settings from backup: 1. Remove the Agent locally if you haven t already. For detailed instructions, see Removing Agents on page 9-8. Note: When removing the Agent locally, the Agent will unregister from Worry-Free Remote Manager which automatically deletes all data associated with the Agent. To prevent the Agent from unregistering, modify the Server address value in Agent interface before removing the Agent. 2. Reinstall the Agent. Ensure that you use the same GUID which can be obtained from AgentSysConfig.xml. 3. On the managed server, right click the Agent system tray icon and click Stop Service to stop the Agent service. 4. Replace the configuration files with the backup files. 5. Right-click the Agent system tray icon and click Start Service to restart the Agent service. Finding the Agent Build Number To check the build number of the Agent: 1. Go to the C:\Program Files\Trend Micro\WFRMAgentForCSM directory. 2. Right-click the csmplugin.dll file and then click Properties > Version tab to see the build number. To check the build number from the Worry-Free Remote Manager console 1. Click the Customers tab. 2. Select the target domain from the Show dropdown list in the left pane. The Domain profile tab will open. 3. Check the Agent plug-in version. 11-6

Troubleshooting and Technical Support Using Internet Explorer to View Reports When using Microsoft Internet Explorer to view reports, do the following: 1. Open Internet Explorer 2. Click Tools > Internet Options 3. Click the Security Tab 4. Under Select a zone to view or change security settings, click Trusted Sites 5. Under Security level for this zone, set the slider to low 6. Click the Sites button 7. Enter the FQDN of the WFRM server (the addresses without the "a"; for example "apac" instead of "apaca") Asia Pacific: wfrm-apac.trendmicro.com Europe/Middle East: wfrm-emea.trendmicro.com Latin America: wfrm-lar.trendmicro.com North America: wfrm-us.trendmicro.com 8. Click Add > Close > OK Known Issues The table below lists all the known issues and how you can address them. TABLE 11-1. Known issues Issue Description Inconsistent status icons During the initial stages of data gathering (right after the agent registers with the server) Worry-Free Remote Manager may display antivirus and anti-spam status icons that are inconsistent with the displayed number of virus and spam incidents. Right after it registers with the server, the agent transmits the current antivirus and anti-spam statuses from CS/CSM, but does not transmit the historical data on which these statuses are based. As a result, it may display, for example, a red status symbol but show no incidents. Resolution Issue Description Resolution Issue Description Resolution Worry-Free Remote Manager will display the correct icon and data as soon as CS/CSM detects an incident. Unable to uninstall agent remotely Users cannot send the uninstall command to the agent when there is a version mismatch. This occurs when the "automatic upgrade" option is enabled and the upgrades keep failing. Disable automatic upgrades and then uninstall the agent. Spam data inconsistent with CS/CSM Spam incident information may differ between CS/CSM and Worry-Free Remote Manager if the servers running both systems are in different time zones. Keep in mind that spam incidents in Worry-Free Remote Manager console and reports may be dated earlier or later, depending on the time difference between the servers. Note that Worry-Free Remote Manager servers are located in the following time zones: - APAC servers are in GMT +08:00 - North America servers are in GMT -08:00 (adjusts with DST) 11-7

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers TABLE 11-1. Known issues (Continued) Issue Description Resolution Issue Description Resolution Issue Description Resolution Issue Description Resolution Issue Description Resolution Issue Description Resolution Issue Description Resolution Issue Description Reinstalled agents can provide overlapping data Agents automatically transmit three days worth of certain CS/CSM data upon registration. If an agent is uninstalled and then reinstalled within a three-day period, the agent will likely pull data that will overlap with data that it pulled before it was uninstalled. Back up the agent configuration files before removing the agent and restore these files after reinstalling the agent. See Backing Up and Restoring Agent Settings on page 11-5. Truncated or overlapping text in report charts Text in pie and histogram charts in reports can overlap or get truncated. This is a known issue in the Crystal Reports module used by Worry-Free Remote Manager. Layout issues in XLS and HTML reports Reports in Microsoft Excel format and HTML have layout and alignment problems. This is a known issue. You can edit the reports manually after generating them. Display of percentage values in reports In reports, when a percentage value is less than one percent, this value is not displayed as expected. For example, the value that should be displayed as "0.99%" is displayed as ".99%". This is a known issue in the Crystal Reports module used by Worry-Free Remote Manager. Result of scan command cannot be verified The agent cannot verify whether CS/CSM successfully deploys the "scan" command to the network. This prevents Worry-Free Remote Manager from verifying the results of the "scan" command. You may need to verify the status of the scan command through your customer s IT administrator. Sorting order of clients inconsistent with CS/CSM Clients with computer names that use double-byte characters (DBCS characters) are sorted differently on the CS/CSM dashboard and Worry-Free Remote Manager console. DBCS characters are typically used to represent characters from East Asian languages, including Chinese, Japanese, and Korean languages. Take note of this issue when comparing the client lists on the CSM and Worry-Free Remote Manager consoles. Both lists should contain the same clients, albeit in a different order. Inconsistent console language If WFRM is set to use a language other than English, but the operating system is set to use English as its default language, then the "OK" and "Cancel" buttons will be in English, not the other language. There is presently no known resolution for this issue. Online report contains English words when the language is set to any language other than English Online report contains English words when the language is set to any language other than English. Due to limitations in Crystal Reports, certain strings cannot be translated. 11-8

Troubleshooting and Technical Support TABLE 11-1. Known issues (Continued) Resolution Issue Description Resolution Issue Description Resolution Issue Description Resolution There is presently no known resolution for this issue. Report content not clear Report content is not clear when the WFRM Web console language is set to any language other than English. There is presently no known resolution for this issue. The Agent Configuration Tool is not visible after the Agent has been updgraded even though it is running The Agent Configuration Tool is not visible after upgrading the Agent on a Vista or Windows Server 2008 operating system. Before the upgrade, the user usually runs the Agent Configuration tool under the user s account. During the upgrade process, the tool is killed, then restarted by LocalSystem instead of the user s account. Therefore, even though it is running, the user cannot see it. The machine should be restarted in order to restart the Agent Configuration Tool under the user s account. When using multiple tabs in Internet Explorer 7, two instances of the WFRM Console should not be opened at the same time using different accounts When using multiple tabs in Internet Explorer 7, information from one tab may be incorrectly shown on the other tab if the reseller is signed into two different accounts at the same time. There is presently no known resolution for this issue. However, only one instance of WFRM should be open at a time. Contacting Technical Support Before contacting technical support, consult the following information sources: Online Help offers information on interface screens, product concepts, user tasks Knowledge Base contains information on Trend Micro products and services, including information on support cases; visit the Knowledge Base at: http://esupport.trendmicro.com/ For information on how to contact Worry-Free Remote Manager technical support, visit the Trend Micro Web site at: http://www.trendmicro.com/support/wfrm 11-9

Index A access 2-2 action unsuccessful 5-4 agent 1-5 backing up settings 11-5 commands 9-3 GUID 3-3 3-4 icon 9-4 installation 3-4 installer 3-4 removal 9-8 requirements 3-4 restoring settings 11-5 status 9-2, 9-8 system tray icon 9-4 agent abnormal event 7-4 agent offline event 7-4 agent online event 7-4 agent status abnormal 9-2 disabled 9-2 Offline 9-2 online 9-2 plug-in errors 9-2 unregistered 9-3 version mismatch 9-3 agents managing 9-1 alert status 5-2 anti-spam 1-2, 4-4 anti-spam status icons 5-6 monitoring 5-6 anti-spyware 1-2, 4-4 anti-spyware status icons 5-5 monitoring 5-5 antivirus 1-2, 4-4 antivirus status icons 5-4 monitoring 5-4 assessment 1-5 assessment indexes 1-5, 7-3 assessments logs 7-9 Auto OPS command 8-6 B behavior monitoring 4-4 C Client Server Messaging Security 1-5 Client Server Security 1-5 Client/Server Security Agent 1-5 commands 1-3, 6-3, 8-1 8-2, 9-3 submitting 8-6 understanding 8-4 component updates 1-3 computer 8-3 computer restart required 5-6 computers to clean 5-3 contacts 3-4 CS 1-5 CS/CSM server requirements 3-5 CSA 1-5 CSM 1-5 CSM server shutdown event 7-4 customer 8-2 customer benefits 2-6 customer, coordinating with 2-6 customers, adding 3-2 D damage cleanup 1-3 Damage Cleanup Services 2-6, 5-3, 5-5 dashboard 1-2 1-3, 1-5, 4-1, 7-3 default domain 3-3 Deploy Components command 6-3 Detection 1-5 detection 1-5 disk space 6-3 disk usage 1-3 disk usage status icons 6-3 monitoring 6-3 domain 8-3 domain status 3-3 domains 1-6, 3-3 adding 3-3 E email 3-4 event display rules 7-5 events 1-3, 1-6, 7-1 handling 7-5 manual notifications 7-6 notes 7-6 notification 3-4, 7-8 status types 7-6 understanding 7-2 viewing 7-4 Exchange server 8-3 Exchange server shutdown event 7-4 F features 1-2 firewall 1-3 FQDN 3-4 3-5 fully qualified domain name 3-4 G Getting Started Guide for Resellers 1-1, 1-6 globally unique identifier 3-3 glossary 1-5 group 8-3 GUID 3-3 3-4 H help 2-4 IN-1

Trend Micro Worry-Free Remote Manager Getting Started Guide for Resellers I icon 9-4 infected 5-6 infection 1-6 information pane 8-3 Initial Collection command 8-5 internal virus outbreak 4-5 internal virus outbreak index 7-3 Internet Explorer 2-2 2-3 K known issues 11-7 L license 4-5 license expiration 6-2 license renewal 6-2 license status icons 6-2 monitoring 6-2 license usage 1-3 logs 7-9 M managing agents 9-1 menu bar 6-3, 8-2 Messaging Security Agent 1-6 MSA 1-6 MSN 3-4 My Customers 8-2 N network management 1-3, 8-1 network tree 4-3, 8-2 network virus protection 1-2, 4-4 network virus protection status icons 5-8 monitoring 5-8 new critical vulnerability event 7-4 notifications 3-4, 7-6, 7-8, 10-3 notifications, contents of 7-8 O Online Help 1-6 operational report 10-2 Outbreak Defense 2-6, 5-2 outbreak defense 1-2, 4-4 outbreak defense status icons 5-2 monitoring 5-2 outbreak response 1-3 outdated security components 6-2 outdated spyware pattern 4-5 outdated spyware pattern index 7-3 outdated virus pattern 4-5 outdated virus pattern index 7-3 P password, changing 2-5 password, forgotten 11-5 pattern and engine deploy rate 6-2 phishing messages 5-7 plug-in 1-6 pop-up blockers 2-3 providers 1-6 R real-time scan 1-3 Real-time Scan Disabled 5-5 real-time scanner 5-5 report formats 10-2 reporting 1-3 reports 3-4, 10-1 exporting 10-3 file formats 10-2 generating 10-3 notifications 10-3 subscribing 3-4, 10-3 reports in notifications 7-8 reseller administrators 1-6 reseller agreement 2-2 reseller profile 2-5 resellers 1-6 S Scan command 6-3 security indicators 7-3 security server 1-6 security status 1-2 server address 3-4 3-5 service infrastructure 3-1 significant number 4-4 spam messages 5-7 spam threshold 5-6 spyware infection 4-5 spyware infection index 7-3 spyware/grayware threat incidents 5-6 status icons general 4-2 subscriptions 3-4, 10-3 system 4-5, 9-4 system events 7-4 system status 1-3, 4-5 icons 6-3 monitoring 6-1, 6-3 system tray icon 9-4 T technical support 11-1, 11-9 terminology 1-5 threat status 4-4 monitoring 5-1 tray icon 9-4 troubleshooting 11-1 trusted sites 2-3 U update status icons 6-2 monitoring 6-2 updates 1-3, 4-5 updates status 1-3 URL 2-2 IN-2

V virus alert 1-6 virus infection 4-5 virus infection index 7-3 virus outbreak 1-6 virus threat incidents 5-4 Vulnerability Assessment 1-3, 2-6, 5-3 vulnerability notifications 7-8 vulnerable computers 5-3 W Web browser 2-2 web reputation 4-4 WFRMAgentforCSM 3-4 IN-3