OfficeScan 10 Enterprise Client Firewall
Updated: March 9, 2010

What is Trend Micro OfficeScan?

Trend Micro OfficeScan Corporate Edition protects campus networks from viruses, Trojans, worms, Web-based threats, hackers, and network viruses, plus spyware and mixed threat attacks. It supports Windows 7, Vista, XP, 2000 and Windows Server 2008 and 2003 operating systems. You can find the blue OfficeScan client icon in your system tray.

OfficeScan consists of a client program that resides at the endpoint and a server program that manages all clients. The client guards the endpoint and reports its security status to the server. The server, through the Web-based management console, makes it easy to set coordinated security policies and deploy updates to every client.

What is the Enterprise Client Firewall?

The Enterprise Client Firewall is a feature of Trend Micro OfficeScan Enterprise Edition that helps protect Windows 7, Vista, XP, 2000 and Windows Server 2008 and 2003 clients from hacker attacks and network viruses by creating a barrier between the client and the network.

The default setting for the Enterprise Client Firewall is the MEDIUM security level. (Medium: blocks all incoming and allows all outgoing traffic, except as specified otherwise in the Exception List.)

What can the Enterprise Client Firewall do?

1. Traffic Filtering

Enterprise Client Firewall filters all incoming and outgoing traffic, providing the ability to block certain types of traffic based on the following criteria:

- Direction (incoming or outgoing)
- Protocol (TCP/UDP/ICMP)
- Destination ports
- Destination computer

2. Scanning for Network Viruses

Enterprise Client Firewall also examines each packet to determine if it is infected with a network virus. A virus spreading over a network is not, strictly speaking, a network virus. Only some of the security risks mentioned above, such as worms, qualify as network viruses.
Specifically, network viruses use network protocols, such as TCP, FTP, UDP, HTTP, and email protocols to replicate. They often do not alter system files or modify the boot sectors of hard disks. Instead, network viruses infect the memory of client machines, forcing them to flood the network with traffic, which can cause slowdowns and even complete network failure. Because network viruses remain in memory, they are often undetectable by conventional disk-based file I/O scanning methods. Enterprise Client Firewall works with a virus pattern file to identify and block network viruses.

3. Customized Profiles and Policies

Enterprise Client Firewall gives administrators the ability to configure policies to block or allow specified types of network traffic. Assign a policy to one or more profiles, which administrators can then deploy to specified OfficeScan clients. This provides a highly customized method of organizing and configuring Enterprise Client Firewall settings for our clients.

4. Stateful Inspection

Enterprise Client Firewall is a stateful inspection firewall; it monitors all connections to the client and remembers all connection states. It can identify specific conditions in any connection, predict what actions should follow, and detect when normal conditions are violated. Filtering decisions, therefore, are based not only on profiles and policies, but also on the context established by analyzing connections and filtering packets that have already passed through the firewall.

5. Intrusion Detection System

Enterprise Client Firewall also includes an Intrusion Detection System (IDS). When enabled, IDS can help identify patterns in network packets that may indicate an attack on the client. Enterprise Client Firewall can help prevent the following well-known intrusions:

- Too Big Fragment
- Ping of Death
- Conflicted ARP
- SYN flood
- Overlapping Fragment
- Teardrop
- Tiny Fragment Attack
- Fragmented IGMP
- LAND attack

6. Firewall Outbreak Monitor

Firewall Outbreak Monitor sends a customized alert message to specified recipients when log counts exceed certain thresholds, which may signal an attack.

7. Client Firewall Privileges

Grant clients the privilege to view the Firewall tab on the OfficeScan client program. The Firewall tab displays the firewall settings for the client. Also grant users the privilege to adjust the security level and the exception rule list.

Note: You can install, configure, and use Trend Micro Enterprise Client Firewall on Windows machines that also have Windows Firewall enabled. However, you must manage your policies carefully to avoid creating conflicting firewall policies and producing unexpected results. For example, if you configure one firewall to allow traffic from a certain port but the other firewall blocks traffic from the same port, the traffic will be blocked. Please see the Microsoft documentation for details on Windows Firewall. (Our recommendation is that you should NOT do this.)

Has the Enterprise Client Firewall been tested?

IT Services tested and implemented Trend Micro Enterprise Protect Strategy and installed both Enterprise Client Firewall and Intrusion Detection System (IDS) for OfficeScan clients to guard campus computers from threats (viruses, worms, Trojans, spyware/adware, and others) three years before Microsoft introduced Windows Firewall in the Windows XP Service Pack 2 (SP2).

Which Firewall should I use (Windows or OfficeScan)?

IT Services recommends that all OfficeScan users use the Enterprise Client Firewall for the following reasons:

- It provides network virus protection.
- It provides intrusion protection.
- A centrally managed firewall reduces confusion and the support burden for IT Services and other campus technicians.
- It scans not only inbound but also outbound traffic to prevent hackers from using your computer to attack other computers.
- It enables firewall configuration flexibility against virus outbreaks.

Will two firewalls give me better protection?

The answer is NO. Enabling two or more firewalls together will cause driver conflicts. When you have more than one firewall enabled at the same time, you will see the following warning from Start -> Settings -> Control Panel -> Security Center:
By clicking the link, you will be provided with the following information:

Please refer to the "How do I disable the Windows firewall?" section to disable Windows Firewall.

Do I have Enterprise Client Firewall Installed and Enabled?

The following steps show you how to verify that the Enterprise Client Firewall is installed and enabled on your computer(s):

1. Right-click the Trend Micro icon in your system tray and select OfficeScan Console.
2. Select the Firewall tab.
3. The following information shows that the firewall, Intrusion Detection System (IDS), and Alert Message are all enabled.

Do I have the newest version of OfficeScan client?

The following steps show you how to verify the version of OfficeScan client on your computer:

1. Right-click the TrendMicro icon in your system tray and select OfficeScan Console.
2. Select Component Versions.
3. The following shows the version of OfficeScan client on your computer. The current version of OfficeScan client is 10.0.

How is the OfficeScan firewall configured?

By default, the firewall is configured to the MEDIUM security level.

- High security level blocks all incoming and outgoing traffic, except as otherwise specified in the exception list.
- Medium security level blocks all incoming and allows all outgoing traffic, except as otherwise specified in the exception list.
- Low security level allows all incoming and outgoing traffic, except as otherwise specified in the exception list.

We recommend the MEDIUM security level because:

- Network threats are increasing, and the Low security level has been in use since 2001.
- Medium security level is the default configuration for MS Windows firewall.

Instructions on changing the security level are given below. Please check the troubleshooting suggestions section first.
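
The three security levels and the exception list described above, together with the earlier note about running two firewalls at once, can be modelled in a few lines. This is an added example, not Trend Micro or IT Services code; the rule fields, the first-match-wins ordering and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Default action per security level and direction, as described in this document.
LEVEL_DEFAULTS = {
    "high":   {"in": "block", "out": "block"},
    "medium": {"in": "block", "out": "allow"},
    "low":    {"in": "allow", "out": "allow"},
}

@dataclass(frozen=True)
class ExceptionRule:
    """One exception-list entry; None means 'any'. Field names are hypothetical."""
    action: str                      # "allow" or "block"
    direction: str                   # "in" or "out"
    protocol: Optional[str] = None   # "TCP", "UDP" or "ICMP"
    port: Optional[int] = None       # destination port
    host: Optional[str] = None       # destination computer

    def matches(self, direction, protocol, port, host):
        return (self.direction == direction
                and self.protocol in (None, protocol)
                and self.port in (None, port)
                and self.host in (None, host))

def decide(level, exceptions, direction, protocol, port, host):
    """Return 'allow' or 'block'. Assumption: the first matching exception wins."""
    for rule in exceptions:
        if rule.matches(direction, protocol, port, host):
            return rule.action
    return LEVEL_DEFAULTS[level][direction]

def decide_two_firewalls(first, second):
    """With two firewalls active, traffic passes only if both allow it."""
    return "allow" if first == second == "allow" else "block"

# Constructed scenario: a lab PC at 10.0.0.5 must accept Remote Desktop (TCP 3389).
RDP_IN = ("in", "TCP", 3389, "10.0.0.5")
EXCEPTIONS = [ExceptionRule("allow", "in", "TCP", 3389)]

if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, "no exception:", decide(level, [], *RDP_IN),
              "| with exception:", decide(level, EXCEPTIONS, *RDP_IN))
    print("other firewall blocks:",
          decide_two_firewalls(decide("medium", EXCEPTIONS, *RDP_IN), "block"))
```

The run shows why an application that worked at Low stops working at Medium until a matching inbound exception exists, and why that exception has no effect while a second firewall still blocks the same port.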

How do I disable the Windows firewall?

1. Start -> Settings -> Control Panel -> Security Center
2. Double-click Windows Firewall
3. Select Off (not recommended) and click OK

OfficeScan Firewall Troubleshooting Suggestions

If you have applications that worked when the OfficeScan firewall security level was LOW but stopped working after the security level was changed to MEDIUM, please use the following steps to check whether the problem is related to the OfficeScan firewall:

1. Make sure there is only ONE firewall active on your computer. (Please refer to the "Will two firewalls give me better protection?" section of this document.) If your computer has more than one firewall, please refer to the "How do I disable the Windows firewall?" section.

2. Make sure the latest version of OfficeScan client is running on your computer. (Please refer to the "Do I have the newest version of OfficeScan client?" section.)

3. Change the OfficeScan firewall security level from Medium to Low and run your applications one at a time. Does the Low security level make a difference? If your application works fine at the Low security level, then you need to configure the exception list on your computer. Please use the link under the Related Topics section to find out the protocol(s) and port number(s) that were blocked by the OfficeScan firewall:

Note: The OfficeScan firewall logs record only blocked network traffic. They do not show successful connections.

4. If you need to use some applications on your computer right away but you are not able to resolve the firewall issues, the fastest way to get around the problem is to change the OfficeScan firewall security level from Medium to Low temporarily. After the situation has been resolved, please don't forget to configure the exception list on your computer and change the security level back to Medium.

5. If your lab computers run Deep Freeze, please make all necessary changes while the computers are thawed and then refreeze them; otherwise the changes will not stay.

Related Topics

1. To modify the OfficeScan client security level
2. To modify the OfficeScan exception list
3. How to identify Protocols and Ports for OfficeScan Firewall