Trend Micro™ OfficeScan 11 · esupport.trendmicro.com/media/13497821/OSCE_11SP1_BPG.pdf

Trend Micro™ OfficeScan 11.0 Best Practice Guide for Malware


  • Trend Micro OfficeScan 11.0

    Best Practice Guide for Malware

  • 2014 Trend Micro Inc. 2

    Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Copyright 2015 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations. Author: Celeste Alagad Released: May 16, 2014

    Table of Contents

    OfficeScan (OSCE) 11.0 Best Practice Guide for Malware Protection

    1.1 > Enable Smart Scan Agents
    1.2 > Configure Manual Scan Settings
    1.3 > Configure Real-time Scan Settings
    1.4 > Configure Scheduled Scan Settings
    1.5 > Configure Scan Now Settings
    1.6 > Table Summary
    1.7 > Enable Web Reputation
    1.8 > Configure Global C&C Callback Settings
    1.9 > Enable Smart Feedback
    1.10 > Enable Behavior Monitoring
    1.11 > Configure Global Agent Settings
    1.12 > Configure Agent Self-protection
    1.13 > Configure Device Control
        1.13.1 Permissions for Storage Devices
    1.14 > Disable Roaming Mode for Machines in the Network
    1.15 > Install Intrusion Defense Firewall (IDF) plug-in
    1.16 > Anti-Threat Tool Kit
    1.17 > Install OfficeScan ToolBox plug-in
    1.18 > Using the Security Compliance
    1.19 > Disable System Restore
    1.20 > Disable Autorun
    1.21 > Run Microsoft Baseline Security Analyzer monthly
        1.21.1 Check Unpatched PC
    1.22 > Educate users not to click on links they do not trust


    OfficeScan (OSCE) 11.0 Best Practice Guide for Malware Protection

    1.1 > Enable Smart Scan Agents

    Ensure that the OfficeScan agent can query at least two (2) Smart Protection Servers.

    This guideline prevents the creation of a single point of failure in the anti-malware security. If the lone Smart Protection Server on the network crashes, it can cause repercussions on the desktop security throughout the network.

    Adding a second Smart Protection Server on the network, or ensuring that all File Reputation-enabled agents can connect to the Trend Micro scan service if the primary scan service fails, results in a more robust security implementation.

    Options:

    - Enable the Integrated Smart Protection Server on multiple OfficeScan servers
    - Install VMware-based Standalone Smart Protection Servers

    There are two types of local Smart Protection Server:

    - Integrated Smart Protection Server
    - Standalone Smart Protection Server

    Both essentially work the same way, but are ported for different software platforms.

    Integrated Smart Protection Server

    The Integrated Smart Protection Server is automatically installed on the OfficeScan server. It can be installed during the OfficeScan server installation or at a later time.

    Standalone Smart Protection Server

    The Standalone Smart Protection Server is recommended for large networks. Currently, this type of server is only available as a VMware image that runs CentOS.

    For more information regarding the image compatibility on virtual servers, refer to this link: http://docs.trendmicro.com/en-us/enterprise/smart-protection-server.aspx

    When opting to use the Integrated Smart Protection Server, make sure it is installed.

    To verify if the Integrated Smart Protection Server is installed and accessible from a particular desktop, enter any of the following URLs in the desktop's browser:

    https://<officescan_host>:<port>/tmcss/?LCRC=08000000AC41080092000080C4F01936B21D9104

    http://<officescan_host>:<port>/tmcss/?LCRC=08000000AC41080092000080C4F01936B21D9104

    Examples:

    https://OSCE11:4343/tmcss/?LCRC=08000000AC41080092000080C4F01936B21D9104

    http://OSCE11:8080/tmcss/?LCRC=08000000AC41080092000080C4F01936B21D9104


    If the browser returns the following notification, the Integrated Smart Protection Server is enabled and accessible.
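The browser check above can be scripted so that every configured source is tested and the two-server guideline from section 1.1 is enforced. This is an added example, not part of the Trend Micro guide: the second host name is a constructed placeholder, and treating an HTTP 200 reply as "accessible" is an assumption, because the expected notification text is not reproduced on this page.

```powershell
# Added example (not from the Trend Micro guide).
# Test query string taken from the guide's verification URLs.
$TestQuery = '/tmcss/?LCRC=08000000AC41080092000080C4F01936B21D9104'

# Smart Protection Sources to test. OSCE11:8080 is the guide's example;
# OSCE11-B is a constructed placeholder for a second server.
# An HTTPS source (port 4343 in the guide's example) only passes if this
# client trusts the server certificate; otherwise it is reported as failed.
$Sources = @(
    'http://OSCE11:8080',
    'http://OSCE11-B:8080'
)

function Test-SmartProtectionSource {
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,
        [int] $TimeoutSec = 10
    )
    $uri = $BaseUrl.TrimEnd('/') + $TestQuery
    try {
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec $TimeoutSec
        # Assumption: an HTTP 200 reply means the service answered the query.
        $ok = ($response.StatusCode -eq 200)
        $detail = "HTTP $($response.StatusCode)"
    }
    catch {
        # DNS failure, refused connection, timeout, TLS error or error status.
        $ok = $false
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Source = $BaseUrl; Accessible = $ok; Detail = $detail }
}

$results = foreach ($source in $Sources) {
    Test-SmartProtectionSource -BaseUrl $source
}
$results | Format-Table -AutoSize

# The guide asks for at least two servers that agents can query.
$reachable = @($results | Where-Object { $_.Accessible }).Count
if ($reachable -lt 2) {
    Write-Warning "Only $reachable Smart Protection Server(s) answered; the guide calls for at least two."
    exit 1
}
Write-Output "$reachable Smart Protection Servers answered the test query."
```

Run it from a desktop that hosts an OfficeScan agent, since the guide's check is about reachability from the agent's side of the network.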

    Enable Smart Scan

    The Smart Scan solution uses lightweight patterns to provide the same protection offered by conventional anti-malware and anti-spyware patterns. Smart Protection Server hosts the Smart Scan pattern, which is updated hourly and contains the majority of pattern definitions. Smart Scan agents do not download this pattern. Instead, these agents send scan queries to the Smart Protection Server to verify potential threats against the pattern.

    In the Smart Scan solution, the agents determine the risk of a file using the identification data provided by Trend Micro technology to Smart Protection Servers. Agents never send the entire file. This method minimizes the amount of downloaded pattern by relying on the cloud technology. Thus, Smart Scan agents benefit from local scans and in-the-cloud queries provided by File Reputation Services.

    Before including the Integrated Smart Protection Server in the Smart Protection Sources, make sure it is enabled using the following checkboxes on the OfficeScan management console under Administration > Smart Protection > Integrated Server.

    Figure 1. Integrated Smart Protection Server warning

    Figure 2. Enabling the Integrated Smart Protection Server

    When using the File Reputation functionality with an Integrated Smart Protection Server, ensure that the Smart Protection Server is activated before switching scan types. This is important because the mechanism for switching from Conventional Scan to File Reputation does not automatically verify the Smart Protection Server functionality. It is, therefore, possible to assign a File Reputation-enabled OfficeScan agent to a non-functional Smart Protection Server.

    Another way to confirm that a Smart Protection Server is enabled is to navigate to Administration > Smart Protection > Smart Protection Sources, and then, under the Internal Agents tab, click the standard list link.

    Figure 3. Standard Smart Protection Server List

    To configure:

    1. Create separate domains for Smart and Conventional agents.

       Upon installation, the default scan mode for the OfficeScan network is Smart Scan. Similar to other OfficeScan agent settings, the scan mode is also set at the root of the OfficeScan agent tree. Thus, all future agents and existing agents with no assigned agent-specific scan method will adopt this default setting.

       To separate conventional agents, create an OfficeScan domain and migrate the agents with enabled Conventional Scan to the created domain.

    2. Schedule the Smart Protection Server to update on an hourly basis.

    Figure 4. Agent Management settings window

    Figure 5. Update Settings window

    1.2 > Configure Manual Scan Settings

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Agent Management.
    3. Select the group/domain to apply the settings to.
    4. Click Settings > Scan Settings > Manual Scan Settings.
    5. Configure the settings in the Target tab.
    6. Under Files to Scan, choose All Scannable files.
    7. Configure the Scan Settings by selecting the following options:
       - Scan hidden folders
       - Scan network
       - Scan compressed files
       - Scan OLE objects
         o Detect exploit code in OLE files
    8. Click Virus/Malware Scan Settings Only > Scan boot area.
    9. Under CPU Usage, select Medium: Pause slightly between file scans.
    10. Configure the settings in the Action tab.
    11. Under Virus/Malware, select the Use a specific action for each virus/malware type option and set the following:
        11.1. Joke: Quarantine
        11.2. Trojans: Quarantine
        11.3. Virus: Clean & Quarantine
        11.4. Test Virus: Quarantine
        11.5. Packer: Quarantine
        11.6. Probable Malware: Quarantine
        11.7. Other Malware: Clean & Quarantine
    12. Back up the files before cleaning.
    13. Configure the Damage Cleanup Services.
        13.1. For the Cleanup type, select Advanced cleanup.
        13.2. Enable the Run cleanup when probable virus/malware is detected option.
    14. Under Spyware/Grayware, select Clean to allow OfficeScan to terminate processes or delete registries, files, cookies, and shortcuts.
    15. Configure the Scan Exclusion list for directories and files.
        15.1. Under Scan Exclusion list (Directories), select the following options:
              - Exclude directories where Trend Micro products are installed
              - Retains OfficeScan agent's exclusion list
        15.2. Under Scan Exclusion list (Files), select the following option:
              - Retains OfficeScan agent's exclusion list

    1.3 > Configure Real-time Scan Settings

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Agent Management.
    3. Select the group/domain to apply the settings to.
    4. Click Settings > Scan Settings > Real-time Scan Settings.
    5. Select the Enable virus/malware scan and Enable spyware/grayware scan options.
    6. Configure the settings in the Target tab.
    7. Under User Activity on Files, enable Scan files being: created/modified and retrieved.
    8. Under Files to Scan, choose All Scannable files.
    9. Configure the Scan Settings by selecting the following options:
       - Scan network drive
       - Scan the boot sector of the USB storage device after plugging in
       - Scan all files in removable storage device after plugging in
       - Quarantine malware variants detected in memory
       - Scan compressed files
       - Scan OLE objects
         o Detect exploit code in OLE files
    10. Click Virus/Malware Scan Settings Only > Enable IntelliTrap.
    11. Configure the settings in the Action tab.
    12. Under Virus/Malware, select the Use a specific action for each virus/malware type option and set the following:
        12.1. Joke: Quarantine
        12.2. Trojans: Quarantine
        12.3. Virus: Clean & Quarantine
        12.4. Test Virus: Quarantine
        12.5. Packer: Quarantine
        12.6. Probable Malware: Quarantine
        12.7. Other Malware: Clean & Quarantine
    13. Back up the files before cleaning.
    14. Under Damage Cleanup Services, enable the Run cleanup when probable virus/malware is detected option.
    15. Under Spyware/Grayware, select Clean to allow OfficeScan to terminate processes or delete registries, files, cookies, and shortcuts.
    16. Configure the Scan Exclusion by enabling the following:
        16.1. Under Scan Exclusion list (Directories), select the following options:
              - Exclude directories where Trend Micro products are installed
              - Retains OfficeScan agent's exclusion list
        16.2. Under Scan Exclusion list (Files), select the following option:
              - Retains OfficeScan agent's exclusion list

    1.4 > Configure Scheduled Scan Settings

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Agent Management.
    3. Select the group/domain to apply the settings to.
    4. Click Settings > Scan Settings > Scheduled Scan Settings.
    5. Select the Enable virus/malware scan and Enable spyware/grayware scan options.
    6. Configure the settings in the Target tab.
    7. Set the Scheduled Scan to run at least once a week.
    8. Under Files to Scan, choose All Scannable files.
    9. Configure the Scan Settings by selecting the following options:
       - Scan compressed files
       - Scan OLE objects
         o Detect exploit code in OLE files
    10. Click Virus/Malware Scan Settings Only > Scan boot area.
    11. Under CPU Usage, select Medium: Pause slightly between file scans.
    12. Configure the settings in the Action tab.
    13. Under Virus/Malware, select the Use a specific action for each virus/malware type option and set the following:
        13.1. Joke: Quarantine
        13.2. Trojans: Quarantine
        13.3. Virus: Clean & Quarantine
        13.4. Test Virus: Quarantine
        13.5. Packer: Quarantine
        13.6. Probable Malware: Quarantine
        13.7. Other Malware: Clean & Quarantine
    14. Back up the files before cleaning.
    15. Configure the Damage Cleanup Services.
        15.1. For the Cleanup type, choose Advanced cleanup.
        15.2. Enable the Run cleanup when probable virus/malware is detected option.
    16. Under Spyware/Grayware, select Clean to allow OfficeScan to terminate processes or delete registries, files, cookies, and shortcuts.
    17. Configure the Scan Exclusion by enabling the following:
        17.1. Under Scan Exclusion list (Directories), select the following options:
              - Exclude directories where Trend Micro products are installed
              - Retains OfficeScan agent's exclusion list
        17.2. Under Scan Exclusion list (Files), select the following option:
              - Retains OfficeScan agent's exclusion list

    1.5 > Configure Scan Now Settings

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Agent Management.
    3. Select the group/domain to apply the settings to.
    4. Click Settings > Scan Settings > Scan Now Settings.
    5. Select the Enable virus/malware scan and Enable spyware/grayware scan options.
    6. Configure the settings in the Target tab.
    7. Under Files to Scan, choose All Scannable files.
    8. Configure the Scan Settings by selecting the following options:
       - Scan compressed files
       - Scan OLE objects
         o Detect exploit code in OLE files
    9. Click Virus/Malware Scan Settings Only > Scan boot area.
    10. Under CPU Usage, select Medium: Pause slightly between file scans.
    11. Configure the settings in the Action tab.
    12. Under Virus/Malware, select the Use a specific action for each virus/malware type option and set the following:
        12.1. Joke: Quarantine
        12.2. Trojans: Quarantine
        12.3. Virus: Clean & Quarantine
        12.4. Test Virus: Quarantine
        12.5. Packer: Quarantine
        12.6. Probable Malware: Quarantine
        12.7. Other Malware: Clean & Quarantine
    13. Back up the files before cleaning.
    14. Configure the Damage Cleanup Services.
        14.1. For the Cleanup type, select Advanced cleanup.
        14.2. Enable the Run cleanup when probable virus/malware is detected option.
    15. Under Spyware/Grayware, select Clean to allow OfficeScan to terminate processes or delete registries, files, cookies, and shortcuts.
    16. Configure Scan Exclusion by enabling the following:
        16.1. Under Scan Exclusion list (Directories), select the following options:
              - Exclude directories where Trend Micro products are installed
              - Retains OfficeScan agent's exclusion list
        16.2. Under Scan Exclusion list (Files), select the following option:
              - Retains OfficeScan agent's exclusion list

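    1.6 > Table Summary

    | Setting                                                       | Real-time Scan | Manual Scan      | Scheduled Scan   | Scan Now         |
    |---------------------------------------------------------------|----------------|------------------|------------------|------------------|
    | Files to scan                                                 | All Scannable  | All Scannable    | All Scannable    | All Scannable    |
    | Scan hidden folders                                           | -              | Yes              | -                | -                |
    | Scan network drive                                            | Yes            | Yes              | -                | -                |
    | Scan boot sector of USB storage device after plugging in      | Yes            | -                | -                | -                |
    | Scan all files in removable storage devices after plugging in | Yes            | -                | -                | -                |
    | Quarantine malware variants detected in memory                | Yes            | -                | -                | -                |
    | Scan compressed files                                         | Yes            | Yes              | Yes              | Yes              |
    | Scan OLE objects                                              | Yes            | Yes              | Yes              | Yes              |
    | Detect exploit code in OLE files                              | Yes            | Yes              | Yes              | Yes              |
    | Enable IntelliTrap                                            | Yes            | -                | -                | -                |
    | Scan boot area                                                | -              | Yes              | Yes              | Yes              |
    | CPU usage                                                     | -              | Medium           | Medium           | Medium           |
    | Cleanup type for Damage Cleanup Services                      | -              | Advanced Cleanup | Advanced Cleanup | Advanced Cleanup |
    | Run cleanup for probable virus                                | Yes            | Yes              | Yes              | Yes              |
    | Clean action for detected Spyware                             | Yes            | Yes              | Yes              | Yes              |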

    1.7 > Enable Web Reputation

    Web Reputation Service (WRS) allows OfficeScan to detect and block access to sites that harbor web-based threats. When an agent requests a URL, it first checks the reputation score of the URL by querying the Trend Micro reputation servers. Access to the URL is then allowed or denied depending on the score and the configured security level.

    To configure WRS, do the following:

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Agent Management.
    3. Select the group/domain to apply the settings to.
    4. Click Settings and select Web Reputation Settings.
    5. For both external and internal agents, enable the Web Reputation Policy.
    6. Enable the Check HTTPS URLs option.
    7. Select the Medium security level for the policy.
    8. Click Browser Exploit Prevention and enable Block pages containing malicious script.
    9. Configure the Approved/Block URL list.

       Add the URLs of the websites to be approved or blocked. By default, Trend Micro and Microsoft websites are included in the Approved list.

    10. Select whether to allow agents to send logs to the OfficeScan server. This option is used to analyze URLs blocked by WRS.
    11. Click Apply to All Agents.
    12. On Internet Explorer, enable the TmBpIeBHO Class, which is the Browser Exploit Prevention add-on.

    Figure 6. Enabled TmBpIeBHO Class

    1.8 > Configure Global C&C Callback Settings

    Administrators can configure OfficeScan to log all the connections between agents and confirmed Command & Control (C&C) IP addresses. The Trend Micro C&C Contact Alert Services provide enhanced detection and alert capabilities to mitigate the damage caused by Advanced Persistent Threats (APT) and targeted attacks.

    1. Navigate to Agents > Agent Management.
    2. Select the group/domain to apply the settings to.
    3. Click Settings > Suspicious Connection Settings.
    4. Enable the following:
       - Log network connections made to addresses in the Global C&C IP list
       - Log and allow access to User-defined Blocked IP list addresses
       - Log connections using malware network fingerprinting
       - Clean suspicious connections when a C&C callback is detected
    5. Click Apply to All Agents and click Close.
    6. Click Settings > Additional Service Settings.
    7. Under Suspicious Connection Service, select Enable service on the following operating systems.
    8. Click Apply to All Agents, and then click Close.

    1.9 > Enable Smart Feedback

    The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort in gathering, analyzing, and resolving threats. It not only increases the detection rate, but also provides a quick practical scenario. It also benefits the customers by ensuring they get the latest protection in the shortest possible time.

    1. On the OfficeScan server, log in to the management console.
    2. Click Administration > Smart Protection > Smart Feedback.
    3. Check the Trend Micro Smart Feedback option.
    4. Click Save.

    1.10 > Enable Behavior Monitoring

    OfficeScan constantly monitors computers or endpoints for unusual modifications in the operating system or installed software.

    Administrators can create exception lists that allow certain programs to start despite violating a monitored change. In addition, programs with valid digital signature or certification are always allowed to start. It is also possible to set an exception list that completely blocks certain programs.

    To configure the Behavior Monitoring's Malware Blocking feature:

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
    3. Tick the Enable Malware Behavior Blocking for known and potential threats checkbox and choose Known and potential threats in the drop-down menu.
    4. Check the following options:
       - Protect documents against unauthorized encryption or modification
       - Block processes commonly associated with ransomware
       - Enable Event Monitoring
    5. Click Apply to All Agents.

    Figure 7. Behavior Monitoring Settings

    Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of the files downloaded through HTTP channels or email applications. After detecting a newly encountered file, administrators can choose to prompt the users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network.

    To enable the Behavior Monitoring feature to monitor the newly encountered files:

    1. On the OfficeScan server management console, go to Agents > Global Agent Settings.
    2. Under Behavior Monitoring Settings, check Prompt users before executing newly encountered programs downloaded through HTTP or email applications.
    3. Click Save.

    1.11 > Configure Global Agent Settings

    The Global Agent Settings are the advanced settings that apply to all the OfficeScan agents within the network.

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Global Agent Settings.
    3. Under OfficeScan Service Restart, select Automatically restart any OfficeScan agent service if the service terminates unexpectedly.
    4. Click Save.

    1.12 > Configure Agent Self-protection

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Agent Management.
    3. Select the group/domain to apply the settings to.
    4. Click Settings and select Privileges and Other Settings.
    5. Click the Other Settings tab.
    6. Enable the following Agent Self-protection options:
       - Protect OfficeScan agent services
       - Protect files in the OfficeScan agent installation folder
       - Protect OfficeScan agent registry keys
       - Protect OfficeScan agent processes
    7. Click Apply to All Agents and click Close.

    1.13 > Configure Device Control

    Device Control provides a feature that regulates the access to external storage devices and network resources connected to the computers. It prevents data loss and leakage and guards against security risks.

    By default, the Device Control feature is enabled but all devices have full access.

    1. On the OfficeScan server, log in to the management console.
    2. Go to Agents > Agent Management.
    3. Select the group/domain to apply the settings to.
    4. Click Settings and select Device Control Settings.
    5. Check the Enable Device Control option for both external and internal agents.
    6. Enable the Block the AutoRun function on USB storage devices option.

    1.13.1 Permissions for Storage Devices

    Configure the permission settings according to the user's preference.

    - Allow access to USB storage devices, CD/DVD, floppy disks, and network drives. It is possible to grant full or limited access to these devices. Limiting the level of access allows the programs on storage devices to have Modify, Read and Execute, or Read and List device content only.
    - Configure the list of approved USB storage devices. Device Control allows you to block access to all USB storage devices, except those in the list of approved devices. It is possible to grant full or limited access to the approved devices.

    1.14 > Disable Roaming Mode for Machines in the Network

    Trend Micro recommends disabling roaming mode for the machines located in the Local Area Network (LAN).

    1. Log in to the OfficeScan management console.
    2. Go to Agents > Agent Management.
    3. Select the group/domain to apply the settings to.
    4. Click Settings > Privileges and Other Settings.
    5. On the Privileges tab, select Roaming.
    6. Uncheck the Enable roaming mode option if it is enabled for LAN machines. Otherwise, leave it as is.

    1.15 > Install Intrusion Defense Firewall (IDF) plug-in

    For more information, refer to this link: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=3795&lang_loc=1

    1. Log in to the OfficeScan management console.
    2. Click Plug-ins.
    3. Under Intrusion Defense Firewall, click Download.

    NOTE: Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager. This requires a new activation code. Please contact sales to obtain a license.

    1.16 > Anti-Threat Tool Kit

    Trend Micro Anti-Threat Toolkit (ATTK) is a collection of tools including the general on-demand scanner, suspicious file collector, specific malware cleaner, and others. The on-demand scanner supports both online and offline detection and removal of viruses, Trojans, worms, unwanted browser plug-ins, and other malware.

    The ATTK Tool can be deployed via OfficeScan ToolBox for ease and convenience. Alternatively, it can be downloaded from this link: https://spnsupport.trendmicro.com/

    1.17 > Install OfficeScan ToolBox plug-in

    OfficeScan ToolBox manages, deploys, executes, and consolidates logs for a variety of standalone Trend Micro tools.

    1. Log in to the OfficeScan management console.
    2. Click Plug-ins.
    3. Under Trend Micro OfficeScan ToolBox, download and install the plug-in.
    4. After installing the plug-in, click Manage Program to access the OfficeScan ToolBox console.
    5. Select the OfficeScan agents to deploy the ATTK package to, and then click Deploy.

    Figure 8. OfficeScan ToolBox

    6. On the Deployment Settings window, the ATTK is already selected by default. Click Deploy.
    7. When a confirmation appears stating that the tool deployment is successful, click Close. The ATTK package will be deployed on the agent in a few minutes.
    8. Go to the Logs tab to check if the ATTK deployment is being processed. Once the deployment is finished, a notification in the Tool Deployment page will appear.

    Figure 9. Deployment Settings window for ATTK

    Figure 10. Tool deployment successful

    Figure 11. ATTK Deployment Progress

    9. On the Logs tab, make sure that the result shows Completed. The file can now be downloaded and sent to Trend Micro Technical Support for analysis.
    10. Select the Feedback tab and send the Reference ID to Trend Micro Technical Support.

    Figure 12. Completed ATTK download

    Figure 13. ATTK Reference ID

    1.18 > Using the Security Compliance

    Security Compliance allows you to detect the agent computers with no installed antivirus software within the network environment. It scans the Active Directory Scope and connects to the ports used by OfficeScan servers to communicate with the OfficeScan agents.

    Security Compliance can then install the OfficeScan agent on unprotected computers.

    1. Log in to the OfficeScan management console.
    2. Click Assessment > Unmanaged Endpoints.
    3. On Active Directory Scope/IP Address Scope, click the Define Scope button.
    4. If you have more than one (1) OfficeScan server, click Advanced Settings > Specify Ports.
    5. Click Save.
    6. Click Save and Reassess. The assessment result of the machines within the Active Directory Scope appears.
    7. Highlight the machines to deploy the OfficeScan agent to and click Install.

    NOTE: If there is more than one (1) OfficeScan server installed within the environment, specify each communication port being used by OfficeScan agents to connect to the respective OfficeScan server.

    This feature can only validate machines with OfficeScan agent software installed. If a machine runs another antivirus program, it will return a blank result in the assessment.

    1.19 > Disable System Restore

    1. In Active Directory Users and Computers, select Computer Configuration.
    2. Navigate to Administrative Templates > System > System Restore.
    3. Double-click Turn off System Restore and set it to Enabled. Click OK.
    4. Close the policy and exit Active Directory Users and Computers. The changes will take effect on the next policy refresh.

    1.20 > Disable AutoRun

    1. Click Start, and then click Run.
    2. Type GPEDIT.MSC and press ENTER.
    3. Go to Local Computer Policy > Administrative Template > System.
    4. On the right pane, double-click Turn off Autoplay.
    5. On the Properties dialog box, click Enabled.
    6. Select All drives from the drop-down list.
    7. Click OK.
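Sections 1.19 (Disable System Restore) and 1.20 (Disable AutoRun) change Group Policy, so the result can be audited on an endpoint by reading the registry values those two policies write. This is an added example, not part of the Trend Micro guide; it assumes both settings were applied as computer-level policy (HKLM) and relies on the standard Windows policy values DisableSR and NoDriveTypeAutoRun.

```powershell
# Added example (not from the Trend Micro guide).
# Registry values written by the two policies, assuming computer-level (HKLM) policy.
$Checks = @(
    @{
        Policy    = 'Turn off System Restore = Enabled (section 1.19)'
        Path      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
        ValueName = 'DisableSR'
        Expected  = 1
    },
    @{
        Policy    = 'Turn off Autoplay = Enabled, All drives (section 1.20)'
        Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        ValueName = 'NoDriveTypeAutoRun'
        Expected  = 255   # 0xFF: AutoRun disabled on every drive type
    }
)

function Test-PolicyValue {
    param([Parameter(Mandatory)] [hashtable] $Check)

    $name = $Check.ValueName
    # A missing key or value means the policy has not been applied on this machine.
    $item = Get-ItemProperty -Path $Check.Path -Name $name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$name } else { $null }

    [pscustomobject]@{
        Policy    = $Check.Policy
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = ($actual -eq $Check.Expected)
    }
}

$report = foreach ($check in $Checks) { Test-PolicyValue -Check $check }
$report | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a scheduled task or management tool flag the endpoint.
if (@($report | Where-Object { -not $_.Compliant }).Count -gt 0) {
    Write-Warning 'One or more policies from sections 1.19 and 1.20 are not in effect.'
    exit 1
}
```

Run it after the next policy refresh, since the guide notes that the System Restore change only takes effect then.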

    1.21 > Run Microsoft Baseline Security Analyzer monthly

    1.21.1 Check Unpatched PC

    1. Download the tool using the link below:
       http://www.microsoft.com/en-us/download/details.aspx?id=7558
    2. For more information, follow the link below:
       http://technet.microsoft.com/en-au/security/cc184924.aspx

    1.22 > Educate users not to click on links they do not trust

    Do not open suspicious links or files, especially from instant messengers, emails from unidentified users, and pop-up windows.
