Trend Micro OfficeScan Corporate Edition (OSCE) · There are four major OSCE environment components...


  • Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Copyright 2017 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations. Released: January 2017

  • There are four major OSCE environment components that should be identified when designing the deployment. Each component is described below.

    OfficeScan Server: A server that provides the OSCE management console and stores its data in a local CodeBase database or in a local or remote SQL Server database. It uses standard HTTP or HTTPS for communication and for managed agent updates. The three basic functions of an OfficeScan server are:

    Agent configuration (Privileges and Policy settings)

    Program, scan engine, and virus pattern file update provider

    Centralized logs, report, and quarantine functionality

    OfficeScan Agent: A host reporting to a particular OSCE server. It can be configured to obtain updates from an OfficeScan server, from an update agent, or directly from the internet via the Trend Micro ActiveUpdate server. The OfficeScan agent also protects the system on which it is installed. It can be configured to use a standalone or Integrated Smart Protection Server for Smart Scan instead of conventional scan; because pattern lookups are then served from the cloud, this minimizes the total volume of pattern downloads.

    Update Agent: A regular OfficeScan agent that is designated to copy update information from an OfficeScan server and distribute it to other OfficeScan agents. Any OfficeScan agent can be configured as an update agent from the OfficeScan server management console. OfficeScan agent IP address ranges are then assigned to obtain updates from specific update agents. Update agents can push component updates, setting updates, and program/hotfix updates to agents. Older agent versions can receive program upgrades from OSCE XG update agents as long as they report to the OSCE XG update agents.

    Smart Protection Server (SPS): The Smart Protection Server provides file reputation and web reputation services through a local cloud service. When agents use Smart Scan, they send a query to the SPS while scanning files. When they use web reputation, they send URLs to the SPS. Thus, the SPS works as both a local file reputation server and a local web rating server.

    These are the two types of Smart Protection Server:

    Integrated Smart Protection Server: Installed as part of the OfficeScan server, Integrated Smart Protection Server is managed through OfficeScan management console.

    Standalone Smart Protection Server: A virtual appliance installed on a VMware, Hyper-V, or Citrix XenServer host (see the Smart Protection Server virtualization platform requirements below).

  • The following sections show the recommended software and hardware specifications for an OfficeScan environment.

    For the full list of minimum system requirements, refer to the Installation and Deployment Guide or the OfficeScan Readme. For the recommended setup based on the number of agents, check the sizing section in Chapter 3.

    The OfficeScan agent with the best available resources at a particular site should be designated as an update agent. Since this agent will serve updates to the other agents in the remote office, it must be reliable. This can be a domain controller on the site, a file server, a print server, or any endpoint that is always online. To serve its function, this agent should have an additional 700 MB of free disk space for engine and pattern storage, an additional 160 MB for program/hot fix updates, and an additional 20 KB for each domain's setting updates. Minimum requirements for update agents otherwise follow the minimum hardware requirements of OfficeScan agents.

  • The minimum hardware specifications for the Integrated Smart Protection Server are the same as the recommended requirements for the OfficeScan server, since it runs on the same machine.

    The minimum hardware specifications for standalone Smart Protection Server:

    Dual 2.0 GHz Intel Core 2 Duo 64-bit processor supporting Intel Virtualization Technology, or equivalent

    2 GB of RAM

    30 GB for virtualization requirements (35 GB recommended)

  • Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, and Web Editions) with Service Pack 1 or 2, 32-bit and 64-bit versions

    Windows Server 2008 R2 (Standard, Enterprise, Datacenter, and Web Editions), 64-bit version

    Windows Storage Server 2008 (Basic, Standard and Enterprise Edition), 32-bit version

    Windows Storage Server 2008 (Basic, Standard, Enterprise and Workgroup Edition), 64-bit version

    Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup Editions), 64-bit version

    Microsoft Windows HPC Server 2008, 32-bit and 64-bit versions

    Microsoft Windows HPC Server 2008 R2, 64-bit version

    Windows MultiPoint Server 2010, 64-bit version

    Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit version

    Windows Server 2012 (Standard and Datacenter Editions), 64-bit version

    Windows Server 2012 R2 (Standard and Datacenter Editions), 64-bit version

    Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit version

    Windows Storage Server 2012 (Standard and Workgroup Editions), 64-bit version

    Windows Server 2016 (Standard and Datacenter Editions), 64-bit version

    OfficeScan supports server installation on guest operating systems hosted on the following virtualization applications:

    VMware ESX/ESXi Server (Server Edition) 4.0, 4.1, 5.0, 5.1, 5.x, 6.0

    VMware Server (Server Edition) 1.0.3, 2

  • VMware Workstation and Workstation ACE Edition 7.0, 7.1, 8.0, 9.0

    VMware View 4.5, 5.0, 5.1

    Citrix XenDesktop 5.0, 5.5, 5.6, 7.0

    Citrix XenServer 5.5, 5.6, 6.0, 6.1, 6.2

    Citrix XenApp 4.5, 5.0, 6.0, 6.5

    Citrix XenClient 2.1

    Citrix VDI-in-a-Box 5.1

    Windows Server 2008 64-bit Hyper-V

    Windows Server 2008 R2 64-bit Hyper-V

    Windows 8 Pro/Enterprise 64-bit Hyper-V

    Windows 8.1 Pro/Enterprise 64-bit Hyper-V

    Windows Server 2012 64-bit Hyper-V

    Windows Server 2012 R2 64-bit Hyper-V

    Microsoft Windows XP (Home, Professional, Professional for Embedded Systems Editions, and Tablet PC) with Service Pack 3, 32-bit version

    Microsoft Windows XP Professional with Service Pack 2, 64-bit version

    Microsoft Windows Vista (Business, Enterprise, Ultimate, Home Premium, Home Basic, Business for Embedded Systems, and Ultimate for Embedded Systems) with Service Pack 1 or Service Pack 2, 32-bit and 64-bit versions

    Microsoft Windows 7 (Home Basic, Home Premium, Ultimate, Professional, Enterprise, Professional for Embedded Systems, and Ultimate for Embedded Systems) with or without Service Pack 1, 32-bit and 64-bit versions

    Microsoft Windows Embedded POSReady 2009, 32-bit version

    Microsoft Windows Embedded POSReady 7, 32-bit and 64-bit versions

  • Microsoft Windows 8 (Standard, Pro, and Enterprise Editions), 32-bit and 64-bit versions

    Microsoft Windows 8.1 (Standard, Pro, and Enterprise Editions), 32-bit and 64-bit versions

    Microsoft Windows 10 (Home, Pro, Education and Enterprise Editions), 32-bit and 64-bit versions

    Microsoft Windows 10 RS1 (Home, Pro, Education and Enterprise Editions), 32-bit and 64-bit versions

    Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter, and Web Editions) with Service Pack 2, 32-bit and 64-bit version

    Microsoft Windows Server 2003 R2 (Standard, Enterprise, and Datacenter) with Service Pack 2, 32-bit and 64-bit versions

    Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise, and Workgroup) with Service Pack 2, 32-bit and 64-bit versions

    Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise, and Workgroup) with Service Pack 2, 32-bit and 64-bit versions

    Microsoft Windows Compute Cluster Server 2003 (Active/Passive), 32-bit and 64-bit versions

    Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, Web Editions, and Server Core) with Service Pack 1 or Service Pack 2, 32-bit and 64-bit versions

    Microsoft Windows Storage Server 2008 (Basic Edition), 32-bit and 64-bit versions

    Microsoft Windows Storage Server 2008 (Standard, Enterprise, and Workgroup Editions) with or without Service Pack 1, 64-bit version

    Microsoft Windows Server 2008 R2 (Standard, Enterprise, Datacenter, Web Editions, and Server Core), 64-bit version

    Microsoft Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup Editions), 64-bit version

    Microsoft Windows HPC Server 2008, 32-bit and 64-bit versions

    Microsoft Windows HPC Server 2008 R2, 64-bit version

    Microsoft Windows Server 2008 Failover Clusters (Active/Passive), 32-bit and 64-bit versions

    Microsoft Windows Server 2008 R2 Failover Clusters (Active/Passive), 64-bit version

    Microsoft Windows MultiPoint Server 2010, 64-bit version

    Microsoft Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit version

    Microsoft Windows Server 2012 (Standard, Datacenter, and Server Core Editions), 64-bit version

    Microsoft Windows Storage Server 2012 (Workgroup and Standard Editions), 64-bit version

    Microsoft Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit version

    Microsoft Windows Server 2012 Failover Clusters, 64-bit version

  • Microsoft Windows Server 2012 R2 (Standard, Datacenter, and Server Core Editions), 64-bit version

    Microsoft Windows Server 2016 (Standard and Datacenter Editions), 64-bit version

    The administrator cannot remotely install the OfficeScan agent on Windows 7 x86 platforms without enabling the built-in Administrator account. Use the steps below to resolve this:

    1. Enable the Remote Registry service on the Windows 7 machine. Windows 7 disables this service by default.

    2. Use a domain administrator account to remotely install OfficeScan agents on the Windows 7 computers. Alternatively, use the built-in local Administrator account:

    a. Run the command net user administrator /active:yes from an elevated command prompt to enable the built-in Administrator account.

    b. Use that account to remotely install the OfficeScan agent on the Windows 7 machine. Disable the account again (net user administrator /active:no) once the deployment is finished; a permanently enabled built-in Administrator account with a shared password is a standard lateral-movement target.

    Smart Protection Server has the following virtualization platform requirements:

    VMware ESX 4.1 Update 1

    VMware ESX 4.0 Update 3

    VMware ESXi 5.5

    VMware ESXi 6.0 (for SPS 3.1 or up)

    VMware ESXi 5.1 Update 1

    VMware ESXi 5.0 Update 3

    VMware ESXi 4.1 Update 1

    VMware ESXi 4.0 Update 3

    Microsoft Windows Server 2008 R2 with Hyper-V

    Microsoft Windows Server 2012 with Hyper-V

    Microsoft Windows Server 2016 with Hyper-V

    Citrix XenServer 7.0 and 6.5 (for SPS 3.1 or up), 6.2, 6.0, 5.6

  • The following requirements are recommended for Trend Micro Smart Protection Server as a virtual machine:

    If you are using VMware, use CentOS 5 64-bit (Guest Operating System).

    If you are using Citrix XenServer, create a new virtual machine using the Other install media template.

    If you are using Hyper-V, create a new virtual machine and add a Legacy Network Adapter.

    Allocate at least 2 GB RAM and two (2) virtual processors for the virtual machine.

    Create a new virtual disk image that will be sufficient for the logging requirements (specify at least 30 GB of disk space).

    Allocate one (1) physical network card for the virtual switch where Trend Micro Smart Protection Server is connected.

    Requirements for remote installation of the OfficeScan agent (NT Remote Install):

    Account: Administrator or domain admin account to log in to the target hosts for installation

    Ports: NetBIOS/SMB ports (445, 137, 138, 139) for NT Remote Install

    OfficeScan agent port, which is defined during OfficeScan server installation and is saved as the Client_LocalServer_Port parameter in Ofcscan.ini

    OfficeScan virtual directory port as defined in IIS. This value must match what is defined in the OfficeScan management console under Administration > Settings > Agent Connection Settings > Port

    Bandwidth: Approximately 50 MB, which may vary depending on the current virus pattern file size

    Others: Remote Registry service is enabled on the target host

    System partition of the target host is administratively shared (C$)

    Windows XP Simple File Sharing must be disabled on the agent machines. SFS is a Microsoft feature that forces all network logons to authenticate as Guest even when other credentials are supplied. When SFS is enabled, OSCE cannot log in to the machine with the specified credentials, so the installation fails. SFS can be disabled via GPO or a registry change, or individually on each target machine under My Computer > Tools > Folder Options > View by clearing the Use Simple File Sharing (Recommended) option.
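    The Windows 7 steps above and this requirements list can be verified before a Remote Install is attempted. The script below is an added example, not Trend Micro's code: run in Windows PowerShell 5.1 on the OfficeScan server under an account that is an administrator on the targets, it probes the TCP ports, the C$ share, the Remote Registry service and (for Windows XP) the Simple File Sharing flag, and reports the agent port recorded in Ofcscan.ini so the matching firewall rule can be checked. The hostnames and PCCSRV path are assumptions; Client_LocalServer_Port and Ofcscan.ini are from the guide.

```powershell
# Added example, not Trend Micro's code: pre-flight checks for OfficeScan agent
# Remote Install. Windows PowerShell 5.1 on the OfficeScan server.
$Targets    = @('ws7-lab-01', 'ws7-lab-02')                          # assumed hostnames
$PccsrvPath = 'C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV' # assumed path

# Agent listening port as recorded by the server installer in Ofcscan.ini.
function Get-AgentPort {
    param([string]$IniPath)
    $m = Select-String -Path $IniPath -Pattern '^\s*Client_LocalServer_Port\s*=\s*(\d+)' `
                       -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($m) { return [int]$m.Matches[0].Groups[1].Value }
    return $null
}

function Test-RemoteInstallPrereqs {
    param([string]$ComputerName)
    $r = [ordered]@{ Host = $ComputerName }

    # NT Remote Install needs SMB/NetBIOS (445, 137-139). Only the TCP ports are
    # probed here; 137/138 are UDP and Test-NetConnection does not test UDP.
    foreach ($port in 139, 445) {
        $r["Tcp$port"] = (Test-NetConnection -ComputerName $ComputerName -Port $port `
                          -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # The system partition must be administratively shared (C$) and reachable
    # with the credentials of the account running this script.
    $r['AdminShareC'] = Test-Path "\\$ComputerName\C`$"

    # Remote Registry must be running; Windows 7 disables it by default.
    try {
        $r['RemoteRegistry'] = (Get-Service -Name RemoteRegistry -ComputerName $ComputerName `
                                -ErrorAction Stop).Status
    } catch { $r['RemoteRegistry'] = 'unreachable' }

    # Windows XP only: Simple File Sharing maps every network logon to Guest. It is
    # stored as HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest (1 = enabled).
    # Reading it remotely also proves the Remote Registry service really answers.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $r['OS'] = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion').GetValue('ProductName')
        $fg = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa').GetValue('ForceGuest')
        $r['SimpleFileSharing'] = if ($fg -eq 1) { 'enabled (install will fail)' } else { 'off' }
        $hklm.Close()
    } catch {
        $r['OS'] = 'registry unreachable'
        $r['SimpleFileSharing'] = 'registry unreachable'
    }

    [pscustomobject]$r
}

$agentPort = Get-AgentPort -IniPath (Join-Path $PccsrvPath 'Ofcscan.ini')
Write-Host "Agent port from Ofcscan.ini (allow it inbound on the targets): $agentPort"
$Targets | ForEach-Object { Test-RemoteInstallPrereqs -ComputerName $_ } | Format-Table -AutoSize
```

    A host that shows RemoteRegistry as anything but Running, or AdminShareC as False, will fail Remote Install before any files are copied, so fix those first; the TCP probes only show that the ports are open, not that the account has the rights the install needs.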

  • The OfficeScan server may receive and establish multiple HTTP sessions to communicate with its agents. The TCP properties of Windows can be modified to prevent delays and slowdowns caused by TCP time-wait accumulation and port exhaustion.

    Add or modify the following registry keys to improve TCP performance:

    Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort

    Data type: REG_DWORD

    Default value: 5000

    Range: 5,000 - 65,534 (port number)

    Purpose: Determines the highest port number TCP can assign when an application requests an available user port from the system

    Trend Recommendation: 65,534

    Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay

    Data type: REG_DWORD

    Default value: 0xF0 (240 seconds = 4 minutes)

    Range: 0x1E - 0x12C (30 - 300 seconds)

    Purpose: Determines the time that must elapse before TCP can release a closed connection and reuse its resources

    Trend Recommendation: 30
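    The two registry values above can be applied and read back with the script below, an added example that is not Trend Micro's code; run it elevated in Windows PowerShell on the OfficeScan server and reboot for the change to take effect. One caveat a practitioner should know: on Windows Vista/Server 2008 and later the ephemeral port range is governed by the dynamic port range (default 49152-65535) rather than by MaxUserPort, so the netsh query at the end shows what the stack is actually using; TcpTimedWaitDelay still applies on those versions. The key path, value names, defaults and ranges are the ones from this section.

```powershell
# Added example, not Trend Micro's code: apply the recommended TCP parameters and
# verify them. Run elevated; a reboot is needed before the values are honored.
$tcpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Trend Micro recommendations from this section; both are REG_DWORD.
$settings = @{
    MaxUserPort       = 65534   # highest ephemeral port TCP may hand out (5000-65534)
    TcpTimedWaitDelay = 30      # seconds a closed socket stays in TIME_WAIT (30-300)
}

function Set-TcpParameter {
    param([string]$Name, [int]$Value)
    $current = (Get-ItemProperty -Path $tcpParams -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        New-ItemProperty -Path $tcpParams -Name $Name -PropertyType DWord -Value $Value | Out-Null
        "$Name : created = $Value"
    } elseif ($current -ne $Value) {
        Set-ItemProperty -Path $tcpParams -Name $Name -Value $Value
        "$Name : $current -> $Value"
    } else {
        "$Name : already $Value"
    }
}

foreach ($kv in $settings.GetEnumerator()) { Set-TcpParameter -Name $kv.Key -Value $kv.Value }

# Read back and sanity-check against the documented ranges.
$readback = Get-ItemProperty -Path $tcpParams -Name MaxUserPort, TcpTimedWaitDelay
if ($readback.MaxUserPort -lt 5000 -or $readback.MaxUserPort -gt 65534) {
    Write-Warning 'MaxUserPort is outside 5000-65534'
}
if ($readback.TcpTimedWaitDelay -lt 30 -or $readback.TcpTimedWaitDelay -gt 300) {
    Write-Warning 'TcpTimedWaitDelay is outside 30-300 seconds'
}
$readback | Select-Object MaxUserPort, TcpTimedWaitDelay

# On Vista/2008 and later this range, not MaxUserPort, bounds ephemeral ports.
netsh int ipv4 show dynamicport tcp
```

    If the dynamic port range reported by netsh is narrower than the server needs, widen it with netsh int ipv4 set dynamicport tcp start=<port> num=<count> rather than relying on MaxUserPort alone.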

    The OfficeScan server uses Windows IIS to communicate with its agents. The application's CGI timeout can be increased to allow more time for server-agent communication. The Remote Install deployment method depends on this timeout as well: copying the installation files over a slow link may cause installation failures if it expires.

    To modify the IIS CGI settings, download and install MetaEdit or Metabase Explorer (IIS 6 metabase editors) or use IIS Manager, depending on the version of IIS in use.

  • For Microsoft IIS 7 on Windows 2008

    1. Download and install the Microsoft Administration Pack for IIS 7.0 using this link: http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1682

    As an option, use the default IIS Manager that comes with IIS 7.0.

    2. Open the IIS Manager.

    3. In Connections view, select the server and select the OfficeScan site.

    4. In Features view, double-click CGI.

    5. Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER, and click Apply.

    For Microsoft IIS 7.5, 8.0, 8.5

    1. Open the IIS Manager.

    2. In the Connections view, select the server and select the OfficeScan site.

    3. In Features view, double-click CGI.

    4. Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER, and click Apply.

    The following are the recommended permission settings for the OfficeScan folders and files. These are set by default during installation:

  • There are times when the permission might have been changed accidentally. To reset the permissions back to default:

    1. Open the command prompt.

    2. Browse to the OfficeScan server's PCCSRV folder (e.g., drive:\Program Files\Trend Micro\OfficeScan\PCCSRV).

    3. Run the following command:

    SVRSVCSETUP.EXE setprivilege

    OfficeScan XG hardens server-agent communication by authenticating the notifications and data the server sends, to protect against man-in-the-middle attacks. Authentication is implemented with a public-key infrastructure (PKI) in which the agent accepts commands only from a trusted server.

    To authenticate, the OfficeScan server signs its data with a private key and the OfficeScan agent verifies the signature with the corresponding public key. These keys are generated uniquely during the installation or upgrade of each OfficeScan server.

    If the OfficeScan server and its agents have mismatched keys, the agents reject notifications from that server. This can happen when an OfficeScan server suffers an irrecoverable crash and has to be replaced.

  • To simplify key management for OfficeScan authenticated communication:

    When managing multiple OfficeScan servers, it is recommended to use one key for all of them, which reduces management complexity. Be aware of the trade-off: a private key taken from any one server can then sign commands that the agents of every server accept, so protect the key backup as a tier-0 secret.

    On the original OfficeScan server, keep a secure copy of the key (C:\Program Files\Trend Micro\OfficeScan\AuthCertBackup\OfficeScanAuth.dat). Whenever you upgrade or install an OfficeScan XG server, import the same file.

    For more details on generating and restoring certificates, refer to OfficeScan XG Admin Guide: http://docs.trendmicro.com/all/ent/officescan/v12.0/en-us/osce_12.0_ag.pdf
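    A backup of that file is only useful if you can later tell that the copy you are about to import is the genuine, unmodified key. The script below is an added example, not Trend Micro's code: run elevated in Windows PowerShell on the original server, it copies OfficeScanAuth.dat to a restricted share, records its SHA-256 in a manifest, tightens the copy's ACL to the current user and Administrators, and provides a check to run before importing a copy on a new or rebuilt server. The backup share and manifest name are assumptions; the key path and AuthCertBackup folder are from the guide.

```powershell
# Added example, not Trend Micro's code: tamper-evident backup of the OfficeScan XG
# server authentication key and a verification step for later import.
$KeyFile   = 'C:\Program Files\Trend Micro\OfficeScan\AuthCertBackup\OfficeScanAuth.dat'
$BackupDir = '\\fileserver\osce-keys$'    # assumed: a share restricted to OfficeScan admins
$Manifest  = Join-Path $BackupDir 'OfficeScanAuth.sha256'

function Backup-OfficeScanAuthKey {
    param([string]$Source, [string]$Destination, [string]$ManifestPath)
    if (-not (Test-Path $Source)) { throw "Key file not found: $Source" }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "OfficeScanAuth-$env:COMPUTERNAME-$stamp.dat"
    Copy-Item -Path $Source -Destination $target

    # Record the hash so a copy can later be checked against the original.
    $hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    "$hash  $(Split-Path $target -Leaf)" | Add-Content -Path $ManifestPath

    # Restrict the copy to the current user and Administrators: whoever holds the
    # private key in this file can sign commands that every agent will accept.
    $acl = Get-Acl $target
    $acl.SetAccessRuleProtection($true, $false)        # stop inheriting from the share
    foreach ($id in "$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $target -AclObject $acl
    return $target
}

# Before importing a copy on another server, confirm it matches a recorded hash.
function Test-OfficeScanAuthKey {
    param([string]$Candidate, [string]$ManifestPath)
    $actual = (Get-FileHash -Path $Candidate -Algorithm SHA256).Hash
    $known  = Get-Content $ManifestPath | ForEach-Object { ($_ -split '\s+')[0] }
    return [bool]($known -contains $actual)
}

$copy = Backup-OfficeScanAuthKey -Source $KeyFile -Destination $BackupDir -ManifestPath $Manifest
"Backed up to $copy; verified: $(Test-OfficeScanAuthKey -Candidate $copy -ManifestPath $Manifest)"
```

    Keep the manifest somewhere the backup share cannot be written from (a change-controlled repository or a second share with different ACLs); a manifest stored next to the key files only detects accidental corruption, not an attacker who can write to the share.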

  • The recommendations below can be used as a guideline to determine the location and number of OfficeScan servers needed to effectively manage the LAN or WAN.

    A single OfficeScan server can manage up to 30,000 agents depending on the machine specifications. Below is a quick summary.

  • Another point for consideration is the database size. Depending on the number of logs generated, disk space usage increases as well.

    Here is a quick reference for SQL database size given the certain number of logs and agent counts:

    The table above helps to determine the initial database size of OfficeScan. These estimates are based on following assumptions:

    Default log maintenance is applied, with logs older than 7 days deleted on a weekly basis.

    Behavior Monitoring and DLP features are enabled.

    The above log types are generally major contributors in terms of the log count and data sizes.

    OfficeScan servers that manage agents across the WAN are recommended to be installed on sites with the healthiest bandwidth, which are typically datacenters or head offices.

    Consider installing a local OfficeScan server for sites with approximately 500 or more agents. This is highly recommended if the WAN bandwidth is limited for a particular site.

  • An update agent is a regular OfficeScan agent that is designated to replicate update information from an OfficeScan server for the purpose of distributing the update information to other OfficeScan agents.

    Here is a reference on the number of agents that an update agent can handle:

  • This table can be used as a template to scope the different sites and generate architecture proposal:

    Smart Protection Servers are placed in the local network, making them available to users who have access to the local corporate network. These servers are designed to localize operations within the corporate network to optimize efficiency. This network-based solution hosts the majority of the malware pattern definitions and web reputation scores. The Smart Protection Server makes these definitions available to other endpoints on the network for verifying potential threats. Queries are sent to Smart Protection Servers only if the risk of a file or URL cannot be determined at the endpoint. Endpoints use file reputation and web reputation technology to query the Smart Protection Servers and the Trend Micro Smart Protection Network as part of their regular system protection activities. Agents send only identification details computed by Trend Micro technology to Smart Protection Servers; they never send the entire file when using file reputation technology. Risk is determined from the file identification details alone.

    The integrated Smart Protection Server can be pre-installed in the OfficeScan server if the user included it during the OfficeScan server installation. These are the main reasons to install a Standalone Smart Protection Server:

    If the number of Smart Scan agents exceeds 20,000

    If the organization does not want to use the Integrated Smart Protection Server

    Load can be distributed by adding more Standalone Smart Protection Servers. Check the load balancing section below for more details.

    If latency between the branch office and the main office is high, it is recommended to install a Standalone Smart Protection Server at the branch office. If a Standalone Smart Protection Server cannot be installed or no hardware is available, it is best to switch those agents to conventional scan.

    Below are the hardware specifications used to install virtualization platforms and the guest virtual machine resource allocation for the Standalone Smart Protection Server:

  • The following table and graph show the number of agents handled by an individual Standalone Smart Protection Server meeting these performance criteria:

    Average latency time is less than 100 ms (0.1 second)

    Total HTTP request failed rate is under 0.05%

    Total mean value of CPU usage is under 80%

  • The number of endpoints shows the maximum supported iCRC v2.0 agents for one (1) TMSPS, assuming two (2) other TMSPS instances with the same load are running on the same virtualized host.

    The transaction rate is the sum of the FRS transaction rate and the WRS transaction rate per second.

  • The performance of TMSPS 3.0 has improved dramatically compared to the previous version. TMSPS 3.0 has increased the scalability by reducing the traffic between agents and TMSPS. Under the same test scenario, with three (3) TMSPS running on the same host, it could support more than twice the number of agents compared to the previous release, TMSPS 2.5.

    Enabling the Smart Protection Service Proxy on OfficeScan XG allows TMSPS 3.1 to handle Predictive Machine Learning queries.

  • For organizations that want the maximum transaction rate from FRS and WRS and can accept 100% CPU usage, CPU capability becomes the bottleneck.

    Disk I/O speed is another important factor. Pattern updates currently cause a lot of disk I/O. If the customer's environment uses external storage whose disk I/O bandwidth is shared with many other VMs (or is simply poor), overall performance may suffer.

    Disk performance can be monitored using the performance counters provided by the virtualization platform. ESXi provides the following disk-related counters:

    Kernel Latency: 0-1 ms is ideal. If > 4 ms, check the CPU usage and queue latency

    Device Latency: If > 15 ms, check for a storage array problem

    Queue Latency: 0 ms is ideal. If > 0 ms, check the storage array

    If the TMSPS virtual machine shares resources with many other VMs on the same VM host, then TMSPS must compete with other VMs for disk I/O, network traffic, CPU, and memory. TMSPS performance will suffer as a result.

    Independently of resource contention, hypervisors from different vendors deliver different performance. This may be caused by the emulated device drivers that provide the interface between the physical hardware and the virtual machine. Generally speaking, TMSPS running on ESXi has the best performance, compared to XenServer and Hyper-V.

    Smart Protection Servers can be setup in order to achieve load balancing. Load balancing will help ensure that HTTP requests are distributed among the Smart Protection Servers.

    There are two (2) ways to achieve load balancing using the OfficeScan web console:

    Random: the OfficeScan agent randomly chooses a Smart Protection Server from the Smart Protection Server list.

    Based on IP range: the OfficeScan agent connects to the server assigned to its IP range from the Smart Protection Server list.

  • Smart Protection Servers should always be installed in redundant pairs to avoid WAN saturation during a hardware failure.

    Initial scans send more requests to the Smart Protection Server. Stagger the agents' first scheduled scan in phases, especially when the Smart Protection Server is centrally located. Running scheduled scans in batches increases effective capacity and smooths iCRC network utilization.

    Use this table as a guideline to determine how many Smart Protection Servers you need in your environment. Even when one (1) Smart Protection Server is more than enough for all agents, it is still a best practice to install at least two (2) standalone Smart Protection Servers for redundancy and load balancing.

  • When opting to use the Integrated Smart Protection Server, make sure that it is actually installed and running. If the Integrated Smart Protection Server is not properly installed, Smart Scan agents disconnect and cannot utilize the cloud technology properly.

    The integrated server is intended for mid-scale deployments of OfficeScan, in which the number of agents does not exceed 20,000. For larger deployments, the standalone Smart Protection Server is recommended.

    In OfficeScan XG, the Integrated Smart Protection Server (ISPS) ports have changed. Note the new ports used below:

    To check from a browser whether the Integrated Smart Protection Server is running, first make sure the Internet Explorer setting Do not save encrypted pages to disk is not enabled.

  • After checking the setting above, type the URL below into your browser:

    https://OfficeScan_server:port/tmcss/?LCRC=08000000BCB3080092000080C4F01936DD430000

    You should see the following pop-up window, which will confirm that the Integrated Smart Protection Server is running.

    Ensure that OfficeScan agents can query at least two (2) scan servers. This prevents having a single point of failure in the event that the Smart Protection Server is unreachable. In order to take full advantage of the cloud technology, all agents must be online and connected to a Smart Protection Server.

    To add Smart Protection Servers:

    1. Go to Administration > Smart Protection > Smart Protection Sources.

    2. Choose Internal Agents tab and select the standard list or custom list based on IP address.

    3. Click Notify All Agents to push this setting.
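    The browser check above confirms one server by hand; the redundancy rule needs the same check against every server on the Smart Protection Sources list, ideally on a schedule. The script below is an added example, not Trend Micro's code: in Windows PowerShell 5.1 it requests the /tmcss/?LCRC=... URL from this section on each listed server, records the HTTP status and latency, and warns when fewer than two servers are healthy, using the 100 ms latency criterion from the standalone server sizing section. Server names and ports are assumptions (take them from your Smart Protection Sources list). Because an integrated or standalone SPS often presents a self-signed certificate, the script can override certificate validation for its own run only; Windows PowerShell 5.1 has no -SkipCertificateCheck parameter, so this is done through the .NET ServicePointManager callback and reset afterwards.

```powershell
# Added example, not Trend Micro's code: health and redundancy check for the Smart
# Protection Servers that agents are configured to use. Windows PowerShell 5.1.
$Lcrc = '08000000BCB3080092000080C4F01936DD430000'   # query string from the guide
$Servers = @(                                          # assumed names and ports
    'https://sps-01.corp.example:443',
    'https://sps-02.corp.example:443',
    'https://osce-server.corp.example:4343'            # assumed ISPS port; use your console's value
)

function Test-SmartProtectionServer {
    param([string]$BaseUrl, [string]$Query, [switch]$TrustSelfSigned)
    $url = "$BaseUrl/tmcss/?LCRC=$Query"
    if ($TrustSelfSigned) {
        # Deliberate, scoped override for self-signed SPS certificates; reset in finally.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
        $status = [int]$resp.StatusCode
    } catch [System.Net.WebException] {
        # A non-2xx answer still proves the service is up; no response at all does not.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    }
    $sw.Stop()
    [pscustomobject]@{
        Server    = $BaseUrl
        Status    = $status
        LatencyMs = $sw.ElapsedMilliseconds
        Healthy   = ($status -ge 200 -and $status -lt 400 -and $sw.ElapsedMilliseconds -lt 100)
    }
}

$results = $Servers | ForEach-Object { Test-SmartProtectionServer -BaseUrl $_ -Query $Lcrc -TrustSelfSigned }
$results | Format-Table -AutoSize

$healthy = @($results | Where-Object Healthy).Count
if ($healthy -lt 2) {
    Write-Warning "Only $healthy healthy scan server(s): Smart Scan agents have a single point of failure"
}
```

    Run this from a subnet that agents actually use, not only from the OfficeScan server: the latency that matters is the agents' path to the SPS, and a central server can easily be under 100 ms from the datacenter and well over it from a branch office.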

    Because the integrated server and the OfficeScan server run on the same computer, the computer's performance may degrade significantly during peak traffic. When possible, use a standalone Smart Protection Server as the primary source for agents and the integrated server as a backup.

    Do not use Smart Scan as the default scanning method at the root level. Always use Conventional Scan as the root-level scanning method. When selecting OfficeScan agents to use Smart Scan, always choose a regular domain instead of the root level. If Smart Scan is set at the root level and an agent is placed in a domain that uses Conventional Scan, the agent will download the Conventional Scan components.

  • Make sure the Endpoint Location settings are correct. They are found under Agents > Endpoint Location.

    The default setting is Agent connection status. This means that OfficeScan agents use the defined reference server list to determine whether they are internal or external agents.

    An agent that can connect to the OfficeScan server or to any of the listed reference servers is recognized as an internal agent, and therefore connects to the Smart Protection Server defined under Internal Agents in Smart Protection Sources.

    If no connection can be established, the agent is classified as an external agent and uses the settings under External Agents in Smart Protection Sources. By default, external agents use the global Smart Protection Network (https://osce11.icrc.trendmicro.com/tmcss).

    If the Gateway IP address setting is applied and the client computer's gateway IP address matches any of the gateway IP addresses specified on the Endpoint Location screen, the computer's location is classified as internal. Otherwise, it is classified as external.

    Optimize the performance of Smart Protection Servers by doing the following:

    Avoid performing Manual Scans and Scheduled Scans simultaneously. Stagger the scans in groups.

    Avoid configuring all endpoints to perform Scan Now simultaneously.

    Customize Smart Protection Servers for slower network connections (about 512 Kbps) by changing the ptngrowth.ini file:

    1. Open the ptngrowth.ini file in \PCCSRV\WSS\.

    2. Modify the ptngrowth.ini file using the recommended values below:

    [COOLDOWN]

    ENABLE=1

    MAX_UPDATE_CONNECTION=1

    UPDATE_WAIT_SECOND=360

    3. Save the ptngrowth.ini file.

    4. Restart the Trend Micro Smart Protection Server service.

    One of the new features in OfficeScan XG is the ability to migrate an existing database (CodeBase) to an SQL server database. This is done using the SQL Server Migration tool.

    The migration tool currently supports three (3) types of migrations:

    OfficeScan CodeBase database to a new SQL Server Express database

  • OfficeScan CodeBase database to a pre-existing SQL server database

    OfficeScan SQL database (previously migrated) that was moved to another location

    When you choose to migrate to a new SQL Server Express database, note that OfficeScan installs SQL Server 2008 R2 SP2 Express, which must be installed on a Windows Server 2008 SP2 host.

    OfficeScan XG supports SQL Server 2008, 2008 R2, 2012, 2014 and 2016. For SQL Server 2008, note that Microsoft .NET Framework 3.5 SP1 is required and that Microsoft .NET Framework 4.0 is not compatible with SQL Server 2008.

    Microsoft does not recommend installing SQL Server on a domain controller, and some configurations there are unsupported. Consider this before choosing the server on which to install the database or OfficeScan. For more information, refer to this link: http://support.microsoft.com/kb/2032911.

    User Account Control must be turned off before running the SQL migration tool on Windows Server 2008 or later when Windows Authentication credentials are used, and should be turned back on once the migration is complete. Refer to this article for details on disabling it: http://windows.microsoft.com/en-us/windows/turn-user-account-control-on-off#1TC=windows-7.

    Make sure that the OfficeScan Master Service is not running under the same domain user account used to log on to the SQL server; this can cause the service to fail to start after the migration.

    Back up the existing OfficeScan CodeBase database for recovery in case there are problems encountered during the migration. Refer to this article for more details: http://esupport.trendmicro.com/solution/en-US/1039284.aspx

    OfficeScan automatically creates the new database on the SQL server. There is no need to pre-create a blank database.

    Make sure to click the Test Connection option on the SQL migration tool before proceeding. This confirms that the settings entered are correct and verifies that the connection is possible.

    When using a Windows account to log on to the SQL server:

    For a default domain administrator account

    User name format: domain_name\administrator

    The account requires the following:

    Groups: Administrators Group

    User roles: Log on as a service and Log on as a batch job

    Database roles: dbcreator, bulkadmin, and db_owner

  • For a domain user account

    User name format: domain_name\user_name

    The account requires the following:

    Groups: Administrators Group and Domain Admins

    User roles: Log on as a service and Log on as a batch job

    Database roles: dbcreator, bulkadmin, and db_owner

    To verify the type of database in use, check the ofcserver.ini file under the OfficeScan server's Private directory (Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private).

    Look for [INI_DBE_ENGINE_SECTION] and note the value defined for DBE_ENGINE.

    DBE_ENGINE=1001 ; CodeBase

    DBE_ENGINE=1002 ; SQL Server
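The prerequisites above (UAC off, not a domain controller, Master Service account distinct from the SQL login, .NET Framework 3.5 for SQL 2008) and the ofcserver.ini check are easy to verify in one pass before running the migration tool. The following PowerShell script is an added example and is not Trend Micro's code; it only reads registry keys, WMI/CIM and the INI file. The ofcserver.ini path, the section name and the 1001/1002 values come from the guide; the account name passed to the function is a placeholder.

```powershell
# Added example, not Trend Micro's code: read-only pre-flight checks for the CodeBase-to-SQL
# migration prerequisites listed above. Run in an elevated PowerShell session on the OfficeScan server.

function Get-OfficeScanDbEngine {
    param(
        # Default path is the Private directory named in the guide; adjust if OfficeScan is installed elsewhere.
        [string]$IniPath = "${env:ProgramFiles(x86)}\Trend Micro\OfficeScan\PCCSRV\Private\ofcserver.ini"
    )
    if (-not (Test-Path -LiteralPath $IniPath)) { throw "ofcserver.ini not found at $IniPath" }

    # Walk the INI until inside [INI_DBE_ENGINE_SECTION], then map DBE_ENGINE to its meaning.
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'INI_DBE_ENGINE_SECTION')
            continue
        }
        if ($inSection -and $trimmed -match '^DBE_ENGINE\s*=\s*(\d+)') {
            switch ($Matches[1]) {
                '1001'  { return 'CodeBase' }
                '1002'  { return 'SQL Server' }
                default { return "Unknown ($($Matches[1]))" }
            }
        }
    }
    return 'DBE_ENGINE not set'
}

function Test-SqlMigrationPrereqs {
    param(
        # The Windows account you will type into the SQL migration tool (placeholder name).
        [Parameter(Mandatory)][string]$SqlLoginAccount
    )
    $r = [ordered]@{}

    # 1. UAC must be off when using Windows Authentication on Server 2008 or later.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $r['UAC disabled (EnableLUA=0)'] = ($uac.EnableLUA -eq 0)

    # 2. SQL Server cannot be installed on a domain controller (DomainRole 4 = backup DC, 5 = primary DC).
    $r['Not a domain controller'] = ((Get-CimInstance Win32_ComputerSystem).DomainRole -lt 4)

    # 3. The OfficeScan Master Service must not run under the account used to log on to SQL Server.
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='OfficeScan Master Service'"
    $r['Master Service runs as'] = if ($svc) { $svc.StartName } else { 'service not found' }
    $r['Master Service account differs from SQL login'] = ($null -ne $svc -and $svc.StartName -ne $SqlLoginAccount)

    # 4. .NET Framework 3.5 SP1 is required for SQL Server 2008 (Install=1 under the NDP\v3.5 key).
    $net35 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    $r['.NET Framework 3.5 installed'] = ($net35.Install -eq 1)

    # 5. Which engine is in use now, per ofcserver.ini (1001 = CodeBase, 1002 = SQL Server).
    $r['Current database engine'] = Get-OfficeScanDbEngine

    [pscustomobject]$r
}

# Usage (placeholder account name):
# Test-SqlMigrationPrereqs -SqlLoginAccount 'DOMAIN\svc-osce-sql' | Format-List
```

The group memberships, the "Log on as a service" and "Log on as a batch job" rights, and the dbcreator, bulkadmin and db_owner roles listed above are not checked by this script; confirm those in Local Security Policy and in SQL Server Management Studio for the same account before clicking Test Connection in the migration tool.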

    Edge Relay is a new component in OfficeScan XG that works as a proxy between the OfficeScan server and off-premise OfficeScan agents, giving administrators visibility into, and increased protection of, endpoints that users take outside the company's intranet.

    By installing the Edge Relay server in the Demilitarized Zone (DMZ), off-premise OfficeScan agents that cannot establish a functional connection to the OfficeScan server can still send their status reports and detection logs, submit samples, and synchronize suspicious objects.

  • Sizing capacity depends on the number of off-premise OfficeScan agents. For example, if your OfficeScan server has 30,000 agents but fewer than 10% are running off-premise at a time, the minimal system requirement would be enough. Here is a quick guide on the number of off-premise agents an Edge Relay server can support.

    If more than 20,000 OfficeScan agents are expected to connect to an Edge Relay server, set up additional Edge Relay servers. Off-premise agents connect using the FQDN of the Edge Relay server, so a public IP address and FQDN are required. Off-premise agents use HTTPS (port 443) to communicate with the Edge Relay server, and the Edge Relay server uses HTTPS (port 10669) to communicate with the OfficeScan XG server(s); both default ports can be configured during setup. Ensure that any firewalls in between allow this traffic. Note also that one Edge Relay server can handle multiple OfficeScan servers, but an OfficeScan server can register to only one Edge Relay server.

    To protect communications between off-premise agents and the Edge Relay server, certificates are used to secure the data exchange channel. Make sure OfficeScan agents can connect directly to the OfficeScan server at least once so that the certificate can be deployed. Note: certificates are not included in agent install packages.

    Off-premise agents | CPU | RAM

    Up to 5,000 | 2 cores | 4 GB

    Up to 20,000 | 4 cores | 8 GB
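The sizing rule and the two port requirements above can be turned into a small planning and firewall-verification helper. The PowerShell below is an added example, not Trend Micro's code: the tier boundaries (5,000 and 20,000 agents), the hardware figures and the ports 443 and 10669 are the guide's; the Edge Relay FQDN is a placeholder, and the script assumes the Edge Relay is the side that listens on both ports (both are configurable at setup, so match what you entered there).

```powershell
# Added example, not Trend Micro's code: Edge Relay sizing and connectivity checks based on the
# guide's figures. Tier boundaries and ports come from the guide; the hostname is a placeholder.

function Get-EdgeRelaySizing {
    param([Parameter(Mandatory)][int]$OffPremiseAgents)

    # One Edge Relay server handles up to 20,000 off-premise agents; beyond that, add servers.
    $servers = [int][math]::Ceiling($OffPremiseAgents / 20000)
    if ($servers -lt 1) { $servers = 1 }
    $perServer = [int][math]::Ceiling($OffPremiseAgents / $servers)

    # Per-server hardware tier from the guide's quick table.
    if ($perServer -le 5000) { $cores = 2; $ramGb = 4 } else { $cores = 4; $ramGb = 8 }

    [pscustomobject]@{
        OffPremiseAgents = $OffPremiseAgents
        EdgeRelayServers = $servers
        AgentsPerServer  = $perServer
        CoresPerServer   = $cores
        RamGbPerServer   = $ramGb
    }
}

function Test-EdgeRelayPaths {
    param(
        # Public FQDN the off-premise agents resolve (placeholder).
        [Parameter(Mandatory)][string]$EdgeRelayFqdn,
        [int]$AgentPort  = 443,    # off-premise agent -> Edge Relay (HTTPS)
        [int]$ServerPort = 10669   # OfficeScan server <-> Edge Relay (HTTPS)
    )
    # Assumption: the Edge Relay listens on both ports. Run the 443 check from a host outside
    # the intranet to mimic an off-premise agent, and the 10669 check from the OfficeScan server.
    foreach ($p in @($AgentPort, $ServerPort)) {
        $t = Test-NetConnection -ComputerName $EdgeRelayFqdn -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target     = $EdgeRelayFqdn
            Port       = $p
            ResolvedIp = $t.RemoteAddress    # confirms the public FQDN resolves
            TcpOpen    = $t.TcpTestSucceeded # $false usually means a firewall in between
        }
    }
}

# The guide's example: 30,000 agents with fewer than 10% off-premise at a time.
Get-EdgeRelaySizing -OffPremiseAgents 3000     # 1 server, 2 cores, 4 GB (minimal requirement)
Get-EdgeRelaySizing -OffPremiseAgents 45000    # 3 servers, 15,000 agents each, 4 cores, 8 GB

# Test-EdgeRelayPaths -EdgeRelayFqdn 'edgerelay.example.com'
```

A closed port on 443 from outside the intranet means off-premise agents will silently fall back to no server contact, which is exactly the situation Edge Relay is meant to remove, so run the external check after every firewall change.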

  • The majority of the product's default configurations provide substantial security while taking server and network performance into account. The information noted below consists of different recommendations and can be used as an additional reference to either enhance security or achieve better performance.

    The following notifications in the UI show that these features are turned off by default.

    To turn on these features, administrators should go to Agents > Agent Management > Settings > Additional Service Settings and enable the service for the feature they intend to use.

  • Administrators can enable the Unauthorized Change Prevention Service on a single server platform through Additional Service Settings. Administrators can also enable or disable the Unauthorized Change Prevention Service on endpoints by selecting a root/domain/single agent/multi-select agent.

    To turn on this feature:

    1. Enable the Unauthorized Change Prevention Service (TMBMSRV.EXE) to monitor the process launch.

    Path: Agents> Agent Management > Settings > Additional service settings > Unauthorized Change Prevention Service.

    2. Enable the Web Reputation (tmproxy.exe) to monitor the file download.

    Path: Agents > Agent Management > Settings > Web Reputation Settings

    Defer scan improves the performance of file copy operations. This feature is integrated with VSAPI 9.713 or later. Originally, the OfficeScan scan engine performs two (2) scans during a file copy operation. The defer scan option adds one file scan to the scan queue and defers the other. File copy performance improves when this is enabled.

  • To enable defer scan function:

    1. Navigate to Agent Management > Global Agent Setting > Scan Settings Tab.

    2. Select the option Enable deferred scanning on file operations.

    3. Click Save.

  • SECURITY COMPLIANCE

    Manual Report

    Select an OfficeScan domain to run compliance report on the agents to see which agents are incompatible with server. In Scan Compliance view, specify one or both of the following:

    Number of days an agent has not performed Scan Now or Scheduled Scan

    Number of hours the remote or scheduled scan task has been running

    Scheduled Report

    Enabled

    Report can show status of OfficeScan agent services, components, scan compliance, and settings to find incompliant agents. This can be run on daily basis if needed. Trend Micro recommends enabling on-demand assessment to perform real-time queries for more accurate results. You can also disable on-demand assessment wherein OfficeScan queries the database instead of each agent. This option may be quicker but produces less accurate results.

    UNMANAGED ENDPOINTS

    Define Scope

    Active Directory Scope

    Select OUs containing fewer than 1000 computer accounts as a performance baseline, then increase or decrease the number of computers according to performance.

    IP Address Scope

    Choose an IP range to scan for unmanaged endpoints.

    Advanced Settings

    Specify Ports

    Make sure to add all OfficeScan server communication ports.

    Declare a computer unreachable by checking port

    Port 135

    Another port can be chosen but make sure it is a common port that will be available on all the computers.

    Settings

    Enabled

    Enable a scheduled query once a week to find computers that do not have the OfficeScan agent.

  • SCAN METHOD

    Conventional Scan

    Conventional Scan leverages anti-malware and anti-spyware components stored locally on endpoints.

    Smart Scan

    Smart Scan is now the default at the root domain level. The Smart Scan method should be selected at the domain level so that when a user installs an agent, it is easier to move from Conventional Scan to Smart Scan.

    Smart Scan leverages anti-malware and anti-spyware signatures stored in-the-cloud.

    MANUAL SCAN SETTINGS

    Files to scan:All Scannable

    Enabled

    Selecting All Scannable Files improves security by scanning all files known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.

    Scan Settings

    Scan Hidden Folders

    Enabled

    Scan Network Drive

    Enabled

    This function is not needed if the remote PC already has antivirus protection. Enabling this may cause redundant scanning and performance issues.

    Scan compressed files

    Enabled

    Scanning within 2 layers is recommended. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.

    Scan OLE objects

    Enabled

    Scanning 3 layers is reasonable.

    Detect exploit code in OLE files

    Enabled

    This setting heuristically identifies malware by checking Microsoft Office files for exploit code.

    Virus/Malware Settings only | Scan Boot Area

    Enabled

  • CPU Usage | Medium

    Enabled

    Minimizes the slowdown of PCs when a scan is initiated. It is not recommended to run manual scan during working hours due to high CPU usage.

    Scan Exclusions

    Enable Scan Exclusion

    Enabled

    Apply scan exclusion settings to all scan types

    Disabled

    Exclude directories where Trend Micro products are installed

    Enabled

    MANUAL SCAN SETTINGS

    Virus/ Malware

    Use Active Action

    Enabled

    This setting will utilize the Trend Micro recommended settings for each type of virus/malware.

    Customize action for probable virus/malware

    Enabled

    Select Quarantine to have the ability to restore any files that are needed.

    Back up files before cleaning

    Enabled

    Damage Cleanup Services

    Advanced cleanup Enabled

    Run cleanup when probable virus/malware is detected

    Enabled

    Spyware/Grayware | Clean Enabled

    REAL-TIME SCAN SETTING

    Enable virus / malware scan Enabled

    Enable spyware / grayware scan Enabled

  • User Activity on Files | Scan files being created/modified and retrieved

    Created/modified and retrieved

    In cases where the system is heavily accessed such as File servers, it may be advisable to select Scan files being created / modified but only use this option if the server performance is affected.

    Files to scan | File types scanned by Intelliscan

    Enabled

    Selecting Intelliscan slightly improves performance by only scanning types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.

    REAL-TIME SCAN SETTING

    Scan Settings

    Scan floppy disk during system shutdown

    Disabled

    Scan Network Drive

    Enabled

    Scan the boot sector of the USB storage device after plugging in

    Disabled (default)

    Scan all files in removable storage devices after plugging in

    Disabled(default)

    Quarantine malware variants detected in memory

    Enabled (default)

    Scan Compressed Files

    Enabled

    Scanning 2 layers is reasonable. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.

    Scan OLE Objects

    Enabled

    Scanning 3 layers is reasonable.

    Detect exploit code in OLE files

    Enabled

    This setting heuristically identifies malware by checking Microsoft Office files for exploit code.

  • Virus/Malware Scan Settings Only | Enable Intellitrap

    Enabled

    Turn off this setting on special cases if users regularly exchange/access compressed executable files in real-time.

    Scan Exclusion

    Enable Scan Exclusion

    Enabled

    Apply scan exclusion settings to all scan types

    Disabled

    Exclude directories where Trend Micro products are installed

    Enabled

    REAL-TIME SCAN SETTING

    Virus/ Malware

    Use Active Action

    Enabled

    This setting will utilize the Trend Micro recommended settings for each type of virus/malware.

    Customize action for probable virus/malware

    Enabled

    Select Quarantine to be able to restore any files that are needed

    Display a notification message on the agent computer when virus/malware is detected

    Disabled

    Turn off this setting so that end users do not see pop-up messages, which can generate help desk calls.

    Display a notification message on the agent computer when probable virus/malware is detected

    Disabled

    Turn off this setting so that end users do not see pop-up messages, which can generate help desk calls.

    Back up files before cleaning

    Enabled

  • Damage Cleanup Services | Run Cleanup when probable virus/malware is detected

    Enabled

    Spyware/ Grayware

    Clean Enabled

    Display a notification message on the agent computer when virus/malware is detected

    Disabled

    Turn off this setting so that end users do not see pop-up messages, which can generate help desk calls.

    SCHEDULED SCAN SETTINGS

    Enable Virus / Malware Scan

    Enabled

    Turn on Scheduled Scan to scan systems on a regular basis.

    Enable spyware/grayware scan

    Enabled

    Turn on Scheduled Scan to scan systems on a regular basis.

    Schedule| Weekly on Friday 12pm

    It is suggested to scan during lunch time or after office hours if machines remain turned on.

    Files to scan | All Scannable Files

    Enabled

    Selecting All Scannable Files improves security by scanning all files known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.

    Scan settings

    Scan compressed files

    Enabled

    Scanning 2 layers is reasonable. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.

    Scan OLE objects

    Enabled

    Scanning 3 layers is reasonable.

  • Detect exploit code in OLE files

    Enabled

    This setting heuristically identifies malware by checking Microsoft Office files for exploit code.

    Virus/Malware Settings Only | Scan Boot Area

    Enabled

    CPU Usage | Medium

    Enabled

    Prevents slowdown of PCs when a scheduled scan kicks off. The scan will take longer to finish if the setting is set to Low.

    SCHEDULED SCAN SETTINGS

    Scan Exclusions

    Enable Scan Exclusion Enabled

    Apply scan exclusion settings to all scan types

    Disabled

    Exclude directories where Trend Micro products are installed

    Enabled

    Virus/ Malware

    Use Active Action

    Enabled

    This setting will utilize the Trend Micro recommended settings for each type of virus/malware.

    Customize action for probable virus/malware

    Enabled

    Select Quarantine to be able to restore any files that are needed

    Display a notification message on the agent computer when virus/malware is detected

    Disabled

    Turn off this setting so that end users do not see pop-up messages, which can generate help desk calls.

    Display a notification message on the agent computer when probable virus/malware is detected

    Disabled

    Turn off this setting so that end users do not see pop-up messages, which can generate help desk calls.

  • Back up files before cleaning

    Enabled

    Damage Cleanup Services

    Advanced cleanup Enabled

    Run cleanup when probable virus/malware is detected

    Enabled

    SCHEDULED SCAN SETTINGS

    Spyware/ Grayware

    Clean Enabled

    Display a notification message on the agent computer when virus/malware is detected

    Enabled

    Turn off this setting so that end users do not see pop-up messages, which can generate help desk calls.

    SCAN NOW SETTINGS

    Enable Virus / Malware Scan Enabled

    Enable Spyware/Grayware Scan Enabled

    Files to Scan | File Type scanned by Intelliscan

    Enabled

    Selecting Intelliscan slightly improves performance by only scanning types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.

    Scan Settings

    Scan compressed files

    Enabled

    Scanning within 2 layers is recommended. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.

    Scan OLE objects

    Enabled

    Scanning 3 layers is reasonable

  • Detect exploit code in OLE files

    Enabled

    This setting heuristically identifies malware by checking Microsoft Office files for exploit code.

    Virus/Malware Settings Only | Scan Boot Area

    Enabled

    CPU Usage |Medium

    Enabled

    Minimizes the slowdown of PCs when a scan is initiated. It is not recommended to run manual scan during working hours due to high CPU usage.

    SCAN NOW SETTINGS

    Scan Exclusion

    Enable Scan Exclusion Enabled

    Apply scan exclusion settings to all scan types

    Disabled

    Exclude directories where Trend Micro products are installed

    Enabled

    Virus/ Malware

    Use Active Action

    Enabled

    This setting will utilize the Trend Micro recommended settings for each type of virus/malware.

    Customize action for probable virus/malware

    Enabled

    Select Quarantine to be able to restore any files that are needed

    Damage Cleanup Services

    Advanced Cleanup Enabled

    Run cleanup when probable virus/malware is detected

    Enabled

    Spyware/Grayware |Clean Enabled

  • UPDATE AGENT SETTINGS

    OfficeScan agents can act as Update Agent

    Component Updates, Domain Settings, and Agent programs and hotfixes should be selected to take full advantage of Update Agents to save bandwidth and to speed up deployment.

    Component Updates Enabled

    Domain Settings Enabled

    OfficeScan agent programs and hot fixes

    Enabled

    PRIVILEGES AND OTHER SETTINGS

    Independent mode (known as roaming mode in older versions) | Enable Independent mode

    Disabled

    It is highly recommended to disable this function as it will allow users to stop communication between OfficeScan Server and agent. Independent privilege allows users to isolate their systems to avoid getting notified by the server for scans or updates. This function has nothing to do with the ability to update when the machine is off the network, such as taking a laptop home.

    Scans

    Configure Manual Scan Settings

    Disabled

    Enable this to allow users to configure their own scan setting.

    Configure Real-time Scan Settings

    Disabled

    Enable this to allow users to configure their own scan setting.

    Configure Scheduled Scan Settings

    Disabled

    Enable this to allow users to configure their own scan setting.

    Scheduled Scans

    Postpone Scheduled Scan

    Disabled

    Enable this to allow users to stop the Scheduled scan when it is triggered.

    Skip and stop scheduled Scan

    Disabled

    Enable this to allow users to stop the Scheduled scan when it is triggered.

  • Firewall (if you have firewall activated)

    Display the Firewall tab on the Agent console

    Enabled

    Allow users to enable/disable the firewall, Intrusion Detection System, and the firewall violation notification message

    Disabled

    Enable this to allow users to configure their own firewall settings other than what is set on the OfficeScan server.

    Allow agents to send firewall logs to the OfficeScan Server

    Disabled

    Keep this disabled unless necessary as it increases traffic between the server and agents.

    PRIVILEGES AND OTHER SETTINGS

    Behavior Monitoring | Display the Behavior Monitoring tab on the agent console.

    Disabled

    Trusted Program List Disabled

    Mail Scan | Display the Mail Scan tab on the agent console

    Disabled

    Since most enterprises do not use POP3, this tab can be hidden from users to avoid confusion. If this setting is allowed, users can install this tool from the OSCE agent GUI.

    Proxy Settings | Allow the Agent user to Configure proxy Settings

    Enabled

    Enable this to allow users to configure proxy to update from internet; otherwise this can be turned off.

    Component Updates

    Perform Update Now

    Enabled

    Enable this to allow users to initiate an update manually by right-clicking the OSCE icon in their system tray.

    Enable Scheduled Update

    Disabled

    Leave this option disabled so users cannot turn off scheduled updates. This will keep users up to date with the latest signatures.

  • Unloading | Unloading the OfficeScan agent and unlocking advanced agent settings

    Enabled

    Enable this to prevent users from unloading OfficeScan agent from their system.

    Uninstallation | Uninstalling the OfficeScan agent

    Enabled

    Enable this to prevent users from uninstalling OfficeScan agent from their system.

    PRIVILEGES AND OTHER SETTINGS

    Update Settings

    OfficeScan agents download updates from the Trend Micro ActiveUpdate Server

    Enabled

    Enable this function to allow agents to update from Trend Micro Active Update servers whenever the OfficeScan agent cannot contact the OfficeScan server or the Update Agents. This is especially helpful for users who travel with their laptop or bring their laptops home, keeping them up-to-date all the time.

    Enable Scheduled Updates on OfficeScan agents

    Enabled

    Aside from notifications from the OfficeScan server for updates, this function allows OfficeScan to check for updates on a scheduled basis. Update checking is done in the background and no user intervention is required.

    OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes

    Disabled

    Enable this function in environments where bandwidth is limited. This allows agents to update their regular signatures and engines while avoiding the download of hotfixes or program updates from the OfficeScan server.

    Web Reputation Settings | Display a Notification when a web site is blocked

    Enabled

    Turn this off to avoid getting popups when websites are blocked.

    Behavior Monitoring Settings | Display a notification when a program is blocked

    Enabled

    Enable this function to avoid confusion among users as to why a certain program won't run.

    C&C Contact Alert Settings | Display a notification when a C&C callback is detected

    Enabled

    Enable this function to receive notifications on C&C callbacks.

  • Central Quarantine Restore Alert Settings | Display a notification when a quarantine file is Restored

    Disabled

    Enable this function to get notifications when quarantined files are restored.

    Predictive Machine Learning Settings Enabled

    PRIVILEGES AND OTHER SETTINGS

    OfficeScan agent Self-protection

    Protect OfficeScan agent services

    Enabled

    Protect files in the OfficeScan agent installation folder

    Enabled

    Protect OfficeScan agent registry keys

    Enabled

    Protect OfficeScan agent processes

    Enabled

    Scheduled Scan Settings | Display a notification before a scheduled scan occurs

    Disabled

    Cache Settings for Scans

    Enable the digital signature cache

    Enabled and set to 28 days.

    Enable the on-demand scan cache

    Disabled

    If on-demand scans seldom run, enabling this is not necessary since the console settings are satisfactory. If you want to enable it, extending the expiration would be the better option.

    POP3 Email Scan Settings | Scan POP3 email

    Disabled

    Enable this only when using POP3 mail in the network. When selected, this setting enables POP3 mail scan on the agent console.

    Note that this setting only applies to agents with the mail scan privileges.

  • PRIVILEGES AND OTHER SETTINGS

    OfficeScan Agent Console Access Restriction | Do not allow users to access the agent console from the system tray or Windows Start menu

    Disabled

    In environments where any user changes are prohibited, this function allows administrators to restrict users from accessing the OfficeScan agent console.

    Restart Notification | Display a notification message if the agent computer needs to restart to finish cleaning infected files.

    Enabled

    ADDITIONAL SERVICES

    Unauthorized Change Prevention Service

    Enabled

    Unauthorized Change Prevention Service regulates application behavior and verifies program trustworthiness. Behavior Monitoring, Device Control, Certified Safe Software Service, and Agent Self-protection all require this service. If an administrator wants to allow this service on a server, a single server must be selected to view the option to enable this service.

    Firewall Service

    This setting will turn on the firewall service on the OfficeScan agents.

    WARNING: Enabling this service will temporarily disconnect the OfficeScan agent from the network.

    Suspicious Connection Service

    The Suspicious Connection Service provides advanced protection against Command & Control callbacks through the following features:

    User-defined IP Approved and Blocked lists

    Global C&C IP List

    Malware network fingerprinting

    Advanced Protection Service

    Advanced Protection Service facilitates advanced scanning and protection features. Behavior Monitoring and Browser Exploit Prevention require this service.

  • WEB REPUTATION SETTINGS

    External Agents Tab

    Enable Web Reputation Policy on the following operating systems

    Enabled

    Enable this feature to protect agents from web threats when they are not connected to the internal network. Enabling this protects them from accessing malicious sites.

    Enable assessment

    Disabled

    Administrators can enable assessment to monitor the type of detections before deploying Web Reputation. When assessment is turned on, OfficeScan will not take any action.

    Check HTTPS URLs

    Enabled

    Scan common HTTP ports only

    Disabled

    When disabled, WRS will scan all HTTP URLs regardless of their port information. If enabled, only URLs with no port information or those that point to ports 80, 81, or 8080 will be scanned.

    Security Level | Medium Enabled

    Untested URLs | Block pages that have not been tested by Trend Micro

    Enabled

    Note that any website that has not been tested by Trend Micro will be blocked if this is enabled.

    Browser Exploit Prevention | Block pages containing malicious script

    Enabled

    Agent Log | Allow agents to Send Logs to the OfficeScan Server

    Enabled

    Depending on security requirements, you may or may not want to monitor what sites are being blocked on the agent side. On the other hand, turning this on will generate traffic between server and agents.

  • WEB REPUTATION SETTINGS

    Internal Agents Tab

    Enable Web Reputation Policy on the operating systems

    Enabled

    If there is already web security on the gateway, this may be turned off.

    Enable assessment

    Disabled

    Administrators can enable assessment to monitor the type of detections before deploying Web Reputation. When assessment is turned on, OfficeScan will not take any action.

    Check HTTPS URLs

    Enabled

    Scan common HTTP ports only

    Disabled

    When disabled, WRS will scan all HTTP URLs regardless of their port information. If enabled, only URLs with no port information or those that point to ports 80, 81, or 8080 will be scanned.
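The "Scan common HTTP ports only" note appears for both the External Agents tab and the Internal Agents tab above; the practical consequence of leaving it enabled is that an HTTP URL on any other port is never sent for a reputation lookup. The PowerShell below is an added example, not Trend Micro's code: it encodes only the rule the guide states (no port, or port 80, 81 or 8080), with Check HTTPS URLs modelled as a separate switch, and the sample URLs are constructed.

```powershell
# Added example, not Trend Micro's code: shows which URLs the "Scan common HTTP ports only"
# restriction would leave unchecked. Port list is the guide's; the sample URLs are constructed.

function Test-WrsUrlInScope {
    param(
        [Parameter(Mandatory)][string]$Url,
        [bool]$CommonPortsOnly = $false,   # the guide recommends Disabled
        [bool]$CheckHttpsUrls  = $true     # the guide recommends Enabled
    )
    $uri = [System.Uri]$Url
    if ($uri.Scheme -eq 'https') { return $CheckHttpsUrls }   # governed by "Check HTTPS URLs"
    if ($uri.Scheme -ne 'http')  { return $false }            # WRS only rates web URLs
    if (-not $CommonPortsOnly)   { return $true }             # recommended setting: every HTTP URL is rated
    # Restriction on: only URLs with no explicit port, or ports 80/81/8080, are rated.
    return $uri.IsDefaultPort -or ($uri.Port -in 80, 81, 8080)
}

# Constructed sample: same host, different ports. The 8443 plain-HTTP case is the blind spot.
$sample = 'http://example.com/', 'http://example.com:8080/a', 'http://example.com:8443/a', 'https://example.com:8443/a'
foreach ($u in $sample) {
    [pscustomobject]@{
        Url                 = $u
        RatedWithRestriction = Test-WrsUrlInScope -Url $u -CommonPortsOnly $true
        RatedAsRecommended   = Test-WrsUrlInScope -Url $u -CommonPortsOnly $false
    }
}
```

Run against your own proxy or web-server logs (the URL column) to see how many requests in your environment would fall outside the restricted port set before deciding to enable it for performance reasons.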

    Send queries to Smart Protection Servers

    Enabled

    Agents will send queries to Smart Protection Servers; make sure they are available. If this option is disabled, agents will need internet access to reach the Trend Micro Smart Protection Network. If an agent has no web access, it will use the approved/blocked website lists as its only web reputation data.

    Security Level | Low

    Enabled

    Internet traffic usage is lowest and browsing information is kept in house. When combined with "Use only Smart Protection Servers, do not send queries to Smart Protection Network" checked, the Security Level is always Low.

    Untested URLs | Block pages that have not been tested by Trend Micro

    Enabled

    Browser Exploit Prevention | Block pages containing malicious script

    Enabled

    Approved/Blocked URL List | Allow agents to Send Logs to the OfficeScan Server

    Enabled

    Agent Log | Allow agents to Send Logs to the OfficeScan Server

    Enabled

    Depending on security requirements, you may or may not want to monitor what sites are being blocked on the agent side. On the other hand, turning this on will generate traffic between server and agents.

  • Log network connections made to addresses in the Global C&C IP list

    Enabled

    Log and allow access to User-defined Blocked IP list addresses

    Disabled

    Enable this feature first to assess the violations, then set it to Disabled.

    Log connections using malware network fingerprinting

    Enabled

    OfficeScan performs pattern matching on packet headers. OfficeScan logs all connections made by packets with headers that match known malware threats using the Relevance Rule pattern.

    Clean suspicious connections when a C&C callback is detected

    Enabled

    OfficeScan uses GeneriClean to clean the malware threat and terminate the connection to the C&C server.

    Enable Malware Behavior Blocking for known and potential threats

    Known Threats

    Enable this setting to protect your agents from specific threats, threat types and threat families through behavior analysis.

    Enable Event Monitoring

    Enabled

    Enable this to monitor system events and filter potentially malicious actions. Refer to the list below for recommended settings if this is enabled.

    Exceptions (Approve/Block)

    Enter the full path of programs you want to exempt from Behavior Monitoring or directly block.

    Policies (Under Event Monitoring if Enabled)

    The Assess action will log events that violate the policy but will not take action. To avoid interfering with normal activity, it is recommended that administrators start with this action set for all policies. This would help them define the proper action they need to take once data is available.

  • Policy | Action

    Duplicated System File | Assess

    Hosts File Modification | Assess

    Suspicious Behavior | Assess

    New Internet Explorer Plugin | Assess

    Internet Explorer Setting Modification | Assess

    Security Policy Modification | Assess

    Program Library Injection | Assess

    Shell Modification | Assess

    New Service | Assess

    System File Modification | Assess

    Firewall Policy Modification | Assess

    System Process Modification | Assess

    New Startup Program | Assess

    External Agents Tab

    Enable Device Control

    Enabled

    Enable this setting to take advantage of the Block auto-run function on USB devices but leave Full Access permissions for the devices unless there is a need to control them due to virus outbreaks/data leak prevention.

    Apply all settings to internal agents Disabled

    Block auto-run function on USB storage devices

    Enabled

    Enable this to prevent the potential threat that auto-run can cause.

    Storage Devices

    CD/DVD Full Access

    Floppy Disks Full Access

    Network Drives Full Access

    USB storage devices Full Access

  • External Agents Tab

    Program Lists

    Programs with read and write access to storage devices

    Enter the full path of programs to allow write access to storage devices.

    Programs on storage devices that are allowed to execute

    Enter the full path of programs to allow execution.

    Notification | Display a notification message on the agent computer when OfficeScan detects unauthorized event

    Enabled

    Enable this when Device Control Access is not set to Full Access to avoid causing confusion to users as to why they cannot access their drives fully.

    Internal Agents Tab

    Enable Device Control

    Enabled

    Enable this setting to take advantage of the Block auto-run function on USB devices but leave Full Access permissions for the devices unless there is a need to control them due to virus outbreaks/data leak prevention.

    Apply all settings to external agents Disabled

    Block auto-run function on USB storage devices

    Enabled

    Enable this to prevent the potential threat that auto-run can cause.

    Storage Devices

    CD/DVD Full Access

    Floppy Disks Full Access

    Network Drives Full Access

    USB storage devices

    Full Access

    Program Lists

    Programs with read and write access to storage devices

    Enter the full path of programs to allow write access to storage devices.

    Programs on storage devices that are allowed to execute

    Enter the full path of programs to allow execution.

    Notification | Display a notification message on the agent computer when OfficeScan detects unauthorized event

    Enabled

    Enable this when Device Control Access is not set to Full Access to avoid causing confusion to users as to why they cannot access their drives fully.

  • Below are the available agent grouping methods:

    NetBIOS domain (only used during agent installation)

    Active Directory domain

    DNS domain

    Custom agent groups (can be used anytime to group the agents)

    o Automatic Agent Grouping

    o Schedule Domain Creation

    Automatic Agent Grouping lets administrators group agents by Active Directory container or by IP address range. Scheduled Domain Creation only creates the domains in the agent tree; it can take a long time to complete when the scope is broad, and it does not move existing agents into the new domains. To move them, custom agent grouping must be used.

    Agents can be moved manually (sort agents), or OfficeScan moves them automatically when one of the following events occurs:

    Agent installation

    Agent reload

    Change of an agent's IP address

    Agent enabling or disabling roaming mode

    Scan Settings

    Exclude the OfficeScan server database folder from Real-time Scan

    Enabled. Prevents the OfficeScan database from being corrupted.

    Exclude Microsoft Exchange server folders from scanning

    Enabled. Prevents OfficeScan from interfering with mail being processed by the Exchange server and with the antivirus product that scans mail traffic.

    Enable deferred scanning on file operations

    Disabled. This option can be enabled to improve the performance of file copy operations.

    Enable Early Launch Anti-Malware protection on endpoints

    Enabled

  • Scan Settings for Large Compressed Files

    Configure scan settings for large compressed files

    Enabled

    This option skips scanning of files inside compressed files that exceed the limits below, to improve performance. Files skipped here are still subject to Real-time Scan once they are extracted to disk.

    Real-time scan

    Do not Scan files (in a compressed file) if size exceeds

    2 MB

    In a compressed file, scan only the first X files

    10 files

    Manual Scan/ Scheduled Scan/ Scan Now

    Do not Scan files (in a compressed file) if size exceeds

    30 MB

    In a compressed file, scan only the first X files

    100 files

    Virus/Malware Scan Settings only | Clean/Delete infected files within compressed files

    Enabled

    Spyware/Grayware Scan Settings Only | Enable Assessment Mode

    Enabled

    Turn this on for a recommended period of at least 3 weeks so administrators can assess spyware/grayware detections across the network. While assessment mode is on, detections are only logged and no action is taken on them, which lets the administrator check for false positives, especially on in-house applications. Turn it off once the assessment is complete, since nothing is cleaned while it is enabled.

    Scan for Cookies

    Enabled

    Turn on to allow cookie scanning and cleaning.

    Count Cookie into spyware log

    Disabled

    Turn this off so that cookie detections do not flood the log database.

  • Scheduled Scan Settings

    Remind users of the Scheduled Scan

    10 minutes before it runs

    This setting only applies to users who have the privilege to control Scheduled Scans.

    Postpone Scheduled Scan for up to

    1 hour

    ***This setting only applies to users who have the privilege to control Scheduled scans.

    Automatically stop Scheduled Scan when scanning lasts more than

    Disabled

    Skip Scheduled Scan when a wireless computer's battery life is less than

    Enabled

    Set this to 20 percent when there are many laptop users in the environment, to save battery life.

    Resume a missed scheduled scan Enabled

    Firewall Settings (If you have firewall activated)

    Send firewall logs to the server every

    4 hours

    Set this to every 4 to 8 hours, or daily if the logs are rarely needed, so that agents do not saturate the network by sending logs at short intervals.

    Update the OfficeScan firewall driver only after a system reboot

    Enabled

    With this setting, agents load a new firewall driver only at the next reboot, so there is no loss of network connectivity while the driver is replaced. It applies only to updates/upgrades delivered through the OfficeScan server.

    Send firewall log information to the OfficeScan Server hourly to determine the possibility of a firewall outbreak.

    Enabled

    Suspicious Connection Settings

    Define customized Approved and Blocked IP lists used to detect C&C callbacks

    Define approved or blocked IP addresses, IP ranges or subnets for C&C callback detection.

    Behavior Monitoring Settings

    Automatically take action if user does not respond within X seconds.

    30 seconds (default)

    If the timeout is reached, Behavior Monitoring blocks the program automatically.

  • Certified Safe Software Service Settings

    Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and antivirus scans.

    Disabled

    When enabled, the OfficeScan agent will query the Trend Micro back-end servers via Internet to reduce Behavior Monitoring false alarms.

    Smart Protection Service Proxy

    Use configured Smart Protection Sources for service queries

    Disabled (default)

    Can reduce direct queries from agents to the Trend Micro Smart Protection Network, but requires Smart Protection Server 3.1 or later. If the Integrated Smart Protection Server is used, HTTPS scan queries must be enabled as well: Administration > Smart Protection > Integrated Server: Use HTTPS for scan queries (the default is HTTP).

    Updates

    Download only the pattern files from the Active Update server when performing updates

    Disabled

    Reserve X MB of disk space for updates

    Enabled (60 MB)

    OfficeScan Service Restart

    Automatically restart an OfficeScan agent service if the service terminates unexpectedly

    Enabled

    Restart the service after 1 minute

    If the first attempt to restart the service fails, retry

    6 times

    Reset the restart failure count after 1 hour

  • Proxy Configuration

    Automatically detect settings

    Enabled

    To allow auto detection of proxy for updates, this can be enabled.

    Preferred IP Address

    Agents with IPv4 and IPv6 addresses register to the server using

    IPv4 first, then IPv6

    Server-Agent Communication

    AES-256 encryption for communication between the OfficeScan server and OfficeScan agents.

    Disabled

    Increases the security of server-agent communication, but older OfficeScan agent versions that cannot decrypt AES-256 traffic will lose their connection to the server completely. Confirm that every agent is on a version that supports it before enabling, and enable with caution.

    Virus/Malware Log Bandwidth Settings

    Enable OfficeScan agents to consolidate network virus logs and send them to the OfficeScan Server hourly

    Enabled

    This lets an agent send a single consolidated log entry for repeated detections of the same virus at the same location within the period, instead of one entry per detection.

    Unreachable Network

    Server Polling: Specify the IP range of the unreachable network and how often agents in it should poll the server.

    Heartbeat

    Allow agents to send heartbeat to the server

    Enabled

    Only agents in the unreachable network need to send heartbeats, since all other agents are in direct contact with the server.

    Agents send a heartbeat every 10 minutes

    The agent is offline if there is no heartbeat after 60 minutes

    General Settings

    Add Manual Scan to the Windows shortcut menu on agent computers

    Disabled

    Alert Settings

    Show the alert icon on the Windows taskbar if the virus pattern file is not updated after X days

    Disabled

  • Display a notification message if the agent computer needs to restart to load a kernel mode driver

    Enabled

    Agent Language Configuration

    The OfficeScan agent program applies the following language setting:

    Enable: OfficeScan server language

    Agent Connection status (edit reference server list)

    Disabled

    ***Gateway addresses can be entered instead of reference list to determine whether OfficeScan agents are online or offline.

    Gateway IP address / MAC address (optional)

    Enable Scheduled Verification

    Enabled Daily at 10:30am

    ***This lets the server recheck the status of agents on the network; schedule it for a time when most agents are already online.

    Log Maintenance

    Enable Scheduled Deletion

    Enabled

    Enable this to keep the log database at a manageable size and avoid performance problems on the OSCE server when retrieving logs. If Control Manager is used, the logs are also sent there, so there is no need to keep two copies; reports can be generated from Control Manager. Ensure all log types are selected. If Control Manager is not in use, confirm that the retention period below is long enough for incident investigation before shortening it.

    Logs to Delete

    Logs older than 7 days

    Delete old logs to keep the log database small enough for efficiency.

  • Log Deletion Schedule

    Daily at 2 AM

    Run this every day. 2 AM is suggested because traffic to the server is low and the purge completes before the system backup starts. The OfficeScan server performs its own database maintenance around midnight, so avoid scheduling during that window.

    Server

    Enable scheduled update of the OfficeScan server

    Enabled

    Update Schedule

    Hourly

    It is best to check on a more regular basis to get the latest updates.

    Agents Automatic Updates

    Initiate component update on agents immediately after the OfficeScan Server downloads a new component

    Enabled

    Include Independent and offline agent(s)

    Disabled

    It is unnecessary if the agents are offline and unreachable.

    Let agents initiate component update when they restart and connect to the OfficeScan Server (roaming agents are excluded)

    Enabled

    Agents are sometimes offline when the server downloads updates from the Internet. This setting lets those agents get the updates from the server when they come back online.

    Perform Scan Now after update (excluding roaming agents)

    Disabled

    A full scan immediately after every update is not necessary; the scheduled scan is normally sufficient.

    Schedule-based Update

    Enabled

    Depending on the number of agents the server manages, set this to between every 2 hours and every 4 hours. This controls how often agents check for updates from the OfficeScan server, an Update Agent or the Internet.

  • Update Source

    Standard Update Source

    Enabled

    Enable this if no Update Agents are used, or to let agents fall back to the OfficeScan server when Update Agents are unavailable.

    Customized Update Source | Update Agents update components, domain settings, and agent programs and hot fixes, only from the OfficeScan server

    Enabled

    Enable this to have Update Agents always update from the OfficeScan server.

    Components

    Disabled

    Leave this disabled so that OfficeScan agents get pattern and engine updates strictly from Update Agents.

    Domain Settings

    Enabled

    Domain settings are small enough that agents can fetch them from the OfficeScan server whenever Update Agents are unavailable.

    OfficeScan agent programs and hot fixes

    Disabled

    Do not enable this unless OfficeScan agents are allowed to upgrade directly from the OfficeScan server; depending on the network, it can cause bandwidth problems.

  • Smart Protection Sources

    Internal Agents

    Use standard list (for all Internal Agents)

    The settings configure the agents to check the Scan Servers in the order specified on the list. Integrated Smart Protection Server will always be the last.

    Use custom lists based on agent IP address

    Use this setting to choose which Smart Protection Server each agent uses. It is recommended that each sub-site has its own Smart Protection Server.

    Use standard list if custom list becomes unavailable

    Enabled

    To ensure full redundancy when the custom Smart Protection Server list is unavailable, the agent should fall back to the standard list.

    Integrated Server

    Enable File Reputation Services

    Enable this check box if the Integrated Smart Protection Server will be used. The Integrated Smart Protection Server should not serve more than 20,000 agents in a primary role; above that, install a standalone Smart Protection Server and keep the Integrated Smart Protection Server as a backup only.

    Use HTTP for scan queries

    HTTP (default)

    Note: Enable HTTPS if using Smart Protection Proxy

    Enable Web Reputation Service

    Enabled

    Update Settings

    Enable scheduled updates every 15 mins

  • Active Directory Integration

    Active Directory Domains: Add the Active Directory domains that OfficeScan associates with the agent tree.

    Encrypt Active Directory Credentials

    Specify an encryption key and file path to ensure an additional layer of protection for your Active Directory credentials.

    Scheduled Synchronization

    Enable Scheduled Active Directory synchronization

    Enabled

    Administrators can set the scheduled synchronization daily.

  • Criteria

    Virus/Malware | Send notifications only when the action on the virus/malware is unsuccessful

    Enabled

    Enable this to be notified only when an action on the virus/malware failed.

    Spyware/Grayware | Send notifications only when the action on the spyware/grayware is unsuccessful

    Enabled

    Enable this to be notified only when an action on the spyware/grayware failed.

    C&C Callbacks | Send notifications only when the risk level of the callback address is High

    Enabled

    Outbreak Notifications

    Virus/ Malware

    Unique Sources 1

    Detections 100

    Time Period 24 hrs.

    Spyware/ Grayware

    Unique Sources 1

    Detections 100

    Time Period 24 hrs.

    Firewall Violations

    Monitor Firewall violations on networked computers

    Enabled

    Enable this to alert administrators when there are suspicious firewall violations.

    IDS Logs 100

    Firewall Logs 100

    Network Virus Logs

    100

    Time Period 1 hr.

    Shared Folder Session

    Monitor Shared Folder session on your network

    Enabled

    Enable this to alert administrators of suspicious network sessions being generated.

    Shared Folder Sessions 100

    Time Period 3 min

  • Proxy

    Internal Proxy

    Agent Connection with the OfficeScan server computer

    Disabled

    Leave this disabled unless OfficeScan agents need an intranet proxy to reach the OfficeScan server.

    Agent Connection with the Local Smart Protection Servers

    Disabled

    Leave this disabled unless OfficeScan agents need an intranet proxy to reach the local Smart Protection Server.

    External Proxy Settings

    OfficeScan Server Computer Updates

    Enabled

    Enable this option and fill out the fields when a proxy server is required to download updates from the internet.

    Agent Connection with Trend Micro Servers

    Enabled

    Enable this and fill in the proxy details when agents must go through a proxy to reach Trend Micro servers, including credentials if the proxy requires authentication.


    C&C Callbacks

    Same compromised host

    Enabled

    Enable this to alert administrators of potentially compromised hosts performing C&C callbacks.

    C&C risk level Only High

    Action Any Action

    Detections 10

    Time period 24 hrs.

  • Inactive Agents

    Enable automatic removal of inactive agents

    Enabled

    Enable this to let OfficeScan remove agents that have been inactive for X days. If a removed agent comes back online, it is automatically re-registered and reappears in the console. Choose X with long-absent endpoints (for example travelling laptops) in mind, since removed agents drop out of the console and reports until they reconnect.

    Automatically remove an agent if inactive for X days

    7 days

    Quarantine Manager

    Quarantine folder capacity

    10240 MB

    Note that the Quarantine folder on the OfficeScan server does not clean itself up. Clean it up regularly, and keep in mind that quarantined items may be needed as evidence in an investigation, so archive them before deleting.

    Maximum size for a single file 5 MB
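The guide says the quarantine folder must be cleaned regularly but gives no procedure. The script below is an added example, not Trend Micro's own tooling: it reports how full the folder is against the capacity configured above and, only when asked, moves or deletes items older than a retention period, defaulting to report-only so nothing is destroyed by accident. The folder path (PCCSRV\Virus on drive C:), the retention period and the archive location are assumptions; check Quarantine Manager in the console for the real path.

```powershell
# Added example, not Trend Micro's own tooling. Assumptions: the server quarantine
# folder is PCCSRV\Virus on drive C: (check Quarantine Manager in the console if
# yours differs), and the retention period, which the guide does not specify.
param(
    [string]$Quarantine = 'C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Virus',
    [int]$CapacityMB    = 10240,   # the capacity configured above
    [int]$RetainDays    = 90,      # assumed; align with your incident retention policy
    [string]$ArchiveTo  = '',      # move old items here instead of deleting them
    [switch]$Delete                # default is report only
)

# Usage: .\Clean-OsceQuarantine.ps1                      (report only)
#        .\Clean-OsceQuarantine.ps1 -ArchiveTo E:\QArchive
#        .\Clean-OsceQuarantine.ps1 -RetainDays 180 -Delete

$files  = @(Get-ChildItem -LiteralPath $Quarantine -Recurse -File -ErrorAction Stop)
$usedMB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
'{0} files, {1} MB of {2} MB ({3:P0} full)' -f $files.Count, $usedMB, $CapacityMB, ($usedMB / $CapacityMB)

$cutoff = (Get-Date).AddDays(-$RetainDays)
$old    = @($files | Where-Object { $_.LastWriteTime -lt $cutoff })
$oldMB  = [math]::Round((($old | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
'{0} files older than {1} days ({2} MB)' -f $old.Count, $RetainDays, $oldMB

if ($old.Count -eq 0) { return }
if ($ArchiveTo) {
    # Keep quarantined samples for investigation, just not on the server volume.
    New-Item -ItemType Directory -Path $ArchiveTo -Force | Out-Null
    $old | Move-Item -Destination $ArchiveTo -Force
} elseif ($Delete) {
    $old | Remove-Item -Force
} else {
    'Report only; re-run with -ArchiveTo <path> or -Delete to act.'
}
```

Run it from a scheduled task in report-only mode first and look at the numbers for a few weeks before deciding on a retention period; the archive option exists because a quarantined file is often the only copy of a sample you will want during an incident review.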

    Web Console Settings

    Auto Refresh Settings | Enable Auto Refresh

    Enabled

    Set it for 30 seconds.

    Timeout Settings | Enable Timeout Setting

    Enabled

    Set it for 30 minutes.

    Database Backup

    Enable Scheduled Database Backup

    Daily at 3 AM

    The OfficeScan server performs database maintenance around midnight, and the backup should not interfere with it. Schedule the backup a few hours before or a few hours after midnight, after log purging.

  • Add or change the value to 1 to stop the Damage Cleanup Service from running every time OfficeScan Real-time Scan starts. This helps systems with limited resources boot and start up faster.

    Enable this feature to let Update Agents download only one incremental file from the OfficeScan server and generate the full pattern and the remaining incremental files themselves. This minimizes bandwidth usage.

    If the remote PC has no antivirus, this function enables scheduled scans of network drives. It is not needed if the remote PC already runs antivirus, and enabling it in that case causes redundant scheduled scanning and performance issues.

    If this function is turned on by setting the value to 1, USB devices are scanned by Real-time Scan.

    If this function is turned on by setting the value to 1, inserting a USB device shows a pop-up asking the user whether to scan it. Device Control settings take priority over the USB insertion scan.

    Manual Scan can switch to Intensive Scan, a more aggressive detection mode, once the number of detected viruses exceeds a threshold. To enable it, set the value to the threshold; for example, 5 uses 5 as the intensive threshold. The recommended threshold is 100.

    This setting enables admin to select multiple servers at once when enabling WRS function on server platforms.

  • The parameters below can be added or edited to further improve the performance of the OSCE server.

    Increase the number of Command Handler threads

    1. Edit <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini.

    2. Under [INI_SERVER_SECTION], add the parameter Command_Handler_Maximum_Thread_Number= and set its value to 20 x the number of CPUs. The parameter table below notes that the word Maxium in this parameter's name is intentionally misspelled, so check the exact spelling against an existing ofcscan.ini or Trend Micro's documentation before adding it; a key with the wrong spelling is silently ignored.

    3. Restart the OfficeScan Master Service.

    Increase the database cache to improve performance

    1. Edit <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini.

    2. Locate the entry DB_MEM_OPT_MAX = 10240 and set its value to at least 10% of available memory.

    3. Restart the OfficeScan Master Service.

    Verify the connection thread count parameter

    1. In the same file, under [INI_SERVER_SECTION], look for VerifyConnectionThreadCount=16.

    2. This value depends on network capacity. On a 100 Mbps intranet, 64 or 128 is acceptable.

    3. Restart the OfficeScan Master Service after changing it.

    Enable this option to resolve IP from FQDN. If this is set to 0, OfficeScan resolves IP from NetBIOS first and then resolves IP from FQDN. If this is set to 1, OfficeScan resolves IP from FQDN first and then resolves IP from NetBIOS.

    When this option is set to 1, it allows Active Directory Integration to query all objects including containers.

    This OfficeScan server parameter controls the number of threads responsible for receiving agent communications. Default value is 20. Add the parameter under [INI_SERVER_SECTION] of ofcscan.ini to modify default setting. Recommended value is 20 multiplied by the number of CPUs. NOTE: The word Maxium is intentionally misspelled.

    Increase the server database cache to improve performance. The recommended value is 10% of available memory.
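The ofcscan.ini changes above are usually made by hand. The script below is an added example, not Trend Micro's tooling, that applies them in one idempotent pass: it keeps a timestamped copy of the file, sets or adds each key under [INI_SERVER_SECTION] (replacing an existing assignment in place, appending the key if it is missing, and creating the section if even that is missing), writes the file back and restarts the service by the display name this guide uses. The install drive, the VerifyConnectionThreadCount value and the key spellings are assumptions taken from the guide's procedure; DB_MEM_OPT_MAX is deliberately left commented out because the guide gives its default but not its unit, so size it yourself before adding it to the table.

```powershell
# Added example, not Trend Micro's own tooling. Assumptions: install drive is C:,
# the service display name is the one the guide refers to, and the key names are
# spelled as the guide's procedure lists them (verify Command_Handler_* against an
# existing ofcscan.ini: the guide notes the real key is deliberately spelled "Maxium").
$IniPath = 'C:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini'
$Section = 'INI_SERVER_SECTION'
$cpus    = [int]$env:NUMBER_OF_PROCESSORS

$Settings = [ordered]@{
    'Command_Handler_Maximum_Thread_Number' = 20 * $cpus   # guide: 20 x number of CPUs
    'VerifyConnectionThreadCount'           = 64           # guide: 64 or 128 on a 100 Mbps intranet
    # 'DB_MEM_OPT_MAX' = <at least 10% of available memory; unit not stated in the guide>
}

# Return $Lines with Key=Value set inside [Section]: an existing assignment is
# replaced in place, a missing key is appended to the section, and a missing
# section is created at the end of the file.
function Set-IniKey {
    param([string[]]$Lines, [string]$Section, [string]$Key, [string]$Value)
    $out        = New-Object System.Collections.Generic.List[string]
    $inSection  = $false
    $done       = $false
    $keyPattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            # Leaving the target section without having seen the key: append it first.
            if ($inSection -and -not $done) { $out.Add("$Key=$Value"); $done = $true }
            $inSection = ($Matches[1] -eq $Section)
            $out.Add($line)
            continue
        }
        if ($inSection -and -not $done -and $line -match $keyPattern) {
            $out.Add("$Key=$Value")
            $done = $true
            continue
        }
        $out.Add($line)
    }
    if (-not $done) {
        if (-not $inSection) { $out.Add("[$Section]") }
        $out.Add("$Key=$Value")
    }
    return $out.ToArray()
}

# Keep a timestamped copy before touching the file, so the change can be reverted.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -LiteralPath $IniPath -Destination "$IniPath.$stamp.bak"

$lines = [string[]](Get-Content -LiteralPath $IniPath)
foreach ($kv in $Settings.GetEnumerator()) {
    $lines = Set-IniKey -Lines $lines -Section $Section -Key $kv.Key -Value $kv.Value
}
[System.IO.File]::WriteAllLines($IniPath, [string[]]$lines, [System.Text.Encoding]::Default)

# The edited values are read only when the service starts.
Restart-Service -DisplayName 'OfficeScan Master Service'
```

Because every key is resolved by section and name rather than by line position, re-running the script after a product update that rewrote ofcscan.ini simply reapplies the same values; compare the .bak copy with the live file afterwards to confirm nothing else moved.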

  • The following sections only apply to OfficeScan itself. This does not include plug-ins and Integrated Scan Server backup. Customers who have OfficeScan with Integrated Scan Server should not follow these steps.

    The OfficeScan server can be set to back up the agent database automatically. This is configured in the web console under Administration > Database Backup. The process copies all database files under <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\HTTPDB to a local or remote location.

    Back up daily, especially during agent deployment; the schedule can be relaxed to weekly once deployment is complete. Schedule the backup when agent interaction is minimal and so that it does not coincide with other OfficeScan scheduled tasks: outside the midnight database maintenance window and after the log purge (the settings above use 2 AM for log deletion and 3 AM for the backup). Use the OfficeScan built-in backup function; backing up the database with a third-party application may cause system instability or database corruption.

    It is also recommended to manually back up the OfficeScan server configuration files which can be used to recover from a server disaster.

    1. Stop the OfficeScan Master Service.

    2. Manually back up the OfficeScan server and firewall configuration files:

    \PCCSRV\Ofcscan.ini: server configuration

    \PCCSRV\Private\Ofcserver.ini: server and update source configuration

    \PCCSRV\Ous.ini: agent update source configuration

    \PCCSRV\Private\PFW folder: firewall profiles and policies

    \Private\SortingRuleStore\SortingRule.xml: agent sorting rules

    \Private\AuthorStore folder: role-based administration (RBA) user profiles

    \Private\vdi.ini: VDI settings

    3. Start the OfficeScan Master Service.

    4. Run the Certificate Manager tool to back up the certificate used for OfficeScan communication with its agents.

    5. Open a command prompt with administrator privileges and go to the <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ADMIN\UTILITY\CERTIFICATE MANAGER folder.

    6. Run the following commands to back up the certificate:

    CertificateManager.exe b [Password] [Certificate Path]

    For example, CertificateManager.exe b mypassword c:\certificate.zip

    7. Keep a copy of c:\certificate.zip with the other OfficeScan server configuration backups, and store the password separately (for example in a password manager or secrets store): it is needed to restore the certificate.
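Steps 1 to 7 above as a single script, added here as an example and not part of Trend Micro's tooling. It stops the service, copies the listed files and folders into a timestamped backup folder, starts the service again even if a copy fails, runs the certificate backup with the argument order the guide shows, and writes a SHA-256 manifest so the set can be verified before it is trusted in a restore. The install drive, the backup root and the exact CertificateManager.exe folder name (the guide prints it in upper case with a space) are assumptions; the certificate password is prompted for rather than stored in the script.

```powershell
# Added example, not Trend Micro's own tooling: steps 1-7 above as one script
# that also records a SHA-256 manifest of what it copied. Assumptions: the
# install drive is C:, the backup root, and the CertificateManager.exe folder
# name under PCCSRV\Admin\Utility (the guide prints it in upper case with a space).
param(
    [string]$PccSrv     = 'C:\Program Files\Trend Micro\OfficeScan\PCCSRV',
    [string]$BackupRoot = 'D:\OfficeScanBackup',
    [Parameter(Mandatory = $true)][SecureString]$CertPassword   # prompted, never hard-coded
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Step 2: the configuration files and folders the guide lists, relative to PCCSRV.
$items = @(
    'Ofcscan.ini',
    'Private\Ofcserver.ini',
    'Ous.ini',
    'Private\PFW',
    'Private\SortingRuleStore\SortingRule.xml',
    'Private\AuthorStore',
    'Private\vdi.ini'
)

$svc = Get-Service -DisplayName 'OfficeScan Master Service'
Stop-Service -InputObject $svc -Force                      # step 1
try {
    foreach ($rel in $items) {
        $src = Join-Path $PccSrv $rel
        if (-not (Test-Path -LiteralPath $src)) { Write-Warning "not found, skipped: $src"; continue }
        $target = Join-Path $dest $rel
        New-Item -ItemType Directory -Path (Split-Path -Path $target -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $src -Destination $target -Recurse -Force
    }
}
finally {
    Start-Service -InputObject $svc                        # step 3, even if a copy failed
}

# Steps 4-6: certificate backup, with the argument order the guide shows.
$certTool = Join-Path $PccSrv 'Admin\Utility\CertificateManager\CertificateManager.exe'
$zip      = Join-Path $dest 'certificate.zip'
$plain    = (New-Object System.Net.NetworkCredential('', $CertPassword)).Password
& $certTool b $plain $zip
if (-not (Test-Path -LiteralPath $zip)) { throw "CertificateManager.exe did not produce $zip" }

# Step 7 is met by keeping certificate.zip beside the configuration copies.
# A hash manifest lets you prove the set is intact before relying on it in a restore.
Get-ChildItem -LiteralPath $dest -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation
"Backup written to $dest"
```

Run it as an administrator; the certificate password is the one piece that must live outside this backup set, so record where it is kept alongside the manifest. The try/finally around the copy loop matters more than it looks: the guide's step 3 restarts the service by hand, and a script that dies mid-copy without doing so leaves every agent unable to reach the server.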

    In the event of server corruption, the OfficeScan server settings can be restored with the procedure below. It assumes the server is being restored to the same host, with the same FQDN and IP address.

    1. Stop the OfficeScan Master Service and WWW Publishing Service.

    2. Restore the backed-up database files under <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\HTTPDB.