Trend Micro™ OFFICESCAN 11.0 Best Practice Guide

Page 1: Trend Micro™ OFFICESCAN 11 11_BPG.pdf · agents can receive program upgrades from OfficeScan 11.0 Update Agents as long as they report to the ... Installation and Deployment Guide

Trend Micro™

OFFICESCAN 11.0 Best Practice Guide

TECHNICAL SUPPORT Best Practice Guide

2 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.

Copyright © 2014 Trend Micro Incorporated. All rights reserved.

No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.

Released: June 16, 2014

Table of Contents

Chapter 1: Product Description .......... 5

Chapter 2: Architecture .......... 6

2.1 > Installation .......... 6

2.1.1 Minimum Hardware .......... 6

2.1.2 Software Requirements .......... 9

2.2 > Operating System and Related Applications .......... 16

2.2.1 Security Tuning .......... 19

2.3 > Server Upgrade Checklist .......... 21

Chapter 3: Sizing Summary .......... 23

3.1 > Smart Protection Server Layout (Standalone) .......... 27

3.1.1 Using SQL Server for Database .......... 34

3.2 > Integrated Smart Protection Server Best Practices .......... 36

3.3 > Configuration .......... 39

3.3.1 Management Console .......... 43

3.3.2 INI Configuration Files .......... 78

3.4 > Performance Tuning .......... 80

Chapter 4: Backup and Disaster Recovery .......... 82

4.1 > OfficeScan Server Database Files .......... 82

4.2 > OfficeScan Server Configuration Files .......... 82

4.3 > OfficeScan Agent Configuration Settings .......... 84

Chapter 5: Behavior Monitoring .......... 85

5.1 > Behavior Monitoring Overview .......... 85

5.1.1 Malware Behavior Blocking .......... 85

5.1.2 Event Monitoring .......... 86

5.1.3 Enabling Behavior Monitoring .......... 88

5.2 > OfficeScan Agent Self-protection .......... 89

5.3 > Device Control Overview .......... 90

5.3.1 Using Device Control .......... 91

5.3.2 How Behavior Monitoring and Device Control Can Affect Performance .......... 103

5.3.3 Deploying Behavior Monitoring and Device Control .......... 103

5.4 > Alternative Ways to Prevent Performance Impact .......... 106

5.4.1 Disabling Features from the Web Console .......... 106

5.4.2 Stopping the Service .......... 107

Chapter 6: Data Loss Prevention .......... 108

6.1 > Pre-Deployment .......... 108

6.1.1 Deploying and Testing Agents .......... 108

6.1.2 Calculating Disk Space .......... 108

6.2 > Deployment .......... 109

6.3 > Deployment DLPlite Template and Policy .......... 113

6.3.1 Define a DLPlite Template .......... 113

6.3.2 Define and Then Deploy DLP Policy .......... 114

6.4 > Investigate and Restore Forensic Data .......... 114

Chapter 7: Miscellaneous .......... 119

7.1 > Product Communication Ports .......... 119

7.2 > IPv6 for OfficeScan .......... 120

7.2.1 IPv6 Support for OfficeScan Server and Agents .......... 120

7.2.2 OfficeScan Server Requirements .......... 120

7.2.3 OfficeScan Agent Requirements .......... 120

7.3 > Update Architecture and Network Usage .......... 121

7.3.1 The Update Process .......... 121

7.3.2 Network Usage (Bandwidth Consumption) .......... 123

7.4 > Virtual Desktop Infrastructure (VDI) .......... 125

7.4.1 Golden Image Preparation .......... 125

7.4.2 Install the VDI Support in OfficeScan Server Plugin Manager .......... 125

7.5 > Recommended Installation Adjustments for Special Environments .......... 132

7.5.1 Citrix Environment .......... 132

7.5.2 Citrix Known Issues .......... 134

7.5.3 Citrix Exclusions .......... 136

7.5.4 Citrix Firewall Port .......... 136

7.5.5 Installation of OfficeScan Agents on Cisco CallManager .......... 136

7.6 > Recommended Scan-Exclusion List .......... 138

7.7 > Some Common Server Ports .......... 147

Chapter 1: Product Description

There are four major OfficeScan environment components that should be identified when designing the deployment. Each component is described below.

OfficeScan Server: A server that provides the OfficeScan management console and stores information in a local CodeBase® database or in a local or remote SQL Server database. It uses standard HTTP or HTTPS for communication and for managed agent updates. The three basic functions of an OfficeScan server are:

• Agent configuration (Privileges and Policy settings)

• Program, scan engine, and virus pattern file update provider

• Centralized logs, reporting and quarantine functionality

OfficeScan Agent: A host reporting to a particular OfficeScan server. It can be configured to get update information from an OfficeScan server, an Update Agent, or directly from the internet via the Trend Micro ActiveUpdate server. The OfficeScan agent also protects the system on which it is installed. It can be configured to use an Integrated Smart Protection Server or a standalone Smart Protection Server for Smart Scan instead of conventional scan. Through cloud technology, this method minimizes the total amount of pattern download.

Update Agent: A regular OfficeScan agent that’s designated to copy update information from an OfficeScan server for the purposes of distributing the update information to other OfficeScan agents. Any OfficeScan agent can be configured as an Update Agent via the OfficeScan server management console. OfficeScan agent IP address ranges are then assigned to get update information from specific update agents. Update agents can push component updates, setting updates, and program/hotfix updates to agents. Older version OfficeScan agents can receive program upgrades from OfficeScan 11.0 Update Agents as long as they report to the OfficeScan 11.0 Update Agents.

Smart Protection Server (SPS): The Smart Protection Server provides file reputation and web reputation through a local cloud service. When users opt to employ Smart Scan technology, agents query SPS while scanning files. When they use web reputation protection, agents send URLs to SPS. Thus, SPS works both as a local file reputation server and as a local web rating server.

These are the two types of Smart Protection Server:

• Integrated Smart Protection Server: Installed as part of the OfficeScan server, Integrated Smart Protection Server is managed through the OfficeScan management console.

• Standalone Smart Protection Server: This server is installed on a VMware or Hyper-V host.

Chapter 2: Architecture

2.1 > Installation

2.1.1 Minimum Hardware

The following sections show the recommended software and hardware specifications for an OfficeScan environment. For the full list of minimum system requirements, kindly refer to the Installation and Deployment Guide or OfficeScan Readme.

Trend Micro™ OfficeScan Server

MINIMUM HARDWARE SPECIFICATIONS

Windows 2003

32-bit:

• 1.86GHz Intel Core2 Duo

• 1GB minimum with at least 500MB exclusively for OfficeScan (2GB recommended)

• 6.5GB of available disk space

64-bit:

• 1.86GHz Intel Core2 Duo or equivalent

• 1GB minimum with at least 500MB exclusively for OfficeScan (2GB recommended)

• 6.5GB of available disk space

Windows 2008

32-bit:

• 1.86GHz Intel Core2 Duo

• AMD 64 processor

• Intel 64 processor

• 1GB minimum with at least 500MB exclusively for OfficeScan (2GB recommended)

• 6.5GB of available disk space

64-bit:

• 1.86GHz Intel Core2 Duo

• AMD 64 processor

• Intel 64 processor

• 1GB minimum with at least 500MB exclusively for OfficeScan (2GB recommended)

• 6.5GB of available disk space

Windows 2010, Windows 2011, Windows 2012

64-bit:

• 1.86GHz Intel Core2 Duo

• AMD 64 processor

• Intel 64 processor

• 2GB minimum with at least 500MB exclusively for OfficeScan

• 6.5GB of available disk space

Please refer to the sizing section, Chapter 3, for recommended setups depending on the number of agents.

Update Agents

The OfficeScan agent with the best available resources at a particular site should be designated as an Update Agent. Since this agent will be the one serving updates to the other agents in the remote office, it must be reliable. This can be a domain controller on the site, a file server, a print server, or any type of server that is always online. Because of this, the agent should have an additional 700 MB of free disk space for engine and pattern storage, an additional 160 MB for program/hot fix updates, and an additional 20 KB for every domain setting update. Minimum requirements for Update Agents should follow the minimum hardware requirements of OfficeScan Agents.

Trend Micro™ OfficeScan Agents

MINIMUM HARDWARE SPECIFICATIONS

Windows XP, Windows 2003

32-bit:

• 300MHz Intel Pentium processor or equivalent

• 256MB of RAM (512MB recommended)

• 450MB of available disk space

64-bit:

• Intel x64 processor, AMD x64 processor

• 256MB of RAM (512MB recommended)

• 450MB of available disk space

Windows Vista

32-bit:

• 1GHz Intel Pentium or equivalent

• 1GB of RAM (1.5GB recommended)

• 450MB of available disk space

64-bit:

• Intel x64 processor, AMD x64 processor

• 1GHz Intel Pentium or equivalent

• 1GB of RAM (1.5GB recommended)

• 450MB of available disk space

Windows 2008

32-bit:

• 1GHz Intel Pentium or equivalent (2GHz recommended)

• 512MB of RAM (2GB recommended)

• 450MB of available disk space

64-bit:

• Intel x64 processor, AMD x64 processor

• 1.4 GHz Intel Pentium or equivalent (2GHz recommended)

• 512MB of RAM (2GB recommended)

• 450MB of available disk space

Windows 2010, Windows 2011, Windows 2012

64-bit:

• Intel x64 processor, AMD x64 processor

• 1.4 GHz Intel Pentium or equivalent (2GHz recommended)

• 512MB of RAM (2GB recommended)

• 450MB of available disk space

Windows 7, Windows 8, Windows 8.1, Windows Embedded POSReady 2007, Windows Embedded POSReady 7

32-bit:

• 1GHz Intel Pentium or equivalent (2GHz recommended)

• 1GB of RAM (2GB recommended)

• 450MB of available disk space

64-bit:

• Intel x64 processor, AMD x64 processor

• 2GHz Intel Pentium or equivalent

• 1.5GB of RAM (2GB recommended)

• 450MB of available disk space

Windows Embedded POSReady 2009

32-bit:

• 300MHz Intel Pentium processor or equivalent

• 256MB of RAM (512MB recommended)

• 450MB of available disk space

Integrated Smart Protection Server

The minimum hardware specifications for this server are the same as the recommended requirements for the OfficeScan Server.

Standalone Smart Protection Server

The minimum hardware specifications for Standalone Smart Protection Server:

• Dual 2.0 GHz Intel Core2Duo 64-bit processor supporting Intel Virtualization Technology, or equivalent.

• 2GB of RAM

• 30GB for virtualization requirements (35GB recommended)

NOTE: Trend Micro™ Smart Protection Server automatically partitions the detected disk space as required.

The Blocked Web Access log stops collecting data once the available disk space is less than 1 GB. It’ll start collecting data again once the administrators free at least 1.5 GB of disk space.

Monitor must support 1024 x 768 resolution with at least 256 colors.

2.1.2 Software Requirements

OfficeScan Server

Microsoft Windows Server 2003 (Standard, Enterprise and Datacenter Editions) with Service Pack 2 or later, 32-bit/64-bit versions

Microsoft Windows Server 2003 R2 (Standard, Enterprise and Datacenter Editions) with Service Pack 2 or later, 32-bit/64-bit versions

Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise and Workgroup Editions) with Service Pack 2, 32-bit and 64-bit versions

Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise and Workgroup Editions) with Service Pack 2, 32-bit and 64-bit versions

Microsoft Windows Compute Cluster Server 2003

Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter and Web Editions) with Service Pack 1 or 2, 32-bit and 64-bit versions

Windows Server 2008 R2 (Standard, Enterprise, Datacenter and Web Editions), 64-bit version

Windows Storage Server 2008 (Basic, Standard and Enterprise Edition), 32-bit versions.

Windows Storage Server 2008 (Basic, Standard, Enterprise and Workgroup Edition), 64-bit versions.

Windows Storage Server 2008 R2 (Basic, Standard, Enterprise and Workgroup Editions), 64-bit version

Microsoft Windows HPC Server 2008, 32-bit and 64-bit versions

Microsoft Windows HPC Server 2008 R2, 64-bit versions

Windows MultiPoint Server 2010, 64-bit versions

Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit versions

Windows Server 2012 (Standard and Datacenter Editions), 64-bit versions

Windows Server 2012 R2 (Standard and Datacenter Editions), 64-bit versions

Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit versions

Windows Storage Server 2012 (Standard and Workgroup Editions), 64-bit versions

NOTE: OfficeScan Server cannot be installed if Microsoft Windows runs on the Server Core environment.

OfficeScan supports server installation on guest operating systems hosted on the following virtualization applications:

VMware

ESX/ESXi Server (Server Edition) 3.5, 4.0, 4.1, 5.0, 5.1, 5.x

Server (Server Edition) 1.0.3, 2

Workstation and Workstation ACE Edition 7.0, 7.1, 8.0, 9.0

vCenter™ 4, 4.1, 5.0, 5.1, 5.5

View™ 4.5, 5.0, 5.1

Citrix

XenDesktop 5.0, 5.5, 5.6, 7.0

XenServer 5.5, 5.6, 6.0, 6.1, 6.2

XenApp 4.5, 5.0, 6.0, 6.5

XenClient 2.1

VDI-in-a-Box 5.1

Microsoft

Windows Server 2008 64-bit Hyper-V

Windows Server 2008 R2 64-bit Hyper-V

Hyper-V Server 2008 64-bit

Hyper-V Server 2008 R2 64-bit

Windows 8 Pro/Enterprise 64-bit Hyper-V

Windows 8.1 Pro/Enterprise 64-bit Hyper-V

Windows Server 2012 64-bit Hyper-V

Windows Server 2012 R2 64-bit Hyper-V

NOTE: OfficeScan only provides support for virtual platforms that are supported by the installed operating system.

OfficeScan Agents

Microsoft Windows XP (Home, Professional, Professional for Embedded Systems Editions and Tablet PC) with Service Pack 3, 32-bit versions

Microsoft Windows XP Professional with Service Pack 2, 64-bit versions

Microsoft Windows Vista (Business, Enterprise, Ultimate, Home Premium, Home Basic, Business for Embedded Systems, Ultimate for Embedded Systems) with Service Pack 1 or Service Pack 2, 32-bit and 64-bit versions

Microsoft Windows 7 (Home Basic, Home Premium, Ultimate, Professional, Enterprise, Professional for Embedded Systems and Ultimate for Embedded Systems) with/without Service Pack 1, 32-bit/64-bit versions

Microsoft Windows Embedded POSReady 2009, 32-bit versions

Microsoft Windows Embedded POSReady 7, 32-bit/64-bit versions

Microsoft Windows 8 (Standard, Pro and Enterprise Editions), 32-bit/64-bit versions

Microsoft Windows 8.1 (Standard, Pro and Enterprise Editions), 32-bit/64-bit versions

Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter and Web Editions) with Service Pack 2, 32-bit/64-bit version

Microsoft Windows Server 2003 R2 (Standard, Enterprise and Datacenter) with Service Pack 2, 32-bit/64-bit versions

Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise and Workgroup) with Service Pack 2, 32-bit/64-bit versions

Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise and Workgroup) with Service Pack 2, 32-bit/64-bit versions

Microsoft Windows Compute Cluster Server 2003 (Active/Passive), 32-bit/64-bit versions

Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, Web Editions and Server Core) with Service Pack 1 or Service Pack 2, 32-bit/64-bit versions

Microsoft Windows Storage Server 2008 (Basic Edition), 32-bit/64-bit versions

Microsoft Windows Storage Server 2008 (Standard, Enterprise, and Workgroup Editions) with/without Service Pack 1, 64-bit version

Microsoft Windows Server 2008 R2 (Standard, Enterprise, Datacenter, Web Editions and Server Core), 64-bit version

Microsoft Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup Editions), 64-bit version

Microsoft Windows HPC Server 2008, 32-bit/64-bit versions

Microsoft Windows HPC Server 2008 R2, 64-bit versions

Microsoft Windows Server 2008 Failover Clusters (Active/Passive), 32-bit/64-bit versions

Microsoft Windows Server 2008 R2 Failover Clusters (Active/Passive), 64-bit versions

Microsoft Windows MultiPoint Server 2010, 64-bit versions

Microsoft Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit versions

Microsoft Windows Server 2012 (Standard, Datacenter and Server Core Editions), 64-bit versions

Microsoft Windows Storage Server 2012 (Workgroup and Standard Editions), 64-bit versions

Microsoft Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit versions

Microsoft Windows Server 2012 Failover Clusters, 64-bit versions

Microsoft Windows Server 2012 R2 (Standard, Datacenter and Server Core Editions), 64-bit versions

NOTE: Trend Micro only guarantees continued support for Windows XP platforms until January 30, 2017. Kindly prepare a migration plan to continue receiving the highest level of security on all endpoints.

NOTE: The administrator will not be able to remotely install the OfficeScan agent on Windows 7 x86 platforms without enabling the default administrator account. Use this step-by-step guide to resolve this issue:

STEP 1: Enable the Remote Registry service on the Windows 7 machine. By default, Windows 7 machines disable this feature.

STEP 2, Option A: Use the domain administrator account to remotely install OfficeScan 10.6 Service Pack 1 agents into Windows 7 computers.

STEP 2, Option B: Use the default administrator account.

1. Type the "net user administrator /active:yes" command from the command console to enable the default administrator account.

2. Use the default administrator account to remotely install the OfficeScan agent into the Windows 7 machine.

OfficeScan supports server installation on guest operating systems hosted on the following virtualization applications:

VMware

ESX/ESXi Server (Server Edition) 3.5, 4.0, 4.1, 5.x

Server (Server Edition) 1.0.3, 2

Workstation and Workstation ACE Edition 7.0, 7.1, 8.0, 9.0

vCenter™ 4, 4.1, 5.0, 5.1, 5.5

View™ 4.5, 5.0, 5.1

Citrix

XenDesktop 5.0, 5.5, 5.6, 7.0

XenServer 5.5, 5.6, 6.0, 6.1, 6.2

XenApp 4.5, 5.0, 6.0, 6.5

XenClient 2.1

VDI-in-a-Box 5.1

Microsoft

Windows Server 2008 64-bit Hyper-V

Windows Server 2008 R2 64-bit Hyper-V

Hyper-V Server 2008 64-bit

Hyper-V Server 2008 R2 64-bit

Windows 8 Pro/Enterprise 64-bit Hyper-V

Windows 8.1 Pro/Enterprise 64-bit Hyper-V

Windows Server 2012 64-bit Hyper-V

Windows Server 2012 R2 64-bit Hyper-V

NOTE: OfficeScan only provides support for virtual platforms that are supported by the installed operating system.

Smart Protection Server (Standalone)

Smart Protection Server has the following virtualization platform requirements:

VMware ESX 4.1 Update 1

VMware ESX 4.0 Update 3

VMware ESX 3.5 Update 4

VMware ESXi 5.5

VMware ESXi 5.1 Update 1

VMware ESXi 5.0 Update 3

VMware ESXi 4.1 Update 1

VMware ESXi 4.0 Update 3

Microsoft Windows Server 2008 R2 with Hyper-V

Microsoft Windows Server 2012 with Hyper-V

Citrix XenServer 6.2 / 6.0 / 5.6

NOTE: A purpose-built, hardened, and performance-tuned 64-bit Linux operating system is included in the Trend Micro Smart Protection Server.

The following requirements are recommended for Trend Micro Smart Protection Server as a Virtual Machine.

• If you’re using VMware, use CentOS 5 64-bit (Guest Operating System).

• If you’re using a VMware version (such as 3.5 and 4.0) that does not support CentOS, use Red Hat® Enterprise Linux® 5 64-bit.

• If you’re using Citrix XenServer, create a new Virtual Machine using the “Other install media” template.

• If you’re using Hyper-V, create a new Virtual Machine and add a “Legacy Network Adapter”.

• Allocate this Virtual Machine with at least 2GB RAM and 2 virtual processors for the Virtual Machine.

• Create a new Virtual Disk image that will be sufficient for your logging requirements (specify at least 30GB of disk space).

• Allocate 1 physical network card for the virtual switch where Trend Micro Smart Protection Server is connected.

NOTE: The Blocked Web Access Log displays Web Reputation queries for malicious websites. These logs can consume significant memory and disk space. This feature can be disabled from the Command Line Interface (CLI) (Disable adhoc-query).

Account: Administrator or Domain Admin account to log in to target hosts for installation

Ports:

• NetBIOS (445, 137, 138, 139) for NT Remote Install

• OfficeScan agent port (defined during OfficeScan server installation and saved in Ofcscan.ini as the Client_LocalServer_Port parameter)

• OfficeScan virtual directory port as defined in Apache / IIS. This value must match the value defined in the OfficeScan management console [ Administration | Settings | Agent Connection Settings | Port ]

Bandwidth: Approximately 50 MB (may vary depending on the current virus pattern file size)

Others:

• Remote Registry service is enabled on the target host

• System partition of the target host is administratively shared (C$)

• Windows XP Simple File Sharing must be disabled on the agent machines. SFS is a Microsoft feature that forces all network connections to log in as Guest even if alternate credentials are provided. When SFS is enabled, OSCE cannot log in to the machine using the credentials specified, so the installation fails. SFS can be disabled via GPO or a registry change, or on each target machine individually under [ My Computer | Tools | Folder Options | View | Use Simple File Sharing (Recommended) ].
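A read-only pre-flight check of the Remote Install prerequisites listed above, written here as an added example (it is not part of the Trend Micro guide). It is meant to be run from the OfficeScan server with a domain admin account against one target host. The agent port is whatever Client_LocalServer_Port holds in Ofcscan.ini, so it is a required parameter rather than a fixed number. The ForceGuest registry value is the Windows setting behind "Use Simple File Sharing" on Windows XP and is not named in the guide; treating ForceGuest=1 as "SFS enabled" is this example's own assumption.

```powershell
# Added example (not from the Trend Micro guide): check the Remote Install
# prerequisites for one target host and report pass/fail per check.

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on hosts without Test-NetConnection.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-OsceRemoteInstallPrereqs {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$AgentPort   # Client_LocalServer_Port from Ofcscan.ini
    )
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Passed, $Detail)
             $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }) }

    # NetBIOS/SMB ports used by NT Remote Install. 137 and 138 are UDP and are
    # not probed here; 139 and 445 are TCP, as is the agent port.
    foreach ($port in 139, 445, $AgentPort) {
        $open = Test-TcpPort -TargetHost $ComputerName -Port $port
        & $add "TCP port $port reachable" $open ("{0}:{1}" -f $ComputerName, $port)
    }

    # Remote Registry must be running (it is disabled by default on Windows 7).
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop
        & $add 'Remote Registry service running' ($svc.Status -eq 'Running') "Status: $($svc.Status)"
    } catch {
        & $add 'Remote Registry service running' $false $_.Exception.Message
    }

    # The system partition must be reachable through the C$ administrative share.
    $share = "\\$ComputerName\C`$"
    & $add 'Admin share C$ reachable' (Test-Path $share) $share

    # Simple File Sharing (Windows XP) forces Guest logons. Assumption: the
    # ForceGuest value under Lsa reflects it (1 = enabled, 0 = disabled).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $forceGuest = [int]$lsa.GetValue('ForceGuest', 0)
        & $add 'Simple File Sharing disabled' ($forceGuest -eq 0) "ForceGuest=$forceGuest"
    } catch {
        & $add 'Simple File Sharing disabled' $false "Registry not readable: $($_.Exception.Message)"
    }

    return $results
}

# Usage (placeholders; replace with a real host name and your agent port):
# Test-OsceRemoteInstallPrereqs -ComputerName 'TARGET-HOST' -AgentPort <port> | Format-Table -AutoSize
```

The registry check is deliberately placed after the Remote Registry check: remote registry reads need that service, so a failure on the last line usually points back to the service result above it.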

2.2 > Operating System and Related Applications

TCP Stack

The OfficeScan server may receive and establish multiple HTTP sessions to communicate with its agents. The TCP properties of Windows can be modified to prevent delays and slowdowns caused by TCP time-wait accumulation and port exhaustion. Add or modify the following registry keys to improve TCP performance.

MaxUserPort

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort

Data type: REG_DWORD

Default value: 5000

Range: 5,000–65,534 (port number)

Purpose: Determines the highest port number TCP can assign when an application requests an available user port from the system.

Trend Recommendation: 65,534

TcpTimedWaitDelay

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay

Data type: REG_DWORD

Default value: 0xF0 (240 seconds = 4 minutes)

Range: 0x1E–0x12C (30–300 seconds)

Purpose: This determines the time that must elapse before TCP can release a closed connection and reuse its resources.

Trend Recommendation: 30

NOTE: These changes will require a reboot.
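The two registry changes above applied from PowerShell, as an added example that is not part of the Trend Micro guide. It shows the current value beside the new one and refuses a value outside the range the guide documents for each parameter. Run it elevated on the OfficeScan server; the reboot requirement still applies.

```powershell
# Added example (not from the Trend Micro guide): apply the recommended
# MaxUserPort and TcpTimedWaitDelay values with range checking and a
# before/after report. Requires an elevated PowerShell session.

$tcpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Name, recommended value and documented range, taken from the guide.
$settings = @(
    @{ Name = 'MaxUserPort';       Value = 65534; Min = 5000; Max = 65534 },
    @{ Name = 'TcpTimedWaitDelay'; Value = 30;    Min = 30;   Max = 300   }
)

function Set-TcpTuningValue {
    param([string]$Path, [string]$Name, [int]$Value, [int]$Min, [int]$Max)
    if ($Value -lt $Min -or $Value -gt $Max) {
        throw "$Name=$Value is outside the documented range $Min-$Max"
    }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) { $current = '(not set; Windows default applies)' }
    # REG_DWORD; created if missing, overwritten if present.
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    [pscustomobject]@{ Name = $Name; Before = $current; After = $Value }
}

$changes = foreach ($s in $settings) {
    Set-TcpTuningValue -Path $tcpParams -Name $s.Name -Value $s.Value -Min $s.Min -Max $s.Max
}
$changes | Format-Table -AutoSize
Write-Host 'Reboot the server for the new TCP parameters to take effect.'
```

One caveat worth knowing before running this on newer servers: on Windows Vista/Server 2008 and later the ephemeral port range is governed by the dynamic port range (`netsh int ipv4 show dynamicport tcp`) rather than by MaxUserPort, so that value only changes behaviour on Windows Server 2003; TcpTimedWaitDelay is honoured on all of the listed server versions.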

Microsoft IIS / Apache Web Server

The OfficeScan server uses either Apache or Windows IIS to communicate with its agents. The application’s CGI timeout can be increased to allow more time for the server and agent to communicate with each other. The Remote Install deployment method depends on this timeout as well: copying the installation files over a slow link may cause installation failures.

Microsoft IIS

To modify IIS CGI settings, download and install MetaEdit or Metabase Explorer depending on the version of IIS in use.

For IIS 6, download Metabase Explorer from

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

Install MetaEdit / Metabase Explorer.

After installation, open [ Start | All Programs | Administrative Tools | MetaEdit <version number> ]

Or [ Start | All Programs | IIS Resources | Metabase Explorer | Metabase Explorer ]

In the MetaEdit or Metabase Explorer console, locate the key [ LM | W3SVC | 6033 ]. This corresponds to the CGITimeout key.

Double-click the 6033 key to edit its properties. Set the data parameter to 3600. Click OK to save the changes.

Restart the World Wide Web Publishing Service.

For Microsoft IIS 7 on Windows 2008:

Note: To properly install IIS on Win2008, please refer to KB: http://esupport.trendmicro.com/solution/en-US/1061377.aspx

Download and install the Microsoft Administration Pack for IIS 7.0 http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1682

Or use the default IIS Manager that comes with IIS 7.0

Open IIS Manager

Select the Server in the Connections Tree View, then select the OfficeScan site

In Features view, double-click CGI

Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER, and click Apply.

For Microsoft IIS 7.5, 8.0, 8.5

Open IIS Manager

Select the Server in the Connections Tree View, then select the OfficeScan site

In Features view, double-click CGI

Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER, and click Apply.

Apache

Follow the procedure below to modify Apache’s CGI timeout:

Open the configuration file <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\apache2\conf\httpd.conf.

Change the line Timeout 300 to Timeout 600.

Restart the Apache service.

NOTE: The definition of the Apache timeout is different from the IIS CGI timeout. With IIS, a CGI timeout of 300 seconds means that the CGI (e.g. cgiremoteinstall) must finish within 300 seconds or the session will expire. In Apache, the timeout parameter of 300 seconds means that if there is "no action" (or no next action) for 300 seconds, the session will expire.
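
The two procedures above, scripted, as an added example that is not part of the Trend Micro guide. The IIS function uses the WebAdministration module that ships with IIS 7 and later; the Apache function rewrites the Timeout directive in httpd.conf after taking a backup. The IIS site name, the Apache install path and the Apache service name are assumptions and must be adjusted to the server.

```powershell
# Added example (not from the Trend Micro guide): raise the CGI timeout on whichever
# web server OfficeScan uses. Site name, Apache path and service name are assumptions.

function Set-OfficeScanIisCgiTimeout {
    param(
        [string]$SiteName = 'OfficeScan',   # assumed name of the OfficeScan site in IIS Manager
        [string]$Timeout  = '01:00:00'      # hh:mm:ss, the value the guide types into the CGI dialog
    )
    Import-Module WebAdministration       # IIS 7+ PowerShell provider
    $sitePath = "IIS:\Sites\$SiteName"
    $filter   = 'system.webServer/cgi'
    $before = (Get-WebConfiguration -Filter $filter -PSPath $sitePath).timeout
    Set-WebConfigurationProperty -Filter $filter -PSPath $sitePath -Name 'timeout' -Value $Timeout
    $after  = (Get-WebConfiguration -Filter $filter -PSPath $sitePath).timeout
    Write-Output ("IIS CGI timeout for '{0}': {1} -> {2}" -f $SiteName, $before, $after)
}

function Set-OfficeScanApacheTimeout {
    param(
        [string]$HttpdConf   = 'C:\Program Files\Trend Micro\OfficeScan\PCCSRV\apache2\conf\httpd.conf',
        [int]$Seconds        = 600,
        [string]$ServiceName = 'OfcApache'   # assumed; confirm with Get-Service before relying on it
    )
    # Keep a timestamped copy so the change can be reverted.
    $backup = "$HttpdConf.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $HttpdConf -Destination $backup
    $found = $false
    $updated = foreach ($line in Get-Content -Path $HttpdConf) {
        # Only an active, top-level "Timeout <n>" directive is rewritten; commented lines are left alone.
        if ($line -match '^\s*Timeout\s+\d+\s*$') { $found = $true; "Timeout $Seconds" } else { $line }
    }
    if (-not $found) { $updated = @($updated) + "Timeout $Seconds" }   # no directive present: append one
    Set-Content -Path $HttpdConf -Value $updated
    Write-Output ("Apache Timeout set to {0}s (backup: {1})" -f $Seconds, $backup)
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Restart-Service -Name $ServiceName
    } else {
        Write-Output "Service '$ServiceName' not found; restart the Apache service manually."
    }
}

# Run the one that matches the installed web server.
Set-OfficeScanIisCgiTimeout -SiteName 'OfficeScan' -Timeout '01:00:00'
# Set-OfficeScanApacheTimeout -Seconds 600
```

Because the IIS and Apache timeouts mean different things (see the NOTE above), the two functions deliberately take different values: one hour for the IIS CGI limit, 600 seconds of inactivity for Apache.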

2.2.1 Security Tuning

The following are the recommended permission settings for the OfficeScan folders and files (R = read, W = write, X = execute, D = delete). These are already set by default during installation:

Directory                                        Administrator   Everyone   User    System         Network Service
\PCCSRV                                          Full control    RX         N/A     Full control   N/A
\PCCSRV\HTTPDB                                   Full control    N/A        N/A     N/A            N/A
\PCCSRV\Log                                      Full control    N/A        N/A     Full control   N/A
\PCCSRV\Temp                                     Full control    N/A        RWXD    N/A            RWXD
\PCCSRV\Private                                  Full control    N/A        N/A     Full control   RX
\PCCSRV\Download                                 Full control    R          R       Full control   N/A
\PCCSRV\Web                                      Full control    N/A        R       Full control   N/A
\PCCSRV\Web\Cgi                                  Full control    N/A        RX      N/A            N/A
\PCCSRV\Web_OSCE\Web_console                     Full control    RX         N/A     Full control   N/A
\PCCSRV\Web_OSCE\web_console\RemoteInstallCGI    Full control    N/A        RWXD    N/A            N/A
\PCCSRV\Web_OSCE\web_console\HTML\ClientInstall  Full control    N/A        RWXD    N/A            N/A
\PCCSRV\Virus                                    Full control    N/A        RW      N/A            N/A

There are times when the permissions might have been changed accidentally. To reset the permissions back to the defaults, follow these steps:

Open a command prompt.

Browse to the OfficeScan server's PCCSRV folder (e.g. <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV).

Run the following command: SVRSVCSETUP.EXE -setprivilege
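
Before resetting, it is useful to know which folder drifted and how. The script below is an added example, not part of the Trend Micro guide: it reads the NTFS ACLs of the folders in the table above and reports any principal holding more than the table allows. The install path and the mapping of the table's column names to Windows account names (Administrators, Users, SYSTEM, NETWORK SERVICE) are assumptions; run it in an elevated session on the server.

```powershell
# Added example (not from the Trend Micro guide): audit PCCSRV ACLs against the permission
# table. Install path and column-to-account mapping are assumptions.

$pccsrv = 'C:\Program Files\Trend Micro\OfficeScan\PCCSRV'   # assumed install location

# Table column -> account name as reported by Get-Acl (assumption).
$principals = @{
    'Administrator'   = 'BUILTIN\Administrators'
    'Everyone'        = 'Everyone'
    'User'            = 'BUILTIN\Users'
    'System'          = 'NT AUTHORITY\SYSTEM'
    'Network Service' = 'NT AUTHORITY\NETWORK SERVICE'
}

# Table shorthand -> the most an Allow ACE for that principal may grant.
# Synchronize is included everywhere because Windows adds it to ordinary read/write ACEs.
$R = [System.Security.AccessControl.FileSystemRights]
$ceilings = @{
    'N/A'          = [int]$R::Synchronize
    'R'            = [int]($R::Read -bor $R::Synchronize)
    'RX'           = [int]($R::ReadAndExecute -bor $R::Synchronize)
    'RW'           = [int]($R::Read -bor $R::Write -bor $R::Synchronize)
    'RWXD'         = [int]($R::ReadAndExecute -bor $R::Write -bor $R::Delete -bor $R::Synchronize)
    'Full control' = [int]$R::FullControl
}

# Rows transcribed from the table; an empty Path is the PCCSRV folder itself.
$expected = @(
    @{ Path = '';                                        Administrator = 'Full control'; Everyone = 'RX';  User = 'N/A';  System = 'Full control'; 'Network Service' = 'N/A'  }
    @{ Path = 'HTTPDB';                                  Administrator = 'Full control'; Everyone = 'N/A'; User = 'N/A';  System = 'N/A';          'Network Service' = 'N/A'  }
    @{ Path = 'Log';                                     Administrator = 'Full control'; Everyone = 'N/A'; User = 'N/A';  System = 'Full control'; 'Network Service' = 'N/A'  }
    @{ Path = 'Temp';                                    Administrator = 'Full control'; Everyone = 'N/A'; User = 'RWXD'; System = 'N/A';          'Network Service' = 'RWXD' }
    @{ Path = 'Private';                                 Administrator = 'Full control'; Everyone = 'N/A'; User = 'N/A';  System = 'Full control'; 'Network Service' = 'RX'   }
    @{ Path = 'Download';                                Administrator = 'Full control'; Everyone = 'R';   User = 'R';    System = 'Full control'; 'Network Service' = 'N/A'  }
    @{ Path = 'Web';                                     Administrator = 'Full control'; Everyone = 'N/A'; User = 'R';    System = 'Full control'; 'Network Service' = 'N/A'  }
    @{ Path = 'Web\Cgi';                                 Administrator = 'Full control'; Everyone = 'N/A'; User = 'RX';   System = 'N/A';          'Network Service' = 'N/A'  }
    @{ Path = 'Web_OSCE\Web_console';                    Administrator = 'Full control'; Everyone = 'RX';  User = 'N/A';  System = 'Full control'; 'Network Service' = 'N/A'  }
    @{ Path = 'Web_OSCE\web_console\RemoteInstallCGI';   Administrator = 'Full control'; Everyone = 'N/A'; User = 'RWXD'; System = 'N/A';          'Network Service' = 'N/A'  }
    @{ Path = 'Web_OSCE\web_console\HTML\ClientInstall'; Administrator = 'Full control'; Everyone = 'N/A'; User = 'RWXD'; System = 'N/A';          'Network Service' = 'N/A'  }
    @{ Path = 'Virus';                                   Administrator = 'Full control'; Everyone = 'N/A'; User = 'RW';   System = 'N/A';          'Network Service' = 'N/A'  }
)

function Test-PccsrvAcl {
    param([string]$Root = $pccsrv)
    foreach ($row in $expected) {
        $folder = if ($row.Path) { Join-Path $Root $row.Path } else { $Root }
        if (-not (Test-Path $folder)) { Write-Output "MISSING  $folder"; continue }
        $acl = Get-Acl -Path $folder
        foreach ($column in $principals.Keys) {
            $account = $principals[$column]
            $ceiling = $ceilings[$row[$column]]
            $rules = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow'
            }
            foreach ($rule in $rules) {
                $bits = [int]$rule.FileSystemRights
                if ($bits -lt 0) {
                    # Generic rights (e.g. an inherited GENERIC_READ ACE) show up as negative ints; review by hand.
                    Write-Output ("REVIEW   {0}: {1} has a generic-rights ACE" -f $folder, $account)
                    continue
                }
                $excess = $bits -band (-bnot $ceiling)
                if ($excess -ne 0) {
                    $extra = [System.Security.AccessControl.FileSystemRights]$excess
                    Write-Output ("EXCESS   {0}: {1} allowed '{2}' but also holds {3}" -f $folder, $account, $row[$column], $extra)
                }
            }
        }
    }
}

Test-PccsrvAcl
```

Any EXCESS line is a candidate for the SVRSVCSETUP.EXE -setprivilege reset above; REVIEW lines need a look in the folder's Security tab, since generic rights cannot be compared bit by bit.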

Server Certificate Authentication

OfficeScan 11.0 enhances server-to-agent communication by authenticating the notifications and data sent, to protect against man-in-the-middle attacks. Authentication is implemented with a public-key infrastructure (PKI), so the agent only accepts commands from a trusted server.

NOTE: This feature is enabled by default.

To perform authentication, the OfficeScan server signs its data using a private key, and the OfficeScan agent verifies that data using the corresponding public key. These keys are uniquely generated during the installation or upgrade of any OfficeScan server.

If, for some reason, the OfficeScan server and agents have mismatched keys, the agents reject notifications from that server. This can happen if the OfficeScan server had an irrecoverable crash and had to be replaced.

NOTE: A normal OfficeScan server reinstall automatically attempts to reuse the same certificate to avoid a certificate mismatch, as shown below.

Figure 1 (figure not reproduced in this transcript)

To minimize problems caused by mismatched certificates, the following actions are recommended:

1. Store a copy of the certificate on a different machine or medium.

A local backup of the certificate is found at: ..\PCCSRV\AuthCerBackup\OfficeScanAuth.dat

2. If you plan to have multiple OfficeScan servers within your network, consider using the same certificate. This will help avoid issues if you regularly move OfficeScan agents from one server to another.
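
Recommendation 1 as a script, added here as an example that is not part of the Trend Micro guide: it copies the local backup to a second location and stores a SHA-256 digest beside it, so a copy restored later (or reused on a second server, as in recommendation 2) can be checked before it is trusted. The source path follows the guide; the destination share is an assumption, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not from the Trend Micro guide): off-box copy of the certificate backup
# with an integrity digest. Destination is an assumption.

function Backup-OfficeScanAuthCert {
    param(
        [string]$Source      = 'C:\Program Files\Trend Micro\OfficeScan\PCCSRV\AuthCerBackup\OfficeScanAuth.dat',
        [string]$Destination = '\\backupserver\osce-certs'   # assumed off-box share or removable media
    )
    if (-not (Test-Path $Source)) { throw "Certificate backup not found: $Source" }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "OfficeScanAuth-$env:COMPUTERNAME-$stamp.dat"
    Copy-Item -Path $Source -Destination $target
    # Verify the copy byte-for-byte via its hash rather than trusting the copy silently.
    $srcHash = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy verification failed for $target" }
    # Digest file in "<hash>  <filename>" form; compare against it before restoring or reusing the certificate.
    "$srcHash  $(Split-Path -Path $target -Leaf)" | Set-Content -Path "$target.sha256"
    return $target
}

Backup-OfficeScanAuthCert
```

Treat the copy like a private key: the share should be readable only by the administrators who rebuild OfficeScan servers, since whoever holds this file can issue commands the agents trust.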

2.3 > Server Upgrade Checklist

OSCE 11 has new features that assist with migration or upgrade.

Hotfix Detection: When upgrading from a previous OfficeScan server version, the installation process checks for hotfixes that are currently installed but not yet merged into OfficeScan 11.0, and prompts you about them.

NOTE: This feature is enabled by default.

Figure 2: Hotfix Detection Pop-up

If you see the pop-up above, review the hotfix list: ..\PCCSRV\TEMP\RollbackHotfix.txt

If important hotfixes appear in the list, consider delaying the upgrade or requesting OfficeScan 11.0 equivalents of those hotfixes before proceeding.

Patch Availability Notifications: OfficeScan 11 prompts when new updates are available. Apply the latest patch or Service Pack once it is available on the Management Console.

NOTE: This feature is enabled by default

Figure 3 (figure not reproduced in this transcript)

Chapter 3: Sizing Summary

IMPORTANT: This information can be used as a starting reference only. Actual performance may vary depending on enabled product features, topology, performance tweaks, and scan exclusions as outlined throughout this best practice document.

The recommendations below can be used as a guideline to determine the location and number of OfficeScan servers needed to effectively manage your LAN or WAN.

A single OfficeScan server can manage up to 30,000 agents depending on the machine specifications. Below is a quick summary.

Agent Number    Server Recommendation                            OSCE Server HW Recommendation
Less than 10K   All-in-one server (OSCE/CodeBase with iSPS)      CPU: 4 cores, RAM: 8GB
10K-20K*        Setup A: TMSPS + OSCE server + SQL server        CPU: 8 cores, RAM: 16GB
                Setup B: OSCE server (with iSPS) + SQL server
20K-30K         OSCE server + SQL server + TMSPS*                CPU: 12 cores, RAM: 32GB

NOTE: Although both setups provide up to 20K agent support, it is still advisable to have a standalone Smart Protection Server. This will help provide extra headroom for resource usage spikes in the event of outbreaks or unexpected server loads. This also reduces impact to agent protection if the OfficeScan server goes offline.

Another consideration is the database size. Disk space usage grows with the number of logs generated.

Here is a quick reference for the SQL database size given a certain number of logs and agents:

Agent Number   Table type                Record Count   Database Size (Estimate)
5000           Agent Information*        5000           1~2 GB
               Virus Log                 5000
               Web Reputation Log        15000
               Behavior Monitoring Log   5000
               DLP Log                   15000
10000          Agent Information*        10000          2~4 GB
               Virus Log                 10000
               Web Reputation Log        30000
               Behavior Monitoring Log   10000
               DLP Log                   30000
30000          Agent Information*        30000          6~12 GB
               Virus Log                 30000
               Web Reputation Log        90000
               Behavior Monitoring Log   30000
               DLP Log                   90000

*Agent Information data are stored in multiple database tables; the total size of the relevant database tables is used in this table.

The table above helps to determine the initial database size of OfficeScan. These estimates are based on the following assumptions:

Default log maintenance settings are applied, with logs older than 7 days deleted on a weekly basis.

Behavior Monitoring and DLP features are enabled.

The above log types are generally the major contributors in terms of log count and data size.

OfficeScan servers managing agents across the WAN should be installed at the sites with the healthiest bandwidth, which are typically datacenters or head offices.

Consider installing a local OfficeScan server for sites with approximately 500 or more agents. This is highly recommended if WAN bandwidth is limited for a particular site.

An Update Agent is a regular OfficeScan agent that is designated to replicate update information from an OfficeScan server for the purposes of distributing the update information to other OfficeScan agents.

Figure 4: Implementing Update Agents

Here is a reference for the number of agents an Update Agent can handle.

Agent type          2-core CPU machine
Network bandwidth   100Mbps    1000Mbps
Agent count         254        1022

Note: This data assumes an average daily scenario of downloading 700KB incremental pattern file, domain settings and server.ini.

Sample Deployment Architecture

This table can be used as a template to scope the different sites and generate an architecture proposal.

LOCATION        No. of AGENTS   OfficeScan INSTALLATION

NORTH AMERICA
New York        1400            OSCE Server for North America WAN
New York        1000            Integrated Scan Server for North America
Chicago         600             Local OSCE Server
Los Angeles     500             Local OSCE Server
Dallas          71              Update Agent
San Francisco   20              Update Agent
Houston         15              Update Agent

EUROPE
London          1600            OSCE Server for Europe WAN
Paris           360             Update Agent
Nyon            70              Update Agent
Copenhagen      25              Update Agent
Milan           25              Update Agent
Zurich          20              Update Agent
Istanbul        10              Update Agent

ASIA
Hong Kong       800             OSCE Server for Asia WAN
Tokyo           600             Local OSCE server (Japanese version)
Singapore       230             Update Agent
Manila          60              Update Agent

3.1 > Smart Protection Server Layout (Standalone)

IMPORTANT: OfficeScan agents running version 11.0 and later can only connect to Smart Protection Servers running version 3.0 and later.

Smart Protection Servers are placed in the local network, making them available to users who have access to the local corporate network. These servers are designed to localize operations within the corporate network to optimize efficiency. This network-based solution hosts the majority of the malware pattern definitions and web reputation scores. The Smart Protection Server makes these definitions available to other endpoints on the network for verifying potential threats.

Queries are only sent to Smart Protection Servers if the risk of the file or URL cannot be determined at the endpoint.

Endpoints leverage file reputation and web reputation technology to query the Smart Protection Servers and Trend Micro Smart Protection Network as part of their regular system protection activities. In this solution, agents send only identification information determined by Trend Micro technology to Smart Protection Servers. Agents never send the entire file when using file reputation technology. Risk is determined using only the file identification information.

The integrated Smart Protection Server can be pre-installed on the OfficeScan server if you choose to include it during the OfficeScan server installation. There are two main reasons to install a Standalone Smart Protection Server instead:

1. The number of smart scan agents is more than 10,000 (rather than relying on the Integrated Smart Protection Server).

2. You do not want to use the Integrated Smart Protection Server.

Load can be distributed by adding more Standalone Smart Protection Servers. Check the load balancing section below for more details.

Figure 5: Smart Protection Servers.

If latency between the branch office and the main office is high, install a Standalone Smart Protection Server at the branch office. If a Standalone Smart Protection Server cannot be installed, or no hardware is available, switch those agents to conventional scan.

NOTE: ESXi hosts gave the best performance results compared to other virtualization products, e.g. Windows Hyper-V and Citrix XenServer.

Smart Protection Server Sizing Recommendations

The following hardware specification was used for the virtualization platforms, together with the guest virtual machine resource allocation for the Standalone Smart Protection Server:

High-End Machine Specifications

Model                Dell PowerEdge 2950
Processor            Two Xeon E5420 2.50 GHz
Logical Processors   8 (2 processors * 4 cores, no Hyper-Threading)
Memory               8GB RAM
Local Hard Disk      SAS (15k rpm) 271GB

Virtualization Platforms

VMware ESXi Server 5.1 update1
Xen Server 6.2
Microsoft Hyper-V 2012 R2

Virtual Machine Configuration

vCPU     4
Memory   2 GB
Disk     30 GB

The following table and graph show the number of agents handled by an individual Standalone Smart Protection Server meeting these performance criteria:

• Average Latency Time was less than 100ms (0.1 second)

• Total HTTP Request Failed Rate was under 0.05%

• Total Mean Value of CPU Usage was under 80%

Hypervisor         Amount of Agents*   vCPU   Memory   CPU Usage (%)   Transaction Rate**   Failed Rate
ESXi 5.1 update1   25,000              4      2GB      65.4            2,251                0%
Xen 6.2            7,000               4      2GB      70.7            642                  0.02%
Hyper-V 2012 R2    10,000              4      2GB      65.8            899                  0.01%

NOTE: The transaction rate is based on OfficeScan agents; these statistics may not apply to SMEX, IWSVA clients, etc.

* The amount of agents is the maximum number of supported iCRC v2.0 agents for one TMSPS, taking into consideration that two other TMSPS with the same load run on the same virtualized host.

** The transaction rate is the sum of the FRS transaction rate and the WRS transaction rate per second.

Figure 6 (figure not reproduced in this transcript)

Compared to the Previous Version

The performance of TMSPS 3.0 has improved dramatically compared to the previous version. TMSPS 3.0 has increased the scalability by reducing the traffic between agents and TMSPS. Under the same test scenario, with three TMSPS running on one host, it could support more than double the number of agents compared to the previous release, TMSPS 2.5.

Sizing Bottleneck

CPU

For organizations that desire the maximum transaction rate from FRS and WRS and can accept 100% of CPU usage, the CPU capability becomes the bottleneck.

Disk I/O

Disk I/O speed is another important factor. Currently, the pattern updates will cause a lot of disk I/O operations. Therefore, if the customer’s environment uses external storage and shares the disk I/O bandwidth with many other VMs (or the disk I/O bandwidth is poor), then overall performance may suffer.

The disk can be monitored using the performance counters provided by the virtualization platform. ESXi Server provides the following disk-related performance counters:

Kernel Latency: 0-1 ms is ideal. If > 4 ms, check the CPU usage and queue latency.

Device Latency: If > 15 ms, check for a storage array problem.

Queue Latency: 0 ms is ideal. If > 0 ms, check the storage array.

Hypervisor

If the TMSPS virtual machine shares resources with many other VMs on the same VM host, then TMSPS must compete with other VMs for disk I/O, network traffic, CPU and memory. TMSPS performance will suffer as a result.

Beyond this competition for resources, hypervisors from different vendors deliver different performance. This may be caused by the emulated device drivers required to provide an interface between the physical hardware and the virtual machine. Generally speaking, TMSPS running on ESXi had the best performance, compared to XenServer and Hyper-V.

Load Balancing

Smart Protection Servers can be set up to achieve load balancing. Load balancing helps ensure HTTP requests are distributed among the Smart Protection Servers.

There are two ways to achieve load balancing using the OfficeScan web console:

1. Random – This will ensure that OfficeScan Agents will randomly choose a Smart Protection Server from the Smart Protection Server list.

2. Based on IP range – OfficeScan Agent will connect to a server in the Smart Protection Server list they have been assigned to.

Figure 7 (figure not reproduced in this transcript)

Deployment Recommendations

Smart Protection Server Redundancy

Smart Protection Servers should always be installed in redundant pairs to avoid WAN saturation in the event of a hardware failure.

Full System Scans

Initial scans require more requests to the Smart Protection Server. Agents should schedule their first scheduled scan in phases, especially when their Smart Protection Server is centrally located. Running scheduled scans in batches will increase capacity and normalize iCRC network utilization.

How to decide the number of TMSPS according to active users in the environment?

Use this table as a guideline to determine how many Smart Protection Servers you need in your environment. Even if you have only a few agents and one Smart Protection Server would be more than enough for all of them, it is best practice to always install at least two standalone Smart Protection Servers for redundancy and load balancing.

Hypervisor         Amount of Agents*   vCPU   Memory
ESXi 5.1 update1   25,000              4      2GB
Xen 6.2            7,000               4      2GB
Hyper-V 2012 R2    10,000              4      2GB

3.1.1 Using SQL Server for Database

One of the new features in OfficeScan 11 is the ability to migrate an existing database (CodeBase) to an SQL server database. This is done using the SQL Server Migration tool.

The migration tool currently supports 3 types of migrations:

OfficeScan CodeBase database to new SQL Server express database

NOTE: Choosing this option installs an SQL Server Express instance on the OSCE server and then migrates the database.

OfficeScan CodeBase database to a pre-existing SQL server database

OfficeScan SQL database (previously migrated) that was moved to another location.

3.1.1 Things to note before doing the migration:

When you choose to migrate to a new SQL Server Express database, note that OSCE installs “SQL Server 2008 R2 SP2 Express”. This must be installed on a Windows 2003 or Windows 2008 SP2 server; installing it on a Windows 2003 SP1 server fails. Refer to the Microsoft article below for more details.

http://msdn.microsoft.com/en-us/library/ms143506(v=sql.105).aspx

OfficeScan 11 supports both SQL 2008 and SQL 2012. For SQL 2008, note that Microsoft .NET Framework 3.5 SP1 is required and that Microsoft .NET Framework 4.0 is not compatible with SQL Server 2008.

Microsoft SQL server cannot be installed on Domain Controller machines. Consider this before choosing the server to install the database or OfficeScan to.

http://support.microsoft.com/kb/2032911

“User Account Control” needs to be turned off before running the SQL migration tool on Windows Server 2008 or later (when using Windows Authentication credentials).

Refer to this article for more details on turning it off:

http://windows.microsoft.com/en-us/windows/turn-user-account-control-on-off#1TC=windows-7

Make sure the OfficeScan Master Service is NOT running using the same domain user account used to log on to the SQL server. This could cause the service to fail to start after the migration.

Create a back-up copy of your existing OfficeScan CodeBase database for recovery in case there are problems encountered during the migration.

Refer to this article for more details:

http://esupport.trendmicro.com/solution/en-US/1039284.aspx

OfficeScan automatically creates the new database on the SQL server; there is no need to pre-create a blank database.

3.1.2 Migration best practices:

Ensure you click on the “Test Connection” option on the SQL migration tool before proceeding. This confirms the settings entered are correct and verifies that the connection is possible.

When using the Windows Account to log on to the server:

For a default domain administrator account:

• User name format: domain_name\administrator

• The account requires the following:

• Groups: Administrators Group

• User roles: Log on as a service and Log on as a batch job

• Database roles: dbcreator, bulkadmin, and db_owner

For a domain user account:

• User name format: domain_name\user_name

• The account requires the following:

• Groups: Administrators Group and Domain Admins

• User roles: Log on as a service and Log on as a batch job

• Database roles: dbcreator, bulkadmin, and db_owner

To verify the type of database used, check the ofcserver.ini file under the OfficeScan Server’s Private directory. (Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private)

Look for the section called “[INI_DBE_ENGINE_SECTION]” and note the value defined for DBE_ENGINE.

DBE_ENGINE=1001 ; CodeBase

DBE_ENGINE=1002 ; SQL Server
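
The pre-migration checks listed in 3.1.1 and the ofcserver.ini check above, gathered into one script as an added example that is not part of the Trend Micro guide. It reads DBE_ENGINE from the [INI_DBE_ENGINE_SECTION] section, then tests the domain controller, UAC, .NET 3.5 SP1 and Master Service account conditions. The ofcserver.ini path follows the guide; the service is located by its display name "OfficeScan Master Service" as named in the guide, and the SQL logon account passed in is a placeholder. PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the Trend Micro guide): SQL migration readiness checks.
# Paths and the sample account name are assumptions.

function Get-OfficeScanDbEngine {
    param([string]$IniPath = 'C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private\ofcserver.ini')
    $inSection = $false
    foreach ($line in Get-Content -Path $IniPath) {
        # Track which [section] we are in so DBE_ENGINE is only read from the right one.
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'INI_DBE_ENGINE_SECTION'); continue }
        if ($inSection -and $line -match '^\s*DBE_ENGINE\s*=\s*(\d+)') {
            switch ($Matches[1]) {
                '1001'  { return 'CodeBase' }
                '1002'  { return 'SQL Server' }
                default { return "Unknown ($($Matches[1]))" }
            }
        }
    }
    return 'DBE_ENGINE not found'
}

function Test-OfficeScanSqlMigrationPrereqs {
    param([string]$SqlLogonAccount)   # domain account intended for SQL Windows authentication
    $results = @()

    # SQL Server cannot go on a domain controller: Win32_ComputerSystem.DomainRole 4/5 = backup/primary DC.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $results += [pscustomobject]@{ Check = 'Not a domain controller'; Pass = ($role -lt 4); Detail = "DomainRole=$role" }

    # UAC must be off for the migration tool when Windows authentication is used (EnableLUA = 0).
    $lua = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA).EnableLUA
    $results += [pscustomobject]@{ Check = 'UAC disabled'; Pass = ($lua -eq 0); Detail = "EnableLUA=$lua" }

    # .NET Framework 3.5 SP1 is required for SQL Server 2008 (Install=1, SP>=1 under the NDP\v3.5 key).
    $net35 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = '.NET 3.5 SP1 installed'; Pass = ($net35.Install -eq 1 -and $net35.SP -ge 1); Detail = "Install=$($net35.Install) SP=$($net35.SP)" }

    # The Master Service must not run under the same domain account used to log on to SQL.
    $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='OfficeScan Master Service'"
    $sameAccount = [bool]($SqlLogonAccount -and $svc -and ($svc.StartName -ieq $SqlLogonAccount))
    $results += [pscustomobject]@{ Check = 'Master Service account differs from SQL logon'; Pass = (-not $sameAccount); Detail = "StartName=$($svc.StartName)" }

    # Informational: which engine the server is using right now.
    $results += [pscustomobject]@{ Check = 'Current DB engine'; Pass = $true; Detail = (Get-OfficeScanDbEngine) }
    return $results
}

# 'CORP\osce_sql' is a placeholder for the account you will enter in the migration tool.
Test-OfficeScanSqlMigrationPrereqs -SqlLogonAccount 'CORP\osce_sql' | Format-Table -AutoSize
```

Run it once before the migration and again afterwards: the last row should flip from CodeBase to SQL Server, and the UAC row can be returned to Pass = False once the tool has finished and UAC is re-enabled.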

3.2 > Integrated Smart Protection Server Best Practices

When opting to use the Integrated Smart Protection Server, make sure that it is actually installed and running. If the Integrated Smart Protection Server is not properly installed, smart scan agents will be disconnected and will not use the cloud technology properly.

The integrated server is intended for small-scale deployments of OfficeScan, in which the number of agents does not exceed 1,000. For larger deployments, the standalone Smart Protection Server is recommended.

In OfficeScan 11, the Integrated Smart Protection Server (ISPS) ports have changed. Note the new ports used below:

Ports used by ISPS

              ISPS (IIS)   ISPS (Apache)
HTTP (FRS)    8080         8082
HTTPS (FRS)   4343         4345
HTTP (WRS)    8080         5274

WARNING! When using Microsoft IIS as the web server, monitor the IIS logs generated by the Integrated Smart Protection Server, because the daily log size can easily reach 250MB in an environment of around 1000 machines. IIS does not delete old IIS logs by default, and they can easily consume all the available free space on the OfficeScan server.
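
A retention job for that warning, added here as an example that is not part of the Trend Micro guide: it reports how much space the IIS logs occupy, removes files older than a retention period, and prints the free space on the volume so the same script can double as a daily check. The log folder is the IIS 7+ default and is an assumption; confirm the site's actual directory under the Logging feature in IIS Manager. With -Preview the script only lists what it would delete.

```powershell
# Added example (not from the Trend Micro guide): size report and retention for IIS logs.
# Log path is the IIS 7+ default (assumption). Requires PowerShell 3.0 or later.

function Invoke-IisLogRetention {
    param(
        [string]$LogRoot   = 'C:\inetpub\logs\LogFiles',   # assumed; check IIS Manager > Logging
        [int]$RetainDays   = 30,
        [switch]$Preview                                   # list candidates instead of deleting them
    )
    $cutoff = (Get-Date).AddDays(-$RetainDays)
    $logs   = @(Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -File)
    $old    = @($logs | Where-Object { $_.LastWriteTime -lt $cutoff })

    # Sizes in MB; Measure-Object returns $null for an empty set, which divides to 0.
    $totalMB = [math]::Round((($logs | Measure-Object -Property Length -Sum).Sum / 1MB), 1)
    $oldMB   = [math]::Round((($old  | Measure-Object -Property Length -Sum).Sum / 1MB), 1)
    Write-Output ("IIS logs under {0}: {1} files, {2} MB; {3} files ({4} MB) older than {5} days" -f
        $LogRoot, $logs.Count, $totalMB, $old.Count, $oldMB, $RetainDays)

    foreach ($file in $old) {
        if ($Preview) { Write-Output ("Would remove {0}" -f $file.FullName) }
        else          { Remove-Item -Path $file.FullName -Force }
    }

    # Free space on the volume that holds the logs, the figure the warning above is really about.
    $drive = Get-PSDrive -Name $LogRoot.Substring(0, 1)
    Write-Output ("Free space on {0}: {1} GB" -f $drive.Name, [math]::Round($drive.Free / 1GB, 1))
}

Invoke-IisLogRetention -RetainDays 30 -Preview
```

Thirty days is a starting point, not a recommendation from the guide: the IIS logs are the record of which endpoints queried the integrated server, so align the retention with whatever your incident response process expects to be able to look back over, and archive rather than delete if that window is longer.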

Make sure the Internet Explorer setting “Do not save encrypted pages to disk” is not enabled, so that you can check whether the Integrated Smart Protection Server is running.

Figure 8 (figure not reproduced in this transcript)

After checking the setting above, type the URL below into your browser:

https://OfficeScan_server:port/tmcss/?LCRC=08000000BCB3080092000080C4F01936DD430000

You should see the following pop up which will confirm that Integrated Smart Protection Server is running.
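
The browser check above, automated together with a check of the port table from 3.2, as an added example that is not part of the Trend Micro guide. It opens a TCP connection to each ISPS port for the chosen web server type and then issues the guide's LCRC query over HTTPS. The server name is a placeholder; using the HTTPS (FRS) port for the tmcss URL is an assumption (the guide writes only "port"); and the certificate-validation override exists only because the integrated server may present a certificate the client does not trust, so it is restored as soon as the request returns.

```powershell
# Added example (not from the Trend Micro guide): reachability check for the ISPS ports and
# the tmcss query URL. Server name and URL port are assumptions. PowerShell 3.0 or later.

function Test-IspsEndpoints {
    param(
        [string]$Server = 'officescan.corp.example',            # placeholder OfficeScan server name
        [ValidateSet('IIS', 'Apache')][string]$WebServer = 'IIS'
    )
    # Port table from the guide, keyed by web server type.
    $ports = @{
        IIS    = @{ 'HTTP (FRS)' = 8080; 'HTTPS (FRS)' = 4343; 'HTTP (WRS)' = 8080 }
        Apache = @{ 'HTTP (FRS)' = 8082; 'HTTPS (FRS)' = 4345; 'HTTP (WRS)' = 5274 }
    }
    $results = @()
    foreach ($svc in $ports[$WebServer].Keys) {
        $port   = $ports[$WebServer][$svc]
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Bounded connect so a filtered port reports false instead of hanging the script.
            $async = $client.BeginConnect($Server, $port, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        } catch { $open = $false }
        finally { $client.Close() }
        $results += [pscustomobject]@{ Service = $svc; Port = $port; Result = $open }
    }

    # The guide's LCRC query; an HTTP response means the integrated server is answering file reputation queries.
    $httpsPort = $ports[$WebServer]['HTTPS (FRS)']
    $url = "https://${Server}:$httpsPort/tmcss/?LCRC=08000000BCB3080092000080C4F01936DD430000"
    $saved = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }   # this check only
    try {
        $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        $status = "HTTP $($resp.StatusCode)"
    } catch { $status = "failed: $($_.Exception.Message)" }
    finally { [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $saved }
    $results += [pscustomobject]@{ Service = 'tmcss query (HTTPS)'; Port = $httpsPort; Result = $status }
    return $results
}

Test-IspsEndpoints -Server 'officescan.corp.example' -WebServer 'IIS' | Format-Table -AutoSize
```

A port that is open while the tmcss query fails usually points at the ISPS service rather than the web server; a closed HTTPS (FRS) port with smart scan agents configured is the disconnected state the section warns about.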

Figure 9 (figure not reproduced in this transcript)

Ensure that OfficeScan agents can query at least two scan servers. This avoids a single point of failure in the event that a Smart Protection Server is unreachable. To take full advantage of the cloud technology, all agents must be online and connected to a Smart Protection Server. To add Smart Protection Servers, go to [Administration | Smart Protection | Smart Protection Sources], then choose the [Internal Agents] tab. Choose the standard list or a custom list based on IP address, then click Notify All Agents to push this setting.

Because the integrated server and the OfficeScan server run on the same computer, the computer’s performance may reduce significantly during peak traffic for the two servers. When possible, consider using a standalone Smart Protection Server as the primary smart protection source for agents and the integrated server as a backup.

Do not use Smart Scan as the default scanning method at the root level. Always use Conventional Scan as the root-level scanning method. When selecting OfficeScan agents to use Smart Scan, always choose a regular domain instead of the root level. If the root level is set to use Smart Scan, a newly installed agent that is then placed in a domain using Conventional Scan will have to download the Conventional Scan components.

WARNING! When an agent switches from Smart Scan to conventional scan, it will download the full pattern file if a conventional pattern file is not present or is more than 14 patterns behind.

Make sure the Computer Location settings are correctly defined. They can be reached via [Agents | Endpoint Location].

The default setting is “Agent connection status”. This means OfficeScan agents use the defined reference server list to determine whether they are external or internal.

Agents that can connect to the OfficeScan Server or any of the reference servers listed, will be recognized as internal agents. These agents will therefore connect to Smart Protection servers defined under Internal Agents for Smart Protection Sources.

If a connection cannot be established, the agents are classified as external agents and use the settings defined for External Agents. By default, this is the global Smart Protection Network (https://osce11.icrc.trendmicro.com/tmcss).

If “Gateway IP address” setting is applied, and the client computer’s gateway IP address matches any of the gateway IP addresses specified on the Endpoint Location screen, the computer’s location will be classified as internal. Otherwise, the computer’s location is external.

Optimize the performance of Smart Protection Servers by doing the following:

Avoid performing Manual Scans and Scheduled Scans simultaneously. Stagger the scans in groups.

Avoid configuring all endpoints to perform Scan Now simultaneously.

Customize Smart Protection Servers for slower network connections, about 512Kbps, by making changes to the ptngrowth.ini file.

Customizing ptngrowth.ini for the Integrated Server:

1. Open the ptngrowth.ini file in <Server installation folder>\PCCSRV\WSS\.

2. Modify the ptngrowth.ini file using the recommended values below:

[COOLDOWN]

ENABLE=1

MAX_UPDATE_CONNECTION=1

UPDATE_WAIT_SECOND=360

3. Save the ptngrowth.ini file.

4. Restart the Trend Micro Smart Protection Server service.

3.3 Configuration

The majority of the product's default configurations provide substantial security while taking server and network performance into account. The recommendations below can be used as an additional reference to either enhance security or achieve better performance.

NOTE: The following notifications in the UI show that these features are turned off by default.


To turn on these features, administrators should go to [Agents | Agent Management | Settings | Additional Service Settings] and enable the service for the feature they intend to use.

WARNING: Enabling or disabling the Firewall service temporarily disconnects the agents from the network. Ensure that you change the settings only during non-critical hours to minimize network interruptions.

Administrators can turn on the “Unauthorized Change Prevention Service” on a single server platform by enabling/disabling it through “Additional Service Settings”. Administrators can also enable/disable the “Unauthorized Change Prevention Service” on workstations by selecting a root/domain/single agent/multi-select agent.

Meerkat is used to prevent 0-day attacks by downloaded programs. It pops up a notification/alert if a user downloads a 0-day program through an HTTP channel or an email application and then executes the program within 24 hours.

NOTE: It is disabled by default on Windows Server platforms.

To turn on this feature, administrators should enable the “Unauthorized Change Prevention Service” (TMBMSRV.EXE) and the “Web Reputation” feature (tmproxy.exe).

1. Enable the “Unauthorized Change Prevention Service” (TMBMSRV.EXE) to monitor process launches.

Path: Agents > Agent Management > Settings > Additional Service Settings > enable Unauthorized Change Prevention Service.

2. Enable Web Reputation (tmproxy.exe) to monitor file downloads.

Path: Agents > Agent Management > Settings > Web Reputation Settings > select “Enable web reputation policy on the following operating systems”.

To enable the Meerkat function:

Path: Agent Management > Global Agent Setting > Behavior Monitoring Settings > check “Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded)” > Save

Deferred scanning improves the performance of file copy operations. This feature is integrated with VSAPI 9.713 or later. Originally, the OSCE scan engine performed two scans during a file copy operation. With deferred scanning enabled, one of those file scans is placed in the scan queue and deferred, which improves file copy performance.

To enable the deferred scan function:

Path: Agent Management > Global Agent Setting > Scan Settings > select “Enable deferred scanning on file operations” > Save


3.3.1 Management Console

ASSESSMENT (Notes and Recommendations)

SECURITY COMPLIANCE

Manual Report
***Select an OfficeScan domain and run a compliance report on its agents to see which agents are non-compliant with the server. In the “Scan Compliance” view, specify one or both of the following:

• Number of days an agent has not performed Scan Now or Scheduled Scan

• Number of hours the remote or scheduled scan task has been running

Scheduled Report: Enabled
***The report can show the status of OfficeScan agent services, components, scan compliance, and settings to find non-compliant agents. It can be run on a daily basis if needed. Trend Micro recommends enabling on-demand assessment to perform real-time queries for more accurate results. You can also disable on-demand assessment, in which case OfficeScan queries the database instead of each agent. This option may be quicker but produces less accurate results.

The SMTP setting on the notification page is needed for sending the scheduled compliance report to users. Follow these steps to complete the settings:

a. Go to Notification > Administrator Notifications > General Settings, fill in the fields “SMTP server”, “Port number” and “From” in the Email Notification section and click Save.

The “Scan Compliance” view uses the configuration that was used for the last manual assessment.

UNMANAGED ENDPOINTS

Define Scope

Active Directory Scope
***Select OUs containing fewer than 1000 computer accounts for a performance baseline, then increase or decrease the number of computers according to performance.

IP Address Scope
***Choose an IP range to scan for unmanaged endpoints.

Advanced Settings

Specify Ports
***Make sure to add all OSCE server communication ports.

Declare a computer unreachable by checking port: 135
***A different port can be chosen, but make sure it is a common port that will be available on all the computers.

Settings: Enabled
***Enable a scheduled query once a week to find computers that do not have the OfficeScan agent.

AGENTS (Notes and Recommendations)

AGENT MANAGEMENT

SCAN SETTINGS

SCAN METHOD

Conventional Scan
***Conventional Scan leverages anti-malware and anti-spyware components stored locally on endpoints.

Smart Scan
***Smart Scan is now the default at the ROOT domain level. The Smart Scan method should be selected at the domain level so that when a user installs an agent it is easier to move from Conventional Scan to Smart Scan. Smart Scan leverages anti-malware and anti-spyware signatures stored in the cloud.

MANUAL SCAN SETTINGS

Virus/Malware Scan Settings

Target Tab

Files to scan

All Scannable Files: Enabled
***Selecting All Scannable Files improves security by scanning all files that can be scanned, not only those types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.

Scan Settings

Scan Hidden Folders: Enabled

Scan Network Drive: Enabled
***This function is not needed if the remote PC already has antivirus protection. Enabling it may cause redundant scanning and performance issues.

Scan compressed files: Enabled
***Scanning within 2 layers is recommended. Increasing the level may cause performance issues. Compressed files are scanned in real time when extracted.

Scan OLE objects: Enabled
***Scanning 3 layers is reasonable.

Detect exploit code in OLE files: Enabled
***This setting heuristically identifies malware by checking Microsoft Office files for exploit code.

Virus/Malware Settings only

Scan Boot Area: Enabled

CPU Usage

Medium: Enabled
***Minimizes the slowdown of PCs when a scan is initiated. It is not recommended to run a manual scan during working hours due to high CPU usage.

Scan Exclusions

Enable Scan Exclusion: Enabled
***Refer to section 6.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.

Apply scan exclusion settings to all scan types: Disabled

Exclude directories where Trend Micro products are installed: Enabled

Action Tab

Virus/Malware

Use Active Action: Enabled
***This setting will utilize the Trend Micro recommended settings for each type of virus/malware.

Customize action for probable virus/malware: Enabled
***Select Quarantine to be able to restore any files that are needed.

Back up files before cleaning: Enabled

Damage Cleanup Services

Advanced cleanup: Enabled

Run cleanup when probable virus/malware is detected: Enabled

Spyware/Grayware

Clean: Enabled

REAL-TIME SCAN SETTINGS

Enable virus/malware scan: Enabled

Enable spyware/grayware scan: Enabled

Target Tab

User Activity on Files

Scan files being created/modified and retrieved: Created/modified and retrieved
***In cases where the system is heavily accessed, such as file servers, it may be advisable to select “Scan files being created/modified”, but only use this option if server performance is affected.

Files to scan

File types scanned by IntelliScan: Enabled
***Selecting IntelliScan slightly improves performance by only scanning file types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.

Scan Settings

Scan floppy disk during system shutdown: Disabled

Scan Network Drive: Enabled
***For additional security, it is recommended that this setting be enabled. Note that in some environments this setting may cause performance issues; disable it if issues are encountered.

Scan Compressed Files: Enabled
***Scanning 2 layers is reasonable. Increasing the level may cause performance issues. Compressed files are scanned in real time when extracted.

Scan OLE Objects: Enabled
***Scanning 3 layers is reasonable.

Detect exploit code in OLE files: Enabled
***This setting heuristically identifies malware by checking Microsoft Office files for exploit code.

Virus/Malware Scan Settings Only

Enable IntelliTrap: Enabled
***Turn off this setting in special cases where users regularly exchange/access compressed executable files in real time.

Scan Exclusion

Enable Scan Exclusion: Enabled
***Refer to section 6.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.

Apply scan exclusion settings to all scan types: Disabled

Exclude directories where Trend Micro products are installed: Enabled

Action Tab

Virus/Malware

Use Active Action: Enabled
***This setting will utilize the Trend Micro recommended settings for each type of virus/malware.

Customize action for probable virus/malware: Enabled
***Select Quarantine to be able to restore any files that are needed.

Display a notification message on the agent computer when virus/malware is detected: Disabled
***Turn off this setting to prevent end users from seeing pop-up messages, which can generate helpdesk calls.

Display a notification message on the agent computer when probable virus/malware is detected: Disabled
***Turn off this setting to prevent end users from seeing pop-up messages, which can generate helpdesk calls.

Back up files before cleaning: Enabled

Damage Cleanup Services

Run Cleanup when probable virus/malware is detected: Enabled

Spyware/Grayware

Clean: Enabled

Display a notification message on the agent computer when virus/malware is detected: Disabled
***Turn off this setting to prevent end users from seeing pop-up messages, which can generate helpdesk calls.

SCHEDULED SCAN SETTINGS

Enable Virus/Malware Scan: Enabled
***Turn on Scheduled Scan to scan systems on a regular basis.

Enable spyware/grayware scan: Enabled
***Turn on Scheduled Scan to scan systems on a regular basis.

Target Tab

Schedule: Weekly on Friday 12pm
***It is suggested to scan during lunch time or after office hours if machines remain turned on.

Files to scan

All Scannable Files: Enabled
***Selecting All Scannable Files improves security by scanning all files that can be scanned, not only those types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.

Scan settings

Scan compressed files: Enabled
***Scanning 2 layers is reasonable. Increasing the level may cause performance issues. Compressed files are scanned in real time when extracted.

Scan OLE objects: Enabled
***Scanning 3 layers is reasonable.

Detect exploit code in OLE files: Enabled
***This setting heuristically identifies malware by checking Microsoft Office files for exploit code.

Virus/Malware Settings Only

Scan Boot Area: Enabled

CPU Usage

Medium: Enabled
***Prevents slowdown of PCs when a scheduled scan kicks off. The scan will take longer to finish if the setting is set to Low.

Scan Exclusions

Enable Scan Exclusion: Enabled
***Refer to section 6.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.

Apply scan exclusion settings to all scan types: Disabled

Exclude directories where Trend Micro products are installed: Enabled

Action Tab

Virus/Malware

Use Active Action: Enabled
***This setting will utilize the Trend Micro recommended settings for each type of virus/malware.

Customize action for probable virus/malware: Enabled
***Select Quarantine to be able to restore any files that are needed.

Display a notification message on the agent computer when virus/malware is detected: Disabled
***Turn off this setting to prevent end users from seeing pop-up messages, which can generate helpdesk calls.

Display a notification message on the agent computer when probable virus/malware is detected: Disabled
***Turn off this setting to prevent end users from seeing pop-up messages, which can generate helpdesk calls.

Back up files before cleaning: Enabled

Damage Cleanup Services

Advanced cleanup: Enabled

Run cleanup when probable virus/malware is detected: Enabled

Spyware/Grayware

Clean: Enabled

Display a notification message on the agent computer when virus/malware is detected: Enabled
***Turn off this setting to prevent end users from seeing pop-up messages, which can generate helpdesk calls.

SCAN NOW SETTINGS

Enable Virus/Malware Scan: Enabled

Enable Spyware/Grayware scan: Enabled

Target Tab

Files to Scan

File types scanned by IntelliScan: Enabled
***Selecting IntelliScan slightly improves performance by only scanning file types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.

Scan Settings

Scan compressed files: Enabled
***Scanning within 2 layers is recommended. Increasing the level may cause performance issues. Compressed files are scanned in real time when extracted.

Scan OLE objects: Enabled
***Scanning 3 layers is reasonable.

Detect exploit code in OLE files: Enabled
***This setting heuristically identifies malware by checking Microsoft Office files for exploit code.

Virus/Malware Settings Only

Scan Boot Area: Enabled

CPU Usage

Medium: Enabled
***Minimizes the slowdown of PCs when a scan is initiated. It is not recommended to run a manual scan during working hours due to high CPU usage.

Scan Exclusion

Enable Scan Exclusion: Enabled
***Refer to section 6.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.

Apply scan exclusion settings to all scan types: Disabled

Exclude directories where Trend Micro products are installed: Enabled

Action Tab

Virus/Malware

Use Active Action: Enabled
***This setting will utilize the Trend Micro recommended settings for each type of virus/malware.

Customize action for probable virus/malware: Enabled
***Select Quarantine to be able to restore any files that are needed.

Damage Cleanup Services

Advanced Cleanup: Enabled

Run cleanup when probable virus/malware is detected: Enabled

Spyware/Grayware

Clean: Enabled

UPDATE AGENT SETTINGS

OfficeScan agents can act as Update Agent
***Component Updates, Domain Settings, and Agent programs and hotfixes should be selected to take full advantage of Update Agents to save bandwidth and to speed up deployment.

Component Updates: Enabled

Domain Settings: Enabled

OfficeScan agent programs and hot fixes: Enabled

PRIVILEGES AND OTHER SETTINGS

Privileges Tab

Roaming

Enable Roaming mode: Disabled
***It is highly recommended to disable this function, as it allows users to stop communication between the OfficeScan server and the agent. The Roaming privilege allows users to isolate their systems to avoid being notified by the server for scans or updates. This function has nothing to do with the ability to update when the machine is off the network, such as when taking a laptop home.

Scans

Configure Manual Scan Settings: Disabled
***Enable this to allow users to configure their own scan settings.

Configure Real-time Scan Settings: Disabled
***Enable this to allow users to configure their own scan settings.

Configure Scheduled Scan Settings: Disabled
***Enable this to allow users to configure their own scan settings.

Scheduled Scans

Postpone Scheduled Scan: Disabled
***Enable this to allow users to stop the Scheduled Scan when it is triggered.

Skip and stop scheduled Scan: Disabled
***Enable this to allow users to stop the Scheduled Scan when it is triggered.

Firewall (if you have the firewall activated)

Display the Firewall tab on the Agent console: Enabled

Allow users to enable/disable the firewall, Intrusion Detection System, and the firewall violation notification message: Disabled
***Enable this to allow users to configure their own firewall settings other than what is set on the OfficeScan server.

Allow agents to send firewall logs to the OfficeScan server: Disabled
***Keep this disabled unless necessary, as it will increase traffic between the OSCE server and agents.

Behavior Monitoring

Display the Behavior Monitoring tab on the agent console: Disabled

Mail Scan

Display the Mail Scan tab on the agent console: Disabled
***Since most enterprises do not use POP3, this tab can be hidden from users to avoid confusion. If this setting is allowed, users can install this tool using the OSCE agent GUI.

Toolbox

Display the Toolbox tab on the agent console and allow users to install Check Point Secure Agent Support: Disabled
***Unless Check Point Secure Agent is used, this should be turned off to avoid confusing users.

Proxy Settings

Allow the agent user to configure proxy settings: Enabled
***Enable this to allow users to configure a proxy to update from the internet; otherwise this can be turned off.

Component Updates

Perform Update Now: Enabled
***Enable this to allow users to initiate an update manually by right-clicking the OSCE icon in their system tray.

Enable Scheduled Update: Disabled
***Leave this option disabled so users cannot turn off scheduled updates. This keeps users up to date with the latest signatures.

Unloading

Unloading the OfficeScan agent and unlocking advanced agent settings: Enabled
***Enable this to prevent users from unloading the OfficeScan agent from their system.

Uninstallation

Uninstalling the OfficeScan agent: Enabled
***Enable this to prevent users from uninstalling the OfficeScan agent from their system.

Other Settings Tab

Update Settings

OfficeScan agents download updates from the Trend Micro ActiveUpdate Server: Enabled
***Enable this function to allow agents to update from the Trend Micro ActiveUpdate servers whenever the OfficeScan agent cannot contact the OfficeScan server or the Update Agents. This is especially helpful for users who travel with their laptops or bring them home, keeping them up to date all the time.

Enable Scheduled Updates on OfficeScan agents: Enabled
***Aside from update notifications from the OfficeScan server, this function allows OfficeScan agents to check for updates on a scheduled basis. Update checking is done in the background and no user intervention is required.

OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes: Disabled
***Enable this function in environments where bandwidth is limited. It allows agents to update their regular signatures and engines while avoiding downloading hotfixes or program updates from the OfficeScan server.

Web Reputation Settings

Display a notification when a web site is blocked: Enabled
***Turn this off to avoid pop-ups when websites are blocked.

Behavior Monitoring Settings

Display a notification when a program is blocked: Enabled
***Enable this function to avoid confusing users as to why a certain program won’t run.

C&C Contact Alert Settings

Display a notification when a C&C callback is detected: Enabled
***Enable this function to receive notifications on C&C callbacks.

Central Quarantine Restore Alert Settings

Display a notification when a quarantined file is restored: Disabled
***Enable this function to get notifications when quarantined files are restored.

OfficeScan agent Self-protection

Protect OfficeScan agent services: Enabled

Protect files in the OfficeScan agent installation folder: Enabled

Protect OfficeScan agent registry keys: Enabled

Protect OfficeScan agent processes: Enabled

Scheduled Scan Settings

Display a notification before a scheduled scan occurs: Disabled

Cache Settings for Scans

Enable the digital signature cache: Enabled and set to 28 days.

Enable the on-demand scan cache: Disabled
***If on-demand scans are seldom run, enabling this is not necessary since the console settings are satisfactory; if you do want to enable it, extending the expiration would be the better option.

OfficeScan agent Security Settings

High: Restrict users from accessing OfficeScan agent files and registries: Enabled
***Setting this to High prevents regular users from deleting OfficeScan files and registry entries.

POP3 Email Scan Settings

Scan POP3 email: Disabled
***Enable this only when you use POP3 mail in your network. When selected, this setting enables POP3 mail scan on the agent console. Note that this setting only applies to agents with the mail scan privilege.

OfficeScan Agent Console Access Restriction

Do not allow users to access the agent console from the system tray or Windows Start menu: Disabled
***In environments where any user changes are prohibited, this function allows administrators to restrict users from accessing the OfficeScan agent console.

Restart Notification

Display a notification message if the agent computer needs to restart to finish cleaning infected files: Enabled

ADDITIONAL SERVICES

Unauthorized Change Prevention Service: Enabled
***The Unauthorized Change Prevention Service regulates application behavior and verifies program trustworthiness. Behavior Monitoring, Device Control, Certified Safe Software Service, and Agent Self-protection all require this service. If an administrator wants to allow this service on a server, then a single server must be chosen to view the option to enable this service.

Firewall Service
***This setting will turn on the firewall service on the OfficeScan agents.

WARNING: Enabling this service will temporarily disconnect the OfficeScan agent from the network.

Suspicious Connection Service
***The Suspicious Connection Service provides advanced protection against Command & Control callbacks through the following features:

• User-defined IP Approved and Blocked lists

• Global C&C IP List

• Malware network fingerprinting

Advanced Protection Service
***The Advanced Protection Service facilitates advanced scanning and protection features. Behavior Monitoring and Browser Exploit Prevention require this service.

WEB REPUTATION SETTINGS

External agents tab

Enable Web Reputation Policy on the following operating systems: Enabled
***Enable this feature to protect agents from web threats when they are not connected to the internal network. Enabling it will protect them from accessing malicious sites.

Enable assessment: Disabled
***Administrators can enable assessment to monitor the type of detections before deploying Web Reputation. When assessment is turned on, OfficeScan will not take any action.

Check HTTPS URLs: Enabled

Scan common HTTP ports only: Disabled
***When disabled, WRS will scan all HTTP URLs regardless of their port information. If enabled, only URLs with no port information or those that point to ports 80, 81, or 8080 will be scanned.
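The port rule for “Scan common HTTP ports only” as described above, written out as an added example (not Trend Micro code) so an administrator can check which URLs in an inventory would fall outside Web Reputation checks once the option is enabled. It follows the text literally and assumes “Check HTTPS URLs” is enabled, so HTTPS URLs are subject to the same port rule; the URL list is constructed.

```python
"""Which URLs "Scan common HTTP ports only" leaves unscanned, as an added
example (not Trend Micro code). Follows the page's description literally."""
from urllib.parse import urlsplit
from typing import Iterable, List

# Ports named on the page as "common HTTP ports".
COMMON_HTTP_PORTS = {80, 81, 8080}


def is_scanned(url: str, common_ports_only: bool) -> bool:
    """True if WRS would evaluate this URL under the given setting.

    Disabled: every HTTP(S) URL is scanned regardless of port.
    Enabled: only URLs with no port information, or with an explicit
    port of 80, 81 or 8080, are scanned (assumes Check HTTPS URLs is on).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # not a web request; Web Reputation does not apply
    if not common_ports_only:
        return True
    explicit_port = parts.port  # None when the URL carries no port
    return explicit_port is None or explicit_port in COMMON_HTTP_PORTS


def unscanned(urls: Iterable[str], common_ports_only: bool = True) -> List[str]:
    """URLs the setting would skip; review this list before enabling it,
    since internal apps on non-standard ports lose Web Reputation coverage."""
    return [u for u in urls if not is_scanned(u, common_ports_only)]


# Constructed sample inventory (hypothetical hosts).
SAMPLE_URLS = [
    "http://intranet.example/",                 # no port: scanned
    "http://intranet.example:8080/app",         # 8080: scanned
    "http://download.example:8000/update.exe",  # 8000: skipped when enabled
    "https://portal.example:8443/login",        # 8443: skipped when enabled
    "http://10.0.0.5:81/",                      # 81: scanned
]

if __name__ == "__main__":
    for setting in (False, True):
        print(f"common_ports_only={setting}:", unscanned(SAMPLE_URLS, setting))
```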

Security Level

Medium: Enabled

Untested URLs

Block pages that have not been tested by Trend Micro: Enabled
***Note that any website that has not been tested by Trend Micro will be blocked if this is enabled.

Browser Exploit Prevention

Block pages containing malicious script: Enabled

Agent Log

Allow agents to send logs to the OfficeScan server: Enabled
***Depending on security requirements, you may or may not want to monitor which sites are being blocked on the agent side. On the other hand, turning this on will generate traffic between the server and agents.

Internal agents tab

Enable Web Reputation Policy on the following operating systems: Enabled
***If there is already web security on the gateway, this may be turned off.

Enable Assessment: Disabled
***Administrators can enable assessment to monitor the type of detections before deploying Web Reputation. When assessment is turned on, OfficeScan will not take any action.

Check HTTPS URLs: Enabled

Scan common HTTP ports only: Disabled
***When disabled, WRS will scan all HTTP URLs regardless of their port information. If enabled, only URLs with no port information or those that point to ports 80, 81, or 8080 will be scanned.

Send queries to Smart Protection Servers: Enabled
***Agents will send queries to Smart Protection Servers; make sure they are available. If this option is disabled, agents will need internet access to reach the Trend Micro Smart Protection Network; if an agent does not have web access, it will use the approved/blocked web site list as its only web reputation data.

Security Level

Low: Enabled
***Internet traffic usage is lowest and browsing information is kept in house. When combined with “Use only Smart Protection Servers, do not send queries to Smart Protection Network” checked, the security level is always ‘Low’.

Untested URLs

Block pages that have not been tested by Trend Micro: Enabled

Browser Exploit Prevention

Block pages containing malicious script: Enabled

Approved/Blocked URL List

Enable approved/blocked list: Enabled

Agent Log

Allow agents to send logs to the OfficeScan server: Enabled
***Depending on security requirements, you may or may not want to monitor which sites are being blocked on the agent side. On the other hand, turning this on will generate traffic between the server and agents.

SUSPICIOUS CONNECTION SETTINGS (Notes and Recommendations)

Log network connections made to addresses in the Global C&C IP list: Enabled

Page 61: Trend Micro™ OFFICESCAN 11 11_BPG.pdf · agents can receive program upgrades from OfficeScan 11.0 Update Agents as long as they report to the ... Installation and Deployment Guide

TECHNICAL SUPPORT Best Practice Guide

61 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.

Log and allow access to User-defined Blocked IP list addresses

Disabled

***Enable this feature to perform assessment of the violations first, then set to Disable.

Log connections using malware network fingerprinting

Enabled

***OfficeScan performs pattern matching on packet headers. OfficeScan logs all connections made by packets with headers that match known malware threats using the Relevance Rule pattern.

Clean suspicious connections when a C&C callback is detected

Enabled

***OfficeScan uses GeneriClean to clean the malware threat and terminate the connection to the C&C server.

BEHAVIOR MONITORING Notes and Recommendations

Enable Malware Behavior Blocking for known and potential threats

Known Threats

***Enable this setting to protect your agents from specific threats, threat types and threat families through behavior analysis.

Enable Event Monitoring Enabled

***Enable this to monitor system events to filter potentially malicious actions. Refer to list below for recommended settings if this is enabled.

Policies (Under Event Monitoring if Enabled)

***The “Assess” action will log events that violate the policy but will not take action. To avoid interfering with normal activity, it is recommended that administrators start with this action set for all policies. This would help them define the proper action they need to take once data is available.

Duplicated System File Assess

Hosts File Modification Assess


Suspicious Behavior Assess

New Internet Explorer Plugin Assess

Internet Explorer Setting Modification Assess

Security Policy Modification Assess

Program Library Injection Assess

Shell Modification Assess

New Service Assess

System File Modification Assess

Firewall Policy Modification Assess

System Process Modification Assess

New Startup Program Assess

Exceptions (Approve/Block) ***Enter the full path of programs you would want to exempt from Behavior Monitoring or directly Block.

DEVICE CONTROL Notes and Recommendations

External Agents tab

Enabled Device Control Enabled

***Enable this setting to take advantage of “Block autorun function on USB devices”, but leave Full Access permissions for the devices unless there is a need to restrict them for virus outbreak containment or data leak prevention.

Apply all settings to internal agents

Disabled

Block autorun function on USB storage devices

Enabled

***Enable this to prevent the potential threat autorun can cause.

Storage Devices

CD/DVD Full Access


Floppy Disks Full Access

Network Drives Full Access

USB storage devices Full Access

Program Lists

Programs with read and write access to storage devices

***Enter the full path of programs you would allow write access to storage devices.

Programs on storage devices that are allowed to execute

***Enter the full path of programs you would want to allow to execute.

Notification

Display a notification message on the agent computer when OfficeScan detects unauthorized

Enabled

***Enable this when device control access is not set to “Full Access” to avoid causing confusion to users as to why they cannot access their drives fully.

Internal Agents tab

Enabled Device Control Enabled

***Enable this setting to take advantage of “Block autorun function on USB devices”, but leave Full Access permissions for the devices unless there is a need to restrict them for virus outbreak containment or data leak prevention.

Apply all settings to external agents

Disabled

Block autorun function on USB storage devices

Enabled

***Enable this to prevent the potential threat autorun can cause.

Storage Devices

CD/DVD Full Access

Floppy Disks Full Access

Network Drives Full Access

USB storage devices Full Access


Program Lists

Programs with read and write access to storage devices

***Enter the full path of programs you would allow write access to storage devices.

Programs on storage devices that are allowed to execute

***Enter the full path of programs you would want to allow to execute.

Notification

Display a notification message on the agent computer when OfficeScan detects unauthorized

Enabled

***Enable this when device control access is not set to “Full Access” to avoid causing confusion to users as to why they cannot access their drives fully.

AGENT GROUPING Notes and Recommendations

NetBIOS domain

Active Directory domain

DNS domain

***Only used during installation of an agent.

Custom agent groups ***Can be used anytime to group agents.

CUSTOM AGENT GROUPS Notes and Recommendations

Automatic Agent Grouping ***Administrators can create agent groupings according to Active Directory or IP address.

Schedule Domain Creation Enabled

***Performing scheduled domain creation creates a domain in the agent tree. This may take a long time to complete, especially if the scope is broad. However, this does not move existing agents to this domain; custom agent grouping must be used.

To move existing agents, use the manual agent sort function, or let OfficeScan move them automatically when one of the following events occurs:

1. Agent installation

2. Agents reload

3. Agents change IP addresses

4. Agents enable or disable roaming mode


GLOBAL AGENT SETTINGS Notes and Recommendations


Scan Settings

Add Manual Scan to the Windows shortcut menu on agent computers

Disabled

***Enable this function to allow users to right-click on files or folders to perform a manual scan.

Exclude the OfficeScan server database folder from Real-time Scan

Enabled

***Prevents the OfficeScan database from getting corrupted.

Exclude Microsoft Exchange server folders from scanning

Enabled

***Prevent OfficeScan from interfering with the mails being processed by the Exchange server and the antivirus that scans the mail traffic.

Enable deferred scanning on file operations

Disabled

***This option can be enabled to help improve the performance of file copy operations.

Scan Settings for Large Compressed Files

Configure scan settings for large compressed files

Enabled

***This option skips scanning of files inside compressed files, to improve performance.

Real-time Scan

Do not scan files (in a compressed file) if size exceeds 2MB

In a compressed file, scan only the first 10 files

Manual Scan/Scheduled Scan/Scan Now

Do not scan files (in a compressed file) if size exceeds 30MB

In a compressed file, scan only the first 100 files

Virus/Malware Scan Settings only

Clean/Delete infected files within compressed files

Enabled

Spyware/Grayware Scan Settings Only

Enable Assessment Mode

Enabled

***Turn this on for a recommended period of at least 3 weeks to allow administrators to assess spyware detections in the network. No action is taken on any detection. This allows administrators to monitor and verify whether there are false positive detections, especially on home-grown applications.

Scan for Cookies Enabled

***Turn on to allow cookie scanning and cleaning.

Count Cookie into spyware log Disabled

***Turn this off to prevent logs generated from cookie detection from overpopulating the virus log database.

Scheduled Scan Settings

Remind users of the Scheduled Scan

10 minutes before it runs

***This setting only applies to users who have the privilege to control Scheduled scans.

Postpone Scheduled Scan for up to 1 hour

***This setting only applies to users who have the privilege to control Scheduled scans.

Automatically stop Scheduled Scan when scanning lasts more than

Disable

Skip Scheduled Scan when a wireless computer’s battery life is less than

Enabled

***Enable this setting (20 percent) when there are a number of laptop users in your environment, to save battery life.

Resume a missed scheduled scan Enable

Virus/Malware Log Bandwidth Settings

Enable OfficeScan agents to consolidate network virus logs and send them to the OfficeScan server hourly.

Enabled

***This allows agents to send a single consolidated log to the server when the same virus is detected multiple times in the same location within a period of time.

Firewall Settings (If you have firewall activated)

Send firewall logs to the server every

4 hours

***If it is really needed, set this to Daily or every 4 to 8 hours to prevent agents from saturating the network by sending logs at short intervals regularly.

Update the OfficeScan firewall driver only after a system reboot

Enabled

***This setting will let agents update the firewall driver settings during reboot. This way there will be no loss of network connectivity. This setting applies to only updates/upgrades done through OfficeScan server.

Send firewall log information to the OfficeScan server hourly to determine the possibility of a firewall outbreak.

Enabled

Behavior Monitoring Settings

Automatically allow program if agent does not respond within X seconds.

30

***If timeout is reached, BM will “allow” the program.

Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded)

Enabled

***Helps prevent zero-day attacks by monitoring applications that are downloaded through HTTP or email. Administrators should enable ‘Unauthorized Change Prevention Service’ and ‘Web Reputation’ to have this feature.

Certified Safe Software Service Settings

Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and antivirus scans

Disabled

***When enabled, the OSCE agent will query the Trend Micro back-end servers via the Internet to reduce BM false alarms.

C&C Contact Alert Settings

Define customized Approved and Blocked IP lists used to detect C&C callbacks

***Define approved or blocked IP addresses, IP ranges or subnets for C&C callback detection.

Updates

Download only the pattern files from the ActiveUpdate server when performing updates

Disabled

***Administrators can use this setting to let OfficeScan agents update only patterns from the Trend Micro ActiveUpdate site.

Reserved Disk Space

Reserve 60 MB of disk space for updates

Enabled

Unreachable Network

Server Polling ***Select the IP range of unreachable network and how often the agents should poll to the server.

Heartbeat

Allow agents to send heartbeat to the server

Enabled

***Only agents in the unreachable network should send heartbeats since other agents would be connected to the server.

Agents send heartbeat every 10

The agent is offline if there is no heartbeat after X minutes

60

Alert Settings

Show the alert icon on the Windows taskbar if the virus pattern file is not updated after X days

Enabled, 5 days

Display a notification message if the agent computer needs to restart to load a kernel mode driver

Enabled

***When the firewall is enabled, it is suggested to turn this on so that whenever the firewall driver is updated, the agent is notified to reboot for the update to take effect; without a reboot, the firewall may not function properly with the updated component.

OfficeScan Service Restart

Automatically restart an OfficeScan agent service if the service terminates unexpectedly

Enabled

Restart the service after 1 minute

If the first attempt to restart the service fails, retry

6 times

Reset the restart failure count after 1 hour

Proxy Configuration

Automatically detect settings Enabled

***To allow auto detection of proxy for updates, this can be enabled.

Use automatic configuration script Disabled

***To allow use of proxy scripts for connection, this can be enabled.

Enabled

***OfficeScan agents will try to communicate with reference servers to determine if their status will be online or offline if the OfficeScan server is not available.

Preferred IP Address

Agents with IPv4 and IPv6 addresses register to the server using IPv4 first, then IPv6

ENDPOINT LOCATION Notes and Recommendations

Endpoint Location

Agent Connection status (edit reference server list)

Disabled

***Gateway addresses can be entered instead of reference list to determine whether OfficeScan agents are online or offline.

Gateway IP address

Mac address (optional)

CONNECTION VERIFICATION Notes and Recommendations

Scheduled Verification

Enable Scheduled Verification Enabled Daily at 10:30am

***This allows the server to recheck the status of the agents in the network; it is ideal to run it on a schedule when most agents are already online.

LOGS Notes and Recommendations

LOG MAINTENANCE

Enable Scheduled Deletion Enable

***Enable this to keep the log size manageable and prevent performance issues on the OSCE server when retrieving logs. If Control Manager is used, the logs are also sent to Control Manager, so there is no need to keep two copies of the logs; you can get reports from Control Manager. Ensure all log types are selected.

Logs to Delete

Logs Older than 7 days

***To keep the log database small enough for efficiency.

Log Deletion Schedule Daily @ 2am

***It is advisable to have this checked every day. The suggested time is 2am so that traffic to the server is low and logs can be purged before the system backup kicks off. The OfficeScan server automatically performs database maintenance at midnight, so avoid scheduling during that time.

UPDATES Notes and Recommendations

SERVER

Enable scheduled update of the OfficeScan server

Enabled

Update Schedule Hourly

***It is best to check on a more regular basis to get the latest updates.

Agents

Agent Automatic Updates

Initiate component update on agents immediately after the OfficeScan server downloads a new component

Enabled

Include roaming agent(s) Disabled

***It is unnecessary if the agents are offline and unreachable.

Let agents initiate component update when they restart and connect to the OfficeScan server (roaming agents are excluded)

Enabled

***There are instances where agents are offline when the server updates from the Internet. This function allows those agents to get their updates from the server when they are back online.

Perform Scan Now after update (excluding roaming agents)

Disabled

***It is not strictly necessary to do a full scan right after performing an update. The scheduled scan is normally sufficient.

Schedule-based Update

2 or 4 hours

Enabled

***Depending on the number of agents that the server manages, you can set this from every 2 hours to every 4 hours. This setting configures how often agents check for updates from the OfficeScan server, the Update Agent or the Internet.

Agent Update Source

Standard Update Source Enabled

***Enable this if no Update Agents will be used.

Enabled

***Administrators can allow agents to get updates from OfficeScan servers if Update Agents are not available

Customized Update Source

Update Agents update components, domain settings, and agent programs and hot fixes, only from the OfficeScan server

Enabled

***Enable this to have update agents always update from the OfficeScan server

OfficeScan agents update the following items from the OfficeScan server if all customized sources are unavailable or not found:

Components Disabled

***To allow OfficeScan agents to strictly update from update agents for pattern and engine updates.

Domain Settings Enabled

***Domain settings are small enough to allow agents to get them from the OfficeScan server when Update Agents are not available.


OfficeScan agent programs and hotfixes

Disabled

***This setting should not be turned on unless OfficeScan agents are allowed to upgrade from OfficeScan server. This might cause bandwidth problems depending on the network.

NOTIFICATIONS Notes and Recommendations

ADMINISTRATOR NOTIFICATIONS

Standard Notifications

Virus/Malware

Send notifications only when the action on the virus/malware is unsuccessful

Enable

***Enable this to only notify when an action failed on the virus/malware.

Spyware/Grayware

Send notifications only when the action on the virus/malware is unsuccessful

Enable

***Enable this to only notify when an action failed on the spyware/grayware.

Outbreak Notifications

Virus/Malware Enable

***Enable this to alert administrators when infections are starting to grow.

Unique Sources 1

Detections 100

Time Period 24 hrs

Spyware/Grayware Enabled

***Enable this to alert administrators when infections are starting to grow.

Unique Sources 1

Detections 100

Time Period 24 hrs


Firewall Violations

Monitor Firewall violations on networked computers

Enabled

***Enable this to alert administrators when there are suspicious firewall violations

IDS Logs 100

Firewall Logs 100

Network Virus Logs 100

Time Period 1 hr

Shared Folder Session

Monitor Shared Folder session on your network

Enabled

***Enable this to alert administrators of suspicious network sessions being generated.

Shared Folder Sessions 100

Time Period 3 min
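The outbreak notifications above all apply one rule: raise an alert once N detections from at least M unique sources fall inside a time window (100 detections from 1 source in 24 hours for virus/malware and spyware/grayware; 100 shared folder sessions in 3 minutes; per log type, 100 entries in 1 hour for firewall violations). The following Python script is an added illustration of that sliding-window check, not part of this guide and not OfficeScan code: it runs the criteria over constructed detection log lines. The log line format (`<ISO timestamp> <source endpoint> <detail>`), the helper names and the sample data are all assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Outbreak criteria from the guide: detections / unique sources / time period.
VIRUS_OUTBREAK = dict(detections=100, unique_sources=1, period=timedelta(hours=24))
SHARED_FOLDER_OUTBREAK = dict(detections=100, unique_sources=1, period=timedelta(minutes=3))


def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> <source endpoint> <detail>'."""
    stamp, source, detail = line.split(maxsplit=2)
    return datetime.fromisoformat(stamp), source, detail


def outbreak_alerts(lines, detections, unique_sources, period):
    """Slide a window of length `period` over the time-sorted events and report
    each moment the window first reaches `detections` events coming from at
    least `unique_sources` distinct endpoints.

    Returns a list of (timestamp, event_count, source_count): one alert per
    crossing, re-armed once the window drops back below the threshold, so a
    sustained outbreak does not flood the administrator with repeats."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    window = deque()
    alerts = []
    armed = True
    for stamp, source, _ in events:
        window.append((stamp, source))
        while stamp - window[0][0] > period:  # evict events older than the period
            window.popleft()
        sources = {s for _, s in window}
        above = len(window) >= detections and len(sources) >= unique_sources
        if above and armed:
            alerts.append((stamp, len(window), len(sources)))
        armed = not above
    return alerts


def constructed_log(count, start, step, sources, detail="TROJ_SAMPLE.A"):
    """Build `count` constructed log lines spaced `step` apart, rotating sources."""
    return [
        f"{(start + i * step).isoformat()} {sources[i % len(sources)]} {detail}"
        for i in range(count)
    ]


# Constructed samples (not real detections).
SAMPLE_START = datetime(2014, 6, 16, 9, 0, 0)
# 120 detections one minute apart on two endpoints: crosses the virus criteria.
SAMPLE_BURST = constructed_log(120, SAMPLE_START, timedelta(minutes=1), ["PC-ACCT-01", "PC-ACCT-02"])
# 120 detections 30 minutes apart: never 100 inside any 24-hour window.
SAMPLE_TRICKLE = constructed_log(120, SAMPLE_START, timedelta(minutes=30), ["PC-ACCT-01"])
# 100 shared folder sessions one second apart: crosses the 3-minute criteria.
SAMPLE_SESSIONS = constructed_log(100, SAMPLE_START, timedelta(seconds=1), ["FS-01"], "\\\\FS-01\\share")


if __name__ == "__main__":
    for when, count, srcs in outbreak_alerts(SAMPLE_BURST, **VIRUS_OUTBREAK):
        print(f"virus outbreak at {when}: {count} detections from {srcs} endpoints")
    print("trickle alerts:", outbreak_alerts(SAMPLE_TRICKLE, **VIRUS_OUTBREAK))
    print("session alerts:", outbreak_alerts(SAMPLE_SESSIONS, **SHARED_FOLDER_OUTBREAK))
```

The trickle sample shows why the time period matters: the same 120 detections spread over 60 hours never produce an alert, while the same count compressed into two hours does. For the firewall criteria, run the check once per log type (IDS, firewall, network virus) with a one-hour period.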

ADMINISTRATION Notes and Recommendations

Account Management

User Accounts ***User accounts are used to log on to the OSCE web console. These accounts are assigned privileges as deemed appropriate. Use this section to add custom accounts or Active Directory accounts.

User Roles ***User roles define the list of operations a user can perform. These operations are roughly tied to the navigation menu. Use this section to assign, create or modify roles for a user or a Windows group, which gives the account permission to perform the operations defined in that role.

SMART PROTECTION

Smart Protection Sources

Internal Agents


Use the standard list (for all internal agents)

***This setting configures the agents to check the Scan Servers in the order specified on the list (the Integrated Smart Protection Server will always be last).

***If all Scan Servers are equal in performance, availability and location, the random setting will allow the agents to load balance between all of the Smart Protection Servers on the list.

Use custom lists based on agent IP address

***Use this setting to customize which Smart Protection Server agents will use. It is recommended that each sub site will have its own Smart Protection Server.

Use standard list if custom list becomes unavailable

Enabled

***To help ensure full redundancy in situations where the custom Smart Protection Server list is unavailable, the agent should check the standard list.

Integrated Server

***The check box should be enabled if the Integrated Smart Protection Server will be used. The Integrated Smart Protection Server should not be used to support more than 3000 agents in a primary role. If more than 3000 agents need to be supported, a Stand-Alone Smart Protection Server should be installed in the environment and the Integrated Smart Protection Server should be used for backup purposes only.

Enable File Reputation Service Enabled

Use HTTP for scan queries Enabled

Enable Web Reputation Service Enabled

Enable scheduled updates Enabled

Update Settings Hourly

Smart Feedback

Smart Protection Network Disabled

***When enabled, Trend Micro Smart Feedback shares threat information with the Smart Protection Network, allowing Trend Micro to rapidly identify and address new threats.

Active Directory

Active Directory Integration

Active Directory Domains ***Add Active Directory domains OfficeScan will associate with the agent tree.

Encrypt Active Directory Credentials ***Specify an encryption key and file path to ensure an additional layer of protection for your Active Directory credentials.

Scheduled Synchronization

Enable Scheduled Active Directory synchronization

Enabled

***Administrators can set the scheduled synchronization daily.

Settings

Proxy Settings

Internal Proxy

Agent Connection with the OfficeScan Server Computer

Use the following proxy settings when agents connect to the OfficeScan server and the Integrated Smart Protection Server.

Disabled

***This should be disabled all the time unless the OfficeScan Agents require connection to an intranet proxy to communicate with the OfficeScan Server.

Agent Connection with the Local Smart Protection Servers

Use the following proxy settings when agents connect to the local Smart Protection Servers.

Disabled

***This should be disabled all the time unless the OfficeScan agents require connection to an intranet proxy to communicate with the local Smart Protection Server.

External Proxy


OfficeScan Server Computer Updates

Use a proxy server for pattern, engine, and license updates

Enabled

***Enable this option and fill out the fields when a proxy server is required to download updates from the internet.

Agent Connection with Trend Micro Servers

Specify proxy server authentication credentials the agent will use to connect to the Trend Micro Global Smart Protection Server and Web reputation servers.

Enabled

***Fill this out if the proxy server used requires authentication credentials.

Inactive Agents

Enable automatic removal of inactive agents

Enabled

***Enable this function to allow OfficeScan to remove old agents that are inactive for X days. Whenever these agents come back online, they will automatically be added and show up in the console.

Automatically remove an agent if inactive for X days

7 days

Quarantine Manager

Quarantine folder capacity 10240MB

***Please note that the Quarantine folder on the OfficeScan server does not clean up by itself. It is important to clean the folder up on a regular basis.

Maximum size for a single file 5 MB

Web Console Settings

Auto Refresh Settings

Enable Auto Refresh Enabled

***Set it for 30 seconds

Timeout Settings

Enable Timeout Setting Enabled

***Set it for 30 minutes

Database Backup


Database Backup Schedule

Enable Scheduled Database Backup Daily @ 3AM

***The OfficeScan server usually does database maintenance at midnight, and it is best not to interfere with that maintenance, so it is recommended to set the time a few hours before or a few hours after midnight, after log purging.

3.3.2 INI Configuration Files

OfcScan.ini

PARAMETER USAGE / NOTES

[Global Setting]

DisableTSCAtStart=1

Add or change the value to 1 to disable the Damage Cleanup service from executing whenever the OfficeScan Real-time Scan starts up. This is helpful for systems with low resources, to speed up the boot/startup time.

[Global Setting]

UADuplicationOptValue=128

Enable this feature to allow Update Agents to download only one incremental file from the OfficeScan server and allow it to automatically generate full pattern and the rest of the incremental files. This will help minimize bandwidth usage.

[Global Setting]

ScheduledScanForNetworkDrive=1

If the remote PC does not have an antivirus, this function enables scheduled scans for network drives.

***This function is not needed if the remote PC already has antivirus function. Enabling this may cause redundant scheduled scanning and performance issues.

[Global Setting]

EnableRTScanUSBInsert=1

If this function is turned on by setting the value to 1, USB storage devices will be scanned by Real-time Scan.


[Global Setting]

USBScanConfirm=1

If this function is turned on by setting the value to 1, a pop-up message asks the user whether they want to scan the USB device.

***Note: Device Control Settings will take higher priority than USB scan insertion

[Global Setting]

IntensiveScanThreshold=0

Manual Scan supports switching to Intensive Scan, a higher-detection mode, once the number of detected viruses exceeds a certain threshold. To enable it, set a value.

***Ex: setting the value to “5” uses 5 as the intensive threshold. The ideal threshold value is 100.

[Global Setting]

SupportToConfigureWRServerPlatformForMultiAgent=1

This setting enables admins to select multiple servers at once when enabling WRS function on server platforms.

OfcServer.ini

PARAMETER USAGE / NOTES

[INI_AD_INTEGRATION_SECTION]

ApplyFQDNToResolveIPFirst=1

Applies only to FQDN environments when set to 1. Enable this option to resolve the IP address from the FQDN.

If this is set to 0, OfficeScan resolves the IP address from NetBIOS first and then from the FQDN.

If this is set to 1, OfficeScan resolves the IP address from the FQDN first and then from NetBIOS.

[INI_AD_INTEGRATION_SECTION]

EnableQueryAllContainer=1

When this option is set to 1, it allows Active Directory Integration to query all objects including containers.


3.4 > Performance Tuning OfficeScan Server (ofcscan.ini) Parameters

The parameters below can be added or edited to further improve the performance of the OfficeScan server.

PARAMETER (ofcscan.ini) USAGE / NOTES

Command_Handler_Maxium_Thread_Number This OfficeScan server parameter controls the number of threads responsible for receiving agent communications. Default value is 20. Add the parameter under [INI_SERVER_SECTION] of ofcscan.ini to modify default setting. Recommended value is 20 multiplied by the number of CPUs.

NOTE: the word Maxium is intentionally misspelled.

DB_MEM_OPT_MAX Increase the server database cache to improve performance. Recommended value is at 10% of available memory.

Increase the number of Command Handler threads

Edit <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini

Add the parameter Command_Handler_Maxium_Thread_Number= (note the intentional spelling) under the [INI_SERVER_SECTION] section and set its value to 20 x Number of CPUs.

Restart the OfficeScan Master Service.

Increase Database Cache to improve performance

Edit <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini

Locate the entry DB_MEM_OPT_MAX = 10240 and set its value to be at least 10% of available memory.

Restart the OfficeScan Master Service.


Verify Connection Thread Count Parameter

Go to the [INI_SERVER_SECTION] section.

Look for the VerifyConnectionThreadCount=16 parameter.

The value depends on network capacity. On a 100 Mbps intranet, a value of 64 or 128 is acceptable.
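As an added example (not part of the Trend Micro guide), the following Python script checks an ofcscan.ini fragment against the three recommendations above and produces a tuned copy. It assumes all three keys live under [INI_SERVER_SECTION] as the guide states, treats DB_MEM_OPT_MAX as a value in KB (the guide does not state the unit), and runs against a constructed sample rather than a real server file. It also catches the trap the NOTE warns about: an administrator who types Command_Handler_Maximum_Thread_Number has not set the documented parameter.

```python
import configparser
import io

SERVER_SECTION = "INI_SERVER_SECTION"
THREAD_KEY = "Command_Handler_Maxium_Thread_Number"       # documented spelling (sic)
THREAD_KEY_TYPO = "Command_Handler_Maximum_Thread_Number"  # what an admin is likely to type
DB_CACHE_KEY = "DB_MEM_OPT_MAX"
VERIFY_KEY = "VerifyConnectionThreadCount"

# Constructed sample of the relevant ofcscan.ini fragment; not a real server's file.
SAMPLE_INI = """\
[INI_SERVER_SECTION]
Command_Handler_Maximum_Thread_Number=80
DB_MEM_OPT_MAX=10240
VerifyConnectionThreadCount=16

[INI_AD_INTEGRATION_SECTION]
EnableQueryAllContainer=1
"""


def load_ini(text):
    """Parse ofcscan.ini text, preserving key case (configparser lowercases keys by default)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def recommended_threads(cpu_count):
    """Guide: 20 threads multiplied by the number of CPUs (20 is also the default when absent)."""
    return 20 * cpu_count


def recommended_db_cache(total_memory_kb):
    """Guide: at least 10% of available memory. Treating the value as KB is an assumption."""
    return total_memory_kb // 10


def check_server_tuning(cp, cpu_count, total_memory_kb, link_mbps=100):
    """Return a list of findings; an empty list means the file already meets the recommendations."""
    if not cp.has_section(SERVER_SECTION):
        return [f"missing [{SERVER_SECTION}] section"]
    sec = cp[SERVER_SECTION]
    findings = []
    if THREAD_KEY_TYPO in sec:
        findings.append(f"{THREAD_KEY_TYPO} is not the documented key; spell it {THREAD_KEY}")
    threads = int(sec.get(THREAD_KEY, 20))
    if threads < recommended_threads(cpu_count):
        findings.append(f"{THREAD_KEY}={threads}, recommended "
                        f"{recommended_threads(cpu_count)} for {cpu_count} CPUs")
    cache = int(sec.get(DB_CACHE_KEY, 0))
    if cache < recommended_db_cache(total_memory_kb):
        findings.append(f"{DB_CACHE_KEY}={cache}, recommended at least "
                        f"{recommended_db_cache(total_memory_kb)}")
    verify = int(sec.get(VERIFY_KEY, 16))
    if link_mbps >= 100 and verify < 64:
        findings.append(f"{VERIFY_KEY}={verify}, 64 or 128 is acceptable on a {link_mbps} Mbps intranet")
    return findings


def tuned_ini(cp, cpu_count, total_memory_kb, verify_threads=64):
    """Apply the recommendations and return the new ini text (write it back, then restart the Master Service)."""
    sec = cp[SERVER_SECTION]
    sec.pop(THREAD_KEY_TYPO, None)  # remove the misleading key so nobody trusts it later
    sec[THREAD_KEY] = str(recommended_threads(cpu_count))
    sec[DB_CACHE_KEY] = str(max(int(sec.get(DB_CACHE_KEY, 0)), recommended_db_cache(total_memory_kb)))
    sec[VERIFY_KEY] = str(verify_threads)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    cp = load_ini(SAMPLE_INI)
    for finding in check_server_tuning(cp, cpu_count=4, total_memory_kb=8 * 1024 * 1024):
        print("FINDING:", finding)
    print(tuned_ini(cp, cpu_count=4, total_memory_kb=8 * 1024 * 1024))
```

Run the check against a copy of the server's ofcscan.ini, review the findings, and only then write the tuned text back and restart the OfficeScan Master Service; the script never touches the live file itself.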


Chapter 4: Backup and Disaster Recovery

NOTE: The section below applies only to OfficeScan itself (it does not include plug-ins or the Integrated Scan Server backup). Customers running OfficeScan with the Integrated Scan Server should not follow these steps.

4.1 > OfficeScan Server Database Files

The OfficeScan server can be set to back up the agent database automatically. This is configured in the web-based management console under [ Administration | Database Backup ]. The process copies all database files under [ <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\HTTPDB ] to a local or remote location.

A daily backup is recommended, especially during agent deployment; the schedule can be changed to weekly after deployment is complete. Schedule the backup to start at 2:00 AM, when agent interaction is minimal and the job does not coincide with other OfficeScan scheduled tasks.

Use the OfficeScan built-in backup function for the database. Backing up the database with a third-party application may cause system instability or database corruption.

4.2 > OfficeScan Server Configuration Files

It is also recommended to manually back up the OfficeScan server configuration files, which can be used to recover from a server disaster.

Backup OfficeScan Server Configuration

Stop the OfficeScan Master Service.

Manually back up the OfficeScan Server and Firewall configuration files:

OfficeScan Server and Firewall configuration files

\PCCSRV\Ofcscan.ini – Server configuration information

\PCCSRV\Private\Ofcserver.ini – Server and Update Source configuration


\PCCSRV\Ous.ini – Agent update source configuration

\PCCSRV\Private\PFW folder – Firewall profiles / policies

\Private\SortingRuleStore\SortingRule.xml – Sorting rules

\Private\AuthorStore folder – RBA user profiles

\Private\vdi.ini – VDI settings

Start the OfficeScan Master Service.

Run the Certificate Manager tool to back up the certificate used for OfficeScan communication with its agents. Open a command prompt with administrator privileges, go to the [ <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\CertificateManager ] folder and run the following command:

CertificateManager.exe -b [Password] [Certificate Path]

Example: CertificateManager.exe -b mypassword c:\certificate.zip

Keep a copy of c:\certificate.zip together with the other OfficeScan server configuration files, and record the password used with -b: it is needed when the certificate is imported again, and the archive is what lets a rebuilt server identify itself to agents, so store both as carefully as the database backup.

In the event of server corruption, the OfficeScan server settings can be restored with the following procedure.

Restoring OfficeScan Server Configuration

This procedure assumes that the OfficeScan server is being restored to the same host, using the same FQDN and IP address.

Stop the OfficeScan Master Service and the WWW Publishing Service (World Wide Web Publishing Service).

Restore the backed-up database files under [ <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\HTTPDB ].

Restore the OfficeScan server and Firewall policy configuration files:

o \Program Files\Trend Micro\OfficeScan\PCCSRV\Ofcscan.ini

o \Program Files\Trend Micro\OfficeScan\PCCSRV\Private\Ofcserver.ini

o \Program Files\Trend Micro\OfficeScan\PCCSRV\Ous.ini

o \Program Files\Trend Micro\OfficeScan\PCCSRV\Private\PFW directory

o \Private\SortingRuleStore\SortingRule.xml

o \Private\AuthorStore folder – RBA user profiles

o \Private\vdi.ini

From a command prompt, go to the \Program Files\Trend Micro\OfficeScan folder and run the command srvsvcsetup.exe -setprivilege.


Restart the OfficeScan Master Service and the WWW Publishing Service. Restore the OfficeScan certificate by importing it during installation; in the example above, certificate.zip is the file to select when importing the certificates.
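The file backup and restore steps above, as an added example that is not Trend Micro's code: a Python script that copies the listed items out of PCCSRV, records a SHA-256 manifest alongside them, and after a restore verifies that every file came back intact, so a silently truncated or stale copy is caught before the Master Service is started. It assumes the SortingRuleStore, AuthorStore and vdi.ini entries sit under PCCSRV\Private like Ofcserver.ini, and it demonstrates on a constructed fake PCCSRV tree in a temporary directory rather than a real server. It does not replace the built-in database backup or the CertificateManager.exe step, and the Master Service must be stopped before the copy, as the guide says.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime

# Items listed in the guide, relative to PCCSRV. Placing the SortingRuleStore, AuthorStore
# and vdi.ini entries under PCCSRV\Private (like Ofcserver.ini) is an assumption.
CONFIG_ITEMS = [
    r"Ofcscan.ini",
    r"Private\Ofcserver.ini",
    r"Ous.ini",
    r"Private\PFW",
    r"Private\SortingRuleStore\SortingRule.xml",
    r"Private\AuthorStore",
    r"Private\vdi.ini",
]


def _to_native(rel):
    return os.path.join(*rel.split("\\"))


def _iter_files(root, rel):
    """Yield (backslash relative path, absolute path) for one item, descending into folders."""
    abs_path = os.path.join(root, _to_native(rel))
    if os.path.isdir(abs_path):
        for dirpath, _, names in os.walk(abs_path):
            for name in names:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "\\"), full
    elif os.path.isfile(abs_path):
        yield rel, abs_path
    # an item the server never created (e.g. no firewall profiles yet) is simply skipped


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_config(pccsrv, dest):
    """Copy the configuration items into dest and write manifest.json; returns {relpath: sha256}."""
    manifest = {}
    for item in CONFIG_ITEMS:
        for rel, src in _iter_files(pccsrv, item):
            dst = os.path.join(dest, _to_native(rel))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_file(src)
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump({"created": datetime.now().isoformat(), "files": manifest}, f, indent=2)
    return manifest


def verify_restore(pccsrv, manifest):
    """Compare the files under PCCSRV with the manifest; returns a list of problems (empty = intact)."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(pccsrv, _to_native(rel))
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def restore_config(backup_dir, pccsrv):
    """Copy the backed-up files back under PCCSRV (Master Service stopped) and verify them."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)["files"]
    for rel in manifest:
        dst = os.path.join(pccsrv, _to_native(rel))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, _to_native(rel)), dst)
    return verify_restore(pccsrv, manifest)


def build_sample_pccsrv(root):
    """Construct a minimal fake PCCSRV tree for the demo (not real server data)."""
    files = {
        r"Ofcscan.ini": "[INI_SERVER_SECTION]\nCommand_Handler_Maxium_Thread_Number=80\n",
        r"Private\Ofcserver.ini": "[Server]\nUpdateSource=sample\n",
        r"Ous.ini": "[OUS]\nSample=1\n",
        r"Private\PFW\profile1.dat": "firewall profile (constructed)\n",
        r"Private\SortingRuleStore\SortingRule.xml": "<rules/>\n",
        r"Private\AuthorStore\admin.xml": "<user/>\n",
        r"Private\vdi.ini": "[VDI]\nEnable=0\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, _to_native(rel))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return len(files)


def run_demo():
    """Back up the fake tree, verify, damage it, verify again, restore, verify once more."""
    with tempfile.TemporaryDirectory() as tmp:
        pccsrv, dest = os.path.join(tmp, "PCCSRV"), os.path.join(tmp, "backup")
        build_sample_pccsrv(pccsrv)
        manifest = backup_config(pccsrv, dest)
        clean = verify_restore(pccsrv, manifest)
        with open(os.path.join(pccsrv, "Ofcscan.ini"), "a") as f:  # simulate a damaged file
            f.write("Tampered=1\n")
        os.remove(os.path.join(pccsrv, "Ous.ini"))                  # and a lost one
        damaged = verify_restore(pccsrv, manifest)
        after_restore = restore_config(dest, pccsrv)
        return len(manifest), clean, sorted(damaged), after_restore
```

On a real server, call backup_config with the PCCSRV path and a destination on separate storage, and keep the manifest with the backup: verify_restore after a rebuild is what tells you the configuration is identical to what was backed up, not merely present.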

4.3 > OfficeScan Agent Configuration Settings

Saving the Agent Configuration Settings

Log on to the OfficeScan management console.

Go to Networked Computers | Agent Management.

To save the global domain settings, highlight the OfficeScan server domain; to save only a domain-level setting, highlight just that subdomain; to save only a specific agent's settings, highlight that agent.

Once highlighted, select Settings | Export Settings.

Click the Export button and save the file.

Restoring the Agent Configuration Settings

Log on to the OfficeScan management console.

Go to Networked Computers | Agent Management.

To restore the global domain settings, highlight the OfficeScan server domain; to restore only a domain-level setting, highlight just that subdomain; to restore only a specific agent's settings, highlight that agent.

Once highlighted, select Settings | Import Settings.

Browse to the DAT file saved previously, then click the Import button.

Tick Apply to all Domains or Apply to all computers belonging to the selected domain(s).

Click the Apply to Target button.


Chapter 5: Behavior Monitoring

Trend Micro™ OfficeScan™ protects enterprise networks from malware, network viruses, Web-based threats, spyware, and mixed threat attacks. Behavior Monitoring and Device Control are among the OfficeScan features that proactively aim to prevent malware attacks.

This chapter aims to increase knowledge about Behavior Monitoring and Device Control and help readers avoid potential issues during deployment.

5.1 > Behavior Monitoring Overview

Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating system or installed software. It is composed of the following sub-features:

Malware Behavior Blocking

Event Monitoring

5.1.1 Malware Behavior Blocking

Malware Behavior Blocking provides a necessary layer of additional threat protection from programs that exhibit malicious behavior. It observes system events over a period of time and as programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.

Figure 1-1: Malware Behavior Blocking setting

A new option, Known and potential threats, provides a more aggressive scan mode with a higher detection rate.

In this mode the agent queries DCE (the product calls DCE to perform a memory scan and decide the scan action) and Census (the product queries the Census backend server, which returns the action).

Registry location on an agent

Path: \PC-cillinNTCorp\CurrentVersion\AEGIS

Key: EnableTDC (value 1 = Aggressive, 0 = Normal)

DCE detections are logged with log type Virus/Malware; Census detections are logged with log type Behavior Monitoring.

5.1.2 Event Monitoring

Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It uses a policy-based approach where system areas are monitored for certain changes, allowing administrators to regulate programs that cause such changes.

If attempts to change the system are made, Event Monitoring will:

Refer to the Event Monitoring policies and perform the configured action.

Notify the user or administrator

Use Event Monitoring if you have specific system protection requirements that go beyond what Malware Behavior Blocking provides.

Figure 1-2: Event Monitoring setting


Administrators can choose to perform one of the following actions to respond to monitored events:

Assess: Always allow processes associated with an event but record this action in the logs for assessment

NOTE: Use this option during initial deployment to assess the impact of enabling Behavior Monitoring features.

Allow: Always allow processes associated with an event

Ask When Necessary: Prompts users to allow or deny processes that may have violated Behavior Monitoring policies. If selected, a prompt asking users to allow or deny the process and add to the Allowed Programs or Blocked Programs appears. If users do not respond within the time period specified in the Behavior Monitoring settings screen, OfficeScan automatically allows the process to continue.

Deny: Always block processes associated with an event and record this action in the logs

Here is a sample log entry recorded when a process triggered the "Shell Modification" event:

2012/2/12 12:31 ComputerName Shell Modification Assess Process Low C:\kh\notes\nlnotes.exe Create HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

NOTE: While testing the function, do not modify the hosts file with notepad.exe: notepad.exe is on the AEGIS white list, so modifying the hosts file with it triggers nothing.
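To turn log entries like the one above into an assessment, here is an added example (not from the guide) in Python that parses Behavior Monitoring log lines into fields, summarises actions per process, picks out Assess-mode events that touched sensitive targets (proxy settings, the hosts file, Run keys), and lists noisy processes as candidates for the exception list that section 5.1.3 asks you to build before deployment. It assumes the exported log is tab-separated with the column order of the sample entry (date, time, computer, event, action, target type, risk level, process, operation, target); the lines in the script are constructed for the example, only the first being the guide's own.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Column order taken from the sample entry; tab separation is an assumption about the export format.
COLUMNS = ["date", "time", "computer", "event", "action", "target_type",
           "risk", "process", "operation", "target"]

# Targets whose modification under Assess deserves a Deny policy in production.
SENSITIVE_TARGETS = (
    r"\Internet Settings\ProxyServer",
    r"\drivers\etc\hosts",
    r"\CurrentVersion\Run",
)


@dataclass
class BMEvent:
    date: str
    time: str
    computer: str
    event: str
    action: str
    target_type: str
    risk: str
    process: str
    operation: str
    target: str


def parse_line(line):
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} tab-separated fields, got {len(parts)}")
    return BMEvent(**dict(zip(COLUMNS, parts)))


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def actions_per_process(events):
    """{process: Counter(action -> count)}: what each program did and under which policy action."""
    table = defaultdict(Counter)
    for e in events:
        table[e.process][e.action] += 1
    return table


def sensitive_assessed(events):
    """Assess-mode events that hit a sensitive target: review these before switching Assess to Deny."""
    return [e for e in events
            if e.action == "Assess"
            and any(s.lower() in e.target.lower() for s in SENSITIVE_TARGETS)]


def exception_candidates(events, threshold=5):
    """Processes with at least `threshold` Assess events and no sensitive hits: likely
    system-intensive business applications to consider for the Behavior Monitoring exception list."""
    noisy = Counter(e.process for e in events if e.action == "Assess")
    flagged = {e.process for e in sensitive_assessed(events)}
    return sorted(p for p, n in noisy.items() if n >= threshold and p not in flagged)


# Constructed sample log: the first row is the guide's entry, the rest are made up for the demo.
_ROWS = [
    ("2012/2/12", "12:31", "ComputerName", "Shell Modification", "Assess", "Process", "Low",
     r"C:\kh\notes\nlnotes.exe", "Create",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"),
    ("2012/2/12", "12:32", "ComputerName", "Hosts File Modification", "Assess", "Process", "Medium",
     r"C:\Temp\updater.exe", "Modify", r"C:\Windows\System32\drivers\etc\hosts"),
    ("2012/2/12", "12:33", "ComputerName", "New Startup Program", "Deny", "Process", "High",
     r"C:\Users\Public\dropper.exe", "Create",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
] + [
    ("2012/2/12", f"12:{40 + i}", "ComputerName", "System File Modification", "Assess", "Process",
     "Low", r"C:\Program Files\ERP\erp.exe", "Modify", rf"C:\Windows\System32\erp{i}.dll")
    for i in range(5)
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS) + "\n"

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for proc, counts in actions_per_process(evts).items():
        print(proc, dict(counts))
    for e in sensitive_assessed(evts):
        print("REVIEW:", e.process, e.operation, e.target)
    print("exception candidates:", exception_candidates(evts))
```

The split between sensitive_assessed and exception_candidates is the point: a pilot run in Assess mode produces both legitimate noise (the ERP process writing many files) and the events you actually want denied, and only the former belongs on the exception list.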


5.1.3 Enabling Behavior Monitoring

NOTE: Since Malware Behavior Blocking is enabled by default, Trend Micro strongly recommends identifying system-intensive applications and adding them to the exception list before deploying OfficeScan. For more information, see How Behavior Monitoring and Device Control Can Affect Performance.

Behavior Monitoring works only when both of the following are enabled:

Settings > Behavior Monitoring Settings > Enable Malware Behavior Blocking or Enable Event Monitoring

Additional Services > Enable Unauthorized Change Prevention Service

Two steps to enable Malware Behavior Blocking:

Path: Agent > Agent Management > Settings > Behavior Monitoring Settings

To enable Malware Behavior Blocking or Event Monitoring, select the following options:

Enable Malware Behavior Blocking for known and potential threats (workstation default: on; server default: off)

Known threats: the default option, as provided by previous OfficeScan versions

Known and potential threats: a more aggressive scan mode

Enable Event Monitoring (workstation default: on; server default: off)

Behavior Monitoring settings can be applied to specific entities in the client tree or all entities (root). If you are applying settings to the root, you need to select one of the following options:

Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain (domains not yet created during configuration).

Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.

Path: Agent > Agent Management > Settings > Additional Services Settings

Tick the option “Enable service on the following operating systems” under the section “Unauthorized Change Prevention Service”

Note: To help ensure that this feature does not interfere with critical applications, OfficeScan leaves this feature disabled on server platforms, even when it is enabled through the console.

To enable this feature on a server computer, select an individual server and go to Agent > Agent Management > Settings > Additional Services Settings. For instructions, see the Administrator’s Guide.


Figure 10: Caption goes here.

NOTE: Before deploying Malware Behavior Blocking, Trend Micro recommends running a pilot deployment. See Deploying Behavior Monitoring and Device Control for more information.

5.2 > OfficeScan Agent Self-protection

In OfficeScan 11, AEGIS adds an enhancement called Light-weight Solution that covers the agent's own self-protection: its services, processes and registry keys.

Platform   Previous OSCE   OSCE 11
Server     Disabled        Enabled
Desktop    Enabled         Enabled

In OSCE 11 the protection is enabled on servers by default.

Path: Agent > Agent Management > Settings > Privileges and Other Settings


Figure 11: Caption goes here.

5.3 > Device Control Overview

Device Control regulates access to external storage devices and network resources. Device Control helps prevent the propagation of malware on removable drives and network shares and, combined with file scanning, helps guard against security risks.

Figure 1-3: Device Control settings

Notification messages are displayed on the endpoints when device control violations occur. Administrators can modify the default notification message.


In OfficeScan 11, Device Control integrates the AEGIS feature and the DLP feature to control storage devices. AEGIS device control and DLP device control play different roles. For example, as Fig. 1-3 shows, different privileges can be set on USB storage devices: AEGIS device control handles the Modify, Read and execute, Read, and List device content only privileges, while the Block privilege is handled by DLP device control.

Fig.1-3 USB Permissions

DLP Device Control also supports one more device type, Mobile devices: smartphones and tablets, whether or not they connect through a sync application (for example iTunes or HTC Sync).

5.3.1 Using Device Control

Device Control supports several kinds of devices. This section uses a USB storage device as the example and describes how Device Control behaves in the following configurations:

Only AEGIS Device Control enabled

AEGIS and DLP Device Control enabled

Only DLP Device Control enabled

8.1 Manage your USB device by AEGIS Device Control

To enable this feature, enable the Unauthorized Change Prevention Service (web console -> [Agents] -> [Agent Management] -> [Settings] -> [Additional Service Settings] -> [Unauthorized Change Prevention Service]) and Device Control ([Settings] -> [Device Control Settings]) for the OfficeScan agent.

When the DLP module is not activated, OfficeScan regulates USB storage devices only. This is what Device Control can do with a USB device:

Selecting "Block the AutoRun function on USB storage devices" makes OfficeScan prohibit AutoRun on USB storage: the device's Autorun.inf is not run, so the content of the storage is not launched automatically when it is inserted. Some malware uses autorun.inf to infect the system.

Select the permission for accessing USB storage devices. Without Data Protection, Device Control offers five access permissions: Full access, Modify, Read and execute, Read, and List device content only, as Fig 8-1 shows.

Fig 8-1 Permission list

Chart 1 Device Control Permissions

Full access
  Files on the device: Copy, Move, Open, Save, Delete, Execute permitted.
  Incoming files: Save, Move, Copy permitted (a file can be saved, moved and copied to the device).

Modify
  Files on the device: Copy, Move, Open, Save, Delete permitted; Execute prohibited.
  Incoming files: Save, Move, Copy permitted.

Read and execute
  Files on the device: Copy, Open, Execute permitted; Save, Move, Delete prohibited.
  Incoming files: Save, Move, Copy prohibited.

Read
  Files on the device: Copy, Open permitted; Save, Move, Delete, Execute prohibited.
  Incoming files: Save, Move, Copy prohibited.

List device content only
  Files on the device: all operations prohibited. The device and the files it contains are visible to the user (for example, from Windows Explorer).
  Incoming files: Save, Move, Copy prohibited.

*For details about the behaviour of each permission, refer to the online help topic [Permissions for storage devices].

Use the Program List to exempt specified programs and digital signature providers from the selected permission.

Add local programs and programs on storage devices to "Programs with read and write access to storage devices" to give them read and write access. For details on this function and on how to add a file path, refer to [Advanced Permissions for Storage Devices Parent topic] and [Specifying a Program Path and Name] in the online help.

>> For example, adding "c:\windows\system32\notepad.exe" to the "Programs with read and write access to storage devices" list lets users open and modify files on the device with Notepad, as Fig 8-2 shows.

Fig 8-2

Add programs on storage devices to "Programs on storage devices that are allowed to execute" so that users or the system can execute them. For details on this function and on how to add a file path and digital signature provider, refer to [Advanced Permissions for Storage Devices Parent topic], [Specifying a Program Path and Name] and [Specifying a Digital Signature Provider] in the online help.

>> Fig 8-3 shows an example.


Fig 8-3

NOTE: The antivirus feature in OfficeScan complements Device Control. For example, if Device Control allows a file to open from a regulated device but OfficeScan detects that the file is infected, a scan action will still be performed on the file to eliminate the malware.

Select whether to display a notification message on the client computer when OfficeScan detects unauthorized device access.

If you selected domain(s) or client(s) in the client tree, click Save to apply the settings to those domain(s) or client(s). If you selected the root icon, choose from the following options:

Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.

Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.

8.2 Manage USB devices by Device Control with the Data Protection plug-in activated

To enable this feature, install the OfficeScan Data Protection plug-in (web console -> [Plug-ins]) and activate it, then enable the Unauthorized Change Prevention Service (web console -> [Agents] -> [Agent Management] -> [Settings] -> [Additional Service Settings] -> [Unauthorized Change Prevention Service]) and Device Control ([Settings] -> [Device Control Settings]) for the OfficeScan agent.

The Device Control Settings UI then differs from the one described in 8.1.

The Block permission is provided and enforced by iDLP. This section focuses on the functions iDLP adds to Device Control Settings for USB devices.

Chart 2 Block permission

Block (available after installing Data Protection)
  Files on the device: all operations prohibited. The device and the files it contains are not visible to the user (for example, from Windows Explorer).
  Incoming files: Save, Move, Copy prohibited.


With Data Protection (iDLP) installed, OfficeScan offers more control over USB access. In addition to the existing Device Control functions, iDLP adds the following items.

Allow or block access to mobile devices. iDLP adds a control item for smartphones and tablets so that it can block access when a smartphone or tablet is connected, whether or not a sync app is used.

Fig 8-4 Mobile devices setting

Chart 3 Mobile operating systems and sync applications

Android, iOS: iTunes, HTC Sync, HTC Sync Manager, Samsung Kies, 豌豆荚 (Wandoujia), HiSuite, 91Mobile

Windows Phone: Windows Phone (desktop), Windows Phone (Metro), Nokia PC Suite, Zune

BlackBerry: BlackBerry Device Manager

Symbian OS: (no sync application listed)

>> For the detailed list of supported mobile devices, open the [Device Control Settings] console and click [Supported Device Models] -> [Data Protection Lists]. Fig 8-5 shows a mobile device being blocked.

Fig 8-5 Mobile device is blocked

Allow or block access to the non-storage devices listed in the UI. For the detailed device list, open the [Device Control Settings] UI and click [Supported Device Models] -> [Data Protection Lists].


Chart 4 iDLP for non-storage devices

Device type: Non-storage devices. Permission for each device description: Block/Allow

COM and LPT ports
IEEE 1394 interface
Imaging devices
Infrared devices
Modems
PCMCIA card
Print screen key
Bluetooth adapter
Wireless NICs

Permissions for USB storage devices: iDLP adds a Block permission to the permission list of USB storage devices, as Fig 8-6 shows.

Fig 8-6 Permissions of USB storage devices


However, two permissions in this list (shown in Fig 8-6), Read and Block, are controlled by iDLP.

>> Because iDLP controls these two permissions, users can add a whitelist to them:

Select the Read permission and click "Advanced permissions and notifications" on its right, as Fig 8-7 shows.

Fig 8-7

This provides a way to add a specific device to the iDLP whitelist by its vendor, model and serial ID, which can be obtained from the system's Device Manager (Fig 8-8).

*If a device is on the whitelist, all access to that device is allowed.

The settings on this page are all controlled by iDLP.


Fig 8-8

* Trend Micro also provides a tool, listDeviceInfo.exe, that lists these three parameters for a USB storage device. It is located on the server at ..\pccsrv\admin\utility\listdeviceinfo.exe.

listdeviceinfo.exe shows the device information in a pop-up web page, as Fig 8-10 shows.

Fig 8-10


* To add a specific device, the Vendor parameter is required on the page. If the system cannot read a device's vendor information, enter "*" in that field and fill in the other parameters that listDeviceInfo provides; the device can then still be added to the whitelist.

* For the [Program list] settings, refer to 8.1 and the online help; usage is the same as in section 8.1.

If you choose the Block permission, a specific USB storage device can also be added to the whitelist. Click "Approved devices" on the right (Fig 8-11); the page shown in Fig 8-12 appears.

Fig 8-11

Fig 8-12

You can change the permission granted to this device, and for every permission except Full access the Program lists function is also available for the device (click "Advanced permissions and notifications").

*This means the specified device is not blocked and has the access permission assigned to it.


Fig 8-13 set permission of the device in whitelist

Fig 8-14 advanced permissions and notifications
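Added example, not part of the guide: Python that derives vendor, model and serial from the Windows device instance ID of a USB mass-storage device (the USBSTOR\Disk&Ven_...&Prod_...&Rev_...\<serial> form Device Manager shows) and evaluates the device against an approved-device list with the "*" wildcard the text describes for an unreadable vendor. The wildcard handling is generalised to all three fields, which the guide only states for Vendor, and the device IDs are constructed for the demo. It also flags the failure mode that generalisation invites: an entry with "*" in the serial field approves every unit of that model, so approved-device entries should carry the full serial.

```python
import re
from dataclasses import dataclass

# Windows PnP instance ID of a USB mass-storage disk as shown in Device Manager, e.g.
# USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1234567890&0
# Vendor, product (model) and serial are the three values an approved-device entry needs.
_USBSTOR_ID = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<model>[^&\\]*)&Rev_[^\\]*"
    r"\\(?P<serial>[^&\\]+)(?:&\d+)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDevice:
    vendor: str
    model: str
    serial: str


@dataclass(frozen=True)
class ApprovedEntry:
    vendor: str  # "*" when the vendor string cannot be read, as the guide suggests
    model: str
    serial: str


def parse_instance_id(instance_id):
    """Return the UsbDevice for a USBSTOR instance ID, or None if it is not a USB disk ID."""
    m = _USBSTOR_ID.match(instance_id.strip())
    if not m:
        return None
    return UsbDevice(m["vendor"], m["model"], m["serial"])


def _field_matches(pattern, value):
    return pattern == "*" or pattern.strip().lower() == value.strip().lower()


def matches(entry, device):
    return (_field_matches(entry.vendor, device.vendor)
            and _field_matches(entry.model, device.model)
            and _field_matches(entry.serial, device.serial))


def is_approved(whitelist, device):
    """True when any approved-device entry matches; an approved device gets full access (per the guide)."""
    return any(matches(e, device) for e in whitelist)


def overbroad_entries(whitelist):
    """Entries without a concrete serial approve every unit of that model: flag them for review."""
    return [e for e in whitelist if e.serial == "*"]


if __name__ == "__main__":
    # Constructed approved-device list and device IDs for the demo.
    approved = [
        ApprovedEntry("Kingston", "DataTraveler_3.0", "0019E06B1234567890"),
        ApprovedEntry("*", "Generic_Flash", "ABCDEF01"),   # vendor string unreadable on this stick
        ApprovedEntry("SanDisk", "Cruzer", "*"),            # too broad: any Cruzer is approved
    ]
    for dev_id in (
        r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1234567890&0",
        r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\FFFFFFFFFFFFFFFFFF&0",
        r"USBSTOR\Disk&Ven_&Prod_Generic_Flash&Rev_1.00\ABCDEF01&0",
    ):
        dev = parse_instance_id(dev_id)
        print(dev, "approved" if is_approved(approved, dev) else "not approved")
    print("review these entries:", overbroad_entries(approved))
```

Keeping the match exact on serial is what makes the approved-device list a per-device control rather than a per-model one; a stick of the same model with a different serial is correctly left to the Block permission.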

8.3 Unauthorized Change Prevention Service disabled and Data Protection activated

As described in section 8.1, without the Data Protection plug-in (iDLP), disabling the Unauthorized Change Prevention Service (web console -> [Agents] -> [Agent Management] -> [Settings] -> [Additional Service Settings] -> [Unauthorized Change Prevention Service]) stops Device Control Settings from working at all. With iDLP, the behaviour is different.


When the Unauthorized Change Prevention Service is disabled and Device Control is enabled, only the iDLP functionality works.

Chart 5 lists the devices that are still controlled, that is, the additional iDLP functions described in section 8.2.

Chart 5 Settings that still work when only iDLP is enabled

Mobile devices (phones and tablets, with or without a sync app): Block/Allow

USB storage devices: Block/Allow/Read

Non-storage devices, each Block/Allow: COM and LPT ports, IEEE 1394 interface, Imaging devices, Infrared devices, Modems, PCMCIA card, Print screen key, Bluetooth adapter, Wireless NICs

* For USB storage devices, only three permissions in the selection list work: Full access, Read and Block.

> "Advanced permissions and notifications" for the [Read] permission works fully.


> "Approved devices" for the [Block] permission works only partly: users can add a specific device (vendor, model and serial ID) to the whitelist, but cannot assign it any permission other than Full access, because the other permissions are controlled by the [Unauthorized Change Prevention Service]. For the same reason, the "Program list" under "Advanced permissions and notifications" on this page does not work either.

8.4 Notification for USB access

If OfficeScan encounters a USB access violation and "Display a notification on endpoints when OfficeScan detects unauthorized device access" is checked, the OfficeScan agent pops up an alert for the access. Fig 8-15, 8-16 and 8-17 show the setting and the alert.

Fig 8-15

Fig 8-16


5.3.2 How Behavior Monitoring and Device Control Can Affect Performance

The Behavior Monitoring and Device Control features both use the Trend Micro Unauthorized Change Prevention Service (running as the process TMBMSRV.EXE). These features use TMBMSRV.EXE to monitor system events and check them against rules to determine whether certain application activities are unwanted.

TMBMSRV.EXE delivers highly beneficial behavior-based security functionality, particularly the capability to check applications for suspicious behavior (Behavior Monitoring) and control access to storage devices (Device Control). Its monitoring mechanism, however, can strain system resources, especially when the computer is running applications that cause numerous system events. To prevent impacting system performance, Trend Micro recommends configuring OfficeScan so that these “system-intensive” applications are not monitored by TMBMSRV.EXE.

5.3.3 Deploying Behavior Monitoring and Device Control

Running TMBMSRV.EXE and system-intensive applications on the same computer can affect system performance and disrupt critical applications. It is for this reason that a properly managed deployment of Behavior Monitoring and Device Control is recommended.

To ensure smooth deployment of OfficeScan with Behavior Monitoring and Device Control:

• Set up and deploy a pilot environment.

• Identify system-intensive applications.

• Add system-intensive applications to the Behavior Monitoring exception list.


Step 1: Preparing a Pilot Environment

Before performing a full-scale deployment, conduct a pilot deployment in a controlled environment. A pilot deployment provides an opportunity to determine how features work and, most importantly, how Behavior Monitoring and Device Control can affect your endpoints.

The pilot process should result in:

• A better understanding of the implications of deploying the new Behavior Monitoring and Device Control features.

• A better understanding of applications that may conflict with these features.

• A list of applications that can be added to the Behavior Monitoring exception list.

When setting up the pilot environment:

• Prepare an environment that matches the production environment as closely as possible.

• Ensure that the following are included in the pilot environment:

  • Business applications

  • Custom applications

  • All network applications used by groups or individuals (such as payroll, inventory, accounting, and database applications)

• Deploy the OfficeScan agents into the pilot environment with the features that you intend to enable. For example, Behavior Monitoring and Device Control may both be enabled.

• Allow the pilot environment to run for a reasonable amount of time (give sufficient “soak time”) with the standard applications running and with average daily use.

Step 2: Identifying System-Intensive Applications

Trend Micro provides a standalone performance tuning tool to help identify applications that could potentially cause a performance impact. The TMPerfTool tool, available from Trend Micro Technical Support, should be run on a standard workstation image and/or a few target workstations during the pilot process to preempt performance issues in the actual deployment of Behavior Monitoring and Device Control.

To identify system-intensive applications:

1. Unzip the TMPerfTool.zip file.

2. Place the TMPerfTool.exe file in the OfficeScan default installation folder (%ProgramDir%/Trend Micro/OfficeScan agent) or in the same folder as the TMBMCLI.dll file.

3. Double-click TMPerfTool.exe.

4. Click Analyze when the system or applications start to slow down. If a red highlighted row appears, TMPerfTool has found a system-intensive process.

5. Select the highlighted row and click Exclude.

6. After excluding the process, verify whether the system or application performance improves. If it improves, select the process row again and click Include. If the performance drops again, you have found a system-intensive application. Perform the following:

a. Note the name of the application.

b. Click Stop.

c. Click Report and save the .xml file in your specified folder.

7. Review the applications that have been identified as conflicting and add them to the Behavior Monitoring exception list.

Step 3: Adding System-Intensive Applications to the Behavior Monitoring Exception List

The Behavior Monitoring exception list is a user-configurable list of approved and blocked programs that are not monitored by Behavior Monitoring and Device Control. These features automatically allow approved programs to continue—approved programs are still checked by other OfficeScan features. Blocked programs are never allowed to run.

Trend Micro strongly recommends adding system-intensive applications to the Behavior Monitoring exception list to reduce the likelihood of performance issues. System-intensive applications can cause TMBMSRV.EXE (the service used by both Behavior Monitoring and Device Control) to consume very high amounts of CPU resources and disrupt critical applications.

Figure 1-4: Adding programs to the exception list

To add programs to the exception list:


Path: Agents > Agent Management > Settings > Behavior Monitoring Settings

1. Type the full path of the program under Exceptions.

NOTE: Separate multiple entries with semicolons (;). The exception list supports wildcards and UNC paths.

2. Click Approved Programs or Blocked Programs.

NOTE: All exceptions apply to both Behavior Monitoring and Device Control. Add only verified programs to the Approved Programs list to ensure network security.

3. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:

• Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.

• Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
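As an added illustration (not Trend Micro code), the following Python checks which entries of a semicolon-separated exception list would exempt a given program path from monitoring, and flags entries broad enough to exempt unverified programs. It assumes glob-style `*`/`?` wildcards and case-insensitive matching, since the page does not state OfficeScan's exact matching rules; the sample list is constructed.

```python
import fnmatch
import ntpath  # Windows path rules (case-insensitive, backslash separators) on any host OS

# Assumed semantics (not stated on the page): entries are separated by ";",
# "*" and "?" are glob wildcards, matching is case-insensitive, and UNC paths
# (\\server\share\...) are accepted like local paths.


def parse_exception_list(raw: str) -> list:
    """Split the console's Exceptions field on semicolons, dropping blanks."""
    return [entry.strip() for entry in raw.split(";") if entry.strip()]


def normalize(path: str) -> str:
    """Lower-case and convert forward slashes to backslashes, as Windows would."""
    return ntpath.normcase(path)


def entry_matches(entry: str, program_path: str) -> bool:
    """True when the program path falls under one exception entry."""
    return fnmatch.fnmatchcase(normalize(program_path), normalize(entry))


def matching_entries(raw: str, program_path: str) -> list:
    """All entries of the configured list that would exempt this program."""
    return [e for e in parse_exception_list(raw) if entry_matches(e, program_path)]


def is_overbroad(entry: str) -> bool:
    """Flag entries that exempt far more than one verified program: no concrete
    directory (e.g. '*.exe' or '*\\payroll.exe') or a bare '*' file name
    (e.g. 'C:\\Apps\\*', which covers every file in every subfolder)."""
    head, tail = ntpath.split(normalize(entry))
    concrete_dir = head.strip("\\/*?") != ""
    return not concrete_dir or tail in ("", "*", "*.*")


def audit_exception_list(raw: str) -> list:
    """Return the entries an administrator should re-verify before approving."""
    return [e for e in parse_exception_list(raw) if is_overbroad(e)]


# Constructed sample list: a local program, a UNC share pattern and a broad folder wildcard.
SAMPLE_LIST = (
    r"C:\Program Files\Payroll\payroll.exe; "
    r"\\fileserver\apps\inventory\*.exe;"
    r"C:\Apps\*"
)

if __name__ == "__main__":
    for path in (r"c:\program files\payroll\PAYROLL.EXE",
                 r"\\FILESERVER\apps\inventory\inv.exe",
                 r"C:\Apps\tools\nested\anything.exe",
                 r"C:\Users\bob\Downloads\payroll.exe"):
        print(path, "->", matching_entries(SAMPLE_LIST, path) or "monitored")
    print("re-verify:", audit_exception_list(SAMPLE_LIST))
```

Note that a trailing `*` matches across folder separators, so `C:\Apps\*` exempts every executable placed anywhere under that folder, which is why the audit flags it.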

5.4 > Alternative Ways to Prevent Performance Impact

To prevent TMBMSRV.EXE from affecting performance, you can disable the service itself or disable both Behavior Monitoring and Device Control.

WARNING! Disabling the Behavior Monitoring, Device Control, and other features may put your network at risk from new and suspicious attacks. Perform these actions only as a last resort.

You can disable Behavior Monitoring and Device Control from the Web console or from the registry.

5.4.1 Disabling Features from the Web Console

Behavior Monitoring

Path: Agents > Agent Management > Settings > Behavior Monitoring Settings

To disable Behavior Monitoring, deselect the following options:

• Enable Malware Behavior Blocking for known and potential threats

• Enable Event Monitoring

If you selected domain(s) or client(s) on the client tree, click Save to apply settings to those domain(s) or client(s). If you selected the root icon, choose from the following options:


• Apply to All Clients

• Apply to Future Domains Only

Device Control

Path: Agents > Agent Management > Settings > Device Control

To disable Device Control, deselect Enable Device Control.

If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:

• Apply to All Clients

• Apply to Future Domains Only

5.4.2 Stopping the Service

Disable Behavior Monitoring and Device Control by stopping the Trend Micro Unauthorized Change Prevention Service (TMBMSRV.EXE). Perform this task directly on each endpoint.

NOTE: Starting and stopping services directly overrides settings on the console. However, these changes will not take effect if the Client Self-Protection feature is enabled. Disable Client Self-Protection (from the OSCE server console) before starting or stopping OfficeScan services.

To stop the service:

1. Open the Services console. Click Start > Run. Type SERVICES.MSC and click Open.

2. In the Services console, stop the Trend Micro Unauthorized Change Prevention Service.

Chapter 6: Data Loss Prevention

6.1 > Pre-Deployment

6.1.1 Deploying and Testing Agents

DLP agents should be deployed without any policies enabled. Test policies thoroughly before pushing them out to the production environment. Poorly configured or untested policies may disrupt the daily work routine and may end up with endpoints flooding the OfficeScan server with large numbers of false positives.

6.1.2 Calculating Disk Space

To determine the amount of disk space needed for the server, you must decide whether there is a need to capture the files when a policy violation occurs. The files captured during the violation are referred to as “forensic data”. Capturing forensic data lets you identify quickly why the alert occurred and whether it was a false positive. While the forensic data function is helpful when tuning policies, you can still gather this information by reviewing the alerts, which contain the path to the file that triggered them.

Default iDLP log purge time table:

| | | OfficeScan agent | OfficeScan server | Control Manager server |
|---|---|---|---|---|
| Time for purge | Default setting | 180 days | 180 days | 90 days |
| | Allow user to modify the setting | Yes | Yes | |
| | Max number in configuration | 36500 days | 360 days | |
| Purge log depends on size | Default setting | 1000 logs | | |
| | Allow user to modify the setting | Yes | Yes | |
| | Max number in configuration | 900000 logs | | |

Default locations of Logs and Forensic Data:

| | OfficeScan agent | OfficeScan server | Control Manager server |
|---|---|---|---|
| Violation Log | DLPViolationLog.db | dbDlpLog | Control Manager database |
| Forensic Data | <OfficeScan agent folder>\dlplite\forensic\ | \\<Server>\ofcscan\Private\DLPForensicData\ | Will download from the OSCE server |

6.2 > Deployment

DLP installation and activation are performed from Plug-in Manager. Here are the steps:

NOTE: You do not need to install the Data Protection module if the standalone Trend Micro Data Loss Prevention software is already installed and running on endpoints.

The Data Protection module can be installed on a pure IPv6 Plug-in Manager. However, only the Device Control feature can be deployed to pure IPv6 agents. The Data Loss Prevention feature does not work on pure IPv6 agents.

1. Download DLP package

On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Download.


Note:

The size of the file to be downloaded displays beside the Download button. Plug-in Manager stores the downloaded file to <Server installation folder>\PCCSRV\Download\Product.

If Plug-in Manager is unable to download the file, it automatically re-downloads after 24 hours. To manually trigger Plug-in Manager to download the file, restart the OfficeScan Plug-in Manager service from the Microsoft Management Console.

2. After the download completes, click Install Now, or choose to install at a later time.

3. Activate the OfficeScan Data Protection license right after installation.

On the Plug-in Manager screen, go to the plug-in program section and click Manage Program. The Product License New Activation Code screen appears.


4. Deployment of Data Protection to OfficeScan Agents

By default, the module is disabled on Windows Server 2003, Windows Server 2008, and Windows Server 2012 to prevent impacting the performance of the host machine.

Data Protection now supports x64 environments.

Online agents install the Data Protection module immediately. Offline and roaming agents install the module when they become online.

Users must restart their computers to finish installing Data Loss Prevention drivers. Inform users about the restart ahead of time.

Procedure

a. Go to Agents > Agent Management > select a domain or a specified agent > Settings.


Deploy the module in two different ways:

• Click Settings > DLP Settings.

• Click Settings > Device Control Settings.

Note:

If you deploy from Settings > DLP Settings and the Data Protection module is deployed successfully, Data Loss Prevention drivers will be installed. If the drivers are installed successfully, a message displays, informing users to restart their endpoints to finish installing the drivers.

b. A message displays, indicating the number of agents that have not installed the module. Click “Yes” to start the deployment.

OfficeScan agents start to download the module from the server.


5. How to check if OfficeScan Data Protection is installed successfully:

1. In the agent tree, select a domain or an agent, check the Data Protection Status column. The deployment status should be "Running".

2. On the OSCE client, open CMD with administrator privileges and run the command "sc query dsasvc"; the STATE should be "Running".

6.3 > Deploying a DLPlite template and policy

6.3.1 Define a DLPlite template

A. Configure data identifiers first, then define your own templates, because templates are built from data identifiers.

Path: Agents -> Agent Management -> select the targets -> Settings -> DLP settings

Data identifiers include Expression, File Attribute, and Keyword:

• Expressions are predefined regular expressions, such as Credit Card Number.

• File Attributes include File Type and File Size. For File Type, you can use true file type recognition or define an extension; for File Size, the maximum supported is 2 GB and the minimum must be over 0 bytes.

• Keywords can be added or imported; refer to "Importing a Keyword List" in the Help document for how to import keywords.


B. Define a template after defining a data identifier

Note: OfficeScan supports importing and exporting templates; refer to the Help document for details.

Path: Agents -> Agent Management -> select the targets -> Settings -> DLP settings -> Templates -> Add -> Add Template

Or: Agents -> Data Loss Prevention -> DLP Templates -> Add

Choose a data identifier defined in step A (Expression, File Attribute, or Keyword) or a predefined data identifier, and set the Operator (And, Or, or Except) to define the relationship between them.

Note: Pay attention to the priority of the statement; refer to the section "Condition Statements and Logical Operators" in the Help document, and also to the Preview of the statement on the console.

6.3.2 Define and then deploy DLP policy

• A DLP policy is based on the templates defined in the previous section.

Path: Agents -> Agent Management -> select the targets -> Settings -> DLP settings -> Policies

Take the following actions: add a policy, select your template, and choose the channel.

Note: Some channels support exceptions. Also pay attention to the "Transmission Scope" section under "Network Channels": the options are PC boundary and LAN boundary.

Define an action for the policy.

To deploy a policy, enable it first, then click the button "Save and Apply the settings to Agents".

Policy block/pass logic:

A target may meet the conditions of multiple policies. During the scan, if any matching policy has the “Block” action defined, the target is blocked even if it also meets other policies with the Pass action defined.

Policy “Additional Action”:

Each defined policy has its own “Additional Action” applied by the administrator. If a target document meets the criteria of “n” policies, all “n” respective “Additional Actions” are applied to the target.
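The block/pass and Additional Action rules above, worked through in Python as an added example (not OfficeScan code): data identifiers combine into templates with And/Or/Except, and the policies built on those templates are evaluated for one document on one channel. The condition statement is evaluated left to right, and the card-number expression is a constructed stand-in for the product's predefined one; both are assumptions, as are the sample documents.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Assumed simplifications (not stated on the page): a template's condition statement is
# evaluated strictly left to right, channels are plain strings, and the "Credit Card
# Number" expression below is a constructed stand-in for the predefined identifier.


@dataclass
class Document:
    name: str        # file name, used by the File Attribute identifier
    text: str        # extracted content, used by Expression and Keyword identifiers
    size_bytes: int


Identifier = Callable[[Document], bool]


def expression(pattern: str) -> Identifier:
    """Expression identifier: a regular expression matched against the content."""
    regex = re.compile(pattern)
    return lambda doc: regex.search(doc.text) is not None


def keyword(words: List[str]) -> Identifier:
    """Keyword identifier: any listed keyword present, case-insensitive."""
    lowered = [w.lower() for w in words]
    return lambda doc: any(w in doc.text.lower() for w in lowered)


def file_attribute(extensions: Optional[Set[str]] = None,
                   max_size: Optional[int] = None) -> Identifier:
    """File Attribute identifier: extension and/or size (page: min > 0 bytes, max 2 GB)."""
    def check(doc: Document) -> bool:
        ok = True
        if extensions is not None:
            ok = ok and doc.name.rsplit(".", 1)[-1].lower() in extensions
        if max_size is not None:
            ok = ok and 0 < doc.size_bytes <= max_size
        return ok
    return check


def template(first: Identifier, *clauses: Tuple[str, Identifier]) -> Identifier:
    """Template: identifiers chained with the And / Or / Except operators."""
    def check(doc: Document) -> bool:
        result = first(doc)
        for operator, ident in clauses:
            hit = ident(doc)
            if operator == "And":
                result = result and hit
            elif operator == "Or":
                result = result or hit
            elif operator == "Except":
                result = result and not hit
            else:
                raise ValueError(f"unknown operator {operator!r}")
        return result
    return check


@dataclass
class Policy:
    name: str
    templates: List[Identifier]
    channels: Set[str]
    action: str                      # "Pass" or "Block"
    additional_actions: Set[str] = field(default_factory=set)


def evaluate(policies: List[Policy], doc: Document, channel: str):
    """Page rules: one Block among the matching policies blocks the transfer, and the
    additional actions of every matching policy are applied together."""
    matched = [p for p in policies
               if channel in p.channels and any(t(doc) for t in p.templates)]
    action = "Block" if any(p.action == "Block" for p in matched) else "Pass"
    extra: Set[str] = set()
    for p in matched:
        extra |= p.additional_actions
    return action, extra, [p.name for p in matched]


# Constructed templates and policies for the demonstration.
CARD_NUMBER = template(expression(r"\b(?:\d[ -]?){15}\d\b"))
INTERNAL_DOC = template(keyword(["confidential"]),
                        ("And", file_attribute({"doc", "docx"}, 2 * 1024 ** 3)),
                        ("Except", keyword(["public"])))

POLICIES = [
    Policy("Card data", [CARD_NUMBER], {"USB", "Email"}, "Block",
           {"Record data", "Notify user"}),
    Policy("Internal documents", [INTERNAL_DOC], {"USB"}, "Pass", {"Record data"}),
]

if __name__ == "__main__":
    doc = Document("report.docx", "Confidential: customer card 4111 1111 1111 1111", 2048)
    print(evaluate(POLICIES, doc, "USB"))      # Block: both policies matched
    print(evaluate(POLICIES, doc, "Printer"))  # Pass: no policy covers this channel
```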

6.4 > Investigate and restore forensic data

To investigate the forensic data blocked by OfficeScan, a Control Manager 6.0 server is required. Only users who have the appropriate permission on the Control Manager server have access to forensic data.

Setup


Follow the Control Manager administration guide to set up a Control Manager server if there is no Control Manager server available in your environment.

Register OfficeScan 11 to the Control Manager server via Administration → Settings → Control Manager. A successful OfficeScan registration shows a page similar to the following:

1. In Control Manager, go to Directory → Products and expand Local Folder → New Entity; the registered OfficeScan server should be displayed under the product tree:

2. Allow OfficeScan to record forensic data:

a. Follow the OfficeScan online help section [Creating a Data Loss Prevention Policy] to create a DLP policy.

b. On the Action tab, make sure [Record data] is checked.

Check forensic data

1. Assign users who will have access to DLP data by enabling [Monitor, review, and investigate DLP incidents triggered by all users]:


In Active Directory, you can refer to the following to create user accounts:

http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack-1/dlp_investigation_abt/dlp_inv_admin_tasks/dlp_roles_abt.aspx

2. Log on with an account that has the DLP review permission created in Step 1.

3. Forensic data on the OfficeScan server is encrypted and placed in the following folder:

..\PCCSRV\Private\DLPForensicData

4. The forensic data is uploaded to the [DLP Incident Investigation] tab on the Control Manager Dashboard.

5. A number of widgets show the count of incidents detected; clicking the number leads you to the details:


6. Click [Edit] on the [Incident Information] popup you want to investigate.

7. You can then view the details of the incident and download the blocked file:

8. Clicking the Incident Information link directs you to the detailed logs of the incident.


Chapter 7: Miscellaneous

7.1 > Product Communication Ports

| # | Name | Port Number | Protocol | Traffic Direction | Description |
|---|---|---|---|---|---|
| 1 | Server Port | Configurable in the ofcscan.ini Master_DomainPort parameter. Default value is 8080. | HTTP | Agent to OSCE Server | The IIS / Apache web server listening port for the OfficeScan virtual directory. This is where agents download pattern file updates and upload logs, quarantined files and status information. The virtual directory port setting must be consistent with the ofcscan.ini Master_DomainPort parameter. |
| 2 | Agent Port | Configurable during installation. Stored in the ofcscan.ini Client_LocalServer_Port parameter. | HTTP | OSCE Server to Agent | OfficeScan agent listening port where CGI commands such as update notifications and configuration changes are received from the OSCE server. |
| 3 | Agent Port (Update Agent) | Configurable during installation. Stored in the ofcscan.ini Client_LocalServer_Port parameter. | HTTP | Agent to Update Agent | Update Agent hosts also use the Agent Port to reply to download requests for scan engine and pattern file updates pulled by peer OSCE agents. |
| 4 | Control Manager Agent (MCP Agent) | 80, 8080, 443 | HTTP/HTTPS | Bidirectional between OfficeScan Server and Control Manager | Used for update notifications from Control Manager as well as for sending status/virus events from the OfficeScan Server back to Control Manager. |
| 5 | Integrated Smart Protection Server | 8080, 4343 | HTTP/HTTPS | Bidirectional | Integrated Smart Protection Server ports on IIS. The scan server uses this port to receive queries from OfficeScan agents as part of cloud technology. When using the OfficeScan virtual site, the scan server uses port 8080 if the OfficeScan management console uses HTTP; if HTTPS is used, the scan server uses 4343. |
| 6 | Integrated Smart Protection Server | 8082, 4345 | HTTP/HTTPS | Bidirectional | Integrated Smart Protection Server ports on Apache. The scan server uses this port to receive queries from OfficeScan agents as part of cloud technology. |
| 7 | Integrated Web Reputation Service | 8080 | HTTP | Bidirectional | Integrated Web Reputation Service port on IIS. The local Web Reputation Service uses this port to receive queries from OfficeScan agents as part of cloud technology. |

7.2 > IPv6 for OfficeScan

7.2.1 IPv6 Support for OfficeScan Server and Agents

IPv6 support for OfficeScan starts in this version. Earlier OfficeScan versions do not support IPv6 addressing. IPv6 support is automatically enabled after installing or upgrading the OfficeScan server and agents that satisfy the IPv6 requirements.

7.2.2 OfficeScan Server Requirements

The IPv6 requirements for the OfficeScan server are as follows:

The server must be installed on Windows Server 2008 or higher. It cannot be installed on Windows Server 2003 because this operating system only supports IPv6 addressing partially.

The server must use an IIS web server. Apache web server does not support IPv6 addressing.

If the server will manage IPv4 and IPv6 agents, it must have both IPv4 and IPv6 addresses and must be identified by its host name. If a server is identified by its IPv4 address, IPv6 agents cannot connect to the server. The same issue occurs if pure IPv4 agents connect to a server identified by its IPv6 address.

If the server will manage only IPv6 agents, the minimum requirement is an IPv6 address. The server can be identified by its host name or IPv6 address. When the server is identified by its host name, it is preferable to use its Fully Qualified Domain Name (FQDN). This is because in a pure IPv6 environment, a WINS server cannot translate a host name to its corresponding IPv6 address.

NOTE: The FQDN can only be specified when performing a local installation of the server. It is not supported on remote installations.

7.2.3 OfficeScan Agent Requirements

The agent must be installed on:

• Windows 7

• Windows 8(.1)

• Windows Server 2008 (R2)

• Windows Server 2012 (R2)

• Windows Vista

It cannot be installed on Windows Server 2003 and Windows XP because these operating systems only partially support IPv6 addressing.

7.3 > Update Architecture and Network Usage

7.3.1 The Update Process

OfficeScan Server

The process starts with the OfficeScan server downloading update packages. The server can be configured to get updates from several locations:

• Trend Micro’s Active Update Server (Internet) – Default method. It uses standard HTTP GET requests to download update packages from the Internet. This only requires the HTTP port (80) to be open from the OfficeScan server to the Internet. Updates can be triggered manually or on a scheduled basis (Hourly, Daily, Weekly, or Monthly). The recommended setting is Hourly.

• Trend Micro Control Manager (TMCM) server – Control Manager notifies the OfficeScan server when an update is available for download. OfficeScan then checks its Update Source [ Updates | Server Update | Update Source ] setting to know where it should download the package from via HTTP. By default, the Update Source is set to the Internet (Trend’s Active Update server). It can be pointed to the Control Manager server if desired (e.g. http://<server fqdn or ip address>/tvcsdownload/activeupdate).

• Custom Update Source (Other update source) – Similar to the Internet update method except that the admin re-creates an Active Update (web) server and points the OfficeScan server to the HTTP location (e.g. http://<server fqdn or ip address>/activeupdate). Control Manager and peer OfficeScan servers can service such requests.

Update Agent

When the update package has been downloaded, the OfficeScan server first notifies its Update Agents that a new package is available. The Update Agents then compare version information and download the package from their designated OfficeScan server as needed. The OfficeScan server waits for an acknowledgement command for the verification or download/update process to complete. If no acknowledgement is received, the OfficeScan server waits until a timeout value is reached before notifying the rest of its clients. The default timeout is 10 minutes and is configurable in the Timeout for update agent parameter using SvrTune.exe [ Tools | Administrative Tools | Server Tuner ]. All communications are done through CGI commands over HTTP. The OfficeScan server listens on its web server management port (typically 80 or 8080), while the Update Agents listen on their pre-configured port (randomly generated or manually defined during the OfficeScan server installation).


OfficeScan Agent

Once the Update Agent notification process is completed, the OfficeScan server notifies the rest of its clients. The notification process is done in batches. The batch size is configurable in Maximum Client Connections using the SvrTune.exe [ Tools | Administrative Tools | Server Tuner ] utility. Once notified, clients check for updates in the order below.

OfficeScan agent Update Source Order:

1. Update Agent

2. OfficeScan Server

3. Trend Micro’s Active Update Server (Internet)

Privileges can be set to allow clients to update from the OfficeScan server when their Update Agent is unavailable. This setting is global and can be enabled under [ Updates | Client Deployment | Update Source | Update from OfficeScan server if all customized sources are not available or not found ].

NOTE: SvrTune.exe only controls the number of clients notified by the OfficeScan server at a given time after the OfficeScan server has completed an update. When OfficeScan agents initiate the update themselves, for example via ‘Scheduled Update’, the OfficeScan server handles the client update requests it can, and the ones it cannot handle are queued in IIS for later processing. (By default, IIS processes 256 CGI requests concurrently.)

Individual clients or groups of clients (OfficeScan Domains) can also be given the privilege to download updates directly from the Internet. Highlight the client or domain in the [ Clients ] main window and enable the option under [ Clients | Client Privileges/Settings | Update Settings | Download from the Trend Micro ActiveUpdate Server ].

Integrated Smart Protection Server

• Trend Micro’s Active Update Server (Internet) – Default method. It uses standard HTTP GET requests to download update packages from the Internet. This only requires the HTTP port (80) to be open from the OfficeScan server to the Internet. Updates can be triggered manually or on a scheduled basis (Hourly or every 15 minutes). The recommended setting is Hourly.

• Trend Micro Control Manager (TMCM) server – Control Manager notifies the OfficeScan server when an update is available for download. OfficeScan then checks its Update Source [ Updates | Server Update | Update Source ] setting to know where it should download the package from via HTTP. By default, the Update Source is set to the Internet (Trend’s Active Update server). It can be pointed to the Control Manager server if desired (e.g. http://<server fqdn or ip address>/tvcsdownload/activeupdate).

• Custom Update Source (Other update source) – Similar to the Internet update method except that the admin re-creates an Active Update (web) server and points the OfficeScan server to the HTTP location (e.g. http://<server fqdn or ip address>/OfficeScan/download). Control Manager and peer OfficeScan servers can service such requests.


7.3.2 Network Usage (Bandwidth Consumption)

OfficeScan generates network traffic when the server and clients communicate with each other. Server-initiated communications are mainly CGI commands sent over HTTP and are only a few kilobytes in size. The clients, on the other hand, generate traffic as they upload information and pull component updates. Below is a summary of the different types of communication within OfficeScan.

Server Initiated Traffic

Notification on configuration changes

Notification on component updates

Client Initiated Traffic

Client start-up information

Uploading virus, event, firewall and web reputation logs

Infected files to be quarantined on the OfficeScan server (network usage depends on quarantined file size)

Downloading program and pattern file updates

Probably the most significant data transfer occurs when a client performs a pattern file update. To reduce the network traffic generated during this process, OfficeScan uses a feature called incremental updates. Instead of downloading the full pattern every time, only the differences (deltas) are downloaded, for up to 14 previous versions of the virus pattern and 7 previous versions of the spyware, network, and damage cleanup patterns. These deltas are merged with the old pattern file as the OfficeScan agent receives them. An incremental pattern may range from 1 kilobyte to several megabytes (e.g. 3 MB) depending on the version increment (how many versions behind the latest the client is).

To further save WAN bandwidth, specific clients can be promoted to Update Agents that service peer clients, so that each client does not have to pull incremental updates from the OfficeScan server individually. The Update Agent host replicates the complete engine and pattern packages (full version and increments); these packages are downloaded every time an update is available. To check their current size, log on to the OfficeScan server and view the size property of the following folders:

<drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\Download\Engine

<drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\Download\Pattern

The Engine and Pattern subfolders on the OfficeScan server are copied to the Update Agent host under the <drive>:\Program Files\Trend Micro\OfficeScan agent\ActiveUpdate folder.

For locations with limited bandwidth connectivity, an ini flag (UADuplicationOptValue) can be enabled in the OfficeScan server to change the behavior of the Update Agent. Instead of downloading the complete engine and pattern packages, only the latest increment (one version older) is downloaded. The Update Agent then generates its own full pattern file as well as the 7 incremental files.

Enabling Smart Duplicate for Update Agents

Edit <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\ofcscan.ini

Locate the parameter UADuplicationOptValue and set its value to 128.

Save the changes to the INI file.

Log on to the management console and go to Clients | Global Client Settings.

Click the Save button.

NOTE: To disable Smart Duplicate when bandwidth is not an issue, configure the parameter as follows: UADuplicationOptValue=64

Sample computation of bandwidth usage:

Given: an incremental update is 300 KB and a full compressed pattern is 45 MB.

An Update Agent using regular incremental updates downloads the full pattern file and 7 incremental files from the OfficeScan server:

Total size downloaded = 7 x (300 KB incremental) + 45 MB full pattern

= 2.1 MB + 45 MB

= 47.1 MB

An Update Agent configured for Smart Duplicate downloads only one incremental file and generates its own full pattern and incremental files, therefore:

Total size downloaded = 300 KB

This saves 46.8 MB of transfer over the WAN link.
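As an added example (not part of the Trend Micro guide), the following Python rewrites the UADuplicationOptValue key in ofcscan.ini-style text without disturbing any other line, and models the Update Agent download size in regular and Smart Duplicate mode using the figures above. The "[INI_SERVER_SECTION]" header and the other sample key are constructed; the guide names only the key UADuplicationOptValue and the values 128 and 64.

```python
"""Toggle Smart Duplicate in ofcscan.ini text and model Update Agent WAN usage.

Added example, not the guide's code.  The INI section name and the
Master_DomainName line in SAMPLE_INI are constructed for the demonstration."""
import re
from typing import Optional

SMART_DUPLICATE_ON = 128   # value the guide gives to enable Smart Duplicate
SMART_DUPLICATE_OFF = 64   # value the guide gives to disable it
UA_INCREMENTS = 7          # incremental files an Update Agent replicates (guide)

# Constructed excerpt of an ofcscan.ini; a real file carries many more keys.
SAMPLE_INI = (
    "[INI_SERVER_SECTION]\r\n"
    "Master_DomainName=officescan.example.internal\r\n"
    "UADuplicationOptValue=64\r\n"
)

_KEY_RE = re.compile(r"^(\s*UADuplicationOptValue\s*=\s*)(\d+)\s*$", re.IGNORECASE)


def read_smart_duplicate(ini_text: str) -> Optional[int]:
    """Current UADuplicationOptValue, or None if the key is absent."""
    for line in ini_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            return int(m.group(2))
    return None


def set_smart_duplicate(ini_text: str, enabled: bool) -> str:
    """Return ini_text with UADuplicationOptValue rewritten to 128 or 64.

    Every other line, and each line's original ending (CRLF or LF), is kept
    unchanged.  A missing key raises instead of being appended to a guessed
    section, since the guide does not say which section holds it."""
    value = SMART_DUPLICATE_ON if enabled else SMART_DUPLICATE_OFF
    out, found = [], False
    for line in ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        m = _KEY_RE.match(body)
        if m:
            found = True
            body = f"{m.group(1)}{value}"
        out.append(body + ending)
    if not found:
        raise KeyError("UADuplicationOptValue not found in ofcscan.ini text")
    return "".join(out)


def update_agent_download_kb(full_pattern_kb: int, increment_kb: int,
                             smart_duplicate: bool,
                             increments: int = UA_INCREMENTS) -> int:
    """Kilobytes an Update Agent pulls from the OfficeScan server per release.

    Regular mode replicates the full pattern plus every increment; Smart
    Duplicate pulls only the newest increment and rebuilds the rest locally.
    Uses 1 MB = 1000 KB, which is how the guide's sample arithmetic comes out."""
    if smart_duplicate:
        return increment_kb
    return full_pattern_kb + increments * increment_kb


def wan_savings_kb(full_pattern_kb: int, increment_kb: int) -> int:
    """Kilobytes kept off the WAN link per release by enabling Smart Duplicate."""
    return (update_agent_download_kb(full_pattern_kb, increment_kb, False)
            - update_agent_download_kb(full_pattern_kb, increment_kb, True))


if __name__ == "__main__":
    print("before:", read_smart_duplicate(SAMPLE_INI))
    print("after :", read_smart_duplicate(set_smart_duplicate(SAMPLE_INI, True)))
    print("regular UA download:", update_agent_download_kb(45_000, 300, False), "KB")
    print("Smart Duplicate    :", update_agent_download_kb(45_000, 300, True), "KB")
    print("saved per release  :", wan_savings_kb(45_000, 300), "KB")
```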

7.4 > Virtual Desktop Infrastructure (VDI)

OfficeScan 10.6 supports three types of VDI environment: Citrix XenServer, VMware vCenter Server, and Microsoft Hyper-V Platform. The following two features have been added:

VM Awareness – prevents all VM clients on the same physical machine from running an on-demand scan or component update at the same time.

Whitelist Cache Mechanism – reduces the scan time of on-demand scans.

7.4.1 Golden Image Preparation

When deploying VDI, the following tasks need to be completed on the Golden Image.

Copy the TcacheGen.exe utility to the Golden Image.

Use TcacheGen to create a whitelist of files and folders in the Golden Image. The tool will scan files and folders in the Golden Image and add them into the OfficeScan Whitelist to reduce scanning load on the machine.

Use TcacheGen to clear the GUID key in the OfficeScan agent registry hive: HKEY_LOCAL_MACHINE\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\GUID

Set VDIEnabled=1 in the OfficeScan registry hive: HKEY_LOCAL_MACHINE\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\MISC.

Proceed to complete the Golden Image creation.

7.4.2 Install VDI Support on the OfficeScan Server

Plugin Manager

Open the OfficeScan Console >> Plug-in Manager. Download and install the VDI Support component.

Click on the Manage Program button to configure VDI Support.

Choose between VMware vCenter Server, Citrix XenServer, Microsoft Hyper-V Platform or Other virtualization application (NOTE: the last option only simulates a virtual hypervisor).

Enter the server connection information, e.g.

Click the save button.

Check vdi_list.ini to confirm that the setting was applied correctly.

Adjust the VDI parameters depending on the actual need.

The most resource-intensive actions of the OfficeScan agent, namely On-demand Scan and Component Updates, can be controlled.

The vdi.ini parameters, their descriptions, and their recommended values are:

Cache_Time_Seconds (recommended value: 300)
The VDI client cache used by the OfficeScan server. When a VDI client performs a scan or update, the OfficeScan server responds using the cached information. After the default 300 seconds, the OfficeScan server queries XenServer/vCenter to refresh the cache.

Cache_Time_Error_Seconds (recommended value: 30)
When the OfficeScan server tries to query XenServer/vCenter for updated cache information and the query fails, the server answers client requests from the old cache for the next 30 seconds and does not retry the query until that time has elapsed.

Controller_Counts (recommended value: 2)
The number of VDI client task types controlled by the OfficeScan server. Currently there are two: (00) is for on-demand scan and (01) is for update.

Controller_00_MaxRunningSeconds (recommended value: 300)
If the agent running an on-demand scan does not respond to the OfficeScan server within 300 seconds, the server considers the scan task completed and allows the next client to run an on-demand scan.

Controller_00_MaxConcurrentGuests (recommended value: 1)
Only one client can run an on-demand scan at a time.

Controller_00_BaseWaitingTime (recommended value: 10)
If the MaxConcurrentGuests value is reached, other requesting VDI clients wait 10 seconds, then 10+10 seconds, then 10+10+10 seconds, and so on until the wait reaches the MaxWaitingTime value.

Controller_00_MaxWaitingTime (recommended value: 30)
Used together with BaseWaitingTime to cap how long a VDI client waits before contacting the OfficeScan server again.

Controller_00_TaskName (value: ODScan)
Name of the VDI client task.

Controller_01_MaxRunningSeconds (recommended value: 600)
If the updating client does not respond to the OfficeScan server within 600 seconds, the server considers the update task completed and allows the next client to perform an update.

Controller_01_MaxConcurrentGuests (recommended value: 3)
Only three clients can perform an update at the same time.

Controller_01_TaskName (value: PatternUpdate)
Name of the VDI client task.
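As an added example (not part of the Trend Micro guide), the following Python reads a vdi.ini-style text, rebuilds the client back-off schedule that the BaseWaitingTime and MaxWaitingTime rows describe, and flags any value that differs from the recommendations tabulated above. The "[VDI]" section header and the sample values are constructed; the guide lists the key names but not the file layout.

```python
"""Read vdi.ini parameters, derive the VDI client back-off, check recommendations.

Added example, not the guide's code.  The "[VDI]" section name in the sample is
constructed; the key names and recommended values are those in the guide."""
import configparser
from typing import Dict, List, Optional, Tuple

# Recommended values exactly as tabulated in the guide.
RECOMMENDED: Dict[str, str] = {
    "Cache_Time_Seconds": "300",
    "Cache_Time_Error_Seconds": "30",
    "Controller_Counts": "2",
    "Controller_00_MaxRunningSeconds": "300",
    "Controller_00_MaxConcurrentGuests": "1",
    "Controller_00_BaseWaitingTime": "10",
    "Controller_00_MaxWaitingTime": "30",
    "Controller_00_TaskName": "ODScan",
    "Controller_01_MaxRunningSeconds": "600",
    "Controller_01_MaxConcurrentGuests": "3",
    "Controller_01_TaskName": "PatternUpdate",
}

# Constructed sample vdi.ini, with one setting deliberately loosened (four
# concurrent on-demand scans instead of one) so the check has something to report.
SAMPLE_VDI_INI = """[VDI]
Cache_Time_Seconds=300
Cache_Time_Error_Seconds=30
Controller_Counts=2
Controller_00_MaxRunningSeconds=300
Controller_00_MaxConcurrentGuests=4
Controller_00_BaseWaitingTime=10
Controller_00_MaxWaitingTime=30
Controller_00_TaskName=ODScan
Controller_01_MaxRunningSeconds=600
Controller_01_MaxConcurrentGuests=3
Controller_01_TaskName=PatternUpdate
"""


def parse_vdi_ini(text: str) -> Dict[str, str]:
    """Flatten every key=value pair into one dict, preserving key case.

    Section names are ignored on purpose: the guide does not specify them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Controller_00_TaskName etc. exactly as written
    cp.read_string(text)
    flat: Dict[str, str] = {}
    for section in cp.sections():
        flat.update(cp.items(section))
    return flat


def waiting_schedule(base: int, max_wait: int, attempts: int) -> List[int]:
    """Seconds a client waits before each retry once MaxConcurrentGuests is hit:
    base, base+base, base+base+base, ... never exceeding max_wait."""
    if base <= 0 or max_wait <= 0:
        raise ValueError("BaseWaitingTime and MaxWaitingTime must be positive")
    return [min(base * n, max_wait) for n in range(1, attempts + 1)]


def controller_schedule(cfg: Dict[str, str], index: int,
                        attempts: int = 5) -> Optional[List[int]]:
    """Back-off schedule for controller `index`, or None when that controller has
    no waiting-time keys (the guide lists none for the update controller, 01)."""
    prefix = f"Controller_{index:02d}_"
    base = cfg.get(prefix + "BaseWaitingTime")
    max_wait = cfg.get(prefix + "MaxWaitingTime")
    if base is None or max_wait is None:
        return None
    return waiting_schedule(int(base), int(max_wait), attempts)


def deviations(cfg: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """(key, actual, recommended) for each tabulated key that is missing or differs."""
    out: List[Tuple[str, Optional[str], str]] = []
    for key, rec in RECOMMENDED.items():
        actual = cfg.get(key)
        if actual is None or actual.strip() != rec:
            out.append((key, actual, rec))
    return out


if __name__ == "__main__":
    cfg = parse_vdi_ini(SAMPLE_VDI_INI)
    print("ODScan back-off (s):", controller_schedule(cfg, 0))
    for key, actual, rec in deviations(cfg):
        print(f"{key}: found {actual!r}, guide recommends {rec}")
```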

Performance Related Items

To mitigate performance issues, comply with the best practices below when running OfficeScan 11 agents in a VDI environment.

Set the scan mode to Smart Scan first, and then deploy the OfficeScan agent to the VDI.

Do not switch between conventional scan and smart scan in the VDI guest environment. A scan type change immediately triggers a full pattern update on the guest, which causes disk I/O congestion if it occurs on multiple VM images at the same time.

When the Smart Protection Server is offline, OfficeScan agents add files to a queue (suspicious list). When the Smart Protection Server comes back online, all machines scan the files on this list, which can cause performance issues. Make sure a backup Smart Protection Server is in place so that Smart Scan is available at all times.

Pattern update rollback is very disk I/O intensive and should be done as seldom as possible.

Take special care when deploying program updates or hotfixes to VDI agents. Deploy to a few machines at a time to minimize the performance impact.

AEGIS should be disabled in a VDI environment, and this should be done when the golden image is prepared. This helps improve performance in the VDI environment.

Enabling or disabling the firewall should not be performed on all agents at the same time; otherwise it causes heavy disk I/O usage.

If many agents are enabled to act as Update Agents at the same time, this causes heavy disk I/O and CPU usage and takes a long time to complete. Avoid enabling many agents as Update Agents at the same time.

A newly installed agent might not appear in the server console agent tree because its GUID is a duplicate. To avoid this, log on to the OfficeScan console and perform ‘connection verification’ under Networked Computers.

Disable scheduled scan, because simultaneous scanning in several guest OSes causes the host machine’s performance to drop.

In the OfficeScan console, go to Tools -> Administrative Tools and use Server Tuner to set the allowed number of concurrent pattern update agents to a small value. The suitable value depends on the HDD speed. Trend Micro recommends setting this value to “3” and then increasing it if the I/O usage is low during pattern updates.

Central Quarantine File Restore

Central Quarantine Restore allows the restore of quarantined files to be triggered from the OSCE server. The usage of this feature is described in detail in the OSCE 11 AG; refer to pages 1-4 and 7-41.

Considerations:

The quarantined files need to be available in the …\Suspect\Backup folder of the OSCE agent program folder.

You have to determine the file name, security threat, or path of the file from the virus logs. The following sample shows the mask for the file names of several files to restore:

1. Central restore works from a single machine up to the domain/root level of the OSCE server.

2. When selecting a file to restore, you can add this file to the exclusion list of the respective domain level.

If you do NOT select this, the file is restored properly but re-detected at the next trigger.

7.5 > Recommended Installation Adjustments for Special Environments

7.5.1 Citrix Environment

Installation of OfficeScan Agents on Citrix Servers

Disable the Tray Icon

Many instances of the PccNTMon process are created in memory, one for each user logged in to a server where the agent is installed.

On the OfficeScan management console, go to Agents > Agent Management.

Create a group for all Citrix Servers, click on Manage Agent Tree > Add Domain. Move the Citrix servers to the group.

Select the group, click on Settings > Privileges and other Settings > Other Settings tab.

Under Agent Access Restriction, select Do not allow users to access the agent console from the system tray or Windows Start menu.

Click on Save.

Note: The only minor side effect of this configuration is that no popup messages appear on the Citrix servers when virus/malware, spyware/grayware, or web threats are detected.

Set up TmPreFilter to run in MiniFilter-Mode

Open the Registry Editor.

Go to HKLM\SYSTEM\CurrentControlSet\Services\TmPreFilter\Parameters

Change the value of the "EnableMiniFilter" (REG_DWORD) key to "1".

Close the Registry Editor and then restart the computer.

Change the memory usage of the PagedPool

Open the Registry Editor.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.

Change the value of the "PagedPoolSize" (REG_DWORD) key to "FFFFFFFF".

Close the Registry Editor and then restart the computer.

Exclude files and folders

Exclude the following file extensions from scanning on a Citrix or Terminal server.

*.LOG

*.DAT

*.TMP

*.POL

*.PF

Exclude IIS and Citrix Receiver processes

Open the Registry Editor.

Go to HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList.

Create a new key named "Citrix ICA". This is the Citrix ICA Client remote desktop tool. Under this new key, create:

Type: String value

Name: ProcessImageName

Value: wfica32.exe

Create a new key named "IIS". Under this new key, create:

Type: String value

Name: ProcessImageName

Value: w3wp.exe

Close the Registry Editor.

Restart the OfficeScan NT Listener service.

7.5.2 Citrix Known Issues

A. OfficeScan agent on the Citrix server cannot be published

The OfficeScan agent on the Citrix server cannot be published. To allow users to access the OfficeScan agent, publish the Citrix server desktop through the Citrix Access Management Console (CMC). Once published, users need to:

1. Launch the desktop from the Citrix client Web interface.

2. In the Citrix desktop session, open the OfficeScan agent program from Start > Programs > Trend Micro OfficeScan Agent > OfficeScan Agent.

3. Launch the OfficeScan agent console from the system tray icon.

B. CSA does not support application streaming

CSA installs drivers (scan engine, firewall, TDI driver), and its services need to collaborate with these drivers. This means that some functions may appear to execute properly from the client console but may not actually run anything in the backend. This does not affect other programs published and streamed on the Citrix server.

C. Real-time Scan is unable to detect infected files residing inside mapped folders on Citrix servers

A drive or folder on a computer running Windows 2003 contains a file infected with virus/malware, and the drive or folder is mapped to the Citrix server. When the infected file is opened during a Citrix client session, Real-time Scan may be unable to detect the virus/malware in the file if the mapped drive has the same drive letter, for example (C:), in a multi-user environment.

To resolve this issue:

Launch the desktop from the Citrix client Web interface.

Open the Registry Editor.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add the following value:

Type: Multi-string value (REG_MULTI_SZ)

Name: DependOnService

Value: Cdm

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters and add the following value:

Type: DWORD value (REG_DWORD)

Name: CitrixOn2003Support

Value: Any number except zero

If you are using remote desktop, add the following value to the same key:

Type: DWORD value (REG_DWORD)

Name: MsRemoteDesktopSupport

Value: Any number except zero

Restart the computer for the changes to take effect.

D. Scan Notifications

In a Citrix environment, when the OfficeScan agent detects a security risk during a particular user session, the notification message for the security risk is displayed in all active user sessions.

Security risk can be any of the following:

Virus/Malware

Spyware/Grayware

Firewall policy violation

Web Reputation policy violation

Unauthorized access to external devices

E. When manual update is in progress in one Citrix client session, other active sessions cannot launch manual update

Trend Micro recommends disabling "Update Now" privileges from the OfficeScan web console. This prevents users from manually starting an update. Make sure, however, that scheduled updates and event-triggered updates are still in place.

To disable "Update Now" privileges, do the following:

On the OfficeScan management console, go to Agents > Agent Management.

Select the group, go to Settings > Privileges and other Settings > Privileges tab.

Under Component Updates, uncheck Perform “Update Now”.

Click on Save.

7.5.3 Citrix Exclusions

Refer to section 7.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.

7.5.4 Citrix Firewall Ports

Refer to section 7.8 Some Server Common Ports for recommendations on Citrix ports to open.

7.5.5 Installation of OfficeScan Agents on Cisco CallManager

The following must be configured as recommended to support Cisco CallManager:

Configure Real-time Scan Settings

On the OfficeScan management console, go to Agents > Agent Management

Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Real-time Scan Settings

In the Target tab, under the Scan Settings, configure Scan compressed files > Maximum layers = 1

In the Action tab, uncheck the following:

Display a notification message on the client computer when virus/malware is detected

Display a notification message on the client computer when spyware/grayware is detected

Click on Save.

Configure Client Privileges and Settings

On the OfficeScan management console, go to Agents > Agent Management

Select the Cisco Callmanager Agents, go to Settings > Privileges and Other Settings

In the Privileges tab, uncheck the following:

Display the Mail Scan tab on the client console and allow users to install/upgrade Outlook mail scan

Click on Save.

Configure Scan Exclusions

On the OfficeScan management console, go to Agents > Agent Management

Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Real-time Scan Settings

In the Target tab, under the Scan Exclusion, enable the following:

Enable scan exclusion

Apply scan exclusion settings to all scan types

Add the following folders to the Scan Exclusion List (Directories)

Drive:\Program Files\Call Manager

Drive:\Program Files\Call Manager Serviceability

Drive:\Program Files\Call Manager Attendant

Click on Save button

Configure Update Settings

On the OfficeScan management console, go to Agents > Agent Management

Select the Cisco Callmanager Agents, go to Updates > Agents > Automatic Update

Uncheck Perform Scan Now after update (roaming agents excluded)

Click on Save.

Turn off Scheduled Scan for Virus/Malware and Spyware/Grayware

On the OfficeScan management console, go to Agents > Agent Management

Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Scheduled Scan Settings

Uncheck the following:

Enable virus/malware scan

Enable spyware/grayware scan

Click on Save.

Disable OfficeScan Firewall

On the OfficeScan management console, go to Agents > Agent Management

Select the Cisco Callmanager Agents, go to Settings > Additional Service Settings

Under Firewall Service, uncheck Enable service on the following operating systems

Click on Save.

Delay the startup of the Real-time Scan service by making it dependent on the CallManager service.

Open the Registry Editor.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add the following value:

Type: Multi-string value (REG_MULTI_SZ)

Name: DependOnService

Value: <Type the name or names of the services that you prefer to start before this service, one entry per line. The name entered in the Data dialog box is the exact name of the service as it appears in the registry under the Services key.>

Restart the computer for the changes to take effect.

7.6 > Recommended Scan-Exclusion List

Database and encrypted files should generally be excluded from scanning to avoid performance and functionality issues. Below are exclusions to consider depending on the type of machine the OfficeScan agent is installed on.

General Exclusions for all Windows platforms

Pagefile.sys

*.pst

%systemroot%\System32\Spool (replace %systemroot% with actual directory)

%systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with actual directory)

%allusersprofile%\NTUser.pol

%Systemroot%\system32\GroupPolicy\registry.pol

Appian Enterprise

Refer to the Knowledgebase article: Appian Enterprise slows down or hangs when installed with OfficeScan or ServerProtect.

Acronis Backup & Recovery

Refer to the Acronis article: Acronis Backup & Recovery: Exclude Program Folders and Executables from Security Programs.

ARCserve

For more information, refer to the following ARCserve articles:

Antivirus Process and Folder Exclusions for ARCserve Backup

CA ARCserve RHA best practices with regards to Anti-virus exclusion

How to exclude Arcserve RHA spool folder from the antivirus scans

ARCserve D2D

AutoDesk Inventor / AutoCAD

C:\Program Files\Autodesk\Inventor 2013\Bin\Inventor.exe

C:\Program Files\Autodesk\Vault Professional 201\Explorer\Connectivity.VaultPro.exe

C:\Program Files\Autodesk\AutoCAD 2013\acad.exe

C:\Program Files\Autodesk\Inventor Fusion 2013\Inventor Fusion.exe

C:\Program Files\Autodesk\DWG TrueView 2013\dwgviewr.exe

C:\Program Files (x86)\Autodesk\Autodesk Design Review 2013\DesignReview.exe

C:\Program Files\Autodesk\Product Design Suite 2013\Bin\ProductDesignSuite.exe

BlackBerry Enterprise

For BlackBerry exclusions, refer to:

Anti-virus exclusions for the BlackBerry Enterprise Server

Anti-virus exclusions for BlackBerry Enterprise Service 10

Cisco CallManager

Drive:\Program Files\Call Manager

Drive:\Program Files\Call Manager Serviceability

Drive:\Program Files\Call Manager Attendant

Citrix Exclusions

On Citrix systems, the following extensions have been causing performance problems. Exclude these file extensions to avoid any performance problems: *.LOG, *.DAT, *.TMP, *.POL, *.PF.

General Citrix exclusions:

*\Users\*\ShareFile\

*\Citrix Resource Manager\LocalDB

*\ICAClient\Cache

*\SoftwareDistribution\Datastore

*\System32\Spool

*\Program Files (x86)\Citrix\Deploy

*\Program Files (x86)\Citrix\Independent Management Architecture

*\Program Files (x86)\Citrix\RadeCache

*\Windows\System32\spool\PRINTERS

For more information, refer to the Citrix articles:

Citrix Guidelines for Antivirus Software Configuration

Citrix Consolidated List of Antivirus Exclusions

Domino Data Directory

The data directory is used to store Domino email messages. Repeatedly scanning this folder while it is being updated with new messages is not an efficient way to scan locally stored email. Use a mail scanning application such as ScanMail for Domino to handle email viruses. By default, the Domino data directory for a non-partitioned installation is <drive>:\Lotus\Domino\Data.

Microsoft Exchange Server

Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications like ScanMail for Exchange to handle email viruses. Installable File System (IFS) drive M must also be excluded to prevent the corruption of the Exchange Information Store.

Exchange 5.5

<drive>:\EXCHSRVR\IMCData

<drive>:\EXCHSRVR\MDBData

Exchange 2000

<drive>:\EXCHSRVR\MDBData

<drive>:\EXCHSRVR\MTAData

<drive>:\EXCHSRVR\Mailroot

<drive>:\EXCHSRVR\SrsData

<drive>:\WINNT\system32\InetSrv

Exchange 2003

<drive>:\EXCHSRVR\MDBData

<drive>:\EXCHSRVR\MTAData

<drive>:\EXCHSRVR\Mailroot

<drive>:\EXCHSRVR\SrsData

<drive>:\WINNT\system32\InetSrv

<drive>:\EXCHSRVR\MdbDataUtility

Exchange 2007

Refer to this Microsoft article:

http://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx

Exchange 2010

http://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx

Exchange 2013

http://technet.microsoft.com/en-us/library/bb332342.aspx

FAST Search Server 2010 for SharePoint

Refer to this Microsoft article: Review hardware and software requirements (FAST Search Server 2010 for SharePoint).

Mapped Drives / Shared Folders

This option is best disabled. If it is enabled, it may create unnecessary network traffic when end users access remote paths or mapped network drives, and it can severely impact the user experience. Consider disabling this function if all workstations have the OfficeScan agent installed and updated to the latest virus signature.

Microsoft Active Directory Domain Controller

<drive>:\WINNT\SYSVOL

<drive>:\WINNT\NTDS

<drive>:\WINNT\ntfrs

<drive>:\WINNT\system32\dhcp

<drive>:\WINNT\system32\dns

Microsoft IIS Server

Web server log files should be excluded from scanning. By default, IIS logs are saved in:

<drive>:\WINNT\system32\LogFiles

<drive>:\WINNT\system32\IIS Temporary Compressed Files

Microsoft IIS 7.0 Server

Web server log files should be excluded from scanning. By default, IIS 7.0 logs are saved in:

<drive>:\inetpub\logs\

Microsoft Internet Security and Acceleration Server (ISA)

<drive>:\Program Files\Microsoft ISA Server\ISALogs

<drive>:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Data

Microsoft Lync

Microsoft Lync 2010

Specifying Antivirus Scanning Exclusions

Microsoft Lync 2013

Antivirus Scanning Exclusions for Lync Server 2013

Microsoft Operations Manager Server (MOM)

<drive>:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager

<drive>:\Program Files\Microsoft Operations Manager 2005

Microsoft SharePoint Portal Server

<drive>:\Program Files\SharePoint Portal Server

<drive>:\Program Files\Common Files\Microsoft Shared\Web Storage System

<drive>:\Windows\Temp\Frontpagetempdir

M:\

Microsoft SharePoint Servers Foundation 2010

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions

Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files

Drive:\Users\ServiceAccount\AppData\Local\Temp

Drive:\Users\Default\AppData\Local\Temp

Drive:\Users\the account that the search service is running as\AppData\Local\Temp

Drive:\WINDOWS\system32\LogFiles

Drive:\Windows\Syswow64\LogFiles

Reference: Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint.

Microsoft SharePoint Server 3.0 / 2007 / 2010

Drive:\Program Files\Microsoft Office Servers

Drive:\Program Files\Common Files\Microsoft Shared\Web Service Extensions

Drive:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files

Drive:\Documents and Settings\All Users\Application Data\Microsoft\SharePoint\Config

Drive:\Windows\Temp\WebTempDir

Drive:\Documents and Settings\the account that the search service is running as\Local Settings\Temp\

Drive:\WINDOWS\system32\LogFiles

Reference: http://support.microsoft.com/kb/952167

Microsoft SQL Server

Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, exclude the database directory and the backup folders from the scan list. If it is necessary to scan database files, create a scheduled scan task that runs during off-peak hours.

<drive>:\WINNT\Cluster (if using SQL Clustering)

<drive>:\Program Files\Microsoft SQL Server\MSSQL\Data

Q:\ (if using SQL Clustering)

C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data

File extensions to exclude: .mdf, .ldf, .ndf, .bak, .tm

Considerations for clustering

You can run antivirus software on a SQL Server cluster. However, you must make sure that the antivirus software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and interoperability.

If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning:


Q:\ (Quorum drive)

C:\Windows\Cluster

SQL Server 2005

%ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe

SQL Server 2008

%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2008 R2

%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe

%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2012

%ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe

%ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe

%ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe

Microsoft Systems Management Server (SMS)

SMS\Inboxes\SMS_Executive Thread Name

SMS_CCM\ServiceData

SMS\Inboxes

Microsoft Windows System Update Server (WSUS)

<drive>:\WSUS

<drive>:\WsusDatabase

<drive>:\MSSQL$WSUS

You can refer to the following Microsoft article for additional information: Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied

MySQL


MySQL main directory - <Drive>:\mysql\

MySQL Temporary Files - Uses the Windows system default, which is usually C:\windows\temp\

Novell Zenworks

C:\Program Files\Novell\Zenworks

C:\Program Files\Novell\ZENworks\logs\ExternalStore

C:\Program Files\Novell\ZENworks\cache\zmd\ZenCache\metaData

C:\Program Files\Novell\ZENworks\cache\zmd

Exclude the following files: NalView.exe, RMenf.exe, ZenNotifyIcon.exe, ZenUserDaemon.exe, casa.msi, dluenf.dll, fileInfo.db, lcredmgr.dll, objInfo.db

Exclude the following extensions: .APPSTATE, .LOG, .TMP, .ZC

Oracle

.dbf - Database file

.log - Online Redo Log

.rdo - Online Redo Log

.arc - Archive log

.ctl - Control files

RA-MICRO

C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-E

C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO

C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO Software GmbH

C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA-MICRO_Software_GmbH

C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA-MICRO

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\RA-MICRO

SAP

SAP ABAP or Java installs:

\usr\sap\

SAP Content Server Install:

\SAPDB\

SAP Printer Server:


SAPSprint.exe

Servers where SAPGui is installed:

lsagent.exe

During SAP installs or upgrades, it is recommended to exclude the base SAPinst directories and subdirectories:

..\Program Files\SAPinst_instdir\

ScanMail for Exchange (SMEX) 7.0

..\Smex\Temp

..\Smex\Storage

..\Smex\ShareResPool\

SMART Notebook Express

File Exclusions:

java.exe

notebook-express.exe

C:\WINDOWS\Prefetch\NOTEBOOK-EXPRESS.EXE*

C:\WINDOWS\Prefetch\JAVA.EXE*

Folder Exclusions:

*\smarttech

*\notebook-express-server

C:\Documents and Settings\*\Local Settings\Temp\Jetty*

C:\Program Files\SMART Technologies

Symantec Backup Exec

~\Symantec\Backup Exec\beremote.exe

~\Symantec\Backup Exec\beserver.exe

~\Symantec\Backup Exec\bengine.exe

~\Symantec\Backup Exec\benetns.exe

~\Symantec\Backup Exec\pvlsvr.exe

~\Symantec\Backup Exec\BkUpexec.exe

VMWare

Other file types that should be added to the exclusion list include large flat files such as VMware virtual disks. Scanning VMware disk files while a virtual machine is accessing them can degrade session loading performance and the ability to interact with the virtual machine. Exclusions can be configured for the directories that contain the virtual machines, or by excluding *.vmdk and *.vmem files.

Volume Shadow Copies

The backup process takes longer to finish when real-time scan is enabled. There are also cases where real-time scan detects an infected file in a volume shadow copy but cannot enforce the scan action, because volume shadow copies are read-only.

You can refer to the Knowledgebase article: Excluding Volume Shadow copies from OfficeScan agent real-time scans.

It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service. Refer to this Microsoft article: A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003.

Other Trend Micro Products

Make sure the checkbox for "Do not scan the directories where Trend Micro products are installed." is enabled in WFBS’s Exclusion List settings (Security Settings>Antivirus/Anti-spyware>Exclusions).
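The lists above mix whole drives, directory trees, single files, extensions, bare process names, wildcard-rooted and relative paths, and each of these excludes a different amount of the file system from scanning. The following Python is an added example, not from the guide or from Trend Micro: it normalizes entries written in the guide's notation and flags the whole-drive, wildcard-rooted, relative and placeholder entries that a reviewer should resolve or confirm before loading them into an exclusion list (the sample list is constructed from entries above).

```python
# Added example (not from the guide or OfficeScan): classify exclusion entries
# written in this section's notation and flag the broad ones for review.
import re

# Constructed sample copied from the lists above, in the guide's notation.
SAMPLE_ENTRIES = [
    r"<drive>: \ WINNT \ system32 \ LogFiles",
    r"%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe",
    r"Q:\ (if using SQL Clustering)",
    r"*\smarttech",
    r"~\Symantec\Backup Exec\beremote.exe",
    r"..\Smex\Temp",
    ".mdf",
    "lsagent.exe",
]
EXECUTABLE_EXT = (".exe", ".dll", ".msi")

def normalize(entry):
    """Drop trailing '(...)' notes and the spaces the guide puts around backslashes."""
    entry = re.sub(r"\s*\([^)]*\)\s*$", "", entry.strip())
    return re.sub(r"\s*\\\s*", r"\\", entry)

def classify(entry):
    """Return (kind, flags): kind is extension, drive, process, file or directory;
    flags are the reasons a reviewer should look at the entry before deploying it."""
    e = normalize(entry)
    if re.fullmatch(r"\.[A-Za-z0-9]+", e):
        return "extension", ["every file with this extension, on any path"]
    if re.fullmatch(r"[A-Za-z]:\\", e):
        return "drive", ["whole drive excluded"]
    if "\\" not in e:  # bare name with no directory
        kind = "process" if e.lower().endswith(EXECUTABLE_EXT) else "file"
        return kind, ["matched by name anywhere on disk"]
    flags = []
    last = e.rsplit("\\", 1)[-1]
    kind = "file" if "." in last else "directory"
    if e.startswith("*"):
        flags.append("wildcard root: matches under any parent directory")
    if e.startswith(("..\\", "~\\")):
        flags.append("relative root: resolve to an absolute path first")
    if "<" in e or "%" in e:
        flags.append("placeholder: expand per host")
    if kind == "directory" and not flags:
        flags.append("whole subtree excluded: confirm nothing executable lands here")
    return kind, flags

def review(entries):
    """Normalized entry -> (kind, flags) for a whole list."""
    return {normalize(x): classify(x) for x in entries}
```

Calling review(SAMPLE_ENTRIES) returns one (kind, flags) pair per normalized entry; an empty flags list never occurs for a drive, wildcard, relative or placeholder entry, so those are the ones to resolve before deployment.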

7.7 > Some Common Server Ports

Application Ports Protocol

FTP 21 TCP

Telnet 23 TCP

SMTP 25 TCP

WINS Replication 42 TCP

DNS 53 TCP/UDP

Web server 80 TCP

Kerberos Authentication 88 TCP/UDP

POP3 110 TCP

Windows Time Synchronization Protocol – NTP 123 UDP

RPC 135 TCP

NetBIOS Name, Netlogon and Browsing 137,138 TCP


NetBIOS Session 139 UDP

IMAP4 143 TCP

IMAP3 220 TCP

LDAP 389 TCP/UDP

SSL (Secure Sockets Layer) Web server 443 TCP

Server message block (SMB) for Netlogon, LDAP conversion, and Microsoft Distributed File System (DFS) discovery 445 TCP

SQL Server 1433 TCP

PPTP 1723 TCP

Global Catalog LDAP 3268 TCP/UDP

Remote Desktop (Terminal Services) 3389 TCP

Citrix Server 1494,2598 TCP

Note: It is advisable to disable the firewall of the OSCE agents that are installed on the server platform.

Date Revision Editor

10/19/2011 Document created Alp Deveci, Jill Maceda, Jessie Prevost, Alwin Yu

2/5/2014 Updated for Sp3 Alp Deveci