Trend Micro™ OFFICESCAN 11 11_BPG.pdf · agents can receive program upgrades from OfficeScan 11.0...
Transcript of Trend Micro™ OFFICESCAN 11 11_BPG.pdf · agents can receive program upgrades from OfficeScan 11.0...
Trend Micro™
OFFICESCAN 11.0 Best Practice Guide
TECHNICAL SUPPORT Best Practice Guide
2 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.
Copyright © 2014 Trend Micro Incorporated. All rights reserved.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.
All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.
Released: June 16, 2014
TECHNICAL SUPPORT Best Practice Guide
3 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Table of Contents
Chapter 1: Product Description ................................................................................. 5
Chapter 2: Architecture ............................................................................................... 6
2.1 > Installation ......................................................................................................................................... 6
2.1.1 Minimum Hardware .................................... 6 2.1.2 Software Requirements ............................... 9
2.2 > Operating System and Related Applications .................................................................... 16
2.2.1 2.2.1 Security Tuning .............................. 19
2.3 > Server Upgrade Checklist .......................................................................................................... 21
Chapter 3: Sizing Summary ..................................................................................... 23
3.1 > Smart Protection Server Layout (Standalone) .................................................................. 27
3.1.1 Using SQL Server for Database ...................... 34
3.2 > Integrated Smart Protection Server Best Practices ........................................................ 36
3.3 > Configuration ................................................................................................................................. 39
3.3.1 Management Console ................................. 43 3.3.2 INI Configuration Files ............................ 78
3.4 > Performance Tuning .................................................................................................................... 80
Chapter 4: Backup and Disaster Recovery ........................................................... 82
4.1 > OfficeScan Server Database Files ........................................................................................... 82
4.2 > OfficeScan Server Configuration Files .................................................................................. 82
4.3 > OfficeScan Agent Configuration Settings ........................................................................... 84
Chapter 5: Behavior Monitoring ............................................................................ 85
5.1 > Behavior Monitoring Overview ............................................................................................... 85
5.1.1 Malware Behavior Blocking .......................... 85 5.1.2 Event Monitoring ................................... 86 5.1.3 Enabling Behavior Monitoring ....................... 88
5.2 > OfficeScan Agent self-protection ........................................................................................ 89
5.3 > Device Control Overview ........................................................................................................... 90
5.3.1 Using Device Control ............................... 91 5.3.2 How Behavior Monitoring and Device Control Can Affect
Performance ........................................... 103 5.3.3 Deploying Behavior Monitoring and Device Control ..103
TECHNICAL SUPPORT Best Practice Guide
4 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
5.4 > Alternative Ways to Prevent Performance Impact ...................................................... 106
5.4.1 Disabling Features from the Web Console ........... 106 5.4.2 Stopping the Service .............................. 107
Chapter 6: Data Loss Prevention .......................................................................... 108
6.1 > Pre-Deployment ......................................................................................................................... 108
6.1.1 Deploying and Testing Agents ...................... 108 6.1.2 Calculating Disk Space ............................ 108
6.2 > Deployment ................................................................................................................................. 109
6.3 > Deployment DLPlite template and policy ....................................................................... 113
6.3.1 Define a DLPlite template ......................... 113 6.3.2 Define and then deploy DLP policy ................. 114
6.4 > Investigate and restore forensic data ............................................................................... 114
Chapter 7: Miscellaneous ....................................................................................... 119
7.1 > Product Communication Ports ............................................................................................. 119
7.2 > IPv6 for OfficeScan ................................................................................................................... 120
7.2.1 IPv6 Support for OfficeScan Server and Agents ..... 120 7.2.2 OfficeScan Server Requirements .................... 120 7.2.3 OfficeScan Agent Requirements ..................... 120
7.3 > Update Architecture and Network Usage ....................................................................... 121
7.3.1 The Update Process ................................ 121 7.3.2 Network Usage (Bandwidth Consumption) ............. 123
7.4 > Virtual Desktop Infrastructure (VDI) .................................................................................. 125
7.4.1 Golden Image Preparation .......................... 125 7.4.2 Install the VDI Support in OfficeScan server Plugin
Manager ............................................... 125
7.5 > Recommended Installation Adjustments for Special Environments ..................... 132
7.5.1 Citrix Environment ................................ 132 7.5.2 Citrix Known Issues ............................... 134 7.5.3 Citrix Exclusions ................................. 136 7.5.4 Citrix Firewall Port .............................. 136 7.5.5 Installation of OfficeScan agents on Cisco Callmanager
......................................................136
7.6 > Recommended Scan-Exclusion List .................................................................................... 138
7.7 > Some Common Server Ports ................................................................................................ 147
TECHNICAL SUPPORT Best Practice Guide
5 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Chapter 1: Product Description
There are four major OfficeScan environment components that should be identified when designing the deployment. Each component is described below.
OfficeScan Server: A server that provides the OfficeScan management console and stores information in a local CodeBase® database, or a local or remote SQL. It uses standard http or https protocols for communication, and for managed agent updates. The three basic functions of an OfficeScan server are:
• Agent configuration (Privileges and Policy settings)
• Program, scan engine, and virus pattern file update provider
• Centralized logs, reporting and quarantine functionality
OfficeScan Agent: A host reporting to a particular OfficeScan server. It can be configured to get update information from an OfficeScan server, an Update Agent, or directly from the internet via the Trend Micro ActiveUpdate server. Moreover, the OfficeScan agent has the function for protecting the system where it’s installed. It can be configured to use Integrated Smart Protection Server or standalone Smart Protection Server for Smart Scan instead of conventional scan. Through cloud technology, this method minimizes the total amount of pattern download.
Update Agent: A regular OfficeScan agent that’s designated to copy update information from an OfficeScan server for the purposes of distributing the update information to other OfficeScan agents. Any OfficeScan agent can be configured as an Update Agent via the OfficeScan server management console. OfficeScan agent IP address ranges are then assigned to get update information from specific update agents. Update agents can push component updates, setting updates, and program/hotfix updates to agents. Older version OfficeScan agents can receive program upgrades from OfficeScan 11.0 Update Agents as long as they report to the OfficeScan 11.0 Update Agents.
Smart Protection Server (SPS): The Smart Protection Server provides the file reputation and web reputation through a local cloud service. When users opt to employ Smart Scan technology, agents send a query to SPS in their scanning files. When they use web reputation protection, agents send URLs to SPS. Thus, SPS works as a local file reputation server and as a local web rating server as well.
These are the two types of Smart Protection Server:
• Integrated Smart Protection Server: Installed as part of the OfficeScan server, Integrated Smart
Protection Server is managed through OfficeScan management console.
• Standalone Smart Protection Server: This server is installed on a VMware or Hyper-V host.
TECHNICAL SUPPORT Best Practice Guide
6 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Chapter 2: Architecture
2.1 > Instal ation
2.1.1 Minimum Hardware
The following sections show the recommended software and hardware specifications for an OfficeScan environment. For the full list of minimum system requirements, kindly refer to the Installation and Deployment Guide or OfficeScan Readme.
Trend Micro™ OfficeScan Server
MINIMUM HARDWARE SPECIFICATIONS
Windows 32-bit 64-bit
Windows 2003 • 1.86GHz Intel Core2 Duo
• 1GB minimum with at least 500MB exclusively for OfficeScan (2GB recommended)
• 6.5GB of available disk space
• 1.86GHz Intel Core2 Duo or equivalent
• 1GB minimum with at least 500MB exclusively for OfficeScan (2GB recommended)
• 6.5GB of available disk space
Windows 2008 • 1.86GHz Intel Core2 Duo
• AMD 64 processor
• Intel 64 processor
• 1GB minimum with at least 500MB exclusively for OfficeScan (2GB
• 1.86GHz Intel Core2 Duo
• AMD 64 processor
• Intel 64 processor
• 1GB minimum with at least 500MB exclusively for OfficeScan (2GB
TECHNICAL SUPPORT Best Practice Guide
7 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
recommended)
• 6.5GB of available disk space
recommended)
• 6.5GB of available disk space
Windows 2010
Windows 2011
Windows 2012
• 1.86GHz Intel Core2 Duo
• AMD 64 processor
• Intel 64 processor
• 2GB minimum with at least 500MB exclusively for OfficeScan
• 6.5GB of available disk space
Please refer to sizing section, Chapter 3, for recommended setups depending on number of agents.
Update Agents
The OfficeScan agent with the best available resources at a particular site should be designated as an Update Agent. Since this agent will be the one serving updates to the other agent in the remote office, it must be reliable. This can be a domain controller on the site, a file server, print server or any type of server that is always online. Because of this, this agent should have an additional 700 MB of free disk space for engines and patterns storage, an additional 160 MB for programs/hot fix updates, and an additional 20KB for every domain setting updates. Minimum requirements for Update Agents should follow the minimum hardware requirements of OfficeScan Agents.
Trend Micro™ OfficeScan Agents
MINIMUM HARDWARE SPECIFICATIONS
Windows 32-bit 64-bit
Windows XP
Windows 2003
• 300MHz Intel Pentium processor or equivalent
• 256MB of RAM (512MB recommended)
• 450MB of available disk space
• Intel x64 processor, AMD x64 processor
• 256MB of RAM (512MB recommended)
• 450MB of available disk space
TECHNICAL SUPPORT Best Practice Guide
8 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Windows Vista • 1GHz Intel Pentium or equivalent
• 1GB of RAM (1.5GB recommended)
• 450MB of available disk space
• Intel x64 processor, AMD x64 processor
• 1GHz Intel Pentium or equivalent
• 1GB of RAM (1.5GB recommended)
• 450MB of available disk space
Windows 2008 • 1GHz Intel Pentium or equivalent (2GHz recommended)
• 512MB of RAM (2GB recommended)
• 450MB of available disk space
• Intel x64 processor, AMD x64 processor
• 1.4 GHz Intel Pentium or equivalent (2GHz recommended)
• 512MB of RAM (2GB recommended)
• 450MB of available disk space
Windows 2010
Windows 2011
Windows 2012
• Intel x64 processor, AMD x64 processor
• 1.4 GHz Intel Pentium or equivalent (2GHz recommended)
• 512MB of RAM (2GB recommended)
• 450MB of available disk space
Windows 7
Windows 8
Windows 8.1
Windows Embedded POSReady 2007
Windows Embedded POSReady 7
• 1GHz Intel Pentium or equivalent (2GHz recommended)
• 1GB of RAM (2GB recommended)
• 450MB of available disk space
• Intel x64 processor, AMD x64 processor
• 2GHz Intel Pentium or equivalent
• 1.5GB of RAM (2GB recommended)
• 450MB of available disk space
Windows Embedded • 300MHz Intel Pentium
TECHNICAL SUPPORT Best Practice Guide
9 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
POSReady 2009 processor or equivalent
• 256MB of RAM (512MB recommended)
• 450MB of available disk space
Integrated Smart Protection Server
The minimum hardware specifications for this server are the same as the recommended requirements for the OfficeScan Server.
Standalone Smart Protection Server
The minimum hardware specifications for Standalone Smart Protection Server:
• Dual 2.0 GHz Intel Core2Duo 64-bit processor supporting Intel Virtualization Technology, or equivalent.
• 2GB of RAM
• 30GB for virtualization requirements (35GB recommended)
•
NOTE: Trend Micro™ Smart Protection Server automatically partitions the detected disk space as required.
The Blocked Web Access log stops collecting data once the available disk space is less than 1 GB. It’ll start collecting data again once the administrators free at least 1.5 GB of disk space.
Monitor must support 1024 x 768 resolution with at least 256 colors.
2.1.2 Software Requirements
OfficeScan Server
Microsoft Windows Server 2003 (Standard, Enterprise and Datacenter Editions) with Service Pack 2 or later, 32-bit/64-bit versions
Microsoft Windows Server 2003 R2 (Standard, Enterprise and Datacenter Editions) with Service Pack 2 or later, 32-bit/64-bit versions
Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise and Workgroup Editions) with Service Pack 2, 32-bit and 64-bit versions
Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise and Workgroup Editions) with Service Pack 2, 32-bit and 64-bit versions
Microsoft Windows Compute Cluster Server 2003
TECHNICAL SUPPORT Best Practice Guide
10 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter and Web Editions) with Service Pack 1 or 2, 32-bit and 64-bit versions
Windows Server 2008 R2 (Standard, Enterprise, Datacenter and Web Editions), 64-bit version
Windows Storage Server 2008 (Basic, Standard and Enterprise Edition), 32-bit versions.
Windows Storage Server 2008 (Basic, Standard, Enterprise and Workgroup Edition), 64-bit versions.
Windows Storage Server 2008 R2 (Basic, Standard, Enterprise and Workgroup Editions), 64-bit version
Microsoft Windows HPC Server 2008, 32-bit and 64-bit versions
Microsoft Windows HPC Server 2008 R2, 64-bit versions
Windows MultiPoint Server 2010, 64-bit versions
Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit versions
Windows Server 2012 (Standard and Datacenter Editions), 64-bit versions
Windows Server 2012 R2 (Standard and Datacenter Editions), 64-bit versions
Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit versions
Windows Storage Server 2012 (Standard and Workgroup Editions), 64-bit versions
NOTE: OfficeScan Server cannot be installed if Microsoft Windows runs on the Server Core environment.
OfficeScan supports server installation on guest operating systems hosted on the following virtualization applications:
VMware
ESX/ESXi Server (Server Edition) 3.5, 4.0, 4.1, 5.0, 5.15.x
Server (Server Edition)1.0.3, 2
Workstation and Workstation ACE Edition 7.0, 7.1, 8.0, 9.0
vCenterTM 4, 4.1, 5.0, 5.1,5.5
ViewTM 4.5, 5.0, 5.1
Citrix
XenDesktop 5.0, 5.5, 5.6, 7.0
TECHNICAL SUPPORT Best Practice Guide
11 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
XenServer 5.5, 5.6, 6.0, 6.1, 6.2
XenApp 4.5, 5.0, 6.0, 6.5
XenClient 2.1
VDI-in-a-Box 5.1
Microsoft
Windows Server 2008 64-bit Hyper-V
Windows Server 2008 R2 64-bit Hyper-V
Hyper-V Server 2008 64-bit
Hyper-V Server 2008 R2 64-bit
Windows 8 Pro/Enterprise 64-bit Hyper-V
Windows 8.1 Pro/Enterprise 64-bit Hyper-V
Windows Server 2012 64-bit Hyper-V
Windows Server 2012 R2 64-bit Hyper-V
NOTE: OfficeScan only provides support for virtual platforms that are supported by the installed operating system.
OfficeScan Agents
Microsoft Windows XP (Home, Professional, Professional for Embedded Systems Editions and Tablet PC) with Service Pack 3, 32-bit versions
Microsoft Windows XP Professional with Service Pack 2, 64-bit versions
Microsoft Windows Vista (Business, Enterprise, Ultimate, Home Premium, Home Basic, Business for Embedded Systems, Ultimate for Embedded Systems) with Service Pack 1 or Service Pack 2, 32-bit and 64-bit versions
Microsoft Windows 7 (Home Basic, Home Premium, Ultimate, Professional, Enterprise, Professional for Embedded Systems and Ultimate for Embedded Systems) with/without Service Pack 1, 32-bit/64-bit versions
Microsoft Windows Embedded POSReady 2009, 32-bit versions
Microsoft Windows Embedded POSReady 7, 32-bit/64-bit versions
Microsoft Windows 8 (Standard, Pro and Enterprise Editions), 32-bit/64-bit versions
Microsoft Windows 8.1 (Standard, Pro and Enterprise Editions), 32-bit/64-bit versions
Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter and Web Editions) with Service Pack 2, 32-bit/64-bit version
TECHNICAL SUPPORT Best Practice Guide
12 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Microsoft Windows Server 2003 R2 (Standard, Enterprise and Datacenter) with Service Pack 2, 32-bit/64-bit versions
Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise and Workgroup) with Service Pack 2, 32-bit/64-bit versions
Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise and Workgroup) with Service Pack 2, 32-bit/64-bit versions
Microsoft Windows Compute Cluster Server 2003 (Active/Passive), 32-bit/64-bit versions
Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, Web Editions and Server Core) with Service Pack 1 or Service Pack 2, 32-bit/64-bit versions
Microsoft Windows Storage Server 2008 (Basic Edition), 32-bit/64-bit versions
Microsoft Windows Storage Server 2008 (Standard, Enterprise, and Workgroup Editions) with/without Service Pack 1, 64-bit version
Microsoft Windows Server 2008 R2 (Standard, Enterprise, Datacenter, Web Editions and Server Core), 64-bit version
Microsoft Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup Editions), 64-bit version
Microsoft Windows HPC Server 2008, 32-bit/64-bit versions
Microsoft Windows HPC Server 2008 R2, 64-bit versions
Microsoft Windows Server 2008 Failover Clusters (Active/Passive), 32-bit/64-bit versions
Microsoft Windows Server 2008 R2 Failover Clusters (Active/Passive), 64-bit versions
Microsoft Windows MultiPoint Server 2010, 64-bit versions
Microsoft Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit versions
Microsoft Windows Server 2012 (Standard, Datacenter and Server Core Editions), 64-bit versions
Microsoft Windows Storage Server 2012 (Workgroup and Standard Editions), 64-bit versions
Microsoft Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit versions
Microsoft Windows Server 2012 Failover Clusters, 64-bit versions
Microsoft Windows Server 2012 R2 (Standard, Datacenter and Server Core Editions), 64-bit versions
NOTE: Trend Micro only guarantees continued support for Windows XP platforms until January 30, 2017. Kindly prepare a migration plan to continue receiving the highest level of security on all endpoints.
NOTE: The administrator will not be able to remotely install OfficeScan agent to Windows 7 x86 platforms without enabling the default administrator account. Use this step-by-step guide to resolve this issue:
TECHNICAL SUPPORT Best Practice Guide
13 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
STEP 1: Enable the Remote Registry service on the Windows 7 machine. By default, Windows 7 machines disable this feature.
STEP 2, Option A: Use the domain administrator account to remotely install OfficeScan 10.6 Service Pack 1 agents into Windows 7 computers.
STEP 2, Option B: Use the default administrator account.
1. Type the "net user administrator/active: yes" command from the command console to enable the default administrator account.
2. Use the default administrator account to remotely install the OfficeScan agent into the Windows 7 machine.
TECHNICAL SUPPORT Best Practice Guide
14 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
OfficeScan supports server installation on guest operating systems hosted on the following virtualization applications:
VMware
ESX/ESXi Server (Server Edition) 3.5, 4.0, 4.1, 5.x
Server (Server Edition)1.0.3, 2
Workstation and Workstation ACE Edition 7.0, 7.1, 8.0, 9.0
vCenterTM 4, 4.1, 5.0, 5.1,5.5
ViewTM 4.5, 5.0, 5.1
Citrix
XenDesktop 5.0, 5.5, 5.6, 7.0
XenServer 5.5, 5.6, 6.0, 6.1, 6.2
XenApp 4.5, 5.0, 6.0, 6.5
XenClient 2.1
VDI-in-a-Box 5.1
Microsoft
Windows Server 2008 64-bit Hyper-V
Windows Server 2008 R2 64-bit Hyper-V
Hyper-V Server 2008 64-bit
Hyper-V Server 2008 R2 64-bit
Windows 8 Pro/Enterprise 64-bit Hyper-V
Windows 8.1 Pro/Enterprise 64-bit Hyper-V
Windows Server 2012 64-bit Hyper-V
Windows Server 2012 R2 64-bit Hyper-V
NOTE: OfficeScan only provides support for virtual platforms that are supported by the installed operating system.
TECHNICAL SUPPORT Best Practice Guide
15 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Smart Protection Server (Standalone)
Smart Protection Server has the following Virtualization Platform requirements
VMware ESX 4.1 Update 1
VMware ESX 4.0 Update 3
VMware ESX 3.5 Update 4
VMware ESXi 5.5
VMware ESXi 5.1 Update 1
VMware ESXi 5.0 Update 3
VMware ESXi 4.1 Update 1
VMware ESXi 4.0 Update 3
Microsoft Windows Server 2008 R2 with Hyper-V
Microsoft Windows Server 2012 with Hyper-V
Citrix XenServer 6.2 / 6.0 / 5.6
• NOTE: A purpose-built, hardened, and performance-tuned 64-bit Linux operating system is included in the Trend Micro Smart Protection Server.
The following requirements are recommended for Trend Micro Smart Protection Server as a Virtual Machine.
• If you’re using VMware, use CentOS 5 64-bit (Guest Operating System).
• If you’re using a VMWare version (such as 3.5 and 4.0) that does not support CentOS, use Red Hat® Enterprise Linux® 5 64-bit.
• If you’re using Citrix XenServer, create a new Virtual Machine using the “Other install media” template.
• If you’re using Hyper-V, create a new Virtual Machine and add a “Legacy Network Adapter”.
• Allocate this Virtual Machine with at least 2GB RAM and 2 virtual processors for the Virtual Machine.
• Create a new Virtual Disk image that will be sufficient for your logging requirements (specify at least 30GB of disk space).
TECHNICAL SUPPORT Best Practice Guide
16 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
• Allocate 1 physical network card for the virtual switch where Trend Micro Smart Protection Server is connected.
NOTE: Blocked Web Access Log displays Web Reputation queries for malici ous websites. These logs can consume significant memory and disk space. This feature can be disabled from the Command Line Interface (CLI) (Disable adhoc-query).
Account Administrator or Domain Admin account to log-in to target hosts for installation
Ports NetBIOS (445, 137,138,139) for NT Remote Install
OfficeScan agent port (defined during OfficeScan server installation and is saved under Ofcscan.ini Client_LocalServer_Port parameter)
OfficeScan virtual directory port as defined in Apache / IIS. This value needs to be consistent with what is defined in the OfficeScan management console [ Administration | Settings | Agent Connection Settings | Port ]
Bandwidth Approximately 50 MB (may vary depending on current virus pattern file size)
Others Remote Registry service is enabled on target host
System partition of the target host is administratively shared (C$)
Windows XP Simple File Sharing must be disabled on the agent machines. SFS is a Microsoft feature that forces all network connections to login as Guest even if alternate credentials are provided. When SFS is enabled, OSCE can't login to the machine using the credentials specified, so the installation fails. SFS can be disabled via GPO or a registry hack. It can be disabled in the target machines individually under [ My Computer | Tools | Folder Options | View | Use Simple File Sharing (Recommended) ] option.
2.2 > Operating System and Related Applications
TCP Stack
The OfficeScan server may receive and establish multiple HTTP sessions to communicate with its agents. The TCP properties of Windows can be modified to prevent delays and slowdowns caused by TCP time-wait accumulation and port exhaustion. Add or modify the following registry keys to improve TCP performance.
TECHNICAL SUPPORT Best Practice Guide
17 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
MaxUserPort
Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
Data type: REG_DWORD
Default value: 5000
Range: 5,000–65,534 (port number)
Purpose: Determines the highest port number TCP can assign when an application requests an available user port from the system.
Trend Recommendation: 65,534
TcpTimedWaitDelay
Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
Data type: REG_DWORD
Default value: 0xF0 (240 seconds = 4 minutes) Range: 0x1E 0x12C (30–300 seconds)
Purpose: This determines the time that must elapse before TCP can release a closed connection and reuse its resources.
Trend Recommendation: 30
NOTE: These changes will require a reboot.
Microsoft IIS / Apache Web Server
The OfficeScan server uses either Apache or Windows IIS to communicate with its agents. The application’s CGI timeout can be increased to allow more time for the server and agent to communicate with each other. The Remote Install deployment method is dependent on this timeout as well. Copy process for the installation files over a slow link may cause installation failures.
Microsoft IIS
To modify IIS CGI settings, download and install MetaEdit or Metabase Explorer depending on the version of IIS in use.
For IIS 6, download Metabase Explorer from
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628- ade629c89499&DisplayLang=en
Install MetaEdit / Metabase Explorer.
TECHNICAL SUPPORT Best Practice Guide
18 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
After installation, open [ Start | All Programs | Administrative Tools | MetaEdit <version number> ]
Or [ Start | All Programs | IIS Resources | Metabase Explorer | Metabase Explorer ]
In the MetaEdit or Metabase Explorer console, Locate the key [ LM | W3SVC | 6033 ]. This corresponds to the CGITimeout key.
Double-click 6033 key to edit its properties. Set data parameter to 3600. Click OK to save changes.
Restart the World Wide Web Publishing Service.
For Microsoft IIS 7 on Windows 2008:
Note: To properly install IIS on Win2008, please refer to KB: http://esupport.trendmicro.com/solution/en-US/1061377.aspx
Download and install the Microsoft Administration Pack for IIS 7.0 http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1682
Or use the default IIS Manager that comes with IIS 7.0
Open IIS Manager
Select the Server in the Connections Tree View, then select the OfficeScan site
In Features view, double-click CGI
Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER, and click Apply.
For Microsoft IIS 7.5, 8.0, 8.5
Open IIS Manager
Select the Server in the Connections Tree View, then select the OfficeScan site
In Features view, double-click CGI
Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER, and click Apply.
Apache
Follow the procedure below to modify Apache’s CGI timeout:
Open <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ apache2 \ conf \ httpd.conf configuration file.
TECHNICAL SUPPORT Best Practice Guide
19 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Set Timeout 300 to Timeout 600.
Restart the Apache service.
NOTE: The definition of the Apache timeout is different from the IIS CGI timeout. With IIS, a CGI timeout of 300 seconds means that the CGI (e.g. cgiremoteinstall) must finish within 300 seconds or the session will expire. In Apache, the timeout parameter of 300 seconds means that if there is "no action" (or no next action) for 300 seconds, the session will expire.
2.2.1 2.2.1 Security Tuning
The following are recommended permission settings to the OfficeScan folders and files. These are already set as default during installation:
Directory/User
Administrator
Everyone
User
System
Ne twork Service
\PCCSRV Full control RX N/A Full control N/A
\PCCSRV\HTTPDB Full control N/A N/A N/A N/A
\PCCSRV\Log Full control N/A N/A Full control N/A
\PCCSRV\Temp Full control N/A RWXD N/A RWXD
\PCCSRV\Private Full control N/A N/A Full control RX
\PCCSRV\Download Full control R R Full control N/A
\PCCSRV\Web Full control N/A R Full control N/A
\PCCSRV\Web\Cgi Full control N/A RX N/A N/A
\PCCSRV\Web_OSC E\Web_console Full control RX N/A Full
control N/A
\PCCSRV\Web_OSC E\web_console\Remo teInstallCGI
Full control
N/A
RWXD
N/A
N/A
\PCCSRV\Web_OSC E\web_console\HTM L\ClientInstall
Full control
N/A
RWXD
N/A
N/A
\PCCSRV\Virus Full control N/A RW N/A N/A
TECHNICAL SUPPORT Best Practice Guide
20 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
There are times that the permission might have been changed accidentally. To reset the permissions back to default, follow these steps:
Open command prompt
Browse to the OfficeScan server’s PCCSRV folder (i.e drive:\Program Files\Trend Micro\OfficeScan\PCCSRV)
run the following command: SVRSVCSETUP.EXE –setprivilege
Server Certificate Authentication
OfficeScan 11.0 enhances server to agent communications by authenticating the notifications and data sent in order to protect against man-in-the-middle attacks. Authentication is implemented by using a public-key infrastructure (PKI) where the agent only accepts commands from a trusted server.
NOTE: This feature is enabled by default.
To perform authentication, OfficeScan server signs its data using a private key while the OfficeScan agent decrypts this data using a public key. These keys are uniquely generated during the installation or upgrade of any OfficeScan servers.
If for some reason, the OfficeScan server and agents have mismatched keys, agents will reject notification from this server. This could happen if the OfficeScan server had an irrecoverable crash and needs to be replaced.
NOTE: A normal OfficeScan server reinstall will automatically attempt to use the same certification to avoid certificate mismatch as shown below.
Figure 1: Caption goes here.
TECHNICAL SUPPORT Best Practice Guide
21 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
To minimize problems caused by mismatched certificates, following are recommended actions:
1. Store a copy of the certificate on a different machine/media.
Local backup of the certificate is found under: ..\PCCSRV\AuthCerBackup\OfficeScanAuth.dat
2. If you plan to have multiple OfficeScan servers within your network, consider using the same certificate. This will help avoid issues if you regularly move OfficeScan agents from one server to another.
2.3 > Server Upgrade Checklist
OSCE 11 has new features that will assist the user in migration or upgrade.
Hotfix Detection: When upgrading from previous OfficeScan server version, installation process will check and prompt you for hotfixes that are currently installed, but are not merged to OfficeScan 11.0.
NOTE: This feature is enabled by default.
Figure 2: Hotfix Detection Pop out
If you see the pop-up above, please review the hotfix list: ..\PCCSRV\TEMP\RollbackHotfix.txt
If you have important hotfixes in the list, you can consider delaying the upgrade, or requesting for an OfficeScan 11.0 equivalent hot fix(es) before proceeding.
Patch Availability Notifications: OfficeScan 11 will prompt new updates that are available. It is advisable to update to latest patch or Service Pack once available on the Management Console.
NOTE: This feature is enabled by default
22 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Figure 3: Caption goes here.
23 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Chapter 3: Sizing Summary IMPORTANT: This information can be used as a starting reference only. Actual performance may vary depending on enabled product features, topology, performance tweaks, and scan-exclusions as outlined throughout this best practice document.
The recommendations below can be used as a guideline to determine the location and number of OfficeScan servers needed to effectively manage your LAN or WAN.
A single OfficeScan server can manage up to 30,000 agents depending on the machine specifications. Below is a quick summary.
Agent Number Server Recommendation OSCE Server HW
Recommendation
Less 10K All-in-one server (OSCE/Code base with
iSPS) CPU: 4 Cores
RAM: 8GB
10K-20K*
Setup A: TMSPS + OSCE server + SQL server
Setup B: OSCE server(with iSPS) + SQL server
CPU: 8 Cores
RAM: 16GB
20K-30K
OSCE server + SQL server + TMSPS*
CPU: 12 Cores
RAM: 32GB
NOTE: Although both setups provide up to 20K agent support, it is still advisable to have a standalone Smart Protection Server. This will help provide extra headroom for resource usage spikes in the event of outbreaks or unexpected server loads. This also reduces impact to agent protection if the OfficeScan server goes offline.
Another point for considerations is the database size. Depending on the number of logs generated, disk space usage increases as well.
Here is a quick reference for SQL database size given certain number of logs and agent counts:
24 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Agent Number Table type Record Count Database Size (Estimate)
5000
Agent Information* 5000
1~2 GB
Virus Log 5000
Web Reputation Log 15000
Behavior Monitoring Log 5000
DLP Log 15000
10000
Agent Information* 10000
2~4 GB
Virus Log 10000
Web Reputation Log 30000
Behavior Monitoring Log 10000
DLP Log 30000
30000
Agent Information* 30000
6-12 GB
Virus Log 30000
Web Reputation Log 90000
Behavior Monitoring Log 30000
DLP Log 90000
*Agent Information data are stored in multiple database tables, the total size of relevant database tables is used in this table.
The table above helps to determine the initial database size of OfficeScan. These estimates are based on following assumptions:
Default Log maintenance settings applied while log deletion performed on 7 days older logs by weekly basis.
Behavior Monitoring and DLP features are enabled
The above log types are generally major contributors in terms of the log count and data sizes.
OfficeScan servers managing agents across the WAN is recommended to be installed on sites with the healthiest bandwidth, which are typically datacenters or head offices.
25 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Consider installing a local OfficeScan server for sites with approximately 500 or more agents. This is highly recommended if WAN bandwidth is limited for a particular site.
An Update Agent is a regular OfficeScan agent that is designated to replicate update information from an OfficeScan server for the purposes of distributing the update information to other OfficeScan agents.
Figure 4: Implementing Update Agents
Here is a reference on number of agents and Update agent can handle.
Agent type 2 Cores CPU machine
Network bandwidth 100Mbps 1000Mbps
Agent count 254 1022
Note: This data assumes an average daily scenario of downloading 700KB incremental pattern file, domain settings and server.ini.
26 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Sample Deployment Architecture
This table can be used as a template to scope the different sites and generate architecture proposal.
LOCATION No. of AGENTS
OfficeScan INSTALLATION
NORTH AMERICA
New York 1400 OSCE Server for North America WAN
New York 1000 Integrated Scan Server for North America
Chicago 600 Local OSCE Server
Los Angeles 500 Local OSCE Server
Dallas 71 Update Agent
San Francisco 20 Update Agent
Houston 15 Update Agent
EUROPE
London 1600 OSCE Server for Europe WAN
Paris 360 Update Agent
Nyon 70 Update Agent
Copenhagen 25 Update Agent
Milan 25 Update Agent
Zurich 20 Update Agent
Istanbul 10 Update Agent
ASIA
27 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Hong Kong 800 OSCE Server for Asia WAN
Tokyo 600 Local OSCE server (Japanese version)
Singapore 230 Update Agent
Manila 60 Update Agent
3.1 > Smart Protection Server Layout (Standalone)
IMPORTANT: OfficeScan agents running version 11.0 and later can only connect to Smart Protection Servers running version 3.0 and later.
Smart Protection Servers are placed in the local network, making them available to users who have access to their local corporate network. These servers are designed to localize operations within the corporate network to optimize efficiency. This network-based solution hosts majority of the malware pattern definitions and web reputation scores. The Smart Protection Server makes these definitions available to other endpoints on the network for verifying potential threats.
Queries are only sent to Smart Protection Servers if the risk of the file or URL cannot be determined at the endpoint.
Endpoints leverage file reputation and web reputation technology to query the Smart Protection Servers and Trend Micro Smart Protection Network as part of their regular system protection activities. In this solution, agents send only identification information determined by Trend Micro technology to Smart Protection Servers. Agents never send the entire file when using file reputation technology. Risk is determined using only the file identification information.
The integrated Smart Protection Server can be pre-installed in the OfficeScan Server if you decided to include it during the OfficeScan Server installation. These are 2 main reasons to install a Standalone Smart Protection Server:
1. If the number of smart agents are more than 10,000 instead of Integrated Smart Protection Server
2. If they don’t want to use Integrated Smart Protection Server
Load can be distributed by adding more Standalone Smart Protection Servers. Check the load balancing section below for more details.
28 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Figure 5: Smart Protection Servers.
If the latency is huge between the branch office and the main office, it is recommended to install a Standalone Smart Protection Server on the branch office. If the Standalone Smart Protection Server cannot be installed, or there are no available hardware, it’s best to switch the agents to conventional scan.
NOTE: ESXi Host has the best performance result compared to other virtualization products, e.g. Windows Hyper-v, Citrix XenServer.
Smart Protection Server Sizing Recommendations
Following hardware specification was used to install virtualization platforms and the guest Virtual Machine resource allocation for the Standalone Smart Protection Server:
High-End Machine Specifications
Model Dell PowerEdge 2950
Processor Two Xeon E5420 2.50 GHz
Logical Processors 8 (2 Processor * 4 core, no Hyper-Threading )
Memory 8GB RAM
Local Hard Disk SAS (15k rpm) 271GB
Virtualization Platforms
VMWare ESXi Server 5.1
29 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
update1
Xen Server 6.2
Microsoft Hyper-V 2012 R2
Virtual Machine Configuration
vCPU 4
Memory 2 GB
Disk 30 GB
The following table and graph show the number of agents handled by an individual Standalone Smart Protection Server meeting these performance criteria:
• Average Latency Time was less than 100ms (0.1 second)
• Total HTTP Request Failed Rate was under 0.05%
• Total Mean Value of CPU Usage was under 80%
Hypervisor Amount of Agents*
vCPU Memory CPU Usage
Transaction Rate
Failed Rate
ESXi 5.1 update1
25,000 4 2GB 65.4 2,251 0%
Xen 6.2 7,000 4 2GB 70.7 642 0.02%
Hyper-V 2012 R2
10,000 4 2GB 65.8 899 0.01%
NOTE: The transaction rate is based on OfficeScan agents, and this statistics might not be suitable for SMEX, IWSVA clients, etc.
* The amount of endpoints shows the maximum supported iCRC v2.0 agents for one TMSPS, taking into consideration there are two other TMSPS with the same loading running within the same virtualized host.
** The transaction rate is the sum of the FRS transaction rate and the WRS transaction rate per second
30 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Figure 6:
Compared to the Previous Version
The performance of TMSPS 3.0 has improved dramatically compared to the previous version. TMSPS 3.0 has increased the scalability by reducing the traffic between agents and TMSPS. Under the same test scenario, with three TMSPS running on one host, it could support more than double the number of agents compared to the previous release, TMSPS 2.5.
31 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Sizing Bottleneck
CPU
For organizations that desire the maximum transaction rate from FRS and WRS and can accept 100% of CPU usage, the CPU capability becomes the bottleneck.
Disk I/O
32 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Disk I/O speed is another important factor. Currently, the pattern updates will cause a lot of disk I/O operations. Therefore, if the customer’s environment uses external storage and shares the disk I/O bandwidth with many other VMs (or the disk I/O bandwidth is poor), then overall performance may suffer.
The disk could be monitored using performance counter provided by virtualization platform. The ESXi Server provides the following disk-related performance counters:
Kernel Latency: 0-1 ms is ideal. If > 4 ms, check the CPU usage and queue latency.
Device Latency: If > 15 ms, check for a storage array problem.
Queue Latency: 0 ms is ideal. If > 0 ms, check the storage array.
Hypervisor
If the TMSPS virtual machine shares resources with many other VMs on the same VM host, then TMSPS must compete with other VMs for disk I/O, network traffic, CPU and memory. TMSPS performance will suffer as a result.
Despite this competition for resources, hypervisors from different vendors can deliver different performance. This might be caused by emulated device drivers which are required to provide an interface between the physical hardware and the virtual machine. Generally speaking, TMSPS running on ESXi server had the best performance, compared to Xen Server and Hyper-V.
Load Balancing Smart Protection Servers can be setup in order to achieve load balancing. Load balancing will help ensure http requests can be distributed among the Smart Protection Servers.
There are two ways to achieve load balancing using the OfficeScan web console:
1. Random – This will ensure that OfficeScan Agents will randomly choose a Smart Protection Server from the Smart Protection Server list.
2. Based on IP range – OfficeScan Agent will connect to a server in the Smart Protection Server list they have been assigned to.
33 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Figure 7:
Deployment Recommendations
Smart Protection Server Redundancy
Smart Protection Servers should always be installed in redundant pairs to avoid WAN saturation in the event of a hardware failure
Full System Scans
Initial scans require more requests to the Smart Protection Server. Agents should schedule their first scheduled scan in phases, especially when their Smart Protection Server is centrally located. Running scheduled scans in batches will increase capacity and normalize iCRC network utilization.
How to decide the number of TMSPS according to active users in the environment?
Use this table as a guideline to determine how many Smart Protection Server you need inside your environment. In the event you have only a few agents and 1 Smart Protection Server is more than enough to cater to all agents, it is best practice to always install at least 2 standalone Smart Protection Server for redundancy and load balancing purposes.
34 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Hypervisor Amount of Agents*
vCPU Memory
ESXi 5.1 update1 25,000 4 2GB
Xen 6.2 7,000 4 2GB
Hyper-V 2012 R2 10,000 4 2GB
3.1.1 Using SQL Server for Database
One of the new features in OfficeScan 11 is the ability to migrate an existing database (CodeBase) to an SQL server database. This is done using the SQL Server Migration tool.
The migration tool currently supports 3 types of migrations:
OfficeScan CodeBase database to new SQL Server express database
NOTE: that choosing this option will install an SQL express server instance on the OSCE box and then migrate the database.
OfficeScan CodeBase database to a pre-existing SQL server database
OfficeScan SQL database (previously migrated) that was moved to another location.
3.1.1 Things to note before doing the migration:
When you choose to migrate to a new SQL server express database, note that OSCE will install “SQL Server 2008 R2 SP2 Express”. This is required to be installed in a Windows 2003 or Windows 2008 Sp2 server. Installing it on a Windows 2003 Sp1 server would result in failure. Refer to the MS article below for more details.
http://msdn.microsoft.com/en-us/library/ms143506(v=sql.105).aspx
OfficeScan 11 supports both SQL 2008 and SQL 2012. For SQL 2008, note that Microsoft .NET Framework 3.5 SP1 is required and that Microsoft .NET Framework 4.0 is not compatible with SQL Server 2008.
Microsoft SQL server cannot be installed on Domain Controller machines. Consider this before choosing the server to install the database or OfficeScan to.
http://support.microsoft.com/kb/2032911
“User Account Control” needs to be turned off before running the SQL migration tool on Windows Server 2008 or later (when using Windows Authentication credentials).
Refer to this article for more details on turning it off:
http://windows.microsoft.com/en-us/windows/turn-user-account-control-on- off#1TC=windows-7
35 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Make sure the OfficeScan Master Service is NOT running using the same domain user account used to log on to the SQL server. This could cause the service to fail to start after the migration.
Create a back-up copy of your existing OfficeScan CodeBase database for recovery in case there are problems encountered during the migration.
Refer to this article for more details:
http://esupport.trendmicro.com/solution/en-US/1039284.aspx
OfficeScan automatically creates the new database on the SQL server, there is no need to pre- create a blank database.
3.1.2 Migration best practices:
Ensure you click on the “Test Connection” option on the SQL migration tool before proceeding. This confirms the settings entered are correct and verifies that the connection is possible.
When using the Windows Account to log on to the server:
For a default domain administrator account:
• User name format: domain_name\administrator
• The account requires the following:
• Groups: Administrators Group
• User roles: Log on as a service and Log on as a batch job
• Database roles: dbcreator, bulkadmin, and db_owner
For a domain user account:
• User name format: domain_name\user_name
• The account requires the following:
• Groups: Administrators Group and Domain Admins
• User roles: Log on as a service and Log on as a batch job
• Database roles: dbcreator, bulkadmin, and db_owner
To verify the type of database used, check the ofcserver.ini file under the OfficeScan Server’s Private directory. (Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private)
Look for the section called “[INI_DBE_ENGINE_SECTION]” and note the value defined for DBE_ENGINE.
DBE_ENGINE=1001 ; CodeBase
DBE_ENGINE=1002 ; SQL Server
36 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
3.2 > Integrated Smart Protection Server Best Practices When opting to use the Integrated Smart Protection Server, make sure that it is actually installed and running. If Integrated Smart Protection Server is not properly installed, smart scan agents will be disconnected and will not be utilizing the cloud technology properly.
The integrated server is intended for small-scale deployments of OfficeScan, in which the number of agents does not exceed 1,000. For larger deployments, the standalone Smart Protection Server is recommended.
In OfficeScan 11, the Integrated Smart Protection Server (ISPS) ports have changed. Note the new ports used below:
Ports used by
ISPS (IIS) Ports used by ISPS (Apache)
HTTP (FRS)
8080 8082
HTTPS (FRS)
4343 4345
HTTP (WRS)
8080 5274
WARNING! When using Microsoft IIS as the Web Server, monitor the IIS logs generated by
Integrated Smart Protection Server because the daily log size can easily go up to 250MB in an
environment of around 1000 machines. IIS does not delete old IIS logs by default and can easily
consume all the available free space on the OfficeScan server.
37 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Make sure the setting “Do not save encrypted pages to disk” is not enabled in IE in order to check for whether Integrated Smart Protection Server is running or not.
Figure 8: Caption goes here.
After checking the setting above, type the URL below into your browser:
https://OfficeScan_server:port/tmcss/?LCRC=08000000BCB3080092000080C4F01936DD4300 00
You should see the following pop up which will confirm that Integrated Smart Protection Server is running.
38 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Figure 9: Caption goes here.
Ensure that OfficeScan agents can query at least two Scan servers. This avoids having a single point of failure in the event that the Smart Protection server is unreachable. In order to take advantage of the cloud technology fully, all agents must be online and connected to a Smart Protection Server. To add Smart Protection Servers go to [Administration | Smart Protection | Smart Protection Sources] then choose [Internal Agents] tab. Choose standard list or custom list based on IP address then click on Notify All Agents to push this setting.
Because the integrated server and the OfficeScan server run on the same computer, the computer’s performance may reduce significantly during peak traffic for the two servers. When possible, consider using a standalone Smart Protection Server as the primary smart protection source for agents and the integrated server as a backup.
Do not use Smart Scan as the default scanning method at the root level. Always use Conventional Scan as the root level scanning method. When selecting OfficeScan agents to use Smart Scan, always choose a regular domain instead of a root level. If the root level is defined to use the Smart Scan method, before a new agent is installed, and if it is placed in a domain where it uses Conventional Scan, it will download Conventional Scan components.
WARNING! When an agent switches from Smart Scan to conventional scan, it will download the
full pattern file if a conventional pattern file is not present or is more than 14 patterns behind.
Make sure Computer Location settings have correct settings defined. Computer Location setting can be reached by [Agents | Endpoint Location].
The default setting is “Agent connection status”. This means, OfficeScan Agents will use the reference server list defined to determine if it is an external or internal agent.
Agents that can connect to the OfficeScan Server or any of the reference servers listed, will be recognized as internal agents. These agents will therefore connect to Smart Protection servers defined under Internal Agents for Smart Protection Sources.
39 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
If connection cannot be established, the agents will be classified as external agents and will use the settings set for External Agents. By default, this is the global smart protection network (https://osce11.icrc.trendmicro.com/tmcss).
If “Gateway IP address” setting is applied, and the client computer’s gateway IP address matches any of the gateway IP addresses specified on the Endpoint Location screen, the computer’s location will be classified as internal. Otherwise, the computer’s location is external.
Optimize the performance of Smart Protection Servers by doing the following:
Avoid performing Manual Scans and Scheduled Scans simultaneously. Stagger the scans in groups.
Avoid configuring all endpoints from performing Scan Now simultaneously.
Customize Smart Protection Servers for slower network connections, about 512Kbps, by making changes to the ptngrowth.ini file.
** Customizing ptngrowth.ini for the Integrated Server:
1. Open the ptngrowth.ini file in <Server installation folder>\PCCSRV\WSS\.
2. Modify the ptngrowth.ini file using the recommended values below:
[COOLDOWN]
ENABLE=1
MAX_UPDATE_CONNECTION=1
UPDATE_WAIT_SECOND=360
3. Save the ptngrowth.ini file.
4. Restart the Trend Micro Smart Protection Server service.
3.3 > Configuration
Majority of the product default configurations provide substantial security with a consideration on server/network performance. The information noted below are different recommendations, and can be used as an additional reference to either enhance security, or achieve better performance.
NOTE: The following notifications in the UI shows these features are turned of f by default.
40 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
To turn on these features, administrators should go to [Agents | Agent Management | Settings | Additional Service Settings] and enable the service for the feature they intend to use.
41 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
WARNING: Enabling or disabling the Firewall service temporarily disconnects the agents from the
network. Ensure that you change the settings only during non-critical hours to minimize network
interruptions.
Administrators can turn on “Unauthorized Change Prevention Service” on a single server platform by enabling/disabling it through “Additional Service Settings”. Administrators can also enable/disable “Unauthorized Change Prevention Service” on Workstations by selecting a root/domain/single agent/multi-select agent.
Meerkat is used to prevent 0-day attack from a software program. It pops out a notification/alert if user downloads a 0-day program through HTTP channel or email applicationsi and then executes the program within 24 hours.
NOTE: it is default disabled on Windows Server platforms
To turn on this features, administrators should enable “Unauthorized Change Prevention Service” (TMBMSRV.EXE) and “Web Reputation”feature(tmproxy.exe).
1. Enable Unauthorized Change Prevention Service” (TMBMSRV.EXE) to monitor the process launch.
Path: Agents> Agent Management > Settings > Additional service settings > enable Unauthorized Change Prevention Service.
2. Enable Web Reputation (tmproxy.exe) to monitor the file download.
Path: Agents > Agent Management > Settings > Web Reputation Settings >Select enable Web reputation policy on the following operating systems.
To enable Meerkat function:
Path: Agent Management > Global Agent Setting > Behavior Monitoring Settings > check “Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded)” > Save
Defer scan is to improve the performance of file copy operations.This feature is integrated with VSAPI 9.713 or higher version. Originally, OSCE scan engine will perform two scans during a file copy operations. The defer scan option will add one of the file scanning into scan queue, and defer the file scanning. File copy performance will improve by enabling this.
42 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
To enable defer scan function:
Path: Agent Management > Global Agent Setting > Scan Settings > Select “Enable deferred scanning on file operations”> Save
43 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
3.3.1 Management Console
ASSESSMENT Notes and Recommendations
SECURITY COMPLIANCE
Manual Report ***Select an OfficeScan domain to run compliance report on the agents to see which agents are incompatible with server. In “Scan Compliance” view, specify one or both of the following:
• Number of days a agent has not performed Scan Now or Scheduled Scan
• Number of hours the remote or scheduled scan task has been running
Scheduled Report
Scheduled Report Enabled
***Report can show status of OfficeScan agent services, components, Scan compliance, and settings to find incompliant agents. This can be run on daily basis if needed. Trend Micro recommends enabling on-demand assessment to perform real-time queries for more accurate results. You can also disable on-demand assessment wherein OfficeScan queries the database instead of each agent. This option may be quicker but produces less accurate results.
The SMTP setting in notification page is needed for sending the scheduled compliance report to user. Follow these steps to complete the settings:
a. Go to Notification > Administrator Notifications > General Settings page, fill in the fields “SMTP server”, “Port number” and “From” in Email Notification section and click Save.
“Scan Compliance” view uses the configurations that were used to do manual assessment last time.
UNMANAGED ENDPOINTS
Define Scope
Active Directory Scope ***Select OU’s containing less than 1000 account of computers for performance baseline then increase and decrease number of computers according to performance
44 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
IP Address Scope ***Choose an IP range to scan for unmanaged endpoints
Advanced Settings
Specify Ports ***Make sure to add all OSCE server communication ports
Declare a computer unreachable by checking port
135
***Different port can be chosen but make sure it is a common port that will be available on all the computers
Settings Enabled
***Enable scheduled query for once a week to find out agents that do not have OfficeScan agent.
AGENTS Notes and Recommendations
AGENT MANAGEMENT
SCAN SETTINGS
SCAN METHOD
Conventional Scan ***Conventional scan leverages anti-malware and anti- spyware components stored locally on endpoints.
SmartScan Smart Scan now is default at the ROOT domain level. Smart Scan method should be selected at the Domain level so this way if a user installs a agent it is easier to move from conventional scan to Smart scan.
***Smart Scan leverages anti-malware and anti-spyware signatures stored in-the-cloud.
MANUAL SCAN SETTINGS
Virus/Malware Scan Settings
Target Tab
Files to scan
All Scannable Enabled
***Selecting All Scannable Files improves security by only scanning all known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.
45 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Scan Settings
Scan Hidden Folders E n a b l e d
Scan Network Drive Enabled
***This function is not needed if the remote PC already has antivirus protection. Enabling this may cause redundant scanning and performance issues.
Scan compressed files Enabled
***Scanning within 2 layers is recommended. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.
Scan OLE objects Enabled
***Scanning 3 layers is reasonable.
Detect exploit code in OLE files
Enabled
***This setting heuristically identifies malware by checking Microsoft Office files for exploit code.
Virus/Malware Settings only
Scan Boot Area Enabled
CPU Usage
Medium Enabled
***Minimizes the slowdown of PCs when a scan is initiated. It is not recommended to run manual scan during working hours due to high CPU usage.
Scan Exclusions
Enable Scan Exclusion Enabled
***Refer to section 6.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.
Apply scan exclusion settings to all scan types
Disabled
46 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Exclude directories where Trend Micro products are installed
Enabled
Action Tab
Virus/Malware
Use Active Action Enabled
***This setting will utilize the Trend Micro recommended settings for each type of virus/malware.
Customize action for probable virus/malware
Enabled
***Select Quarantine to have the ability to restore any files that are needed.
Back up files before cleaning
Enabled
Damage Cleanup Services
Advanced cleanup Enabled
Run cleanup when probable virus/malware is detected
Enabled
Spyware/Grayware
Clean Enabled
REAL-TIME SCAN SETTINGS
Enable virus / malware scan
Enabled
Enable spyware / grayware scan
Enabled
Target Tab
User Activity on Files
Scan files being created/modified and retrieved
Created/modified and retrieved
***In cases where the system is heavily accessed such as File servers, it may be advisable to select Scan files being created / modified but only use this option if the server performance is affected.
47 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Files to scan
File types scanned by Intelliscan
Enabled
***Selecting intelliscan slightly improves performance by only scanning types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.
Scan Settings
Scan floppy disk during system shutdown
Disabled
Scan Network Drive Enabled
***For additional security, it is recommended that this setting be enabled. Note that in some environments, this setting may cause performance issues, please disable if issues are encountered.
Scan Compressed Files Enabled
***Scanning 2 layers is reasonable. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.
Scan OLE Objects Enabled
***Scanning 3 layers is reasonable.
Detect exploit code in OLE files
Enabled
***This setting heuristically identifies malware by checking Microsoft Office files for exploit code.
Virus/Malware Scan Settings Only
Enable Intellitrap Enabled
***Turn off this setting on special cases if users regularly exchange/access compressed executable files in real-time.
Scan Exclusion
Enable Scan Exclusion Enabled
***Refer to 6.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.
Apply scan exclusion Disabled
48 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
settings to all scan types
Exclude directories where Trend Micro products are installed
Enabled
Action Tab
Virus/Malware
Use Active Action Enabled
***This setting will utilize the Trend Micro recommended settings for each type of virus/malware.
Customize action for probable virus/malware
Enabled
***Select Quarantine to be able to restore any files that are needed
Display a notification message on the agent computer when virus/malware is detected
Disabled
***Turn off this setting to avoid end users to see popup messages which can generate helpdesk calls.
Display a notification message on the agent computer when probable virus/malware is detected
Disabled
***Turn off this setting to avoid end users to see popup messages which can generate helpdesk calls.
Back up files before cleaning
Enabled
Damage Cleanup Services
Run Cleanup when probable virus/malware is detected
Enabled
Spyware Grayware
Clean Enabled
Display a notification message on the agent computer when virus/malware is detected
Disabled
***Turn off this setting to avoid end users to see popup messages which can generate helpdesk calls.
SCHEDULED SCAN SETTINGS
Enable Virus / Malware Enabled
49 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Scan ***Turn on Scheduled scan to scan systems on a regular basis.
Enable spyware/grayware scan
Enabled
***Turn on Scheduled scan to scan systems on a regular basis
Target Tab
Schedule
Weekly on Friday 12pm Suggested to scan during lunch time or after office hours if machine remain turned on.
Files to scan
All Scannable Files Enabled
***Selecting All Scannable Files improves security by only scanning all known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.
Scan settings
Scan compressed files Enabled
***Scanning 2 layers is reasonable. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.
Scan OLE objects Enabled
***Scanning 3 layers is reasonable.
Detect exploit code in OLE files
Enabled
***This setting heuristically identifies malware by checking Microsoft Office files for exploit code.
Virus/Malware Settings Only
Scan Boot Area Enabled
CPU Usage
Medium Enabled
***Prevent slowdown of PCs when a scheduled scan kicks off. Scan will finish longer if the setting is set to Low.
50 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Scan Exclusions
Enable Scan Exclusion Enabled
***Refer to section 6.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.
Apply scan exclusion settings to all scan types
Disabled
Exclude directories where Trend Micro products are installed
Enabled
Action Tab
Virus/Malware
Use Active Action Enabled
***This setting will utilize the Trend Micro recommended settings for each type of virus/malware.
Customize action for probable virus/malware
Enabled
***Select Quarantine to be able to restore any files that are needed
Display a notification message on the agent computer when virus/malware is detected
Disabled
***Turn off this setting to avoid end users to see popup messages which can generate helpdesk calls.
Display a notification message on the agent computer when probable virus/malware is detected.
Disabled
***Turn off this setting to avoid end users to see popup messages which can generate helpdesk calls.
Back up files before cleaning
Enabled
Damage Cleanup Services
Advanced cleanup Enabled
Run cleanup when probable virus/malware is detected
Enabled
Spyware/Grayware
51 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Clean Enabled
Display a notification message on the agent computer when virus/malware is detected
Enabled
***Turn off this setting to avoid end users to see popup messages which can generate helpdesk calls.
SCAN NOW SETTINGS
Enable Virus / Malware Scan
Enabled
Enable Spyware/grayware scan
Enabled
Target Tab
Files to Scan
File Type scanned by Intelliscan
Enabled
***Selecting Intelliscan slightly improves performance by only scanning types known to potentially carry malicious code. Using this setting also allows you to utilize True File Type scanning.
Scan Settings
Scan compressed files Enabled
***Scanning within 2 layers is recommended. Increasing the level may cause performance issues. Compressed files are scanned in real-time when extracted.
Scan OLE objects Enabled
***Scanning 3 layers is reasonable
Detect exploit code in OLE files
Enabled
***This setting heuristically identifies malware by checking Microsoft Office files for exploit code.
Virus/Malware Settings Only
Scan Boot Area Enabled
CPU Usage
Medium Enabled
***Minimizes the slowdown of PCs when a scan is
52 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
initiated. It is not recommended to run manual scan during working hours due to high CPU usage.
Scan Exclusion
Enable Scan Exclusion Enabled
***Refer to section 6.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.
Apply scan exclusion settings to all scan types
Disabled
Exclude directories where Trend Micro products are installed
Enabled
Action Tab
Virus/Malware
Use Active Action Enabled
***This setting will utilize the Trend Micro recommended settings for each type of virus/malware.
Customize action for probable virus/malware
Enabled
***Select Quarantine to be able to restore any files that are needed
Damage Cleanup Services
Advanced Cleanup Enabled
Run cleanup when probable virus/malware is detected
Enabled
Spyware/Grayware
Clean Enabled
UPDATE AGENT SETTINGS
OfficeScan agents can act as Update Agent
***Component Updates, Domain Settings, and Agent programs and hotfixes should be selected to take full advantage of Update Agents to save bandwidth and to speed up deployment.
Component Updates Enabled
53 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Domain Settings Enabled
OfficeScan agent programs and hot fixes
Enabled
PRIVILEGES AND OTHER SETTINGS
Privileges Tab
Roaming
Enable Roaming mode Disabled
***It is highly recommended to disable this function as it will allow users to stop communication between OfficeScan server and agent. This Roaming privilege allows users to isolate their systems to avoid getting notified by the server for scans or updates. This function has nothing to do with the ability to update when the machine is off the network, such as taking a laptop home.
Scans
Configure Manual Scan Settings
Disabled
***Enable this to allow users to configure their own scan setting.
Configure Real-time Scan Settings
Disabled
***Enable this to allow users to configure their own scan setting.
Configure Scheduled Scan Settings
Disabled ***Enable this to allow users to configure their own scan setting.
Scheduled Scans
Postpone Scheduled Scan Disabled
***Enable this to allow users to stop the Scheduled scan when it is triggered.
Skip and stop scheduled Scan
Disabled
***Enable this to allow users to stop the Scheduled scan when it is triggered.
Firewall (if you have firewall
54 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
activated)
Display the Firewall tab on the Agent console
Enabled
Allow users to enable/disable the firewall, Intrusion Detection System, and the firewall violation notification message
Disabled
***Enable this to allow users to configure their own firewall settings other than what is set on the OfficeScan server
Allow agents to send firewall logs to the OfficeScan server
Disabled
***Keep this disabled unless necessary as it will increase traffic between OSCE server and Agents.
Behavior Monitoring
Display the Behavior Monitoring tab on the agent console.
Disabled
Mail Scan
Display the Mail Scan tab on the agent console
Disabled
***Since most enterprise does not use POP3, this tab can be hidden to users to avoid confusion. If this setting is allowed then users can install this tool using OSCE agent GUI.
Toolbox
Display the Toolbox tab on the agent console and allow users to install Check Point Secure Agent Support
Disabled
****Unless Checkpoint Secure Agent is used, this should be turned off to avoid confusion to users.
Proxy Settings
Allow the Agent user to Configure proxy Settings
Enabled
***Enable this to allow users to configure proxy to update from internet, otherwise this can be turned off.
Component Updates
Perform Update Now Enabled
***Enabled to Allow users to initiate an update manually by right clicking on the OSCE icon on their
55 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
system tray.
Enable Scheduled Update
Disabled
***Leave this option disabled so users cannot turn off scheduled update. This will keep users up-to-date with the latest signature.
Unloading
Unloading the OfficeScan agent and unlocking advanced agent settings
Enabled
***Enable this to prevent users from unloading OfficeScan agent from their system.
Uninstallation
Uninstalling the OfficeScan agent
Enabled
***Enable this to prevent users from uninstalling OfficeScan agent from their system.
Other Settings Tab
Update Settings
OfficeScan agents download updates from the Trend Micro ActiveUpdate Server
Enabled
***Enable this function to allow agents to update from Trend Micro Active Update servers whenever the OfficeScan agent cannot contact the OfficeScan Server or the Update agents. This is especially helpful for users who travel with their laptop or bring their laptops home, keeping them up-to-date all the time.
Enable Scheduled Update s on OfficeScan agents
Enabled
***Aside from notification from the OfficeScan server for updates, this function is used to allow OfficeScan to check for updates on scheduled basis. Update checking is done in the background and no user intervention is required.
OfficeScan agents can update components but not upgrade the agent program or deploy hot fixes
Disabled
***Enable this function in environments where bandwidth is limited. This allows agent to update their regular signatures and engines and avoid downloading hotfixes or program updates from the OfficeScan server.
Web Reputation Settings
56 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Display a Notification when a web site is blocked
Enabled
***Turn this off to avoid getting popups when websites are blocked.
Behavior Monitoring Settings
Display a notification when a program is blocked.
Enabled
***Enable this function to avoid confusion on the users as to why a certain program won’t run.
C&C Contact Alert Settings
Display a notification when a C&C callback is detected
Enabled
***Enable this function to receive notifications on C&C callbacks
Central Quarantine Restore Alert Settings
Display a notification when a quarantine file is Restored
Disabled
***Enable this function to get notifications when a quarantined files are restored
OfficeScan agent Self-protection
Protect OfficeScan agent services
Enabled
Protect files in the OfficeScan agent installation folder
Enabled
Protect OfficeScan agent registry keys
Enabled
Protect OfficeScan agent processes
Enabled
Scheduled Scan Settings
Display a notification before a scheduled scan occurs
Disabled
Cache Settings for Scans
Enable the digital signature Enabled and set to 28 days.
57 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
cache
Enable the on-demand scan cache
Disabled
***If on demand scans are seldomly run then enabling this is not necessary since the console settings are satisfactory, if you want to enable this then extending the expiration would be better option.
OfficeScan agent Security Settings
High: Restrict users from accessing OfficeScan agent files and registries
Enabled
***Setting this to high prevent regular users from deleting OfficeScan files and registry entries.
POP3 Email Scan Settings
Scan POP3 email Disabled
***Enable this only when you use POP3 mail in your network. When selected, this setting enabled POP3 mail scan on the agent console. Note that this setting only applies to agents with the mail scan privileges.
OfficeScan Agent Console Access Restriction
Do not allow users to access the agent console from the system tray or Windows Start menu
Disabled
***In some environment where any user changes are prohibited, this function allows administrators to restrict users from accessing the OfficeScan Agent console.
Restart Notification
Display a notification message if the agent computer needs to restart to finish cleaning infected files.
Enabled
ADDITIONAL SERVICES
Unauthorized Change Prevention Service
Enabled
***Unauthorized Chang Prevention Service regulates application behavior and verifies program trustworthiness. Behavior Monitoring, Device Control, Certified Safe Software Service, and Agent Self protection all require this service. If an Administrator wants to allow this service on a server then a single server
TECHNICAL SUPPORT Best Practice Guide
58 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
must be chosen to view the option to enable this service.
Firewall Service
***This setting will turn on the firewall service on the OfficeScan agents.
WARNING: Enabling this service will temporarily disconnect the OfficeScan agent from the network.
Suspicious Connection Service ***The Suspicious Connection Service provides advanced protection against Command & Control callbacks through the following features:
User-defined IP Approved and Blocked lists
Global C&C IP List
Malware network fingerprinting
Advanced Protection Service ***Advanced Protection Service facilitates advanced scanning and protection features. Behavior Monitoring and Browser Exploit Prevention require this service.
WEB REPUTATIN SETTINGS
External agents tab
Enable Web Reputation Policy on the following operating systems:
Enabled
***Enable this feature to protect agents from web threats when they are not connected to the internal network. Enabling this will provide them protection from accessing malicious sites.
Enable assessment Disabled
***Administrator can enable assessment to monitor the type of detections before deploying Web Reputation. When assessment is turned on OfficeScan will not take any action.
Check HTTPS URLs Enabled
Scan common HTTP ports only Disabled
***When disabled, WRS will scan all HTTP URLs regardless of their port information. If
TECHNICAL SUPPORT Best Practice Guide
59 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
enabled, only URLs with no port information or those that point to ports 80, 81, or 8080 will be scanned.
Security Level
Medium Enabled
Untested URLs
Block pages that have not been tested by Trend Micro
Enabled
***Note that any website that has not been tested by Trend Micro will be blocked if it’s enabled.
Browser Exploit Prevention
Block pages containing malicious script
Enabled
Agent Log
Allow agents to Send Logs to the OfficeScan Server
Enabled
***Depending on security requirements, you may or may not want to monitor what sites are being blocked on the agent side. On the other hand, turning this on will generate traffic between server and agents.
Internal agents tab
Enable Web Reputation Policy on the following operating systems:
Enabled
***If there is already a web security on the gateway, this may be turned off.
Enable Assessment Disabled
***Administrator can enable assessment to monitor the type of detections before deploying Web Reputation. When assessment is turned on OfficeScan will not take any action.
Check HTTPS URLs Enabled
Scan common HTTP ports only Disabled
***When disabled, WRS will scan all HTTP URLs regardless of their port information. If enabled, only URLs with no port information or those that point to ports 80, 81, or 8080 will be scanned.
TECHNICAL SUPPORT Best Practice Guide
60 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Send queries to Smart Protection Servers
Enabled
***Agents will send queries to Smart Protection Servers. Make sure they are available. If this option is disabled then agents will need internet access to reach Trend Micro Smart Protection Network, if agent does not have web access then it will use approved/blocked web site list as the only web reputation date.
Security Level
Low Enabled
***Internet traffic usage is lowest and browsing info is kept in house. When combine with “Use only Smart Protection Servers, do not send queries to Smart Protection Network” checked, Security level is always ‘low’.
Untested URLs
Block pages that have not been tested by Trend Micro
Enabled
Browser Exploit Prevention
Block pages containing malicious script
Enabled
Approved/Blocked URL List
Enable approved/blocked list Enabled
Agent Log
Allow agents to Send Logs to the OfficeScan Server
Enabled
***Depending on security requirements, you may or may not want to monitor what sites are being blocked on the agent side. On the other hand, turning this on will generate traffic between server and agents.
SUSPICIOUS CONNECTION SETTINGS
Notes and Recommendations
Log network connections made to addresses in the Global C&C IP list
Enabled
TECHNICAL SUPPORT Best Practice Guide
61 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Log and allow access to User-defined Blocked IP list addresses
Log connections using malware network fingerprinting
Clean suspicious connections when a C&C callback is detected
Disabled
***Enable this feature to perform assessment of the violations first, then set to Disable.
Enabled
***OfficeScan performs pattern matching on packet headers. OfficeScan logs all connections made by packets with headers that match known malware threats using the Relevance Rule pattern.
Enabled
***OfficeScan uses GeneriClean to clean the malware threat and terminate the connection to the C&C server.
BEHAVIOR MONITORING Notes and Recommendations
Enable Malware Behavior Blocking for known and potential threats
Known Threats
***Enable this setting to protect your agents from specific threats, threat types and threat families through behavior analysis.
Enable Event Monitoring Enabled
***Enable this to monitor system events to filter potentially malicious actions. Refer to list below for recommended settings if this is enabled.
Policies (Under Event Monitoring if Enabled)
** The “Assess” action will log events that violate the policy but will not take action. To avoid interfering with normal activity, it is recommended that administrators start with this action set for all policies. This would help them define the proper action they need to take once data is available.
Duplicated System File Assess
Hosts File Modification Assess
TECHNICAL SUPPORT Best Practice Guide
62 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Suspicious Behavior Assess
New Internet Explorer Plugin
Assess
Internet Explorer Setting Modification
Assess
Security Policy Modification Assess
Program Library Injection Assess
Shell Modification Assess
New Service Assess
System File Modification Assess
Firewall Policy Modification Assess
System Process Modification Assess
New Startup Program Assess
Exceptions (Approve/Block) ***Enter the full path of programs you would want to exempt from Behavior Monitoring or directly Block.
DEVICE CONTROL Notes and Recommendations
External Agents tab
Enabled Device Control Enabled
***Enable this setting to take advantage of the “Block autorun function on USB devices” but leave Full Access permissions for the devices unless there is a need to control them due to virus outbreaks/data leak prevention
Apply all settings to internal agents
Disabled
Block autorun function on USB storage devices
Enabled
***Enable this to prevent the potential threat autorun can cause.
Storage Devices
CD/DVD Full Access
TECHNICAL SUPPORT Best Practice Guide
63 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Floppy Disks Full Access
Network Drives Full Access
USB storage devices Full Access
Program Lists
Programs with read and write access to storage devices
***Enter the full path of programs y ou would allow write access to storage devices.
Programs on storage devices that are allowed to execute
***Enter the full path of programs you would want to allow execution
Notification
Display a notification message on the agent
Computer when OfficeScan detects unauthorized
Enabled
***Enable this when device control access is not set to “Full Access” to avoid causing confusion to users as to why they cannot access their drives fully.
Internal Agents tab
Enabled Device Control Enabled
***Enable this setting to take advantage of the “Block autorun function on USB devices” but leave Full Access permissions for the devices unless there is a need to control them due to virus outbreaks/data leak prevention
Apply all settings to external agents
Disabled
Block autorun function on USB storage devices
Enabled
***Enable this to prevent the potential threat autorun can cause.
Storage Devices
CD/DVD Full Access
Floppy Disks Full Access
Network Drives Full Access
USB storage devices Full Access
TECHNICAL SUPPORT Best Practice Guide
64 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Program Lists
Programs with read and write access to storage devices
Programs on storage devices that are allowed to execute
Notification
Display a notification message on the agent
Computer when OfficeScan detects unauthorized
***Enter the full path of programs y ou would allow write access to storage devices.
***Enter the full path of programs you would want to allow execution
Enabled
***Enable this when device control access is not set to “Full Access” to avoid causing
NetBIOS domain
Active Directory domain
DNS domain
***Only used during installation of a agent
Custom agent groups ***Can be used anytime to group agents
Automatic Agent Grouping ***Administrators can create agent grouping according to Active Directory or IP
Schedule Domain Creation Enabled
******Performing scheduled domain creation creates a domain in the agent tree. This may take a long time to complete, especially if the scope is broad. However, this does not move existing agents to this domain. Custom agent grouping must be used.
To move the agents, refer to manual sort agent or OfficeScan can automatically move agents when the following events occur:
1. Agent installation,
2. Agents reload
3. Agents change IP addresses
4. Agents enable or disable roaming mode
AGENT GROUPING Notes and Recommendations
CUSTOM AGENT GROUPS Notes and Recommendations
TECHNICAL SUPPORT Best Practice Guide
65 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
GLOBAL AGENT SETTINGS Notes and Recommendations
TECHNICAL SUPPORT Best Practice Guide
65 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Scan Settings
Add Manual Scan to the Windows shortcut menu on agent computers
Disabled
***Enable this function to allow users to right-click on files or folders to perform a manual scan.
Exclude the OfficeScan server database folder from Real-time Scan
Enabled
***Prevent OfficeScan database from getting corrupted.
Exclude Microsoft Exchange server folders from scanning
Enabled
***Prevent OfficeScan from interfering with the mails being processed by the Exchange server and the antivirus that scans the mail traffic.
Enabled deferred scanning on file operations
Disabled
***This option can be enabled to help improve performance of file copy operation
Scan Settings for Large Compressed Files
Configure scan settings for large compressed files
Enabled
***This option will skip files within the compressed files from being scanned to improve on performance
Real-time scan
Do not Scan files (in a compressed file) if size exceeds
In a compressed file, scan onle the first X files
2MB
10 files
Manual Scan/Scheduled
Scan/Scan Now
Do not Scan files (in a compressed file) if size exceeds
In a compressed file, scan onle
30MB
TECHNICAL SUPPORT Best Practice Guide
66 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
the first X files 100 files
Virus/Malware Scan Settings only
Clean/Delete infected files within compressed files
Enabled
Spyware/Grayware Scan Settings Only
Enable Assessment Mode
Enabled
***Turn this on with a recommended of at least 3 weeks to allow administrator to assess the detection of spyware in the network. Any detection will not have any action taken on them. This allows admin to monitor and verify if there are any false positive detections specially on home grown applications.
Scan for Cookies Enabled
***Turn on to allow cookie scanning and cleaning
Count Cookie into spyware log Disabled
***Turn this off to prevent logs generated from cookie detection to overpopulate the virus log database.
Scheduled Scan Settings
Remind users of the Scheduled Scan
10 minutes before it runs
***This setting only applies to users who have the privilege to control Scheduled scans.
Postpone Scheduled Scan for up to 1 hour
***This setting only applies to users who have the privilege to control Scheduled scans.
Automatically stop Scheduled Scan when scanning lasts more than
Disable
Skip Scheduled Scan when a wireless computer’s battery life is
Enable
TECHNICAL SUPPORT Best Practice Guide
67 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
less than ***Enable this setting (20 percent) when there is a number of laptop users in your environment to save battery life.
Resume a missed scheduled scan Enable
Virus/Malware Log Bandwidth Settings
Enable OfficeScan agents to consolidate network virus logs and send them to the OfficeScan server hourly.
Enabled
***This allows agents to send only a single log to server on multiple detection of viruses detected on the same location, same virus for a period of time
Firewall Settings (If you have firewall activated)
Send firewall logs to the server every
4 hours
***If it is really needed, set this to Daily or every 4 to 8 hours to prevent agents from saturating the network by sending logs at short intervals regularly.
Update the OfficeScan firewall driver only after a system reboot
Enabled
***This setting will let agents update the firewall driver settings during reboot. This way there will be no loss of network connectivity. This setting applies to only updates/upgrades done through OfficeScan server.
Send firewall log information to the OfficeScan server hourly to determine the possibility of a firewall outbreak.
Enabled
Behavior Monitoring Settings
Automatically allow program if agent does not respond within X seconds.
30
***If timeout is reached, BM will “allow” the program.
Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms
Enabled
***Help prvent 0-day attack by monitoring applications that are downloaded through HTTP channel/email. Administrators should
TECHNICAL SUPPORT Best Practice Guide
68 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
excluded) enable ‘Unauthorized Change Prevention Service’ and ‘Web Reputation’ to have this feature
Certified Safe Software Service Settings
Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and antivirus scans
Disabled
***When enabled, the OSCE agent will query the Trend Micro back-end servers via the Internet to reduce BM false alarms.
C&C Contact Alert Settings
Define customized Approved
and Blocked IP lists used to detect C&C callbacks
***Define approved or blocked IP, IP range or subnets for C&C callback
Updates
Download only the pattern files from the ActiveUpdate server when performing updates
Disabled
***Administrators can use this setting to let OfficeScan agents to update only patterns from the Trend Micro Active Updatesite
Reserved Disk Space
Reserve 60 MB of disk space for updates
Enabled
Unreachable Network
Server Polling ***Select the IP range of unreachable network and how often the agents should poll to the server.
Heartbeat
Allow agents to send heartbeat to the server
Enabled
***Only agents in the unreachable network should send heartbeats since other agents would be connected to the server.
TECHNICAL SUPPORT Best Practice Guide
69 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Agent send heartbeat every 10
The agent is offline if there is no heartbeat after X minutes
60
Alert Settings
Show the alert icon on the Windows taskbar if the virus pattern file is not updated after X days
5
Enabled
***Only agents in the unreachable network should send heartbeats since other agents would be connected to the server.
Display a notification message if the agent computer needs to restart to load a kernel mode driver
Enabled
***When firewall is enabled, it is suggested to have this turned on so that whenever the firewall driver is updated, the agent may be notified to reboot for the update to take effect, otherwise, without reboots, the firewall may not function properly with the updated component.
OfficeScan Service Restart
Automatically restart an OfficeScan agent service if the service terminates unexpectedly
Enabled
Restart the service after 1 minute
If the first attempt to restart the service fails, retry
6 times
Reset the restart failure count after 1 hour
Automatically detect settings
Enabled
***To allow auto detection of proxy for updates, this can be enabled
Use automatic configuration script Disabled
***To allow use of proxy scripts for connection, this can be enabled.
Proxy Configuration
Automatically detect settings Enabled
***To allow auto detection of proxy for updates, this
TECHNICAL SUPPORT Best Practice Guide
70 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
can be enabled
Enabled
***OfficeScan agents will try to communicate with reference servers to determine if their status will be online or offline if the OfficeScan server is not available.
Prefered IP Address
Agents with IPv4 and IPv6 addresses register to the server using
IPv4 first then IPv6
ENDPOINT LOCATION Notes and Recommendations
Endpoint Location
Agent Connection status (edit reference server list)
Disabled
***Gateway addresses can be entered instead of reference list to determine whether OfficeScan agents are online or offline.
Gateway IP address
Mac address (optional)
CONNECTION VERIFICATION Notes and Recommendations
Scheduled Verification
Enable Scheduled Verification Enabled Daily at 10:30am
***This allows the server to recheck the status of the agents that are in the network, it is ideal to set it to run on a schedule where most agents are already online.
LOGS Notes and Recommendations
LOG MAINTENANCE
Enable Scheduled Deletion Enable
***Enable this to maintain a manageable size of log and prevent performance issue on the OSCE server when retrieving logs. If Control Manager is used the logs are also sent to Control Manager, hence there is no need to keep 2 copies of logs. You can get reports from Control
TECHNICAL SUPPORT Best Practice Guide
71 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Manager. Ensure all Log types are selected.
Logs to Delete
Logs Older than 7 days
***To Keep the log database small enough for efficiency.
Log Deletion Schedule Daily @ 2am
***It is advisable to have this checked everyday. The Time suggested is 2am so that the traffic to server is low and can be purged before the system backup kicks off. OfficeScan Server automatically does database maintenance during midnight, so avoid scheduling during this time.
UPDATES Notes and Recommendations
SER VER
Enable scheduled update of the OfficeScan server
Enabled
Update Schedule Hourly
***It is best to check on a more regular basis to get the latest updates.
Agents
Agent Automatic Updates
Initiate component update on agents immediately after the OfficeScan server downloads a new component
Enabled
Include roaming agent(s) Disabled
***It is unnecessary if the agents are offline and unreachable.
Let agents initiate component update when they restart and connect to the OfficeScan server (roaming agents are
Enabled
***There are instances where the agents are offline when the server updated from the internet. This function will allow
TECHNICAL SUPPORT Best Practice Guide
72 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
excluded) agents to get their updates from the server when they are back online.
Perform Scan Now after update (excluding roaming agents)
Disabled
***It is not extremely necessary to do a full scan right after performing an update. The scheduled scan is normally sufficient.
Schedule-based Update
2 or 4 hours
Enabled
***Depending on the number of agents that the server manages, you can set this from 2 hours to every 4 hours. This is the setting to configure agents on how often they will check for updates fro the OfficeScan server, the update agent or the Internet.
Agent Update Source
Standard Update Source Enabled
***Enable this if No update agents will be used
Enabled
***Administrators can allow agents to get updates from OfficeScan servers if Update Agents are not available
Customized Update Source
Update Agents update components, domain settings, and agent programs and hot fixes, only from the OfficeScan server
Enabled
***Enable this to have update agents always update from the OfficeScan server
OfficeScan agents update the following items from the OfficeScan server if all customized sources are unavailable or not found:
Components Disabled
***To allow OfficeScan agents to strictly update from update agents for pattern and engine updates.
Domain Settings Enabled
***Domain settings are small enough to allow agents to go to OfficeScan server to get updates from as long as Update Agents are not available.
TECHNICAL SUPPORT Best Practice Guide
73 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
OfficeScan agent programs and hotfixes
Disabled
***This setting should not be turned on unless OfficeScan agents are allowed to upgrade from OfficeScan server. This might cause bandwidth problems depending on the network.
NOTIFICATIONS Notes and Recommendations
ADMINISTRATOR NOTIFICATIONS
Standard Notifications
Virus/Malware
Send notifications only when the action on the virus/malware is unsuccessful
Enable
***Enable this to only notify when an action failed on the virus/malware.
Spyware/Grayware
Send notifications only when the action on the virus/malware is unsuccessful
Enable
***Enable this to only notify when an action failed on the spyware/grayware.
Outbreak Notifications
Virus/Malware Enable
***Enable this to alert administrators when infections are starting to grow.
Unique Sources 1
Detections 100
Time Period 24 hrs
Spyware/Grayware Enabled
***Enable this to alert administrators when infections are starting to grow.
Unique Sources 1
Detections 100
Time Period 24 hrs
TECHNICAL SUPPORT Best Practice Guide
74 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Firewall Violations
Monitor Firewall violations on networked computers
Enabled
***Enable this to alert administrators when there are suspicious firewall violations
IDS Logs 100
Firewall Logs 100
Network Virus Logs 100
Time Period 1 hr
Shared Folder Session
Monitor Shared Folder session on your network
Enabled
***Enable this to alert administrators of suspicious network sessions being generated.
Shared Folder Sessions 100
Time Period 3 min
ADMINISTRATION Notes and Recommendations
Account Management
User Accounts ***User accounts are used to logon to OSCE web console. These accounts are assigned privileges as deemed appropriate. Use this section to add custom accounts or Active Directory accounts.
User Roles ***User roles define a list of operations that a user can perform. These operations are roughly tied to the navigation menu. Use this section to assign/create/modify roles for a user or a windows group. This would give the account permission to perform operations defined in that group.
SMART PROTECTION
Smart Protection Sources
Internal Agents
TECHNICAL SUPPORT Best Practice Guide
75 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Use the standard list (for all internal agents)
***The setting will configure the agents to check the Scan Servers in the order specified on the liste. (Integrated Smart Protection Server will always be last)
***If all Scan Servers are equal in performance, availability and location, the random setting will allow the agents to load balance between all of the Smart Protection Servers on the list.
Use customer lists based on agent IP address
***Use this setting to customize which Smart Protection Server agents will use. It is recommended that each sub site will have its own Smart Protection Server.
Use standard list if customer list becomes unavailable
Enabled
***To help ensure full redundancy in situations where the customer Smart Protection Server list is unavailable, the agent should check the standard list
Integrated Server
***Check box should be enabled if the Integrated Smart Protection Server will be used. The Integrated Smart Protection Server should not be used to suppor more than 3000 agents in a primary role. If more than 3000 agents need to be supported a Stand-Alone Smart Protection Server should be installed in the environment and the Integrated Smart Protection Server should be used for backup purposes only.
Enable File Reputation Service Enabled
Use HTTP for scan queries Enabled
Enable Web Reputation Service Enabled
Enable scheduled updates Enabled
Update Settings Hourly
Enable scheduled updates Enabled
***When enabled, Trend Micro Smart Feedback shares threat information with the Smart Protection Network, allowing Trend Micro to rapidly identify and address new threats.
TECHNICAL SUPPORT Best Practice Guide
76 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Smart Feedback
Smart Protection Network Disabled
Active Directory
Active Directory Integration
Active Directory Domains ***Add Active Directory domains OfficeScan will associate with the agent tree.
Encrypt Active Directory Credentials ***Specif an ecryption key and file path to ensure an additional layer of protection for your Active Directory credentials.
Scheduled Synchronization
Enable Scheduled Active Directory synchronization
Enabled
***Administrators can set the scheduled synchronization daily.
Settings
Proxy Settings
Internal Proxy
Agent Connection with the OfficeScan Server Computer
Use the following proxy settings when agents connect to the OfficeScan server and the Integrated Smart Protection Server.
Disabled
***This should be disabled all the time unless the OfficeScan Agents require connection to an intranet proxy to communicate with the OfficeScan Server.
Agent Connection with the Local Smart Protection Servers
Use the following proxy settings when agents connect to the local Smart Protection Servers.
Disabled
***This should be disabled all the time unless the OfficeScan agents require connection to an INTRANET proxy to communicate with the local Smart Protection Server.
External Proxy
TECHNICAL SUPPORT Best Practice Guide
77 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
OfficeScan Server Computer Updates
Use a proxy server for pattern, engine, and license updates
Enabled
***Enable this option and fill out the fields when a proxy server is required to download updates from the internet.
Agent Connection with Trend Micro Servers
Specify proxy server authentication credentials the agent will use to connect to the Trend Micro Global Smart Protection Server and Web reputation servers.
Enabled
***Fill this out if the proxy server used requires authentication credentials.
Inactive Agents
Enable automatic removal of inactive agents
Enabled
***Enable this function to allow OfficeScan to remove old agents that are inactive for X days. Whenever these agents come back online, they will automatically be added and show up in the console.
Automatically remove a agent if inactive for X days
7 days
Quarantine Manager
Quarantine folder capacity 10240MB
***Please note that the Quarantine folder on the OfficeScan server does not cleanup by itself. It is important to clean the folder up on a regular basis.
Maximum size for a single file 5 MB
Web Console Settings
Auto Refresh Settings
Enable Auto Refresh Enabled
***Set it for 30 seconds
Timeout Settings
Enable Timeout Setting Enabled
***Set it for 30 minutes
Database Backup
TECHNICAL SUPPORT Best Practice Guide
78 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Database Backup Schedule
Enable Scheduled Database Backup Daily @ 3AM
***OfficeScan Server does database maintenance usually at midnight, and it is best not to interfere with the maintenance so it is recommended either to set the time few hours before or few hours after Midnight after log purging.
3.3.2 INI Configuration Files
OfcScan.ini
PARAMETER USAGE / NOTES
[Global Setting]
DisableTSCAtStart=1
Add/Change value to 1 to disable the Damage Cleanup service from executing whenever the OfficeScan realtime scan starts up. This is helpful for systems with low resource to speed up the bootup/startup time.
[Global Setting]
UADuplicationOptValue =128
Enable this feature to allow Update Agents to download only one incremental file from the OfficeScan server and allow it to automatically generate full pattern and the rest of the incremental files. This will help minimize bandwidth usage.
[Global Setting]
ScheduledScanForNetworkDrive=1
If the remote PC does not have an antivirus, this function enables scheduled scans for network drives.
***This function is not needed if the remote PC already has antivirus function. Enabling this may cause redundant scheduled scanning and performance issues.
[Global Setting]
EnableRTScanUSBInsert=1
If this function is turned on by setting the value to 1, USB will be scanned by Real Time Scan
TECHNICAL SUPPORT Best Practice Guide
79 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
[Global Setting]
USBScanConfirm=1
If this function is turned on by setting the value to 1, USB will give a pop up message asking the user if they want to scan the device.
***Note: Device Control Settings will take higher priority than USB scan insertion
[Global Setting]
IntensiveScanThreshold=0
Manual scan supports switching to Intensive Scan which is a higher detecting mode once the detected virus number is over a certain threshold. To enable, set a value.
***Ex: when setting up the value, “5” means using “5” as the intensive threshold. Ideal threshold value should be 100.
[Global Setting]
SupportToConfigureWRServerPlatformForMultiAgent=1
This setting enables admins to select multiple servers at once when enabling WRS function on server platforms.
OfcServer.ini
PARAMETER USAGE / NOTES
[INI_AD_INTEGRATION_SECTION]]
ApplyFQDNToResolveIPFirst=1
For FQDN environment only when this is set to 1. Enable this option to resolve IP from FQDN.
If this is set to 0, OfficeScan resolve IP from NetBIOS first and then resolve IP from FQDN.
If this is set to 1, OfficeScan resolve IP from FQDN first and then resolve IP from NetBIOS.
[INI_AD_INTEGRATION_SECTION]]
EnableQueryAllContainer=1
When this option is set to 1, it allows Active Directory Integration to query all objects including containers.
80 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
3.4 > Performance Tuning OfficeScan Server (ofcscan.ini) Parameters
The parameters below can be added or edited to further improve the performance of the OfficeScan server.
PARAMETER (ofcscan.ini) USAGE / NOTES
Command_Handler_Maxium_Thread_Number This OfficeScan server parameter controls the number of threads responsible for receiving agent communications. Default value is 20. Add the parameter under [INI_SERVER_SECTION] of ofcscan.ini to modify default setting. Recommended value is 20 multiplied by the number of CPUs.
NOTE: the word Maxium is intentionally misspelled.
DB_MEM_OPT_MAX Increase the server database cache to improve performance. Recommended value is at 10% of available memory.
Increase the number of Command Handler threads
Edit <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ ofcscan.ini
Add the parameter Command_Handler_Maximum_Thread_Number= under [INI_SERVER_SECTION] section and set its value to 20 x Number of CPUs.
Restart the OfficeScan Master Service.
Increase Database Cache to improve performance
Edit <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ ofcscan.ini
Locate the entry DB_MEM_OPT_MAX = 10240 and set its value to be at least 10% of available memory.
Restart the OfficeScan Master Service.
81 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Verify Connection Thread Count Parameter
Go to the [INISERVER_SECTION] section.
Look for the VerifyConnectionThreadCount=16 parameter.
This value is dependent on the network capacity. If you have a 100 Mbps intranet, entering a value of 64 or 128 is acceptable.
82 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Chapter 4: Backup and Disaster
Recovery NOTE: Section below applies only to OfficeScan itself (does not include plug-ins and the Integrated Scan Server backup). Customers who have OfficeScan with Integrated Scan Server should not follow these steps.
4.1 > OfficeScan Server Database Files
The OfficeScan server can be set to automatically backup agent database information. This is configurable via the web-based management console under [ Administration | Database Backup ] section. This process copies all database files under [ <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ HTTPDB ] to either a local or remote location. It is recommended to do a Daily backup especially during agent deployment. The schedule can be changed to Weekly after the deployment is complete. It is also recommended to configure the backup to start at 2:00 AM when agent interaction is minimal and the process does not coincide with other OfficeScan scheduled tasks. It is recommended to use the OfficeScan builtin backup function to do the backup for the database. Using third party application to backup the database may cause system instability or database corruption.
4.2 > OfficeScan Server Configuration Files It is also recommended to manually backup the OfficeScan server configuration files which can be used to recover from a server disaster.
Backup OfficeScan Server Configuration Stop the OfficeScan Master Service
Manually Back up the OfficeScan Server and Firewall configuration files:
OfficeScan Server and Firewall configuration Files
\ PCCSRV \ Ofcscan.ini – Server configuration information
\ PCCSRV \ Private \ Ofcserver.ini – Server and Update Source configuration
83 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
\ PCCSRV \ Ous.ini – Agent update source configuration
\ PCCSRV \ Private \ PFW folder – Firewall profiles / policies
\ Private \ SortingRuleStore \ SortingRule.xml
\ Private \ AuthorStore folder – RBA User Profile
\ Private \ vdi.ini – vdi settings
Start the OfficeScan Master Service. Run Certificate Manager tool to backup certificate used for OfficeScan communication with its agents. Open cmd prompt with administrator privileges then Go to [ <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ ADMIN \ UTILITY \ CERTIFICATE MANAGER ] folder. Run the following commands to backup certificate.
CertificateManager.exe –b [Password] [Certificate Path]
Example: CertificateManager.exe –b mypassword c:\certificate.zip
Make a backup copy of c:\certificate.zip along with other OfficeScan Server configurations.
In an event of server corruption, the OfficeScan server settings can be restored by following the procedure below.
Restoring OfficeScan Server Configuration This procedure assumes that the OfficeScan server is being restored to the same host,
using the same FQDN and IP address.
Stop the OfficeScan Master Service and WWW Publishing Service.
Restore the backup database files under [ <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ HTTPDB ]
Restore the OfficeScan server and Firewall policy configurations
o \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Ofcscan.ini
o \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Private \ Ofcserver.ini
o \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Ous.ini
o \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Private \ PFW directory
o \ Private \ SortingRuleStore \ SortingRule.xml
o \ Private \ AuthorStore folder – RBA User Profile
o \ Private \ vdi.ini
From the command prompt, go to \Program Files\Trend Micro\ OfficeScan folder and Run the command srvsvcsetup.exe –setprivilege.
84 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Restart the OfficeScan Master Service and WWW Publishing Service. Restore OfficeScan certificate by importing it during installation. In above example, certificate.zip is the file that needs to be selected to import the certificates.
4.3 > OfficeScan Agent Configuration Settings Saving the Agent Configuration Settings
Log on to the Officesan Management Console
Go to Networked Computers | Agent Management
To save the Global Domain settings, highlight the OfficeScan Server domain; To save just the domain level setting, highlight only the subdomain; To save only a specific agent’s setting, highlight the agent.
Once highlighted, select Settings | Export Settings
Click on the Export button and save the file.
Restoring the Agent Configuration Settings
Log on to the Officesan Management Console
Go to Networked Computers | Agent Management
To restore the Global Domain settings, highlight the OfficeScan Server domain; To restore just the domain level setting, highlight only the subdomain; To restore only a specific agent’s setting, highlight the agent.
Once highlighted, select Settings | Import Settings
Browse to the DAT file saved previously that you want to restore, then click in Import button
Put a check to Apply to all Domains or Apply to all computers belonging to the selected domain(s)
Click on the Apply to Target button
85 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Chapter 5: Behavior Monitoring Trend Micro™ OfficeScan™ protects enterprise networks from malware, network viruses, Web- based threats, spyware, and mixed threat attacks. Behavior Monitoring and Device Control are some of the new OfficeScan features that proactively aim to prevent malware attacks.
This document aims to increase knowledge about Behavior Monitoring and Device Control and help readers avoid potential issues during deployment.
5.1 > Behavior Monitoring Overview Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating system or installed software. Behavior Monitoring is composed of the following sub-features:
Malware Behavior Blocking
Event Monitoring
5.1.1 Malware Behavior Blocking
Malware Behavior Blocking provides a necessary layer of additional threat protection from programs that exhibit malicious behavior. It observes system events over a period of time and as programs execute different combinations or sequences of actions, Malware Behavior Blocking detects known malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of protection against new, unknown, and emerging threats.
Figure 1-1: Malware Behavior Blocking setting
A new option, Known and potential threats, provides a more aggressive scan mode to detect malwares which has higher detection rate.
Under this mode, system will query DCE (product calls DCE to perform memory scan and decides the scan action) and Census (product queries the Census backend server and then feedbacks the action)
Registry Location on an Agent
86 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Path: \PC-cillinNTCorp\CurrentVersion\AEGIS
Key: EnableTDC (Value: 1-Aggressive; 0-Normal)
DCE detects log type : Virus/Malware
Census detects log type: Behavior Monitoring
5.1.2 Event Monitoring
Event Monitoring provides a more generic approach to protecting against unauthorized software and malware attacks. It uses a policy-based approach where system areas are monitored for certain changes, allowing administrators to regulate programs that cause such changes.
If attempts to change the system are made, Event Monitoring will:
Refer to the Event Monitoring policies and perform the configured action.
Notify the user or administrator
Use the Event Monitoring if you have specific system protection requirements that are above and beyond what is provided by Malware Behavior Blocking.
Figure 1-2: Event Monitoring setting
87 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Administrators can choose to perform one of the following actions to respond to monitored events:
Assess: Always allow processes associated with an event but record this action in the logs for assessment
NOTE: Use this option during initial deployment to assess the impact of enabling Behavior Monitoring features.
Allow: Always allow processes associated with an event
Ask When Necessary: Prompts users to allow or deny processes that may have violated Behavior Monitoring policies. If selected, a prompt asking users to allow or deny the process and add to the Allowed Programs or Blocked Programs appears. If users do not respond within the time period specified in the Behavior Monitoring settings screen, OfficeScan automatically allows the process to continue.
Deny: Always block processes associated with an event and record this action in the
logs
Here’s a sample log while “Shell Modification” event was violated by a process
2012/2/12 12:31 ComputerName Shell Modification Assess Process Low C:\kh\notes\nlnotes.exe Create HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
NOTE: While testing the function, don't modify hosts file with notepad.exe, notepad.exe is in AEGIS white list, as a result, nothing occurs as modifying hosts file with notepad.exe.
88 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
5.1.3 Enabling Behavior Monitoring NOTE: Since Malware Behavior Blocking is enabled by default, Trend Micro strongly recommends identifying system-intensive applications and adding them to the exception list before deploying OfficeScan. For more information, see How Behavior Monitoring and Device Control Can Affect Performance.
The BM function will work depending on the both options below:
Settings/Behavior Monitoring Settings/ Enable Malware Behavior Blocking or Enable Event Monitoring
Additional Service /Enable Unauthorized Change Prevention Service
Two steps for enabling “Malware Behavior Blocking setting”
Path: Agent > Agent Management > Settings > Behaviors Monitoring Settings
Tick the option “”
To enable Malware Behavior Blocking or Event Monitoring, select the following options:
Enable Malware Behavior Blocking for known and potential threats (workstation default: on; server default: off )
Known threads, default option as provided by previous OfficeScan versions
Known and potential threats, a more aggressive scan mode
Enable Event Monitoring (workstation default: on; server default: off)
Behavior Monitoring settings can be applied to specific entities in the client tree or all entities (root). If you are applying settings to the root, you need to select one of the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain (domains not yet created during configuration).
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
Path: Agent > Agent Management > Settings > Additional Services Settings
Tick the option “Enable service on the following operating systems” under the section “Unauthorized Change Prevention Service”
Note: To help ensure that this feature does not interfere with critical applications, OfficeScan leaves this feature disabled on server platforms, even when it is enabled through the console.
To enable this feature on a server computer, select an individual server and go to Agent > Agent Management > Settings > Additional Services Settings. For instructions, see the Administrator’s Guide.
89 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Figure 10: Caption goes here.
NOTE: Before deploying Malware Behavior Blocking, Trend Micro recommends running a pilot deployment. See Deploying Behavior Monitoring and Device Control for more information.
5.2 > OfficeScan Agent self-protection In OSCE11, AEGIS provides one enhancement called Light-weight Solution which focuses on all agents’ self-protection including Agent’s services, Processes and Registry keys
Previous OSCE
OSCE 11
Server Disable Enable
Desktop Enable Enable
The protection will be enabled on Server in OSCE 11 by default
Path: Agent > Agent Management > Settings > Privileges and Other Settings
90 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Figure 11: Caption goes here.
5.3 > Device Control Overview
Device Control regulates access to external storage devices and network resources. Device Control helps prevent the propagation of malware on removable drives and network shares and, combined with file scanning, helps guard against security risks.
Figure 1-3: Device Control settings
Notification messages are displayed on the endpoints when device control violations occur. Administrators can modify the default notification message.
91 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
In OfficeScan 11, Device Control function integrates both AEGIS feature and DLP feature to control storage devices. AEGIS device control and DLP device control play different roles. For example, as Fig.1-3 shown below, different privilege can be set on USB storage devices. AEGIS device control handles the following privileges, modify, read and execute, read, and list device content only. The block privilege is handled by DLP device control.
Fig.1-3 USB Permissions
Furthermore, DLP Device Control supports one more device type: Mobile devices
Smartphones & Pads
Sync App
Ex: iTunes、htcsync
5.3.1 Using Device Control
Device Control supports several kinds of devices, here takes USB as sample to introduce how it works in the following environments
Only Aegis Device Control enabled
Aegis +DLP Device Control
Only DLP Device control enabled
8.1 Manage your USB device by Aegis Device Control To enable this feature, user must enable “unauthorized change prevention service” (web
console -> [agents] -> [agent management] -> [settings] -> [additional service settings] ->
TECHNICAL SUPPORT Best Practice Guide
92 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
[unauthorized change prevention service]) and “Device Control” ([settings] -> [device control settings]) for OfficScan agent.
OfficeScan only monitors USB storage devices when DLP module is not activated. Here is what Device Control can do with an USB device:
Check “Block the AutoRun function on USB storage devices” could let OfficeScan to prohibit USB storage AutoRun. It means that do not permit USB storage to run Autorun.inf then to pop the content of the storage. Since some virus could use autorun.inf to infect the system.
Select the permission for accessing USB storage devices, Device Control only provide “Full access”, “modify”, “read and execute”, “read” and “list device content only” 5 access permissions to choose. As Fig 8-1 shows
Fig 8-1 Permission list
Chart 1 Device Control Permissions
Permissions Files on the Device Incoming Files
Full access Permitted operations: Copy, Move, Open, Save, Delete, Execute
Permitted operations: Save, Move, Copy
This means that a file can be saved, moved, and copied to the device.
Modify Permitted operations: Copy, Move, Open, Save, Delete
Prohibited operations: Execute
Permitted operations: Save, Move, Copy
Read and execute
Permitted operations: Copy, Open, Execute
Prohibited operations: Save, Move, Delete
Prohibited operations: Save, Move, Copy
Read Permitted operations: Copy, Open
Prohibited operations: Save, Move, Copy
TECHNICAL SUPPORT Best Practice Guide
93 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Prohibited operations: Save, Move, Delete, Execute
List device content only
Prohibited operations: All operations
The device and the files it contains are visible to the user (for example, from Windows Explorer).
Prohibited operations: Save, Move, Copy
*For the detail information about the action of different permission, please refer to online help [Permissions for storage devices]
Use “Program List” to except the permission to some specified programs and certificate providers.
Put local programs and programs on storage devices into “Programs with read and write access to storage devices” to give them read and write access permission. For detail usage of this functionality and how users could add the file path, please refer [Advanced Permissions for Storage Devices Parent topic] and [Specifying a Program Path and Name] from online help.
>>for example, add “c:\windows\system32\notepad.exe” into “Programs with read and write access to storage devices” list, users could open and modify, as Fig 8-2
Fig 8-2
Put programs on storage devices into “Programs on storage devices that are allowed to execute” so that users or the system can execute. For detail usage of this functionality and how users could add the file path and digital signature provider, please refer [Advanced Permissions for Storage Devices Parent topic], [Specifying a Program Path and Name] and [Specifying a Digital Signature Provider] from online help.
>>Fig 8-3 shows an example
TECHNICAL SUPPORT Best Practice Guide
94 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Fig 8-3
NOTE: The antivirus feature in OfficeScan complements Device Control. For example, if Device Control allows a file to open from a regulated device but OfficeScan detects that the file is infected, a scan action will still be performed on the file to eliminate the malware.
Select whether to display a notification message on the client computer when OfficeScan detects unauthorized device access.
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon , choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
8.2 Manage USB devices by Device Control with Data Protection Plugin activated
To enable this feature, user must install OfficeScan Data Protection plug-in (web console -> [plug-ins]) and activated it, then enable “unauthorized change prevention service” (web console -> [agents] -> [agent management] -> [settings] -> [additional service settings] -> [unauthorized change prevention service]) and “Device Control” ([settings] -> [device control settings]) for OfficScan agent.
The UI of “Device Control Settings” will be different from before.
“Block” permission is activated and acted by iDLP. This sector will focusing on the function that idlp has added to “Device Control settings” for USB devices.
Chart 2 Block permission
Permissions Files on the Device Incoming Files
Block
(available after installing Data Protection)
Prohibited operations: All operations
The device and the files it contains are not visible to the user (for example, from Windows Explorer).
Prohibited operations: Save, Move, Copy
TECHNICAL SUPPORT Best Practice Guide
95 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
With Data Protection (iDLP) installed, OfficeScan offer more functionality for USB access. Besides keeping the function of Device Control, iDLP add the following items.
Allow or block access to mobile devices. It means that iDLP adds one control item for smart phone and pad. The major purpose of adding “mobile device” is making iDLP can disable the access when people use sync app (or not use any sync tools) to connect smart phone or pad.
Fig 8-4 Mobile devices setting
Chart 3 Mobile operating system and sync app list
OS support list
Synchronous application list
Android、iOS
iTunes、htcsync、Htcsync manager、Samsung kies、豌豆
荚、HiSuite、91Mobile
windows phone
windows phone(desktop)、windows phone(metro)、
Nokia PC Suite、zune
Blackberry Blackberry Device manager
Symbian OS
>> For detailed support mobile device list, please refer [device control settings] console -> click [supported device models] -> [date protection lists]. Fig 8-5 shows a mobile device is blocked.
Fig 8-5 Mobile device is blocked
Allow or block access to non-storage devices that UI lists. For detail device list, please refer [device control settings] UI -> click [supported device models] -> [date protection lists].
TECHNICAL SUPPORT Best Practice Guide
96 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Chart 4 iDLP for non-storage devices
Device Type Device Description
Permission
Non-storage Devices
COM and LPT ports
Block/Allow
IEEE 1394 interface
Block/Allow
Imaging Devices
Block/Allow
Infrared devices
Block/Allow
Modems Block/Allow
PCMCIA card
Block/Allow
Print screen key
Block/Allow
Bluetooth adapter
Block/Allow
Wireless NICs
Block/Allow
Permissions for USB storage devices. It will add a permission “block” into the permissions of “USB Storage devices”. As Fig 8-6 shows
Fig 8-6 Permissions of USB storage devices
TECHNICAL SUPPORT Best Practice Guide
97 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
However, two permissions in this (shown in Fig 8-6) list ----- “read” and “block” are controlled by iDLP.
>> Since iDLP takes the control of these two permissions, so users can add whitelist to these two permissions:
Select “read” permission, click “advanced permissions and notifications” on its right, as Fig 8-7 shows.
Fig 8-7
Then it provide user a way to add a specified device by using its vendor, model and serial ID which could be get from system device management (Fig 8-8) to iDLP whitelist.
*If the device is in the whitelist, all the access action for this device will be allowed.
The settings on this page are all controlled by iDLP.
98 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Fig 8-8
* Trend also provide a tool called listDeviceInfo.exe for list these three parameters for a USB storage device, user can found it on server folder ..\pccsrv\admin\utility\listdeviceinfo.exe
listdeviceinfo.exe shows the device information on a popped-up web page. As Fig 8-10 shows.
Fig 8-10
99 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
* To add the specified device, “vendor” parameter is required on the page. However, if some devices that system just cannot read its vendor information, user can add “*” to this blank and add other parameter that listDeviceInfo provides, it will also help to put the device that users want to the whitelist.
* For the settings of [Program list], please refer to 8.1 and online help document. The usage is the same with the one in section 8.1.
If users choose “block” permission, there also will be a way to add specified USB storage device to whitelist. Click “approved devices” on the right side. Then it will show as Fig 8-12.
Fig 8-11
Fig 8-12
Users could change the permission they want to access this device and for the permissions except “full access”, there will also be “program lists” function for the device (click “advanced permissions and notifications”).
*It means that this specified device will not be blocked and it has the access permission that user assigns to.
TECHNICAL SUPPORT Best Practice Guide
100 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Fig 8-13 set permission of the device in whitelist
Fig 8-14 advanced permissions and notifications
8.3 Unauthorized Change Prevention Service is disabled and Data Protection is activated
For section 8.1, without Data Protection plug-in (iDLP), disabling “Unauthorized Change Prevention Service” (web console -> [agents] -> [agent management] -> [settings] -> [additional service settings] -> [unauthorized change prevention service]) will also make “Device Control Settings” not work at all. However, with iDLP, things are different.
TECHNICAL SUPPORT Best Practice Guide
101 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
When “unauthorized change prevention service” is disabled, and “Device Control” is enabled, only the functionality of iDLP will work.
As section 8.2 said the additional function of iDLP. Chart 5 shows the devices still be controlled.
Chart 5 only iDLP is enabled the settings that work
Device Type Device Description Permission
Mobile Devices
Phones and tablets with/without sync app
Block/Allow
USB storage devices
Storage device Block/Allow/Read
Non-storage Devices
COM and LPT ports Block/Allow
IEEE 1394 interface Block/Allow
Imaging Devices Block/Allow
Infrared devices Block/Allow
Modems Block/Allow
PCMCIA card Block/Allow
Print screen key Block/Allow
Bluetooth adapter Block/Allow
Wireless NICs Block/Allow
* For USB storage devices, three permissions in the select list will work. They are “full access”, “Read” and “Block”.
> “advanced permissions and notifications” of [read] permission will all work properly
TECHNICAL SUPPORT Best Practice Guide
102 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
> “approved devices” of [block] permission will partly work. It means that users can add the specified device to whitelist (vendor, model and serial ID). However, user cannot assign other permissions to this device except “full access”. Since other permissions are controlled by [unauthorized change prevention service]. So “program list” under “advanced permissions and notifications” of this page also cannot work.
8.4 Notification for USB access If OfficeScan encounter a violation of USB access and “Display a notification on endpoints
when OfficeScan detects unauthorized device access” is checked, OfficeScan agent will pop an alert for this access action. Fig 8-15, 8-16 and 8-17 show the screenshot of the setting and alert.
Fig 8-15
Fig 8-16
TECHNICAL SUPPORT Best Practice Guide
103 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
5.3.2 How Behavior Monitoring and Device Control Can Affect
Performance The Behavior Monitoring and Device Control features both use the Trend Micro Unauthorized Change Prevention Service (running under the process name TMBMSRV.EXE). These features use TMBMSRV.EXE to monitor for system events and check these events against rules to determine whether certain application activities are unwanted.
TMBMSRV.EXE delivers highly beneficial behavior-based security functionality, particularly the capability to check applications for suspicious behavior (Behavior Monitoring) and control access to storage devices (Device Control). Its monitoring mechanism, however, can strain system resources, especially when the computer is running applications that cause numerous system events. To prevent impacting system performance, Trend Micro recommends configuring OfficeScan so that these “system-intensive” applications are not monitored by TMBMSRV.EXE.
5.3.3 Deploying Behavior Monitoring and Device Control
Running TMBMSRV.EXE and system-intensive applications on the same computer can affect system performance and disrupt critical applications. It is for this reason that a properly managed deployment of Behavior Monitoring and Device Control is recommended.
To ensure smooth deployment of OfficeScan with Behavior Monitoring and Device Control:
• Set up and deploy a pilot environment.
• Identify system-intensive applications.
• Add system-intensive applications to the Behavior Monitoring exception list.
TECHNICAL SUPPORT Best Practice Guide
104 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Step 1: Preparing a Pilot Environment Before performing a full-scale deployment, conduct a pilot deployment in a controlled environment. A pilot deployment provides opportunity to determine how features work and, most importantly, how Behavior Monitoring and Device Control can affect your endpoints.
The pilot process should result in:
A better understanding of the implications of deploying the new Behavior Monitoring and Device Control features.
A better understanding of applications that may conflict with these features.
A list of applications that can be added to the Behavior Monitoring exception list.
When setting up the pilot environment:
Prepare an environment that matches the production environment as closely as possible.
Ensure that the following are included in the pilot environment:
Business applications
Custom applications
All network applications used by groups or individuals (such as payroll, inventory, accounting, and database applications)
Deploy the OfficeScan agents into the pilot environment with the features that you intend to enable. For example, Behavior Monitoring and Device Control may both be enabled.
Allow the pilot environment to run for a reasonable amount of time (give sufficient “soak time”) with the standard applications running and with average daily use.
Step 2: Identifying System Intensive Applications Trend Micro provides a standalone performance tuning tool to help identify applications that could potentially cause a performance impact. The TMPerfTool tool, available from Trend Micro technical Support, should be run on a standard workstation image and/or a few target workstations during the pilot process to preempt performance issues in the actual deployment of Behavioral Monitoring and Device Control.
To identify system intensive applications:
Unzip the TMPerfTool.zip file.
Place the TMPerfTool.exe file in the OfficeScan default installation folder (%ProgramDir%/Trend Micro/OfficeScan agent) or in the same folder as the TMBMCLI.dll file.
Double-click TMPerfTool.exe.
TECHNICAL SUPPORT Best Practice Guide
105 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Click Analyze when the system or applications start to slow down. If a red highlighted row appears, it means that the TMPerfTool found the system-intensive process.
Select the highlighted row and click Exclude.
After excluding the process, verify if the system or application performance improves. If the performance improves, select the process row again and click Include. If the performance drops again, it means you found a system-intensive application. Perform the following:
Note the name of the application.
Click Stop.
Click Report and save the .xml file in your specified folder.
Review the applications that have been identified as conflicting and add the applications to the Behavior Monitoring exception list.
Step 3: Adding System-Intensive Applications to the Behavior Monitoring Exception List The Behavior Monitoring exception list is a user-configurable list of approved and blocked programs that are not monitored by Behavior Monitoring and Device Control. These features automatically allow approved programs to continue—approved programs are still checked by other OfficeScan features. Blocked programs are never allowed to run.
Trend Micro strongly recommends adding system-intensive applications to the Behavior Monitoring exception list to reduce the likelihood of performance issues from occurring. System- intensive applications can cause TMBMSRV.EXE (the service used by both Behavior Monitoring and Device Control) to consume very high amounts of CPU resources and disrupt critical applications.
Figure 1-4: Adding programs to the exception list
To add programs to the exception list:
TECHNICAL SUPPORT Best Practice Guide
106 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Path: Agents > Agent Management > Settings > Behavior Monitoring Settings
Type the full path of the program under Exceptions.
NOTE: Separate multiple entries with semicolons (;). The exception list supports wildcards and UNC paths.
Click Approved Programs or Blocked Programs
NOTE: All exceptions apply to both Behavior Monitoring and Device Control. Add only verified programs to the Approved Programs list to ensure network security.
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon , choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
5.4 > Alternative Ways to Prevent Performance Impact
To prevent TMBMSRV.EXE from affecting performance, you can disable the service itself or disable both Behavior Monitoring and Device Control.
WARNING! Disabling the Behavior Monitoring, Device Control, and other features may put your
network at risk from new and suspicious attacks. Perform these actions only as a last resort.
You can disable Behavior Monitoring and Device Control from the Web console or from the
registry.
Behavior Monitoring
5.4.1 Disabling Features from the Web Console
Path: Agents > Agent Management > Settings > Behavior Monitoring Settings
To disable Behavior Monitoring, deselect the following options:
Enable Malware Behavior Blocking for known and potential threats
Enable Event Monitoring
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to those domain(s) or client(s). If you selected the root icon , choose from the following options:
TECHNICAL SUPPORT Best Practice Guide
107 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Apply to All Clients
Apply to Future Domains Only
Device Control
Path: Agents > Agent Management > Settings > Device Control
To disable Device Control, deselect Enable Device Control.
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon , choose from the following options:
Apply to All Clients
Apply to Future Domains Only
5.4.2 Stopping the Service
Disable Behavior Monitoring and Device Control by stopping the Trend Micro Unauthorized Change Prevention Service (TMBMSRV.EXE). Perform this task directly on each endpoint.
NOTE: Starting and stopping services directly overrides settings on the console. However, these changes will not take effect if the Client Self-Protection feature is enabled. Disable Client Self-Protection before starting or stopping OfficeScan services on OSCE server console.
To stop the service:
Open the Services console. Click Start > Run. Type SERVICES.MSC and click Open.
In the Services console, stop Trend Micro Unauthorized Change Prevention Service
TECHNICAL SUPPORT Best Practice Guide
108 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
.
Chapter 6: Data Loss Prevention
6.1 > Pre-Deployment
6.1.1 Deploying and Testing Agents
DLP agents should be deployed without any policies enabled. Proper testing of policies suggested before pushing it out to production environment. Poorly configured and tested policies may lead to the disruption of daily work routine and might end up in computers flooding OfficeScan server with large numbers of false positives.
6.1.2 Calculating Disk Space
To determine the amount of disk space needed for the server, you must decide if there is a need to capture the files when a policy violation occurs. The files captured during the violation are referred as “forensic data”. The benefit of capturing forensic data allows you to identify quickly why the alert occurred and if it was a false positive. While the forensic data function is helpful when tuning policies, you can still gather this information by reviewing the alerts. The alerts contain the path to the file that triggered it.
Default iDLP log purge time table OfficeScan agent OfficeScan server Control
Manag er server
Time for
purge
Default setting
180 days 180 days 90 days
Allow user to modify the setting
Yes Yes
Max number in configurati on
36500 days 360 days
Purge log
depen d on
Default setting
1000 logs
Allow user to modify
Yes Yes
TECHNICAL SUPPORT Best Practice Guide
109 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
size the setting
Max number in configurati on
900000 logs
Default locations of Logs and Forensic Data:
OfficeScan agent OfficeScan server Control Manager server
Violation Log DLPViolationLog.db dbDlpLog Control Manager database
Forensic Data
<OfficeScan agent folder>\dlplite\forensi
c\
\\<Server>\ofcscan\Priva te\DLPForensicData\
Will download from the
OSCE server
6.2 > Deployment DLP Installation and activation are performed from Plug-in Manager. Here are the steps:
NOTE: You do not need to install the Data Protection module if the standalone Trend Micro Data Loss Prevention software is already installed and running on endpoints.
The Data Protection module can be installed on a pure IPv6 Plug-in Manager. However, only the Device Control feature can be deployed to pure IPv6 agents. The Data Loss Prevention feature does not work on pure IPv6 agents.
1. Download DLP package
On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click Download.
110 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Note:
The size of the file to be downloaded displays beside the Download button. Plug-in Manager stores the downloaded file to <Server installation folder>\PCCSRV\Download\Product.
If Plug-in Manager is unable to download the file, it automatically re-downloads after 24 hours. To manually trigger Plug-in Manager to download the file, restart the OfficeScan Plug-in Manager service from the Microsoft Management Console.
2. After downloaded, click Install Now, or to install at a later time
3. Activating OfficeScan Data Protection License is required right after installed
On the Plug-in Manager screen, go to the plug-in program section and click Manage Program. The Product License New Activation Code screen appears.
111 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
3. Deployment of Data Protection to OfficeScan Agents
By default, the module is disabled on Windows Server 2003, Windows Server 2008, and Windows Server 2012 to prevent impacting the performance of the host machine.
Data Protection now supports x64 environment.
Online agents install the Data Protection module immediately. Offline and roaming agents install the module when they become online.
Users must restart their computers to finish installing Data Loss Prevention drivers. Inform users about the restart ahead of time.
Procedure
a. Go to Agents > Agent Management > select a domain or a specified agent >Settings.
112 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Deploy the module in two different ways:
• Click Settings > DLP Settings.
• Click Settings > Device Control Settings.
Note:
If you deploy from Settings > DLP Settings and the Data Protection module is deployed successfully, Data Loss Prevention drivers will be installed. If the drivers are installed successfully, a message displays, informing users to restart their endpoints to finish installing the drivers.
b. A message displays, indicating the number of agents that have not installed the module. Click “Yes” to start the deployment.
OfficeScan agents start to download the module from the server.
113 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
5. How to check if OfficeScan Data Protection is installed successfully:
1. In the agent tree, select a domain or an agent, check the Data Protection Status column. The deployment status should be "Running".
2. On the OSCE client, open CMD using administrator privilege and run the following command "sc query dsasvc", the state should be "Running".
6.3 > Deployment DLPlite template and policy
6.3.1 Define a DLPlite template
A. Configure data identifiers firstly, then define your own Templates, because Templates are defined based on data identifiers.
Path: Agents -> Agent Management -> select the targets -> Settings -> DLP settings Data identifiers include Expression, File Attribute, and Keyword,
• Expressions are predefined regular expressions, like Credit Card Number • File Attributes include File Type and File Size, for File Type, you can use true file type
recognition or define extension, for File Size, it supports Max 2GB, Min must be over 0 bytes
• Keywords, you can add or import, refer to "Importing a Keyword List" in Help document for how to import keywords.
114 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
B. Define a templates after defined a data identifier
Notes: OfficeScan supports to import or export templates, refer Help document for detail. Path:Agents -> Agent Management -> select the targets -> Settings -> DLP settings -> Templates -> Add -
> Add Template Or:Agents -> Data Loss Prevention -> DLP Templates -> Add
Choose a data identifier defined (Expression, File Attribute, or Keyword) in step A, or use a predefined data identifier, set the Operator (And, Or or Except) to set the relationship
Note: Pay attention to the priority of the statement, refer to the section "Condition Statements and Logical Operators" in Help document, and also the Preview of the statement on the console.
6.3.2 Define and then deploy DLP policy
• DLP policy is based on Templates which is defined in the previous section.
Path: Agents -> Agent Management -> select the targets -> Settings -> DLP settings ->Policies Take the actions: Add a policy select your template Choose Channel
Note: Some of channels support to use exception. Furthermore, pay attention on the section "Transmission Scope" under "Network Channels", one is PC boundary, another is LAN boundary.
Define an action for a policy
To deploy a policy, Enable it firstly, click the button "Save and Apply the settings to Agents" then.
Policy block/pass logical:
Given target may meet multiple policies conditions, during the scan if any policy with “Block” action defined, target is blocked even if it meets other policies with Pass action defined.
Policy “Additional Action”:
Each defined policy has respective “Additional Action” applied by administrator. If a target document meets “n” number of policy criteria, all respective “n” “Additional Action” will be applied on the target.
6.4 > Investigate and restore forensic data
To investigate the forensic data blocked by OfficeScan, a Control Manager 6.0 server is required. Only users who have appropriate permission in Control Manager Server have access to forensic data.
Setup
115 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Follow the ControlManager administration guide to setup a ControlManager server is there is no ControlManager server available in your environment.
Register OfficeScan 11 to ControlManager server via Administration → Settings → Control Manager. A successful OfficeScan registration should show a similar page like the following:
1. In ControlManager, go to Direcotry→ Products, expand Local Folder → New Entity, the registered OfficeScan server should be displayed under the product tree:
2. Allow OfficeScan to record forensic data: a. Follow OfficeScan online help section [Creating a Data Loss Prevention Policy] to create
a DLP policy. b. On Action tab, make sure [Record data] is checked.
Check forensic data 1. Assign users who will have access to DLP data by enabling [Monitor, review, and investigate DLP
incidents triggered by all users]:
116 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
In Active Directory, you can refer to the following to create user accounts:
http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack- 1/dlp_investigation_abt/dlp_inv_admin_tasks/dlp_roles_abt.aspx
2. Logon with an account with DLP review permission created in Step 1. 3. Forensic data in OfficeScan server will be encrypted and placed to the following folder:
..\PCCSRV\Private\DLPForensicData
4. The forensic data will be uploaded to [DLP Incident Investigation] tab on Control Manager Dashboard.
5. There are bunch of widgets can show a number of incidents detected, click the number will lead you to the details:
117 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
6. Click [Edit] on the [Incident Information] popup you want to investigate. 7. You can then view the details of the incidents and download the blocked file:
8. Click the Incident Information link can direct you to detail logs of the incidents.
118 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
119 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Chapter 7: Miscel aneous
7.1 > Product Communication Ports
Port Number Protocol Traffic
Direction Description
1 Server Port Configurable in ofcscan.ini Master_DomainPort parameter. Default value is 8080.
HTTP Agent to OSCE Server
The IIS / Apache web server listening port for the OfficeScan virtual directory. This is where agents download pattern file updates, and upload logs, quarantined files and status information. The virtual directory port setting must be consistent with the ofcscan.ini Master_DomainPort parameter.
2 Agent Port Configurable during installation. Stored in ofcscan.ini Client_LocalServer_ Port parameter
HTTP OSCE Server to Agent
OfficeScan agent listening port where CGI commands such as update notifications and configuration changes are received from the OSCE server.
3 Agent Port (Update Agent)
Configurable during installation. Stored in ofcscan.ini Client_LocalServer_ Port parameter
HTTP Agent to Update Agent
Update Agent hosts also use the Agent Port to reply to download requests for scan engine and pattern file updates pulled by peer OSCE agents.
4 Control Manager Agent (MCP Agent)
80,8080, 443 HTTP/HTTPS Bidirectional between OfficeScan Server and Control Manager
This will be used for notification for updates from Control Manager as well as sending back status/virus events from OfficeScan Server to Control Manager
5 Integrated Smart Protection Server
8080, 4343 HTTP/HTTPS Bidrectional Integrated Smart Protection Server ports on IIS. Scan server uses this port to receive queries from OfficeScan agents as part of cloud technology. When using OfficeScan virtual site, the scan server uses port 8080 if the OfficeScan management console uses HTTP. If HTTPS functionality is used, the scan server uses 4343.
6 Integrated Smart Protection Server
8082, 4345 HTTP/HTTPS Bidrectional Integrated Smart Protection Server ports on Apache. Scan server uses this port to receive queries from OfficeScan agents as part of cloud technology.
7 Integrated Web Reputation Service
8080 HTTP Bidrectional Integrated Web Reputation Service port on IIS. Local Web Reputation Service uses this port to receive
120 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
queries from OfficeScan agents as part of cloud technology.
7.2 > IPv6 for OfficeScan
7.2.1 IPv6 Support for OfficeScan Server and
Agents
IPv6 support for OfficeScan starts in this version. Earlier OfficeScan versions do not support IPv6 addressing. IPv6 support is automatically enabled after installing or upgrading the OfficeScan server and agents that satisfy the IPv6 requirements.
7.2.2 OfficeScan Server Requirements
The IPv6 requirements for the OfficeScan server are as follows:
The server must be installed on Windows Server 2008 or higher. It cannot be installed on Windows Server 2003 because this operating system only supports IPv6 addressing partially.
The server must use an IIS web server. Apache web server does not support IPv6 addressing.
If the server will manage IPv4 and IPv6 agents, it must have both IPv4 and IPv6 addresses and must be identified by its host name. If a server is identified by its IPv4 address, IPv6 agents cannot connect to the server. The same issue occurs if pure IPv4 agents connect to a server identified by its IPv6 address.
If the server will manage only IPv6 agents, the minimum requirement is an IPv6 address. The server can be identified by its host name or IPv6 address. When the server is identified by its host name, it is preferable to use its Fully Qualified Domain Name (FQDN). This is because in a pure IPv6 environment, a WINS server cannot translate a host name to its corresponding IPv6 address.
NOTE: The FQDN can only be specified when performing a local installation of the server. It is not supported on remote installations.
7.2.3 OfficeScan Agent Requirements
The agent must be installed on:
Windows 7
Windows 8(.1)
121 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Windows Server 2008 (R2)
Windows Server 2012 (R2)
Windows Vista
It cannot be installed on Windows Server 2003 and Windows XP because these operating systems only support IPv6 addressing partially
7.3 > Update Architecture and Network Usage
OfficeScan Server
7.3.1 The Update Process
The process starts with the OfficeScan server downloading update packages. The server can be configured to get updates from several locations:
Trend Micro’s Active Update Server (Internet) – Default method. It uses standard HTTP GET request to download update packages from the Internet. This only requires the HTTP port (80) to be open from the OfficeScan server to the Internet. This can be triggered manually or on scheduled basis (Hourly, Daily, Weekly, or Monthly). Recommended setting is Hourly.
Trend Micro Control Manager (TMCM) server – Control Manager notifies the OfficeScan server when an update is available for download. OfficeScan will then check its Update Source [ Updates | Server Update | Update Source ] setting to know where it should download the package via HTTP. By default, the Update Source is set to the Internet (Trend’s Active Update server). This can be pointed to the Control Manager server if desired (i.e. http://<server fqdn or ip address>/tvcsdownload/activeupdate).
Custom Update Source (Other update source). Similar to the Internet update method except that the admin re-creates an Active Update (web) server and sets the OfficeScan server to point to the HTTP location (i.e. http://<server fqdn or ip address>/activeupdate). Control Manager and peer OfficeScan servers can service such request.
Update Agent
When the update package has been downloaded, the OfficeScan server notifies its Update Agents first that a new package is available. The Update Agents would then compare version information and download the package from its designated OfficeScan server as needed. The OfficeScan server waits for an acknowledgement command for the verification or download/update process to complete. If no acknowledgement is received, the OfficeScan server will wait to reach a timeout value before notifying the rest of its clients. Default timeout is 10 minutes and is configurable in Timeout for update agent parameter using SvrTune.exe [ Tools | Administrative Tools | Server Tuner ]. All communications are done through CGI commands via HTTP protocol. The OfficeScan server listens on its web server management port (typically 80 or 8080)
122 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
while the Update Agents listen on its pre-configured port (randomly generated or manually defined during the OfficeScan server installation).
123 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
OfficeScan Agent
Once the Update Agent notification process is completed, the OfficeScan server notifies the rest of its clients. Notification process is done by batches. The number by batch is configurable in Maximum Client Connections using SvrTune.exe [ Tools | Administrative Tools | Server Tuner ] utility. Once notified, clients would check for updates in the order below.
OfficeScan agent Update Source Order
Update Agent
OfficeScan Server
Trend Micro’s Active Update Server (Internet)
Privileges can be set to allow clients to update from the OfficeScan server when its Update Agent is unavailable. This setting is global and can be enabled under [ Updates | Client Deployment | Update Source | Update from OfficeScan server if all customized sources are not available or not found ].
NOTE: SvrTune.exe only controls the number of clients notified by the OfficeScan server at a given time after OfficeScan server completed an update. When OfficeScan agents are the ones who initiated the update, for example via ‘Scheduled Update’, the OfficeScan server will handle the client update request and the ones it cannot is queued in IIS for later processing. (IIS can process concurrently 256 cgi requests at a time, this is the default configuration.)
Individual or group of clients (OfficeScan Domain) can also be given privileges to download updates directly from the Internet. Highlight the client or Domain from the [ Clients ] main window and enable the option under [ Clients | Client Privileges/Settings | Update Settings | Download from the Trend Micro ActiveUpdate Server ].
Integrated Smart Protection Server
Trend Micro’s Active Update Server (Internet) – Default method. It uses standard HTTP GET request to download update packages from the Internet. This only requires the HTTP port (80) to be open from the OfficeScan server to the Internet. This can be triggered manually or on scheduled basis (Hourly or every 15 minutes). Recommended setting is Hourly.
Trend Micro Control Manager (TMCM) server – Control Manager notifies the OfficeScan server when an update is available for download. OfficeScan will then check its Update Source [ Updates | Server Update | Update Source ] setting to know where it should download the package via HTTP. By default, the Update Source is set to the Internet (Trend’s Active Update server). This can be pointed to the Control Manager server if desired (i.e. http://<server fqdn or ip address>/tvcsdownload/activeupdate).
Custom Update Source (Other update source). Similar to the Internet update method except that the admin re-creates an Active Update (web) server and sets the OfficeScan server to point to the HTTP location (i.e. http://<server fqdn or ip address>/OfficeScan/download). Control Manager and peer OfficeScan servers can service such request.
124 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
7.3.2 Network Usage (Bandwidth Consumption)
OfficeScan generates network traffic when the server and client communicate with each other. Server initiated communications are mainly CGI commands sent through HTTP protocol and are only a few kilobytes in size. The clients, on the other hand, generate traffic as they upload information and pull component updates. Below is a summary of the different types of communications within OfficeScan.
Server Initiated Traffic
Notification on configuration changes
Notification on component updates
Client Initiated Traffic
Client start-up information
Uploading virus,event, firewall and web reputation logs
Infected files to be quarantined on the OfficeScan server (network usage depends on quarantined file size)
Downloading program and pattern file updates
Probably the most significant data transfer is when a client performs a pattern file update. To reduce network traffic generated during this process, OfficeScan uses a feature called incremental updates. Instead of downloading the full pattern each and every time, only the differences (deltas) are downloaded for up to 14 previous versions for virus definitions and 7 previous versions for spyware, network, and damage cleanup patterns. These new patterns are merged with the old pattern file as they are received by the OfficeScan agent. An incremental pattern may range from 1 kilobyte to several megabytes (i.e. 3 MB) depending on version increment (how far the delta is to the latest version).
To further save WAN bandwidth, specific clients can be promoted as an Update Agent to service peer clients. This implies that each client won’t have to individually pull incremental updates from the OfficeScan server. The Update Agent host replicates the complete engine and pattern packages (full version and increments). The engine and pattern packages are downloaded every time an update is available. To verify the latest size, simply log in to the OfficeScan server and view the size property of the folders below:
<drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Download \ Engine
<drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Download \ Pattern
The Engine and Pattern subfolders in the OfficeScan server are copied over to the Update Agent host under <drive> : \ Program Files \ Trend Micro \ OfficeScan agent \ ActiveUpdate folder.
125 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
For locations with limited bandwidth connectivity, an ini flag (UADuplicationOptValue) can be enabled in the OfficeScan server to change the behavior of the Update Agent. Instead of downloading the complete engine and pattern packages, only the latest increment (one version older) is downloaded. The Update Agent then generates its own full pattern file as well as the 7 incremental files.
Enabling Smart Duplicate for Update Agents
Edit <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ ofcscan.ini
Locate the parameter UADuplicationOptValue and set value to 128.
Save changes on the INI file.
Log on to the Management Console Clients | Global Client Settings
Click on Save button.
NOTE: To disable Smart Duplicate if bandwidth is not an issue, configure the parameter as follows: UADuplicationOptValue=64
Sample computation of bandwidth usage:
Given: An incremental update is 300Kb
A full compressed pattern is 45MB
For an Update Agent using regular incremental updates, it downloads the full pattern file and 7 incremental files from the Officesan server
Total size downloaded = 7x(300kb incremental) + 45Mb full Pattern
= 2.1MB + 45Mb
= 47.1Mb
For an Update Agent configured for Smart Duplicate, it downloads only one incremental the full pattern file and generates its own full pattern and incremental, therefore
Total size download = 300Kb
Saves you 46.8Mb of transfer over the WAN link.
126 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
7.4 > Virtual Desktop Infrastructure (VDI)
OfficeScan 10.6 supports three types of VDI environment: Citrix XenServer, VMWare VCenter Server, and Microsoft Hyper-V Platform. Following two features have been added:
VM Awareness – to avoid all VM clients in the same physical machine to do on-demand scan or component update at the same time.
Whitelist Cache Mechanism – to reduce scan time of on-demand scan.
7.4.1 Golden Image Preparation
When deploying VDI, the following tasks need to be completed on the Golden Image.
Copy the TcacheGen.exe utility to the Golden Image.
Use TcacheGen to create a whitelist of files and folders in the Golden Image. The tool will scan files and folders in the Golden Image and add them into the OfficeScan Whitelist to reduce scanning load on the machine.
Use TcacheGen to clear the GUID key found in the OfficeScan agent Registry Hive: HKEY_Local_Machine\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\GUID
Set the value of VDIEnabled=1 in OfficeScan registry hive: HKEY_Local_Machine\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\MISC.\
Proceed to complete the Golden Image creation.
7.4.2 Instal the VDI Support in OfficeScan server
Plugin Manager
Open the OfficeScan Console >> Plug-in Manager. Download and install the VDI Support component.
Click on the Manage Program button to configure VDI Support.
Choose between VMWare vCenter Server, Citrix XenServer, Microsoft Hyper-V Platform or Other virtualization application (NOTE, that this will only simulate a virtual hypervisor)
TECHNICAL SUPPORT Best Practice Guide
126 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Enter the server connection information, e.g.
Click the save button.
Check the vdi_list.ini to confirm the setting is applied correctly.
Adjust the VDI parameters depending on the actual need.
We can control very resource intensive actions from the OfficeScan agent namely On-demand Scan and Component Updates.
VDI.ini parameter’s description and their recommended values are:
Parameter Name Description Value
Cache_Time_Seconds This is the VDI client cache used by the OfficeScan server. When VDI client performs a scan/update, OfficeScan server uses the cache information to respond.
300
TECHNICAL SUPPORT Best Practice Guide
127 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
After the default value of 300 seconds, OfficeScan server will query XenServer/vCenter to update cache information.
Cache_Time_Error_Seconds When OfficeScan server tries to query XenServer/vCenter to get updated cache information but couldn’t (Failed), within 30 secs, OfficeScan server will use old cache to respond to clients’ request and will not try the query again within the elapse time.
30
Controller_Counts The number of VDI Client tasks controlled by OfficeScan server, currently we have 2 types, (00) is for on- demand scan and (01) is for update.
2
Controller_00_MaxRunningSec onds
Within 300 seconds, if the on-demand scan agent didn’t respond to the OfficeScan server, the OfficeScan server considers the scan task completed and will allow the next client to run on- demand scan.
300
Controller_00_MaxConcurrent Guests
Only one client can run on-demand scan at the same time.
1
Controller_00_BaseWaitingTim e
If the MaxConcurrentGuests value is reached, other requesting VDI clients need to wait 10 secs and then 10+10 secs, 10+10+10 secs, till it reaches
10
TECHNICAL SUPPORT Best Practice Guide
128 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
MaxWaitingTime value.
Controller_00_MaxWaitingTim e
Used by BaseWaitingTime to determine how long VDI Client should wait before trying to contact the OfficeScan server
30
Controller_00_TaskName Name of the VDI Client Task
ODScan
Controller_01_MaxRunningSec onds
Within 600 seconds, if the updating client didn’t respond to the OfficeScan server, the OfficeScan server considers the update task completed and will allow the next client to perform an update
600
Controller_01_MaxConcurrent Guests
Only three clients can perform an update at the same time.
3
Controller_01_TaskName Name of the VDI Client Task
PatternUpdat e
Performance Related Items To mitigate performance issue, you should comply with the best practices below when running OfficeScan 11 agents in VDI environment.
Suggest to first set scan mode to smart scan, and then deploy OfficeScan agent to VDI
Do not switch between conventional scan and smart scan on VDI guest environment. This is because scan type change will trigger full pattern update immediately on the guest environment causing Disk I/O congestion if occurring on multiple VM images at the same time.
When Smart Protection Server is offline, OfficeScan agents will add files into a queue list (suspicious list). When the Smart Protection Server comes back online, all the machines will perform a scan base on this list and can cause performance issue. Make sure to have a backup Smart Protection Server to ensure the Smart Scanning is available at all times.
Pattern Update rollback is very Disk I/O intensive and should be done as seldom as possible.
Take special caution deploying program updates or hotfix to VDI Agents. Deploy to a few machines at a time to minimize performance impact.
TECHNICAL SUPPORT Best Practice Guide
129 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
AEGIS is should be disabled in VDI environment and this should be done when golden image is prepared. This can help improve performance in VDI environment.
Enable/Disable firewall should not be performed on all agents at the same time; otherwise it will have heavy disk I/O usage.
If many agents are enabled to act as update agent at the same time then this will have heavy disk I/O and CPU, and will need long time to enable. It is recommended to avoid enabling many agents to act as update agents at the same time.
New installed agent might not appear in server console agent tree because the GUID has a duplicate. To avoid this, you need to log on to the OfficeScan console and perform ‘connection verification’ under Networked Computers.
Disable scheduled scan because simultaneous scanning in several guest OS will cause the host machine performance drop.
In the OfficeScan console, go to Tools -> Administrative Tools and use Server Tuner to configure the allowed concurrent pattern update agents to a small number. The suitable value depends on the HDD speed. Trend Micro recommends setting this value to “3” and then increasing it if the I/O usage is low during pattern update.
TECHNICAL SUPPORT Best Practice Guide
130 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
Central Quarantine File Restore
Central Quarantine Restore allows to trigger the restore of quarantined files from the OSCE server. The usage of this feature is described in detail in OSCE 11 AG. Please refer to page 1-4 resp.7-41
Considerations:
The quarantined viruses need to be available in the …\Suspect\Backup folder of the OSCE agent program folder.
You have to determine file name, security threat or path of file from the virus logs. The following sample shows the mask for file name of several files to restore
131 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
1. Central restore works from single machine up to domains/root level of the OSCE server-
2. When selecting a file to restore you can put this file to the exclusion list of the respective domain level.
132 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
If you do NOT select this, the file will be restored properly but redetected at next trigger.
7.5 > Recommended Installation Adjustments for Special
Environments
7.5.1 Citrix Environment
Installation of OfficeScan Agents on Citrix Servers Disable the Tray Icon Many instances of the PccNTMon process will be created in the memory for each user logged in where the agent is installed.
On the OfficeScan management console, go to Agents > Agent Management.
133 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Create a group for all Citrix Servers, click on Manage Agent Tree > Add Domain. Move the Citrix servers to the group.
Select the group, click on Settings > Privileges and other Settings > Other Settings tab.
Under Agent Access Restriction, select Do not allow users to access the agent console from the system tray or Windows Start menu.
Click on Save.
Note: The only minimal side effect for this configuration is that there will be no popup messages that will come up on the Citrix Servers whenever a virus/malware, spyware/grayware, or web threats are detected
Set up TmPreFilter to run in MiniFilter-Mode
Open the Registry Editor.
Go to HKLM\SYSTEM\CurrentControlSet\Services\TmPreFilter\Parameters
Change the value of the key "EnableMiniFilter" (REG_DWORD) key to "1".
Close the Registry Editor and then restart the computer.
Change the memory usage of the PagedPool
Open the Registry Editor.
Go to HKEY_LOCAL_MACNE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
Change the value of the "PagedPoolSize" (REG_DWORD) key to "FFFFFFFF".
Close the Registry Editor and then restart the computer.
Exclude the files and folders
Exclude the following file extensions from scanning on a Citrix or Terminal server.
*.LOG
*.DAT
*.TMP
*.POL
*.PF
Exclude IIS and Citrix Receiver processes
Open the Registry Editor.
134 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Go to HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList.
Create a new key named "Citrix ICA". This is the Citrix ICA Client remote desktop tool. Under this new key, create:
Type: String value
Name: ProcessImageName
Value: wfica32.exe
Create a new key named "IIS". Under this new key, create
Type: String value
Name: ProcessImageName
Value: w3wp.exe
Close the Registry Editor.
Restart the OfficeScan NT Listener service.
7.5.2 Citrix Known Issues
A. OfficeScan agent on the Citrix server cannot be published The OfficeScan agent on the Citrix server cannot be published. To allow users to access the OfficeScan agent, publish the Citrix Server desktop through the Citrix Access Management Console (CMC). When published, users need to:
1. Launch the desktop from the Citrix client Web interface.
2. In the Citrix desktop session, open the OfficeScan agent program from Start > Programs > Trend Micro OfficeScan Agent > OfficeScan Agent.
3. Launch the OfficeScan agent console from the system tray icon.
B. CSA does not support application streaming CSA installs drivers (Scan Engine, Firewall, TDI driver) and its services need to collaborate with these drivers. This means that some functions may appear to execute properly from the client console but may actually not run anything in the backend. This does not affect other programs published and streamed on the Citrix server.
C. Real-time scan is unable to detect infected files residing inside mapped folders on Citrix servers A drive or folder on a computer running Windows 2003 contains a file infected with virus/malware and the drive or folder is mapped to the Citrix server. When the infected file is opened during a Citrix client session, Real-time Scan may be unable to detect the virus/malware
135 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
on the file if the mapped drive has the same drive name, for example (C:), in a multi-user environment.
To resolve this issue:
Launch the desktop from the Citrix client Web interface.
Open the Registry Editor.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add the following value:
Type: Multi-string value (REG_MULTI_SZ)
Name: DependOnService
Value: Cdm
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters and add the following value:
Type: DWORD value (REG_DWORD)
Name: CitrixOn2003Support
Value: Any number except zero
If you are using remote desktop, add the following value to the same key:
Type: DWORD value (REG_DWORD)
Name: MsRemoteDesktopSupport
Value: Any number except zero
Restart the computer for the changes to take effect.
D. Scan Notifications In a Citrix environment, when the OfficeScan agent detects a security risk during a particular user session, the notification message for the security risk displays on all active user sessions.
Security risk can be any of the following:
Virus/Malware
Spyware/Grayware
Firewall policy violation
136 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Web Reputation policy violation
Unauthorized access to external devices
E. When manual update is in progress in one Citrix client session, other active sessions cannot launch manual update Trend Micro recommends disabling "Update Now" privileges from the OfficeScan web console. This prevents users from manually starting an update. Make sure, however, that scheduled updates and event-triggered updates are still in place.
To disable "Update Now" privileges, do the following:
On the OfficeScan management console, go to Agents > Agent Management.
Select the group, go to Settings > Privileges and other Settings > Privileges tab.
Under Component Updates, uncheck Perform “Update Now”.
Click on Save.
7.5.3 Citrix Exclusions
Refer to section 7.6 Recommended Scan-Exclusion List for recommendations on files and directories to exclude.
7.5.4 Citrix Firewal Port
Refer to section 7.8 Some Server Common Ports for recommendations on Citrix ports to open.
7.5.5 Instal ation of OfficeScan agents on Cisco
Callmanager
The following are needed to be configured as recommended to support Cisco Callmanager:
Configure Real-time Scan Settings
On the OfficeScan management console, go to Agents > Agent Management
Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Real-time Scan Settings
In the Target tab, under the Scan Settings, configure Scan compressed files > Maximum layers = 1
137 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
In the Action tab, uncheck the following:
Display a notification message on the client computer when virus/malware is detected
Display a notification message on the client computer when spyware/grayware is detected
Click on Save.
Configure Client Privileges and Settings
On the OfficeScan management console, go to Agents > Agent Management
Select the Cisco Callmanager Agents, go to Settings > Privileges and Other Settings
In the Privileges tab, uncheck the following:
Display the Mail Scan tab on the client console and allow users to install/upgrade Outlook mail scan
Click on Save.
Configure Scan Exclusions
On the OfficeScan management console, go to Agents > Agent Management
Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Real-time Scan Settings
In the Target tab, under the Scan Exclusion, enable the following:
Enable scan exclusion
Apply scan exclusion settings to all scan types
Add the following folders to the Scan Exclusion List (Directories)
Drive:\Program Files\Call Manager
Drive:\Program Files\Call Manager Serviceability
Drive:\Program Files\Call Manager Attendant
Click on Save button
Configure Update Settings
On the OfficeScan management console, go to Agents > Agent Management
Select the Cisco Callmanager Agents, go to Updates > Agents > Automatic Update
Uncheck Perform Scan Now after update (roaming agents excluded)
Click on Save.
Turn off Scheduled Scan for Virus/Malware and Spyware/Grayware
On the OfficeScan management console, go to Agents > Agent Management
Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Scheduled Scan Settings
Uncheck the following:
Enable virus/malware scan
Enable spyware/grayware scan
138 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Click on Save.
Disable OfficeScan Firewall
On the OfficeScan management console, go to Agents > Agent Management
Select the Cisco Callmanager Agents, go to Settings > Additional Service Settings
Under Firewall Service, uncheck Enable service on the following operating systems
Click on Save.
Delay the startup of Realtime Scan service by making it dependent on Call Manager service.
Open the Registry Editor.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add the following value:
Type: Multi-string value (REG_MULTI_SZ) Name: DependOnService Value: <Type the name or names of the services that you prefer to start before this service with one entry for each line. The name of the service you would enter in the Data dialog box is the exact name of the service as it appears in the registry under the Services key.>
Restart the computer for the changes to take effect.
7.6 > Recommended Scan-Exclusion List
Database and encrypted type files should generally be excluded from scanning to avoid performance and functionality issues. Below are exclusions to consider depending on the type of machine you are installing the OfficeScan agent on.
General Exclusions for all Windows platforms
Pagefile.sys
*.pst
%systemroot%\System32\Spool (replace %systemroot% with actual directory)
%systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with actual directory)
%allusersprofile%\NTUser.pol
%Systemroot%\system32\GroupPolicy\registry.pol
Appian Enterprise
139 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Refer to the Knowledgebase article: Appian Enterprise slows down or hangs when installed with OfficeScan or ServerProtect.
Acronis Backup & Recovery
Refer to the Acronis article: Acronis Backup & Recovery: Exclude Program Folders and Executables from Security Programs.
ARCserve
For more information, refer to the following ARCserver articles:
Antivirus Process and Folder Exclusions for ARCserve Backup
CA ARCserve RHA best practices with regards to Anti-virus exclusion
How to exclude Arcserve RHA spool folder from the antivirus scans
ARCserve D2D
AutoDesk Inventor / AutoCAD
C:\Program Files\Autodesk\Inventor 2013\Bin\Inventor.exe
C:\Program Files\Autodesk\Vault Professional 201\Explorer\Connectivity.VaultPro.exe
C:\Program Files\Autodesk\AutoCAD 2013\acad.exe
C:\Program Files\Autodesk\Inventor Fusion 2013\Inventor Fusion.exe
C:\Program Files\Autodesk\DWG TrueView 2013\dwgviewr.exe
C:\Program Files (x86)\Autodesk\Autodesk Design Review 2013\DesignReview.exe
C:\Program Files\Autodesk\Product Design Suite 2013\Bin\ProductDesignSuite.exe
BlackBerry Enterprise
For BlackBerry exlusions, refer to:
Anti-virus exclusions for the BlackBerry Enterprise Server
Anti-virus exclusions for BlackBerry Enterprise Service 10
Cisco CallManager
Drive:\Program Files\Call Manager
140 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Drive:\Program Files\Call Manager Serviceability
Drive:\Program Files\Call Manager Attendant
Citrix Exclusions
On Citrix systems, the following extensions have been causing performance problems. Exclude these file extensions to avoid any performance problems: *.LOG, *.DAT, *.TMP, *.POL, *.PF.
General Citrix exclusions: *\Users\*\ShareFile\ *\Citrix Resource Manager\LocalDB *\ICAClient\Cache *\SoftwareDistribution\Datastore *\System32\Spool *\Users\*\ShareFile *\Program Files (x86)\Citrix\Deploy *\Program Files (x86)\Citrix\Independent Management Architecture *\Program Files (x86)\Citrix\RadeCache *\Windows\System32\spool\PRINTERS
For more information, refer to the Citrix articles:
Citrix Guidelines for Antivirus Software Configuration
Citrix Consolidated List of Antivirus Exclusions
Domino Data Directory
The data directory is used to store Domino email messages. Repeated scanning of this folder while it is being updated with new messages is not an efficient way to scan locally stored email. Use virus scanning applications such as ScanMail for Domino to handle email viruses. By default, the Domino data directory for a non-partitioned installation is <drive>: \ Lotus \ Domino \ Data.
Microsoft Exchange Server
Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications like ScanMail for Exchange to handle email viruses. Installable File System (IFS) drive M must also be excluded to prevent the corruption of the Exchange Information Store.
Exchange 5.5
<drive>: \ EXCHSRVR \ IMCData
<drive>: \ EXCHSRVR \ MDBData
Exchange 2000
<drive>: \ EXCHSRVR \ MDBData
<drive>: \ EXCHSRVR \ MTAData
<drive>: \ EXCHSRVR \ Mailroot
<drive>: \ EXCHSRVR \ SrsData
<drive>: \ WINNT \ system32 \ InetSrv
141 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Exchange 2003
<drive>: \ EXCHSRVR \ MDBData
<drive>: \ EXCHSRVR \ MTAData
<drive>: \ EXCHSRVR \ Mailroot
<drive>: \ EXCHSRVR \ SrsData
<drive>: \ WINNT \ system32 \ InetSrv
<drive>: \ EXCHSRVR \ MdbDataUtility
Exchange 2007
Refer to this Microsoft article:
http://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx
Exchange 2010
http://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx
Exchange 2013
http://technet.microsoft.com/en-us/library/bb332342.aspx
FAST Search Server 2010 for SharePoint
Refer to this Microsoft article: Review hardware and software requirements (FAST Search Server 2010 for SharePoint).
Mapped Drives / Shared Folders
This option is best disabled. If it is enabled, it may create unnecessary network traffic when the end users access remote paths or mapped network drives. It can severely impact the user’s experience. Consider disabling this function if all workstations have OfficeScan agent installed, and updated to the latest virus signature.
Microsoft Active Directory Domain Controller
<drive>: \ WINNT \ SYSVOL
<drive>: \ WINNT \ NTDS
<drive>: \ WINNT \ ntfrs
<drive>: \ WINNT \ system32 \ dhcp
<drive> : \ WINNT \ system32 \ dns
Microsoft IIS Server
142 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Web Server log files should be excluded from scanning. By default, IIS logs are saved in
<drive>: \ WINNT \ system32 \ LogFiles
<drive>: \ WINNT \ system32 \ IIS Temporary Compressed Files
Microsoft IIS 7.0 Server
Web Server log files should be excluded from scanning. By default, IIS logs are saved in
<drive>:\inetpub\logs\
Microsoft Internet Security and Acceleration Server (ISA)
<drive>: \ Program Files \ Microsoft ISA Server \ ISALogs
<drive>: \ Program Files \ Microsoft SQL Server \ MSSQL$MSFW \ Data
Microsoft Lync
Microsoft Lync 2010
Specifying Antivirus Scanning Exclusions
Microsoft Lync 2013
Antivirus Scanning Exclusions for Lync Server 2013
Microsoft Operations Manager Server (MOM)
<drive>: \ Documents and Settings \ All Users \ Application Data \ Microsoft \ Microsoft
Operations Manager
<drive>: \ Program Files \ Microsoft Operations Manager 2005
Microsoft SharePoint Portal Server
<drive>: \ Program Files \ SharePoint Portal Server
<drive>: \ Program Files \ Common Files \ Microsoft Shared \ Web Storage System
<drive>: \ Windows \ Temp \ Frontpagetempdir
M:\
Microsoft SharePoint Servers Foundation 2010
Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
143 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
Drive:\Users\ServiceAccount\AppData\Local\Temp
Drive:\Users\Default\AppData\Local\Temp
Drive:\Users\the account that the search service is running as\AppData\Local\Temp
Drive:\WINDOWS\system32\LogFiles
Drive:\Windows\Syswow64\LogFiles
Reference: Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint.
Microsoft SharePoint Server 3.0 / 2007 / 2010
Drive:\Program Files\Microsoft Office Servers
Drive:\Program Files\Common Files\Microsoft Shared\Web Service Extensions
Drive:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
Drive:\Documents and Settings\All Users\Application Data\Microsoft\SharePoint\Config
Drive:\Windows\Temp\WebTempDir
Drive:\Documents and Settings\the account that the search service is running as\Local Settings\Temp\
Drive:\WINDOWS\system32\LogFiles
Reference: http://support.microsoft.com/kb/952167
Microsoft SQL Server
Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, they exclude the directory and backup folders from the scan list. If it is necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.
<drive>:\ WINNT \ Cluster (if using SQL Clustering)
<drive>: \ Program Files \ Microsoft SQL Server \ MSSQL \ Data
Q:\ (if using SQL Clustering)
C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data
File extensions to exclude: .mdf, .ldf, .ndf, .bak, .tm
Considerations for clustering
You can run antivirus software on a SQL Server cluster. However, you must make sure that the antivirus software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and interoperability.
If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning:
144 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
Q:\ (Quorum drive)
C:\Windows\Cluster
SQL Server 2005
%ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe
SQL Server 2008
%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv.exe
SQL Server 2008 R2
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe
SQL Server 2012
%ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe
Microsoft Systems Management Server (SMS)
SMS \ Inboxes \ SMS_Executive Thread Name
SMS_CCM \ ServiceData
SMS \ Inboxes
Microsoft Windows System Update Server (WSUS)
<drive:>\ WSUS
<drive:>\ WsusDatabase
<drive:>\MSSQL$WSUS
You can refer to the following Microsoft article for additional information: Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied
MySQL
145 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
MySQL main directory - <Drive>:\mysql\
MySQL Temporary Files - Uses the Windows system default, which is usually C:\windows\temp\
Novell Zenworks
C:\Program Files\Novell\Zenworks
C:\Program Files\Novell\ZENworks\logs\ExternalStore
C:\Program Files\Novell\ZENworks\cache\zmd\ZenCache\metaData
C:\Program Files\Novell\ZENworks\cache\zmd
Exclude the following files: NalView.exe, RMenf.exe, ZenNotifyIcon.exe, ZenUserDaemon.exe, casa.msi, dluenf.dll, fileInfo.db, lcredmgr.dll, objInfo.db
Exclude the following extensions: .APPSTATE, .LOG, .TMP, .ZC
Oracle
.dbf - Database file
.log - Online Redo Log
.rdo - Online Redo Log
.arc - Archive log
.ctl - Control files
RA-MICRO
C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-E
C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO
C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO Software GmbH
C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA- MICRO_Software_GmbH
C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA-MICRO
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\RA-MICRO
SAP
SAP ABAP or Java installs:
\usr\sap\
SAP Content Server Install:
\SAPDB\
SAP Printer Server:
146 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
SAPSprint.exe
Servers where are SAPGui is installed:
lsagent.exe
During SAP installs or upgrades, it is recommended to exclude the base SAPinst directories and subdirectories:
..\Program Files\SAPinst_instdir\
ScanMail for Exchange (SMEX) 7.0
..\Smex\Temp
..\Smex\Storage
..\Smex\ShareResPool\
SMART Notebook Express
File Exclusions:
java.exe
notebook-express.exe
C:\WINDOWS\Prefetch\NOTEBOOK-EXPRESS.EXE*
C:\WINDOWS\Prefetch\JAVA.EXE*
Folder Exclusions:
*\smarttech
*\notebook-express-server
C:\Documents and Settings\*\Local Settings\Temp\Jetty*
C:\Program Files\SMART Technologies
Symantec Backup Exec
~\Symantec\Backup Exec\beremote.exe
~\Symantec\Backup Exec\beserver.exe
~\Symantec\Backup Exec\bengine.exe
~\Symantec\Backup Exec\benetns.exe
~\Symantec\Backup Exec\pvlsvr.exe
~\Symantec\Backup Exec\BkUpexec.exe
VMWare
Other file extension types that should be added to the exclusion list include large flat and designed files, such as VMWare disk partition. Scanning VMWare partitions while attempting to access them can affect session loading
147 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
performance and the ability interact with the virtual machine. Exclusions can be configured for the directories that contain the Virtual Machines, or by excluding *.vmdk and *.vmem files.
Volume Shadow Copies
Backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume shadow copies have read-only access.
You can refer to the Knowledgebase article: Excluding Volume Shadow copies from OfficeScan agent real-time scans.
It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service. Refer to this Microsoft article: A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003.
Other Trend Micro Products
Make sure the checkbox for "Do not scan the directories where Trend Micro products are installed." is enabled in WFBS’s Exclusion List settings (Security Settings>Antivirus/Anti-spyware>Exclusions).
7.7 > Some Common Server Ports
Application Ports Protocol
FTP 21 TCP
Telnet 23 TCP
SMTP 25 TCP
WINS Replication 42 TCP
DNS 53 TCP/UDP
Web server 80 TCP
Kerberos Authentication 88 TCP/UDP
POP3 110 TCP
Windows Time Synchronization Protocol – NTP 123 UDP
RPC 135 TCP
NetBIOS Name, Netlogon and Browsing 137,138 TCP
148 | O F F I C E S C A N C O R P O R A T E E D I T I O N © 2013 Trend Micro Inc.
TECHNICAL SUPPORT Best Practice Guide
NetBIOS Session 139 UDP
IMAP4 143 TCP
IMAP3 220 TCP
LDAP 389 TCP/UDP
SSL (Secure Sockets Layer) Web server 443 TCP
Server message block (SMB) for Netlogon, LDAP conversion, and Microsoft Distributed File System (DFS) discovery
445
TCP
SQL Server 1433 TCP
PPTP 1723 TCP
Global Catalog LDAP 3268 TCP/UDP
Remote Desktop (Terminal Services) 3389 TCP
Citrix Server 1494,2598 TCP
Note: It is advisable to disable the firewall of the OSCE agents that are installed on the server platform.
Date Revision Editor
10/19/2011 Document created Alp Deveci, Jill Maceda, Jessie Prevost, Alwin Yu
2/5/2014 Updated for Sp3 Alp Deveci