OfficeScan™ 10 For Enterprise and Medium Business Administrator’s Guide Endpoint Security
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at: http://www.trendmicro.
The user documentation for Trend Micro OfficeScan introduces the main features of the software and installation instructions for your production environment. Read through it before installing or using the software. Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro’s Web site. Trend Micro always seeks to improve its documentation.
Contents

Preface
  OfficeScan Documentation (page xvi)
  Audience (page xvii)
  Document Conventions (page xvii)
  Terminology
Section 1: Protecting Networked Computers

Chapter 3: Installing the OfficeScan Client
  Installation Requirements (page 3-2)
  Installation Methods (page 3-11)
    Installing from the Web Install Page (page 3-13)
    Initiating Browser-based Installation
Chapter 4: Keeping Protection Up-to-Date
  OfficeScan Components and Programs (page 4-2)
    Antivirus Components (page 4-2)
    Damage Cleanup Services Components (page 4-5)
    Anti-spyware Components (page 4-6)
    Firewall Components
    Update Source for Update Agents (page 4-39)
      Update Agent Customized Update Source (page 4-39)
      Update Agent Standard Update Source (page 4-41)
      Update Agent Component Duplication (page 4-42)
    Update Methods for Update Agents (page 4-42)
  Component Update Summary
    Security Risk Notifications for Administrators (page 5-45)
    Security Risk Notifications for Client Users (page 5-46)
  Security Risk Logs (page 5-48)
    Virus/Malware Logs (page 5-48)
    Spyware/Grayware Logs
Chapter 7: Using the OfficeScan Firewall
  About the OfficeScan Firewall (page 7-2)
  Firewall Policies and Profiles (page 7-4)
    Firewall Policies (page 7-5)
      Adding and Modifying a Firewall Policy
  OfficeScan Database Backup (page 8-21)
  OfficeScan Web Server Information (page 8-23)
  Web Console Password (page 8-23)
  Quarantine Manager (page 8-24)
  Server Tuner
    Client Self-protection (page 9-27)
    Reserved Disk Space (page 9-28)
    Network Virus Log Consolidation (page 9-29)
    Virus/Malware Log Bandwidth Setting (page 9-29)
    Automatic Proxy Configuration
    Default Policies (page 10-16)
  Synchronization (page 10-17)
  Certificates (page 10-17)
    The CA Certificate (page 10-19)
  Policy Server System Requirements
Chapter 11: Configuring OfficeScan with Third-party Software
  Overview of Check Point Architecture and Configuration (page 11-2)
    OfficeScan Integration (page 11-3)
  Check Point for OfficeScan Configuration (page 11-4)
  SecureClient Support Installation
  Contacting Trend Micro (page 12-15)
    Technical Support (page 12-15)
    The Trend Micro Knowledge Base (page 12-16)
    TrendLabs (page 12-17)
    Security Information Center
List of Tables

Table P-1. OfficeScan documentation (page xvi)
Table P-2. Document conventions (page xvii)
Table P-3. OfficeScan terminology (page xviii)
Table 1-1. Client features (page 1-9)
Table 1-1.
Table 3-14. Software/Hardware specifications (page 3-32)
Table 3-15. Domain structure (page 3-32)
Table 3-16. Network traffic (page 3-33)
Table 3-17. Network size (page 3-33)
Table 3-18.
Table 5-2. Files that OfficeScan can decrypt and restore (page 5-36)
Table 5-32. Restore parameters (page 5-39)
Table 5-33. Token variables for security risk notifications (page 5-45)
Table 5-34. Token variables for outbreak notifications (page 5-59)
Table 5-35. Device permissions
Preface

Welcome to the Trend Micro™ OfficeScan™ Administrator’s Guide. This document discusses getting started information, client installation procedures, and OfficeScan server and client management.
OfficeScan Documentation

OfficeScan documentation includes the following:

TABLE P-1.
Audience

OfficeScan documentation is intended for the following users:
• OfficeScan Administrators: Responsible for OfficeScan management, including server and client installation and management. These users are expected to have advanced networking and server management knowledge.
• Cisco NAC administrators: Responsible for designing and maintaining security systems with Cisco NAC servers and Cisco networking equipment. They are assumed to have experience with this equipment.
TABLE P-2. Document conventions (Continued)

CONVENTION: Note: text
DESCRIPTION: Provides configuration notes or recommendations

CONVENTION: Tip: text
DESCRIPTION: Provides best practice information and Trend Micro recommendations

CONVENTION: WARNING! text
DESCRIPTION: Provides warnings about activities that may harm computers on your network

Terminology

The following table provides the official terminology used throughout the OfficeScan documentation:

TABLE P-3.
TABLE P-3. OfficeScan terminology (Continued)

TERMINOLOGY: Administrator (or OfficeScan administrator)
DESCRIPTION: The person managing the OfficeScan server

TERMINOLOGY: Console
DESCRIPTION: The user interface for configuring and managing OfficeScan server and client settings. The console for the OfficeScan server program is called "Web console", while the console for the client program is called "client console".
TABLE P-3. OfficeScan terminology (Continued)

TERMINOLOGY: Server installation folder
DESCRIPTION: The folder on the computer that contains the OfficeScan server files.
Chapter 1: Introducing OfficeScan

Topics in this chapter:
• About OfficeScan on page 1-2
• New in this Release on page 1-2
• Key Features and Benefits on page 1-5
• The OfficeScan Server on page 1-7
• The OfficeScan Client on page 1-9
• Smart Scan Server on page 1-10
About OfficeScan

Trend Micro™ OfficeScan™ protects enterprise networks from malware, network viruses, Web-based threats, spyware, and mixed threat attacks. An integrated solution, OfficeScan consists of a client program that resides at the endpoint and a server program that manages all clients. The client guards the endpoint and reports its security status to the server.
For smart scan deployment information, refer to the Trend Micro Smart Scan for OfficeScan Getting Started Guide.

Active Directory Integration

OfficeScan leverages Microsoft™ Active Directory™ services to enforce security compliance within the organization. By polling Active Directory regularly, OfficeScan can detect computers without security software and install the client to the computer.
Platform Support

This product release supports server and client installations on Windows Server™ 2008 and virtualization applications such as VMware™. See Installation Requirements on page 3-2 for a list of client installation requirements and the Installation and Upgrade Guide for a list of server installation requirements.
Key Features and Benefits

OfficeScan provides the following features and benefits:

Security Risk Protection

OfficeScan protects computers from security risks by scanning files and then performing a specific action for each security risk detected. An overwhelming number of security risks detected over a short period of time signals an outbreak. To contain outbreaks, OfficeScan enforces outbreak prevention policies and isolates infected computers until they are completely risk-free.
Because Damage Cleanup Services runs automatically in the background, you do not need to configure it. Users are not even aware when it runs. However, OfficeScan may sometimes notify the user to restart their computer to complete the process of removing a Trojan.

OfficeScan Firewall

The OfficeScan firewall protects clients and servers on the network using stateful inspections, high performance network virus scans, and elimination.
and delivers comprehensive reporting. Administrators can perform remote administration, set customized policies for individual desktops or groups, and lock client security settings.

Plug-in Manager and Plug-in Programs

Plug-in programs, along with new product versions, service packs, and patches, are designed to add new features and security capabilities into OfficeScan, and enhance the product's performance.
[FIGURE 1-1. How the OfficeScan server works. Diagram labels: Internet, OfficeScan server, Web console, OfficeScan clients. Captions: The OfficeScan server downloads components from the ActiveUpdate server. Manage the OfficeScan server and clients through the Web console.]

The OfficeScan server is capable of providing real-time, bidirectional communication between the server and clients.
The OfficeScan Client

Protect Windows computers from security risks by installing the OfficeScan client on each computer. The client provides three methods of scanning: Real-time Scan, Scheduled Scan, and Manual Scan. The client reports to the parent server from which it was installed. Configure clients to report to another server by using the Client Mover tool. The client sends events and status information to the server in real time.
TABLE 1-1.
There are no component download overlaps between the Smart Scan Server and the OfficeScan server because each server downloads a specific set of components. A Smart Scan Server only downloads the Smart Scan Pattern while the OfficeScan server downloads all the other components. See OfficeScan Components and Programs on page 4-2 for more information on components.
Smart Scan Server Types

The Smart Scan Server to which a client connects depends on the client’s location. Internal smart scan clients connect to a local Smart Scan Server, while external smart scan clients connect to the Trend Micro Global Smart Scan Server. The following table provides a comparison between the two Smart Scan Server types:

TABLE 1-1.
Chapter 2: Getting Started with OfficeScan

Topics in this chapter:
• The Web Console on page 2-2
• Security Summary on page 2-5
• The OfficeScan Client Tree on page 2-11
• OfficeScan Domains on page 2-20
• Security Compliance on page 2-22
The Web Console

The Web console is the central point for monitoring OfficeScan throughout the corporate network. The console comes with a set of default settings and values that you can configure based on your security requirements and specifications. The Web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.
On the Web browser, type one of the following in the address bar based on the type of OfficeScan server installation:

TABLE 2-1.
The Web Console Banner

The banner area of the Web console provides the following options:

FIGURE 2-1.
Security Summary

The Summary screen appears when you open the OfficeScan Web console or click Summary in the main menu. View the current status of your product licenses and the overall security risk protection, and take action on items that require immediate intervention, such as outbreaks or outdated components.

Tip: Refresh the screen periodically to get the latest information.

Product License Status

View the status of your product licenses in this section.

FIGURE 2-2.
If you have obtained an Activation Code, renew a license by going to Administration > Product License.

Networked Computers

The All tab displays the following information:

FIGURE 2-3.
The Conventional Scan tab displays the following information:

FIGURE 2-4.
The Smart Scan tab displays the following information:

FIGURE 2-5. Summary screen - Smart Scan tab

• The connection status of smart scan clients with the OfficeScan server
• The connection status of online smart scan clients with Smart Scan Servers

Note: Only online clients can report their connection status with Smart Scan Servers.
Top 10 Security Risk Statistics

A link on the Detection Status table opens a screen containing top 10 security risk statistics.

FIGURE 2-6. Top 10 Security Risks screen

Tasks on this screen:
• View detailed information about a security risk by clicking the security risk name.
• View the overall status of a particular computer by clicking the computer name.
• View security risk logs for that computer by clicking View corresponding to a computer name.
Outbreak Status

The Outbreak Status table provides the status of any current security risk outbreaks and the last outbreak alert.

FIGURE 2-7. Summary screen - Outbreak Status section

View outbreak details by clicking the date/time link of the alert. Reset the status of the outbreak alert information and immediately enforce outbreak prevention measures when OfficeScan detects an outbreak.
For each program, view the clients that have not been upgraded by clicking the number link corresponding to the program.

Note: To upgrade Cisco Trust Agent, go to Cisco NAC > Agent Deployment.

The OfficeScan Client Tree

The Java-based client tree displays all the clients (grouped into OfficeScan Domains) that the server currently manages. Clients are grouped into domains so you can simultaneously configure, manage, and apply the same configuration to all domain members.
Client Tree General Tasks

Below are the general tasks you can perform when the client tree displays:
• Click the root icon to select all domains and clients. When you select the root icon and then choose a task above the client tree, a screen for configuring settings displays.
• Refresh the client tree by clicking .
• View client statistics below the client tree, such as the total number of clients, number of smart scan clients, and number of conventional scan clients.

Advanced Search Options

Search for clients based on the following criteria:
• Basic: Includes basic information about the computers such as IP address, operating system and MAC address.
Networked Computers > Client Management

Manage general client settings on this screen.

FIGURE 2-10. Client Management screen

Tasks:

TABLE 2-2. Client management tasks

MENU BUTTON: Status
TASK: View detailed client information. For details, see Client Information on page 9-43.

MENU BUTTON: Tasks
TASK:
• Run Manual Scan on client computers. For details, see Initiating Scan Now on page 5-24.
• Uninstall the client.
TABLE 2-2. Client management tasks (Continued)

MENU BUTTON: Settings
TASK:
• Choose from the available scan methods. For details, see Scan Methods on page 5-8.
• Configure settings for each scan type. For details, see the following topics:
  • Manual Scan on page 5-21
  • Real-time Scan on page 5-19
  • Scheduled Scan on page 5-22
  • Scan Now on page 5-23
• Assign clients as Update Agents. For details, see Update Agent Configuration on page 4-38.
TABLE 2-2. Client management tasks (Continued)

MENU BUTTON: Logs
TASK:
View the following logs:
• Virus/Malware Logs on page 5-48
• Spyware/Grayware Logs on page 5-54
• Firewall Logs on page 7-17
• Web Reputation Logs on page 6-7
• Device Control Logs on page 5-67
Manage logs. For details, see Log Maintenance on page 8-18.

MENU BUTTON: Manage Client Tree
TASK: Manage OfficeScan domains. For details, see OfficeScan Domains on page 2-20.
Networked Computers > Outbreak Prevention

Task: Specify and activate outbreak protection settings.

FIGURE 2-11. Outbreak Prevention screen

Updates > Networked Computers > Manual Update > Manually Select Clients

Task: Initiate manual update on clients.

FIGURE 2-12.
Updates > Rollback > Synchronize with Server

Task: Perform component rollback.

FIGURE 2-13.
Logs > Networked Computer Logs > Security Risks

View and manage logs on this screen.

FIGURE 2-14. Security Risk Logs screen

Tasks:
• View the following logs:
  • Virus/Malware Logs
  • Spyware/Grayware Logs
  • Firewall Logs
  • Web Reputation Logs
  • Device Control Logs
• Perform log maintenance.
Cisco NAC > Agent Deployment

Task: Perform Cisco Trust Agent Deployment.

FIGURE 2-15. Agent Deployment screen

OfficeScan Domains

A domain in OfficeScan is a group of clients that share the same configuration and run the same tasks. By grouping clients into domains, you can simultaneously configure, manage, and apply the same configuration to all domain members. For ease of management, group clients based on their departments or the functions they perform.
To add a domain:

PATH: NETWORKED COMPUTERS > CLIENT MANAGEMENT > MANAGE CLIENT TREE > ADD DOMAINS

1. Type a name for the domain you want to add.
2. Click Add. The new domain appears in the client tree.

To delete a domain or client:

PATH: NETWORKED COMPUTERS > CLIENT MANAGEMENT > MANAGE CLIENT TREE > REMOVE DOMAIN/CLIENT

1. To delete a domain, delete or move all clients under it.
To move a client:

PATH: NETWORKED COMPUTERS > CLIENT MANAGEMENT > MANAGE CLIENT TREE > MOVE CLIENT

1. Select whether to move clients to another domain or OfficeScan server.
   a. To move clients to another domain, select Move selected client(s) to another domain, choose the domain from the drop-down list, and decide whether or not to apply the settings of the new domain to the clients.
Active Directory Scope and Query

When using Security Compliance for the first time, define the Active Directory scope, which includes Active Directory objects that the OfficeScan server will query on demand or periodically. After defining the scope, start the query process.

To configure the Active Directory scope and start the query process:

PATH: SECURITY COMPLIANCE

1. On the Active Directory Scope section, click Define.
4. Choose whether to check a computer’s connectivity using a particular port number. When connection is not established, OfficeScan immediately treats the computer as unreachable. The default port number is 135.

   Tip: Enabling this setting speeds up the Active Directory query.
TABLE 2-3. Computer protection status (Continued)

STATUS: Unreachable
DESCRIPTION: The OfficeScan server cannot connect to the computer and therefore cannot determine whether there is no client installed on the computer or, if a client is installed, whether the client is managed by another OfficeScan server or is unmanaged.

Note: The OfficeScan server database contains a list of clients that the server manages.
OfficeScan Client Installation

Before installing the client, take note of the following:

1. Record the logon credentials for each computer. OfficeScan will prompt you to specify the logon credentials during installation.
2. The OfficeScan client will not be installed on a computer if:
   • The OfficeScan server is installed on the computer.
   • The computer runs Windows XP Home, Windows Vista™ Home Basic, and Windows Vista Home Premium.
To install the OfficeScan client:

PATH: SECURITY COMPLIANCE

1. Click Install on top of the client tree. If an earlier OfficeScan client version is already installed on a computer and you click Install, the installation will be skipped and the client will not be upgraded to this version. To upgrade the client, see Update Settings on page 9-15.
2. Specify the administrator logon account for each computer and click Log on.
Section 1 Protecting Networked Computers
Chapter 3: Installing the OfficeScan Client

Topics in this chapter:
• Installation Requirements on page 3-2
• Installation Methods on page 3-11
• Migrating to the OfficeScan Client on page 3-44
• Post-installation on page 3-48
• Uninstalling the Client on page 3-50
Installation Requirements

The OfficeScan client can be installed on computers running the following platforms:
• Windows 2000
• Windows XP/2003, 32-bit version
• Windows XP/2003, 64-bit version
• Windows Vista, 32-bit and 64-bit versions
• Windows 2008, 32-bit version
• Windows 2008, 64-bit version

TABLE 3-4.
TABLE 3-5.
TABLE 3-5. Windows XP/2003, 32-bit version (Continued)

RESOURCE: Others
REQUIREMENT:
• Microsoft Internet Explorer 6.0 or later if performing Web setup
• Disable Simple File Sharing on Windows XP computers so users can successfully install the OfficeScan client program (see the Windows documentation for instructions).

TABLE 3-6.
TABLE 3-6. Windows XP/2003, 64-bit version (Continued)

RESOURCE: Hardware
REQUIREMENT:
Processor
• Intel x64 processor
• AMD64 processor
RAM: 256MB minimum, 512MB recommended
Available disk space: 350MB minimum
Others: Monitor that supports 800 x 600 resolution at 256 colors

RESOURCE: Others
REQUIREMENT:
• Microsoft Internet Explorer 6.
TABLE 3-7.
TABLE 3-7. Windows Vista, 32-bit and 64-bit versions (Continued)

RESOURCE: Others
REQUIREMENT: Windows Internet Explorer 7.

TABLE 3-8.
TABLE 3-8. Windows 2008, 32-bit version (Continued)

RESOURCE: Others
REQUIREMENT: Windows Internet Explorer 7.

TABLE 3-9.
TABLE 3-9. Windows 2008, 64-bit version (Continued)

RESOURCE: Others
REQUIREMENT: Windows Internet Explorer 7.0 or later if performing Web setup

Compatibility List

OfficeScan is compatible with the following third-party products:
• Citrix XenApp™ Server 4.5 & 5.0 (32-bit and 64-bit)
• Microsoft ActiveSync™ 4.2, 4.
Installation Methods

This section provides a summary of the different client installation methods to perform fresh installation of the OfficeScan client. All installation methods require local administrator rights on the target computers.

TABLE 3-10.
Send the following instructions to users to install the OfficeScan client from the Web install page. To send a client installation notification through email, see Initiating Browser-based Installation on page 3-15.

To install from the Web install page:

1. Log on to the computer using a built-in administrator account.
2. If installing to a computer running Windows XP, Vista, and 2008, perform the following steps:
Initiating Browser-based Installation

Set up an email message that instructs users on the network to install the OfficeScan client. Users click the client installer link provided in the email to start the installation.

Before you install clients:
• Check the client installation requirements.
• Identify which computers on the network currently do not have protection against security risks. Perform the following tasks:
  • Run the Trend Micro Vulnerability Scanner.
For remote desktop installation using AutoPcc.exe:
• The computer must be run in Mstsc.exe /console mode. This forces the AutoPcc.exe installation to run in session 0.
• Map a drive to the "ofcscan" folder and execute AutoPcc.exe from that point.

Program and Component Updates

AutoPcc.exe updates the program files and the antivirus, anti-spyware, and Damage Cleanup Services components.
To add AutoPcc.exe to the login script using Login Script Setup:

1. On the computer you used to run the server installation, click Programs > Trend Micro OfficeScan Server > Login Script Setup from the Windows Start menu. The Login Script Setup utility loads. The console displays a tree showing all domains on the network.
2. Locate the server whose login script you want to modify, select it, and then click Select.
Installing with Client Packager

Client Packager can compress Setup and update files into a self-extracting file, which you can then send to users using conventional media such as CD-ROM. When users receive the package, all they have to do is run the Setup program on the client computer. Client Packager is especially useful when deploying the client program or components to clients in low-bandwidth remote offices.
TABLE 3-11. Client package types (Continued)

PACKAGE TYPE: MSI
DESCRIPTION: Select MSI to create a package that conforms to the Microsoft Installer Package format. The package also installs the OfficeScan client program with the components currently available on the server. If the target computer has an earlier OfficeScan client version installed, running the MSI file upgrades the client.
Package deployment guidelines:

1. Send the package to users and ask them to run the client package on their computers by double-clicking the .exe or .msi file.

   WARNING! Send the package only to users whose OfficeScan client will report to the server where the package was created.

2. If you have users who will install the .exe package on computers running Windows Vista and 2008, instruct them to right-click the .exe file and select Run as administrator.
• If you will use the package to upgrade a client to this OfficeScan version, check the domain level scan method on the Web console. On the console, go to Networked Computers > Client Management, select the client tree domain to which the client belongs, and click Settings > Scan Methods. The domain level scan method should be consistent with the scan method for the package.
2. The OfficeScan server that manages the Update Agent will not be able to synchronize or deploy the following settings to the agent:
   • Update Agent privilege
   • Client scheduled update
   • Update from Trend Micro ActiveUpdate server
   • Updates from other update sources

   Therefore, deploy the client package only to computers that will not be managed by an OfficeScan server.
Check Point SecureClient Support

This tool adds support for Check Point™ SecureClient™ for Windows 2000/XP/Server 2003. SecureClient verifies the Virus Pattern version before allowing connection to the network. For details, see Overview of Check Point Architecture and Configuration on page 11-2.

Note: SecureClient does not verify the virus pattern versions on clients using smart scan.

Components

Select the components to include in the package.
7. Select a deployment method and then click OK.
• Assigned: The MSI package is automatically deployed the next time a user logs on to the computer (if you selected User Configuration) or when the computer restarts (if you selected Computer Configuration). This method does not require any user intervention.
6. Browse and select the MSI package file created by Client Packager, and then click Open. The MSI package name appears on the Package Definition screen. The package shows "Trend Micro OfficeScan Client" and the program version.
7. Click Next. The Source Files screen appears.
8. Click Always obtain files from a source directory, and then click Next. The Source Directory screen appears, displaying the name of the package you want to create and the source directory.
9.
To distribute the package to target computers:
1. On the Tree tab, click Advertisements.
2. On the Action menu, click All Tasks > Distribute Software. The Welcome screen of the Distribute Software Wizard appears.
3. Click Next. The Package screen appears.
4. Click Distribute an existing package, and then click the name of the Setup package you created.
5. Click Next. The Distribution Points screen appears.
6.
17. Click Yes, assign the program, and then click Next. Microsoft SMS creates the advertisement and displays it on the SMS Administrator console.
18. When Microsoft SMS distributes the advertised program (that is, the OfficeScan client program) to target computers, a screen displays on each target computer. Instruct users to click Yes and follow the instructions provided by the wizard to install the OfficeScan client to their computers.
3. Select the target computers.
• The Domains and Computers list displays all the Windows domains on the network. To display computers under a domain, double-click the domain name. Select a computer, and then click Add.
• If you have a specific computer name in mind, type the computer name in the field on top of the page and click Search.
OfficeScan prompts you for the target computer’s user name and password.
Installing from a Client Disk Image
Disk imaging technology allows you to create an image of an OfficeScan client using disk imaging software and make clones of it to other computers on the network. Each client installation needs a Globally Unique Identifier (GUID) so that the server can identify clients individually. Use an OfficeScan program called ImgSetup.exe to create a different GUID for each of the clones.
Using Vulnerability Scanner
Use Vulnerability Scanner to detect installed antivirus solutions, search for unprotected computers on the network, and install OfficeScan™ clients to computers. To determine if computers are protected, Vulnerability Scanner pings ports normally used by antivirus solutions.
TABLE 3-12. Network administration (Continued)
SETUP / EFFECTIVENESS OF VULNERABILITY SCANNER
• Centralized administration: Moderately effective
• Outsource service: Moderately effective
• Users administer their own computers: Not effective. Because Vulnerability Scanner scans the network for antivirus installation, it is not feasible to have users scan their own computers.
Network Topology and Architecture
TABLE 3-13.
Software/Hardware Specifications
TABLE 3-14. Software/Hardware specifications
SETUP / EFFECTIVENESS OF VULNERABILITY SCANNER
• Windows NT-based operating systems: Very effective. Vulnerability Scanner can easily install the OfficeScan client remotely to computers running NT-based operating systems, except Windows XP Home.
• Mixed operating systems: Moderately effective.
Network Traffic
TABLE 3-16. Network traffic
SETUP / EFFECTIVENESS OF VULNERABILITY SCANNER
• LAN connection: Very effective
• 512 Kbps: Moderately effective
• T1 connection and higher: Moderately effective
• Dialup: Not effective. It will take a long time to finish installing the OfficeScan client.
Network Size
TABLE 3-17. Network size
SETUP / EFFECTIVENESS OF VULNERABILITY SCANNER
• Very large enterprise: Very effective.
User Tasks
Perform the following tasks from Vulnerability Scanner:
• Installing the OfficeScan Client on page 3-34
• Managing General Settings on page 3-36
• Running Vulnerability Scan on page 3-40
• Creating a Scheduled Task on page 3-42
• Configuring Other Vulnerability Scanner Settings on page 3-43
Launching Vulnerability Scanner on Another Computer
You can launch Vulnerability Scanner on a computer other than the OfficeScan server computer.
To install OfficeScan client with Vulnerability Scanner:
1. If running Windows Vista Business, Enterprise, or Ultimate Edition, perform the following steps:
a. Enable a built-in administrator account and set the password for the account.
b. Click Start > Programs > Administrative Tools > Windows Firewall with Advanced Security.
c. For Domain Profile, Private Profile, and Public Profile, set the firewall state to "Off".
d.
Managing General Settings
To configure and manage the following Vulnerability Scanner settings, navigate to \PCCSRV\Admin\Utility\TMVS and double-click TMVS.exe:
Product Query
Select the products to check on the network. To prevent false alarms, select all check boxes. Click Settings next to the product name to verify the port number that Vulnerability Scanner will check.
TABLE 3-18. Security products checked by Vulnerability Scanner (Continued)
PRODUCT / DESCRIPTION
• ServerProtect for Linux: If the target computer does not run Windows, Vulnerability Scanner checks if it has ServerProtect for Linux installed by trying to connect to port 14942.
• ScanMail™ for Microsoft Exchange™: Vulnerability Scanner loads the Web page http://ipaddress:port/scanmail.html to check for ScanMail installation. By default, ScanMail uses port 16372.
TABLE 3-18. Security products checked by Vulnerability Scanner (Continued)
PRODUCT / DESCRIPTION
• McAfee VirusScan ePolicy Orchestrator: Vulnerability Scanner sends a special token to TCP port 8081, the default port of ePolicy Orchestrator for providing connection between the server and client. The computer with this antivirus product replies using a special token type. Vulnerability Scanner cannot detect the standalone McAfee VirusScan.
Notifications
To automatically send the results to yourself or to other administrators in your organization, select Email results to the system administrator, and then click Configure to specify email settings.
1. In To, type the email address of the recipient.
2. In From, type an email address to let the recipient know who sent the message.
3. In SMTP server, type the SMTP server address. For example, type smtp.company.com. The SMTP server information is required.
4.
OfficeScan Server Settings
Type the OfficeScan server name and port number. Vulnerability Scanner can auto-install the OfficeScan client on unprotected computers. Click Install to Account to configure the account. In the Account Information screen, type a user name and password that permits installation. Click OK. Vulnerability Scanner can also send logs to the OfficeScan server.
To run a vulnerability scan on computers requesting IP addresses from a DHCP server:
1. Configure DHCP settings in the TMVS.ini file found under the following folder: \PCCSRV\Admin\Utility\TMVS.
TABLE 3-19. DHCP settings in the TMVS.ini file
SETTING / DESCRIPTION
• DhcpThreadNum=x: Specify the thread number for DHCP mode. The minimum is 3, maximum is 100. The default value is 3.
4. Click Start. Vulnerability Scanner begins listening for DHCP requests and performing vulnerability checks on computers as they log on to the network. When it detects an unprotected computer and verifies that the computer's IP address belongs to the defined IP address range, Vulnerability Scanner runs remote installation to install the OfficeScan client.
5.
Configuring Other Vulnerability Scanner Settings
Some Vulnerability Scanner settings can be configured only from the TMVS.ini file.
To modify settings on the TMVS.ini file:
1. Navigate to \PCCSRV\Admin\Utility\TMVS and open TMVS.ini using a text editor such as Notepad.
2. To set the number of computers that Vulnerability Scanner simultaneously pings, change the value for EchoNum. Specify a value between 1 and 64.
Migrating to the OfficeScan Client
Migrate endpoint security software installed on a target computer to the OfficeScan client.
Migrating from Other Endpoint Security Software
When you install the OfficeScan client, the installation program checks for any Trend Micro or third-party endpoint security software installed on the target computer. The installation program can automatically uninstall the software and replace it with the OfficeScan client.
Migrating from ServerProtect Normal Servers
The ServerProtect™ Normal Server Migration Tool is a tool that helps migrate computers running Trend Micro ServerProtect Normal Server to OfficeScan client. The ServerProtect Normal Server Migration Tool shares the same hardware and software specification as the OfficeScan server. Run the tool on Windows 2000, 2003, and 2008 computers.
3. Select the OfficeScan server. The path of the OfficeScan server appears under OfficeScan server path. If it is incorrect, click Browse and select the PCCSRV folder in the directory where you installed OfficeScan. To enable the tool to automatically find the OfficeScan server again the next time you open the tool, select the Auto Find Server Path check box (selected by default).
4.
8. Click the computers on which to perform the migration.
a. To select all computers, click Select All.
b. To deselect all computers, click Unselect All.
c. To export the list to a comma-separated value (CSV) file, click Export to CSV.
9. If logging on to the target computers requires a user name and password, do the following:
a. Select the Use group account/password check box.
b. Click Set Logon Account. The Enter Administration Information window appears.
c.
Post-installation
After completing the installation, verify the following:
OfficeScan client shortcut
The Trend Micro OfficeScan Client shortcuts appear on the Windows Start menu on the client computer.
FIGURE 3-16. OfficeScan client shortcut
Programs list
Trend Micro OfficeScan Client is listed on the Add/Remove Programs list on the client computer’s Control Panel.
Recommended Post-installation Tasks
Trend Micro recommends performing the following post-installation tasks:
Component Updates
Notify clients to update their components to ensure that they have the most up-to-date protection from security risks. See Client Update on page 4-23 for details.
4. To test other computers on the network, attach the EICAR.com file to an email message and send it to one of the computers.
Tip: Trend Micro recommends packaging the EICAR file using compression software (such as WinZip) and then performing another test scan.
5. Check the notification status and verify if there are clients that did not receive the notification.
a. Click Select Un-notified Computers and then Initiate Uninstallation to immediately resend the notification to un-notified clients.
b. Click Stop Uninstallation to prompt OfficeScan to stop notifying clients currently being notified. Clients already notified and already performing uninstallation ignore this command.
Manually Uninstalling the Client
Perform manual uninstallation only if you encounter problems uninstalling the client from the Web console or after running the uninstallation program.
To perform manual uninstallation:
1. Log on to the client computer using an account with Administrator privileges.
2. Right-click the OfficeScan client icon on the system tray and select Unload OfficeScan.
6.
Keys:
• ntrtscan
• tmcfw
• tmcomm
• TmFilter
• Tmlisten
• tmpfw
• TmPreFilter
• TmProxy
• tmtdi
• VSApiNt
• tmlwf (For Windows Vista/2008 computers)
• tmwfp (For Windows Vista/2008 computers)
• tmactmon
• TMBMServer
• tmevtmgr
9. Close Registry Editor.
10. Click Start > Settings > Control Panel and double-click System.
11. Click the Hardware tab and then click Device Manager.
12. Click View > Show hidden devices.
13.
14. Uninstall the Common Firewall Driver.
a. Right-click My Network Places and click Properties.
b. Right-click Local Area Connection and click Properties.
c. On the General tab, select Trend Micro Common Firewall Driver and click Uninstall.
On Windows Vista computers, do the following:
a. Right-click Network and click Properties.
b. Click Manage network connections.
c. Right-click Local Area Connection and click Properties.
d.
Chapter 4
Keeping Protection Up-to-Date
Topics in this chapter:
• OfficeScan Components and Programs on page 4-2
• Update Overview on page 4-10
• OfficeScan Server Update on page 4-13
• Smart Scan Server Update on page 4-21
• Client Update on page 4-23
• Update Agents on page 4-37
• Component Update Summary on page 4-43
OfficeScan Components and Programs
OfficeScan makes use of components and programs to keep client computers protected from the latest security risks. Keep these components and programs up-to-date by running manual or scheduled updates. In addition to the components, OfficeScan clients also receive updated configuration files from the OfficeScan server. Clients need the configuration files to apply new settings.
Download the Virus Pattern and other OfficeScan pattern files from the following Web site, where you can also find the current version, release date, and a list of all the new virus definitions included in the file:
http://www.trendmicro.com/download/pattern.asp
Smart Scan
When in smart scan mode, OfficeScan clients use two lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns.
Virus Scan Engine
At the heart of all Trend Micro products lies the scan engine, which was originally developed in response to early file-based computer viruses. The scan engine today is exceptionally sophisticated and capable of detecting different types of viruses and malware. The scan engine also detects controlled viruses that are developed and used for research.
Virus Scan Driver
The Virus Scan Driver monitors user operations on files. Operations include opening or closing a file, and executing an application. There are three versions for this driver. One version is for Windows 2000 and its name is TmFilter.sys. The other two versions, TmXPFlt.sys and TmPreFlt.sys, are for operating systems other than Windows 2000. TmXPFlt.sys is used for real-time configuration of the Virus Scan Engine and TmPreFlt.sys for monitoring user operations.
Anti-spyware Components
Spyware Pattern
The Spyware Pattern identifies spyware/grayware in files and programs, modules in memory, Windows registry and URL shortcuts.
Spyware Scan Engine
The Spyware Scan Engine scans for and performs the appropriate scan action on spyware/grayware. This engine supports 32-bit and 64-bit platforms.
Spyware Active-monitoring Pattern
Spyware Active-monitoring Pattern is used for real-time spyware/grayware scanning.
Behavior Monitoring Components
Behavior Monitoring Driver
This kernel mode driver monitors system events and passes them to Behavior Monitoring Core Service for policy enforcement.
Programs
Client Program
The OfficeScan client program provides the actual protection from security risks.
Cisco Trust Agent
The Cisco Trust Agent enables communication between the client and routers that support Cisco NAC. This agent will only work if you install Policy Server for Cisco NAC.
This feature is available starting in OfficeScan 8.0 Service Pack 1 with patch 3.
• Clients upgraded from version 8.0 Service Pack 1 with patch 3 or later record installed hot fixes and patches for versions 8 and 10.
• Clients upgraded from versions earlier than 8.0 Service Pack 1 with patch 3 record installed hot fixes and patches for version 10 only.
Update Overview
All component updates originate from the Trend Micro ActiveUpdate server. When updates are available, the OfficeScan server and Smart Scan Server (local or global) download the updated components. There are no component download overlaps between the two servers because each one downloads a specific set of components.
TABLE 4-20. Server-client update options (Continued)
UPDATE OPTION / DESCRIPTION / RECOMMENDATION
• ActiveUpdate server: The OfficeScan server receives updated components from the ActiveUpdate server (or other update source) and initiates component update on clients. Clients acting as Update Agents then notify clients to update components.
Smart Scan Server Update
A Smart Scan Server downloads the Smart Scan Pattern. Smart scan clients do not download this pattern. Clients verify potential threats against the pattern by sending scan queries to the Smart Scan Server.
Note: See Smart Scan Server on page 1-10 for more information about Smart Scan Servers and Smart Scan Server Update on page 4-21 for server update details.
The following table describes the update process for Smart Scan Servers.
OfficeScan Server Update
The OfficeScan server downloads the following components and deploys them to clients:
TABLE 4-22.
TABLE 4-22. Components downloaded by the OfficeScan server (Continued)
COMPONENT / DISTRIBUTION: CONVENTIONAL SCAN CLIENTS / SMART SCAN CLIENTS
• Behavior Monitoring Core Service: Yes / Yes
• Behavior Monitoring Configuration Pattern: Yes / Yes
• Digital Signature Pattern: Yes / Yes
• Policy Enforcement Pattern: Yes / Yes
To enable the server to deploy the updated components to clients, configure automatic update settings.
Server Update Source
Configure the OfficeScan server to download components from the Trend Micro ActiveUpdate server or from another source. After the server downloads any available updates, it can automatically notify clients to update their components based on the settings you specified in Updates > Networked Computers > Automatic Update. If the component update is critical, let the server notify the clients at once by going to Updates > Networked Computers > Manual Update.
Proxy for Server Update
Configure server programs hosted on the server computer to use proxy settings when downloading updates from the Trend Micro ActiveUpdate server. Server programs include the OfficeScan server and the integrated Smart Scan Server.
To configure proxy settings:
PATH: ADMINISTRATION > PROXY SETTINGS > EXTERNAL PROXY TAB
1.
Component duplication applies to the following components:
• Virus Pattern
• Smart Scan Agent Pattern
• Virus Cleanup Template
• IntelliTrap Exception Pattern
• Spyware Pattern
• Spyware Active-monitoring pattern
Component Duplication Scenario
To explain component duplication for the server, refer to the following scenario:
TABLE 4-1.
2. The server merges the incremental pattern with its current full pattern to generate the latest full pattern.
To illustrate based on the example:
• On the server, OfficeScan merges version 171 with incremental pattern 171.175 to generate version 175.
• The server has 1 incremental pattern (171.175) and the latest full pattern (version 175).
3. The server generates incremental patterns based on the other full patterns available on the server.
To illustrate based on the example:
• The ActiveUpdate server has 14 incremental patterns: 173.175 171.175 169.175 167.175 165.175 163.175 161.175 159.175 157.175 155.175 153.175 151.175 149.175 147.175
• The OfficeScan server has 7 incremental patterns: 171.175 169.175 167.175 165.175 163.175 161.175 159.175
• The OfficeScan server downloads an additional 7 incremental patterns: 173.175 157.175 155.175 153.175 151.175 149.175 147.
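The duplication steps and the version 171 to 175 illustration above can be modelled in a few lines. This is an added example, not OfficeScan code: the function names are hypothetical, the list of older full patterns on the server (169 to 159) is inferred from the incremental patterns in the illustration, and the fallback to a full download is an assumption of the sketch.

```python
# Added example: a model of the component duplication steps, not OfficeScan code.

def parse_incremental(name):
    """Split an incremental pattern name such as '171.175' into (base, target)."""
    base, target = name.split(".")
    return int(base), int(target)


def merge(full_version, incremental):
    """Apply an incremental pattern to a full pattern; return the new version."""
    base, target = parse_incremental(incremental)
    if base != full_version:
        raise ValueError(f"{incremental} does not apply to full pattern {full_version}")
    return target


def plan_duplication(current_full, other_fulls, source_latest, source_incrementals):
    """Return what the server downloads and generates to reach source_latest."""
    # Index the source's incrementals that lead to the latest version by base.
    available = {}
    for name in source_incrementals:
        base, target = parse_incremental(name)
        if target == source_latest:
            available[base] = name

    plan = {"latest_full": current_full, "first_download": None,
            "generated": [], "extra_downloads": [], "full_download": False}
    if current_full >= source_latest:
        return plan  # nothing newer on the update source

    # Download only the incremental for the current version, then merge it.
    local_bases = set(other_fulls)
    if current_full in available:
        plan["first_download"] = available[current_full]
        plan["latest_full"] = merge(current_full, available[current_full])
    else:
        # Assumption of this sketch: no matching incremental means a full download,
        # after which the old current version is just another local full pattern.
        plan["full_download"] = True
        plan["latest_full"] = source_latest
        local_bases.add(current_full)

    # Generate incrementals locally from the other full patterns on the server.
    plan["generated"] = [f"{v}.{source_latest}"
                         for v in sorted(local_bases, reverse=True)
                         if v < source_latest]

    # Download only the incrementals the server still does not have.
    held = set(plan["generated"])
    if plan["first_download"]:
        held.add(plan["first_download"])
    plan["extra_downloads"] = [name
                               for _, name in sorted(available.items(), reverse=True)
                               if name not in held]
    return plan


# Values from the illustration: ActiveUpdate offers 173.175 down to 147.175.
ACTIVEUPDATE_INCREMENTALS = [f"{v}.175" for v in range(173, 145, -2)]
# Inferred (assumption): older full patterns still kept on the OfficeScan server.
OTHER_FULLS = [169, 167, 165, 163, 161, 159]


def page_scenario():
    """Run the plan for a server at full pattern 171 against ActiveUpdate at 175."""
    return plan_duplication(171, OTHER_FULLS, 175, ACTIVEUPDATE_INCREMENTALS)


if __name__ == "__main__":
    for key, value in page_scenario().items():
        print(f"{key}: {value}")
```
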
To configure server update schedule:
PATH: UPDATES > SERVER > SCHEDULED UPDATE
1. Select Enable scheduled update of the OfficeScan server.
2. Select the components to update.
3. Specify the update schedule. For daily, weekly, and monthly updates, the period of time is the number of hours during which OfficeScan will perform the update. OfficeScan updates at any given time during this time period.
4. Click Save.
Smart Scan Server Update
This section discusses how to update components in the integrated Smart Scan Server. For details on updating components in a standalone server, see the Trend Micro Smart Scan for OfficeScan Getting Started Guide.
The Smart Scan Server downloads the Smart Scan Pattern. Clients verify potential threats against the pattern by sending scan queries to the Smart Scan Server. Clients do not download the Smart Scan Pattern.
When clients connect using a specific protocol, they identify the integrated server by its server address.
Tip: Clients managed by another OfficeScan server can also connect to the integrated server. On the other OfficeScan server’s Web console, add the integrated server’s address to the Smart Scan Server list.
3. View the Smart Scan Pattern version. To update the pattern manually, click Update Now. The update result displays on top of the screen.
4.
Client Update
To ensure that clients stay protected from the latest security risks, update client components regularly. Before updating the clients, check if their update source has the latest components. For information on how to update the typical update source (OfficeScan server), see OfficeScan Server Update on page 4-13.
The following table lists all components that clients store on computers and the components in use when using a particular scan method.
TABLE 4-23.
Customized Update Source
Aside from the OfficeScan server, clients can update from custom update sources. Custom update sources help reduce client update traffic directed to the OfficeScan server and allow clients that cannot connect to the OfficeScan server to get timely updates. Specify the custom update sources on the Customized Update Source List, which can accommodate up to 1024 update sources.
If the option is disabled, the client then tries connecting directly to the Trend Micro ActiveUpdate server if any of the following is true:
• In Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab > Update Settings, the option Clients download updates from the Trend Micro ActiveUpdate Server is enabled.
• The ActiveUpdate server (http://osce10-p.activeupdate.trendmicro.
Client Update Methods
Clients that update components from the OfficeScan server or a customized update source can use the following update methods:
Automatic Update
Client update runs automatically when certain events occur or based on a schedule. For details, see Automatic Update on page 4-27.
Manual Update
When an update is critical, use manual update to immediately notify clients to perform component update. For details, see Manual Update on page 4-31.
There are two types of automatic update:
Event-triggered Update
The server can notify online clients to update components after it downloads the latest components, and offline clients when they restart and then connect to the server. Optionally initiate Scan Now (manual scan) on client computers after the update.
To update networked computer components automatically:
PATH: UPDATES > NETWORKED COMPUTERS > AUTOMATIC UPDATE
1. Select the events that will trigger component update.
TABLE 4-24. Event-triggered update options
OPTION / DESCRIPTION
• Initiate component update on clients immediately after the OfficeScan server downloads a new component: The server notifies clients to update as soon as it completes an update.
If you have not granted clients scheduled update privilege, perform the following steps first:
a. Go to Networked Computers > Client Management and select the clients that you want to have the privilege.
b. Click Settings > Privileges and Other Settings.
Option 1: Under the Privileges tab, go to the Component Update Privileges section. You will see the Enable scheduled update option.
b. If you select Daily or Weekly, specify the time of the update and the time period the OfficeScan server will notify clients to update components. For example, if the start time is 12pm and the time period is 2 hours, OfficeScan randomly notifies all online clients to update components from 12pm until 2pm.
2. Choose the clients you want to update. Update clients with outdated components or select specific clients from the client tree.
• Select clients with outdated components: The server searches for clients whose component versions are earlier than the versions on the server and then notifies these clients to update. If you want the server to also search for roaming clients with functional connection to the server, select Include roaming client(s).
b. Instruct users to manually update components on the client computer (by right-clicking the OfficeScan icon in the system tray and clicking "Update Now") to obtain the updated configuration settings.
When clients update, they will receive both the updated components and the configuration files.
Update Privileges
Grant client users certain privileges, such as performing manual updates and enabling scheduled update. For details, see Component Update Privileges on page 9-15.
Proxy for Client Component Update
OfficeScan clients can use proxy settings during automatic update or if they have the privilege to perform "Update Now".
TABLE 4-25. Proxy settings used during client component update
UPDATE METHOD / PROXY SETTINGS USED / USAGE
• Update method: Automatic update. For details, see Automatic Update on page 4-27.
• Proxy settings used: Automatic proxy settings. For details, see Automatic Proxy Configuration on page 9-29.
• Usage: OfficeScan clients will first
Client Update Logs
Check the client update logs to determine if there are problems updating the Virus Pattern on clients.
Note: In this product version, only logs for Virus Pattern updates can be queried from the Web console.
To keep the size of logs from occupying too much space on the hard disk, manually delete logs or configure a log deletion schedule. For more information about managing logs, see Managing Logs on page 8-16.
Component Rollback
Rollback refers to reverting to the previous version of the Virus Pattern, Smart Scan Agent Pattern, and Virus Scan Engine. If these components do not function properly, roll them back to their previous versions. OfficeScan retains the current and the previous versions of the Virus Scan Engine, and the last five versions of the Virus Pattern and Smart Scan Agent Pattern.
Note: Only the above-mentioned components can be rolled back.
Update Agents
To distribute the task of deploying components to OfficeScan clients, assign some OfficeScan clients to act as Update Agents, or update sources for other clients. This helps ensure that clients receive component updates in a timely manner without directing a significant amount of network traffic to the OfficeScan server.
TABLE 4-26. Update Agent system requirements (Continued)
RESOURCE / REQUIREMENT
• Update request capacity: Dependent on the computer's hardware specifications
Update Agent Configuration
Update Agent configuration is a 2-step process:
1. Assign a client as an Update Agent.
2. Specify the clients that will update from this Update Agent.
Update Source for Update Agents
Update Agents can obtain updates from various sources, such as the OfficeScan server or a customized update source. Configure the update source from the Web console’s Update Source screen.
To configure the update source for the Update Agent:
PATH: UPDATES > NETWORKED COMPUTERS > UPDATE SOURCE
1. Select whether to update from the update agent standard update source (OfficeScan server) or update agent customized update source.
2.
4. If unable to update from all possible sources, the Update Agent quits the update process.
The update process is different if the option Update agent: always update from standard update source (OfficeScan server) is enabled and the OfficeScan server notifies the agent to update components. The process is as follows:
1. The agent updates directly from the OfficeScan server and disregards the update source list.
2.
Update Agent Standard Update Source
The OfficeScan server is the standard update source for Update Agents. If you configure agents to update directly from the OfficeScan server, the update process proceeds as follows:
1. The Update Agent obtains updates from the OfficeScan server.
2.
Update Agent Component Duplication
Like the OfficeScan server, Update Agents also use component duplication when downloading components. See Server Component Duplication on page 4-16 for details on how the server performs component duplication.
The component duplication process for Update Agents is as follows:
1. The Update Agent compares its current full pattern version with the latest version on the update source.
To use the Scheduled Update Configuration tool:
1. On the Update Agent computer, navigate to .
2. Double-click SUCTool.exe to run the tool. The Schedule Update Configuration Tool console opens.
3. Select Enable Scheduled Update.
4. Specify the update frequency and time.
5. Click Apply.
Chapter 5
Protecting Computers from Security Risks
Topics in this chapter:
• About Security Risks on page 5-2
• Scan Methods on page 5-8
• Scan Types on page 5-19
• Settings Common to All Scan Types on page 5-25
• Scan-related Privileges on page 5-43
• Global Scan Settings on page 5-43
• Security Risk Notifications on page 5-44
• Security Risk Logs on page 5-48
• Outbreak Protection on page 5-57
• Device Control on page 5-65
About Security Risks
Security risk is the collective term for viruses/malware and spyware/grayware. OfficeScan protects computers from security risks by scanning files and then performing a specific action for each security risk detected.
Virus
A virus is a program that replicates. To do so, the virus needs to attach itself to other program files and execute whenever the host program executes.
• ActiveX malicious code: Code that resides on Web pages that execute ActiveX™ controls
• Boot sector virus: A virus that infects the boot sector of a partition or a disk
• COM and EXE file infector: An executable program with .com or .
Network Virus
A virus spreading over a network is not, strictly speaking, a network virus. Only some virus/malware types, such as worms, qualify as network viruses. Specifically, network viruses use network protocols, such as TCP, FTP, UDP, HTTP, and email protocols to replicate. They often do not alter system files or modify the boot sectors of hard disks.
Dialer
A dialer changes client Internet settings and can force a computer to dial pre-configured phone numbers through a modem. These are often pay-per-call or international numbers that can result in a significant expense for an organization.

Joke Program
Joke programs cause abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes.

Hacking Tool
A hacking tool helps hackers enter a computer.
Potential Risks and Threats
The existence of spyware and other types of grayware on the network has the potential to introduce the following:

Reduced Computer Performance
To perform their tasks, spyware/grayware applications often require significant CPU and system memory resources.

Increased Web Browser-related Crashes
Certain types of grayware, such as adware, often display information in a browser frame or window.
Guarding Against Spyware/Grayware
There are many ways to prevent the installation of spyware/grayware to a computer. Trend Micro suggests adhering to the following standard practices:
• Configure all types of scans (Manual Scan, Real-time Scan, Scheduled Scan, and Scan Now) to scan for and remove spyware/grayware files and applications. See Scan Types on page 5-19 for more information.
Scan Methods
OfficeScan clients can use either conventional scan or smart scan when scanning for security risks.

Conventional Scan
Conventional scan is the scan method used in all earlier OfficeScan versions. A conventional scan client stores all OfficeScan components on the client computer and scans all files locally.

Smart Scan
Smart scan is a next-generation, in-the-cloud based endpoint protection solution.
TABLE 5-27. Comparison between conventional scan and smart scan (Continued)
Basis of comparison: Scanning behavior
Conventional scan: The conventional scan client performs scanning on the local computer.
Smart scan:
• The smart scan client performs scanning on the local computer.
• If the client cannot determine the risk of the file during the scan, the client verifies the risk by sending a scan query to a Smart Scan Server.
TABLE 5-27. Comparison between conventional scan and smart scan (Continued)
Basis of comparison: Typical update source
Conventional scan: OfficeScan server
Smart scan: OfficeScan server

Switching From Conventional Scan to Smart Scan
If you are switching clients from conventional scan to smart scan, take note of the following:
1.
Local Smart Scan Server
OfficeScan provides two types of local Smart Scan Servers. Both servers have the same functions.
• Integrated: Setup includes an integrated Smart Scan Server that installs on the same computer where the OfficeScan server is installed. If you installed the integrated server during OfficeScan server installation, configure the update settings for this server and ensure the server has the latest updates.
3. Smart Scan Server list
Add the Smart Scan Servers you have set up to the Smart Scan Server list. Clients refer to the list to determine which Smart Scan Server to connect to. The client tries connecting to other servers on the list if it cannot connect to a particular server. For details on configuring the list, see Smart Scan Source on page 5-15.
4.
8. Timing
When switching to smart scan for the first time, clients need to download the full version of the Smart Scan Agent Pattern from the OfficeScan server. The Smart Scan Pattern is only used by smart scan clients. Consider switching during off-peak hours to ensure the download process finishes within a short amount of time. Also consider switching when no client is scheduled to update from the server.
Switching From Smart Scan to Conventional Scan
When you switch clients back to conventional scan, consider the following:
1. Number of clients to switch
Switching a relatively small number of clients at a time allows efficient use of OfficeScan server and Smart Scan Server resources. These servers can perform other critical tasks while clients change their scan methods.
2.
To change the scan method:
Path: Networked Computers > Client Management > Settings > Scan Methods
1. Select to use conventional scan or smart scan.
2. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s).
To configure the Smart Scan Server list:
Path: Smart Scan > Scan Source > Internal Clients
1. Select whether clients will use the standard list or custom lists.
2. Click Notify All Clients. Smart scan clients automatically refer to the list you have configured.

Standard List
The standard list is used by all internal smart scan clients. You can configure clients to use proxy settings when connecting to the Smart Scan Servers on the list.
5. To open the console of a local Smart Scan Server, click Launch console.
• For the integrated Smart Scan Server, the server’s configuration screen displays.
• For standalone Smart Scan Servers and the integrated Smart Scan Server of another OfficeScan server, the console logon screen displays.
6. To delete an entry, select the check box for the server and click Delete.
7. To export the list to a .dat file, click Export and then click Save.
8.
To obtain the Smart Scan Server address:
• For the integrated Smart Scan Server, open the OfficeScan Web console and go to Smart Scan > Integrated Server.
• For the standalone Smart Scan Server, open the standalone server's console and go to the Summary page.

Tip: Because the integrated Smart Scan Server and the OfficeScan server run on the same computer, the computer’s performance may decrease significantly during peak traffic for the two servers.
Scan Types
OfficeScan provides the following scan types to protect client computers from security risks:

TABLE 5-28. Scan types
Scan type | Description
Real-time Scan | Automatically scans a file on the computer as it is received, opened, downloaded, copied, or modified. See Real-time Scan on page 5-19 for details.
Manual Scan | A user-initiated scan that scans a file or a set of files requested by the user. See Manual Scan on page 5-21 for details.
Configure and apply Real-time Scan settings to one or several clients and domains, or to all clients that the server manages.

To configure Real-time Scan settings:
Path: Networked Computers > Client Management > Settings > Real-time Scan Settings
1. On the Target tab, select the check boxes to enable real-time scanning for virus/malware and spyware/grayware.
Manual Scan
Manual Scan is an on-demand scan and starts immediately after a user runs the scan on the client console. The time it takes to complete scanning depends on the number of files to scan and the client computer's hardware resources.
Configure and apply Manual Scan settings to one or several clients and domains, or to all clients that the server manages.
Scheduled Scan
Scheduled Scan runs automatically on the appointed date and time. Use Scheduled Scan to automate routine scans on the client and improve scan management efficiency.
Configure and apply Scheduled Scan settings to one or several clients and domains, or to all clients that the server manages.

To configure Scheduled Scan settings:
Path: Networked Computers > Client Management > Settings > Scheduled Scan Settings
1.
Scan Now
Scan Now is initiated remotely by an OfficeScan administrator through the Web console and can be targeted to one or several client computers.
Configure and apply Scan Now settings to one or several clients and domains, or to all clients that the server manages.

To configure Scan Now settings:
Path: Networked Computers > Client Management > Settings > Scan Now Settings
1.
Initiating Scan Now
Initiate Scan Now on computers that you suspect to be infected.

To initiate Scan Now:
Path: Networked Computers > Client Management > Tasks > Scan Now
Scan Now shortcut (on top of the main menu)
1. To change the pre-configured Scan Now settings before initiating the scan, click Settings. The Scan Now Settings screen opens. See Scan Now on page 5-23 for details.
2.
5. Click Stop Notification to prompt OfficeScan to stop notifying clients currently being notified. Clients already notified and in the process of scanning will ignore this command.
6. For clients already in the process of scanning, click Stop Scan Now to notify them to stop scanning.

Settings Common to All Scan Types
For each scan type, configure three sets of settings: scan criteria, scan exclusions, and scan actions.
Files to Scan
Select from the following options:
• All scannable files: Scan all files
• File types scanned by IntelliScan: Only scan files known to potentially harbor malicious code, including files disguised by a harmless extension name. See IntelliScan on page A-4 for details.
• Files with certain extensions: Only scan files whose extensions are included in the file extension list. Add new extensions or remove any of the existing extensions.
CPU Usage
OfficeScan can pause after scanning one file and before scanning the next file. This setting is used during Manual Scan, Scheduled Scan, and Scan Now.
When you enable scan exclusion, OfficeScan will not scan a file under the following conditions:
• The file is found under a specific directory.
• The file name matches any of the names in the exclusion list.
• The file extension matches any of the extensions in the exclusion list.

Scan Exclusion List (Directories)
OfficeScan will not scan all files found under a specific directory on the computer. You can specify a maximum of 250 directories.
Also configure OfficeScan to exclude Microsoft Exchange 2000/2003 directories by going to Networked Computers > Global Client Settings > Scan Settings. If you use Microsoft Exchange 2007, manually add the directory to the scan exclusion list. Refer to the following site for scan exclusion details: http://technet.microsoft.com/en-us/library/bb332342.
Scan Actions
Specify the action OfficeScan performs when a particular scan type detects a security risk. OfficeScan has a different set of scan actions for virus/malware and spyware/grayware.

Virus/Malware Scan Actions
The scan action OfficeScan performs depends on the virus/malware type and the scan type that detected the virus/malware.
Clean
OfficeScan cleans the infected file before allowing full access to the file. If the file is uncleanable, OfficeScan performs a second action, which can be one of the following actions: Quarantine, Delete, Rename, and Pass. To configure the second action, go to Networked Computers > Client Management > Settings > {Scan Type} > Action tab.

Rename
OfficeScan changes the infected file's extension to "vir".
Deny Access
This scan action can only be performed during Real-time Scan. When OfficeScan detects an attempt to open or execute an infected file, it immediately blocks the operation. Users can manually delete the infected file.

Scan Action Options
When configuring the scan action, select from the following options:

Use ActiveAction
ActiveAction is a set of pre-configured scan actions for specific types of viruses/malware.
TABLE 5-30.
Quarantine Directory
If the action for an infected file is "Quarantine", the OfficeScan client encrypts the file and moves it to a temporary quarantine folder located in \SUSPECT and then sends the file to the designated quarantine directory.
TABLE 5-31. Quarantine directory (Continued)
Columns: Quarantine directory | Accepted format | Example | Notes

Quarantine directory: A directory on another OfficeScan server computer (if you have other OfficeScan servers on the network)
Accepted format: URL. Example: http://
Accepted format: UNC path. Example: \\\ ofcscan\Virus

Quarantine directory: Another computer on the network
Accepted format: UNC path. Example: \\\temp

Quarantine directory: A different directory on the client computer
Accepted format: Absolute path. Example: C:\temp

Notes: Ensure that clients can connect to this directory.
Back Up Files Before Cleaning
If OfficeScan is set to clean an infected file, it can first back up the file. This allows you to restore the file in case you need it in the future. OfficeScan encrypts the backup file to prevent it from being opened, and then stores the file in the \Backup folder. To restore encrypted backup files, see Restoring Encrypted Files on page 5-36.
TABLE 5-2. Files that OfficeScan can decrypt and restore (Continued)
File | Description
Backed up encrypted files | These are the backup of infected files that OfficeScan was able to clean. These files are found in the \Backup folder. To restore these files, users need to move them to the \SUSPECT\Backup folder.
If the file is on the OfficeScan server or a custom quarantine directory:
1. If the file is on the OfficeScan server computer, open a command prompt and navigate to \PCCSRV\Admin\Utility\VSEncrypt. If the file is on a custom quarantine directory, navigate to \PCCSRV\Admin\Utility and copy the VSEncrypt folder to the computer where the custom quarantine directory is located.
2.
6. Use the other parameters to issue various commands.

TABLE 5-32. Restore parameters
Parameter | Description
None (no parameter) | Encrypt files
/d | Decrypt files
/debug | Create a debug log and save it to the computer. On the client computer, the debug log VSEncrypt.log is created in the .
Spyware/Grayware Scan Actions
The scan action OfficeScan performs depends on the scan type that detected the spyware/grayware. While specific actions can be configured for each virus/malware type, only one action can be configured for all types of spyware/grayware (for information on the different types of spyware/grayware, see Spyware and Grayware on page 5-4).
Spyware/Grayware Approved List
OfficeScan provides a list of "approved" spyware/grayware, which contains files or applications that you do not want treated as spyware or grayware. When a particular spyware/grayware is detected during scanning, OfficeScan checks the approved list and performs no action if it finds a match in the approved list.
Apply the approved list to one or several clients and domains, or to all clients that the server manages.
3. To remove names from the approved list, select the names and click Remove. To select multiple names, hold the Ctrl key while selecting.
4. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
• Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain.
Scan-related Privileges
Users with scan privileges have greater control over how files on their computers get scanned. Scan privileges allow users to perform the following tasks:
• Configure Manual Scan, Scheduled Scan, and Real-time Scan settings. For details, see Scan Privileges on page 9-7.
• Postpone, stop, or skip Scheduled Scan. For details, see Scheduled Scan Privileges on page 9-8.
Security Risk Notifications
OfficeScan comes with a set of default notification messages to inform you, other OfficeScan administrators, and client users of detected security risks or any outbreak that has occurred. Modify these messages to suit your requirements.
6. Specify a community name that is difficult to guess.
7. Click Save.

Security Risk Notifications for Administrators
Configure OfficeScan to send a notification when it detects a security risk, or only when the action on the security risk is unsuccessful and therefore requires your intervention.

Note: To configure notification settings that display on client computers, see Security Risk Notifications for Client Users on page 5-46.
TABLE 5-33. Token variables for security risk notifications (Continued)
Variable | Description
%m | Domain of the computer
%p | Location of virus/malware
%y | Date and time of virus/malware detection
%a | Action performed on the security risk
%n | Name of the user logged on to the infected computer

Spyware/Grayware detections e.
2. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
• Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Security Risk Logs
OfficeScan generates logs when it detects virus/malware or spyware/grayware, and when it restores spyware/grayware.
To keep the size of logs from occupying too much space on the hard disk, manually delete logs or configure a log deletion schedule. For more information about managing logs, see Managing Logs on page 8-16.

Virus/Malware Logs
OfficeScan generates logs when it detects viruses and malware.
Virus/Malware Scan Results
A. If Scan Action is Successful
The following results display if OfficeScan was able to perform the configured scan action:

Deleted
• First action is Delete and the infected file was deleted.
• First action is Clean but cleaning was unsuccessful. Second action is Delete and the infected file was deleted.

Quarantined
• First action is Quarantine and the infected file was quarantined.
Passed
• First action is Pass. OfficeScan did not perform any action on the infected file.
• First action is Clean but cleaning was unsuccessful. Second action is Pass so OfficeScan did not perform any action on the infected file.

Passed a potential security risk
This scan result only displays when OfficeScan detects "probable virus/malware" during Manual Scan, Scheduled Scan, and Scan Now.
Unable to quarantine the file/Unable to rename the file

Explanation 1
The infected file may be locked by another application, is executing, or is on a CD. OfficeScan will quarantine/rename the file after the application releases the file or after it has been executed.

Solution
For infected files on a CD, consider not using the CD as the virus may infect other computers on the network.
Solution
For infected files on a CD, consider not using the CD as the virus may infect other computers on the network.

Explanation 3
The infected file is in the Temporary Internet Files folder of the client computer. Since the computer downloads files while you are browsing the Web, the Web browser may have locked the infected file. When the Web browser releases the file, OfficeScan will delete the file.
3. If you use UNC path, ensure that the quarantine directory folder is shared to the group "Everyone" and that you assign read and write permission to this group. Also check if the quarantine directory folder exists and if the UNC path is correct.

If the quarantine directory is on another computer on the network (you can only use UNC path for this scenario):
1. Check if the client can connect to the computer.
2.
Explanation 2
The infected file is in the Temporary Internet Files folder of the client computer. Since the computer downloads files while you are browsing the Web, the Web browser may have locked the infected file. When the Web browser releases the file, OfficeScan will clean the file.

Solution: None

Explanation 3
The file may be uncleanable. For details and solutions, see Uncleanable File on page A-13.
Spyware/Grayware Scan Results
A. If Scan Action is Successful
The first level result is Successful, no action required. The second level results are as follows:

Cleaned
OfficeScan terminated processes or deleted registries, files, cookies and shortcuts.

Passed
OfficeScan did not perform any action but logged the spyware/grayware detection for assessment.

Access denied
OfficeScan denied access (copy, open) to the detected spyware/grayware components.

B.
Spyware/Grayware cleaned, restart required. Please restart the computer.
OfficeScan cleaned spyware/grayware components but a computer restart is required to complete the task.
Solution: Restart the computer immediately.

Spyware/Grayware cannot be cleaned. Spyware/Grayware was detected on a CD-ROM or network drive.
OfficeScan cannot clean spyware/grayware detected on these locations.
Solution: Manually remove the infected file.
Outbreak Protection
An outbreak occurs when incidents of virus/malware or spyware/grayware detections over a particular period of time exceed a certain threshold.
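The threshold test in this definition can be reproduced offline against exported detection records. The following is an added example, not OfficeScan code: the log line layout, the host names, and the criteria values are constructed for illustration and are not OfficeScan defaults.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed criteria for illustration only (not OfficeScan defaults):
# an outbreak is declared when detections within "period" exceed "detections".
CRITERIA = {
    "virus/malware": {"detections": 3, "period": timedelta(hours=1)},
    "spyware/grayware": {"detections": 2, "period": timedelta(hours=24)},
}

# Constructed sample records: date, time, risk type, computer name.
SAMPLE_LOG = """\
2009-03-01 10:00 spyware/grayware PC-07
2009-03-02 07:00 virus/malware PC-01
2009-03-02 07:40 virus/malware PC-02
2009-03-02 08:30 virus/malware PC-01
2009-03-02 09:00 virus/malware PC-03
2009-03-02 09:10 virus/malware PC-04
2009-03-02 09:20 virus/malware PC-05
2009-03-02 11:00 spyware/grayware PC-07
2009-03-02 12:00 spyware/grayware PC-08
"""


def parse_log(text):
    """Turn the constructed log lines into (timestamp, risk_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, risk, _host = line.split()
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        events.append((stamp, risk))
    return events


def find_outbreaks(events, criteria=CRITERIA):
    """Return {risk_type: time at which the detection count first exceeded the threshold}."""
    windows = {risk: deque() for risk in criteria}
    outbreaks = {}
    for stamp, risk in sorted(events):
        rule = criteria.get(risk)
        if rule is None:
            continue  # risk type without configured criteria
        window = windows[risk]
        window.append(stamp)
        # Discard detections older than the detection period.
        while stamp - window[0] > rule["period"]:
            window.popleft()
        if len(window) > rule["detections"] and risk not in outbreaks:
            outbreaks[risk] = stamp
    return outbreaks


if __name__ == "__main__":
    for risk, when in find_outbreaks(parse_log(SAMPLE_LOG)).items():
        print(f"{risk}: outbreak criteria met at {when}")
```

The early virus/malware detections age out of the one-hour window before the later burst arrives, so only the burst ending at 09:20 meets the criteria; the spyware/grayware detections never exceed their threshold within 24 hours.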
To configure the outbreak criteria and notifications:
Path: Notifications > Administrator Notifications > Outbreak Notifications
Notifications > Administrator Notifications > Outbreak Notifications > Shared Folder Session link
1. In the Criteria tab, specify the number of detections and detection period for each security risk.

Tip: Trend Micro recommends accepting the default values in this screen.
d. Use token variables to represent data in the Message and Subject fields.

TABLE 5-34.
Outbreak Prevention
When an outbreak occurs, enforce outbreak prevention measures to respond to and contain the outbreak. Configure prevention settings carefully because incorrect configuration may cause unforeseen network issues.

To configure and activate outbreak prevention settings:
Path: Networked Computers > Outbreak Prevention > Start Outbreak Prevention
1.
2.
Outbreak Prevention Policies
When outbreaks occur, enforce any of the following policies:
• Limit/Deny Access to Shared Folders
• Block Ports
• Deny Write Access to Files and Folders

Limit/Deny Access to Shared Folders
During outbreaks, limit or deny access to shared folders on the network to prevent security risks from spreading through the shared folders.
Block Ports
During outbreaks, block vulnerable ports that viruses/malware might use to gain access to client computers.

WARNING! Configure Outbreak Prevention settings carefully. Blocking ports that are in use makes network services that depend on them unavailable. For example, if you block the trusted port, OfficeScan cannot communicate with the client for the duration of the outbreak.
b. To edit settings for the blocked port(s), click the port number.
c. In the screen that opens, modify the settings and click Save.
d. To remove a port from the list, select the check box next to the port number and click Delete.
3. Click Save. The Outbreak Prevention Settings screen displays again.

Deny Write Access to Files and Folders
Viruses/Malware can modify or delete files and folders on the host computers.
Disabling Outbreak Prevention
When you are confident that an outbreak has been contained and that OfficeScan already cleaned or quarantined all infected files, restore network settings to normal by disabling Outbreak Prevention.

To manually disable outbreak prevention:
Path: Networked Computers > Outbreak Prevention > Restore Settings
1. To inform users that the outbreak is over, select Notify client users after restoring the original settings.
Device Control
OfficeScan provides a device control feature that regulates access to external storage devices and network resources connected to computers. Device control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks.
Device Control is available only on computers running x86 type platforms.
TABLE 5-35. Device permissions (Continued)
Columns: Permissions | Files on the device | Incoming files

Permissions: Read only
Files on the device: Operations allowed: Copy, Open. Operations blocked: Save, Move, Delete, Execute
Incoming files: Operations blocked: Save, Move, Copy

Permissions: No access
Files on the device: Note: Any attempt to access the device or network resource is automatically blocked.
Incoming files: Operations blocked: Save, Move, Copy

The scanning function in OfficeScan complements and may override the device permissions.
Device Control Logs
Clients log unauthorized device access instances and send the logs to the server. A client that runs continuously aggregates the logs and sends them after a 24-hour time period. A client that has been restarted checks the last time the logs were sent to the server. If the elapsed time exceeds 24 hours, the client sends the logs immediately.
Chapter 6
Protecting Computers from Web-based Threats
Topics in this chapter:
• About Web Threats
• Web Reputation
• Location Awareness
• Web Reputation Policies
• Approved URLs
• Proxy for Web Reputation
• Web Threat Notifications for Client Users
• Web Reputation Logs
About Web Threats
Web threats encompass a broad array of threats that originate from the Internet. Web threats are sophisticated in their methods, using a combination of various files and techniques rather than a single file or approach. For example, Web threat creators constantly change the version or variant used.
Location Awareness
In many organizations, employees use both desktop and notebook computers to perform their tasks. Since notebook computers connect to multiple networks and employees physically carry them past the organization's premises, OfficeScan needs to extend protection to these computers when they disconnect from the network. Web Reputation Policies ensure client computers are protected regardless of location.
To configure a Web reputation policy:
Path: Networked Computers > Client Management > Settings > Web Reputation Settings
1. Configure a policy for External Clients and Internal Clients.
2. Select the check box to enable/disable the Web reputation policy.
Tip:
3.
Approved URLs
Approved URLs bypass Web Reputation policies. OfficeScan does not block these URLs even if the Web Reputation policy is set to block them. Add URLs that you consider safe to the approved URL list.

To configure the approved URL list:
Path: Networked Computers > Global Client Settings
1. Go to the Web Reputation Approved URL List section and click the link below it.
2. Select whether to configure the list for external or internal clients.
Web Threat Notifications for Client Users
OfficeScan can display a notification message on a client computer immediately after it blocks a URL that violates a Web reputation policy. You need to enable the notification message and optionally modify the content of the notification message.

To enable the notification message:
Path: Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab
1.
Web Reputation Logs
Configure both internal and external clients to send Web reputation logs to the server. Do this if you want to analyze URLs that OfficeScan blocks and take appropriate action on URLs you think are safe to access.
To keep the size of logs from occupying too much space on the hard disk, manually delete logs or configure a log deletion schedule. For more information about managing logs, see Managing Logs on page 8-16.
Chapter 7
Using the OfficeScan Firewall
Topics in this chapter:
• About the OfficeScan Firewall
• Firewall Policies and Profiles
• Firewall Privileges
• Firewall Violation Notifications for Client Users
• Firewall Logs
• Testing the OfficeScan Firewall
• Disabling the OfficeScan Firewall
About the OfficeScan Firewall
The OfficeScan firewall protects clients and servers on the network using stateful inspection, high performance network virus scanning, and elimination. Through the central management console, you can create rules to filter connections by IP address, port number, or protocol, and then apply the rules to different groups of users.
Intrusion Detection System
The OfficeScan firewall also includes an Intrusion Detection System (IDS). When enabled, IDS can help identify patterns in network packets that may indicate an attack on the client. The OfficeScan firewall can help prevent the following well-known intrusions:
• Too Big Fragment: A Denial of Service Attack where a hacker directs an oversized TCP/UDP packet at a target computer.
• LAND Attack: A type of attack that sends IP synchronization (SYN) packets with the same source and destination address to a computer, causing the computer to send the synchronization acknowledgment (SYN/ACK) response to itself. This can freeze or slow down the computer.
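The LAND pattern described above can be recognized from the packet headers alone. The following detector is an added example, not OfficeScan code: it parses raw IPv4/TCP bytes and flags SYN packets whose source and destination addresses are identical. The function names and the sample packets (documentation addresses, zeroed checksums) are constructed for illustration.

```python
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
PROTO_TCP = 6


def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:
        return None                        # truncated or malformed header
    if packet[9] != PROTO_TCP:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    return src, dst, sport, dport, flags


def is_land_packet(packet: bytes) -> bool:
    """True for a connection-opening SYN whose source equals its destination."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    src, dst, _sport, _dport, flags = parsed
    syn_only = bool(flags & TCP_SYN) and not flags & TCP_ACK
    return syn_only and src == dst


def find_land_packets(packets):
    """Return the indexes of packets that match the LAND pattern."""
    return [i for i, pkt in enumerate(packets) if is_land_packet(pkt)]


def build_packet(src, dst, sport, dport, flags, proto=PROTO_TCP):
    """Build constructed test bytes (checksums left at zero, never sent)."""
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4


# Constructed sample traffic for the detector.
SAMPLE_PACKETS = [
    build_packet("192.0.2.10", "192.0.2.10", 139, 139, TCP_SYN),            # LAND
    build_packet("198.51.100.7", "192.0.2.10", 40000, 80, TCP_SYN),         # normal SYN
    build_packet("192.0.2.10", "192.0.2.10", 80, 40000, TCP_SYN | TCP_ACK), # not a bare SYN
    build_packet("192.0.2.10", "192.0.2.10", 53, 53, 0, proto=17),          # not TCP
]

if __name__ == "__main__":
    print("LAND packets at indexes:", find_land_packets(SAMPLE_PACKETS))
```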
Firewall Policies
Firewall policies allow you to block or allow certain types of network traffic not specified in a policy exception. A policy also defines which firewall features get enabled or disabled. Assign a policy to one or multiple firewall profiles.
OfficeScan comes with a set of default policies, which you can modify or delete. The default firewall policies are as follows:
TABLE 7-36.
TABLE 7-36. Default firewall policies (Continued)
Policy Name: InterScan Messaging Security Suite (IMSS) console
Security Level: Low
Client Settings: Enable firewall
Exceptions: Allow all incoming and outgoing TCP traffic through port 80
Recommended Use: Use when clients need to access the IMSS console

Also create new policies if you have requirements not covered by any of the default policies.
Adding and Modifying a Firewall Policy
Configure the following for each policy:
• Security level: A general setting that blocks or allows all inbound and/or all outbound traffic on the client computer
• Firewall features: Specify whether to enable or disable the OfficeScan firewall, the Intrusion Detection System (IDS), and the firewall violation notification message. See Intrusion Detection System on page 7-3 for more information on IDS.
4. Under Exception, select the firewall policy exceptions. The policy exceptions included here are based on the firewall exception template. See Editing the Firewall Exception Template on page 7-9 for details.
• Modify an existing policy exception by clicking the policy exception name and changing the settings in the page that opens.
Note:
• Click Add to create a new policy exception. Specify the settings in the page that opens.
Note:
5.
Editing the Firewall Exception Template
The firewall exception template contains policy exceptions that you can configure to allow or block different kinds of network traffic based on the client computer's port number(s) and IP address(es). After creating a policy exception, edit the policies to which the policy exception applies.
Decide which type of policy exception you want to use.
TABLE 7-37.
3. Select the type of network protocol: TCP, UDP, or ICMP.
4. Specify ports on the client computer on which to perform the action.
5. Select client computer IP addresses to include in the exception. For example, if you select Deny all network traffic (Inbound and Outbound) and type the IP address for a single computer on the network, then any client that has this exception in its policy will not be able to send or receive data to or from that IP address.
6. Click Save.
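A simplified model of how a policy's security level and its exceptions combine, added here as an example and not OfficeScan's own code, useful for reasoning about a rule set before deploying it. It assumes the first matching exception decides and that traffic matching no exception falls back to the security level; the class, field and exception names and the sample addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class PolicyException:
    name: str
    action: str                      # "allow" or "deny"
    direction: str                   # "inbound", "outbound" or "both"
    protocol: str                    # "TCP", "UDP", "ICMP" or "any"
    ports: frozenset = frozenset()   # empty set means all ports
    ip_range: str = "0.0.0.0/0"      # IP address or range typed into the exception

    def matches(self, direction, protocol, port, ip):
        return (self.direction in ("both", direction)
                and self.protocol in ("any", protocol)
                and (not self.ports or port in self.ports)
                and ip_address(ip) in ip_network(self.ip_range, strict=False))


@dataclass
class FirewallPolicy:
    name: str
    block_inbound: bool              # security level: block all inbound traffic?
    block_outbound: bool             # security level: block all outbound traffic?
    exceptions: list = field(default_factory=list)

    def decide(self, direction, protocol, port, ip):
        """Return (action, reason) for one connection attempt."""
        for exc in self.exceptions:  # assumption: first matching exception wins
            if exc.matches(direction, protocol, port, ip):
                return exc.action, exc.name
        blocked = self.block_inbound if direction == "inbound" else self.block_outbound
        return ("deny" if blocked else "allow"), "security level"


# Constructed policy: inbound blocked, outbound allowed, two exceptions.
DEMO_POLICY = FirewallPolicy(
    name="Demo policy",
    block_inbound=True,
    block_outbound=False,
    exceptions=[
        # Mirrors the guide's example: deny all traffic to and from one computer.
        PolicyException("Deny host", "deny", "both", "any", ip_range="192.0.2.50"),
        # Mirrors the IMSS default policy's exception: TCP port 80 in both directions.
        PolicyException("Allow web", "allow", "both", "TCP", frozenset({80})),
    ],
)

if __name__ == "__main__":
    flows = [("inbound", "TCP", 80, "198.51.100.9"),
             ("inbound", "TCP", 445, "198.51.100.9"),
             ("outbound", "UDP", 53, "192.0.2.50")]
    for flow in flows:
        print(flow, "->", DEMO_POLICY.decide(*flow))
```

Reordering the two exceptions changes the result for port 80 traffic involving 192.0.2.50, which is why the evaluation order is called out as an assumption.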
• Save Template Changes: Saves the exception template with the current policy exceptions and settings. This option only applies the template to policies created in the future, not existing policies.
• Save and Apply to Existing Policies: Saves the exception template with the current policy exceptions and settings. This option applies the template to existing and future policies.
OfficeScan comes with a default profile named "All clients profile", which uses the "All access" policy. You can modify or delete this default profile. You can also create new profiles. All default and user-created firewall profiles, including the policy associated to each profile and the current profile status, display on the firewall profile list on the Web console. Manage the profile list and deploy all profiles to OfficeScan clients.
5. 6. To save the current settings and assign the profiles to clients:
a. Select whether to Overwrite client security level/exception list. This option overwrites all user-configured firewall settings.
b. Click Assign Profile to Clients. OfficeScan assigns all profiles on the profile list to all the clients.
c. To save the current settings, click Save Profile List Changes.
To verify that you successfully assigned profiles to clients:
a.
• Computer name: Click the button to open, and select client computers from, the client tree.
• Platform
• Logon name
• Client connection status
5. Select whether to grant users the privilege to change the firewall security level or edit a configurable list of exceptions to allow specified types of traffic. See Adding and Modifying a Firewall Policy on page 7-7 for more information about these options.
6. Click Save.
Firewall Privileges
Grant users the following privileges:
• View the Firewall tab on the client console
• Enable or disable the OfficeScan firewall and firewall features
• Allow the client to send firewall logs to the server
See OfficeScan Firewall Privileges on page 9-10 for details about these privileges.
To modify the content of the notification message:
PATH: NOTIFICATIONS > CLIENT USER NOTIFICATIONS
1. Click the Firewall Violations tab.
2. Modify the default messages in the text box provided.
3. Click Save.

Firewall Logs
Firewall logs available on the server are sent by clients with the privilege to send firewall logs. Grant specific clients this privilege to monitor and analyze traffic on the client computers that the OfficeScan firewall is blocking.
• Description: Specifies the actual security risk (such as a network virus or IDS attack) or the firewall policy violation
• Direction: If inbound (Receive) or outbound (Send) traffic violated a firewall policy
• Process: The executable program or service running on the computer that caused the firewall violation
4. To save the log to a comma-separated value (CSV) file, click Export to CSV. Open the file or save it to a specific location.
c. Select Firewall view from the client tree view.
d. Check if there is a green check mark under the Firewall column of the client tree. If you enabled the Intrusion Detection System for that client, check that a green check mark also exists in the IDS column.
e. Verify if the client applies the correct firewall policy. The policy appears under the Firewall Policy column in the client tree.
5.
To disable the OfficeScan firewall on all client computers:
1. On the Web console, go to Administration > Product License > Additional Services section.
2. On the Firewall for networked computers row, click Disable.
Section 2 Managing the OfficeScan Server and Clients
Chapter 8
Managing the OfficeScan Server
Topics in this chapter:
• Role-based Administration
• Trend Micro Control Manager
• Reference Servers
• System Event Logs
• Managing Logs
• Licenses
• OfficeScan Database Backup
• OfficeScan Web Server Information
• Web Console Password
• Quarantine Manager
• Server Tuner
• The World Virus Tracking Program
Role-based Administration
Use the role-based administration feature to grant and control access to OfficeScan Web console menu and submenu items. If there are multiple OfficeScan administrators in your organization, this feature helps you delegate server management tasks to the administrators and manage the menu items accessible to each administrator. In addition, you can grant non-administrators "view only" access to the Web console.
Power User
Delegate this role to administrators with specific administrative tasks on the Web console.
1. Users with the Power User role can configure the following menu items and sub-items:
Networked Computers > Client Installation
This menu item provides users with two methods of installing the OfficeScan client. For details, see Installing from the OfficeScan Web Console on page 3-27 and Initiating Browser-based Installation on page 3-15.
Guest User
Delegate this role to users who want to view the Web console for reference purposes.
1. Users with the Guest User role have no access to the following menu items:
• Plug-in Manager
• Administration > User Roles
• Administration > User Accounts
2. Users have view access to all other menu items.

To configure the User Roles list:
PATH: ADMINISTRATION > USER ROLES
1. To add a custom role, click Add.
Adding and Modifying a Custom Role
To add a custom role:
PATH: ADMINISTRATION > USER ROLES > ADD
ADMINISTRATION > USER ROLES > COPY
1. Type a name for the role and optionally provide a description.
2. On the Available Menu Items list, the Web console main menu and submenu items display. Configure the role to have "view" or "configure" access to one or several menu items.
User Accounts
Set up user accounts and assign a particular role to each user. The user role determines the Web console menu items a user can view or configure.
During OfficeScan server installation, Setup automatically creates a built-in account called "root". Users who log on using the root account can access all menu items. You cannot delete the root account but you can modify account details, such as the password and display name.
To use OfficeScan user accounts in Control Manager:
Refer to the Control Manager documentation for the detailed steps.
1. Create a new user account in Control Manager. When specifying the user name, type the account name that appears on the OfficeScan Web console.
2. Assign the new account "access" and "configure" rights to the OfficeScan server.
2. Select whether to add a custom account or an Active Directory account.
• For custom account, type the user name, full name, and password (which you need to confirm). Optionally type an email address for the account.
Note: The email address is only used as reference. The owner of the email account does not get an email notifying him or her of the account you created.
To modify a custom account:
PATH: ADMINISTRATION > USER ACCOUNTS >
1. Enable or disable the account using the check box provided.
Note: Active Directory group accounts cannot be disabled. If you do not want users on the group to access the Web console, delete the group from the user accounts list.
2. Modify the following:
• Full name
• Password
• Email address
• Role
3. Click Save.
If you specify an Active Directory group, all members belonging to the group get the same role. If a particular account belongs to at least two groups and the roles for the groups are different:
• The permissions for both roles are merged. If a user configures a particular setting and there is a conflict between permissions for the setting, the higher permission applies.
• All user roles display in the System Event logs.
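The merge rule above means an account can end up with more access than any one of its roles grants. The following access-review sketch is an added example, not OfficeScan code: it computes the merged permissions for an account that belongs to several Active Directory groups and lists, per role, the menu items the account gains beyond that role. The role names, group names and account names are constructed; the menu items and the "view"/"configure" levels are the ones this guide mentions.

```python
LEVELS = {"none": 0, "view": 1, "configure": 2}


def merge_roles(role_names, roles):
    """Merge several roles; where they conflict, the higher permission applies."""
    effective = {}
    for role in role_names:
        for item, level in roles[role].items():
            if LEVELS[level] > LEVELS[effective.get(item, "none")]:
                effective[item] = level
    return effective


def gained_beyond(role_names, roles):
    """For each role, list menu items where the merged access exceeds that role."""
    effective = merge_roles(role_names, roles)
    report = {}
    for role in role_names:
        own = roles[role]
        report[role] = sorted(
            item for item, level in effective.items()
            if LEVELS[level] > LEVELS[own.get(item, "none")]
        )
    return report


def review_account(account, account_groups, group_roles, roles):
    """Return (effective permissions, per-role gains) for one account."""
    role_names = sorted({group_roles[g] for g in account_groups[account]})
    return merge_roles(role_names, roles), gained_beyond(role_names, roles)


# Constructed sample data for the review.
ROLES = {
    "Backup operator": {
        "Administration > Database Backup": "configure",
        "Administration > Quarantine Manager": "view",
    },
    "Deployment helper": {
        "Networked Computers > Client Installation": "configure",
        "Administration > Quarantine Manager": "configure",
        "Administration > Database Backup": "view",
    },
}
GROUP_ROLES = {"Backup-Ops": "Backup operator", "Desktop-Team": "Deployment helper"}
ACCOUNT_GROUPS = {"jsmith": ["Backup-Ops", "Desktop-Team"], "mlee": ["Backup-Ops"]}

if __name__ == "__main__":
    for account in ACCOUNT_GROUPS:
        effective, gained = review_account(account, ACCOUNT_GROUPS, GROUP_ROLES, ROLES)
        print(account, effective, gained)
```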
Control Manager allows system administrators to monitor and report on activities such as infections, security violations, or virus entry points. System administrators can download and deploy components throughout the network, helping ensure that protection is consistent and up-to-date. Control Manager allows both manual and pre-scheduled updates, and the configuration and administration of products as groups or as individuals for added flexibility.
• Replicate the following settings from one OfficeScan server to another from the Control Manager console:
• Scan settings for all scan types (Real-time Scan, Manual Scan, Scheduled Scan, and Scan Now)
• Client Privileges and Other Settings
• Web Reputation Policies
• Firewall Policies
• Firewall Profiles
Note: If these settings are replicated to an OfficeScan server where a particular service license has not been activated, the settings will on
4. If you will use a proxy server to connect to the Control Manager server, specify the following proxy settings:
• Proxy protocol
• Server FQDN or IP address and port
• Proxy server authentication user ID and password
5. Decide whether to use one-way communication or two-way communication port forwarding, and then specify the IP address and port.
6.
Reference Servers
One of the ways the OfficeScan client determines which of the firewall profiles or Web Reputation Policies to use is by checking its connection status with the OfficeScan server. If an internal client (or a client within the corporate network) cannot connect to the server, the client status becomes offline. The client then applies a firewall profile or Web reputation policy intended for external clients.
b. Type the port through which clients communicate with this computer. Specify any open contact port (such as ports 20, 23 or 80) on the reference server.
Note: To specify another port number for the same reference server, repeat steps 2a and 2b. The client uses the first port number on the list and, if connection is unsuccessful, uses the next port number.
c. Click Save.
3. To edit the settings of a computer on the list, click the computer name.
Outbreak Prevention:
• Outbreak Prevention enabled
• Outbreak Prevention disabled
• Number of shared folder sessions in the last
Database backup:
• Database backup successful
• Database backup unsuccessful
Role-based Web console access:
2.
Firewall Logs
OfficeScan generates logs when it detects violations to firewall policies. For details, see Firewall Logs on page 7-17.

Web Reputation Logs
OfficeScan generates logs when it blocks known or potentially malicious Web sites. For details, see Web Reputation Logs on page 6-7.

Connection Verification Logs
OfficeScan generates connection verification logs to allow you to determine whether or not the OfficeScan server can communicate with all of its registered clients.
Debug Logs
Use debug logs to troubleshoot problems with the OfficeScan server and client. For more information about debug logs, see the following topics:
• OfficeScan Server Logs on page 12-2
• OfficeScan Client Logs on page 12-9

Log Maintenance
To keep the size of logs from occupying too much space on the hard disk, manually delete logs or configure a log deletion schedule from the Web console.
Licenses
View, activate, and renew OfficeScan product service licenses on the Web console, and enable/disable the OfficeScan firewall. The OfficeScan firewall is part of the Antivirus service, which also includes support for Cisco NAC and outbreak prevention.
Note: You can enable the OfficeScan firewall during installation. If you disable firewall, OfficeScan hides all firewall features on the server and client.
If you have an evaluation version license
• When the license expires. During this time, OfficeScan disables component updates, scanning, and all client features.
2. View license information. The License Information section provides you the following information:
• Services: Includes all the OfficeScan product services
• Status: Displays either "Activated", "Not Activated" or "Expired".
3. In the screen that opens, type the Activation Code and click Save.
Note: Register a service before activating it. Contact your Trend Micro representative for more information about the Registration Key and Activation Code.
4. Back in the Product License Details screen, click Update Information to refresh the screen with the new license details and the status of the service.
To back up the OfficeScan database:
PATH: ADMINISTRATION > DATABASE BACKUP
1. Type the location where you want to save the database. If the folder does not exist yet, select Create folder if not already present. Include the drive and full directory path, such as C:\OfficeScan\DatabaseBackup. By default, OfficeScan saves the backup in the following directory: \DBBackup
OfficeScan creates a subfolder under the backup path.
OfficeScan Web Server Information
During OfficeScan server installation, Setup automatically sets up a Web server (IIS or Apache Web server) that enables networked computers to connect to the OfficeScan server. Configure the Web server to which networked computer clients will connect.
To change the Web console password:
PATH: ADMINISTRATION > CONSOLE PASSWORD
1. Type the current and new passwords in the text boxes provided.
Note: The new password must have at least 1 and at most 128 alphanumeric characters.
2. Confirm the new password.
3. Click Save.
To configure quarantine directory settings:
PATH: ADMINISTRATION > QUARANTINE MANAGER
1. Accept or modify the default capacity of the quarantine folder and the maximum size of an infected file that OfficeScan can store on the quarantine folder. The default values display on the screen.
2. Click Save Quarantine Settings.
3. To remove all existing files in the quarantine folder, click Delete All Quarantined Files.
Network Traffic
The amount of network traffic varies throughout the day. To control the flow of network traffic to the OfficeScan server and to other update sources, specify the number of clients that can simultaneously update at any given time of the day.
Server Tuner requires the following file: SvrTune.exe

To run Server Tuner:
PATH: TOOLS > ADMINISTRATIVE TOOLS > SERVER TUNER
1.
4. Under Buffer, modify the following settings:
Event Buffer
Type the maximum number of client event reports to the server (such as updating components) that OfficeScan holds in the buffer. The connection to the client breaks while the client request waits in the buffer. OfficeScan establishes a connection to a client when it processes the client report and removes it from the buffer.
connection closes (due to either the completion of the update or the client response reaching the timeout value you specified in the Timeout for client or Timeout for Update Agent field).
6. Click OK. A prompt appears asking you to restart the OfficeScan Master Service.
Note: Only the service restarts, not the computer.
7. Click Yes to save the Server Tuner settings and restart the service. The settings take effect immediately after restart.
Chapter 9
Managing Clients
Topics in this chapter:
• Computer Location
• Client Privileges and Other Settings
• Global Client Settings
• Client Connection with Servers
• Client Proxy Settings
• Client Mover
• Touch Tool
• Client Information
• Importing and Exporting Client Settings
• Managing Inactive Clients
Computer Location
OfficeScan provides a location awareness feature that determines the Web reputation policy applied to clients and the Smart Scan Server clients connect to. OfficeScan clients that can connect to the OfficeScan server or any of the reference servers are located internally, which means:
• These clients will apply the Web reputation policy for internal clients.
2. If you choose Client connection status, decide if you want to use a reference server. See Reference Servers on page 8-14 for details.
a. b. 3. If you did not specify a reference server, the client checks the connection status with the OfficeScan server when the following events occur:
• Client switches from roaming to normal (online/offline) mode.
• Client switches from one scan method to another. See Scan Methods on page 5-8 for details.
Gateway Settings Importer
OfficeScan checks a computer's location to determine the Web reputation policy to use and the Smart Scan Server to connect to. One of the ways OfficeScan identifies the location is by checking the computer's gateway IP address and MAC address.
Configure the gateway settings on the Computer Location screen or use the Gateway Settings Importer tool to import a list of gateway settings to the Computer Location screen.
Client Privileges and Other Settings
Grant users the privileges to modify certain settings and perform high level tasks on the OfficeScan client.
Tip: To enforce uniform settings and policies throughout the organization, grant limited privileges to users.

To configure privileges and other settings:
PATH: NETWORKED COMPUTERS > CLIENT MANAGEMENT > SETTINGS > PRIVILEGES AND OTHER SETTINGS
1. 2.
3. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
• Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Scan Privileges
These privileges allow users to configure their own Manual Scan, Real-time Scan and Scheduled Scan settings by opening the client console and selecting Settings > {Scan Type}.
FIGURE 9-17.
Scheduled Scan Privileges
Clients set to run Scheduled Scan can have the privileges to postpone and skip/stop Scheduled Scan. To allow users to take advantage of these privileges, remind them about the privileges you have granted them by configuring OfficeScan to display a notification message before Scheduled Scan runs.
Skip and Stop Scheduled Scan
Enabling this option allows users to perform the following actions:
• Skip Scheduled Scan before it runs
• Stop Scheduled Scan when it is in progress

To postpone/skip and stop Scheduled Scan on the client computer:
If Scheduled Scan has not started:
1. Right-click the OfficeScan client icon on the system tray and select Scheduled Scan Advanced Settings.
Note:
2.
OfficeScan Firewall Privileges
Firewall privileges allow users to configure their own firewall settings. User-configured settings cannot be overridden by settings deployed from the OfficeScan server. For example, if the user disables Intrusion Detection System (IDS) and you enable IDS on the OfficeScan server, IDS remains disabled on the client computer.
Allow Users to Enable/Disable the OfficeScan Firewall, the Intrusion Detection System, and the Firewall Violation Notification Message
The OfficeScan firewall protects clients and servers on the network using stateful inspection, high performance network virus scanning, and elimination.
Mail Scan Privileges
When clients have the Mail Scan privileges, the Mail Scan tab displays on the client console. Mail scan includes Outlook mail scan and POP3 mail scan.
FIGURE 9-19. Mail Scan tab on the client console
OfficeScan clients do not display mail scan results on the client console’s Logs screen and do not send mail scan logs to the server. Outlook and POP3 mail scan logs are stored in separate log files on the client computer.
Outlook Mail Scan
When the Mail Scan tab displays on the client console, client users can immediately configure Outlook mail scan settings and then run Manual Scan to scan Microsoft Outlook email messages and attachments for viruses/malware.
Note: Outlook mail scan does not scan for spyware/grayware.
Outlook mail scan is a user-initiated scan, which means that scanning only occurs when users run Manual Scan from the Mail Scan tab.
Toolbox Privilege
When you enable this privilege, the Toolbox tab displays on the client console. The Toolbox tab allows users to install Check Point SecureClient Support. OfficeScan provides a tool that allows Check Point SecureClient to check if the client Virus Pattern and Virus Scan Engine are current.
FIGURE 9-20. Toolbox tab on the client console

Proxy Configuration Privilege
This privilege allows client users to configure proxy settings.
Component Update Privileges
Update privileges allow client users to configure their own update settings.

Perform "Update Now"
Users with this privilege can update components on demand by right-clicking the OfficeScan icon on the system tray and selecting Update Now. You can configure clients to use proxy settings during "Update Now". See Automatic Proxy Configuration on page 9-29 for details.

Enable Scheduled Update
This privilege allows client users to enable/disable scheduled update.
Enable Scheduled Update
Selecting this option forces the selected clients to always run scheduled update except when users have the privilege to enable/disable scheduled update and the user disables scheduled update. See Component Update Privileges on page 9-15 for details about the privilege.
Specify the update schedule in Updates > Networked Computers > Automatic Update > Schedule-based Update.
Client Security
This setting allows or restricts users from accessing OfficeScan client files and registries.
If you select High, the access permission settings of the OfficeScan folders, files, and registries will be the same as the Program Files folder settings of client computers running Windows 2000/XP/Server 2003.
Global Client Settings
OfficeScan applies global client settings to all clients or only to clients with certain privileges.

To configure global client settings:
PATH: NETWORKED COMPUTERS > GLOBAL CLIENT SETTINGS
1. 2.
In a Compressed File, Scan Only the First __ Files
After decompressing a compressed file, OfficeScan scans the specified number of files and ignores any remaining files, if any.

Scan Up to __ OLE Layer(s)
When a file contains multiple Object Linking and Embedding (OLE) layers, OfficeScan scans up to the number of layers you specify and skips the remaining layers.
All clients managed by the server check this setting during Manual Scan, Real-time Scan, Scheduled Scan, and Scan Now.
Exclude Microsoft Exchange Server Folders from Scanning
If the OfficeScan client and a Microsoft Exchange 2000/2003 server exist on the same computer, OfficeScan will not scan the Exchange server folders for virus/malware and spyware/grayware during Manual Scan, Real-time Scan, Scheduled Scan and Scan Now. For Microsoft Exchange 2007 folders, you need to manually add the folders to the scan exclusion list.
The following table describes what happens if any of the conditions is not met.
TABLE 9-38. Compressed file scenarios and results

Status of "Clean/Delete infected files within compressed files": Enabled
Action OfficeScan is set to perform: Clean or Delete
Compressed file format: Not supported. Example: def.rar contains an infected file 123.doc.

Status of "Clean/Delete infected files within compressed files": Disabled
Action OfficeScan is set to perform: Clean or Delete
Compressed file format: Supported/Not supported. Example: abc.zip contains an infected file 123.doc.
TABLE 9-38. Compressed file scenarios and results (Continued)

Status of "Clean/Delete infected files within compressed files": Enabled/Disabled
Action OfficeScan is set to perform: Not Clean or Delete (in other words, any of the following: Rename, Quarantine, Deny Access or Pass)
Compressed file format: Supported/Not supported. Example: abc.zip contains an infected file 123.doc.
Enable Assessment Mode
When in assessment mode, all clients managed by the server will log spyware/grayware detected during Manual Scan, Scheduled Scan, Real-time Scan, and Scan Now but will not clean spyware/grayware components. Cleaning terminates processes or deletes registries, files, cookies, and shortcuts.
Trend Micro provides assessment mode to allow you to evaluate items that Trend Micro detects as spyware/grayware and then take appropriate action based on your evaluation.
The notification message can be enabled/disabled by going to Networked Computers > Client Management > Settings > Privileges and Other Settings > Other Settings tab > Scheduled Scan Settings. If disabled, no reminder displays.

Postpone Scheduled Scan for Up to __ Hour(s) and __ Minute(s)
Only users with the "Postpone Scheduled Scan" privilege can perform the following actions:
• Postpone Scheduled Scan before it runs and then specify the postpone duration.
Firewall Log Settings
You can grant certain clients the privilege to send firewall logs to the OfficeScan server. Configure the log sending schedule in this section. Only clients with the privilege to send firewall logs will use the schedule.
See OfficeScan Firewall Privileges on page 9-10 for information on firewall privileges available to selected clients.
OfficeScan Service Restart
OfficeScan restarts client services that stopped responding unexpectedly and were not stopped by a normal system process. Configure the following settings to enable client services to restart:

Automatically Restart an OfficeScan Client Service if the Service Stops
OfficeScan restarts the following services:
• OfficeScan NT Listener (tmlisten.
Client Self-protection
Client self-protection provides ways for the OfficeScan client to protect the processes and other resources required to function properly. Client self-protection helps thwart attempts by programs or actual users to disable anti-malware protection.
Protect OfficeScan Client Processes
OfficeScan blocks all attempts to terminate the following processes:
• tmlisten.exe: Receives commands and notifications from the OfficeScan server and facilitates communication from the client to the server
• ntrtscan.exe: Performs Real-time, Scheduled, and Manual Scan on OfficeScan clients
• TmProxy.exe: Scans network traffic before passing it to the target application
• TmPfw.
Network Virus Log Consolidation
When you enable this option, OfficeScan clients only send network virus logs to the server once every hour. For more information about network viruses, see Network Virus on page 5-4.

Virus/Malware Log Bandwidth Setting
OfficeScan consolidates virus log entries when detecting multiple infections from the same virus/malware over a short period of time.
Use Automatic Configuration Script
OfficeScan uses the proxy auto-configuration (PAC) script set by the network administrator to detect the appropriate proxy server.

Client Grouping
This setting is used only during client installation. The installation program checks the network domain to which a target computer belongs.
Online Clients
Online clients maintain a continuous connection with the server. The OfficeScan server can initiate tasks and deploy settings to these clients.
TABLE 9-39. Online client icons
SCAN METHOD | DESCRIPTION
Conventional scan | All components are up-to-date and services work properly.
Conventional scan | The pattern file has not been updated for a while.
Conventional scan | Real-time Scan is disabled.
Conventional scan | The pattern file has not been updated for a while.
TABLE 9-39. Online client icons (Continued)
SCAN METHOD | DESCRIPTION
Smart scan | The client cannot connect to a Smart Scan Server. Real-time Scan is disabled.
Smart scan | The client cannot connect to a Smart Scan Server. Real-time Scan Service was stopped.
Offline Clients
Offline clients are disconnected from the server. The OfficeScan server cannot manage these clients.
TABLE 9-40.
TABLE 9-40. Offline client icons (Continued)
SCAN METHOD | DESCRIPTION
Smart scan | The client can connect to a Smart Scan Server. Real-time Scan is enabled.
Smart scan | The client can connect to a Smart Scan Server. Real-time Scan is disabled.
Smart scan | The client can connect to a Smart Scan Server. Real-time Scan Service was stopped.
Smart scan | The client cannot connect to a Smart Scan Server.
Smart scan | The client cannot connect to a Smart Scan Server.
Updates to roaming clients occur only on the following occasions:
• When the client user performs manual update
• When you set an automatic update deployment that includes roaming clients
• When you grant clients the privilege to enable scheduled update
For more information on how to update clients, see Client Update on page 4-23.
TABLE 9-41. Roaming client icons
SCAN METHOD | DESCRIPTION
Conventional scan | Real-time Scan is enabled.
TABLE 9-41. Roaming client icons (Continued)
SCAN METHOD | DESCRIPTION
Smart scan | The client cannot connect to a Smart Scan Server. Real-time Scan is disabled.
Smart scan | The client cannot connect to a Smart Scan Server. Real-time Scan is disabled.
Smart scan | The client cannot connect to a Smart Scan Server. Real-time Scan Service was stopped.
A Client Within the Corporate Network is Disconnected from the Server
Verify the connection from the Web console (Networked Computers > Connection Verification) and then check connection verification logs (Logs > Networked Computer Logs > Connection Verification).
If the client is still disconnected after verification:
1. If the connection status on both the server and client is offline, check the network connection.
2.
5. Verify from the registry whether or not a client is connected to the corporate network.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\iCRC Scan\Scan Server
• If LocationProfile=1, the client is connected to the network and should connect to a local Smart Scan Server.
• If LocationProfile=2, the client is not connected to the network and should connect to the Global Smart Scan Server.
6.
Verify client-server connection manually or let OfficeScan perform scheduled verification. You cannot select specific domains or clients and then verify their connection status. OfficeScan verifies the connection status of all its registered clients.
To verify client-server connection:
PATH: NETWORKED COMPUTERS > CONNECTION VERIFICATION
1. To verify client-server connection manually, go to the Manual Verification tab and click Verify Now.
2.
Client Proxy Settings
Configure OfficeScan clients to use proxy settings when connecting to internal and external servers.
Internal Proxy
Clients can use internal proxy settings to connect to the following servers on the network:
OfficeScan server computer
The server computer hosts the OfficeScan server and the integrated Smart Scan Server. Clients connect to the OfficeScan server to update components, obtain configuration settings, and send logs.
External Proxy
The OfficeScan server and client can use external proxy settings when connecting to servers hosted by Trend Micro. This topic discusses external proxy settings for clients. For external proxy settings for the server, see Proxy for Server Update on page 4-16.
Clients use the proxy settings configured in Internet Explorer to connect to the Trend Micro Global Smart Scan Server and Web Reputation servers.
Client Mover
If you have more than one OfficeScan server on the network, use the Client Mover tool to transfer clients from one OfficeScan server to another. This is especially useful when you add a new OfficeScan server to the network and want to transfer existing OfficeScan clients to it.
Note: The two servers must be of the same language version. If you use Client Mover to move an OfficeScan client running an earlier version (such as version 7.
5. To confirm the client now reports to the other server, do the following:
a. On the client computer, right-click the OfficeScan client program icon in the system tray.
b. Select OfficeScan Console.
c. Click Help in the menu and select About.
d. Check the OfficeScan server that the client reports to in the Server name/port field.
4. Type the following:
TmTouch.exe
Where:
is the name of the hot fix file whose time stamp you want to change
is the name of the file whose time stamp you want to replicate
Note: If you do not specify a source file name, the tool sets the destination file time stamp to the system time of the computer. Use the wild card character (*) for the destination file, but not for the source file name.
5.
Importing and Exporting Client Settings
You may want many OfficeScan clients to have the same scan and/or client privilege settings. OfficeScan allows you to save (export) a specific client’s scan settings and privileges and then replicate (import) them to multiple clients. This provides an easy way to configure identical settings on many clients. You cannot export the scan and privilege settings of multiple clients.
Managing Inactive Clients
When you use the client uninstallation program to remove the client program from a computer, the program automatically notifies the server. When the server receives this notification, it removes the client icon in the client tree to show that the client does not exist anymore.
Section 3 Providing Additional Protection
Chapter 10
Policy Server for Cisco NAC
Topics in this chapter:
• About Policy Server for Cisco NAC on page 10-2
• Components and Terms on page 10-2
• Cisco NAC Architecture on page 10-6
• The Client Validation Sequence on page 10-7
• The Policy Server on page 10-9
• Synchronization on page 10-17
• Certificates on page 10-17
• Policy Server System Requirements on page 10-19
• Cisco Trust Agent (CTA) Requirements on page 10-20
• Supported Platforms and Requirements on page 10-21
• Policy S
About Policy Server for Cisco NAC
Trend Micro Policy Server for Cisco Network Admission Control (NAC) evaluates the status of antivirus components on OfficeScan clients. Policy Server configuration options let you perform actions on at-risk clients to bring them into compliance with the organization’s security initiative.
TABLE 10-42. Policy Server for Cisco NAC components (Continued)
COMPONENT | DESCRIPTION
Network Access Device | A network device that supports Cisco NAC functionality. Supported Network Access Devices include a range of Cisco routers, firewalls, and access points, as well as third-party devices with Terminal Access Controller Access Control System (TACACS+) or the Remote Dial-In User Service (RADIUS) protocol.
Terms
Become familiar with the following terms related to Policy Server for Cisco NAC:
TABLE 10-43. Terms related to Policy Server for Cisco NAC
TERM | DEFINITION
Security posture | The presence and currency of antivirus software on a client.
TABLE 10-43. Terms related to Policy Server for Cisco NAC (Continued)
TERM | DEFINITION
Authentication, Authorization, and Accounting (AAA) | Describes the three main services used to control end-user client access to computer resources. Authentication refers to identifying a client, usually by having the user enter a user name and password. Authorization refers to the privileges the user has to issue certain commands.
Cisco NAC Architecture
The following diagram illustrates a basic Cisco NAC architecture.
[Figure components: Cisco Secure Access Control Server; Trend Micro Policy Server for Cisco NAC; OfficeScan server; Cisco NAC-supported Network Access Device; OfficeScan client with CTA installation]
FIGURE 10-22.
The Client Validation Sequence
Client validation refers to the process of evaluating an OfficeScan client’s security posture and returning instructions for the client to perform if the Policy Server considers it to be at-risk. The Policy Server validates an OfficeScan client by using configurable rules and policies.
Below is the sequence of events that occurs when an OfficeScan client attempts to access the network:
1.
6. The client performs the actions configured in the posture token.
The Policy Server
The Policy Server is responsible for evaluating the OfficeScan client’s security posture and for creating the posture token. It compares the security posture with the latest versions of the Virus Pattern and Virus Scan Engine received from the OfficeScan server to which the client belongs. It returns the posture token to the Cisco Secure ACS server, which in turn passes it to the client from the Cisco Network Access Device.
Policy Server Policies and Rules
Policy Servers use configurable rules and policies to help enforce your organization’s security guidelines. Rules include specific criteria that Policy Servers use to compare with the security posture of OfficeScan clients.
Security Posture Criteria
Rules include the following security posture criteria:
• Client machine state: If the client computer is in the booting state or not
• Client Real-time Scan status: If Real-time Scan is enabled or disabled
• Client scan engine version currency: If the Virus Scan Engine is up-to-date
• Client virus pattern file status: How up-to-date the Virus Pattern is.
Policy Server and OfficeScan Client Actions
If the client security posture matches the rule criteria, the Policy Server can carry out the following action:
• Creates an entry in a Policy Server client validation log (see Client Validation Logs on page 10-39 for more information)
If the client security posture matches the rule criteria, the OfficeScan client can carry out the following actions:
• Enable client Real-time Scan so the OfficeScan client can s
TABLE 10-44. Default rules (Continued)
RULE NAME | MATCHING CRITERIA
Checkup | Virus Pattern version is at least one version older than the version on the OfficeScan server to which the client is registered.
TABLE 10-44. Default rules (Continued)
RULE NAME | MATCHING CRITERIA
Quarantine | Virus Pattern version is at least five versions older than the version on the OfficeScan server to which the client is registered.
Policy Composition
Policies include any number of rules, together with default responses and actions.
Rule Enforcement
Policy Server enforces rules in a specific order, which allows you to prioritize rules. Change the order of rules, add new ones, and remove existing ones from a policy.
Default Responses for Policies
As with rules, policies include default responses to help you understand the condition of OfficeScan clients on the network when client validation occurs.
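Because rules are enforced in order, a broad rule placed above a narrower one can keep the narrower one from ever taking effect. The following Python model is an added example, not Policy Server code: it assumes the first matching rule wins, uses only the Checkup and Quarantine pattern criteria from the default rules table, and its class, field and function names are hypothetical.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable


@dataclass(frozen=True)
class Posture:
    """Security posture criteria listed in this chapter (field names are hypothetical)."""
    booting: bool          # client machine state
    realtime_scan: bool    # Real-time Scan enabled or disabled
    engine_current: bool   # Virus Scan Engine up-to-date or not
    pattern_behind: int    # how many versions older than the server's Virus Pattern


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Posture], bool]


def evaluate(policy, posture, default="default response"):
    """Assumed semantics: the first rule in policy order that matches wins."""
    for rule in policy:
        if rule.matches(posture):
            return rule.name
    return default


def dead_rules(policy, max_behind=10):
    """Names of rules that never win for any posture in the modelled space."""
    winners = set()
    for booting, rts, engine, behind in product(
        (False, True), (False, True), (False, True), range(max_behind + 1)
    ):
        winners.add(evaluate(policy, Posture(booting, rts, engine, behind)))
    return [rule.name for rule in policy if rule.name not in winners]


# Pattern criteria of two default rules as given in the default rules table.
CHECKUP = Rule("Checkup", lambda p: p.pattern_behind >= 1)
QUARANTINE = Rule("Quarantine", lambda p: p.pattern_behind >= 5)

QUARANTINE_FIRST = [QUARANTINE, CHECKUP]
CHECKUP_FIRST = [CHECKUP, QUARANTINE]

if __name__ == "__main__":
    six_behind = Posture(booting=False, realtime_scan=True,
                         engine_current=True, pattern_behind=6)
    print(evaluate(QUARANTINE_FIRST, six_behind), evaluate(CHECKUP_FIRST, six_behind))
    print("never reached:", dead_rules(CHECKUP_FIRST))
```

Running the dead-rule check after every reordering shows whether a stricter rule has been moved below a rule that already covers all of its matches.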
Default Policies
Policy Server provides default policies to give you a basis for configuring settings. Two policies are available, one for normal mode and one for outbreak mode.
TABLE 10-45.
Synchronization
Regularly synchronize the Policy Server with registered OfficeScan servers to keep the Policy Server versions of the Virus Pattern, Virus Scan Engine, and server outbreak status (normal mode or outbreak mode) up-to-date with those on the OfficeScan server. Use the following methods to perform synchronization:
• Manually: Perform synchronization at any time on the Summary screen (see Summary Information for a Policy Server on page 10-36).
The figure below illustrates the steps involved in creating and deploying ACS and CA certificates:
[Figure labels: Certificate Authority (CA) server; ACS certificate; CA certificate; CA certificate; OfficeScan server; Cisco Secure ACS server; CA certificate with CTA; OfficeScan client]
FIGURE 10-25. ACS and CA certificate creation and deployment
1. After the ACS server issues a certificate signing request to the CA server, the CA issues a certificate called the ACS certificate.
The CA Certificate
OfficeScan clients with CTA installations authenticate with the ACS server before communicating client security posture. Several methods are available for authentication (see the Cisco Secure ACS documentation for details).
Hardware
• 300MHz Intel Pentium II processor or equivalent
• 128MB of RAM
• 300MB of available disk space
• Monitor that supports 800 x 600 resolution at 256 colors or higher
Web Server
• Microsoft Internet Information Server (IIS) versions 5.0 or 6.0
• Apache Web server 2.
Hardware
• 200MHz single or multiple Intel Pentium processors
• 128MB of RAM for Windows 2000
• 256MB of RAM for Windows XP and 2003
• 5MB of available disk space (20MB recommended)
Others
• Windows Installer 2.0 or later
Supported Platforms and Requirements
The following platforms support the Cisco NAC functionality:
TABLE 10-47.
TABLE 10-47. Supported platforms and requirements (Continued)
SUPPORTED PLATFORM | MODELS | IOS IMAGES | MINIMUM MEMORY/FLASH
Cisco 3600 series | 3640/3640A, 3660-ENT series | IOS 12.3(8) or later | 48MB/16MB
Cisco 3700 series | 3745, 3725 | IOS 12.3(8) or later | 128MB/32MB
Cisco 3800 series | 3845, 3825 | IOS 12.3(8) or later | 256MB/64MB
Cisco 7200 series | 720x, 75xx | IOS 12.
Policy Server for NAC Deployment
The following procedures are for reference only and may be subject to change depending on updates to the Microsoft and/or Cisco interfaces. Before performing any of the tasks, verify that the Network Access Device(s) on the network are able to support Cisco NAC (see Supported Platforms and Requirements on page 10-21). See the device documentation for setup and configuration instructions. Also, install the ACS server on the network.
Cisco Secure ACS Server Enrolment
Enroll the Cisco Secure ACS server with the Certificate Authority (CA) server to establish a trust relationship between the two servers. The following procedure is for users running a Windows Certification Authority server to manage certificates on the network. Refer to the vendor documentation if using another CA application or service and see the ACS server documentation for instructions on how to enroll a certificate.
g. Click Close to close the Add Standalone Snap-in screen.
h. Click OK to close the Add/remove Snap-in screen.
i. In the tree view of the console, click Certificates > Trusted Root > Certificates.
j. Select the certificate to distribute to clients and the ACS server from the list.
k. Click Action > All Tasks > Export... The Certificate Export Wizard opens.
l. Click Next.
m. Click DER encoded binary x.509 and click Next.
n.
3. Copy the certificate (.cer file) to the OfficeScan server computer to deploy it to the client with the CTA (see Cisco Trust Agent Deployment on page 10-26 for more information).
Note: Store the certificate on a local drive and not on mapped drives.
Cisco Trust Agent Deployment
Cisco Trust Agent (CTA), a program hosted within the OfficeScan server and installed to clients, enables the OfficeScan client to report antivirus information to Cisco ACS.
Deploying CTA from the OfficeScan Web Console
If you did not select the option to install/upgrade CTA during server installation, you can do so from the Web console. Before installing/upgrading CTA, deploy the client certificate to clients.
Note: A Certificate Authority (CA) server generates the client certificate file. Request a certificate file from your Trend Micro representative.
Cisco Trust Agent Version
Before installing CTA to clients, check the CTA version (Cisco Trust Agent or Cisco Trust Agent Supplicant) to install. The only difference between these two versions is that the Supplicant package provides layer 2 authentication for the computer and end user.
If the Cisco NAC Access Control Server (ACS) is version 4.0 or later, upgrade the Cisco Trust Agent on the clients to version 2.0 or later.
To check the CTA version:
1.
To deploy CTA to clients from the OfficeScan Web console:
1. Open the OfficeScan server Web console and click Agent Deployment. The client tree appears.
Note: If you did not accept the terms of the Cisco License Agreement during installation of the OfficeScan server, you cannot deploy the agent. When you click Agent Deployment, the license information appears again. Read the license agreement and click Yes to agree to the terms.
2.
Cisco Trust Agent Installation Verification
After deploying the CTA to clients, verify successful installation by viewing the client tree. The client tree contains a column titled CTA Program, which is visible in the Update, View All, or Antivirus views. Successful CTA installations contain a version number for the CTA program.
Also verify that the following processes are running on the client computer:
• ctapsd.exe
• ctaEoU.exe
• ctatransapt.
To install Policy Server for Cisco NAC using the Policy Server installer:
1. Log on to the computer to which you will install Policy Server for Cisco NAC.
2. Locate the Policy Server for Cisco NAC installer package on the Enterprise CD.
3. Double-click setup.exe to run the installer.
4. Follow the installation instructions. You can install the Policy Server to the OfficeScan server computer.
b.
c. Next to Port, type a port that will serve as the server listening port. When the Policy Server and OfficeScan server are on the same computer and use the same Web server, the port numbers are as follows:
• Apache Web server/IIS Web server on default Web site: Policy Server and OfficeScan server share the same port
• Both on IIS Web server on virtual Web site: Policy Server default listening port is 8081 and the SSL port is 4344.
Policy Server SSL Certificate Preparation
To establish a secure SSL connection between the ACS server and the Policy Server, prepare a certificate especially for use with SSL. Setup automatically generates the SSL certificate.
To prepare the Policy Server SSL certificate for distribution:
1. Export the certificate from the Certification Store on mmc.
If the Policy server runs IIS:
a. On the Policy Server, click Start > Run. The Run screen opens.
b. Type mmc in the Open box.
m. Click Next.
n. Click DER encoded binary x.509 or Base 64 encoded X.509 and click Next.
o. Enter a file name and browse to a directory to which to export the certificate.
p. Click Next.
q. Click Finish. A confirmation window displays.
r. Click OK.
If the Policy server runs Apache 2.0:
a. b. 2. Obtain the certificate file server.cer.
ACS Server Configuration
To allow Cisco Secure ACS to pass authentication requests to the Policy Server for Cisco NAC, add the Policy Server for Cisco NAC in External Policies for the external user database to use for authentication. See the ACS server documentation for instructions on how to add the policy server in a new external policy.
Note: Configure the ACS server to perform tasks such as blocking client access to the network.
Policy Server Configuration from OfficeScan
The first step in configuring Policy Servers is to add the installed Policy Servers to the OfficeScan server. This allows you to open the Policy Server Web console from the OfficeScan Web console.
To add a Policy Server:
1. On the main menu of the OfficeScan Web console, click Cisco NAC > Policy Servers. The Policy Servers screen appears displaying a list of all Policy Servers.
2. Click Add.
The Configuration Summary table displays the number of OfficeScan servers registered to the Policy Server, the Policy Server policies, and the rules that compose the policies.
To view and modify Configuration Summary details for a Policy Server:
1. On the main menu of the OfficeScan Web console, click Cisco NAC > Policy Servers. The Policy Servers screen appears displaying a list of all Policy Servers.
2.
Policy Server Registration
Register the Policy Server with at least one OfficeScan server so the Policy Server can obtain Virus Pattern and Virus Scan Engine version information. See The Client Validation Sequence on page 10-7 for information on the role the OfficeScan server performs in the validation process.
Note: For Policy Server to validate all clients on the network, add all OfficeScan servers to at least one Policy Server.
Client Validation Logs
Use the client validation logs to view detailed information about clients when they validate with the Policy Server. Validation occurs when the ACS server retrieves client security posture data and sends it to the Policy Server, which compares the data to policies and rules (see The Client Validation Sequence on page 10-7).
Chapter 11
Configuring OfficeScan with Third-party Software
Topics in this chapter:
• Overview of Check Point Architecture and Configuration on page 11-2
• Check Point for OfficeScan Configuration on page 11-4
• SecureClient Support Installation on page 11-6
Overview of Check Point Architecture and Configuration
Integrate OfficeScan installations with Check Point™ SecureClient™ using Secure Configuration Verification (SCV) within the Open Platform for Security (OPSEC) framework. Refer to the Check Point SecureClient OPSEC documentation before reading this section. Documentation for OPSEC can be found at: http://www.opsec.
OfficeScan Integration
OfficeScan client periodically passes the Virus Pattern number and Virus Scan Engine number to SecureClient for verification. SecureClient then compares these values with values in the client local.scv file.
This is what the local.scv file looks like if you open it in a text editor:
(SCVObject
  :SCVNames (
    : (OfceSCV
      :type (plugin)
      :parameters (
        :CheckType (OfceVersionCheck)
        :LatestPatternVersion (701)
        :LatestEngineVersion (7.
In this example, the SCV check will allow connections through the firewall if the pattern file version is 701 or later, and the scan engine number is 7.1 or later. If the scan engine or pattern file is earlier, all connections through the Check Point firewall are blocked. Modify these values using the SCV Editor on the local.scv file on the Policy Server.
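The check described above can be reproduced offline to audit a local.scv file before it is distributed. The following Python sketch is an added example, not Trend Micro or Check Point code: the sample policy is constructed from the excerpt above, and the component-wise version comparison and the fail-closed handling of a damaged file are assumptions.

```python
import re

# Constructed sample modelled on the local.scv excerpt in this guide. Only the
# keys visible in that excerpt are used; 7.1 is taken from the guide's prose.
SAMPLE_LOCAL_SCV = """
(SCVObject
  :SCVNames (
    : (OfceSCV
      :type (plugin)
      :parameters (
        :CheckType (OfceVersionCheck)
        :LatestPatternVersion (701)
        :LatestEngineVersion (7.1)
      )
    )
  )
)
"""

_TOKEN = re.compile(r'\(|\)|:[A-Za-z0-9_]*|"[^"]*"|[^\s():"]+')


class ScvError(ValueError):
    """The policy text is malformed, truncated or missing a value."""


def tokenize(text):
    tokens = _TOKEN.findall(text)
    # findall silently skips unmatched characters (such as a stray quote),
    # so compare the whitespace-free tokens with the whitespace-free input.
    if re.sub(r"\s+", "", "".join(tokens)) != re.sub(r"\s+", "", text):
        raise ScvError("unrecognised characters in policy text")
    return tokens


def _parse_node(tokens, i):
    # Grammar: '(' [atom] { ':'key node } ')'
    if i >= len(tokens) or tokens[i] != "(":
        raise ScvError("expected '('")
    i += 1
    node = {"name": None, "children": []}
    if i < len(tokens) and tokens[i] not in ("(", ")") and not tokens[i].startswith(":"):
        node["name"] = tokens[i].strip('"')
        i += 1
    while i < len(tokens) and tokens[i].startswith(":"):
        key = tokens[i][1:]
        child, i = _parse_node(tokens, i + 1)
        node["children"].append((key, child))
    if i >= len(tokens) or tokens[i] != ")":
        raise ScvError("expected ')' (unbalanced or truncated file)")
    return node, i + 1


def _find_named(node, name):
    if node["name"] == name:
        return node
    hits = (_find_named(child, name) for _, child in node["children"])
    return next((hit for hit in hits if hit is not None), None)


def ofce_parameters(text):
    """Return the :parameters of the OfceSCV check as a {name: value} dict."""
    tokens = tokenize(text)
    root, end = _parse_node(tokens, 0)
    if end != len(tokens):
        raise ScvError("unexpected text after the top-level object")
    check = _find_named(root, "OfceSCV")
    if check is None:
        raise ScvError("no OfceSCV check defined")
    for key, child in check["children"]:
        if key == "parameters":
            return {k: v["name"] for k, v in child["children"]}
    raise ScvError("OfceSCV has no :parameters block")


def version_tuple(value):
    # Assumption: versions compare component by component as integers,
    # so 7.10 is later than 7.9 and 7 is earlier than 7.1.
    try:
        return tuple(int(part) for part in str(value).split("."))
    except ValueError:
        raise ScvError(f"not a numeric version: {value!r}") from None


def scv_allows(policy_text, client_pattern, client_engine):
    """Return (allowed, reason); an unusable policy fails closed."""
    try:
        params = ofce_parameters(policy_text)
        need_pattern = version_tuple(params.get("LatestPatternVersion"))
        need_engine = version_tuple(params.get("LatestEngineVersion"))
        have_pattern = version_tuple(client_pattern)
        have_engine = version_tuple(client_engine)
    except ScvError as exc:
        return False, f"policy or client data unusable: {exc}"
    if have_pattern < need_pattern:
        return False, "pattern file earlier than the policy minimum"
    if have_engine < need_engine:
        return False, "scan engine earlier than the policy minimum"
    return True, "compliant"
```

Calling `scv_allows(SAMPLE_LOCAL_SCV, "700", "7.1")` returns a blocked result with the reason, which makes it easy to confirm which client versions a revised policy would lock out before pushing it.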
5. Add a parameter by clicking Edit > Parameters > Add, and then typing a Name and Value in the corresponding boxes. The following table lists the parameter names and values. Parameter names and values are case-sensitive. Type them in the order given in the table.
TABLE 11-48.
SecureClient Support Installation
If users connect to the office network from a Virtual Private Network (VPN), and they have both Check Point SecureClient and the OfficeScan client installed on their computers, instruct them to install SecureClient support. This module allows SecureClient to perform SCV checks on VPN clients, ensuring that only securely configured systems are allowed to connect to the network.
Chapter 12
Getting Help
Topics in this chapter:
• Troubleshooting Resources on page 12-2
• Contacting Trend Micro on page 12-15
Troubleshooting Resources
This section provides a list of resources you can use to troubleshoot OfficeScan server and client issues.
• Case Diagnostic Tool
• OfficeScan Server Logs
• OfficeScan Client Logs
Case Diagnostic Tool
Trend Micro Case Diagnostic Tool (CDT) collects necessary debugging information from a customer’s product whenever problems occur.
Server Debug Log Using LogServer.exe
Use LogServer.exe to collect debug logs for the following:
• OfficeScan server basic logs
• Trend Micro Vulnerability Scanner
• OfficeScan features that leverage Active Directory
• Role-based administration
• Smart scan
• Policy Server
To enable debug logging:
1. Log on to the Web console.
2. On the banner of the Web console, click the first "c" in "OfficeScan".
3. Specify debug log settings.
4. Click Save.
5.
Perform the following steps:
1. Copy the LogServer folder located in \PCCSRV\Private to C:\.
2. Create a file named ofcdebug.ini with the following content:
   [debug]
   debuglevel=9
   debuglog=c:\LogServer\ofcdebug.log
   debugLevel_new=D
   debugSplitSize=10485760
   debugSplitPeriod=12
   debugRemoveAfterSplit=1
3. Save ofcdebug.ini to C:\LogServer.
4.
Component Update Log
File name: TmuDump.txt
Location: \PCCSRV\Web\Service\AU_Data\AU_Log
To get detailed server update information:
1. Create a file named aucfg.ini with the following content:
   [Debug]
   level=-1
   [Downloader]
   ProxyCache=0
2. Save the file to \PCCSRV\Web\Service.
3. Restart the OfficeScan Master Service.
To stop collecting detailed server update information:
1. Delete aucfg.ini.
2.
ServerProtect Normal Server Migration Tool Log
To enable debug logging for ServerProtect Normal Server Migration Tool:
1. Create a file named ofcdebug.ini with the following content:
   [Debug]
   DebugLog=C:\ofcdebug.log
   DebugLevel=9
2. Save the file to C:\.
3. Check ofcdebug.log in C:\.
To disable debug logging for ServerProtect Normal Server Migration Tool:
Delete ofcdebug.ini.
To enable debug logging for the MCP Agent:
1. Modify product.ini in \PCCSRV\CmAgent as follows:
   [Debug]
   debugmode = 3
   debuglevel= 3
   debugtype = 0
   debugsize = 10000
   debuglog = C:\CMAgent_debug.log
2. Restart the OfficeScan Control Manager Agent service from Microsoft Management Console.
3. Check CMAgent_debug.log in C:\.
To disable debug logging for the MCP Agent:
1. Open product.
Virus Scan Engine Log
To enable debug logging for the Virus Scan Engine:
1. Open the Registry Editor (regedit.exe).
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMFilter\Parameters.
3. Change the value of "DebugLogFlags" to "00003eff".
4. Perform the steps that led to the scanning issue you encountered.
5. Check TMFilter.log in %windir%.
World Virus Tracking Log
File name: wtc.log
Location: \PCCSRV\Log\temp
OfficeScan Client Logs
Use client logs (such as debug logs) to troubleshoot client issues.
WARNING! Debug logs may affect client performance and consume a large amount of disk space. Enable debug logging only when necessary and promptly disable it when you no longer need debug data. Remove the log file if it becomes very large.
Client Debug Log using LogServer.
To disable debug logging for the OfficeScan client:
Delete ofcdebug.ini.
Fresh Installation Log
File name: OFCNT.LOG
Locations:
• %windir% for all installation methods except MSI package
• %temp% for the MSI package installation method
Upgrade/Hot Fix Log
File name: upgrade.log
Location: \Temp
Damage Cleanup Services Log
To enable debug logging for Damage Cleanup Services:
1. Open TSC.ini in .
Client Connection Log
File name: Conn_YYYYMMDD.log
Location: \ConnLog
Client Update Log
File name: Tmudump.txt
Location: \AU_Data\AU_Log
To get detailed client update information:
1. Create a file named aucfg.ini with the following content:
   [Debug]
   level=-1
   [Downloader]
   ProxyCache=0
2. Save the file to .
3. Reload the client.
To stop collecting detailed client update information:
1. Delete aucfg.ini.
OfficeScan Firewall Log
To enable debug logging for the Common Firewall Driver on Windows Vista/2008 computers:
1. Add the following data in:
a. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tmwfp\Parameters:
• Type: DWORD value (REG_DWORD)
• Name: DebugCtrl
• Value: 0x00001111
b. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tmlwf\Parameters:
• Type: DWORD value (REG_DWORD)
• Name: DebugCtrl
• Value: 0x00001111
2.
To enable debug logging for the OfficeScan NT Firewall service:
1. Edit TmPfw.ini located in as follows:
   [ServiceSession]
   Enable=1
2. Reload the client.
3. Check TmPfw.log in C:\temp.
To disable debug logging for the OfficeScan NT Firewall service:
1. Open TmPfw.ini and change the "Enable" value from 1 to 0.
2. Reload the client.
Web Reputation and POP3 Mail Scan Log
To enable debug logging for the Web reputation and POP3 Mail Scan features:
1.
Transport Driver Interface (TDI) Log
To enable debug logging for TDI:
1. Add the following data in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\tmtdi\Parameters:
Key 1
• Type: DWORD value (REG_DWORD)
• Name: Debug
• Value: 1111 (Hexadecimal)
Key 2
• Type: String value (REG_SZ)
• Name: LogFile
• Value: C:\tmtdi.log
2. Restart the computer.
3. Check tmtdi.log in C:\.
To disable debug logging for TDI:
1.
Contacting Trend Micro
Technical Support
Trend Micro provides technical support, pattern downloads, and program updates for one year to all registered users, after which you must purchase renewal maintenance. If you need help or just have a question, please feel free to contact us. We also welcome your comments.
Trend Micro Incorporated provides worldwide support to all registered users.
• Get a list of the worldwide support offices at: http://www.trendmicro.
Speeding Up Your Support Call
When you contact Trend Micro, to speed up your problem resolution, ensure that you have the following details available:
• Microsoft Windows and Service Pack versions
• Network type
• Computer brand, model, and any additional hardware connected to your computer
• Amount of memory and free hard disk space on your computer
• Detailed description of the install environment
• Exact text of any error message given
• Ste
TrendLabs

TrendLabs℠ is the global antivirus research and support center of Trend Micro. Located on three continents, TrendLabs has a staff of more than 250 researchers and engineers who operate around the clock to provide you, and every Trend Micro customer, with service and support.
Sending Suspicious Files to Trend Micro

If you think you have an infected file but the scan engine does not detect it or cannot clean it, Trend Micro encourages you to send the suspect file to us. For more information, refer to the following site: http://subwiz.trendmicro.
Appendix A

Glossary

ActiveUpdate
ActiveUpdate is a function common to many Trend Micro products. Connected to the Trend Micro update Web site, ActiveUpdate provides up-to-date downloads of pattern files, scan engines, programs, and other Trend Micro component files through the Internet.

Compressed File
A single file containing one or more separate files plus information for extraction by a suitable program, such as WinZip.
Denial of Service Attack
A Denial of Service (DoS) attack refers to an attack on a computer or network that causes a loss of "service", namely a network connection. Typically, DoS attacks negatively affect network bandwidth or overload system resources such as the computer’s memory.

DHCP
Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices in a network.
End User License Agreement
An End User License Agreement or EULA is a legal contract between a software publisher and the software user. It typically outlines restrictions on the side of the user, who can refuse to enter into the agreement by not clicking "I accept" during installation. Clicking "I do not accept" will, of course, end the installation of the software product.
HTTP
Hypertext Transfer Protocol (HTTP) is a standard protocol used for transporting Web pages (including graphics and multimedia content) from a server to a client over the Internet.

HTTPS
Hypertext Transfer Protocol using Secure Socket Layer (SSL). HTTPS is a variant of HTTP used for handling secure transactions.
IntelliTrap
Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering the network by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting or cleaning) files when you enable IntelliTrap.
MCP Agent
Trend Micro Management Communication Protocol (MCP) is Trend Micro's next generation agent for managed products. MCP replaces Trend Micro Management Infrastructure (TMI) as the way Control Manager communicates with OfficeScan.
query or log transmission. To reduce the network impact, the MCP agent keeps connection alive and open as much as possible. A subsequent request uses an existing open connection. If the connection breaks, all SSL connections to the same host benefit from session ID cache that drastically reduces re-connection time.

Patch
A patch is a group of hot fixes and security patches that solve multiple program issues. Trend Micro makes patches available on a regular basis.
POP3
Post Office Protocol 3 (POP3) is a standard protocol for storing and transporting email messages from a server to a client email application.

Proxy Server
A proxy server is a World Wide Web server which accepts URLs with a special prefix, used to fetch documents from either a local cache or a remote server, then returns the URL to the requester.
SNMP Trap
A Simple Network Management Protocol (SNMP) trap is a method of sending notifications to network administrators who use management consoles that support this protocol. OfficeScan can store notifications in Management Information Bases (MIBs). You can use the MIBs browser to view SNMP trap notifications. OfficeScan, however, does not maintain a local MIB file.
SSL
Secure Socket Layer (SSL) is a protocol designed by Netscape for providing data security layered between application protocols (such as HTTP, Telnet, or FTP) and TCP/IP. This security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

SSL Certificate
This digital certificate establishes secure HTTPS communication.
Trojan Port
Trojan ports are commonly used by Trojan horse programs to connect to a computer. During an outbreak, OfficeScan blocks the following port numbers that Trojan programs may use:

TABLE A-49.
TABLE A-49. Trojan ports (Continued)

PORT NUMBER   TROJAN HORSE PROGRAM   PORT NUMBER   TROJAN HORSE PROGRAM
6267          GW Girl                6711          Sub Seven
25            Jesrto                 6776          Sub Seven
25685         Moon Pie               27374         Sub Seven
68            Mspy                   6400          Thing
1120          Net Bus                12345         Valvo line
7300          Net Spy                1234          Valvo line

Trusted Port
The server and the client use trusted ports to communicate with each other.
To determine the trusted ports:
1. Access \PCCSRV.
2. Open the ofcscan.ini file using a text editor such as Notepad.
3. For the server trusted port, search for the string "Master_DomainPort" and then check the value next to it. For example, if the string appears as Master_DomainPort=80, this means that the trusted port on the server is port 80.
4. For the client trusted port, search for the string "Client_LocalServer_Port" and then check the value next to it.
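The lookup in steps 3 and 4, automated as an added example (not part of the Trend Micro guide): the script scans the text of ofcscan.ini for the two keys, validates the values as port numbers, and flags a trusted port that also appears in the part of Table A-49 shown on this page, since the guide says OfficeScan blocks those ports during an outbreak. The function name, the sample file contents and its section names are assumptions constructed for illustration.

```python
import re

# Ports from the part of Table A-49 reproduced on this page (partial list).
TROJAN_PORTS = {
    6267: "GW Girl", 25: "Jesrto", 25685: "Moon Pie", 68: "Mspy",
    1120: "Net Bus", 7300: "Net Spy", 6711: "Sub Seven", 6776: "Sub Seven",
    27374: "Sub Seven", 6400: "Thing", 12345: "Valvo line", 1234: "Valvo line",
}
# ofcscan.ini keys named in the procedure, mapped to the side they describe.
KEYS = {"master_domainport": "server", "client_localserver_port": "client"}
LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def trusted_ports(ini_text):
    """Return ({'server': port|None, 'client': port|None}, [problem strings])."""
    ports = {"server": None, "client": None}
    problems = []
    for n, raw in enumerate(ini_text.splitlines(), 1):
        if raw.lstrip().startswith((";", "#")):  # skip commented-out settings
            continue
        m = LINE.match(raw)
        if not m or m.group(1).lower() not in KEYS:
            continue
        role, value = KEYS[m.group(1).lower()], m.group(2)
        if not re.fullmatch(r"\d{1,5}", value) or not 1 <= int(value) <= 65535:
            problems.append(f"line {n}: {m.group(1)}={value!r} is not a valid port")
            continue
        if ports[role] is not None and ports[role] != int(value):
            problems.append(f"line {n}: {m.group(1)} set twice with different values")
        ports[role] = int(value)
    for role, port in ports.items():
        if port is None:
            problems.append(f"{role} trusted port not found")
        elif port in TROJAN_PORTS:
            problems.append(f"{role} trusted port {port} is also a listed "
                            f"Trojan port ({TROJAN_PORTS[port]})")
    return ports, problems

# Constructed sample, not a real ofcscan.ini; section names are placeholders.
SAMPLE = """\
[ServerSection]
Master_DomainPort=80
; Client_LocalServer_Port=1234
[ClientSection]
Client_LocalServer_Port = 12345
"""

if __name__ == "__main__":
    ports, problems = trusted_ports(SAMPLE)
    print(ports)
    for p in problems: print("WARNING:", p)
```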
Files Infected with Worms
A computer worm is a self-contained program (or set of programs) able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place through network connections or email attachments. Worms are uncleanable because the file is a self-contained program.

Solution: Trend Micro recommends deleting worms.
3. Open the command prompt, and type the following to delete the files:
   cd \
   cd recycled
   del *.* /S
   The last command deletes all files in the Recycle Bin.
4. Check if the files were removed.

For computers running other operating systems (or NT platforms without NTFS), perform the following steps:
1. Restart the computer in MS-DOS mode.
2. Open a command prompt, and type the following to delete the files:
   cd \
   cd recycled
   del *.* /S
   The last command deletes all files in the Recycle Bin.
3.
3. If the infected file is in the Windows Temp folder:
   a. Open the command prompt and go to the Windows Temp folder (located at C:\Windows\Temp for Windows XP/Server 2003 computers and at C:\WinNT\Temp for Windows NT/2000 computers by default).
   b. Type the following to delete the files:
      cd temp
      attrib -h
      del *.* /S
      The last command deletes all files in the Windows Temp folder.
4. If the infected file is in the Internet Explorer temporary folder:
   a.
For computers running other operating systems (or those without NTFS):
1. Restart the computer in MS-DOS mode.
2. If the infected file is in the Windows Temp folder:
   a. At the command prompt, go to the Windows Temp folder. The default Windows Temp folder in Windows XP/Server 2003 is C:\Windows\Temp. The default Windows Temp folder in Windows 2000 is C:\WinNT\Temp.
   b. Open the command prompt, and type the following to delete the files:
      cd temp
      attrib -h
      del *.