OfficeScan Best Practice Guide


Information in this document is subject to change without notice. The names of companies, products, people,
characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual,
company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility
of the user.
Copyright © 2015 Trend Micro Incorporated. All rights reserved.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the
express prior written consent of Trend Micro Incorporated.
All other brand and product names are trademarks or registered trademarks of their respective companies or
organizations.
Released: September 2015



There are four major OSCE environment components that should be identified when designing the
deployment. Each component is described below.
OfficeScan Server: A server that provides the OSCE management console and stores
information in a local CodeBase® database, or a local or remote SQL. It uses standard HTTP or HTTPS
protocols for communication and for managed agent updates. The three basic functions of an OfficeScan
server are:

Agent configuration (Privileges and Policy settings)

Program, scan engine, and virus pattern file update provider

Centralized logs, report, and quarantine functionality
OfficeScan Agent: A host reporting to a particular OSCE server. It can be configured to get
update information from an OfficeScan server, an update agent, or directly from the internet via Trend
Micro ActiveUpdate server. Moreover, the OfficeScan agent has the function to protect the system where
it is installed. It can be configured to use a standalone or Integrated Smart Protection Server for Smart
Scan instead of conventional scan. Through cloud technology, this method minimizes the total amount of
pattern download.
Update Agent: A regular OfficeScan agent that is designated to copy update information from an
OfficeScan server to distribute these information to other OfficeScan agents. Any OfficeScan agent can
be configured as an update agent using the OfficeScan server management console. OfficeScan agent IP
address ranges are then assigned to get update information from specific update agents. Update agents can
push component updates, setting updates, and program/hotfix updates to agents. Older agent versions can
receive program upgrades from OSCE 11.0 update agents as long as they report to the OSCE 11.0 update
agents.
Smart Protection Server (SPS): The Smart Protection Server provides the file reputation and
web reputation through a local cloud service. When users opt to employ Smart Scan technology, agents
send a query to SPS in their scanning files. When they use web reputation protection, agents send URLs to
SPS. Thus, SPS works as a local file reputation server and as a local web rating server as well.
These are the two types of Smart Protection Server:

Integrated Smart Protection Server: Installed as part of the OfficeScan server,
Integrated Smart Protection Server is managed through OfficeScan management console.

Standalone Smart Protection Server: This server is installed on a VMware or Hyper-V
host.

The following sections show the recommended software and hardware specifications for an
OfficeScan environment.
For the full list of minimum system requirements, refer to the Installation and Deployment Guide
or OfficeScan Readme. For the recommended set up based on number of agents, check the sizing
section in Chapter 3.
The OfficeScan agent with the best available resources at a particular site should be designated as
an update agent. Since this agent will serve updates to the other agents in the remote office, it
must be reliable. This can be a domain controller on the site, a file server, print server, or any type
of server that is always online. To serve its function, this agent should have an additional 700 MB
of free disk space for engines and patterns storage, an additional 160 MB for programs/hot fix
updates, and an additional 20 KB for every domain setting updates. Minimum requirements for
update agents should follow the minimum hardware requirements of OfficeScan agents.

The minimum hardware specifications for this server are the same as the recommended
requirements for the OfficeScan server.
The minimum hardware specifications for standalone Smart Protection Server:

Dual 2.0 GHz Intel Core 2 Duo 64-bit processor supporting Intel Virtualization
Technology, or equivalent

2 GB of RAM

30 GB for virtualization requirements (35 GB recommended)



Microsoft Windows Server 2003 (Standard, Enterprise, and Datacenter Editions) with Service
Pack 2 or later, 32-bit and 64-bit versions

Microsoft Windows Server 2003 R2 (Standard, Enterprise, and Datacenter Editions) with
Service Pack 2 or later, 32-bit and 64-bit versions

Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise, and Workgroup
Editions) with Service Pack 2, 32-bit and 64-bit versions

Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise and Workgroup
Editions) with Service Pack 2, 32-bit and 64-bit versions

Microsoft Windows Compute Cluster Server 2003

Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, and Web Editions) with
Service Pack 1 or 2, 32-bit and 64-bit versions

Windows Server 2008 R2 (Standard, Enterprise, Datacenter, and Web Editions), 64-bit
version

Windows Storage Server 2008 (Basic, Standard and Enterprise Edition), 32-bit version

Windows Storage Server 2008 (Basic, Standard, Enterprise and Workgroup Edition), 64-bit
version

Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup Editions), 64bit version

Microsoft Windows HPC Server 2008, 32-bit and 64-bit versions

Microsoft Windows HPC Server 2008 R2, 64-bit version

Windows MultiPoint Server 2010, 64-bit version

Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit version

Windows Server 2012 (Standard and Datacenter Editions), 64-bit version

Windows Server 2012 R2 (Standard and Datacenter Editions), 64-bit version

Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit version

Windows Storage Server 2012 (Standard and Workgroup Editions), 64-bit version


OfficeScan supports server installation on guest operating systems hosted on the following
virtualization applications:

ESX/ESXi Server (Server Edition) 3.5, 4.0, 4.1, 5.0, 5.15.x

Server (Server Edition) 1.0.3, 2

Workstation and Workstation ACE Edition 7.0, 7.1, 8.0, 9.0

vCenterTM 4, 4.1, 5.0, 5.1,5.5

ViewTM 4.5, 5.0, 5.1

XenDesktop 5.0, 5.5, 5.6, 7.0

XenServer 5.5, 5.6, 6.0, 6.1, 6.2

XenApp 4.5, 5.0, 6.0, 6.5

XenClient 2.1

VDI-in-a-Box 5.1

Windows Server 2008 64-bit Hyper-V

Windows Server 2008 R2 64-bit Hyper-V

Hyper-V Server 2008 64-bit

Hyper-V Server 2008 R2 64-bit

Windows 8 Pro/Enterprise 64-bit Hyper-V

Windows 8.1 Pro/Enterprise 64-bit Hyper-V

Windows Server 2012 64-bit Hyper-V

Windows Server 2012 R2 64-bit Hyper-V



Microsoft Windows XP (Home, Professional, Professional for Embedded Systems Editions, and
Tablet PC) with Service Pack 3, 32-bit version

Microsoft Windows XP Professional with Service Pack 2, 64-bit version

Microsoft Windows Vista (Business, Enterprise, Ultimate, Home Premium, Home Basic, Business
for Embedded Systems, and Ultimate for Embedded Systems) with Service Pack 1 or Service Pack
2, 32-bit and 64-bit versions

Microsoft Windows 7 (Home Basic, Home Premium, Ultimate, Professional, Enterprise,
Professional for Embedded Systems, and Ultimate for Embedded Systems) with or without
Service Pack 1, 32-bit and 64-bit versions

Microsoft Windows Embedded POSReady 2009, 32-bit version

Microsoft Windows Embedded POSReady 7, 32-bit and 64-bit versions

Microsoft Windows 8 (Standard, Pro, and Enterprise Editions), 32-bit and 64-bit versions

Microsoft Windows 8.1 (Standard, Pro, and Enterprise Editions), 32-bit and 64-bit versions

Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter, and Web Editions) with
Service Pack 2, 32-bit and 64-bit version

Microsoft Windows Server 2003 R2 (Standard, Enterprise, and Datacenter) with Service Pack 2,
32-bit and 64-bit versions

Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise, and Workgroup) with
Service Pack 2, 32-bit and 64-bit versions

Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise, and Workgroup) with
Service Pack 2, 32-bit and 64-bit versions

Microsoft Windows Compute Cluster Server 2003 (Active/Passive), 32-bit and 64-bit versions

Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, Web Editions, and Server
Core) with Service Pack 1 or Service Pack 2, 32-bit and 64-bit versions

Microsoft Windows Storage Server 2008 (Basic Edition), 32-bit and 64-bit versions

Microsoft Windows Storage Server 2008 (Standard, Enterprise, and Workgroup Editions) with or
without Service Pack 1, 64-bit version

Microsoft Windows Server 2008 R2 (Standard, Enterprise, Datacenter, Web Editions, and Server
Core), 64-bit version

Microsoft Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup
Editions), 64-bit version

Microsoft Windows HPC Server 2008, 32-bit and 64-bit versions

Microsoft Windows HPC Server 2008 R2, 64-bit version

Microsoft Windows Server 2008 Failover Clusters (Active/Passive), 32-bit and 64-bit versions


Microsoft Windows Server 2008 R2 Failover Clusters (Active/Passive), 64-bit version

Microsoft Windows MultiPoint Server 2010, 64-bit version

Microsoft Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit
version

Microsoft Windows Server 2012 (Standard, Datacenter, and Server Core Editions), 64-bit
version

Microsoft Windows Storage Server 2012 (Workgroup and Standard Editions), 64-bit
version

Microsoft Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit
version

Microsoft Windows Server 2012 Failover Clusters, 64-bit version

Microsoft Windows Server 2012 R2 (Standard, Datacenter, and Server Core Editions), 64bit version

The administrator will not be able to remotely install OfficeScan agent to Windows 7 x86
platforms without enabling the default administrator account. Use the systematic guide below to
resolve this issue:
1. Enable the Remote Registry service on the Windows 7 machine. By default, Windows 7
machines disable this feature.
2. Use the domain administrator account to remotely install OfficeScan 10.6 Service Pack 1
agents into Windows 7 computers. As another option, use the default administrator
account:
a.
Type the “net user administrator/active: yes” command on the command
console to enable the default administrator account.
b. Use the default administrator account to remotely install the OfficeScan agent
into the Windows 7 machine.
Smart Protection Server has the following virtualization platform requirements:

VMware ESX 4.1 Update 1

VMware ESX 4.0 Update 3

VMware ESX 3.5 Update 4

VMware ESXi 5.5


VMware ESXi 5.1 Update 1

VMware ESXi 5.0 Update 3

VMware ESXi 4.1 Update 1

VMware ESXi 4.0 Update 3

Microsoft Windows Server 2008 R2 with Hyper-V

Microsoft Windows Server 2012 with Hyper-V

Citrix XenServer 6.2, 6.0, 5.6

The following requirements are recommended for Trend Micro Smart Protection Server as a virtual
machine:

If you are using VMware, use CentOS 5 64-bit (Guest Operating System).

If you are using a VMware version, such as 3.5 and 4.0, that does not support CentOS, use Red
Hat® Enterprise Linux® 5 64-bit.

If you are using Citrix XenServer, create a new virtual machine using the “Other install media”
template.

If you are using Hyper-V, create a new virtual machine and add a Legacy Network Adapter.

Allocate at least 2 GB RAM and two (2) virtual processors for the virtual machine.

Create a new virtual disk image that will be sufficient for the logging requirements (specify at
least 30 GB of disk space).

Allocate one (1) physical network card for the virtual switch where Trend Micro Smart
Protection Server is connected.


Account
Administrator or domain admin account to log-in to target hosts for installation
Ports
NetBIOS (445, 137,138,139) for NT Remote Install
OfficeScan agent port, which is defined during OfficeScan server installation and is
saved under Client_LocalServer_Port parameter on Ofcscan.ini
OfficeScan virtual directory port as defined in Apache or IIS. This value needs to be
consistent with what is defined in the OfficeScan management console under
Administration > Settings > Agent Connection Settings > Port
Bandwidth
Approximately 50 MB, which may vary depending on current virus pattern file size
Others
Remote Registry service is enabled on target host
System partition of the target host is administratively shared (C$)
Windows XP Simple File Sharing must be disabled on the agent machines. SFS is a
Microsoft feature that forces all network connections to login as guest even if
alternative credentials are provided. When SFS is enabled, OSCE cannot login to the
machine using the credentials specified, so the installation fails. SFS can be disabled
via GPO or a registry hack. It can be individually disabled in the target machines
under My Computer > Tools > Folder Options > View > Use Simple File Sharing
(Recommended) option.
The OfficeScan server may receive and establish multiple HTTP sessions to communicate with its
agents. The TCP properties of Windows can be modified to prevent delays and slowdowns caused
by TCP time-wait accumulation and port exhaustion.
Add or modify the following registry keys to improve TCP performance:
Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
Data type: REG_DWORD
Default value: 5000
Range: 5,000 - 65,534 (port number)
Purpose: Determines the highest port number TCP can assign when an application requests
an available user port from the system
Trend Recommendation: 65,534

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
Data type: REG_DWORD
Default value: 0xF0 (240 seconds = 4 minutes)
Range: 0x1E 0x12C (30–300 seconds)
Purpose: Determines the time that must elapse before TCP can release a closed connection and
reuse its resources
Trend Recommendation: 30

The OfficeScan server uses either Apache or Windows IIS to communicate with its agents. The
application’s CGI timeout can be increased to allow more time for the server and agent communication.
The Remote Install deployment method is dependent on this timeout as well. Copying the installation files
over a slow link may cause installation failures.
To modify IIS CGI settings, download and install MetaEdit or Metabase Explorer depending on the
version of IIS in use.
For Microsoft IIS 6
1. Download the Metabase Explorer from
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628ade629c89499&DisplayLang=en.
2. Install MetaEdit or Metabase Explorer.
3. For MetaEdit, navigate to Start > All Programs > Administrative Tools > MetaEdit.
For Metabase Explorer, go to Start > All Programs > IIS Resources > Metabase Explorer.
4. In the MetaEdit or Metabase Explorer console, locate the key [ LM | W3SVC | 6033 ]. This
corresponds to the CGITimeout key.
5. Double-click the 6033 key to edit its properties.
6. Set the data parameter to 3600.
7. Click OK to save changes.
8. Restart the World Wide Web Publishing Service.

For Microsoft IIS 7 on Windows 2008

1. Download and install the Microsoft Administration Pack for IIS 7.0 using this link:
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1682
As an option, use the default IIS Manager that comes with IIS 7.0.
2. Open the IIS Manager.
3. In Connections view, select the server and select the OfficeScan site.
4. In Features view, double-click CGI.
5. Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER,
and click Apply.
For Microsoft IIS 7.5, 8.0, 8.5
1. Open the IIS Manager.
2. In the Connections view, select the server and select the OfficeScan site.
3. In Features view, double-click CGI.
4. Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER,
and click Apply.
Apache
Follow the procedure below to modify the Apache’s CGI timeout:
1. Open <drive>: \Program Files\Trend Micro\OfficeScan\PCCSRV\apache2\conf
\httpd.conf configuration file.
2. Set Timeout 300 to Timeout 600.
3. Restart the Apache service.


The following are recommended permission settings to the OfficeScan folders and files. These are
already set as default during installation:
There are times when the permission might have been changed accidentally.
To reset the permissions back to default:
1. Open the command prompt.
2. Browse to the OfficeScan Server’s PCCSRV folder (i.e drive:\Program Files\Trend
Micro\OfficeScan\PCCSRV).
3. Run the following command:
SVRSVCSETUP.EXE –setprivilege

OfficeScan 11.0 enhances the server-agent communications by authenticating the notifications
and data sent in order to protect against man-in-the-middle attacks. Authentication is
implemented using a public-key infrastructure (PKI) where the agent only accepts commands
from a trusted server.

To perform authentication, OfficeScan server signs its data using a private key while the
OfficeScan agent decrypts this data using a public key. These keys are uniquely generated during
the installation or upgrade of any OfficeScan server.
If for some reason, the OfficeScan server and agents have mismatched keys, agents will reject the
notification from this server. This may happen if the OfficeScan server had an irrecoverable crash
and needs to be replaced.

To simplify the management of keys regarding OfficeScan encrypted communication:

When managing multiple OfficeScan servers, it is recommended to use one key for all to
simplify and lessen the complexity in management.

On the original OfficeScan server, keep a secure copy of the key (C:\Program
Files\Trend Micro\OfficeScan\AuthCertBackup\OfficeScanAuth.dat). Whenever you
upgrade or install an OfficeScan 11.0 server, import the same file.

For more details on generating and restoring certificates, refer to OfficeScan 11.0 Admin
Guide: http://docs.trendmicro.com/all/ent/officescan/v11.0/en-us/osce_11.0_ag.pdf.

OfficeScan 11.0 has new features that will assist the user in migration or upgrade.
Hot Fix Detection: When upgrading from a previous OfficeScan server version, installation process will
check and prompt you for hot fixes that are currently installed, but are not merged to OfficeScan 11.0.

If you see the pop-up message above, review the hotfix list under ...\PCCSRV\TEMP\RollbackHotfix.txt.
If you have important hotfixes in the list, you can consider delaying the upgrade, or requesting for an
OfficeScan 11.0 equivalent hot fix(es) before proceeding.
Patch Availability Notifications: OfficeScan 11.0 will prompt new updates that are available. It is
advisable to update to the latest patch or service pack once available on the management console.


The recommendations below can be used as a guideline to determine the location and number of
OfficeScan servers needed to effectively manage the LAN or WAN.
A single OfficeScan server can manage up to 30,000 agents depending on the machine
specifications. Below is a quick summary.
Recommended Setups
CPU: 4 Cores
RAM: 8 GB
CPU: 8 Cores
RAM: 16 GB
CPU: 12 Cores*
RAM: 32 GB
10,000
15,000
15,000
15,000
20,000
20,000
15,000
20,000
30,000
All in one Server
(OSCE+iSPS+CodeBase)
(2 Servers)
OSCE with iSPS + SQL(standalone)
(3 Servers)
OSCE + TMSPS + SQL(standalone)


Another point for consideration is the database size. Depending on the number of logs generated, disk
space usage increases as well.
Here is a quick reference for SQL database size given the certain number of logs and agent counts:

The table above helps to determine the initial database size of OfficeScan. These estimates are based on
following assumptions:

Default log maintenance is applied while the log deletion is performed on 7-day older logs on a
weekly basis.

Behavior Monitoring and DLP features are enabled.

The above log types are generally major contributors in terms of the log count and data sizes.
OfficeScan servers that manage agents across the WAN is recommended to be installed on sites with the
healthiest bandwidth, which are typically datacenters or head offices.
Consider installing a local OfficeScan server for sites with approximately 500 or more agents. This is highly
recommended if the WAN bandwidth is limited for a particular site.

An update agent is a regular OfficeScan agent that is designated to replicate update information
from an OfficeScan server for the purpose of distributing the update information to other
OfficeScan agents.
Here is a reference on the number of agents that an update agent can handle:


This table can be used as a template to scope the different sites and generate architecture proposal:

Smart Protection Servers are placed in the local network, making them available to users who have
access to their local corporate network. These servers are designed to localize operations within
the corporate network to optimize efficiency. This network-based solution hosts majority of the
malware pattern definitions and web reputation scores. The Smart Protection Server makes these
definitions available to other endpoints on the network for verifying potential threats.
Queries are only sent to Smart Protection Servers if the risk of the file or URL cannot be
determined at the endpoint.
Endpoints leverage file reputation and web reputation technology to query the Smart Protection
Servers and Trend Micro Smart Protection Network as part of their regular system protection
activities. In this solution, agents only send identification details determined by Trend Micro
technology to Smart Protection Servers. Agents never send the entire file when using file
reputation technology. Risk is determined using the file identification details only.
The integrated Smart Protection Server can be pre-installed in the OfficeScan server if the user
included it during the OfficeScan server installation. These are the main reasons to install a
Standalone Smart Protection Server:

If the number of smart agents is more than 20,000

If they don’t want to use Integrated Smart Protection Server
Load can be distributed by adding more Standalone Smart Protection Servers. Check the load
balancing section below for more details:

If the latency is huge between the branch office and the main office, it is recommended to install a
Standalone Smart Protection Server on the branch office. If the Standalone Smart Protection Server
cannot be installed, or there is no available hardware, it is best to switch the agents to conventional scan.

Below are the hardware specifications used to install virtualization platforms and the guest virtual machine
resource allocation for the Standalone Smart Protection Server:

The following table and graph show the number of agents handled by an individual Standalone
Smart Protection Server meeting these performance criteria:

Average latency time is less than 100 ms (0.1 second)

Total HTTP request failed rate is under 0.05%

Total mean value of CPU usage is under 80%
The amount of endpoints shows the maximum supported iCRC v2.0 agents for one (1) TMSPS,
taking into consideration that there are two (2) other TMSPS with the same load running within
the same virtualized host.
The transaction rate is the sum of the FRS transaction rate and the WRS transaction rate per
second.


The performance of TMSPS 3.0 has improved dramatically compared to the previous version. TMSPS 3.0
has increased the scalability by reducing the traffic between agents and TMSPS. Under the same test
scenario, with three (3) TMSPS running on the same host, it could support more than twice the number of
agents compared to the previous release, TMSPS 2.5.
For organizations desiring the maximum transaction rate from FRS and WRS and can accept 100% of
CPU usage, the CPU capability becomes the bottleneck.
Disk I/O speed is another important factor. Currently, the pattern updates will cause a lot of disk I/O
operations. Therefore, if the customer’s environment uses external storage and shares the disk I/O
bandwidth with many other VMs (or the disk I/O bandwidth is poor), the overall performance may suffer.
The disk could be monitored using performance counter provided by virtualization platform. The ESXi
Server provides the following disk-related performance counters:

Kernel Latency: 0-1 ms is ideal. If > 4 ms, check the CPU usage and queue latency

Device Latency: If > 15 ms, check for a storage array problem

Queue Latency: 0 ms is ideal. If > 0 ms, check the storage array

If the TMSPS virtual machine shares resources with many other VMs on the same VM host, then
TMSPS must compete with other VMs for disk I/O, network traffic, CPU, and memory. TMSPS
performance will suffer as a result.
Despite the competition for resources, hypervisors from different vendors can deliver different
performance. This might be caused by emulated device drivers that are required to provide an
interface between the physical hardware and the virtual machine. Generally speaking, TMSPS
running on ESXi server has the best performance, compared to Xen Server and Hyper-V.
Smart Protection Servers can be setup in order to achieve load balancing. Load balancing will help
ensure that HTTP requests are distributed among the Smart Protection Servers.
There are two (2) ways to achieve load balancing using the OfficeScan web console:

Random –OfficeScan agent randomly chooses a Smart Protection Server from the Smart
Protection Server list.

Based on IP range – OfficeScan agent connects to its assigned server from the Smart
Protection Server list.

Smart Protection Servers should always be installed in redundant pairs to avoid WAN saturation during a
hardware failure.
Initial scans require more requests to the Smart Protection Server. Agents should set their first scheduled
scan in phases, especially when their Smart Protection Server is centrally located. Running scheduled scans
in batches will increase capacity and normalize iCRC network utilization.
Use this table as a guideline to determine how many Smart Protection Server you need inside your
environment. Even when one (1) Smart Protection Server is more than enough to cater to all agents, it is
still a best practice to install at least two (2) standalone Smart Protection Server for redundancy and load
balancing purposes.
One of the new features in OfficeScan 11.0 is the ability to migrate an existing database (CodeBase) to an
SQL server database. This is done using the SQL Server Migration tool.
The migration tool currently supports three (3) types of migrations:

OfficeScan CodeBase database to new SQL Server express database


OfficeScan CodeBase database to a pre-existing SQL server database

OfficeScan SQL database (previously migrated) that was moved to another location

When you choose to migrate to a new SQL server express database, note that OfficeScan will
install SQL Server 2008 R2 SP2 Express. This is required to be installed in a Windows 2003 or
Windows 2008 SP2 server. Installing it on a Windows 2003 SP1 server would result in failure.
Refer to this Microsoft article for more details: http://msdn.microsoft.com/enus/library/ms143506(v=sql.105).aspx
OfficeScan 11.0 supports both SQL 2008 and SQL 2012. For SQL 2008, note that
Microsoft .NET Framework 3.5 SP1 is required and that Microsoft .NET Framework 4.0 is not
compatible with SQL Server 2008.
Microsoft SQL server cannot be installed on Domain Controller machines. Consider this before
choosing the server to install the database or OfficeScan. For more information, refer to this link:
http://support.microsoft.com/kb/2032911.
“User Account Control” needs to be turned off before running the SQL migration tool on
Windows Server 2008 or later, when using Windows Authentication credentials. Refer to this
article for more details on disabling this option: http://windows.microsoft.com/enus/windows/turn-user-account-control-on-off#1TC=windows-7.
Make sure that the OfficeScan Master Service is not running using the same domain user account
used to log on to the SQL server. This could cause the service to fail in starting after the
migration.
Back up the existing OfficeScan CodeBase database for recovery in case there are problems
encountered during the migration. Refer to this article for more details:
http://esupport.trendmicro.com/solution/en-US/1039284.aspx
OfficeScan automatically creates the new database on the SQL server, there is no need to precreate a blank database.
Make sure to click the Test Connection option on the SQL migration tool before proceeding. This
confirms that the settings entered are correct and verifies that the connection is possible.
When using the Windows Account to log on to the server:
For a default domain administrator account
User name format: domain_name\administrator
The account requires the following:
•
Groups: Administrators Group
•
User roles: Log on as a service and Log on as a batch job
•
Database roles: dbcreator, bulkadmin, and db_owner

For a domain user account
User name format: domain_name\user_name
The account requires the following:
•
Groups: Administrators Group and Domain Admins
•
User roles: Log on as a service and Log on as a batch job
•
Database roles: dbcreator, bulkadmin, and db_owner
To verify the type of database used, check the ofcserver.ini file under the OfficeScan server’s Private
directory (Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private).
Look for [INI_DBE_ENGINE_SECTION] and note the value defined for DBE_ENGINE.
DBE_ENGINE=1001
; CodeBase
DBE_ENGINE=1002
; SQL Server
When opting to use the Integrated Smart Protection Server, make sure that it is actually installed and
running. If the Integrated Smart Protection Server is not properly installed, Smart Scan agents disconnect
and cannot utilize the cloud technology properly.
The integrated server is intended for mid-scale deployments of OfficeScan, in which the number of agents
does not exceed 20,000. For larger deployments, the standalone Smart Protection Server is recommended.
In OfficeScan11.0, the Integrated Smart Protection Server (ISPS) ports have changed. Note the new ports
used below:

Make sure the setting “Do not save encrypted pages to disk” is not enabled in IE in order to
check for whether Integrated Smart Protection Server is running or not.
After checking the setting above, type the URL below into your browser:
https://OfficeScan_server:port/tmcss/?LCRC=08000000BCB3080092000080C4F01936DD
430000
You should see the following pop-up window, which will confirm that the Integrated Smart
Protection Server is running.

Ensure that OfficeScan agents can query at least two (2) scan servers. This prevents having a single point
of failure in the event that the Smart Protection Server is unreachable. In order to take full advantage of
the cloud technology, all agents must be online and connected to a Smart Protection Server.
To add Smart Protection Servers:
1. Go to Administration > Smart Protection > Smart Protection Sources.
2. Choose Internal Agents tab and select the standard list or custom list based on IP address.
3. Click Notify All Agents to push this setting.
Because the integrated server and the OfficeScan server run on the same computer, the computer’s
performance may reduce significantly during peak traffic. When possible, consider using a standalone
Smart Protection Server as the primary source for agents and the integrated server as a backup.
Do not use Smart Scan as the default scanning method at the root level. Always use Conventional
Scan as the root level scanning method. When selecting OfficeScan agents to use Smart Scan, always
choose a regular domain instead of a root level. If the root level is defined to use the Smart Scan method,
and if it is placed in a domain where it uses Conventional Scan, it will download Conventional Scan
components.
Make sure Computer Location settings have correct settings defined. Computer Location setting can be
reached under Agents > Endpoint Location.
The default setting is “Agent connection status”. This means that OfficeScan agents use the reference
server list defined to determine if it is an external or internal agent.
An agent that can connect to the OfficeScan server or any of the reference servers listed, is recognized as
internal agent. Therefore, this agent connects to the Smart Protection Server defined under Internal
Agents for Smart Protection Sources.
If a connection cannot be established, the agent is classified as an external agent. This agent uses the
settings set under External Agents for Smart Protection Sources. By default, external agent uses the global
Smart Protection Network (https://osce11.icrc.trendmicro.com/tmcss).
If Gateway IP address setting is applied, and the client computer’s gateway IP address matches any of the
gateway IP addresses specified on the Endpoint Location screen, the computer’s location will be classified
as internal. Otherwise, the computer’s location is external.

Optimize the performance of Smart Protection Servers by doing the following:
•
Avoid performing Manual Scans and Scheduled Scans simultaneously. Stagger the scans in
groups.
•
Avoid configuring all endpoints from performing Scan Now simultaneously.
•
Customize Smart Protection Servers for slower network connections, about 512Kbps, by
making changes to the ptngrowth.ini file.
1. Open the ptngrowth.ini file in <Server installation folder>\PCCSRV\WSS\.
2. Modify the ptngrowth.ini file using the recommended values below:
[COOLDOWN]
ENABLE=1
MAX_UPDATE_CONNECTION=1
UPDATE_WAIT_SECOND=360
3. Save the ptngrowth.ini file.
4. Restart the Trend Micro Smart Protection Server service.
Majority of the product default configurations provide substantial security with a consideration on
server or network performance. The information noted below are different recommendations,
and can be used as an additional reference to either enhance security or achieve better
performance.
The following notifications in the UI shows these features are turned off by default.

To turn on these features, administrators should go to Agents > Agent Management > Settings >
Additional Service Settings and enable the service for the feature they intend to use.

Administrators can enable the Unauthorized Change Prevention Service on a single server
platform through Additional Service Settings. Administrators can also enable or disable the
Unauthorized Change Prevention Service on workstations by selecting a root/domain/single
agent/multi-select agent.
To turn on this feature:
1. Enable the Unauthorized Change Prevention Service (TMBMSRV.EXE) to monitor the
process launch.
Path: Agents> Agent Management > Settings > Additional service settings >
Unauthorized Change Prevention Service.
2. Enable the Web Reputation (tmproxy.exe) to monitor the file download.
Path: Agents > Agent Management > Settings > Web Reputation Settings
Meerkat is used to prevent zero-day attack from a software program. It pops out a notification or
alert if a user downloads a zero-day program through HTTP channel or email applications and
then executes the program within 24 hours.

To enable the Meerkat function:
1. Go to Agent Management > Global Agent Settings > Behavior Monitoring Settings.
2. Check the option “Prompt users before executing newly encountered programs
downloaded through HTTP or email applications” and click Save.

Defer scan improves the performance of file copy operations. This feature is integrated with VSAPI
9.713 or higher version. Originally, OfficeScan’s scan engine performs two (2) scans during a file copy
operations. The defer scan option adds one file scanning into the scan queue, and defer the other file
scanning. File copy performance will improve by enabling this.
To enable defer scan function:
1. Navigate to Agent Management > Global Agent Setting > Scan Settings.
2. Select the option “Enable deferred scanning on file operations”.
3. Click Save.
Select an OfficeScan domain to run compliance report on the
agents to see which agents are incompatible with server. In
Scan Compliance view, specify one or both of the following:
Manual Report


SECURITY
COMPLIANCE
Number of days a agent has not performed Scan Now
or Scheduled Scan
Number of hours the remote or scheduled scan task has
been running
Enabled
Scheduled Report
Report can show status of OfficeScan agent services,
components, scan compliance, and settings to find
incompliant agents. This can be run on daily basis if needed.
Trend Micro recommends enabling on-demand assessment to
perform real-time queries for more accurate results. You can
also disable on-demand assessment wherein OfficeScan
queries the database instead of each agent. This option may
be quicker but produces less accurate results.

SECURITY
COMPLIANCE
The SMTP setting in notification page is needed for sending
the scheduled compliance report to user. Go to Notification
> Administrator Notifications > General Settings page, fill
out the fields SMTP server, Port number, and From in
Email Notification section and click Save.
Scheduled Report
Scan Compliance view uses the configuration that are used
to do manual assessment last time.
Define
Scope
UNMANAGED
Advanced
ENDPOINTS
Settings
Active
Directory
Scope
Select OU’s containing less than 1000 account of computers
for performance baseline, then increase and decrease the
number of computers according to performance.
IP Address
Scope
Choose an IP range to scan for unmanaged endpoints.
Specify
Ports
Make sure to add all OfficeScan server communication
ports.
Declare a
computer
unreachable
by checking
port
Port 135
Another port can be chosen but make sure it is a common
port that will be available on all the computers.
Enabled
Settings
Conventional Scan
SCAN
METHOD
Smart Scan
Enable scheduled query for once a week to find out agents
that do not have OfficeScan agent.
Conventional Scan leverages anti-malware and anti-spyware
components stored locally on endpoints.
Smart Scan now is default at the ROOT domain level. Smart
Scan method should be selected at the Domain level so this way if
a user installs a agent it is easier to move from conventional scan
to Smart scan.
Smart Scan leverages anti-malware and anti-spyware signatures
stored in-the-cloud.

Enabled
Selecting All Scannable Files improves security by only
scanning all known to potentially carry malicious code.
Using this setting also allows you to utilize True File Type
scanning.
Files to scan:
All Scannable
Scan Hidden
Folders
Enabled
Enabled
Scan Network
Drive
Scan
Settings
Enabled
Scan compressed
files
Scan OLE objects
MANUAL
SCAN
SETTINGS
This function is not needed if the remote PC already has
antivirus protection. Enabling this may cause redundant
scanning and performance issues.
Scanning within 2 layers is recommended. Increasing the
level may cause performance issues. Compressed files are
scanned in real-time when extracted.
Enabled
Scanning 3 layers is reasonable.
Enabled
Detect exploit
code in OLE files
Virus/Malware Settings only |
Scan Boot Area
This setting heuristically identifies malware by checking
Microsoft Office files for exploit code.
Enabled
Enabled
CPU Usage | Medium
Scan
Exclusions
Minimizes the slowdown of PCs when a scan is initiated.
It is not recommended to run manual scan during
working hours due to high CPU usage.
Enable Scan
Exclusion
Enabled
Apply scan
exclusion settings
to all scan types
Disabled
Exclude
directories where
Trend Micro
products are
installed
Enabled

Enabled
Use Active Action
Virus/
Malware
MANUAL
SCAN
SETTINGS
Damage
Cleanup
Services
Customize action
for probable
virus/malware
This setting will utilize the Trend Micro recommended
settings for each type of virus/malware.
Enabled
Select Quarantine to have the ability to restore any files
that are needed.
Back up files
before cleaning
Enabled
Advanced cleanup
Enabled
Run cleanup when
probable
virus/malware is
detected
Enabled
Spyware/Grayware | Clean
Enabled
Enable virus / malware scan
Enabled
Enable spyware / grayware scan
Enabled
Created/modified and retrieved
REALTIME
SCAN
SETTING
User Activity on Files | Scan
files being created/modified
and retrieved
In cases where the system is heavily accessed such as File
servers, it may be advisable to select Scan files being
created / modified but only use this option if the server
performance is affected.
Enabled
Files to scan | File types
scanned by Intelliscan
Selecting Intelliscan slightly improves performance by
only scanning types known to potentially carry malicious
code. Using this setting also allows you to utilize True
File Type scanning.

Scan floppy disk
during system
shutdown
Disabled
Scan Network
Drive
Enabled
Enabled
Scan
Settings
Scan Compressed
Files
Scanning 2 layers is reasonable. Increasing the level may
cause performance issues. Compressed files are scanned
in real-time when extracted.
Enabled
Scan OLE Objects
Scanning 3 layers is reasonable.
Enabled
REALTIME
SCAN
SETTING
Detect exploit
code in OLE files
This setting heuristically identifies malware by checking
Microsoft Office files for exploit code.
Enabled
Virus/Malware Scan Settings
Only | Enable Intellitrap
Scan
Exclusion
Turn off this setting on special cases if users regularly
exchange/access compressed executable files in real-time.
Enable Scan
Exclusion
Enabled
Apply scan
exclusion settings
to all scan types
Disabled
Exclude
directories where
Trend Micro
products are
installed
Enabled

Enabled
Use Active Action
Customize action
for probable
virus/malware
Virus/
Malware
Display a
notification
message on the
agent computer
when
virus/malware is
detected
Display a
notification
message on the
agent computer
when probable
virus/malware is
detected
REALTIME
SCAN
SETTING
This setting will utilize the Trend Micro recommended
settings for each type of virus/malware.
Enabled
Select Quarantine to be able to restore any files that are
needed
Disabled
Turn off this setting to avoid end users to see popup
messages, which can generate helpdesk calls.
Disabled
Turn off this setting to avoid end users to see popup
messages, which can generate helpdesk calls.
Back up files before
cleaning
Enabled
Damage Cleanup Services | Run
Cleanup when probable
virus/malware is detected
Enabled
Clean
Enabled
Spyware/
Grayware
Display a
notification
message on the
agent computer
when
virus/malware is
detected
Disabled
Turn off this setting to avoid end users to see popup
messages, which can generate helpdesk calls.

Enabled
Enable Virus / Malware Scan
Turn on Scheduled scan-to-scan systems on a
regular basis.
Enabled
Enable spyware/grayware scan
Turn on Scheduled scan to scan systems on a
regular basis
Schedule| Weekly on Friday
12pm
Suggested to scan during lunch time or after office
hours if machine remain turned on.
Enabled
Files to scan | All Scannable Files
Selecting All Scannable Files improves security by
only scanning all known to potentially carry
malicious code. Using this setting also allows you to
utilize True File Type scanning.
Enabled
SCHEDULED
SCAN
SETTINGS
Scan compressed
files
Scan
settings
Scanning 2 layers is reasonable. Increasing the level
may cause performance issues. Compressed files are
scanned in real-time when extracted.
Enabled
Scan OLE objects
Scanning 3 layers is reasonable.
Enabled
Detect exploit code
in OLE files
Virus/Malware Settings Only |
Scan Boot Area
This setting heuristically identifies malware by
checking Microsoft Office files for exploit code.
Enabled
Enabled
CPU Usage | Medium
Prevent slowdown of PCs when a scheduled scan
kicks off. Scan will finish longer if the setting is set
to Low.

Scan
Exclusions
Enable Scan Exclusion
Enabled
Apply scan exclusion
settings to all scan types
Disabled
Exclude directories where
Trend Micro products are
installed
Enabled
Enabled
Use Active Action
This setting will utilize the Trend Micro
recommended settings for each type of
virus/malware.
Enabled
Customize action for
probable virus/malware
SCHEDULED
SCAN
SETTINGS
Virus/
Malware
Display a notification
message on the agent
computer when
virus/malware is detected
Display a notification
message on the agent
computer when probable
virus/malware is detected
Damage
Cleanup
Services
Select Quarantine to be able to restore any
files that are needed
Disabled
Turn off this setting to avoid end users to
see pop-up messages which can generate
help desk calls.
Disabled
Turn off this setting to avoid end users to
see pop-up messages which can generate
help desk calls.
Back up files before
cleaning
Enabled
Advanced cleanup
Enabled
Run cleanup when
probable virus/malware
is detected
Enabled

SCHEDULED
SCAN
SETTINGS
Spyware/
Grayware
Clean
Enabled
Display a notification
message on the agent
computer when
virus/malware is
detected
Enabled
Turn off this setting to avoid end users to see
popup messages which can generate helpdesk
calls.
Enable Virus / Malware Scan
Enabled
Enable Spyware/Grayware Scan
Enabled
Enabled
Files to Scan | File Type scanned by
Intelliscan
Selecting Intelliscan slightly improves
performance by only scanning types known to
potentially carry malicious code. Using this
setting also allows you to utilize True File Type
scanning.
Enabled
Scan compressed files
SCAN NOW
SETTINGS
Scan
Settings
Scanning within 2 layers is recommended.
Increasing the level may cause performance
issues. Compressed files are scanned in realtime when extracted.
Enabled
Scan OLE objects
Scanning 3 layers is reasonable
Enabled
Detect exploit code in
OLE files
Virus/Malware Settings Only | Scan
Boot Area
This setting heuristically identifies malware by
checking Microsoft Office files for exploit
code.
Enabled
Enabled
CPU Usage |Medium
Minimizes the slowdown of PCs when a scan is
initiated. It is not recommended to run manual
scan during working hours due to high CPU
usage.

Scan
Exclusion
Enable Scan Exclusion
Enabled
Apply scan exclusion
settings to all scan types
Disabled
Exclude directories
where Trend Micro
products are installed
Enabled
Enabled
Use Active Action
SCAN NOW
SETTINGS
Virus/
Malware
Enabled
Customize action for
probable virus/malware
Damage
Cleanup
Services
UPDATE
AGENT
SETTINGS
This setting will utilize the Trend Micro
recommended settings for each type of
virus/malware.
Select Quarantine to be able to restore any files
that are needed
Advanced Cleanup
Enabled
Run cleanup when
probable virus/malware
is detected
Enabled
Spyware/Grayware |Clean
Enabled
OfficeScan agents can act as Update
Agent
Component Updates, Domain Settings, and
Agent programs and hotfixes should be
selected to take full advantage of Update
Agents to save bandwidth and to speed up
deployment.
Component Updates
Enabled
Domain Settings
Enabled
OfficeScan agent programs and hot
fixes
Enabled

Disabled
Roaming
Enable Scan Exclusion | Enable
Roaming mode
It is highly recommended to disable this
function as it will allow users to stop
communication between OfficeScan Server and
agent. This Roaming privilege allows users to
isolate their systems to avoid getting notified by
the server for scans or updates. This function
has nothing to do with the ability to update
when the machine is off the network, such as
taking a laptop home.
Disabled
Configure Manual Scan
Settings
Enable this to allow users to configure their
own scan setting.
Disabled
Scans
Configure Real-time Scan
Settings
Configure Scheduled Scan
Settings
PRIVILEGES
AND
OTHER
SETTINGS
Enable this to allow users to configure their
own scan setting.
Disabled
Enable this to allow users to configure their
own scan setting.
Disabled
Postpone Scheduled Scan
Scheduled
Scans
Disabled
Skip and stop scheduled
Scan
Firewall
(if you
have
firewall
activated)
Enable this to allow users to stop the
Scheduled scan when it is triggered.
Enable this to allow users to stop the
Scheduled scan when it is triggered.
Display the Firewall tab on
the Agent console
Enabled
Allow users to
enable/disable the firewall,
Intrusion Detection
System, and the firewall
violation notification
message
Disabled
Allow agents to send
firewall logs to the
OfficeScan Server
Enable this to allow users to configure their
own firewall settings other than what is set on
the OfficeScan server.
Disabled
Keep this disabled unless necessary as it
increases traffic between the server and agents.

Behavior Monitoring | Display the
Behavior Monitoring tab on the agent
console.
Disabled
Disabled
Mail Scan | Display the Mail Scan tab
on the agent console
Toolbox | Display the Toolbox tab on
the agent console and allow users to
install Check Point Secure Agent
Support
Since most enterprises do not use POP3, this
tab can be hidden to users to avoid confusion.
If this setting is allowed then users can install
this tool using OSCE agent GUI.
Disabled
Unless Checkpoint Secure Agent is used, this
should be turned off to avoid confusion to
users.
Enabled
PRIVILEGES
AND
OTHER
SETTINGS
Proxy Settings | Allow the Agent user
to Configure proxy Settings
Enable this to allow users to configure proxy to
update from internet; otherwise this can be
turned off.
Enabled
Perform Update Now
Component
Updates
Enabled to Allow users to initiate an update
manually by right clicking on the OSCE icon
on their system tray.
Disabled
Enable Scheduled Update
Unloading | Unloading the OfficeScan
agent and unlocking advanced agent
settings
Leave this option disabled so users cannot turn
off scheduled update. This will keep users upto-date with the latest signature.
Enabled
Enable this to prevent users from unloading
OfficeScan agent from their system.
Enabled
Uninstallation | Uninstalling the
OfficeScan agent
Enable this to prevent users from uninstalling
OfficeScan agent from their system.

Enabled
Update Settings
OfficeScan agents
download updates
from the Trend
Micro ActiveUpdate
Server
Enable this function to allow agents to update
from Trend Micro Active Update servers
whenever the OfficeScan agent cannot contact
the OfficeScan server or the Update Agents.
This is especially helpful for users who travel
with their laptop or bring their laptops home,
keeping them up-to-date all the time.
Enabled
Enable Scheduled
Updates on
OfficeScan agents
PRIVILEGES
AND
OTHER
SETTINGS
OfficeScan agents
can update
components but not
upgrade the agent
program or deploy
hot fixes
Aside from notification from the OfficeScan
Server for updates, this function is used to
allow OfficeScan to check for updates on
scheduled basis. Update checking is done in the
background and no user intervention is
required.
Disabled
Enable this function in environments where
bandwidth is limited. This allows agent to
update their regular signatures and engines and
avoid downloading hotfixes or program
updates from the OfficeScan Server.
Enabled
Web Reputation Settings | Display a
Notification when a web site is blocked
Behavior Monitoring Settings | Display
a notification when a program is
blocked
C&C Contact Alert Settings | Display a
notification when a C&C callback is
detected
Central Quarantine Restore Alert
Settings | Display a notification when a
quarantine file is Restored
Turn this off to avoid getting popups when
websites are blocked.
Enabled
Enable this function to avoid confusion on the
users as to why a certain program won’t run.
Enabled
Enable this function to receive notifications on
C&C callbacks
Disabled
Enable this function to get notifications when
quarantined files are restored.

OfficeScan
agent Selfprotection
Protect OfficeScan
agent services
Enabled
Protect files in the
OfficeScan agent
installation folder
Enabled
Protect OfficeScan
agent registry keys
Enabled
Protect OfficeScan
agent processes
Enabled
Scheduled Scan Settings | Display a
notification before a scheduled scan
occurs
PRIVILEGES
AND
OTHER
SETTINGS
Enable the digital
signature cache
Cache Settings
for Scans
Disabled
Enabled and set to 28 days.
Disabled
Enable the ondemand scan cache
If the on-demand scans seldom run, then
enabling this is not necessary since the console
settings are satisfactory. If you want to enable
this, extend the expiration would be better
option.
Enabled
OfficeScan agent Security Settings |
High: Restrict users from accessing
OfficeScan agent files and registries
Setting this option to high prevents regular
users from deleting OfficeScan files and
registry entries.
Disabled
POP3 Email Scan Settings | Scan POP3
email
Enable this only when using POP3 mail in the
network. When selected, this setting enabled
POP3 mail scan on the agent console.
Note that this setting only applies to agents
with the mail scan privileges.

Disabled
PRIVILEGES
AND OTHER
SETTINGS
OfficeScan Agent Console Access
Restriction | Do not allow users to
access the agent console from the
system tray or Windows Start menu
Restart Notification | Display a
notification message if the agent
computer needs to restart to finish
cleaning infected files.
In some environment where any user changes
are prohibited, this function allows
administrators to restrict users from accessing
the OfficeScan agent console.
Enabled
Enabled
Unauthorized Change Prevention
Service
Unauthorized Chang Prevention Service
regulates application behavior and verifies
program trustworthiness. Behavior
Monitoring, Device Control, Certified Safe
Software Service, and Agent Self-protection all
require this service. If an Administrator wants
to allow this service on a server then a single
server must be chosen to view the option to
enable this service.
This setting will turn on the firewall service on
the OfficeScan agents.
Firewall Service
ADDITIONAL
SERVICES
WARNING: Enabling this service will
temporarily disconnect the OfficeScan agent
from the network.
The Suspicious Connection Service provides
advanced protection against Command &
Control callbacks through the following
features:
Suspicious Connection Service



Advanced Protection Service
User-defined IP Approved and Blocked
lists
Global C&C IP List
Malware network fingerprinting
Advanced Protection Service facilitates
advanced scanning and protection features.
Behavior Monitoring and Browser Exploit
Prevention require this service.

Enabled
Enable Web
Reputation Policy
on the following
operating systems
Enable this feature to protect agents from web
threats when they are not connected to the
internal network. Enabling this will provide them
protection from accessing malicious sites.
Disabled
External
Agents Tab
Enable
assessment
Administrator can enable assessment to monitor
the type of detections before deploying Web
Reputation. When assessment is turned on
OfficeScan will not take any action.
Check HTTPS
URLs
Enabled
Disabled
WEB
REPUTATION
SETTINGS
Scan common
HTTP ports only
Security Level | Medium
Untested URLs | Block pages that
have not been tested by Trend
Micro
Browser Exploit Prevention | Block
pages containing malicious script
When disabled, WRS will scan all HTTP URLs
regardless of their port information. If enabled,
only URLs with no port information or those that
point to ports 80, 81, or 8080 will be scanned.
Enabled
Enabled
Note that any website that has not been tested by
Trend Micro will be blocked if it’s enabled.
Enabled
Enabled
Agent Log | Allow agents to Send
Logs to the OfficeScan Server
Depending on security requirements, you may or
may not want to monitor what sites are being
blocked on the agent side. On the other hand,
turning this on will generate traffic between
server and agents.

Internal
Agents
Tab
WEB
REPUTATION
SETTINGS
Enable Web
Reputation Policy
on the operating
systems
Enabled
If there is already a web security on the gateway, this may
be turned off.
Enable assessment
Disabled
Administrator can enable assessment to monitor the type
of detections before deploying Web Reputation. When
assessment is turned on OfficeScan will not take any
action.
Check HTTPS URL
Enabled
Scan common
HTTP ports only
Disabled
When disabled, WRS will scan all HTTP URLs regardless
of their port information. If enabled, only URLs with no
port information or those that point to ports 80, 81, or
8080 will be scanned.
Send queries to
Smart Protection
Servers
Enabled
Agents will send queries to Smart Protection Servers.
Make sure they are available. If this option is disabled
then agents will need internet access to reach Trend
Micro Smart Protection Network, if agent does not have
web access then it will use approved/blocked web site list
as the only web reputation date.
Security Level | Low
Enabled
Internet traffic usage is lowest and browsing info is kept
in house. When combine with “Use only Smart
Protection Servers, do not send queries to Smart
Protection Network” checked, Security level is always
‘Low’.
Untested URLs | Block pages
that have not been tested by
Trend Micro
Enabled
Browser Exploit Prevention |
Block pages containing
malicious script
Enabled
Approved/Blocked URL List |
Allow agents to Send Logs to
the OfficeScan Server
Enabled
Agent Log | Allow agents to
Send Logs to the OfficeScan
Server
Enabled
Depending on security requirements, you may or may not
want to monitor what sites are being blocked on the agent
side. On the other hand, turning this on will generate
traffic between server and agents.

Log network connections made to addresses in
the Global C&C IP list
Enabled
Disabled
Log and allow access to User-defined Blocked IP
list addresses
Enable this feature to perform assessment of the
violations first, and then set to Disable.
Enabled
Log connections using malware network
fingerprinting
OfficeScan performs pattern matching on packet headers.
OfficeScan logs all connections made by packets with
headers that match known malware threats using the
Relevance Rule pattern.
Enabled
Clean suspicious connections when a C&C
callback is detected
OfficeScan uses GeneriClean to clean the malware threat
and terminate the connection to the C&C server.
Known Threats
Enable Malware Behavior Blocking for known
and potential threats
Enable this setting to protect your agents from specific
threats, threat types and threat families through behavior
analysis.
Enabled
Enable Event Monitoring
Enable this to monitor system events to filter potentially
malicious actions. Refer to list below for recommended
settings if this is enabled.
Exceptions (Approve/Block)
Enter the full path of programs you would want to
exempt from Behavior Monitoring or directly Block.
Policies (Under Event Monitoring if Enabled)
The Assess action will log events that violate the policy
but will not take action. To avoid interfering with normal
activity, it is recommended that administrators start with
this action set for all policies. This would help them
define the proper action they need to take once data is
available.

Duplicated System File
Assess
Hosts File Modification
Assess
Suspicious Behavior
Assess
New Internet Explorer Plugin
Assess
Internet Explorer Setting Modification
Assess
Security Policy Modification
Assess
Program Library Injection
Assess
Shell Modification
Assess
New Service
Assess
System File Modification
Assess
Firewall Policy Modification
Assess
System Process Modification
Assess
New Startup Program
Assess
Enabled
Enabled Device Control
Apply all settings to internal agents
External
Agents
Tab
Block auto-run function on USB
storage devices
Storage
Devices
Enable this setting to take advantage of the “Block auto-run
function on USB devices” but leave Full Access permissions
for the devices unless there is a need to control them due to
virus outbreaks/data leak prevention.
Disabled
Enabled
Enable this to prevent the potential threat auto-run can cause.
CD/DVD
Full Access
Floppy Disks
Full Access
Network Drives
Full Access
USB storage devices
Full Access

Program
Lists
External
Agents
Tab
Programs with read
and write access to
storage devices
Enter the full path of programs to allow write
access to storage devices.
Programs on storage
devices that are
allowed to execute
Enter the full path of programs to allow execution.
Notification | Display a notification
message on the agent computer
when OfficeScan detects
unauthorized event
Enabled
Enable this when Device Control Access is not set
to Full Access to avoid causing confusion to users
as to why they cannot access their drives fully.
Enabled
Enabled Device Control
Apply all settings to external agents
Enable this setting to take advantage of the “Block
auto-run function on USB devices” but leave Full
Access permissions for the devices unless there is a
need to control them due to virus outbreaks/data
leak prevention.
Disabled
Enabled
Block auto-run function on USB
storage devices
Internal
Agents
Tab
Storage
Devices
Program Lists
Enable this to prevent the potential threat auto-run
can cause.
CD/DVD
Full Access
Floppy Disks
Full Access
Network Drives
Full Access
USB storage
devices
Full Access
Programs with read
and write access to
storage devices
Enter the full path of programs to allow write
access to storage devices.
Programs on
storage devices that
are allowed to
execute
Enter the full path of programs to allow execution.
Notification | Display a notification
message on the agent computer
when OfficeScan detects
unauthorized event
Enabled
Enable this when Device Control Access is not set
to Full Access to avoid causing confusion to users
as to why they cannot access their drives fully.

Below are the available Agent Grouping:

NetBIOS domain (only used during agent installation)

Active Directory domain

DNS domain

Custom agent groups (can be used anytime to group the agents)
o
Automatic Agent Grouping
o
Schedule Domain Creation
In Automatic Agent Grouping, administrators can create agent grouping according to Active Directory or
IP. On the other hand, performing scheduled domain creation creates a domain in the agent tree. This may
take a long time to complete, especially if the scope is broad. However, this does not move existing agents
to this domain. Custom agent grouping must be used.
To move the agents, refer to manual sort agent or OfficeScan can automatically move agents when the
following events occur:

Agent installation

Agent reload

Change of agent’s IP addresses

Agent enabling or disabling roaming mode
Scan
Settings
Add Manual Scan to the Windows
shortcut menu on agent computers
Disabled
Enable this function to allow users to right-click on files or
folders to perform a manual scan.
Exclude the OfficeScan server
database folder from Real-time Scan
Enabled
Prevent OfficeScan database from getting corrupted.
Exclude Microsoft Exchange server
folders from scanning
Enabled
Prevent OfficeScan from interfering with the mails being
processed by the Exchange server and the antivirus that
scans the mail traffic.
Enabled deferred scanning on file
operations
Disabled
This option can be enabled to help improve performance
of file copy operation.

Enabled
Configure scan settings for large
compressed files
Real-time scan
Manual Scan/
Scheduled Scan/
Scan Now
Scan
Settings for
Large
Compressed
Files
This option will skip files within the
compressed files from being scanned to
improve on performance.
Do not Scan files (in a
compressed file) if size
exceeds
2 MB
In a compressed file,
scan only the first X
files
10 files
Do not Scan files (in a
compressed file) if size
exceeds
30 MB
In a compressed file,
scan only the first X
files
100 files
Virus/Malware Scan Settings only |
Clean/Delete infected files within
compressed files
Enabled
Enabled
Spyware/Grayware Scan Settings Only |
Enable Assessment Mode
Turn this on with a recommended of at
least 3 weeks to allow administrator to
assess the detection of spyware in the
network. Any detection will not have any
action taken on them. This allows admin
to monitor and verify if there is any false
positive detection especially on home
grown applications.
Enabled
Scan for Cookies
Turn on to allow cookie scanning and
cleaning.
Disabled
Count Cookie into spyware log
Turn this off to prevent logs generated
from cookie detection to overpopulate
the virus log database.

10 minutes before it runs
Remind users of the Scheduled Scan
This setting only applies to users who
have the privilege to control Scheduled
Scans.
1 hour
Scheduled
Scan
Settings
Postpone Scheduled Scan for up to
***This setting only applies to users who
have the privilege to control Scheduled
scans.
Automatically stop Scheduled Scan when
scanning lasts more than
Disabled
Enabled
Skip Scheduled Scan when a wireless
computer’s battery life is less than
Enable this setting to 20 percent when
there are a number of laptop users in your
environment to save battery life.
Resume a missed scheduled scan
Enabled
Enabled
Virus/Malware Log Bandwidth Settings | Enable
OfficeScan agents to consolidate network virus logs and
send them to the OfficeScan Server hourly
This allows agents to send only a single
log to a server about multiple detections
of viruses detected on the same location
and same virus for a period of time.
4 hours
Send firewall logs to the server every
Firewall
Settings (If
you have
firewall
activated)
If it is really needed, set this to Daily or
every 4 to 8 hours to prevent agents from
saturating the network by sending logs at
short intervals regularly.
Enabled
Update the OfficeScan firewall driver only
after a system reboot
Send firewall log information to the
OfficeScan Server hourly to determine the
possibility of a firewall outbreak.
This setting will let agents update the
firewall driver settings during reboot. This
way, there will be no loss of network
connectivity. This setting applies only to
updates/upgrades done through
OfficeScan server.
Enabled

30
Automatically allow program if agent
does not respond within X seconds.
If the timeout is reached, BM will allow the
program.
Enabled
Behavior
Monitoring
Settings
Prompt users before executing newly
encountered programs downloaded
through HTTP or email applications
(Server platforms excluded)
Help prevent zero-day attack by monitoring
applications that are downloaded through
HTTP channel/email. Administrators should
enable ‘Unauthorized Change Prevention
Service’ and ‘Web Reputation’ to have this
feature.
Certified Safe Software Service
Settings | Enable the Certified Safe
Software Service for Behavior
Monitoring, Firewall, and antivirus
scans
Disabled
C&C Contact Alert Settings | Define customized
Approved and Blocked IP lists used to detect C&C
callbacks
When enabled, the OfficeScan agent will query
the Trend Micro back-end servers via Internet
to reduce BM false alarms.
Define approved or blocked IP, IP range or
subnets for C&C callback
Disabled
Updates| Download only the pattern files from the
Active Update server when performing updates
Administrators can use this setting to let
OfficeScan agents to update only patterns from
the Trend Micro Active Update site.
Reserved Disk Space | Reserve 60 MB of disk space
for updates
Enabled
Unreachable Network | Server Polling
Select the IP range of unreachable network and
how often the agents should poll to the server.
Enabled
Allow agents to send heartbeat to the
server
Only agents in the unreachable network should
send heartbeats since other agents would be
connected to the server.
Agent send heartbeat every
10
The agent is offline if there is no
heartbeat after X minutes
60
Heartbeat

Enabled
Show the alert icon on the Windows
taskbar if the virus pattern file is not Only agents in the unreachable network should
send heartbeats since other agents would be
updated after X days
connected to the server.
Enabled
Alert Settings
Display a notification message if the
agent computer needs to restart to
load a kernel mode driver
OfficeScan
Service
Restart
When firewall is enabled, it is suggested to have
this turned on so that whenever the firewall
driver is updated, the agent may be notified to
reboot for the update to take effect, otherwise,
without reboots, the firewall may not function
properly with the updated component.
Automatically restart an OfficeScan
agent service if the service
terminates unexpectedly
Enabled
Restart the service after
1 minute
If the first attempt to restart the
service fails, retry
6 times
Reset the restart failure count after
1 hour
Enabled
Automatically detect settings
Proxy
Configuration
Preferred IP Address | Agents with
IPv4 and IPv6 addresses register to
the server using
To allow auto detection of proxy for updates,
this can be enabled.
IPv4 first then IPv6
Disabled
Endpoint
Location
Agent Connection status (edit
reference server list)
Gateway addresses can be entered instead of
reference list to determine whether OfficeScan
agents are online or offline.
Gateway IP address | Mac address
Optional
Enabled Daily at 10:30am
Connection
Verification
Scheduled Verification | Enable
Scheduled Verification
This allows the server to recheck the status of
the agents that are in the network, it is ideal to
set it to run on a schedule where most agents
are already online.

Enable
Enable Scheduled Deletion
Log
Maintenance
Enable this to maintain a manageable size of log
and prevent performance issue on the OSCE
server when retrieving logs. If Control Manager is
used the logs are also sent to Control Manager,
hence there is no need to keep 2 copies of logs.
You can get reports from Control Manager.
Ensure all Log types are selected.
Logs older than 7 days
Logs to Delete
Delete old logs to keep the log database small
enough for efficiency.
Daily at 2 AM
Log Deletion Schedule
Enable scheduled update of the
OfficeScan server
Updates |
Server
It is advisable to have this checked every day. The
time suggested is 2 AM so that the traffic to server
is low and can be purged before the system
backup kicks off. OfficeScan server automatically
does database maintenance during midnight, so
avoid scheduling during this time.
Enabled
Hourly
Update Schedule
Initiate component
update on agents
immediately after
the OfficeScan
Server downloads a
new component
It is best to check on a more regular basis to get
the latest updates.
Enabled
Disabled
Updates |
Agents
Agent
Automatic
Updates
Include roaming
agent(s)
Let agents initiate
component update
when they restart
and connect to the
OfficeScan Server
(roaming agents are
excluded)
It is unnecessary if the agents are offline and
unreachable.
Enabled
There are instances where the agents are offline
when the server updated from the internet. This
function will allow agents to get their updates
from the server when they are back online.

Enabled Disabled
Perform Scan Now after update
(excluding roaming agents)
It is not extremely necessary to do a full scan right
after performing an update. The scheduled scan is
normally sufficient.
Enabled
Schedule-based Update
Depending on the number of agents that the
server manages, you can set this from 2 hours to
every 4 hours. This is the setting to configure
agents on how often they will check for updates
from the OfficeScan Server, the Update Agent or
the Internet.
Enabled
Standard Update
Source
Customized Update
Source | Update
Agents update
components, domain
settings, and agent
programs and hot fixes,
only from the
OfficeScan server
Updates |
Agents
Agent
Update
Source
Enable this if No Update Agents will be used.
Administrators can allow agents to get updates
from OfficeScan Servers if Update Agents are not
available.
Enabled
Enable this to have Update Agents always update
from the OfficeScan server.
Disabled
Components
To allow OfficeScan agents to strictly update from
Update Agents for pattern and engine updates.
Enabled
Domain Settings
Domain settings are small enough to allow agents
to go to OfficeScan Server to get updates from as
long as Update Agents are not available.
Disabled
OfficeScan agent
programs and hot fixes
This setting should not be turned on unless
OfficeScan agents are allowed to upgrade from
OfficeScan server. This might cause bandwidth
problems depending on the network.

Standard
Notifications
Virus/Malware | Send
notifications only when the
action on the virus/malware is
unsuccessful
Enable
Spyware/Grayware | Send
notifications only when the
action on the virus/malware is
unsuccessful
Enable
Virus/
Malware
Spyware/
Grayware
Outbreak
Notifications
Firewall
Violations
Shared Folder
Session
Enable this to only notify when an action failed
on the virus/malware.
Enable this to only notify when an action failed
on the spyware/grayware.
Unique Sources
1
Detections
100
Time Period
24 hrs.
Unique Sources
1
Detections
100
Time Period
24 hrs.
Monitor
Firewall
violations on
networked
computers
Enabled
IDS Logs
100
Firewall Logs
100
Network Virus
Logs
100
Time Period
1 hr.
Monitor Shared
Folder session
on your
network
Enabled
Shared Folder
Sessions
100
Time Period
3 min
Enable this to alert administrators when there are
suspicious firewall violations.
Enable this to alert administrators of suspicious
network sessions being generated.

User Accounts are used to logon to OfficeScan web console. These accounts are assigned privileges
as deemed appropriate. Use this section to add custom accounts or Active Directory accounts.
User Roles define a list of operations that a user can perform. These operations are roughly tied to
the navigation menu. Use this section to assign/create/modify roles for a user or a windows group.
This would give the account permission to perform operations defined in that group.
Internal
Agents
Use standard list (for all
Internal Agents)
The settings configure the agents to check the Scan
Servers in the order specified on the list. Integrated Smart
Protection Server will always be the last.
Use customer lists based on
agent IP address
Use this setting to customize which Smart Protection
Server the agents will use. It is recommended that each
sub site has its own Smart Protection Server.
Enabled
Use standard list if customer
list becomes unavailable
To help ensure full redundancy in situations where the
customer Smart Protection Server list is unavailable, the
agent should check the standard list.
Integrated Server
Check box should be enabled if the Integrated Smart
Protection Server will be used. The Integrated Smart
Protection Server should not be used to support more
than 20,000 agents in a primary role. If more than 20,000
agents need to be supported a Standalone Smart
Protection Server should be installed in the environment
and the Integrated Smart Protection Server should be
used for backup purposes only.
Enable File Reputation Service
Enabled
Use HTTP for scan queries
Enabled
Enable Web Reputation Service
Enabled
Enable scheduled updates
Enabled

Enabled
Update Settings | Enable scheduled updates
When enabled, Smart Feedback shares threat details with
the Smart Protection Network, allowing Trend Micro to
rapidly identify and address new threats.
Smart Feedback | Smart Protection Network
Disabled
Active
Directory
Integration
Active Directory Domains
Add Active Directory domains OfficeScan will associate
with the agent tree.
Encrypt Active Directory
Credentials
Specify an encryption key and file path to ensure an
additional layer of protection for your Active Directory
credentials.
Enabled
Scheduled Synchronization | Enable
Scheduled Active Directory synchronization
Internal
Proxy
Settings
Administrators can set the scheduled synchronization
daily.
Agent Connection with the
OfficeScan server computer | Use
the following proxy settings when
agents connect to the OfficeScan
Server and the Integrated Smart
Protection Server.
Agent Connection with the Local
Smart Protection Servers | Use
the following proxy settings when
agents connect to the local Smart
Protection Servers.
Disabled
This should be disabled all the time unless the
OfficeScan agents require connection to an intranet
proxy to communicate with the OfficeScan server.
Disabled
This should be disabled all the time unless the
OfficeScan agents require connection to an intranet
proxy to communicate with the local Smart
Protection Server.

OfficeScan Server Computer
Updates | Use a proxy server for
pattern, engine, and license
updates
External
Proxy
Settings
Agent Connection with Trend
Micro Servers | Specify proxy
server authentication credentials
the agent will use to connect to
the Trend Micro Global Smart
Protection Server and Web
reputation servers.
Enabled
Enable this option and fill out the fields when a proxy
server is required to download updates from the
internet.
Enabled
Fill this out if the proxy server used requires
authentication credentials.
Enabled
Inactive
Agents
Enable automatic removal of
inactive agents
Enable this function to allow OfficeScan to remove
old agents that are inactive for X days. Whenever
these agents come back online, they will automatically
be added and show up in the console.
Automatically remove a agent if
inactive for X days
7 days
10240 MB
Quarantine folder capacity
Note that the Quarantine folder on the OfficeScan
server does not cleanup by itself. It is important to
clean the folder up on a regular basis.
Maximum size for a single file
5 MB
Quarantine
Manager
Web
Console
Settings
Auto Refresh Settings |
Enable Auto Refresh
Timeout Settings |
Enable Timeout Setting
Enabled
Set it for 30 seconds.
Enabled
Set it for 30 minutes.
Daily at 3 AM
Database
Backup
Enable Scheduled Database
Backup
OfficeScan server does database maintenance usually
at midnight, and it is best not to interfere with the
maintenance. Therefore, it is recommended either to
set the time few hours before or few hours after
midnight after log purging.

OfcScan.ini
Add/Change value to “1” to disable the Damage
Cleanup Service from executing whenever the
OfficeScan Real-Time Scan starts up. This is
helpful for systems with low resource to speed
up the bootup/startup time.
Enable this feature to allow Update Agents to
download only one incremental file from the
OfficeScan server and allow it to automatically
generate full pattern and the rest of the
incremental files. This will help minimize
bandwidth usage.
If the remote PC does not have an antivirus, this
function enables scheduled scans for network
drives.
This function is not needed if the remote PC
already has antivirus function. Enabling this may
cause redundant scheduled scanning and
performance issues.
If this function is turned on by setting the value
to “1”, USB will be scanned by Real-Time Scan.
If this function is turned on by setting the value
to “1”, USB will give a pop-up message asking
the users if they want to scan the device.
Device Control Settings take higher priority than
USB scan insertion.
Manual scan supports switching to Intensive
Scan which is a higher detecting mode once the
detected virus number is over a certain
threshold. To enable, set a value. For a sample
value, “5” means using “5” as the intensive
threshold. Ideal threshold value should be 100.
This setting enables admin to select multiple
servers at once when enabling WRS function on
server platforms.

Enable this option to resolve IP from FQDN. If this is set to “0”,
OfficeScan resolves IP from NetBIOS first and then resolves IP from
FQDN. If this is set to “1”, OfficeScan resolves IP from FQDN first
and then resolves IP from NetBIOS.
When this option is set to “1”, it allows Active Directory Integration
to query all objects including containers.
The parameters below can be added or edited to further improve the performance of the OSCE server.
This OfficeScan server parameter controls the number of threads
responsible for receiving agent communications. Default value is 20.
Add the parameter under [INI_SERVER_SECTION] of ofcscan.ini
to modify default setting. Recommended value is 20 multiplied by the
number of CPUs.
NOTE: The word “Maxium” is intentionally misspelled.
Increase the server database cache to improve performance.
Recommended value is at 10% of available memory.
Increase the number of Command Handler threads
1. Edit <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ ofcscan.ini.
2. Add the parameter Command_Handler_Maximum_Thread_Number= under
[INI_SERVER_SECTION] and set its value to 20 x Number of CPUs.
3. Restart the OfficeScan Master Service.
Increase Database Cache to improve performance
1. Edit <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ ofcscan.ini.
2. Locate the entry DB_MEM_OPT_MAX = 10240 and set its value to at least 10% of available
memory.
3. Restart the OfficeScan Master Service.
4. Verify the Connection Thread Count Parameter.
5. Go to [INISERVER_SECTION] and look for the VerifyConnectionThreadCount=16
parameter.
This value is dependent on the network capacity. If you have a 100 MBPS intranet, entering a
value of 64 or 128 is acceptable.

The following sections only apply to OfficeScan itself. This does not include plug-ins and
Integrated Scan Server backup. Customers who have OfficeScan with Integrated Scan Server
should not follow these steps.
The OfficeScan server can be set to automatically back up the agent database information. This is
configurable via web-based management console under Administration > Database Backup
section. This process copies all database files under [ <drive>: \ Program Files \ Trend Micro \
OfficeScan \ PCCSRV \ HTTPDB ] to either a local or remote location.
It is recommended to do a daily back up especially during agent deployment. The schedule can be
changed to weekly after the deployment is complete. It is also recommended to configure the
back up to start at 2:00 AM when agent interaction is minimal and the process does not coincide
with other OfficeScan scheduled tasks. It is recommended to use the OfficeScan built-in backup
function to back up the database. Using third-party application to back up the database may cause
system instability or database corruption.
It is also recommended to manually back up the OfficeScan server configuration files which can
be used to recover from a server disaster.
1. Stop the OfficeScan Master Service.
2. Manually Back up the OfficeScan server and Firewall configuration files:

\ PCCSRV \ Ofcscan.ini – Server configuration information

\ PCCSRV \ Private \ Ofcserver.ini – Server and Update Source configuration

\ PCCSRV \ Ous.ini – Agent update source configuration


\ PCCSRV \ Private \ PFW folder – Firewall profiles / policies

\ Private \ SortingRuleStore \ SortingRule.xml

\ Private \ AuthorStore folder – RBA User Profile

\ Private \ vdi.ini – vdi settings
3. Start the OfficeScan Master Service.
4. Run the Certificate Manager tool to back up the certificate used for OfficeScan communication
with its agents.
5. Open cmd prompt with administrator privileges and go to [ <drive>: \ Program Files \ Trend
Micro \ OfficeScan \ PCCSRV \ ADMIN \ UTILITY \ CERTIFICATE MANAGER ]
folder.
6. Run the following commands to back up the certificate:
CertificateManager.exe –b [Password] [Certificate Path]
For example, CertificateManager.exe –b mypassword c:\certificate.zip
7. Make a backup copy of c:\certificate.zip along with other OfficeScan server configurations.
In an event of server corruption, the OfficeScan server settings can be restored by following the procedure
below. This procedure assumes that the OfficeScan server is being restored to the same host, using the
same FQDN and IP address.
1. Stop the OfficeScan Master Service and WWW Publishing Service.
2. Restore the backup database files under [ <drive>: \ Program Files \ Trend Micro \ OfficeScan \
PCCSRV \ HTTPDB ].
3. Restore the OfficeScan server and Firewall policy configurations:

\ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Ofcscan.ini

\ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Private \ Ofcserver.ini

\ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Ous.ini

\ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Private \ PFW directory

\ Private \ SortingRuleStore \ SortingRule.xml

\ Private \ AuthorStore folder – RBA User Profile

\ Private \ vdi.ini
4. On the command prompt, go to \Program Files\Trend Micro\ OfficeScan folder and run the
command srvsvcsetup.exe –setprivilege.
5. Restart the OfficeScan Master Service and WWW Publishing Service. Restore OfficeScan
certificate by importing it during installation. In the example above, certificate.zip is the file that
needs to be selected to import the certificates.

Saving the Agent Configuration Settings
1. Log on to the OfficeScan management console.
2. Go to Networked Computers > Agent Management.
3. To save the Global Domain settings, highlight the OfficeScan server domain.
To save just the domain level setting, highlight only the subdomain.
To save only a specific agent’s setting, highlight the agent.
4. Once highlighted, select Settings > Export Settings.
5. Click the Export button and save the file.
Restoring the Agent Configuration Settings
1. Log on to the OfficeScan management console.
2. Go to Networked Computers > Agent Management.
3. To restore the Global Domain settings, highlight the OfficeScan server domain.
To restore just the domain level setting, highlight only the subdomain.
To restore only a specific agent’s setting, highlight the agent.
4. Once highlighted, select Settings > Import Settings.
5. Browse to the DAT file saved previously that you want to restore, then click Import.
6. Check the option Apply to all Domains or Apply to all computers belonging to the
selected domain(s).
7. Click the Apply to Target button.

Trend Micro OfficeScan protects enterprise networks from malware, network viruses, web-based
threats, spyware, and mixed threat attacks. Behavior Monitoring and Device Control are some of
the new OfficeScan features that proactively aim to prevent malware attacks.
This document aims to increase knowledge about Behavior Monitoring and Device Control and
help readers avoid potential issues during deployment.
Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating
system or installed software. Behavior Monitoring is composed of the following sub-features:

Malware Behavior Blocking

Event Monitoring
Malware Behavior Blocking provides a necessary layer of additional threat protection from
programs that exhibit malicious behavior. It observes system events over a period of time and as
programs execute different combinations or sequences of actions, Malware Behavior Blocking
detects known malicious behavior and blocks the associated programs. Use this feature to ensure
a higher level of protection against new, unknown, and emerging threats.
A new option, Known and potential threats, provides a more aggressive scan mode to detect
malwares which has higher detection rate.
Under this mode, system will query DCE and Census. The product calls DCE to perform
memory scan and decides the scan action. It also queries the Census backend server and then
feedbacks the action.

Path: \PC-cillinNTCorp\CurrentVersion\AEGIS
Key: EnableTDC (Value: 1-Aggressive; 0-Normal)
Event Monitoring provides a more generic approach in protecting against unauthorized software
and malware attacks. It uses a policy-based approach where system areas are monitored for certain
changes, allowing administrators to regulate programs that cause such changes.
If attempts to change the system are made, Event Monitoring will:

Refer to the Event Monitoring policies and perform the configured action

Notify the user or administrator

Use the Event Monitoring if you have specific system protection requirements that are
above and beyond what is provided by Malware Behavior Blocking

Administrators can choose to perform one of the following actions to respond to monitored
events:
Assess: Always allow processes associated with an event but record this action in the logs for
assessment

Allow: Always allow processes associated with an event.
Ask When Necessary: Prompts users to allow or deny processes that may have violated
Behavior Monitoring policies. If selected, a prompt asking users to allow or deny the process and
add to the Allowed Programs or Blocked Programs appears. If users do not respond within the
time period specified in the Behavior Monitoring settings screen, OfficeScan automatically allows
the process to continue.
Deny: Always block processes associated with an event and record this action in the logs.
Here is s a sample log while Shell Modification event was violated by a process:
2012/2/12 12:31 ComputerName Shell Modification Assess Process Low C:\kh\notes\nlnotes.exe
Create HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer



The BM function works depending on the options below:

Settings/Behavior Monitoring Settings/ Enable Malware Behavior Blocking or Enable
Event Monitoring

Additional Service /Enable Unauthorized Change Prevention Service
Enabling the Malware Behavior Blocking setting

1. Go to Agent > Agent Management > Settings > Behaviors Monitoring Settings.
2. Select the following options to enable Malware Behavior Blocking or Event Monitoring:


Enable Malware Behavior Blocking for known and potential threats (workstation
default: on; server default: off )

Known threats, default option as provided by previous OfficeScan versions

Known and potential threats, a more aggressive scan mode
Enable Event Monitoring (workstation default: on; server default: off)
3. Behavior Monitoring settings can be applied to specific entities in the client tree or all entities
(root). If you are applying settings to the root, select one of the following options:

Apply to All Clients: Applies settings to all existing clients and to any new client
added to an existing/future domain (domains not yet created during configuration).

Apply to Future Domains Only: Applies settings only to clients added to future
domains. This option will not apply settings to new clients added to an existing
domain.
Enabling Unauthorized Change Prevention Service
1. Go to Agent > Agent Management > Settings > Additional Services Settings.
2. Under Unauthorized Change Prevention Service section, tick the option Enable service on
the following operating systems.


To enable this feature on a server computer, select an individual server and go to Agent > Agent
Management > Settings > Additional Services Settings.
In OfficeScan 11.0, AEGIS provides an enhancement called Light-Weight Solution which focuses
on all agents’ self-protection including agent’s services, processes and registry keys.
The protection is enabled on OfficeScan 11.0 server by default.

Device Control regulates access to external storage devices and network resources. Device
Control helps prevent the propagation of malware on removable drives and network shares. As
combined with file scanning, it helps guard against security risks.
Notification messages are displayed on the endpoints when device control violations occur.
Administrators can modify the default notification message.
In OfficeScan 11.0 , Device Control function integrates both AEGIS feature and DLP feature to
control storage devices. AEGIS device control and DLP device control play different roles. For
instance, different privileges can be set on USB storage devices. AEGIS device control handles
the following privileges: Modify, Read and execute, Read, and List device content only. The block
privilege is handled by DLP Device Control.
Furthermore, DLP Device Control supports one more device type: mobile devices. This
includes smartphones and pads, sync app such as iTunes and htcsync.

Device Control supports several kinds of devices, here takes USB as sample to introduce how it
works in the following environments:

Only Aegis Device Control enabled

Aegis +DLP Device Control

Only DLP Device control enabled
To activate this feature, user must enable the Unauthorized Change Prevention Service (Agents >
Agent Management > Ssettings > Additional Service Settings) and Device Control (Settings >
Device Control Settings) for the OfficeScan agent. OfficeScan only monitors USB storage devices
when DLP module is not activated.
Here are what Device Control can do with an USB device:
Enabled “Block the auto-run function on USB storage devices” option could let OfficeScan
prohibits USB storage auto-run. It does not permit USB storage to execute autorun.inf and pop
the content of the storage. Some virus could use autorun.inf to infect the system.
Select the permission for accessing USB storage devices, Device Control only provides Full
access, Modify, Read and execute, Read and List device content only access permissions to
choose.
For detailed information about the action of different permission, refer to Permissions for storage
devices in OfficeScan Online Help.

Use Program List to exempt the permission to some specified programs and certificate providers.
Put local programs on storage devices into “Programs with read and write access to storage
devices” to give them read and write access permission. For example, add
“c:\windows\system32\notepad.exe” into “Programs with read and write access to storage
devices” list so users could open and modify it.
For detailed usage of this functionality and how users could add the file path, refer to Advanced
Permissions for Storage Devices Parent topic and Specifying a Program Path and Name in
OfficeScan Online Help.
Put programs on storage devices into “Programs on storage devices that are allowed to execute”
so that users or the system can execute.

Select whether to display a notification message on the client computer when OfficeScan detects
unauthorized device access.
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the
domain(s) or client(s). If you selected the root icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an
existing/future domain. Future domains are domains not yet created at the time you configure
the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains.
This option will not apply settings to new clients added to an existing domain.

To enable this feature, user must install OfficeScan Data Protection plug-in and activate it, then
enable the Unauthorized Change Prevention Service and Device Control for the OfficScan agent.
The UI of Device Control Settings is different from the previous one.
Block permission is activated by iDLP. This sector focuses on the function that iDLP has added
to Device Control Settings for USB devices.
With Data Protection (iDLP) installed, OfficeScan offers more functionality for USB access.
Besides keeping the function of Device Control, iDLP add the following items.
Allow or block access to mobile devices. It means that iDLP adds one control item for
smartphone and pad. The major purpose of adding mobile device is to allow iDLP to disable the
access when people use sync app (or not use any sync tools) to connect smartphone or pad.
豌豆荚,
For detailed support mobile device list, refer to Device Control Settings console and click the
Supported Device Models > Data Protection List.

Allow or block access to non-storage devices that UI lists.
Permissions for USB storage devices allows to block the access to USB Storage devices.
However, two permissions in this list, the Read and Block permissions, are controlled by iDLP.
Since iDLP takes the control of these two permissions, users can add whitelist into them.
Select Read permission and click Advanced permissions and notifications.
It provides the user a way to add a specified device by using its vendor, model, and serial ID from
the system device management to iDLP whitelist. If the device is in the whitelist, all the access
action for this device will be allowed.

Trend Micro also provides a tool called listDeviceInfo.exe containing the parameters for a USB storage
device. It shows the device information on a pop-up web page. Users can find the listDeviceInfo.exe on
the server folder ..\pccsrv\admin\utility.
To add the specified device, vendor parameter is required on the page. However, if the system cannot read
the device’s vendor information, add “*” and other parameter that listDeviceInfo provides. It also helps to
put the device in the whitelist.
If users choose the Block permission, users can add specified USB storage devices into whitelist by
clicking Approved devices on the right side.
Users can configure the permission (except Full access) they want for a device by clicking Advanced
permissions and notifications. It also has Program lists function for the devices.

When the Unauthorized Change Prevention Service is disabled while the Device Control is
enabled, only the functionality of iDLP will work.
For USB storage devices, the following permissions in the list work: Full access, Read, and Block.
The “Advanced permissions and notifications” of the Read permission will all work properly.
The “Approved devices” of Block permission will partly work. It means that users can add the
specified device to whitelist (vendor, model, and serial ID). However, user cannot assign other
permissions to this device except Full access.
Since other permissions are controlled by Unauthorized Change Prevention Service, Program list
under “Advanced permissions and notifications” cannot also work.

If OfficeScan encounters a violation of USB access and “Display a notification on endpoints when
OfficeScan detects unauthorized device access” is checked, OfficeScan agent will pop an alert for this
access action.
The alert message looks similar to the following image:
Logs of the USB access violation will appear similar to the image below:

The Behavior Monitoring and Device Control features both use the Trend Micro Unauthorized
Change Prevention Service (running under the process name TMBMSRV.EXE). These features
use TMBMSRV.EXE to monitor for system events and check these events against rules to
determine whether certain application activities are unwanted.
TMBMSRV.EXE delivers highly beneficial behavior-based security functionality, particularly the
capability to check applications for suspicious behavior (Behavior Monitoring) and control access
to storage devices (Device Control). Its monitoring mechanism, however, can strain system
resources, especially when the computer is running applications that cause numerous system
events. To prevent impacting system performance, Trend Micro recommends configuring
OfficeScan so that these system-intensive applications are not monitored by TMBMSRV.EXE.
Running TMBMSRV.EXE and system-intensive applications on the same computer can affect
system performance and disrupt critical applications. Thus, a properly managed deployment of
Behavior Monitoring and Device Control is recommended.
To ensure smooth deployment of OfficeScan with Behavior Monitoring and Device Control:
•
Set up and deploy a pilot environment.
•
Identify system-intensive applications.
•
Add system-intensive applications to the Behavior Monitoring exception list.
Before performing a full-scale deployment, conduct a pilot deployment in a controlled
environment. A pilot deployment provides opportunity to determine how features work and, most
importantly, how Behavior Monitoring and Device Control can affect your endpoints.
The pilot process should result in:

Better understanding of the implications of deploying the new Behavior Monitoring and
Device Control features

Better understanding of applications that may conflict with these features

List of applications that can be added to the Behavior Monitoring exception list
When setting up the pilot environment, prepare an environment that matches the production
environment as closely as possible.

Ensure that the following are included in the pilot environment:

Business applications

Custom applications

All network applications used by groups or individuals (such as payroll, inventory, accounting,
and database applications)
Deploy the OfficeScan agents into the pilot environment with the features intended to be enabled. For
example, Behavior Monitoring and Device Control may both be enabled.
Allow the pilot environment to run for a reasonable amount of time (give sufficient “soak time”) with the
standard applications running and with average daily use.
Trend Micro provides a standalone performance tuning tool to help identify applications that could
potentially cause a performance impact. The TMPerfTool tool, available from Trend Micro Technical
Support, should run on a standard workstation image and/or a few target workstations during the pilot
process to preempt performance issues in the actual deployment of Behavioral Monitoring and Device
Control.
To identify system intensive applications:
1. Unzip the TMPerfTool.zip file.
2. Place the TMPerfTool.exe file in the OfficeScan default installation folder
(%ProgramDir%/Trend Micro/OfficeScan agent) or in the same folder as the TMBMCLI.dll file.
3. Double-click TMPerfTool.exe.
4. Click Analyze when the system or applications start to slow down. If a red highlighted row
appears, it means that the TMPerfTool found the system-intensive process.
5. Select the highlighted row and click Exclude.
6. After excluding the process, verify if the system or application performance improves. If the
performance improves, select the process row again and click Include.
7. If the performance drops again, it means you found a system-intensive application. Perform the
following:
a) Note the name of the application.
b) Click Stop.
c) Click Report and save the .xml file in your specified folder.
d) Review the applications that have been identified as conflicting and add the applications
to the Behavior Monitoring exception list.

The Behavior Monitoring exception list is a user-configurable list of approved and blocked
programs that are not monitored by Behavior Monitoring and Device Control. These features
automatically allow approved programs to continue. Approved programs are still checked by other
OfficeScan features. Blocked programs are never allowed to run.
Trend Micro strongly recommends adding system-intensive applications to the Behavior
Monitoring exception list to reduce the likelihood of performance issues from occurring. Systemintensive applications can cause TMBMSRV.EXE to consume very high amounts of CPU
resources and disrupt critical applications.
To add programs to the exception list:
1. Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
2. Type the full path of the program under Exceptions.

3. Click Approved Programs or Blocked Programs.

4. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the
domain(s) or client(s). If you selected the root icon, choose from the following options:
 Apply to All Clients: Applies settings to all existing clients and to any new client
added to an existing/future domain. Future domains are domains not yet created at
the time you configure the settings.
 Apply to Future Domains Only: Applies settings only to clients added to future
domains. This option will not apply settings to new clients added to an existing
domain.

To prevent TMBMSRV.EXE from affecting performance, disable the service itself or disable both
Behavior Monitoring and Device Control.
1. Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
2. Deselect the following options:
 Enable Malware Behavior Blocking for known and potential threats.
 Enable Event Monitoring
3. If you selected domains or clients on the client tree, click Save to apply settings to those. If
you selected the root icon, choose from the following options:


Apply to All Clients
Apply to Future Domains Only
1. Go to Agents > Agent Management > Settings > Device Control.
2. Deselect Enable Device Control.
3. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the
domain(s) or client(s). If you selected the root icon, choose from the following options:


Apply to All Clients
Apply to Future Domains Only
Disable Behavior Monitoring and Device Control by stopping the Trend Micro Unauthorized
Change Prevention Service (TMBMSRV.EXE). Perform this task directly on each endpoint.


DLP agents should be deployed without any policies enabled. Proper testing of policies is suggested
before pushing it out to production environment. Poorly configured and tested policies may lead to
disruption of daily work routine and might end up in computers flooding OfficeScan server with large
numbers of false positives.
To determine the amount of disk space needed for the server, you must decide if there is a need to
capture the files when a policy violation occurs. The files captured during the violation are referred as
forensic data. The benefit of capturing forensic data allows you to identify quickly why the alert
occurred and if it was a false positive. While the forensic data function is helpful when tuning policies,
user can still gather this information by reviewing the alerts. The alerts contain the path to the file that
triggered it.

The Data Protection module can be installed on a pure IPv6 Plug-in Manager. However, only the Device
Control feature can be deployed to pure IPv6 agents. The Data Loss Prevention feature does not work on
pure IPv6 agents.

To download and install the Data Protection using Plug-in Manager:
1. On the Plug-in Manager screen, go to the OfficeScan Data Protection section and click
Download.

2. Once downloaded, click Install Now, or to install at a later time.

3. On the Plug-in Manager screen, go to the plug-in program section and click Manage Program.
The Product License New Activation Code screen appears. Activating the OfficeScan Data
Protection License is required right after the installation.
1. Go to Agents > Agent Management.
2. Select a domain or a specified agent and click Settings.
3. Deploy the module in two different ways:

Click Settings > DLP Settings.

Click Settings > Device Control Settings.
4. A message displays, indicating the number of agents that have not installed the module.
Click Yes to start the deployment. OfficeScan agents start to download the module.


By default, the module is disabled on Windows Server 2003, Windows Server 2008, and Windows Server
2012 to prevent affecting the performance of the host machine.
Data Protection now supports x64 environment.
Online agents install the Data Protection module immediately. Offline and roaming agents install the
module when they become online.
Users must restart their computers to finish installing Data Loss Prevention drivers. Inform users about
the restart ahead of time.
In the agent tree, select a domain or an agent, check the Data Protection Status column. The deployment
status should be "Running".
Exercise 1: On the OfficeScan client, open CMD with an administrator privilege and run the command "sc
query dsasvc", the state should be "Running".

Configure data identifiers first, then define your own Templates. Navigate to Agents > Agent
Management > Select the targets > Settings > DLP settings.
Data identifiers include the following:



Expressions are predefined regular expressions, like credit card number.
File Attributes include File Type and File Size. For File Type, use true file type
recognition or define extension. For File Size, it supports up to 2 GB; minimum must
be over 0 bytes.
Keywords can be added or imported.
Choose a data identifier or use a pre-defined data identifier. Afterwards, OfficeScan can
import or export templates by doing any of the following:


Go to Agents > Agent Management > Select the targets > DLP settings > Templates
> Add > Add Template.
Go Agents > Data Loss Prevention > DLP Templates > Add.

DLP policy is based on Templates, which is defined in the previous section.
1. Navigate to Agents > Agent Management > Select the targets > Settings > DLP settings
> Policies.
2. Take the actions: Add a policy select your template > Choose Channel.

3. Define an action for a policy.

Policy Block/Pass Logical. Given target may meet multiple policies
conditions, during the scan if any policy with Block action defined, target is
blocked even if it meets other policies with Pass action defined.

Policy Additional Action. Each defined policy has respective “Additional
Action” applied by administrator. If a target document meets “n” number of
policy criteria, all respective “n” “Additional Action” will be applied on the
target.
4. Click Save and Apply the settings to Agents button.

To investigate the forensic data blocked by OfficeScan, a Control Manager 6.0 server is required.
Only users who have appropriate permission in Control Manager server have access to forensic
data.
Follow the Control Manager Administrator’s Guide to setup a Control Manager server.
1. Register OfficeScan 11.0 to Control Manager server via Administration > Settings > Control
Manager. A successful OfficeScan registration should show a page similar to the following:
2. In Control Manager, go to Direcotry > Products.
3. Expand the Local Folder > New Entity. The registered OfficeScan server should be displayed
under the product tree:
4. Allow OfficeScan to record forensic data.
a.
Create a DLP policy by following the OfficeScan Online Help section about Creating a
Data Loss Prevention Policy.
b. Under Action tab, make sure Record data option is checked.

5. Check the forensic data.
6. Assign users who will have access to the DLP data by enabling the option Monitor, review,
and investigate DLP incidents triggered by all users.
In Active Directory, refer to the following to create user accounts:
http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack1/dlp_investigation_abt/dlp_inv_admin_tasks/dlp_roles_abt.aspx
7. Log on with an account with DLP review permission to check the forensic data.
Forensic data in OfficeScan server is encrypted and placed in the folder
..\PCCSRV\Private\DLPForensicData. The data will also be uploaded in DLP Incident
Investigation tab on Control Manager Dashboard.
8. Widgets show a number of incidents detected. Click the number to see the details.
9. Click Edit on the Incident Information pop-up that you want to investigate.

You can view the details of the incidents and download the blocked file:
10. Click the Incident Information link, which leads to the detailed logs of the incidents.


IPv6 support for OfficeScan starts in this version. Previous OfficeScan versions do not support IPv6
addressing. IPv6 support is automatically enabled after installing or upgrading the OfficeScan server and
agents that satisfy the IPv6 requirements.
The IPv6 requirements for the OfficeScan Server are as follows:
The server must be installed on Windows Server 2008 or higher. It cannot be installed on Windows Server
2003 because this operating system only supports IPv6 addressing partially.
The server must use an IIS web server. Apache web server does not support IPv6 addressing.
If the server will manage IPv4 and IPv6 agents, it must have both IPv4 and IPv6 addresses and must be
identified by its host name. If a server is identified by its IPv4 address, IPv6 agents cannot connect to the
server. The same issue occurs if pure IPv4 agents connect to a server identified by its IPv6 address.
If the server will manage only IPv6 agents, the minimum requirement is an IPv6 address. The server can be
identified by its host name or IPv6 address. When the server is identified by its host name, it is preferable to
use its Fully Qualified Domain Name (FQDN). This is because in a pure IPv6 environment, a WINS server
cannot translate a host name to its corresponding IPv6 address.

The agent must be installed on: Windows 7, Windows 8 or 8.1, Windows Server 2008, Windows Server 2008
R2, Windows Server 2012 , Windows Server 2012 R2, and Windows Vista.
It cannot be installed on Windows Server 2003 and Windows XP because these operating systems only
support IPv6 addressing partially.

The process starts with the OfficeScan server downloading update packages. The server can be configured to
get updates from several locations:
Trend Micro Active Update Server (Internet) – This is the default method. It uses standard HTTP GET
request to download update packages from the Internet. This only requires the HTTP port (80) to be open
from the OfficeScan server to the Internet. This can be triggered manually or on scheduled basis (Hourly,
Daily, Weekly, or Monthly). Recommended setting is Hourly.
Trend Micro Control Manager (TMCM) server – Control Manager notifies the OfficeScan server when
an update is available for download. OfficeScan will then check its Update Source (Updates > Server Update
> Update Source ) setting to know where it should download the package via HTTP. By default, the Update
Source is set to the Internet (Trend Micro Active Update server). This can be pointed to the Control
Manager server if desired (i.e. http://<server fqdn or ip address>/tvcsdownload/activeupdate).
Custom Update Source (Other update source). This is similar to the Internet update method, except that
the admin re-creates an Active Update (web) server and sets the OfficeScan server to point to the HTTP
location (i.e. http://<server fqdn or ip address>/activeupdate). Control Manager and peer OfficeScan
servers can service such request.
When the update package has been downloaded, the OfficeScan server notifies its Update Agents first that a
new package is available. The Update Agents would then compare version information and download the
package from its designated OfficeScan server as needed. The server waits for an acknowledgement
command to verify or download/update process. If no acknowledgement is received, the OfficeScan server
will wait to reach a timeout value before notifying the rest of its clients. Default timeout is 10 minutes and is
configurable in Timeout for Update Agent parameter using SvrTune.exe. All communications are done
through CGI commands via HTTP protocol. The OfficeScan server listens on its web server management
port (typically 80 or 8080) while the Update Agents listen on its pre-configured port (randomly generated or
manually defined during the OfficeScan Server installation).

Once the Update Agent notification process is completed, the OfficeScan Server notifies the rest of its
clients. Notification process is done by batches. The number by batch is configurable in Maximum Client
Connections using SvrTune.exe ( Tools | Administrative Tools | Server Tuner ) utility. Once notified,
clients would check for updates in the following order:
1. Update Agent
2. OfficeScan server
3. Trend Micro Active Update Server (Internet)
Privileges can be set to allow clients to update from the OfficeScan server when its Update Agent is
unavailable. This setting is global and can be enabled under Updates > Client Deployment > Update Source
> Update from OfficeScan server if all customized sources are not available or not found.
SvrTune.exe only controls the number of clients notified by the OfficeScan server at a given time after the
OfficeScan server completed an update. When OfficeScan agents are the ones who initiated the update, for
example via Scheduled Update, the OfficeScan server handles the client update request and the ones it cannot
is queued in IIS for later processing. IIS can process concurrently 256 CGI requests at a time, this is the
default configuration.
Individual or group of clients (OfficeScan domain) can also be given privileges to download updates directly
from the Internet. Highlight the client or domain from the Clients main window and enable the option under
Clients > Client Privileges/Settings > Update Settings > Download from the ActiveUpdate Server.
Trend Micro Active Update Server (Internet) – This is the default method. It uses standard HTTP GET
request to download update packages from the Internet. This only requires the HTTP port (80) to be open
from the OfficeScan server to the Internet. This can be triggered manually or on scheduled basis (Hourly or
every 15 minutes). Recommended setting is Hourly.
Trend Micro Control Manager (TMCM) server – Control Manager notifies the OfficeScan server when
an update is available for download. OfficeScan will then check its Update Source setting to know where it
should download the package via HTTP. By default, the Update Source is set to the Internet (Trend’s Active
Update server). This can be pointed to the Control Manager server if desired (i.e. http://<server fqdn or ip
address>/tvcsdownload/activeupdate).
Custom Update Source (Other update source) – Similar to the Internet update method, except that the
admin recreates an Active Update (web) server and sets the OfficeScan Server to point to the HTTP location
(i.e. http://<server fqdn or ip address>/OfficeScan/download).

OfficeScan generates network traffic when the server and client communicate with each other. Serverinitiated communications are mainly CGI commands sent through HTTP protocol and are only a few
kilobytes in size. The clients, on the other hand, generate traffic as they upload information and pull
component updates. Below is a summary of the different types of communications within OfficeScan.


Notification on configuration changes
Notification on component updates




Client start-up information
Uploading virus, event, firewall, and web reputation logs
Infected files to be quarantined on the OfficeScan server (depends on quarantined file size)
Downloading program and pattern file updates
Probably, the most significant data transfer is when a client performs a pattern file update. To reduce
network traffic generated during this process, OfficeScan uses a feature called incremental updates. Instead
of downloading the full pattern every time, only the differences (deltas) are downloaded for up to 14 previous
versions for virus definitions and 7 previous versions for spyware, network, and damage cleanup patterns.
These new patterns are merged with the old pattern file as they are received by the OfficeScan agent. An
incremental pattern may range from 1 kilobyte to several megabytes (i.e. 3 MB) depending on version
increment or how far the delta is to the latest version.
To further save WAN bandwidth, specific clients can be promoted as an Update Agent to service peer clients.
This implies that each client won’t have to individually pull incremental updates from the OfficeScan server.
The Update Agent host replicates the complete engine and pattern packages (full version and increments).
The engine and pattern packages are downloaded every time an update is available. To verify the latest size,
simply log in to the OfficeScan server and view the size property of the folders below:


<drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Download \ Engine
<drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ Download \ Pattern

The Engine and Pattern subfolders in the OfficeScan server are copied over to the Update Agent host under
the <drive> : \ Program Files \ Trend Micro \ OfficeScan agent \ ActiveUpdate folder.
For locations with limited bandwidth connectivity, ini flag (UADuplicationOptValue) can be enabled in the
OfficeScan server to change the behavior of the Update Agent. Instead of downloading the complete engine
and pattern packages, only the latest increment (one version older) is downloaded. The Update Agent then
generates its own full pattern file as well as the 7 incremental files.
1. Edit <drive>: \ Program Files \ Trend Micro \ OfficeScan \ PCCSRV \ ofcscan.ini.
2. Locate the parameter UADuplicationOptValue and set value to “128”.
3. Save the changes on the INI file.
4. Go to OfficeScan management console > Clients > Global Client Settings.
5. Click Save.
Given: Incremental update is 300 KB
Full compressed pattern is 45 MB
For an Update Agent using regular incremental updates, it downloads the full pattern file and 7 incremental
files from the OfficeScan server.
Total size downloaded = 7x(300kb incremental) + 45Mb full Pattern
= 2.1MB + 45Mb
= 47.1Mb
For an Update Agent configured for Smart Duplicate, it downloads only one incremental the full pattern file
and generates its own full pattern and incremental. Therefore, it saves 46.8 MB of transfer over the WAN
link.
Total size download = 300Kb

OfficeScan 10.6 supports three types of VDI environment: Citrix XenServer, VMWare VCenter Server, and
Microsoft Hyper-V Platform. In OfficeScan 11.0, the following features have been added:

VM Awareness – This prevents all VM clients in the same physical machine to do on-demand scan
or component update at the same time.

Whitelist Cache Mechanism – This reduces scan time of on-demand scan.
When deploying VDI, the following tasks need to be completed on the Golden Image.
1. Copy the TcacheGen.exe utility to the Golden Image.
2. Use TcacheGen to create a whitelist of files and folders in the Golden Image. The tool scans the
files and folders in the Golden Image and add them into the OfficeScan Whitelist to reduce scanning
load on the machine.
3. Use TcacheGen to clear the GUID key found in the OfficeScan agent registry hive:
HKEY_Local_Machine\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\GUID.
4. Set the value of VDIEnabled=1 in OfficeScan registry hive:
HKEY_Local_Machine\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\MISC\.
5. Proceed to complete the Golden Image creation.
1. Open the OfficeScan console and click Plug-in Manager.
2. Download and install the VDI Support component.

3. Click the Manage Program button to configure VDI Support.
4. Choose between VMWare vCenter Server, Citrix XenServer, Microsoft Hyper-V Platform, or Other
virtualization application. This will only simulate a virtual hypervisor.
5. Enter the server connection information.
6. Click the Save button.
7. Check the vdi_list.ini to confirm the setting is applied correctly.
8. Adjust the VDI parameters depending on the actual need.
We can control every resource intensive actions from the OfficeScan agent namely On-Demand Scan and
Component Updates.

VDI.ini parameter’s description and their recommended values are:

To mitigate performance issue, comply with the best practices below when running OfficeScan 11.0 agents in
VDI environment.
Suggest to first set scan mode to Smart Scan, and then deploy OfficeScan agent to VDI.
Do not switch between Conventional Scan and Smart Scan on VDI guest environment. This is because scan
type change will trigger full pattern update immediately on the guest environment causing Disk I/O
congestion if occurring on multiple VM images at the same time.
When Smart Protection Server is offline, OfficeScan agents will add files into a queue list (suspicious list).
When the Smart Protection Server comes back online, all the machines will perform a scan base on this list
and can cause performance issue. Make sure to have a backup Smart Protection Server to ensure the Smart
Scanning is available at all times.
Pattern Update rollback is very Disk I/O intensive and should be done as seldom as possible.
Take special caution deploying program updates or hotfix to VDI Agents. Deploy to few machines at a time
to minimize performance impact.
AEGIS should be disabled in VDI environment and this should be done when the golden image is prepared.
This improves the performance in VDI environment.
Enable/Disable firewall should not be performed on all agents at the same time, otherwise it will cause heavy
disk I/O usage.
If many agents are enabled to act as Update Agent at the same time, it will have heavy disk I/O and CPU,
and will need a long time to enable. It is recommended to avoid enabling many agents to act as Update
Agents at the same time.
Newly installed agent might not appear in the server console agent tree because the GUID has a duplicate.
To prevent this, log on to the OfficeScan console and perform Connection Verification under Networked
Computers.
Disable the Scheduled Scan because simultaneous scanning in several guest OS will cause the host machine
performance drop.
In the OfficeScan console, go to Tools > Administrative Tools and use Server Tuner to configure the
allowed concurrent pattern Update Agents to a small number. The suitable value depends on the HDD
speed. Trend Micro recommends setting this value to “3” and then increasing it if the I/O usage is low
during pattern update.

Central Quarantine Restore triggers the restoration of the quarantined files from the OfficeScan server.
Below are some considerations:

The quarantined viruses need to be available in the …\Suspect\Backup folder of the OSCE agent
program folder.

You have to determine the file name, security threat, or path of file from the virus logs.
The following sample shows the mask for file name of several files to restore.


Central restore works from single machine up to domains/root level of the OfficeScan server.

When selecting a file to restore, put the file in the exclusion list of the respective domain level.
If you do NOT select this, the file will be restored properly but redetected at next trigger.
Installing OfficeScan agent on Citrix server
1. Disable the Tray Icon.
Many instances of the PccNTMon process will be created in the memory for each user logged in
where the agent is installed.
2. On the OfficeScan management console, go to Agents > Agent Management.
3. Create a group for all Citrix Servers.

4. Click Manage Agent Tree > Add Domain. Move the Citrix servers to the group.
5. Select the group and click Settings > Privileges and other Settings > Other Settings tab.
6. Under Agent Access Restriction, select Do not allow users to access the agent console from the
system tray or Windows Start menu.
7. Click Save.

Setting up TmPreFilter to run in MiniFilter-Mode
1. Open the Registry Editor.
2. Go to HKLM\ SYSTEM\CurrentControlSet\Services\TmPreFilter\Parameters.
3. Change the value of the key "EnableMiniFilter" (REG_DWORD) key to "1".
4. Close the Registry Editor and then restart the computer.
Changing the memory usage of the PagedPool
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACNE\SYSTEM\CurrentControlSet\Control\Session
Manager\Memory Management.
3. Change the value of the "PagedPoolSize" (REG_DWORD) key to "FFFFFFFF".
4. Close the Registry Editor and then restart the computer.
Excluding the files and folders
Exclude the following file extensions from scanning on a Citrix or Terminal server:

*.LOG

*.DAT

*.TMP

*.POL

*.PF

Excluding IIS and Citrix Receiver processes
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList.
3. Create a new key named "Citrix ICA". This is the Citrix ICA Client remote desktop tool. Under this new
key, create:
Type: String value
Name: ProcessImageName
Value: wfica32.exe
4. Create a new key named "IIS". Under this new key, create:
Type: String value
Name: ProcessImageName
Value: w3wp.exe
5. Close the Registry Editor.
6. Restart the OfficeScan NT Listener service.
To allow users to access the OfficeScan agent, publish the Citrix Server desktop through the Citrix Access
Management Console (CMC). When published, users need to:
1. Launch the desktop from the Citrix client web interface.
2. In the Citrix desktop session, open the OfficeScan agent program from Start > Programs >
Trend Micro OfficeScan Agent > OfficeScan Agent.
3. Launch the OfficeScan agent console from the system tray icon.

CSA installs drivers (Scan Engine, Firewall, TDI driver) and its services need to collaborate with these drivers.
This means that some functions may appear to execute properly from the client console but may actually not
run anything in the backend. This does not affect other programs published and streamed on Citrix server.
A drive or folder on a computer running Windows 2003 contains a file infected with virus/malware and the
drive or folder is mapped to the Citrix Server. When the infected file is opened during a Citrix client session,
Real-time Scan may be unable to detect the virus/malware on the file if the mapped drive has the same drive
name, for example (C:), in a multi-user environment.
To resolve this issue:
1. Launch the desktop from the Citrix client Web interface.
2. Open the Registry Editor and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add the
following value:
Type: Multi-string value (REG_MULTI_SZ)
Name: DependOnService
Value: Cdm
3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters
and add the following value:
Type: DWORD value (REG_DWORD)
Name: CitrixOn2003Support
Value: Any number except zero
4. If you are using remote desktop, add the following value to the same key:
Type: DWORD value (REG_DWORD)
Name: MsRemoteDesktopSupport
Value: Any number except zero
5. Restart the computer for the changes to take effect.

In a Citrix environment, when the OfficeScan agent detects a security risk during a particular user session, the
notification message for the security risk displays on all active user sessions.
Security risk can be any of the following:

Virus/Malware

Spyware/Grayware

Firewall policy violation

Web Reputation policy violation

Unauthorized access to external devices
Trend Micro recommends disabling Update Now privileges from the OfficeScan web console. This prevents
users from manually starting an update. Make sure, however, that scheduled updates and event-triggered
updates are still in place. To disable Update Now privileges, do the following:
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the group, go to Settings > Privileges and other Settings > Privileges tab.
3. Under Component Updates, uncheck Perform Update Now and click Save.
Refer to section 7.6 Recommended Scan-Exclusion List for suggested files and directories to exclude.
Refer to section 7.7 Some Server Common Ports for recommendations on Citrix ports to open.

The following are needed to be configured as recommended to support Cisco Callmanager:
Configure Real-time Scan Settings
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Real-time Scan Settings.
3. In the Target tab, under the Scan Settings, configure Scan compressed files > Maximum layers = 1.
4. In the Action tab, uncheck the following:
 Display a notification message on the client computer when virus/malware is detected
 Display a notification message on the client computer when spyware/grayware is detected
5. Click Save.
Configure Client Privileges and Settings
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Privileges and Other Settings.
3. In the Privileges tab, uncheck the Display the Mail Scan tab on the client console and allow users to
install/upgrade Outlook mail scan.
4. Click Save.
Configure Scan Exclusions
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Real-time Scan Settings.
3. In the Target tab, under the Scan Exclusion, enable the following:

Enable scan exclusion

Apply scan exclusion settings to all scan types
4. Add the following folders to the Scan Exclusion List (Directories)

Drive:\Program Files\Call Manager

Drive:\Program Files\Call Manager Serviceability

Drive:\Program Files\Call Manager Attendant
5. Click Save.

Configure Update Settings
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Updates > Agents > Automatic Update.
3. Uncheck Perform Scan Now after update (roaming agents excluded).
4. Click Save.
Turn off Scheduled Scan for Virus/Malware and Spyware/Grayware
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Scan Settings > Scheduled Scan Settings.
3. Uncheck the following:

Enable virus/malware scan

Enable spyware/grayware scan
4. Click Save.
Disable OfficeScan Firewall
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the Cisco Callmanager Agents, go to Settings > Additional Service Settings.
3. Under Firewall Service, uncheck Enable service on the following operating systems and click Save.
Delay the startup of Realtime Scan service by making it dependent on Call Manager service
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add
the follwing value:
Type: Multi-string value (REG_MULTI_SZ)
Name: DependOnService
Value: <Type the name or names of the services that you prefer to start before this service with
one entry for each line. The name of the service you would enter in the Data dialog box is the
exact name of the service as it appears in the registry under the Services key.>
3. Restart the computer for the changes to take effect.

Database and encrypted type files should generally be excluded from scanning to avoid performance and
functionality issues. Below are exclusions to consider depending on the type of machine you are installing the
OfficeScan agent on.
Pagefile.sys
*.pst
%systemroot%\System32\Spool (replace %systemroot% with actual directory)
%systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with actual directory)
%allusersprofile%\NTUser.pol
%Systemroot%\system32\GroupPolicy\registry.pol
Refer to the Knowledgebase article: Appian Enterprise slows down or hangs when installed with OfficeScan
or ServerProtect (http://esupport.trendmicro.com/solution/en-US/1035660.aspx).
Refer to the Acronis article: Acronis Backup & Recovery: Exclude Program Folders and Executables from
Security Programs (https://kb.acronis.com/content/36429).
For more information, refer to the following ARCserver articles:

Antivirus Process and Folder Exclusions for ARCserve Backup (http://www.arcserveknowledgebase.com/index.php?View=entry&EntryID=3534)

CA ARCserve RHA best practices with regards to Anti-virus exclusion (http://arcserveknowledgebase.com/index.php?View=entry&EntryID=2494)

How to exclude Arcserve RHA spool folder from the antivirus scans (http://www.arcserveknowledgebase.com/index.php?View=entry&EntryID=2184)

ARCserve D2D (http://arcserve-knowledgebase.com/index.php?View=entry&EntryID=4159)

C:\Program Files\Autodesk\Inventor 2013\Bin\Inventor.exe
C:\Program Files\Autodesk\Vault Professional 201\Explorer\Connectivity.VaultPro.exe
C:\Program Files\Autodesk\AutoCAD 2013\acad.exe
C:\Program Files\Autodesk\Inventor Fusion 2013\Inventor Fusion.exe
C:\Program Files\Autodesk\DWG TrueView 2013\dwgviewr.exe
C:\Program Files (x86)\Autodesk\Autodesk Design Review 2013\DesignReview.exe
C:\Program Files\Autodesk\Product Design Suite 2013\Bin\ProductDesignSuite.exe
For BlackBerry exlusions, refer to:

Anti-virus exclusions for the BlackBerry Enterprise Server
(http://www.blackberry.com/btsc/KB11573)

Anti-virus exclusions for BlackBerry Enterprise Service 10
(http://www.blackberry.com/btsc/KB34346)
Drive:\Program Files\Call Manager
Drive:\Program Files\Call Manager Serviceability
Drive:\Program Files\Call Manager Attendant
On Citrix systems, the following extensions have been causing performance problems. Exclude these file
extensions to avoid any performance problems: *.LOG, *.DAT, *.TMP, *.POL, *.PF.
Below are the general Citrix exclusions:
*\Users\*\ShareFile\
*\Citrix Resource Manager\LocalDB
*\ICAClient\Cache
*\SoftwareDistribution\Datastore

*\System32\Spool
*\Users\*\ShareFile
*\Program Files (x86)\Citrix\Deploy
*\Program Files (x86)\Citrix\Independent Management Architecture
*\Program Files (x86)\Citrix\RadeCache
*\Windows\System32\spool\PRINTERS
For more information, refer to the Citrix articles:


Citrix Guidelines for Antivirus Software Configuration
(http://support.citrix.com/article/CTX127030)
Citrix Consolidated List of Antivirus Exclusions (http://blogs.citrix.com/2013/09/22/citrixconsolidated-list-of-antivirus-exclusions/)
The data directory is used to store Domino email messages. Repeated scanning of this folder while it is being
updated with new messages is not an efficient way to scan locally stored email. Use virus scanning
applications such as ScanMail for Domino to handle email viruses. By default, the Domino data directory for
a non-partitioned installation is <drive>: \ Lotus \ Domino \ Data.
Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications
like ScanMail for Exchange to handle email viruses. Installable File System (IFS) drive must also be excluded
to prevent the corruption of the Exchange Information Store.
Exchange 5.5
<drive>: \ EXCHSRVR \ IMCData
<drive>: \ EXCHSRVR \ MDBData
Exchange 2000
<drive>: \ EXCHSRVR \ MDBData
<drive>: \ EXCHSRVR \ MTAData
<drive>: \ EXCHSRVR \ Mailroot
<drive>: \ EXCHSRVR \ SrsData
<drive>: \ WINNT \ system32 \ InetSrv

Exchange 2003
<drive>: \ EXCHSRVR \ MDBData
<drive>: \ EXCHSRVR \ MTAData
<drive>: \ EXCHSRVR \ Mailroot
<drive>: \ EXCHSRVR \ SrsData
<drive>: \ WINNT \ system32 \ InetSrv
<drive>: \ EXCHSRVR \ MdbDataUtility
Exchange 2007
Refer to this Microsoft article: http://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx
Exchange 2010
Refer to this Microsoft article: http://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx
Exchange 2013
Refer to this Microsoft article: http://technet.microsoft.com/en-us/library/bb332342.aspx
Refer to this Microsoft article: Review hardware and software requirements FAST Search Server 2010 for
SharePoint (http://technet.microsoft.com/en-us/library/ff381239(v=office.14).aspx)
This option is best disabled. If it is enabled, it creates unnecessary network traffic when the end users access
remote paths or mapped network drives. It can severely impact the user’s experience. Consider disabling this
function if all workstations have OfficeScan agent installed, and updated to the latest virus signature.

<drive>: \ WINNT \ SYSVOL
<drive>: \ WINNT \ NTDS
<drive>: \ WINNT \ ntfrs
<drive>: \ WINNT \ system32 \ dhcp
<drive> : \ WINNT \ system32 \ dns
Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
<drive>: \ WINNT \ system32 \ LogFiles
<drive>: \ WINNT \ system32 \ IIS Temporary Compressed Files
Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
<drive>:\inetpub\logs\
<drive>: \ Program Files \ Microsoft ISA Server \ ISALogs
<drive>: \ Program Files \ Microsoft SQL Server \ MSSQL$MSFW \ Data
Microsoft Lync 2010
Refer to this article: Specifying Antivirus Scanning Exclusions (http://technet.microsoft.com/enus/library/gg195736(v=ocs.14).aspx)

Microsoft Lync 2013
Antivirus Scanning Exclusions for Lync Server 2013 (http://technet.microsoft.com/enus/library/dn440138.aspx)
<drive>: \ Documents and Settings \ All Users \ Application Data \ Microsoft \ Microsoft
Operations Manager
<drive>: \ Program Files \ Microsoft Operations Manager 2005
<drive>: \ Program Files \ SharePoint Portal Server
<drive>: \ Program Files \ Common Files \ Microsoft Shared \ Web Storage System
<drive>: \ Windows \ Temp \ Frontpagetempdir
M:\
Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
Drive:\Users\ServiceAccount\AppData\Local\Temp
Drive:\Users\Default\AppData\Local\Temp
Drive:\Users\the account that the search service is running as\AppData\Local\Temp
Drive:\WINDOWS\system32\LogFiles
Drive:\Windows\Syswow64\LogFiles
For more information, refer to this article: http://support.microsoft.com/kb/952167

Drive:\Program Files\Microsoft Office Servers
Drive:\Program Files\Common Files\Microsoft Shared\Web Service Extensions
Drive:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
Drive:\Documents and Settings\All Users\Application Data\Microsoft\SharePoint\Config
Drive:\Windows\Temp\WebTempDir
Drive:\Documents and Settings\the account that the search service is running as\Local Settings\Temp\
Drive:\WINDOWS\system32\LogFiles
Fore more information, refer to to http://support.microsoft.com/kb/952167.
Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL
Server databases are dynamic, they exclude the directory and backup folders from the scan list. If it is
necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.
<drive>:\ WINNT \ Cluster (if using SQL Clustering)
<drive>: \ Program Files \ Microsoft SQL Server \ MSSQL \ Data
Q:\ (if using SQL Clustering)
C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data
File extensions to exclude: .mdf, .ldf, .ndf, .bak, .tm
You can run antivirus software on a SQL Server cluster. However, you must make sure that the antivirus
software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and
interoperability.
If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus
scanning:
Q:\ (Quorum drive)
C:\Windows\Cluster

%ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting
Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting
Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting
Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting
Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SMS \ Inboxes \ SMS_Executive Thread Name
SMS_CCM \ ServiceData
SMS \ Inboxes
<drive:>\ WSUS
<drive:>\ WsusDatabase
<drive:>\MSSQL$WSUS
You can refer to the following Microsoft article for additional information:
http://support.microsoft.com/kb/900638
MySQL main directory - <Drive>:\mysql\
MySQL Temporary Files - Uses the Windows system default, which is usually C:\windows\temp\
C:\Program Files\Novell\Zenworks
C:\Program Files\Novell\ZENworks\logs\ExternalStore
C:\Program Files\Novell\ZENworks\cache\zmd\ZenCache\metaData
C:\Program Files\Novell\ZENworks\cache\zmd
Exclude the following files: NalView.exe, RMenf.exe, ZenNotifyIcon.exe, ZenUserDaemon.exe, casa.msi,
dluenf.dll, fileInfo.db, lcredmgr.dll, objInfo.db
Exclude the following extensions: .APPSTATE, .LOG, .TMP, .ZC
.dbf
- Database file

.log - Online Redo Log
.rdo - Online Redo Log
.arc - Archive log
.ctl - Control files
C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-E
C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO
C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO Software GmbH
C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RAMICRO_Software_GmbH
C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA-MICRO
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\RA-MICRO
SAP ABAP or Java installs:
\usr\sap\
SAP Content Server Install:
\SAPDB\
SAP Printer Server:
SAPSprint.exe
Servers where are SAPGui is installed:
lsagent.exe
During SAP installs or upgrades, it is recommended to exclude the base SAPinst directories and
subdirectories:
..\Program Files\SAPinst_instdir\

..\Smex\Temp
..\Smex\Storage
..\Smex\ShareResPool\
File Exclusions:
java.exe
notebook-express.exe
C:\WINDOWS\Prefetch\NOTEBOOK-EXPRESS.EXE*
C:\WINDOWS\Prefetch\JAVA.EXE*
Folder Exclusions:
*\smarttech
*\notebook-express-server
C:\Documents and Settings\*\Local Settings\Temp\Jetty*
C:\Program Files\SMART Technologies
~\Symantec\Backup Exec\beremote.exe
~\Symantec\Backup Exec\beserver.exe
~\Symantec\Backup Exec\bengine.exe
~\Symantec\Backup Exec\benetns.exe
~\Symantec\Backup Exec\pvlsvr.exe
~\Symantec\Backup Exec\BkUpexec.exe

Other file extension types that should be added to the exclusion list include large flat and designed files, such
as VMware disk partition. Scanning VMware partitions while attempting to access them can affect session
loading performance and the ability to interact with the virtual machine. Exclusions can be configured for the
directories that contain the virtual machines, or by excluding *.vmdk and *.vmem files.
Backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time
scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume
shadow copies have read-only access.
You can refer to the Knowledgebase article: Excluding Volume Shadow copies from OfficeScan agent realtime scans (http://intkb.trendmicro.com/solution/en-US/1034730.aspx).
It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service. Refer to this
Microsoft article: A Volume Shadow Copy Service (VSS) update package is available for Windows Server
2003 (http://support.microsoft.com/kb/833167).
Make sure the checkbox for "Do not scan the directories where Trend Micro products are installed" is
enabled in WFBS’s Exclusion List settings (Security Settings > Antivirus/Anti-spyware > Exclusions).


Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement