Trend Micro™ OfficeScan™ 7
Comprehensive Security Protection for the Corporate Desktop
Administrator's Guide
Trend Micro Incorporated reserves the right to make changes to this document and to
the products described herein without notice. Before installing and using the
software, please review the readme files, release notes, and the latest version of the
applicable user documentation, which are available from the Trend Micro Web site
at:
http://www.trendmicro.com/download
Trend Micro, the Trend Micro t-ball logo, Control Manager, OfficeScan,
ServerProtect, TrendLabs, and Trend Micro Damage Cleanup Services are
trademarks or registered trademarks of Trend Micro, Incorporated. All other product
or company names may be trademarks or registered trademarks of their owners.
Copyright © 2005-2006 Trend Micro Incorporated. All rights reserved.
Document Part No. OSEM72658/60206
Release Date: February, 2006
Protected by U.S. Patent No. 5,623,600; 5,889,943; 5,951,698; 6,119,165
The user documentation for Trend Micro OfficeScan is intended to introduce the
main features of the software and installation instructions for your production
environment. You should read through it prior to installing or using the software.
Detailed information about how to use specific features within the software is
available in the online help file and the online Knowledge Base at Trend Micro’s
Web site.
Trend Micro is always seeking to improve its documentation. Your feedback is
always welcome. Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Contents
Chapter 1: Introducing OfficeScan
What’s New in OfficeScan 7.3 .......................................................... 1-2
New Client-Side Features .............................................................. 1-2
New Server-Side Features ............................................................. 1-3
Key Features and Benefits ................................................................. 1-3
Integrated Virus and Spyware Protection ...................................... 1-3
Enhanced Anti-spyware Capabilities ............................................. 1-3
Centralized Management ............................................................... 1-4
Security and Policy Enforcement .................................................. 1-4
Enterprise Client Firewall .............................................................. 1-4
Trend Micro Damage Cleanup Services (DCS) 3 ......................... 1-5
OfficeScan Technology ...................................................................... 1-5
OfficeScan Server Architecture ..................................................... 1-5
Understanding OfficeScan Components ...................................... 1-11
Understanding Viruses and Malware ............................................... 1-14
Understanding Spyware and Other Types of Grayware .............. 1-15
Using the OfficeScan Documentation .............................................. 1-16
Documentation Feedback ............................................................ 1-17
Chapter 2: Getting Started with OfficeScan
Exploring the Web Console ............................................................... 2-2
Getting Around the Web Console .................................................. 2-2
Working with OfficeScan Domains ............................................... 2-3
Setting the Intranet Proxy .................................................................. 2-4
Trend Micro™ OfficeScan™ 7.3 Administrator’s Guide
Updating OfficeScan ..........................................................................2-4
Choosing an Update Source ...........................................................2-5
Updating the Server ........................................................................2-6
Using Update Agent .......................................................................2-9
Updating Clients ...........................................................................2-12
Using Scheduled Update with NAT .............................................2-20
Rolling Back Components ...........................................................2-21
Verifying Client-Server Connection .................................................2-22
Setting Scan Options ........................................................................2-23
Scan Options ................................................................................2-25
Excluding Files and Folders from Scans ......................................2-27
Configuring Client Privileges and Settings ......................................2-28
Configuring Global Settings .............................................................2-29
Importing and Exporting Policies .....................................................2-30
Chapter 3: Eliminating Spyware, other Grayware, and Trojan Threats
Potential Risks and Threats of Spyware and Other Grayware ...........3-2
The Trend Micro Solution ..............................................................3-3
Unknown Grayware .......................................................................3-3
How Damage Cleanup Services Works .............................................3-3
Trojans ............................................................................................3-3
The Damage Cleanup Services Solution ........................................3-4
Running Cleanup Now .......................................................................3-5
Configuring Anti-Spyware Settings ...................................................3-6
Viewing the Spyware Protection Ratio ..........................................3-8
Guarding Against Spyware .................................................................3-8
Chapter 4: Performing Additional Administrative Tasks
Changing the Web Console Password ................................................4-2
Configuring Standard Alerts ...............................................................4-2
Configuring Outbreak Alerts ..............................................................4-2
Modifying Client Alert Messages ......................................................4-3
Setting the Intranet Proxy ...................................................................4-3
Changing OfficeScan Web Server Information .................................4-3
Removing Inactive Clients .................................................................4-4
Configuring the Quarantine Manager .................................................4-4
Participating in the World Virus Tracking Program .......................... 4-5
Backing up the OfficeScan Database ................................................. 4-5
Chapter 5: Managing Outbreaks
Using Outbreak Prevention ................................................................ 5-2
Blocking Shared Folders ................................................................ 5-2
Blocking Ports ............................................................................... 5-3
Denying Write Access to Files and Folders .................................. 5-5
Configuring Client Notification for Outbreaks .............................. 5-7
Disabling Outbreak Prevention ...................................................... 5-7
Configuring Virus Outbreak Monitor ................................................ 5-8
Chapter 6: Configuring Enterprise Client Firewall
Enterprise Client Firewall Features .................................................... 6-2
Traffic Filtering ............................................................................. 6-2
Scanning for Network Viruses ....................................................... 6-2
Customized Profiles and Policies .................................................. 6-2
Stateful Inspection ......................................................................... 6-2
Intrusion Detection System ............................................................ 6-3
Firewall Outbreak Monitor ............................................................ 6-3
Client firewall Privileges ............................................................... 6-3
Understanding Enterprise Client Firewall .......................................... 6-4
Understanding Policies, Exceptions, and Profiles ......................... 6-5
Firewall Defaults ........................................................................... 6-7
Deploying the Firewall ....................................................................... 6-8
Verifying Deployment ..................................................................... 6-11
Configuring Enterprise Client Firewall ............................................ 6-12
Configuring Policies .................................................................... 6-12
Configuring Exceptions ............................................................... 6-12
Configuring Profiles .................................................................... 6-13
Configuring Firewall Outbreak Monitor ..................................... 6-13
Testing the Firewall ......................................................................... 6-14
Disabling the Firewall ...................................................................... 6-15
Chapter 7: Viewing and Interpreting Logs
Log Types .......................................................................................... 7-2
Virus Logs ..................................................................................... 7-2
Server Update Logs ........................................................................7-3
Client Update Logs ........................................................................7-3
System Event Logs .........................................................................7-3
Verify Connection Logs .................................................................7-4
Enterprise Client Firewall Logs .....................................................7-4
Deleting Logs .....................................................................................7-5
Chapter 8: Using Administrative and Client Tools
Summary of Tools ..............................................................................8-2
Administrative Tools ..........................................................................8-3
Login Script Setup ..........................................................................8-3
Vulnerability Scanner .....................................................................8-3
Server Tuner ...................................................................................8-8
Client Tools ........................................................................................8-9
Client Packager ..............................................................................8-9
Image Setup Utility ........................................................................8-9
Restore Encrypted Files .................................................................8-9
Client Mover I ..............................................................................8-11
Touch Tool ...................................................................................8-13
ServerProtect Normal Server Migration Tool ..............................8-14
Integrated Tools ................................................................................8-17
Client Mover II .............................................................................8-17
Database Backup ..........................................................................8-17
Database Packer ...........................................................................8-17
Icon Cleaner .................................................................................8-17
Network Scan Switch ...................................................................8-18
Register Shell ...............................................................................8-18
Remote Agent ...............................................................................8-18
GUID Changer .............................................................................8-19
Chapter 9: FAQs, Troubleshooting and Technical Support
Frequently Asked Questions (FAQs) .................................................9-2
Installation and Upgrade ................................................................9-2
Registration ....................................................................................9-2
Compatibility ..................................................................................9-2
Enterprise Client Firewall ..............................................................9-3
Updating the Server and Clients ....................................................9-3
Alert Messages ............................................................................... 9-5
Scanning ........................................................................................ 9-5
Policy Server for Cisco Network Admission Control (NAC) ....... 9-6
Web Console .................................................................................. 9-7
Documentation ............................................................................... 9-7
Troubleshooting ................................................................................. 9-8
Client-server Communication ........................................................ 9-8
OfficeScan Client will not Install on Windows XP Computers .... 9-8
Some OfficeScan Components are not Installed ........................... 9-9
Unable to Access the Web Console ............................................... 9-9
Incorrect Number of Clients on the Web Console ....................... 9-10
Incorrect Client Status on the Web Console ................................ 9-11
Incorrect Component Versions .................................................... 9-11
Unsuccessful Installation from Web page or Remote Install ...... 9-13
Client Icon Does Not Appear on Web Console After Installation ...... 9-13
Issues During Migration from Third-party Antivirus Software .. 9-14
Clients Are Not Sending their Antivirus Information to the Policy Server for Cisco NAC ...... 9-16
Client Connection Time-out Occurs Frequently .......................... 9-16
Issues in environments using Network Address Translation (NAT) ...... 9-17
Contacting Trend Micro ................................................................... 9-18
The Trend Micro Security Information Center ............................... 9-18
Known Issues ................................................................................... 9-19
Contacting Technical Support .......................................................... 9-20
The Trend Micro Knowledge Base .................................................. 9-20
Sending Suspicious Files to Trend Micro ........................................ 9-21
About TrendLabs ............................................................................. 9-22
Appendix A: Policy Server for Cisco™ NAC Primer
Introducing Trend Micro Policy Server for Cisco NAC ................... A-2
Understanding Components and Terms ............................................ A-2
Components .................................................................................. A-2
Terms ............................................................................................ A-3
Cisco NAC Architecture ................................................................... A-5
The Client Validation Sequence ....................................................... A-6
Understanding the Policy Server ....................................................... A-8
Understanding Policy Server Policies and Rules .......................... A-9
Understanding Synchronization ...................................................... A-14
Understanding Certificates .............................................................. A-14
Understanding the CA Certificate ............................................... A-16
Policy Server System Requirements ............................................... A-16
Cisco Trust Agent (CTA) Requirements ......................................... A-18
Accepted Cisco Device Models .................................................. A-18
Appendix B: Deploying Policy Server for Cisco NAC
Policy Server for NAC Deployment Overview ................................. B-2
Enrolling the Cisco Secure ACS server ............................................. B-3
Exporting and Installing the CA Certificate ...................................... B-3
Preparing the Policy Server SSL Certificate ..................................... B-5
Deploying the Cisco Trust Agent ...................................................... B-7
Upgrading and Deploying Cisco Trust Agent 2.0 ......................... B-9
Verifying Cisco Trust Agent Installation .................................... B-10
Installing the Policy Server for Cisco NAC .................................... B-10
Configuring the ACS Server ........................................................... B-12
Configuring the Policy Server for Cisco NAC ................................ B-13
Adding and Removing Policy Servers ........................................ B-13
Viewing Summary Information for a Policy Server ................... B-14
Adding or Editing OfficeScan Servers ........................................ B-16
Configuring Rules ....................................................................... B-16
Configuring Policies .................................................................... B-16
Using the Client Validation Logs ................................................ B-17
Performing Administrative Tasks ............................................... B-17
Appendix C: Using Control Manager™ with OfficeScan
Introducing Control Manager ............................................................ C-2
What You Can do with Control Manager and OfficeScan ................ C-2
What is a Control Manager Agent? ................................................... C-3
Requirements for Installing the Agent .............................................. C-3
Required Information for Agent Installation ..................................... C-3
Obtaining the Public Encryption Key ................................................ C-4
Installing the Control Manager Agent ............................................... C-4
Removing the Agent .......................................................................... C-6
Appendix D: Configuring OfficeScan with Add-ons and Third-party Software
About Wireless Protection Manager ................................................. D-2
PDA System Requirements .......................................................... D-2
Installing Wireless Protection Manager ............................................ D-3
Using Wireless Protection Manager ................................................. D-4
Updating OfficeScan for Wireless ................................................ D-4
Downloading Update Components ............................................... D-5
Enabling and Configuring Proxy Settings .................................... D-6
Synchronizing with Your PDA ..................................................... D-6
Working with Logs ....................................................................... D-7
Overview of Check Point Firewall Architecture and Configuration ...... D-9
Integrating with OfficeScan .......................................................... D-9
Configuring Check Point for OfficeScan ........................................ D-11
Installing SecureClient Support on the OfficeScan Client .............. D-12
Appendix E: Glossary of Terms
Chapter 1
Introducing OfficeScan
Trend Micro™ OfficeScan™ Client/Server Edition protects enterprise networks
from viruses, Trojans, worms, hackers, and network viruses, plus spyware and mixed
threat attacks. As an integrated solution, it guards desktops, laptops, and network
servers, while the Web-based management console makes it easy to set coordinated
security policy and deploy automatic updates on every client and server. By
integrating with Trend Micro™ Network VirusWall™ or any Network Admission
Control (NAC) device, OfficeScan can enforce policy on non-compliant computers,
and then remedy, redirect, restrict, deny, or permit network access.
This chapter provides an overview of OfficeScan features, functionality, and
technology.
What’s New in OfficeScan 7.3
This version of OfficeScan inherits all the features of previous versions and provides
the following new features:
New Client-Side Features
• Protection against spyware and other types of grayware: OfficeScan can help
protect your computers from a variety of potential threats and nuisances that
Trend Micro classifies as grayware, including the most notorious type—spyware
(see Understanding Spyware and Other Types of Grayware on page 1-15 for
more information). OfficeScan scans for and cleans spyware and other grayware
just as it does viruses and Trojans. However, you may want to allow clients to
keep certain applications that OfficeScan classifies as grayware. To prevent
OfficeScan from continually labeling these applications as grayware, you can
configure a grayware-specific exception list.
• Support for Windows server platforms on different processor architectures:
Run OfficeScan on Windows 2000, NT, and Server 2003 platforms. OfficeScan
supports Windows XP/Server 2003 computers that use both x86 and Itanium 2
Architecture-64 (IA-64) processor architectures. See Features for 32-bit and
64-bit Clients on page 1-10 for more information.
• Critical Spyware/Grayware exclusion list: OfficeScan might identify certain
types of files as grayware, though legitimate applications on your computer
might need to use these files. To prevent OfficeScan from identifying these files
as grayware, configure the Critical Spyware/Grayware exclusion list, which
applies to all types of scans. See Configuring Anti-Spyware Settings on page 3-6
for more information.
• Alternate servers for firewall policy application: Client computers might not
be connected to an OfficeScan server but still connected to other computers that
you identify as alternate OfficeScan servers. In this case, the OfficeScan client
program considers these clients to be "online" and firewall policies applied only
to online clients can still apply to these clients. See Enterprise Client Firewall
Features on page 6-2 for more information.
• Support for Cisco NAC version 2.0: With a simple upgrade of the Cisco Trust
Agent, OfficeScan clients can continue sending their antivirus information to
Access Control Servers and Policy Servers in a Cisco NAC version 2.0 system.
See Introducing Trend Micro Policy Server for Cisco NAC on page A-2 for more
information.
New Server-Side Features
• Database backup integration: Back up the OfficeScan database manually at
any time or configure a schedule for automatic backup through the Web console.
If there is ever an issue with the integrity of your OfficeScan database, you can
recover your settings from the backup. See Backing up the OfficeScan Database
on page 4-5 for more information.
• Multiple update sources: Configure up to 10 update sources for both manual
and scheduled updates. See Updating OfficeScan on page 2-4 for more
information.
• Support for multi-server and remote server installation: Install or upgrade
OfficeScan server on several remote server machines at the same time. See the
Installation and Deployment Guide for more information.
Key Features and Benefits
The main features of OfficeScan include the following:
Integrated Virus and Spyware Protection
Trend Micro™ OfficeScan™ Client/Server Edition blocks viruses, worms, Trojans,
hackers, and network viruses, plus inbound spyware and other forms of
grayware—before they can enter the network. As a single, integrated solution, it
enables administrators to set coordinated security policy—for a unified defense
against mixed threat attacks that blend spyware and virus tactics to propagate.
Network servers (including 32- and 64-bit Windows servers), corporate desktops,
laptops, and tablet PCs are more fully protected.
Enhanced Anti-spyware Capabilities
OfficeScan protects against the wide variety of spyware, including adware, dialers,
joke programs, remote-access tools, and password cracking applications. Using an
extensive, up-to-date spyware database and customized exclusion lists, it minimizes
the risk of spyware-related slowdowns, crashes, and support calls. It also prevents
key loggers from stealing confidential information, preserves bandwidth, and secures
business productivity. These capabilities complement the anti-spyware functionality
in Trend Micro InterScan™ Web Security Suite—together providing end-to-end
spyware protection from the Web gateway to client/server networks.
Centralized Management
A Web-based management console gives administrators transparent access to all
clients and servers on the network. It coordinates automatic deployment of security
policies, pattern files, and software updates on every client and server. And with
optional Trend Micro™ Outbreak Prevention Services, it shuts down infection
vectors and rapidly deploys attack-specific security policies to prevent or contain
outbreaks before pattern files are available. OfficeScan also performs real-time
monitoring, provides event notification, and delivers comprehensive reporting.
Administrators can perform remote administration, set customized policy for
individual desktops or groups, and lock client security settings.
Security and Policy Enforcement
OfficeScan provides seamless integration of the Cisco™ Trust Agent, enabling the
most effective policy enforcement within a Cisco Self-Defending Network. It also
includes a policy server for automated communication with Cisco Access Control
Servers. When integrated with Trend Micro™ Network VirusWall or any Network
Admission Control (NAC) device, it can check clients trying to enter the network and
then remedy, redirect, restrict, deny, or permit access. If a PC is vulnerable or
becomes infected, OfficeScan can automatically isolate it and its network segments
until all PCs are updated or cleanup is complete.
For more information on Enterprise Protection Strategy, go to the following Web site:
http://www.trendmicro.com/en/products/network/nvw2500/evaluate/overview
Enterprise Client Firewall
The Enterprise Client Firewall protects clients and servers on the network—using
stateful inspection, high performance network virus scanning, and elimination.
Through the central management console, rules can be created to filter connections
by IP address, port number, or protocol, and then applied to different groups of users
based on their profiles.
Trend Micro Damage Cleanup Services (DCS) 3
With optional Trend Micro™ Damage Cleanup Services 3, OfficeScan cleans clients
and servers of file-based and network viruses plus virus and worm remnants
(Trojans, registry entries, viral files)—through a fully-automated process. It also
removes spyware and grayware running in memory or residing on disk, and it allows
administrators to choose which programs to detect and remove. OfficeScan and
Damage Cleanup Services are key components of Trend Micro™ Enterprise
Protection Strategy (EPS)—designed to proactively manage the outbreak
lifecycle—from vulnerability prevention to malicious code elimination.
For more information on Enterprise Protection Strategy, go to the following Web site:
http://www.trendmicro.com/en/products/eps/eps/evaluate/overview.htm
OfficeScan Technology
OfficeScan uses a reliable scanning and removal technology with the capabilities to
help protect your network environment from malicious code. See Understanding
OfficeScan Components on page 1-11 for details on the items OfficeScan uses and
Understanding Viruses and Malware on page 1-14 for information on the kinds of
security risks that can harm the computers on your network.
OfficeScan Server Architecture
OfficeScan is a two-tier application consisting of the following parts:
• The server, which hosts the Web console, downloads updates from an update
source (such as the Trend Micro ActiveUpdate server), and provides updated
components to clients.
• The client, which protects Windows NT/2000/XP/Server 2003 and Windows
95/98/Me computers from viruses, Trojans, and other malicious programs.
Note: See the Installation and Deployment Guide or the readme file for the specific
system requirements for the OfficeScan server and client.
OfficeScan Server
The OfficeScan server is the central repository for all client configurations, virus
logs, and client software and updates.
The server performs these important functions:
• It installs, monitors, and manages clients on the network
• It downloads virus pattern files, scan engines, and program updates from the
Trend Micro update server, and then distributes them to clients (see
Understanding OfficeScan Components on page 1-11 for more information)
HTTP-based Server
The HTTP-based server is installed on a Windows NT, Windows 2000, or Windows
Server 2003 computer with Internet Information Server™ (IIS) 4.0 or later. You may also
install Apache Web server 2.0 or later on Windows 2000/Server 2003 machines. The
HTTP-based server is capable of providing real-time, bidirectional communication
between the server and clients.
You can manage the clients from a Web browser-based Web console, which you can
access from virtually anywhere on the network.
The server communicates with the client (and vice versa) via HyperText Transfer
Protocol (HTTP). The HTTP-based server can only install HTTP-based clients. You
cannot install an HTTP-based client if the client computer does not support TCP/IP
(see Figure 1-1).
FIGURE 1-1. How the HTTP-based server works
(Figure not reproduced. Its elements are the Internet, the update source, the
OfficeScan server, the Web console, and the OfficeScan clients. Callouts: the
OfficeScan server downloads the pattern file and scan engine from the update
source; you manage the OfficeScan server and clients through the Web console.)
OfficeScan Client
Protect Windows computers from viruses, malware, spyware and other grayware by
installing the OfficeScan client on each computer. The client provides three methods
of scanning – Real-time Scan, Scheduled Scan, and Manual Scan.
The client reports to the parent server from which it was installed. You can have
clients report to another server by using the Client Mover tool (see Client Mover I on
page 8-11 for more information). The client sends events and status information to
the server in real time to provide you with updated client information. Examples of
events are virus detection, client startup, client shutdown, start of a scan, and
completion of an update.
Configure scan settings on clients from the client console (if you grant users this
privilege) and the server Web console. To enforce uniform desktop protection across
the network, choose not to grant the clients privileges to modify the scan settings or
to remove the client program (see Configuring Client Privileges and Settings on page
2-28 for more information).
There are two types of OfficeScan clients:
• Normal clients
• Roaming clients
Normal Clients
Normal clients are stationary computers with the OfficeScan client installed that
maintain a continuous network connection with the server.
Icons that appear in a client’s system tray indicate the status of the normal client. See
Table 1-1 for a list of icons that appear on the normal client.
TABLE 1-1. Icons that appear on a normal client
Description                                                                          Real-time Scan
Normal client                                                                        Enabled
Pattern file is outdated                                                             Enabled
Scan Now, Manual Scan, or Scheduled Scan is running                                  Enabled
Real-time Scan is disabled                                                           Disabled
Real-time Scan is disabled and the pattern file is outdated                          Disabled
Real-time Scan Service is not running (red icon)                                     Disabled
Real-time Scan Service is not running and the pattern file is outdated (red icon)    Disabled
Disconnected from the server                                                         Enabled
Disconnected from the server and the pattern file is outdated                        Enabled
Disconnected from the server and Real-time Scan is disabled                          Disabled
Roaming Clients
Roaming clients are computers with the OfficeScan client installed that do not
always maintain a constant network connection with the server (for example,
notebook computers). These clients continue to provide antivirus protection, but there
are delays in sending their status to the server.
Assign roaming privileges to clients that are disconnected from the OfficeScan server
for an extended period of time.
Roaming clients get updated only on these occasions:
• When the client performs Update Now
• When you configure automatic update deployment and select Include roaming
  clients on the Automatic Deployment screen
For more information on how to update clients, see Updating Clients on page 2-12.
The status of a roaming client is indicated by icons that appear in its system tray. See
Table 1-2 for a list of icons that appear on roaming clients.
TABLE 1-2. Icons that appear on roaming clients
Description                                                                          Real-time Scan
Roaming client (blue icon)                                                           Enabled
Real-time Scan is disabled                                                           Disabled
Pattern file is outdated                                                             Enabled
Real-time Scan is disabled and the pattern file is outdated                          Disabled
Real-time Scan Service is not running (red icon)                                     Disabled
Real-time Scan Service is not running and the pattern file is outdated (red icon)    Disabled
Features for 32-bit and 64-bit Clients
OfficeScan supports Windows XP/Server 2003 computers that use both x86 and
Itanium 2 Architecture-64 (IA-64) processor architectures. The table below shows a
comparison between OfficeScan features for both 32-bit and 64-bit client computers:
Feature                                                          32-bit clients   64-bit clients
Manual, Real-time, and Scheduled Scan for viruses, spyware,
and other types of grayware                                      supported        supported
Roaming mode                                                     supported        supported
Damage Cleanup Services 3                                        supported        n/a
Mailscan                                                         supported        n/a
Wireless Protection Manager                                      supported        n/a
SecureClient Support                                             supported        n/a
Web Console
The Web console is the central point for monitoring OfficeScan across the entire
network, as well as for configuring server and client settings.
It gives you complete control over desktop and notebook computer antivirus settings.
Open the Web console from any computer on the network that has the required Web
browser and communication protocols (see the Installation and Deployment Guide).
Understanding OfficeScan Components
OfficeScan uses the following components to scan for, identify, and perform damage
cleanup tasks to help protect and clean OfficeScan clients:
• Client program: the OfficeScan client program, which uses the virus pattern file
  and scan engine to identify infections and perform actions on infected files
• Scan engine: the engine OfficeScan uses to scan for viruses
• Virus pattern file: a file that helps OfficeScan identify virus signatures – unique
  patterns of bits and bytes that signal the presence of a virus (see About the Virus
  Pattern File on page 1-12 for more information)
• Damage cleanup engine: the engine Damage Cleanup Services 3 uses to scan
  for and remove Trojans and Trojan processes
• Damage cleanup template: used by the damage cleanup engine, this template
  helps identify Trojan files and processes so the engine can eliminate them
• Spyware/Grayware scan pattern: a file that helps OfficeScan identify unique
  patterns of bits and bytes that signal the presence of certain types of potentially
  undesirable files and programs, such as adware and spyware
• Spyware/Grayware cleanup pattern: a file the damage cleanup engine uses to
  help eliminate spyware/adware files and processes
• Common firewall driver: the driver the Enterprise Client Firewall uses with the
  network virus pattern file to scan client machines for network viruses
• Network virus pattern file: like the virus pattern file, this file helps OfficeScan
  identify virus signatures
• Cisco Trust Agent (if Policy Server for Cisco NAC is installed): the program
  that enables communication between the OfficeScan client and routers
  supporting Cisco NAC
• Hot fixes and security patches: workaround solutions to customer-related
  problems or newly discovered security vulnerabilities that you can download
  from the Trend Micro Web site and deploy to the OfficeScan server and/or client
  program
In addition to these components, OfficeScan clients also receive updated
configuration files from the OfficeScan server. Clients need the configuration files to
apply new settings. Each time you modify OfficeScan settings through the Web
console, the configuration files change.
About the Virus Pattern File
The Trend Micro scan engine uses an external data file, called the virus pattern file. It
contains information that helps OfficeScan identify the latest viruses and other
malware such as Trojan horses, mass mailers, worms, and mixed attacks. New virus
pattern files are created and released several times a week, and any time a particularly
dangerous threat is discovered.
All Trend Micro antivirus programs using the ActiveUpdate function can detect the
availability of a new virus pattern file on the Trend Micro server, and/or can be
scheduled to automatically poll the server every week, day, or hour to get the latest
file.
Tip:
Trend Micro recommends scheduling automatic updates at least weekly, which is
the default setting for all shipped products.
You can download virus pattern files from the following Web site, where you can
also find the current version, release date, and a list of all the new virus definitions
included in the file:
http://www.trendmicro.com/download/pattern.asp
About the Trend Micro Scan Engine
At the heart of all Trend Micro products lies a scan engine. Originally developed in
response to early file-based computer viruses, the scan engine today is exceptionally
sophisticated and capable of detecting Internet worms, mass-mailers, Trojan horse
threats, phish sites, spyware, and network exploits as well as viruses. The scan engine
detects two types of threats:
• “in the wild” – viruses that are actively circulating
• “in the zoo” – controlled viruses that are not in circulation but are developed and
  used for research
Rather than scan every byte of every file, the engine and pattern file work together to
identify not only the tell-tale characteristics of the virus code, but also the precise
location within a file where the virus would hide. If OfficeScan detects a virus, it can
remove it and restore the integrity of the file.
The Trend Micro scan engine is certified annually by international computer security
organizations, including ICSA (International Computer Security Association).
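The following toy scanner is an added example and is not Trend Micro's code or
pattern-file format. It illustrates the two ideas just described: a signature is a
tell-tale byte sequence, and it can be tied to the precise location in a file where
the code would hide, so the scanner checks that position rather than every byte.
The marker strings, entry names and the clean-up routine are constructed for the
example.

```python
"""Toy pattern-file scanner (added example; not Trend Micro's code or format).
A signature is a tell-tale byte sequence optionally anchored at the offset where
it is expected; anchored signatures are checked only there. The markers below
are constructed test strings, not real signatures."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    # Expected position of the pattern: a non-negative offset from the start of
    # the file, a negative offset from its end, or None for "anywhere".
    offset: Optional[int]


# Constructed "pattern file": harmless marker strings stand in for virus code.
PATTERN_FILE: Sequence[Signature] = (
    Signature("TEST_PREPENDER", b"TESTSIG-HDR", offset=0),
    Signature("TEST_APPENDER", b"TESTSIG-EOF", offset=-11),
    Signature("TEST_FLOATING", b"TESTSIG-ANY", offset=None),
)


def _resolve_offset(data: bytes, sig: Signature) -> Optional[int]:
    """Absolute start index of an anchored signature, or None if it cannot fit."""
    start = sig.offset if sig.offset >= 0 else len(data) + sig.offset
    if start < 0 or start + len(sig.pattern) > len(data):
        return None
    return start


def matches(data: bytes, sig: Signature) -> bool:
    """Anchored signatures match only at their expected position; a floating
    signature falls back to a full search, which is the cost anchoring avoids."""
    if sig.offset is None:
        return sig.pattern in data
    start = _resolve_offset(data, sig)
    return start is not None and data[start:start + len(sig.pattern)] == sig.pattern


def scan_file(data: bytes, patterns: Sequence[Signature] = PATTERN_FILE) -> List[str]:
    """Names of all signatures found in the file contents."""
    return [sig.name for sig in patterns if matches(data, sig)]


def clean_file(data: bytes, patterns: Sequence[Signature] = PATTERN_FILE) -> bytes:
    """Cut anchored matches out of the file (the prepender/appender case) so the
    original bytes are restored. Floating matches are left alone: the signature
    alone does not say how much surrounding code belongs to them."""
    for sig in patterns:
        if sig.offset is None or not matches(data, sig):
            continue
        start = _resolve_offset(data, sig)
        data = data[:start] + data[start + len(sig.pattern):]
    return data


if __name__ == "__main__":
    sample = b"TESTSIG-HDR" + b"payroll.xls contents" + b"TESTSIG-EOF"
    print(scan_file(sample))            # ['TEST_PREPENDER', 'TEST_APPENDER']
    print(clean_file(sample))           # b'payroll.xls contents'
    print(scan_file(b"xxTESTSIG-HDR"))  # []: right bytes, wrong location
```

The last call shows the trade-off of anchoring: the same marker two bytes further
into the file is not reported, which is why pattern files pair anchored entries
with floating ones where the location is not predictable.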
Updating the Scan Engine
By storing the most time-sensitive virus information in the virus pattern file, Trend
Micro is able to minimize the number of scan engine updates while at the same time
keeping protection up-to-date. Nevertheless, Trend Micro periodically makes new
scan engine versions available. Trend Micro releases new engines under the
following circumstances:
• New scanning and detection technologies are incorporated into the software
• A new, potentially harmful virus is discovered that the scan engine cannot handle
• Scanning performance is enhanced
• Support is added for additional file formats, scripting languages, encoding,
  and/or compression formats
About Hot Fixes, Patches, and Service Packs
After an official product release, Trend Micro often develops hot fixes, patches, and
service packs to address issues, enhance product performance, or add new features.
The following is a summary of the items Trend Micro may release:
• Hot fix: a workaround or solution to a single customer-reported issue. Hot fixes
  are issue-specific, and therefore not released to all customers. Windows hot fixes
  include a Setup program, while non-Windows hot fixes don't (typically you need
  to stop the program daemons, copy the file to overwrite its counterpart in your
  installation, and restart the daemons).
• Security Patch: a hot fix focusing on security issues that is suitable for
  deployment to all customers. Windows security patches include a Setup program,
  while non-Windows patches commonly have a setup script.
• Patch: a group of hot fixes and security patches that solve multiple program
  issues. Trend Micro makes patches available on a regular basis. Windows patches
  include a Setup program, while non-Windows patches commonly have a setup
  script.
• Service Pack: a consolidation of hot fixes, patches, and feature enhancements
  significant enough to be considered a product upgrade. Both Windows and
  non-Windows service packs include a Setup program and setup script.
You can obtain hot fixes from your Technical Account Manager.
You can check the Trend Micro Web site regularly to download patches and service
packs:
http://www.trendmicro.com/download
All releases include a readme file with the information you need to install, deploy,
and configure your product. Read the readme file carefully before installing the hot
fix, patch, or service pack file(s).
Note:
By default, the OfficeScan clients are allowed to receive hot fix deployments. To
forbid clients from receiving hot fix deployments, change client update settings on
the Client Privileges and Settings screen (see Configuring Client Privileges
and Settings on page 2-28).
Understanding Viruses and Malware
Tens of thousands of viruses and malware exist, with more being created each day. In
the past, most viruses were file-based and spread through the exchange of floppy
disks. Today viruses commonly spread through the Internet, exploiting vulnerabilities
in corporate networks, email systems and applications such as Web browsers.
Most computer viruses and malware fall into the following categories:
• ActiveX malicious code – resides in Web pages that execute ActiveX controls
• Boot sector viruses – infect the boot sector of a partition or a disk
• COM and EXE file infectors – executable programs with .com or .exe
  extensions
• Java malicious code – operating system-independent virus code written or
  embedded in Java
• Macro viruses – encoded as an application macro and often included in a
  document
• Trojans – executable programs that do not replicate but instead reside on systems
  to perform malicious acts, such as opening ports for hackers to enter
• HTML, VBScript, or JavaScript viruses – reside in Web pages and are
  downloaded through a browser
• Worms – a self-contained program (or set of programs) that is able to spread
  functional copies of itself or its segments to other computer systems, often by
  email
• Packer – a compressed and/or encrypted Windows or Linux executable program,
  often a Trojan. Compressing executables makes them more difficult for antivirus
  products to detect.
Network Viruses
A virus spreading over a network is not, strictly speaking, a network virus. Only
some of the security risks mentioned above, such as worms, qualify as network
viruses. Specifically, network viruses use network protocols, such as TCP, FTP, UDP,
HTTP, and email protocols to replicate. They often do not alter system files or
modify the boot sectors of hard disks. Instead, network viruses infect the memory of
client machines, forcing them to flood the network with traffic, which can cause
slowdowns and even complete network failure. Because network viruses remain in
memory, they are often undetectable by conventional disk-based file I/O scanning
methods.
Enterprise Client Firewall works with a network virus pattern file to identify and
block network viruses (see Configuring Enterprise Client Firewall on page 6-1 for
more information on Enterprise Client Firewall).
Understanding Spyware and Other Types of Grayware
Your computers are at risk from potential threats other than viruses. Grayware refers
to applications or files that are not classified as viruses or Trojans, but can still
negatively affect the performance of the computers on your network and introduce
significant security, confidentiality, and legal risks to your organization. Often
grayware performs a variety of undesired and threatening actions such as irritating
users with pop-up windows, logging user keystrokes, and exposing computer
vulnerabilities to attack.
Types of Grayware
OfficeScan can detect several types of grayware, including the following:
• Spyware: gathers data, such as account user names, passwords, credit card
  numbers, and other confidential information, and transmits it to third parties
• Adware: displays advertisements and gathers data, such as Web surfing
  preferences, that could be used for targeting future advertising at the user
• Dialers: change client Internet settings and can force a computer to dial
  pre-configured phone numbers through a modem. These are often pay-per-call or
  international numbers that can result in a significant expense for your
  organization.
• Joke Programs: cause a computer to behave abnormally, such as making the
  screen shake or modifying the appearance of the cursor
• Hacking Tools: help malicious hackers enter a computer
• Remote Access Tools: help malicious hackers remotely access and control a
  computer
• Password Cracking Applications: help decipher account user names and
  passwords
• Others: other types of programs that are potentially malicious
Using the OfficeScan Documentation
The documentation set for OfficeScan includes the following:
• Installation and Deployment Guide – This guide helps you plan for and install
  the OfficeScan server program, modify important default client settings, and roll
  out your clients.
• Administrator’s Guide – This guide helps you configure OfficeScan options.
• Online help – The purpose of online help is to provide descriptions for
  performing the main tasks, usage advice, and field-specific information, such as
  valid parameter ranges and optimal values. Online help is accessible from the
  OfficeScan Web console.
• Readme file – The Readme file contains late-breaking product information that
  is not found in the online or printed documentation. Topics include a description
  of new features, installation tips, known issues and product release history.
• Knowledge Base – The Knowledge Base is an online database of
  problem-solving and troubleshooting information. It provides the latest
  information about known product issues. To access the Knowledge Base, go to
  the following Web site:
  http://esupport.trendmicro.com/support/supportcentral/supportcentral.do?id=m1
The latest version of the Installation and Deployment Guide and the Administrator’s
Guide is available in electronic form at the following location:
http://www.trendmicro.com/download/
Documentation Feedback
Trend Micro is always seeking to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please go to the
following site:
www.trendmicro.com/download/documentation/rating.asp
Chapter 2
Getting Started with OfficeScan
This chapter explains how to use the OfficeScan Web console and how to configure
basic settings.
The topics in this chapter include:
• Exploring the Web Console on page 2-2
• Updating OfficeScan on page 2-4
• Verifying Client-Server Connection on page 2-22
• Setting Scan Options on page 2-23
• Configuring Client Privileges and Settings on page 2-28
• Configuring Global Settings on page 2-29
• Importing and Exporting Policies on page 2-30
Exploring the Web Console
When you install OfficeScan server, you also install the Web console. This section
explains how to navigate the console.
To open the Web console:
1. On any computer on the network, open a Web browser and type
   http://{OfficeScan_Server_Name}:{port number}/officescan in the address bar.
   If using SSL, type https://{OfficeScan_Server_Name}:{port number}/officescan
   in the address bar.
2. The browser displays the OfficeScan login screen.
3. Type your password in the Password text box, and then click Enter. The browser
   displays the Summary screen of the Web console.
Note:
If you upgraded from a previous version of OfficeScan, Web browser and
proxy server cache files may prevent the OfficeScan Web console from
loading properly. Clear the cache memory on your browser and on any proxy
servers located between the OfficeScan server and the computer you use to
access the Web console.
Getting Around the Web Console
There are two main parts to the Web console: the sidebar and the main frame. The
sidebar groups tasks that you perform into sections (except for the Toolbox section).
Cleanup Now and Scan Now, for example, are tasks you can perform under Clients.
When you click a task on the sidebar, the main frame displays the information that
you need to perform the task.
See the online help for further instructions on getting around the Web console.
Working with OfficeScan Domains
A domain in OfficeScan is a group of clients that share the same configuration and
run the same tasks. By grouping your clients into domains, you can simultaneously
configure, manage, and apply the same configuration to all domain members. You
can also group your clients by existing NetBIOS domains, Windows Active Directory
domains, or DNS domains.
For ease of management, group clients based on the departments to which they
belong or the functions they perform. Also group clients that are at a greater risk of
infection to apply a more secure configuration to all of them in just one setting.
An OfficeScan domain is different from a Windows NT/2000/Server 2003 domain.
There can be several OfficeScan domains in one Windows NT/2000/Server 2003
domain.
By default, OfficeScan creates domains based on your existing Windows
NT/2000/Server 2003 domains and refers to each client according to its computer
name. Delete or rename the domains that OfficeScan has created for you, create a
new domain, or transfer clients from one domain to another.
To add an OfficeScan domain:
1. On the sidebar, click Clients. The domain tree for the Clients screen appears.
2. Click Add in the main frame. The Add Domain screen appears.
3. Type a name for the OfficeScan domain to add, and then click OK. The new
   OfficeScan domain appears in the domain tree.
To move an OfficeScan client:
1. On the sidebar, click Clients. The domain tree appears.
2. Select the client that you want to move, and then click Move. The Move Clients
   screen appears. Alternatively, drag and drop the client to another OfficeScan
   domain.
3. Do one of the following:
   • To move clients to another OfficeScan domain:
     i. Select the OfficeScan domain to move the client to under Move selected
        client(s) to another Domain.
     ii. Click OK. The client appears under the OfficeScan domain you have
         selected.
   • To move clients to another OfficeScan server:
     i. Enter the server name and port number under Move selected client(s) to
        another OfficeScan Server.
Setting the Intranet Proxy
The Web console uses two proxy settings: one for server-client communication on
the intranet and one for the server when it connects to the Internet to download
updates from the Trend Micro update server.
Server-client communications on the intranet do not normally require a proxy server.
However, if your network uses a proxy server for internal communications, you can
also set OfficeScan to use an intranet proxy.
To set the intranet proxy:
1. On the sidebar, click Administration > Intranet Proxy. The Intranet Proxy
   screen appears.
2. Select the Enable Intranet Proxy check box.
3. Type the name of the proxy server and its port number. If the proxy uses the
   SOCKS 4 protocol, click the check box next to Use SOCKS 4.
4. If the proxy server requires a user name and password, type them in the fields
   provided.
5. Click Save.
Updating OfficeScan
To help ensure that clients stay protected against the latest threats, regularly update
the OfficeScan components. Do the following to configure OfficeScan to perform
updates:
1. Configure the OfficeScan server for updates.
2. If you are using Update Agents, specify which clients act as agents and configure
   agent settings (see Using Update Agent on page 2-9 for more information).
3. Configure OfficeScan clients to receive updates from an update source.
Choosing an Update Source
When choosing the location(s) where to update clients, consider the bandwidth of the
sections of your network that are between clients and the update source(s) (see the
Installation and Deployment Guide for more information on how updates affect
network traffic). The following table describes different component update options
and recommends when to use them.
Update option: ActiveUpdate server > OfficeScan server > clients
Description: The OfficeScan server receives updated components from the
ActiveUpdate server (or other update source) and deploys them directly to clients.
Recommendation: Use this method if there are no sections of your network between
the OfficeScan server and clients you identify as ’low-bandwidth’.

Update option: ActiveUpdate server > OfficeScan server > Update Agents > clients
Description: The OfficeScan server receives updated components from the
ActiveUpdate server (or other update source) and deploys them directly to Update
Agents, which deploy the components to clients.
Recommendation: Use this method to balance the traffic load on your network if
there are sections of your network between the OfficeScan server and clients you
identify as ’low-bandwidth’.

Update option: ActiveUpdate server > Update Agents > clients
Description: Update Agents receive updated components directly from the
ActiveUpdate server (or other update source) and deploy them to clients.
Recommendation: Use this method only if you are experiencing problems updating
Update Agents from the OfficeScan server or from other Update Agents. Under most
circumstances, Update Agents receive updates faster from the OfficeScan server or
from other Update Agents than from an external update source.

Update option: ActiveUpdate server > clients
Description: OfficeScan clients receive updated components directly from the
ActiveUpdate server (or other update source).
Recommendation: Use this method only if you are experiencing problems updating
clients from the OfficeScan server or from Update Agents. Under most circumstances,
your clients receive updates faster from the OfficeScan server or from Update Agents
than from an external update source.
Updating the Server
To ensure that your clients stay protected from the latest viruses/malware and from
spyware and other types of grayware, you need to update your OfficeScan
components at least daily. Configure the server to download OfficeScan components
from the Trend Micro ActiveUpdate server. After the server downloads any available
updates, it deploys these to the clients based on the deployment schedule you
specified on the Automatic Deployment screen under Client Deployment.
Trend Micro updates the scan engine or program generally only during the release of
a new OfficeScan version. However, Trend Micro releases pattern files every week to
keep your client protection current.
Tip:
Trend Micro recommends updating the server and client daily to help ensure
OfficeScan server has current component versions.
OfficeScan provides you these methods of updating your server:
• Update your server based on a schedule, see Configuring Automatic Scheduled
  Updates on page 2-7
• Update your server manually, see Updating the Server Manually on page 2-8
If you use a proxy server to connect to the Internet, make sure you properly configure
your proxy settings to download updates successfully. For information on how to
configure your proxy settings, see Setting the Internet Proxy on page 2-9.
For information on how to update an OfficeScan client acting as an Update Agent,
see Specifying a Client as an Update Agent on page 2-10.
Configuring Automatic Scheduled Updates
Configure the server to regularly check its update source and automatically download
any available updates. Because clients normally get updates from the server, using
automatic scheduled update is an easy and effective way of ensuring that your
protection is always current.
To update the server based on a schedule:
1. On the sidebar, click Updates > Server Update > Automatic Update. The
   Automatic Update screen appears.
2. Select the Enable scheduled update of the OfficeScan server check box.
3. In the Components box, select the components to update (see Understanding
   OfficeScan Components on page 1-11 for a detailed explanation of OfficeScan
   components).
4. Under Update schedule, specify a schedule when to perform scheduled update.
   • Hourly – click to perform scheduled updates every hour
   • Daily – click to perform scheduled updates every day
   • Weekly – click to perform scheduled updates once a week. You must select a
     day from the list, a start time, and a period of time. The period of time is a
     number of hours during which OfficeScan will perform the update.
     OfficeScan performs the update at a random time during this time period,
     which begins after the start time you specify.
   • Monthly – click to perform scheduled updates once a month. You must
     select a date from the list.
   Regardless of the selection, specify when to perform scheduled updates in the
   Time lists.
5. Under Update Source, select the location from where to download the update.
   Select either the Trend Micro ActiveUpdate server or Other update source
   and type in the source's URL.
6. To have the server continue retrying if an update attempt fails, select the Retry
   update if update attempt fails check box under Program Update Retry.
   In the Number of attempts list, select the number of times that the server will
   attempt the update.
   In the Interval list, select the time interval, in minutes, before the server
   continues to retry the update attempt.
7. Click Save to save your settings.
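The following is an added example, not OfficeScan's implementation, of what the
Weekly schedule and Program Update Retry settings in the steps above amount to:
given a day, a start time and a period in hours, the update runs at a random moment
inside that window, and after a failure further attempts are spaced by the interval.
The function names, the choice of naive local datetimes and the sample dates are
this example's own assumptions.

```python
"""Weekly update window with random start, plus retry spacing (added example;
not OfficeScan code). Mirrors the Web console fields: day, start time, period in
hours, Number of attempts and Interval in minutes."""
import random
from datetime import datetime, time, timedelta
from typing import List, Tuple

WEEKDAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
            "Friday": 4, "Saturday": 5, "Sunday": 6}


def next_update_window(now: datetime, day: str, start: time,
                       period_hours: int) -> Tuple[datetime, datetime]:
    """Start and end of the next weekly window that has not yet closed.
    A window already in progress counts as the next one."""
    if period_hours <= 0:
        raise ValueError("period must be at least one hour")
    days_ahead = (WEEKDAYS[day] - now.weekday()) % 7
    window_start = datetime.combine(now.date() + timedelta(days=days_ahead), start)
    window_end = window_start + timedelta(hours=period_hours)
    if window_end <= now:  # this week's window is already over
        window_start += timedelta(days=7)
        window_end += timedelta(days=7)
    return window_start, window_end


def pick_update_time(now: datetime, day: str, start: time, period_hours: int,
                     rng: random.Random = random) -> datetime:
    """Random moment in the window, never in the past. Randomising inside the
    period spreads many servers' downloads instead of hitting the source at once."""
    window_start, window_end = next_update_window(now, day, start, period_hours)
    earliest = max(window_start, now)
    seconds = rng.uniform(0, (window_end - earliest).total_seconds())
    return earliest + timedelta(seconds=seconds)


def retry_times(first_attempt: datetime, attempts: int,
                interval_minutes: int) -> List[datetime]:
    """Timestamps of the first attempt plus `attempts` retries spaced
    `interval_minutes` apart."""
    if attempts < 0 or interval_minutes <= 0:
        raise ValueError("attempts must be >= 0 and interval positive")
    return [first_attempt + timedelta(minutes=interval_minutes * i)
            for i in range(attempts + 1)]


if __name__ == "__main__":
    now = datetime(2006, 2, 1, 12, 0)  # constructed sample: a Wednesday
    run_at = pick_update_time(now, "Friday", time(22, 0), 4, random.Random(1))
    print("update runs at", run_at)
    for attempt in retry_times(run_at, 3, 15):
        print("attempt at", attempt)
```

The retry list makes one operational point visible: three retries at a 15-minute
interval means the last attempt lands 45 minutes after the first, so a source
outage longer than that leaves the server on stale components until the next
scheduled window.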
Updating the Server Manually
You can also update the components on the server manually. Trend Micro recommends
updating the server manually immediately after deploying OfficeScan and whenever
there is an outbreak.
To update the server manually:
1. On the sidebar, click Updates > Server Update > Manual Update. The Manual
   Update screen appears, showing your current components, their version
   numbers, and the most recent update dates.
2. Under Update Source, choose whether to receive updates from the
   ActiveUpdate server or from another source and type the source URL.
3. Click Update. The server checks the update source server for updated
   components. If there are available updates, they appear on the Available Update
   screen, with the component names and version numbers.
4. Select the check boxes for the components to update.
5. Click Update Now. The server downloads the updated components.
Note:
If you do not specify a deployment schedule on the Automatic Deployment
screen under Client Deployment, the server will download the updates but
will not deploy them to clients.
To check if you have specified a download schedule, click Updates > Server Update
> Automatic Update on the sidebar.
Setting the Internet Proxy
The Web console uses two proxy settings: one for client-server communication on
the local area network and one for the server when it connects to the Internet to
download updates from the Trend Micro update server or other update source.
If your network uses a proxy server to connect to the Internet, you must configure the
OfficeScan Internet proxy settings for your server to download updates from the
Trend Micro ActiveUpdate server or other update source.
To set the Internet proxy:
1. On the sidebar, click Updates > Server Update > Internet Proxy. The Internet
   Proxy screen appears.
2. Select the Enable Internet proxy check box.
3. Type the address of the proxy server and its port number.
   • If the proxy server uses version 4 of the SOCKS protocol to handle
     Transmission Control Protocol (TCP), select the Use SOCKS 4 check box.
4. If the proxy server requires a password, type your user name and password in the
   fields provided.
5. Click Save.
Verifying Server Update
To verify that OfficeScan server updates are successful, check the Server Update
Logs.
Using Update Agent
If you identify sections of your network between clients and the OfficeScan server as
"low-bandwidth" or "heavy traffic," you can specify OfficeScan clients to act as
update sources for other clients. This helps distribute the burden of deploying
components to all clients.
For example, if your network is segmented by location, and the network link between
segments experiences a heavy traffic load, Trend Micro recommends allowing at
least one client on each segment to act as an Update Agent.
Note:
Only Windows NT/2000/XP/Server 2003 clients can act as Update Agents. Ensure
that Update Agent machines have at least 15 Megabytes of available disk space.
Configuring Update Agents is a three-step process:
1. Grant clients the privilege to act as update agents (see Specifying a Client as an
   Update Agent on page 2-10)
2. Select an update source from which the Update Agent can receive updated
   components (see Selecting an Update Agent Update Source on page 2-11)
3. Select which clients you want to update from the Update Agent and set the
   Update Agents as the client update source.
Note:
The maximum number of Update Agents allowed is 1024.
The maximum number of concurrent client update requests that an Update Agent
can handle is 250. This number may differ slightly depending on the hardware
specifications of the computer acting as an Update Agent.
Specifying a Client as an Update Agent
For clients to act as Update Agents, you must first grant them the privilege to do so.
To specify a client as an Update Agent:
1. On the sidebar, click Clients. The domain tree for the Clients screen appears.
2. Click the domains or clients to which to grant Scheduled Update privileges by
   clicking the corresponding icons in the domain tree. To select all domains and
   clients, click the root icon.
3. On the sidebar, click Client Privileges/Settings.
4. Under Update, select the Act as Update Agent check box.
   Note:
   If you select multiple clients, you cannot modify the Act as Update Agent
   privilege. To change this privilege for multiple clients at one time, create and
   export a policy for Client privilege settings (see Configuring Client
   Privileges and Settings on page 2-28). Then select multiple clients and
   import the policy. The client privilege settings, including the Act as Update
   Agent privilege, are applied to all selected clients.
5. Click Save. Clients that act as update agents appear with the Update Agent icon
   in the domain tree.
Selecting an Update Agent Update Source
Enable Update Agents to get their component updates from the OfficeScan server on the Update Agent screen. If you do not enable Update Agents to get component updates from the OfficeScan server, they receive updates from the source specified on the Update Source screen.
To select where Update Agents get their updates:
1. On the sidebar, click Updates > Client Deployment > Update Agent. The Update Agent screen appears.
2. Select the Always update from standard update source (OfficeScan server) check box to have agents always get updates from the OfficeScan server. To have agents get updates from the sources specified on the Update Source screen, clear the check box (see Selecting an Update Source on page 2-13 for more information).
3. Click Save.
Setting an Update Agent as a Client Update Source
To have OfficeScan clients get their updates from one or more Update Agents, add the Update Agent(s) to the Customized update source list in the Update Source screen. You can also specify (by IP address) which clients receive updates from any update source.
To set an Update Agent as a client update source:
1. On the sidebar, click Updates > Client Deployment > Update Source. The Update Source screen appears.
2. Click Customized Update Source.
3. In the Customized Update Source list, click Add. The Add IP Range and Update Source screen appears.
4. Type a range of IP addresses of clients that you want to receive updates from an Update Agent.
5. Next to Update Source, click Update Agent and select an agent from the list.
Note: The clients you granted the privilege to act as Update Agents appear in the list. If any Update Agents are missing, apply the Act as Update Agent privilege to the clients in the Client Privileges and Settings screen (see Specifying a Client as an Update Agent on page 2-10).
6. Click Save.
Updating Clients
To ensure that your clients stay protected from the latest viruses/malware and from spyware and other types of grayware, you need to update your OfficeScan components at least daily. The clients get updates from the server, which downloads updates from the Trend Micro ActiveUpdate server or from a customizable update source.
Before updating the clients, verify that the server has the latest components. For information on how to update the server, refer to Updating the Server on page 2-6. Trend Micro updates components on a daily (and in some cases hourly) basis to ensure that client protection stays current.
Tip: Trend Micro recommends updating the server and client daily to help ensure the OfficeScan server has current component versions.
OfficeScan provides the following methods of updating clients:
• Automatic Deployment (event-triggered and by schedule)
• Manual Deployment
• Update Now on the client
Except for Update Now on the client, these methods can update all components on the client (see Understanding OfficeScan Components on page 1-11 for descriptions of each component). These methods can update the following components on the client:
• Client program
• Virus pattern file
• Scan engine
• Spyware/Grayware scan and cleanup pattern
• Damage Cleanup template and engine
• Configuration settings, including privileges, scan settings, and Outbreak Prevention settings
• Common firewall driver and network virus pattern file
• The Cisco Trust agent
In addition to these components, OfficeScan clients also receive updated configuration files from the OfficeScan server. Clients need the configuration files to apply new settings. Each time you modify OfficeScan settings through the Web console, the configuration files change.
Selecting an Update Source
You can choose the source from which clients receive their updates:
• The OfficeScan server
• A customized update source, such as an Update Agent
• The Trend Micro ActiveUpdate server (see Configuring Client Privileges and Settings on page 2-28 for instructions)
Update Source Priority
If OfficeScan clients are unable to update from the selected update source, they will try other sources. Update source priority is as follows:
1. The first entry on the customized update source list (if updating from customized sources), followed by the second entry, and so on.
2. The OfficeScan server (if you select to update from the standard update source directly, or if you select to update from the OfficeScan server when all customized update sources are not available).
3. The Trend Micro ActiveUpdate server. This is the last available update source.
To select a client update source:
1. On the sidebar, select Updates > Client Deployment > Update Source. The Update Source screen appears.
2. Select an update source:
• To make the OfficeScan server the source for all client updates, click Standard update source (update from OfficeScan Server).
• To have clients get updates from another source, click Customized Update Source and configure the Customized update source list:
a. Click Add. The Add IP Range and Update Source screen appears.
b. Enter a range of client IP addresses that will receive updates from this source.
c. Click an Update Source:
d. Update Agent: select the Update Agent from the list. Specify Update Agents in the Client Privileges and Settings screen (see Configuring Client Privileges and Settings on page 2-28).
e. Specified: type the IP address or full path of an update source.
f. Click Save to save changes to the Customized update source list and return to the Update Source screen.
Note: You can add a maximum of 1024 update sources to the Customized update source list.
If clients are unable to update from sources in this list they can still attempt to update from the OfficeScan server. To use the OfficeScan server as a backup update source, select the Update from OfficeScan Server if all customized update sources are not available or not found check box.
3. Click Notify All Client(s).
Updating from the Trend Micro ActiveUpdate Server
If client computers are connected to the Internet, they can update components directly from the Trend Micro ActiveUpdate server. There are two ways to implement this option:
• Use the ActiveUpdate server as a backup source for updates if clients are unable to connect to their primary update source
• Force clients to update from the ActiveUpdate server (as the first choice)
Tip: Trend Micro recommends using the ActiveUpdate server as the backup source. Forcing all clients to continually update from the ActiveUpdate server (as the first choice) could significantly consume network bandwidth between your local network and the Internet. Trend Micro recommends this option only if you experience problems updating from the OfficeScan server or Update Agents.
To allow clients to update from the ActiveUpdate server as a backup:
1. On the sidebar, click Clients. The domain tree for the Clients screen appears.
2. Click the domains or clients by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon.
3. On the sidebar, click Client Privileges/Settings. The Client Privileges and Settings screen appears.
4. Under Update Privileges, select the Download from the Trend Micro ActiveUpdate server check box.
5. Click Save.
Note: The clients you selected only update from the ActiveUpdate server if they are unable to update from their primary update source. See Update Source Priority on page 2-14 for an explanation of the order in which clients update from various sources.
To force clients to update from the ActiveUpdate server:
1. On the sidebar, click Updates > Client Deployment, and then Update Source. The Update Source screen appears.
2. Click Customized Update Source. Clients will update from the first update source on the Customized update source list. If the Trend Micro update server is not on the list, you must add it by doing the following:
a. Click Add. The Add IP Range and Update Source screen appears.
b. Enter a range of client IP addresses that will receive updates from this source.
c. Click Specified.
d. Add the following URL: http://officescan-p.activeupdate.trendmicro.com/activeupdate
e. Click Save.
Note: Ensure that the ActiveUpdate source is first on the Customized update sources list.
3. Click Notify All Client(s).
Note: The ActiveUpdate server must be first on the Customized update source list to serve as the primary update source. See Update Source Priority on page 2-14 for an explanation of the order in which clients update from various sources.
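The fallback order in Update Source Priority, the per-IP-range Customized update source list with its OfficeScan-server backup check box, and the ActiveUpdate privilege described above combine into one decision for each client. The Python model below, added for this page and not part of OfficeScan or this guide, walks that order for a client and shows what happens when sources are unreachable. The configuration structure, function names, source names and IP addresses are assumptions; only the priority order itself comes from the guide.

```python
"""Model of the OfficeScan client update-source priority described above.

Added illustration for this page, not OfficeScan's own code.  The
configuration structure, function names and every sample address and source
name are assumptions; the fallback order (customized list entries in order,
then the OfficeScan server if enabled as backup, then the Trend Micro
ActiveUpdate server) is the one the guide states.
"""
import ipaddress
from dataclasses import dataclass, field

OFFICESCAN_SERVER = "OfficeScan server"
ACTIVEUPDATE = "Trend Micro ActiveUpdate server"


@dataclass
class CustomizedEntry:
    """One row of the Customized update source list: a client IP range and the
    source those clients use (an Update Agent or a 'Specified' address/URL)."""
    first_ip: str
    last_ip: str
    source: str

    def covers(self, client_ip: str) -> bool:
        """True when client_ip lies inside the entry's inclusive IP range."""
        ip = ipaddress.ip_address(client_ip)
        return ipaddress.ip_address(self.first_ip) <= ip <= ipaddress.ip_address(self.last_ip)


@dataclass
class UpdateSourceConfig:
    """Assumed representation of the Update Source screen plus the per-client
    'Download from the Trend Micro ActiveUpdate server' privilege."""
    customized: bool = False           # Standard (False) or Customized (True) update source
    entries: list = field(default_factory=list)
    server_as_backup: bool = False     # 'Update from OfficeScan Server if all customized
                                       #  update sources are not available or not found'
    activeupdate_privilege: bool = False


def update_source_order(client_ip: str, cfg: UpdateSourceConfig) -> list:
    """Return the sources a client tries, in priority order.

    Assumption: entries whose IP range does not cover the client are skipped,
    so a client outside every range only has the backup sources, if any."""
    order = []
    if cfg.customized:
        # 1. customized entries covering this client, in list order
        order += [e.source for e in cfg.entries if e.covers(client_ip)]
        # 2. the OfficeScan server, only if enabled as the backup source
        if cfg.server_as_backup:
            order.append(OFFICESCAN_SERVER)
    else:
        # Standard update source: the OfficeScan server is the primary source
        order.append(OFFICESCAN_SERVER)
    # 3. ActiveUpdate is always the last resort, and only for privileged clients
    if cfg.activeupdate_privilege:
        order.append(ACTIVEUPDATE)
    return order


def resolve_update(client_ip: str, cfg: UpdateSourceConfig, reachable: set):
    """Walk the priority list and return the first reachable source, or None
    when every candidate fails (the client stays out of date)."""
    for source in update_source_order(client_ip, cfg):
        if source in reachable:
            return source
    return None


# Constructed sample configuration: an Update Agent serving a small range, a
# 'Specified' internal mirror for the whole site, the server as backup, and
# the ActiveUpdate privilege granted.  Names and addresses are made up.
SAMPLE_CONFIG = UpdateSourceConfig(
    customized=True,
    entries=[
        CustomizedEntry("10.1.0.1", "10.1.0.254", "agent-a"),
        CustomizedEntry("10.1.0.1", "10.1.255.254", "http://updates.example.internal/osce"),
    ],
    server_as_backup=True,
    activeupdate_privilege=True,
)


def demo() -> dict:
    """Show the order for two clients and what happens when sources fail."""
    return {
        "order_10.1.0.20": update_source_order("10.1.0.20", SAMPLE_CONFIG),
        "order_10.1.7.9": update_source_order("10.1.7.9", SAMPLE_CONFIG),
        # only the OfficeScan server answers: the client falls through to it
        "server_only": resolve_update("10.1.0.20", SAMPLE_CONFIG, {OFFICESCAN_SERVER}),
        # nothing answers: the client cannot update at all
        "nothing": resolve_update("10.1.0.20", SAMPLE_CONFIG, set()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two things the model makes visible: a client whose address falls outside every range in a customized list has no primary source at all unless the backup check box is selected, and a Specified entry delivers scan engines and pattern files exactly like the OfficeScan server does, so each such entry should point only at a host you control and the list should be reviewed whenever it changes.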
Using Automatic Deployment
Triggering automatic client deployment and configuring an update schedule is an easy and effective way of ensuring that clients always get the latest components from the server.
Tip: Trend Micro recommends always using Automatic Deployment. It removes the burden placed on clients of performing manual updates and eliminates the risk of client computers not having up-to-date components.
When the OfficeScan server is ready to perform an automatic deployment, it sends update notifications to clients, which inform them to check with the server for updated components.
Note: If the OfficeScan server is unable to successfully send an update notification to clients, it automatically resends the notification after 30 minutes. The server will continue to send update notifications up to a maximum of eight times until the client responds.
If the eighth attempt is unsuccessful, the server can remove the client from the notification queue and notify the client when it restarts and connects to the server. To do this, you must select the Deploy to clients for OfficeScan clients only and excluding roaming clients when they are restarted check box on the Automatic Deployment screen (see Using Automatic Deployment on page 2-16).
Specifying a schedule to deploy lets clients check the server for updates based on the schedule you specify. Using Automatic Deployment is a two-step process:
1. Grant clients the privilege to enable a scheduled update.
2. Configure settings for Schedule to deploy.
To update clients using Automatic Deployment:
1. On the sidebar, click Updates > Client Deployment > Automatic Deployment. The Automatic Deployment screen appears.
2. Under Event-triggered Deployment, select when to deploy the updates and whether to scan the client:
• Deploy to clients immediately after the OfficeScan server downloads a new component – the OfficeScan server initiates this update after it downloads the updated component(s) (selected by default). Also, decide whether to include roaming client(s).
• Deploy to clients for OfficeScan clients only and excluding roaming clients when they are restarted – the OfficeScan client (excluding roaming clients) initiates this update after it restarts and connects to the OfficeScan server (selected by default)
To scan the client after update, select the Scan the computer after update check box and click one of the following:
• Perform Cleanup Now and Scan Now: perform Cleanup Now and Scan Now on the client (selected by default)
• Perform Cleanup Now: only perform Cleanup Now on the client
3. Under Deployment Schedule, select how often to perform scheduled deployment:
• Minutes – to deploy every { } minutes. Select a number of minutes.
• Hours – to deploy every { } hours. Select a number of hours.
• Daily – to deploy daily. Select the start time and the length of deployment time.
• Weekly – to deploy weekly. Select a day.
If you select Minutes or Hours, the Update client configurations only once per day check box appears. If you do not select this check box, the OfficeScan client retrieves both the updated antivirus/anti-spyware components and any updated configuration files available on the server at the interval specified. If you select this check box, OfficeScan updates only the components at the interval specified and the configuration files once per day.
Tip: Trend Micro often updates antivirus and anti-spyware components; however, your OfficeScan configuration settings probably change less frequently. Updating the configuration files with the components requires more bandwidth and increases the time OfficeScan takes to complete the update. Trend Micro recommends selecting the Update client configurations only once per day check box to limit configuration file updates.
4. Ensure that you grant clients the privilege to enable a scheduled update (see Configuring Client Privileges and Settings on page 2-28).
Tip: Trend Micro recommends specifying an update schedule. If you do not specify a schedule, the clients will only be updated if you perform manual deployment from the console.
5. Click Save.
Using Manual Deployment
Update clients manually by pushing the updated components on the server to the clients using Manual Deployment.
To update clients using Manual Deployment:
1. On the sidebar, click Updates > Client Deployment > Manual Deployment. The Manual Deployment screen appears showing a summary of components, versions, and the last time OfficeScan updated them.
2. Under Update Target, choose to update all clients whose components are out of date or choose specific clients:
• To update all online clients, including roaming clients with functional connections to the server, click Select clients with out-of-date components and select the Include roaming client(s) check box
• To update specific clients, click Manually select clients and then click the Select button to choose specific clients. The Manual Deployment screen shows the client tree. Click the clients you want to update or click the root icon to update all clients.
3. After selecting all clients to update, click Notify. The server starts notifying each client to download the updates.
Using Update Now on the Client
Users can update OfficeScan client components themselves by performing Update Now on their client computers.
To perform Update Now on the client:
1. Right-click the OfficeScan icon in the system tray of the OfficeScan client machine. The OfficeScan shortcut menu appears.
2. Click Update Now!. The Update Now Settings screen appears.
3. If your network requires you to use a proxy server, select the Use a proxy server check box and enter the proxy server settings.
4. Click Update Now. A status screen appears showing the progress of the component download.
Note: If you are downloading directly from the Trend Micro update server, you can only update the virus pattern file, scan engine, Spyware/Grayware scan and cleanup pattern, and Damage Cleanup Services 3 template and engine.
Verifying a Client Update
Check the client update logs to verify that an update has been successfully deployed.
To view the Client Update Logs:
1. On the sidebar, click Logs > Update Logs > Client Update. The Client Update Logs screen appears.
2. Select the number of results to view on each page from the Display results per page list.
3. To sort the table, click the Time/Date or Update Components column headings.
4. To view the progress of a particular update, click View under the Progress column. The Client Update Progress screen appears, displaying the number of clients updated in every 15-minute interval and the total number of clients updated.
5. To view the details of a particular update, click View under the Detail column. The Client Update Detail screen appears.
Using Scheduled Update with NAT
The following issues may arise if your network uses Network Address Translation (NAT):
• Clients appear as offline on the Web console
• The OfficeScan server is not able to successfully notify clients of updates and configuration changes
You can work around these issues by pulling updated components and configuration files from the server to the client with a scheduled update. You can give clients the privilege to enable a scheduled update, which allows clients to automatically update both configuration files and antivirus components according to an Automatic Deployment schedule you set (see Configuring Client Privileges and Settings on page 2-28 for information on enabling scheduled update and Using Automatic Deployment on page 2-16 for information on setting an update schedule).
Do the following:
• Before installing the OfficeScan client on client machines, enable scheduled deployment on the server and grant clients the privilege to enable scheduled update.
If you do this after installing the OfficeScan client program, give clients the privilege to perform Update Now, and then perform the update on the client machine to obtain the updated configuration settings.
When clients perform a scheduled update, they will receive both the updated components and the configuration files.
Rolling Back Components
Rolling back refers to reverting to the previous version of a virus pattern file or scan engine. If the pattern file or scan engine that you are using is not functioning properly, roll back these components to their previous versions.
Note: You can roll back only the virus pattern file and scan engine. No other components can be rolled back.
OfficeScan uses different scan engines for each of the following clients:
• Windows 95/98/Me
• Windows NT/2000/XP/Server 2003
• Windows XP/Server 2003 on IA-64 architecture
You need to roll back these types of scan engines separately. The rollback procedure for all types of scan engines is the same.
Note: OfficeScan retains only the current and the previous versions of the scan engine and the last five pattern files.
To roll back the pattern file or scan engine:
1. On the sidebar, click Updates > Rollback. The Rollback screen appears showing the current versions of your virus pattern file and scan engine, and the previous versions of these components, if any.
2. Click Synchronize with Server under the appropriate section. The Rollback screen shows the client domain tree. To select all domains and clients, click the root icon. You can also search for clients by selected criteria, as well as change the client tree view. To select multiple, adjacent clients, click the first client in the range, hold down the SHIFT key, and then click the last client in the range.
3. Click Notify to roll back the pattern file or scan engine on the selected clients. A confirmation screen appears.
4. If an older version of the pattern file exists on the server, you can roll back both the client and the server. Click Rollback server and clients. The Rollback screen appears.
5. Select the clients to roll back.
6. Click Notify to roll back the pattern file on the selected clients. Click Back to return to the original Rollback screen.
The server notifies the selected clients to roll back the pattern file to synchronize with the server.
Verifying Client-Server Connection
OfficeScan represents the client connection status in the domain tree using icons. However, certain conditions may prevent the domain tree from displaying the correct client connection status. For example, if the network cable of a client is accidentally unplugged, the client will not be able to notify the server that it is now offline. This client will still appear as online in the domain tree.
You can verify client-server connection manually or by schedule from the Web console.
Note: Verify Connection does not allow the selection of specific domains or clients. It verifies the connection to all clients registered with the OfficeScan server.
To verify the client-server connection:
1. On the sidebar, click Clients. The domain tree for the Clients screen appears.
2. Click the domains or clients by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon.
3. On the sidebar, click Verify Connection. The Verify Connection screen appears.
4. Verify the connection manually or configure a verification schedule:
• To verify client-server connection manually: click Verify Now under Manual Verification.
• To verify client-server connection automatically:
a. Click the Scheduled Verification tab and select the Enable scheduled verification check box.
b. Choose from these options:
• Once – click to perform only one connection verification
• Hourly – click to verify the client-server connection every hour
• Daily – click to verify the client-server connection every day
• Weekly – click to verify the client-server connection every week and select a day from the list
c. Select a time for the verification to begin under Start time.
5. Click Save to save the verification schedule.
6. Check the client tree again to verify that the client status changed. Also, view the verify connection log for a summary of your connection verification. See Verify Connection Logs on page 7-4 for more information.
Setting Scan Options
OfficeScan provides these types of scans to protect your clients from viruses, malware, spyware, and other types of grayware:
• Manual Scan: occurs after user execution and completely scans all specified files. The length of the scan depends on the number of files and your hardware resources.
• Real-time Scan: You can set OfficeScan to scan a file in real time when opening or saving a file. If OfficeScan does not detect a virus, malware, spyware, or other grayware, the user can proceed with opening or saving the file. If OfficeScan does detect one of these security risks, it displays an alert message, showing the name of the infected file and the name of the security risk.
The speed of real-time scanning depends on its settings. You can increase the performance of real-time scans by specifying certain file types that are vulnerable to viruses or by limiting the maximum number of compression layers to scan.
• Scheduled Scan: A scheduled scan completely scans all files at the time and frequency configured. Use scheduled scans to automate routine scans on your clients and improve risk-management efficiency.
Note: Enabling the scanning of spyware and other types of grayware may generate a large amount of incident logs and alerts. OfficeScan may frequently detect several commonly used applications, such as Hotbar, and interpret them as spyware/adware. To prevent OfficeScan from detecting commonly used applications, add the application files to the Exclusion List for all types of scans (see Understanding Viruses and Malware on page 1-14 and Understanding Spyware and Other Types of Grayware on page 1-15 for more information on the types of threats OfficeScan can recognize and Excluding Files and Folders from Scans on page 2-27 for instructions on configuring the exclusions).
• Scan Now: Scan Now and Manual Scan are the same type of scan. The only difference is that you run Scan Now remotely from the Web console, while users run Manual Scan locally on the clients.
To access the Web console screens for any scan, click Clients on the sidebar and select clients from the client tree. Then click Scan Options > {scan type} on the sidebar. Click the help icon on any screen for specific configuration instructions.
Scan Options
Table 2-1 outlines the different scan options available and the selections you can make.

Scan Target | Description | Scan Type
All scannable files | Scan all files that the client opens or saves | All types
Use IntelliScan | Scan only files that are vulnerable to infection | All types
Scan files with the following extensions | Scan only files with certain extensions that you can select | All types
Scan compressed files | Scan up to 20 layers of compression | All types
Enable Exclusion list | Exclude certain directories, files, and extensions from scanning | All types
Scan memory | Scan the Random Access Memory (RAM) of the client | Manual and Scheduled
Scan boot area | Scan the boot sector of the hard disk on the client | All types
Scan hidden folders | Include hidden folders in any scan | Manual
Scan for Spyware/Grayware | Scan for common spyware and other grayware applications, such as adware, dialers, and key-loggers | All types
Scan mapped drives and shared folders on the network | Scan any network drives or folders that are mapped to the client computer | Manual and Real-time
Scan incoming file | Scan files the client is saving | Real-time
Scan outgoing file | Scan files the client is opening | Real-time
Scan floppy during system shutdown | Run Real-time Scan every time the client is shut down | Real-time
TABLE 2-1. Scan Targets

Scan Action | Description | Scan Type
Display an alert message on the client when a virus is detected | Have an alert message pop up on the client when a security risk is detected | Real-time and Scheduled
Use ActiveAction | Preconfigured scan actions for viruses, malware and other security risks from Trend Micro | All types
Use customized scan action | Select from among the following actions for each type of security risk: Pass (take no action on the file); Delete (delete the file); Rename (give the file a new name); Quarantine (put the file in the quarantine folder); Clean (attempt to remove the virus or malware from the file). You can select two actions. OfficeScan performs Action 2 only if Action 1 is not successful. | All types
Use the same action for all types | Select Pass, Delete, Rename, Quarantine, or Clean to apply to all types of security risks | All types
Back up files before cleaning | Save a copy of the file in the following directory on the client computer: OfficeScan Client/Backup | All types
Quarantine directory | Type a Uniform Resource Locator (URL) or Universal Naming Convention (UNC) path to store the infected files. If an invalid quarantine directory is specified, OfficeScan uses the default quarantine directory on the client: OfficeScan Client/SUSPECT | All types
CPU usage | Select one of the following: High (scan files one after another, without pausing between scans); Medium (pause slightly between file scans); Low (increase pause between file scans) | Manual and Scheduled
TABLE 2-2. Scan Actions

Excluding Files and Folders from Scans
To increase the performance of scanning and to skip files that are causing false alarms, you can exclude certain files and folders from scanning. The files and folders you add to the exclusion list will be skipped by Manual Scan, Real-time Scan, and Scheduled Scan.
To exclude files and folders from scanning:
1. On the sidebar, click Clients. The domain tree for the Clients screen appears.
2. Select the domains or clients on which to configure the scan options by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon.
3. On the sidebar, click Scan Options. Next, click the type of scan to perform (manual, real time, scheduled). The settings screen for that scan type appears.
4. In that settings screen, select the check box next to Enable Exclusion list. Click the Enable Exclusion list link. The Exclusion List screen appears.
5. To exclude all folders containing Trend Micro products and components, select the Exclude from scanning the directories where Trend Micro products are installed check box.
6. To exclude specific directories, type the directory names under Enter the directory path (E.g. c:\temp\ExcludeDir) and click Add.
Note: All subdirectories in the directory path you specify will also be excluded.
7. To exclude specific files by file name, type the file names under Enter the file name or file name with full path (E.g. ExcludeDoc.hlp; c:\temp\excldir\ExcludeDoc.hlp) and click Add.
8. Specify the files to exclude based on their extensions. To use specified extensions, select the extensions to protect and click the button that adds them to the list. To specify an extension that is not in the list, type it in the text box, and then click Add.
Note: Wildcard characters, such as "*", are not accepted for file extensions.
9. To apply this setting to all future clients that will belong to the domain you selected, click Save.
• To apply this setting to all existing and future clients that belong and will belong to the domain you selected, click Apply to All
• If you only selected a client or clients in Step 1, only Save will appear
Note: If Microsoft Exchange Server is running on your client machines, Trend Micro recommends excluding all Microsoft Exchange Server folders from scanning.
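The three kinds of exclusion entry in the procedure above (a directory, which also exempts every subdirectory; a file given by bare name or by full path, semicolon-separated; an extension, with no wildcards) each match a scanned path differently. The Python model below, added for this page and not OfficeScan's own matching code, applies those three stated rules to sample paths so the reach of each entry type is visible; the class and method names are assumed, and the sample list reuses the guide's own examples plus one assumed extension.

```python
"""Model of how exclusion list entries match a scanned path.

Added illustration for this page, not OfficeScan's own code.  Class and
method names are assumptions; the rules modelled are the ones the guide
states: an excluded directory covers all its subdirectories, a file may be
given by bare name or full path (semicolon-separated), and extensions accept
no wildcard characters.
"""
from pathlib import PureWindowsPath


class ExclusionList:
    def __init__(self):
        self.directories = []     # PureWindowsPath entries; subdirectories are implied
        self.file_names = set()   # bare file names, matched in any directory (lower-case)
        self.file_paths = []      # PureWindowsPath entries naming one specific file
        self.extensions = set()   # extensions without the leading dot (lower-case)

    def add_directory(self, path: str) -> None:
        self.directories.append(PureWindowsPath(path.strip()))

    def add_files(self, entries: str) -> None:
        """Accept the console's semicolon-separated form from step 7."""
        for entry in entries.split(";"):
            entry = entry.strip()
            if not entry:
                continue
            p = PureWindowsPath(entry)
            if len(p.parts) > 1:      # has directory components: a full path
                self.file_paths.append(p)
            else:                     # bare name: matches wherever it occurs
                self.file_names.add(p.name.lower())

    def add_extension(self, ext: str) -> None:
        ext = ext.strip().lstrip(".").lower()
        if not ext or any(ch in ext for ch in "*?"):
            raise ValueError("wildcard characters are not accepted for file extensions")
        self.extensions.add(ext)

    def is_excluded(self, path: str) -> bool:
        """True when a scan of the given path would skip it."""
        p = PureWindowsPath(path)
        # PureWindowsPath compares case-insensitively, as Windows paths do;
        # p.parents covers every ancestor, which is what 'subdirectories are
        # also excluded' means in practice
        if any(p == d or d in p.parents for d in self.directories):
            return True
        if p.name.lower() in self.file_names or p in self.file_paths:
            return True
        return p.suffix[1:].lower() in self.extensions


def build_sample_list() -> ExclusionList:
    """Constructed list using the guide's step 6 and 7 examples plus one
    assumed extension ('log' is not from the guide)."""
    ex = ExclusionList()
    ex.add_directory(r"c:\temp\ExcludeDir")
    ex.add_files(r"ExcludeDoc.hlp; c:\temp\excldir\ExcludeDoc.hlp")
    ex.add_extension("log")
    return ex


def classify(ex: ExclusionList, paths) -> dict:
    """Map each path to whether the scan would skip it."""
    return {path: ex.is_excluded(path) for path in paths}


if __name__ == "__main__":
    sample = build_sample_list()
    for path, skipped in classify(sample, [
        r"C:\temp\ExcludeDir\sub\deeper\sample.exe",   # inside excluded dir: skipped
        r"C:\temp\ExcludeDirectory\sample.exe",        # similar prefix only: scanned
        r"D:\docs\ExcludeDoc.hlp",                      # bare-name entry: skipped anywhere
        r"C:\data\report.LOG",                          # extension entry: skipped
        r"C:\data\report.txt",                          # no entry matches: scanned
    ]).items():
        print(f"{'SKIP' if skipped else 'SCAN'}  {path}")
```

The run shows the point that matters when reviewing an exclusion list: a bare file name exempts a file of that name in every directory, and a directory entry exempts everything beneath it, so an entry added to silence one false alarm can quietly remove scanning from far more than intended. Prefer the full-path form for individual files, and keep directory entries as narrow as the false alarm requires.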
Configuring Client Privileges and Settings
You can grant users the privilege of modifying the following items from their OfficeScan client main console:
• Scan settings: configure settings for all types of scans (see Scan Options on page 2-25)
• Firewall settings: enable or disable Enterprise Client Firewall, the Intrusion Detection System, and the Enterprise Client Firewall (see Configuring Enterprise Client Firewall on page 6-12)
• Proxy settings: set proxy server settings for any intranet proxy server located between the OfficeScan client and the OfficeScan server (see Setting the Intranet Proxy on page 2-4)
• Update privileges and settings: configure the source from which to obtain updates and the update method (see Updating OfficeScan on page 2-4)
• Uninstallation and unloading: allow the client user to remove or turn off the OfficeScan client program
To access the Web console screens for client privileges, click Clients on the sidebar and select clients from the client tree. Then click Client Privileges on the sidebar. Click the help icon on any screen for specific configuration instructions.
Configuring Global Settings
OfficeScan provides several types of settings that apply to all clients registered to the server.
• Scan Settings: includes settings for scanning compressed files, cleaning active spyware applications, and configuring Spyware/Grayware exclusion lists
• Alert Settings: display the OfficeScan splash screen on the client computer during startup and show an alert icon on your clients when the pattern file is outdated
• Scheduled Clean Settings: activate Damage Cleanup Services 3 automatic cleaning (see How Damage Cleanup Services Works on page 3-3)
• Reserved Disk Space and Watchdog Settings: reserve a minimum amount of disk space for updated components and protect client computers from hacker attacks by enabling the Watchdog. If the OfficeScan client unexpectedly terminates, which could happen if the client is under attack from a hacker, the Watchdog service restarts the OfficeScan client.
• Connection Settings: have your Windows 95/98/Me clients connect to the OfficeScan server with the server’s fully qualified domain name (FQDN) if clients are having problems connecting to the server using its domain or host name.
• Network Virus Log Consolidation: have clients send their network virus logs to the OfficeScan server, which will in turn send them to any registered Control Manager server. Use this information with Control Manager to create reports for network virus analysis.
• Virus Log Bandwidth Settings: have OfficeScan consolidate virus log entries when detecting multiple infections from the same virus or grayware application over a short period of time. OfficeScan may detect a single virus or grayware application multiple times, quickly filling the virus log and consuming network bandwidth when the client sends virus log information to the server. Enabling this feature helps reduce both the number of virus log entries made and the amount of network bandwidth clients consume when they report virus log information to the server.
• Grouping Rule: select a domain type to group clients in the domain tree. You can group by NetBIOS, Active Directory, or DNS domains.
To access the Web console screens for global settings, click Clients on the sidebar and select clients from the client tree. Then click Global Settings on the sidebar. Click the help icon on any screen for specific configuration instructions.
Importing and Exporting Policies
You may want many OfficeScan clients to have the same scan and/or client privilege
settings. OfficeScan allows you to save (export) client scan and privilege policies and
later import them to multiple clients. This provides an easy way to configure identical
settings on many clients.
To access the Web console screens for importing and exporting policies, click Clients > Import/Export on the sidebar. Click the help icon on any screen for specific configuration instructions.
Chapter 3
Eliminating Spyware, other Grayware, and Trojan Threats
This chapter explains how to configure OfficeScan to help eliminate spyware, other
types of grayware, and Trojan threats from the client computers on your network.
The topics in this chapter include:
• Potential Risks and Threats of Spyware and Other Grayware on page 3-2
• How Damage Cleanup Services Works on page 3-3
• Running Cleanup Now on page 3-5
• Configuring Anti-Spyware Settings on page 3-6
• Guarding Against Spyware on page 3-8
Potential Risks and Threats of Spyware and Other Grayware
Spyware and other types of grayware on your network have the potential to introduce
the following:
• Reduced computer performance: To perform their tasks, grayware applications often use significant CPU and system memory resources.
• Increased Web browser-related crashes: Certain types of grayware, such as adware, are often designed to create pop-up windows or display information in a browser frame or bar. Depending on how the code in these applications interacts with system processes, grayware can sometimes cause browsers to crash or freeze and may even require a system reboot.
• Reduced user efficiency: Grayware can unnecessarily distract users from their main tasks by forcing them to close frequently occurring pop-up advertisements and deal with the negative effects of joke programs.
• Degradation of network bandwidth: Grayware often regularly transmits the data it collects to other applications running on your network or to locations outside of your network, using up your network bandwidth.
• Loss of personal and corporate information: Not all data that grayware applications collect is as simple as a list of Web sites users visited. Grayware can also collect user names and passwords that allow access to both personal user accounts, such as a bank account, and corporate accounts on your network.
• Higher risk of legal liability: If computer resources on your network are hijacked, hackers may be able to utilize your computers to launch attacks or install grayware on computers outside your network. The participation of your network resources in these types of activities could leave your organization legally liable for damages incurred by third parties.
See Understanding Spyware and Other Types of Grayware on page 1-15 for a list of
spyware and other grayware types that OfficeScan can help eliminate.
The Trend Micro Solution
This version of Trend Micro OfficeScan has the ability to scan for, detect, and
remove a multitude of spyware and other grayware files and applications.
For instructions on configuring OfficeScan anti-spyware/grayware settings, see
Configuring Anti-Spyware Settings on page 3-6.
Unknown Grayware
You can send your viruses, infected files, Trojans, suspected worms, spyware, and
other suspicious files to Trend Micro for evaluation. To do so, contact your support
provider or visit the Trend Micro Submission Wizard URL:
http://subwiz.trendmicro.com/SubWiz
If you prefer to communicate via email, send a message to the following address:
virusresponse@trendmicro.com
See Contacting Trend Micro on page 9-18 for more information.
How Damage Cleanup Services Works
OfficeScan uses Damage Cleanup Services (DCS) 3 to protect your Windows
computers against Trojans (or Trojan horse programs), and to help rid your clients of
potentially unwanted spyware and other types of grayware.
Trojans
A Trojan is a malicious program that masquerades as a harmless application. Unlike
viruses, Trojans do not replicate but can be just as destructive. An application that
claims to rid your computer of viruses when it actually introduces viruses onto your
computer is an example of a Trojan. Traditional antivirus solutions can detect and
remove viruses but not Trojans, especially those that are already running on the
system.
The Damage Cleanup Services Solution
To address the threats and nuisances posed by Trojans and grayware, DCS does the
following:
• Detects and removes live Trojans and active grayware applications
• Kills processes that Trojans and grayware applications create
• Repairs system files that Trojans and grayware modify
• Deletes files and applications that Trojans and grayware drop
To accomplish these tasks, DCS makes use of these components:
• Damage cleanup engine: the engine Damage Cleanup Services uses to scan for and remove Trojans and Trojan processes
• Damage cleanup template: used by the damage cleanup engine, this template helps identify Trojan files and processes so the engine can eliminate them
• Spyware/Grayware cleanup pattern: a file the damage cleanup engine uses to help eliminate spyware/adware files and processes
In OfficeScan, DCS runs on the client on these occasions:
• Client users perform a manual cleanup from the OfficeScan client main console
• You perform Cleanup Now on the client from the OfficeScan server Web console
• Client users run Manual Scan, Scheduled Scan, or Scan Now (and cleaning for spyware and grayware is selected on the Global Client Settings screen for those clients; see the OfficeScan server online help for details)
• After hot fix or patch deployment (see About Hot Fixes, Patches, and Service Packs on page 1-13 for more information)
• When the OfficeScan service is restarted (the OfficeScan client Watchdog service must be selected to restart the client automatically if the client program unexpectedly terminates; enable this feature on the Global Client Settings screen, and see Configuring Global Settings on page 2-29 for details)
Because DCS runs automatically, you do not need to configure it. Users are not even
aware when it is executed because it runs in the background (when the client is
running). However, OfficeScan may sometimes notify the user to restart their
computer to complete the process of removing a Trojan or grayware application.
Running Cleanup Now
You can run Damage Cleanup Services (DCS) on your clients remotely by running
Cleanup Now. See Trend Micro Damage Cleanup Services (DCS) 3 on page 1-5 for
information on how DCS works.
To run Cleanup Now:
1. On the sidebar, click Clients. The domain tree for the Clients screen appears.
2. Click the domains or clients on which you want to run Cleanup Now by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon. You can also search for clients by selected criteria, such as computer name, IP address, virus pattern file version, etc. You can also change the client tree view.
3. On the sidebar, click Cleanup Now. The Cleanup Now screen appears, displaying the clients or domain members you selected.
4. Under Computer, click the clients on which you want to run Cleanup Now, and then click Start Notification. The server sends a request to the client to run Cleanup Now using the latest damage cleanup template that the OfficeScan server received from TrendLabs.
Click Select Un-notified Computers to select all clients that have not yet been notified.
To search for a specific computer, type all or part of its name in the Computer Name field.
If you want to stop notifications to clients that have not yet started Cleanup Now, do
the following:
To stop notifications:
1. Select the clients that you no longer want to run Cleanup Now.
2. Click Stop Notification. Clients that have not yet started Cleanup Now will skip the request. However, this will not affect clients that are already running Cleanup Now.
Configuring Anti-Spyware Settings
Configuring anti-spyware/grayware settings is a two-step process:
1. Configure all types of scans (Manual Scan, Real-time Scan, Scheduled Scan, and Scan Now) to scan for and remove spyware and other grayware files and applications.
2. Enable Damage Cleanup Services to clean up any remnants of spyware and other grayware applications and terminate any processes that spyware and other grayware applications may have executed.
To scan for and eliminate spyware and other types of grayware:
1. On the sidebar, click Clients. The domain tree for the Clients screen appears.
2. Click the domains or clients to which to grant privileges by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon.
3. On the sidebar, click Scan Options.
4. Click the type of scan settings to configure. The scan settings screen for that type of scan appears.
5. Select the Scan for Spyware/Grayware check box.
6. Click Save.
7. On the sidebar, click Clients. The domain tree for the Clients screen appears.
8. Click Global Client Settings. The Global Client Settings screen appears.
9. Select the Enable Damage Cleanup Services to clean Spyware/Grayware (running applications only) check box. This enables client computers to run DCS to clean up spyware and other grayware applications and processes that are currently running. This setting applies to all clients registered to the OfficeScan server.
10. If you want to prevent OfficeScan from scanning certain files that OfficeScan may consider grayware, select the Enable General Spyware/Grayware exclusion list check box and click the link to configure the exclusion list:
a. From the Type list box, select a type of spyware or other type of grayware.
Note:
Click the Spyware/Grayware Encyclopedia link to go to the Trend Micro Web site. Here you can view information about different types of grayware, as well as different types of viruses and other security risks.
b. Click the spyware or grayware applications or files.
c. To add other known applications or files, click Search and find the relevant file.
d. Click the Add button. The application or file is added to the exclusion list.
e. Click Save to close the exclusion list window.
11. If you want to prevent OfficeScan from scanning application and file types that
Trend Micro considers potentially legitimate and critical to the operation of your
client computers, select the Enable Critical Spyware/Grayware exclusion list
checkbox. By default, all of these items Trend Micro identifies are on the list.
Click the link to remove them.
a. From the Exclusion List list box, select a type of spyware or other type of grayware.
Note:
Click the Spyware/Grayware Encyclopedia link to go to the Trend Micro Web site. Here you can view information about different types of grayware, as well as different types of viruses and other security risks.
b. Click the Remove button. The application or file is added to the exclusion list.
c. Click Save to close the exclusion list window.
12. Click Save on the Global Client Settings screen.
13. To analyze your anti-spyware/grayware protection, view the Virus log, which is
where OfficeScan records spyware and other grayware detections (see Virus Logs
on page 7-2).
Tip:
Keep your OfficeScan anti-spyware/grayware components updated. View the
Spyware Protection Ratio screen to analyze the status of your
anti-spyware/grayware components (see Viewing the Spyware Protection Ratio
on page 3-8).
Note:
By default, OfficeScan includes detection for spyware and other types of grayware
when sending both standard and outbreak alerts (see Configuring Standard
Alerts on page 4-2 and Configuring Outbreak Alerts on page 4-2).
Viewing the Spyware Protection Ratio
To access the Web console screen for the Spyware Protection Ratio, click Summary
on the sidebar. Then click the number that represents the Spyware Protection Ratio
under Online Client Component Update Ratios.
The Spyware Protection Ratio is the number of clients with updated
anti-spyware/grayware components (damage cleanup engine and spyware/grayware
cleanup pattern) in relation to the total number of online clients. This ratio can help
you understand how up-to-date your anti-spyware/grayware cleanup capabilities are.
The Spyware Protection Ratio screen displays the number of up-to-date and
out-of-date client computers for online, offline, and roaming clients and for the total
number of clients.
Note:
Offline clients are not included in the ratio and are not represented in the graph.
Guarding Against Spyware
There are many steps you can take to prevent the installation of spyware and other
types of grayware onto your client computers. Trend Micro suggests making the
following standard practices part of the anti-spyware/grayware initiative in your
organization:
• Follow the recommended OfficeScan configuration steps in this chapter (see Configuring Anti-Spyware Settings on page 3-6)
• Educate your client users to do the following:
    Read the End User License Agreement (EULA) and included documentation of applications they download and install on their computers.
    Click No to any message asking for authorization to download and install software unless the client users are certain both the creator of the software and the Web site they are viewing are trustworthy.
    Disregard unsolicited commercial email (spam), especially if the spam asks users to click a button or hyperlink.
• Configure Web browser settings that ensure a strict level of security. Trend Micro recommends requiring Web browsers to prompt users before installing ActiveX controls. To increase the security level for Internet Explorer (IE), go to Tools > Internet Options > Security and move the slider to a higher level. If this setting causes problems with Web sites you want to visit, click Sites..., and add the sites you want to visit to the trusted sites list.
• If using Microsoft Outlook, configure the security settings so that Outlook does not automatically download HTML items, such as pictures sent in spam messages. Pictures are often used by creators of spyware and grayware.
• Disallow the use of peer-to-peer file-sharing services. Spyware and other grayware applications may be masked as other types of files your users may want to download, such as MP3 music files.
• Periodically examine the installed software on your client computers and look for applications that may be spyware or other grayware. If you find an application or file that OfficeScan cannot detect as grayware but you think is a type of grayware, send it to Trend Micro:
http://subwiz.trendmicro.com/SubWiz
TrendLabs will analyze the files and applications you submit.
If you prefer to communicate via email, send a message to the following address:
virusresponse@trendmicro.com
See Contacting Trend Micro on page 9-18 for more information.
• Keep your Windows operating systems updated with the latest patches from Microsoft. See the Microsoft Web site for details.
Chapter 4
Performing Additional Administrative Tasks
During OfficeScan server installation, you configured settings such as the Web
console password and the Web server IP address. If the need arises, you can still
modify many of these settings through the Web console at any time.
The topics in this chapter include:
• Changing the Web Console Password on page 4-2
• Configuring Standard Alerts on page 4-2
• Configuring Outbreak Alerts on page 4-2
• Setting the Intranet Proxy on page 4-3
• Changing OfficeScan Web Server Information on page 4-3
• Removing Inactive Clients on page 4-4
• Configuring the Quarantine Manager on page 4-4
• Participating in the World Virus Tracking Program on page 4-5
• Backing up the OfficeScan Database on page 4-5
To access the Web console screens for any administrative task, click Administration > {task name} on the sidebar. Click the help icon on any screen for specific configuration instructions on the following:
Changing the Web Console Password
To prevent unauthorized users from modifying your settings or removing the client
program from your computers, the Web console is password-protected. The
OfficeScan master setup program requires you to specify a Web console password;
however, you can modify your password from the Web console.
Configuring Standard Alerts
Send alerts to yourself or other administrators in your organization whenever
OfficeScan detects a virus, spyware, or other type of grayware on any client.
Standard alerts keep you informed about infections and instances of grayware on
your network.
Alerts for spyware and other types of grayware detections are enabled by default.
Configuring Outbreak Alerts
An outbreak refers to a sudden increase in viruses or detections of spyware and other
types of grayware on the network. You define the criteria for outbreaks; that is, how
many virus incidents or grayware detections occur within a certain period of time.
Responding to a virus outbreak is very critical. Unless you take corrective action, an
outbreak can spread quickly throughout and beyond your network.
To help you respond to outbreaks that may be developing on your network, send
outbreak alerts to yourself or other administrators in your organization whenever
your system meets the outbreak criteria you have defined (alerts for spyware and
other types of grayware detections are enabled by default).
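The outbreak criteria described above (a number of detections within a period of time) can be evaluated with a sliding window. This is an added example for readers of this guide, not OfficeScan code; the sample events, the threshold of 10 detections per hour and the per-kind split between virus and grayware are constructed assumptions.

```python
"""Outbreak criteria evaluation: an outbreak alert fires when at least
`threshold` detections of one kind (virus or spyware/grayware) fall inside any
window of length `period`. Added example, not OfficeScan code; sample events,
threshold and period are constructed."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Set, Tuple


@dataclass
class OutbreakAlert:
    kind: str                   # "virus" or "grayware"
    triggered_at: datetime      # time of the detection that met the criteria
    incidents: int              # detections inside the window at that moment
    affected_clients: Set[str]  # clients that reported them


def find_outbreaks(events, threshold, period):
    """events: (timestamp, kind, client) tuples in any order.

    A sliding window per kind keeps only detections newer than `period`; the
    first time a window holds `threshold` detections an alert is recorded.
    Only the first trigger per kind is kept, mirroring a single alert message
    rather than one alert per subsequent detection.
    """
    windows: Dict[str, Deque[Tuple[datetime, str]]] = {}
    alerts: Dict[str, OutbreakAlert] = {}
    for when, kind, client in sorted(events):
        q = windows.setdefault(kind, deque())
        q.append((when, client))
        while q and when - q[0][0] > period:   # expire detections older than the period
            q.popleft()
        if len(q) >= threshold and kind not in alerts:
            alerts[kind] = OutbreakAlert(kind, when, len(q), {c for _, c in q})
    return alerts


# Constructed sample: 12 virus detections 30 s apart spread over four clients,
# then three grayware detections a minute apart on one client.
SAMPLE_START = datetime(2006, 2, 1, 14, 0, 0)
SAMPLE_EVENTS = (
    [(SAMPLE_START + timedelta(seconds=30 * i), "virus", f"WS0{i % 4 + 1}") for i in range(12)]
    + [(SAMPLE_START + timedelta(minutes=5 + j), "grayware", "WS09") for j in range(3)]
)

if __name__ == "__main__":
    # Criteria: 10 detections within one hour (constructed values).
    found = find_outbreaks(SAMPLE_EVENTS, threshold=10, period=timedelta(hours=1))
    for kind, alert in found.items():
        print(f"{kind}: outbreak criteria met at {alert.triggered_at:%H:%M:%S}, "
              f"{alert.incidents} incidents on {sorted(alert.affected_clients)}")
```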
Modifying Client Alert Messages
OfficeScan can display alert messages on client machines to inform users of the
following events on their computers:
• Virus infections: appears on client machines when OfficeScan detects a virus
• Firewall violations: appears on client machines when you enable the Enterprise Client Firewall alert message and outbound traffic violates the firewall settings (see Configuring Policies on page 6-12)
• Infection source detections: appears on client machines when OfficeScan detects that the machine is the source of a spreading virus infection
OfficeScan provides a default message for each; however, you can modify the
message if necessary.
Setting the Intranet Proxy
The Web console uses two proxy settings: one for server-client communication on
the intranet and one for the server when it connects to the Internet to download
updates from the Trend Micro update server.
Server-client communications on the intranet do not normally require a proxy server.
However, if your network uses a proxy server for internal communications, you can
also set OfficeScan to use an intranet proxy.
Changing OfficeScan Web Server Information
The Web server allows you to use the Web console to perform key administrative
tasks for OfficeScan. During master setup, the installation program automatically sets
up a Web server. As soon as master setup is complete, you can start using the Web
console to configure OfficeScan.
However, if you modify the Web server settings externally (for example, from the IIS
management console), you must also make the changes in OfficeScan to ensure it
maintains server-client communication and that you can still gain access to the Web
console. For example, if you change the IP address of the server manually or if you
assign a dynamic IP address to it, you need to reconfigure the Web server settings of
OfficeScan.
Removing Inactive Clients
When you use the client uninstallation program to remove the client program from a
computer, the program automatically notifies the server. When the server receives
this notification, it removes the client icon in the domain tree to show that the client
does not exist anymore.
However, if the client is removed using other methods, such as reformatting the
computer hard drive or deleting the client files manually, OfficeScan will not be
aware of the removal and it will display the client as inactive. If a user unloads or
disables the client for an extended period of time, the server also displays the client
as inactive.
To have the domain tree only display active clients, you can configure OfficeScan to
automatically remove inactive clients from the domain tree.
Configuring the Quarantine Manager
Whenever a client detects a virus or other security risk in a file and the scan action is
quarantine, the OfficeScan client program encrypts the infected file, places it in the
OfficeScan client suspect folder, and sends it to the OfficeScan server quarantine
folder. OfficeScan encrypts the infected file to prevent it from infecting other files.
The default location of OfficeScan client suspect folder is as follows:
Program Files\Trend Micro\OfficeScan Client\SUSPECT
The default location of OfficeScan server quarantine folder is as follows:
OfficeScan\PCCSRV\Virus
Note:
If the OfficeScan client is unable to send the encrypted file to the OfficeScan
server for any reason, such as a network connection problem, the encrypted file
remains in the client’s suspect folder. The client attempts to resend the file when it
reconnects to the OfficeScan server.
For more information on configuring scan settings and to change the location of the
quarantine folder, see Setting Scan Options on page 2-23 and select any type of scan.
From the Quarantine Manager screen, you can configure the capacity of the
quarantine folder and the maximum individual file size for every infected file that
can be stored in it.
Participating in the World Virus Tracking Program
You can send scanning results from your OfficeScan installation to the World Virus
Tracking Program to better track trends in outbreaks. Your participation in this
program can benefit the attempt to better understand the development and spread of
threats.
When you installed OfficeScan, the installer asked you whether or not you want to participate in the World Virus Tracking Program; however, you can change this setting at any time.
To view the current Trend Micro virus map, click Virus Map or enter the following
address in your Web browser:
http://www.trendmicro.com/map
Backing up the OfficeScan Database
The database on the server contains all OfficeScan settings, including scan settings
and privileges. If the server database becomes corrupted, you can easily restore it if
you have a backup. You can back up the database manually at any time or configure a
schedule for automatic backup.
When you back up the database, OfficeScan automatically helps defragment the database and repairs any possible index file corruption.
Tip:
Trend Micro recommends configuring a schedule for automatic backup. Back up
the database during non-peak hours when demand on the server is low.
WARNING! Do not perform the backup with any other tool or software. Configure
database backup from the OfficeScan Web console only.
To restore the database backup files:
1. Stop the OfficeScan Master Service.
2. Overwrite the database files in \PCCSRV\HTTPDB with the backup files.
3. Restart the OfficeScan Master Service.
Chapter 5
Managing Outbreaks
OfficeScan provides several methods to manage outbreaks on your network. These
include enabling OfficeScan to monitor the network for suspicious activity, blocking
critical client computer ports and folders, sending outbreak alert messages to clients,
and cleaning up infected machines.
The topics in this chapter include:
• Using Outbreak Prevention on page 5-2
• Configuring Virus Outbreak Monitor on page 5-8
Using Outbreak Prevention
Use Outbreak Prevention to block specific shared folders, ports, and to deny write
access to specified files and folders on selected clients. Also configure an alert
message that appears on OfficeScan client machines.
WARNING! Enable Outbreak Prevention only when there is an outbreak. Configure the
Outbreak Prevention settings carefully. Incorrect configuration may cause
unforeseen network issues.
Once you enable Outbreak Prevention, verify that a green check mark appears in the
OPP column of the selected clients on the client tree.
After you disable Outbreak Prevention, Trend Micro recommends running Cleanup
Now to help rid your clients of Trojans and any running processes related to Trojans,
spyware, and other types of grayware (see Running Cleanup Now on page 3-5).
Blocking Shared Folders
During outbreaks, you can block shared folders on your network to prevent viruses
and other security risks from spreading through the shared folders.
To block shared folders:
1. On the sidebar, click Outbreak Prevention. The domain tree for the Clients screen appears.
2. Click the domains or clients on which to enable Outbreak Prevention by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon. You can also search for clients by selected criteria, as well as change the client tree view.
3. On the sidebar, click Deploy Now. The Outbreak Prevention Settings screen appears.
4. Under Outbreak prevention settings, select Block shared folders.
5. To configure the shared folder blocking settings, click Settings. The Shared Folder Blocking screen appears.
6. Under Shared Folder Blocking Settings, specify the access privilege to shared folders when you enable Outbreak Prevention. Click one of the following:
• Read access only
• No read or write access
7. Click Save to save your settings.
8. Click OK.
9. Click Back to return to the Outbreak Prevention Settings screen.
10. Click Activate Settings to enable Outbreak Prevention on the selected domains or clients. The Outbreak Prevention screen appears, showing the current outbreak prevention settings.
Blocking Ports
During outbreaks, you can block vulnerable ports that viruses and Trojans might use
to gain access to clients.
WARNING! Configure Outbreak Prevention settings carefully. Blocking ports that are in
use will make network services that depend on them unavailable. If you block
the Trusted port, OfficeScan cannot communicate with the client for the
duration of the outbreak.
The trusted port, set during OfficeScan server installation, is used for communication
between the OfficeScan server and clients. Only block it if absolutely necessary.
To block ports:
1. On the sidebar, click Outbreak Prevention. The domain tree for the Clients screen appears.
2. Click the domains or clients on which to enable Outbreak Prevention by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon.
3. On the sidebar, click Deploy Now. The Outbreak Prevention Settings screen appears.
4. Under Outbreak prevention settings, select the Block ports check box.
5. To configure the port blocking settings, click Settings. The Port Blocking screen appears.
6. If you want to block the trusted port, which the server and client use for communication, select Block trusted port.
7. To add ports to block, click Add Ports. The Add Ports to Block screen appears.
8. Specify which ports to block. Click one of the following:
• Block all ports (Including ICMP) – click if you want to block all ports, including those ports that handle Internet Control Message Protocol (ICMP) communications.
Note:
Clicking Block all ports (including ICMP) will block all ports except the trusted port. To block the trusted port, select the Block trusted ports check box on the Port Blocking screen.
• Block specified ports – specify the ports to block.
9. Click OK. A confirmation screen appears.
10. Click OK. The Port Blocking screen appears, showing a summary of the port blocking settings, including the blocked ports, protocol, comments, and traffic direction.
11. Click Back to return to the Outbreak Prevention screen.
12. Click Activate Settings to enable Outbreak Prevention on the selected domains or clients. The Outbreak Prevention screen appears, showing your current outbreak prevention settings.
To modify existing port blocking settings, see the next section Changing Port
Blocking Settings on page 5-4.
Changing Port Blocking Settings
You can modify the following settings of entries on the Port Blocking Settings list:
• Traffic direction – block incoming and/or outgoing traffic
• Port number – modify the number of any port or enter a range of ports for each entry in the list
• Traffic protocol – specify TCP, UDP or both
• Comments – add any comments to describe the entry on the list
To modify the existing settings of an individual port from the Port Blocking screen:
1. On the sidebar, click Outbreak Prevention. The domain tree for the Clients screen appears.
2. Click the domains or clients on which to enable Outbreak Prevention by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon.
3. On the sidebar, click Deploy Now. The Outbreak Prevention Settings screen appears.
4. Under Outbreak prevention settings, select the Block ports check box.
5. To configure the port blocking settings, click Settings. The Port Blocking screen appears.
6. Click the icon under the Edit column for the port entry you want to edit. The Port Blocking Settings screen appears.
7. Select whether to block incoming and/or outgoing traffic.
8. Click Port range and type the port numbers to block all ports within a range or click Port number(s) and type one or more individual port numbers to block a set of ports.
9. Modify the protocol used by the port(s) by selecting TCP, UDP, or TCP/UDP from the Protocol menu.
10. Type a description in the port(s) Comments field, which typically provides a descriptive name for the port(s).
11. Click OK. A confirmation screen appears.
12. Click OK again to return to the Port Blocking screen.
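Before activating port blocking it helps to check what a set of entries will actually block, since a blocked service port or trusted port is only discovered when something stops working. The following is an added example for readers of this guide, not OfficeScan code: it models the Port Blocking Settings fields (traffic direction, port number(s) or range, protocol, comment), the Block all ports (including ICMP) option and the trusted-port exemption. Extending the exemption to specified-port entries, the trusted port number 8080 and the rules themselves are constructed assumptions.

```python
"""Outbreak Prevention port-blocking rules, modelled as an added example (not
OfficeScan code). The trusted port stays open unless 'Block trusted port' is
set; the guide states this for 'Block all ports', and applying the same
exemption to specified ports is an assumption. Port numbers are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def parse_ports(spec: str) -> Set[int]:
    """'135-139' -> {135, ..., 139}; '445, 4444' -> {445, 4444}.

    Rejects empty specs and anything outside 1-65535 so a typo cannot silently
    produce an entry that matches nothing.
    """
    result: Set[int] = set()
    for piece in spec.split(","):
        piece = piece.strip()
        if not piece:
            continue
        if "-" in piece:
            lo, hi = (int(x) for x in piece.split("-", 1))
        else:
            lo = hi = int(piece)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port specification: {piece!r}")
        result.update(range(lo, hi + 1))
    if not result:
        raise ValueError("empty port specification")
    return result


@dataclass
class PortRule:
    direction: str   # "incoming", "outgoing" or "both"
    ports: str       # port number(s) or a range, as typed on the screen
    protocol: str    # "TCP", "UDP" or "TCP/UDP"
    comment: str = ""

    def matches(self, proto: str, port: int, direction: str) -> bool:
        if proto.upper() not in self.protocol.upper().split("/"):
            return False
        if self.direction != "both" and self.direction != direction:
            return False
        return port in parse_ports(self.ports)


@dataclass
class PortBlockingPolicy:
    trusted_port: int
    block_all_ports: bool = False      # "Block all ports (including ICMP)"
    block_trusted_port: bool = False   # "Block trusted port"
    rules: List[PortRule] = field(default_factory=list)

    def is_blocked(self, proto: str, port: Optional[int] = None,
                   direction: str = "incoming") -> Tuple[bool, str]:
        """Decide whether traffic would be blocked once the settings are activated.

        proto is 'TCP', 'UDP' or 'ICMP' (ICMP carries no port). The reason is
        returned too, which is what an administrator wants when a service stops
        working after Outbreak Prevention is enabled.
        """
        proto = proto.upper()
        if proto == "ICMP":
            if self.block_all_ports:
                return True, "block all ports (including ICMP)"
            return False, "ICMP is only blocked by the block-all option"
        if port == self.trusted_port and not self.block_trusted_port:
            return False, "trusted port kept open for server-client communication"
        if self.block_all_ports:
            return True, "block all ports"
        for rule in self.rules:
            if rule.matches(proto, port, direction):
                return True, f"entry '{rule.comment or rule.ports}' ({rule.direction}, {rule.protocol})"
        return False, "no matching entry"


def build_sample_policy(block_all: bool = False, block_trusted: bool = False) -> PortBlockingPolicy:
    """Constructed policy; trusted port 8080 is an assumption, not the product default."""
    return PortBlockingPolicy(
        trusted_port=8080,
        block_all_ports=block_all,
        block_trusted_port=block_trusted,
        rules=[
            PortRule("incoming", "135-139", "TCP", "NetBIOS"),
            PortRule("both", "445", "TCP/UDP", "SMB"),
            PortRule("outgoing", "6667, 6668", "TCP", "IRC"),
        ],
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    for proto, port, direction in [("TCP", 139, "incoming"), ("TCP", 139, "outgoing"),
                                   ("UDP", 445, "outgoing"), ("TCP", 8080, "incoming"),
                                   ("ICMP", None, "incoming")]:
        blocked, why = policy.is_blocked(proto, port, direction)
        print(f"{proto:4} {str(port):5} {direction:8} -> {'BLOCK' if blocked else 'allow'}: {why}")
```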
Denying Write Access to Files and Folders
Viruses can modify or delete files and folders on their host computers. You can
configure OfficeScan to prevent viruses from modifying or deleting files and folders
on your clients during a virus outbreak.
To deny write access to files and folders:
1.
On the sidebar, click Outbreak Prevention. The domain tree for the Clients
screen appears.
2.
Click the domains or clients on which to enable Outbreak Prevention by clicking
the corresponding icons in the domain tree. To select all domains and clients,
click the root icon.
3.
On the sidebar, click Deploy Now. The Outbreak Prevention Settings screen
appears.
5-5
Trend Micro™ OfficeScan™ 7.3 Administrator’s Guide
4. Under Outbreak prevention settings, select Deny write files and folders.
5. To configure the shared folder blocking settings, click Settings. The Deny Write Settings screen appears.
6. To protect specific directories and file name extensions, type the path of the directory to protect in Directory path. For example, you can type C:\Windows\System32. Make sure you type the absolute path, not the virtual path, for the directory. If you are typing multiple paths, separate entries with semicolons (;).
When you finish typing the directory path you want to protect, click Add. The path appears under Protected directories. Before continuing, make sure all the directories that you want to protect appear under Protected directories.
Note:
OfficeScan protects all subdirectories in the directory path you specify.
Specify which files to protect in the Protected directories list based on their extensions. Click one of the following:
• All files in the protected directories
• Files in the protected directories with the following extensions
To use specified extensions, select the extensions to protect from the Extensions list and click the icon next to the list.
To specify an extension that is not in the list, type it in the text box, and then click Add. If typing multiple extensions, separate entries with semicolons (;).
To protect specific files, type the full file names under Files to Protect.
7. Click Save to save the settings. A confirmation screen appears.
8. Click OK. The directory path to protect is visible under Protected Directories in the Deny Write Settings screen.
9. Click Back to return to the Outbreak Prevention Settings screen.
10. Click Activate Settings to enable Outbreak Prevention on the selected domains or clients. The Outbreak Prevention screen appears, showing the current outbreak prevention settings.
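The matching rules this procedure describes (absolute directory paths separated by semicolons, subdirectories included, protection of all files or only of listed extensions, plus individually named files) can be modelled to check a candidate configuration before deploying it during an outbreak. The Python below is an added illustration, not OfficeScan code; the sample paths are constructed, and treating Files to Protect entries as full paths is an assumption.

```python
"""Model of the "deny write" matching rules in Outbreak Prevention.

Added illustration, not OfficeScan code. It mirrors the documented rules:
directory paths are absolute and semicolon-separated, every subdirectory
of a protected directory is covered, files are protected either all or by
extension, and individually named files are protected wherever they are.
Assumption: entries under "Files to Protect" are full paths.
"""
import ntpath  # Windows path semantics, usable on any platform
from dataclasses import dataclass, field


@dataclass
class DenyWriteSettings:
    directories: list = field(default_factory=list)  # normalised absolute paths
    all_files: bool = True          # "All files in the protected directories"
    extensions: list = field(default_factory=list)   # used when all_files is False
    files: list = field(default_factory=list)        # "Files to Protect" (full paths)


def _split(entry: str) -> list:
    """Split a semicolon-separated console field, ignoring blank entries."""
    return [e.strip() for e in entry.split(";") if e.strip()]


def _norm(path: str) -> str:
    """Windows paths are case-insensitive and accept either slash; canonicalise."""
    return ntpath.normcase(ntpath.normpath(path))


def build_settings(dir_entry: str, ext_entry: str = "",
                   file_entry: str = "") -> DenyWriteSettings:
    """Convert the three console text fields into settings.

    Rejects any directory that is not an absolute drive path, because the
    guide requires the absolute path rather than a virtual path such as an
    environment-variable form.
    """
    dirs = []
    for d in _split(dir_entry):
        if not ntpath.isabs(d) or not ntpath.splitdrive(d)[0]:
            raise ValueError(f"directory path must be absolute: {d!r}")
        dirs.append(_norm(d))
    exts = [e.lower().lstrip(".") for e in _split(ext_entry)]  # "exe" and ".exe" alike
    return DenyWriteSettings(directories=dirs, all_files=not exts, extensions=exts,
                             files=[_norm(f) for f in _split(file_entry)])


def _under(path: str, directory: str) -> bool:
    """True when path is directory itself or lies anywhere below it."""
    return path == directory or path.startswith(directory.rstrip("\\") + "\\")


def is_write_protected(path: str, settings: DenyWriteSettings) -> bool:
    """Would OfficeScan deny a write to this path under these settings?"""
    p = _norm(path)
    if p in settings.files:                      # named files are protected outright
        return True
    if not any(_under(ntpath.dirname(p), d) for d in settings.directories):
        return False                             # outside every protected tree
    if settings.all_files:
        return True
    ext = ntpath.splitext(p)[1].lstrip(".").lower()
    return ext in settings.extensions            # extensionless files stay writable


if __name__ == "__main__":
    # Constructed configuration: protect system binaries and a finance share.
    cfg = build_settings("C:\\Windows\\System32;D:\\Shares\\Finance", "exe;dll", "C:\\boot.ini")
    for candidate in ("C:\\Windows\\System32\\drivers\\etc\\hosts",
                      "c:/windows/system32/KERNEL32.DLL", "D:\\Shares\\Finance\\Q1\\report.xls"):
        print(candidate, "->", "denied" if is_write_protected(candidate, cfg) else "writable")
```

Note that with an extension filter an extensionless file inside a protected directory (the hosts file in the sample) remains writable; choose All files for directories where that matters.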
Managing Outbreaks
Configuring Client Notification for Outbreaks
To inform users that Outbreak Prevention is active, you can display outbreak
notifications on OfficeScan client computers.
To display outbreak notifications on clients:
1. On the sidebar, click Outbreak Prevention. The domain tree for the Clients screen appears.
2. Click the domains or clients on which to enable Outbreak Prevention by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon.
3. On the sidebar, click Deploy Now. The Outbreak Prevention Settings screen appears.
4. Select the When OPP is enabled, display the following message on the OfficeScan clients check box.
5. Accept the default message or type a new message in the text box.
6. Click Activate Settings to save your settings.
Note:
You can also configure outbreak alerts to send to yourself or OfficeScan administrators via email, pager, SNMP trap, or Windows NT event log (see Configuring Outbreak Alerts on page 4-2).
Disabling Outbreak Prevention
When you are confident that an outbreak has been contained and that all infected files
are cleaned or quarantined, you can restore your network settings to normal by
disabling Outbreak Prevention.
To disable Outbreak Prevention:
1. On the sidebar, click Outbreak Prevention. The domain tree for the Clients screen appears.
2. Click the domains or clients on which to enable Outbreak Prevention by clicking the corresponding icons in the domain tree. To select all domains and clients, click the root icon.
3. On the sidebar, click Restore. The Restore Outbreak Prevention Settings screen appears.
4. If you want to inform users that the outbreak is over, select the check box under Outbreak prevention disabled alert message. You can accept the default message or create a new one by typing your message in the Alert message text box.
5. Click Restore to normal.
6. The Outbreak Prevention Policy screen displays a message that Outbreak Prevention is disabled on the selected domains and computers.
To verify that Outbreak Prevention is disabled, verify that a green check mark no longer appears in the OPP column of the selected clients on the client tree.
Note:
If you do not restore network settings manually, OfficeScan restores them when the number of hours specified in Automatically restore network settings to normal after { } hours on the Outbreak Prevention Settings screen passes. The default setting is 48 hours.
Configuring Virus Outbreak Monitor
You can have OfficeScan clients monitor the network for suspicious activity that may
signal an infection or attack. An excessive number of network sessions running
simultaneously may be an indicator that clients on the network are infected or are
under attack. You can configure an alert message that OfficeScan can send if this
occurs.
To configure Virus Outbreak Monitor:
1. Click Virus Outbreak Monitor in the sidebar. The Virus Outbreak Monitor screen appears.
2. Select the Enable Virus Outbreak Monitor check box.
3. Under Alert Criteria for Virus Outbreak Monitor, type both the minimum number of network sessions and the time period (in minutes) during which they are detected. These criteria determine when to send an alert message.
Tip:
In determining the number of network sessions, Trend Micro suggests taking the number of clients divided by 10 (#clients/10) for every three minutes.
4. To send an alert message, select the Send a notification via email if alert criteria are met check box.
5. If you enable an alert message, fill in these fields under Alert message settings:
• SMTP – type the domain name of the mail server
• Port Number – type the port number that the OfficeScan server uses to communicate with the mail server (default is 25)
• To – type the destination email address
• From – type the name of the sender
• Subject – type the subject of the alert
• Message – type the alert message
6. Click Save to save the settings.
To view and save Virus Outbreak Monitor records:
1. Click the link that displays the number of Network sessions recorded under Current Status. The Virus Outbreak Monitor Records screen appears.
2. To save the log as a comma-separated value (CSV) data file, click Export to CSV. A confirmation screen appears.
3. Click Open to view the file in your spreadsheet application without saving it.
4. Click Save and then specify the location to which you want to save the CSV file.
Note:
Use a spreadsheet application to view CSV data files.
Chapter 6
Configuring Enterprise Client Firewall
This chapter describes how to configure Enterprise Client Firewall settings to help
protect your clients from hacker attacks and network viruses.
The topics in this chapter include:
• Understanding Enterprise Client Firewall on page 6-4
• Deploying the Firewall on page 6-8
• Verifying Deployment on page 6-11
• Configuring Enterprise Client Firewall on page 6-12
• Disabling the Firewall on page 6-15
Enterprise Client Firewall Features
Enterprise Client Firewall helps protect OfficeScan Windows NT/2000/XP/Server
2003 clients from hacker attacks and network viruses by creating a barrier between
the client and the network.
Traffic Filtering
Enterprise Client Firewall filters all incoming and outgoing traffic, providing the ability to block certain types of traffic based on the following criteria:
• Direction (incoming or outgoing)
• Protocol (TCP/UDP/ICMP)
• Destination ports
• Destination computer
Scanning for Network Viruses
Enterprise Client Firewall also examines each packet to determine if it is infected
with a network virus (see Network Viruses on page 1-15 for more information).
Customized Profiles and Policies
Enterprise Client Firewall gives you the ability to configure policies to block or allow
specified types of network traffic. Assign a policy to one or more profiles, which you
can then deploy to specified OfficeScan clients. This provides a highly customized
method of organizing and configuring Enterprise Client Firewall settings for your
clients.
Stateful Inspection
Enterprise Client Firewall is a stateful inspection firewall; it monitors all connections
to the client and remembers all connection states. It can identify specific conditions in
any connection, predict what actions should follow, and detect when normal
conditions are violated. Filtering decisions, therefore, are based not only on profiles
and policies, but also on the context established by analyzing connections and
filtering packets that have already passed through the firewall.
Intrusion Detection System
Enterprise Client Firewall also includes an Intrusion Detection System (IDS). When
enabled, IDS can help identify patterns in network packets that may indicate an attack
on the client. Enterprise Client Firewall can help prevent the following well-known
intrusions:
Too Big Fragment, Ping of Death, Conflicted ARP, SYN flood, Overlapping
Fragment, Teardrop, Tiny Fragment Attack, Fragmented IGMP, LAND attack
Firewall Outbreak Monitor
Firewall Outbreak Monitor sends a customized alert message to specified recipients
when log counts exceed certain thresholds, which may signal an attack.
Client Firewall Privileges
Grant clients the privilege to view the Enterprise Client Firewall tab on the OfficeScan client program. The Enterprise Client Firewall tab displays the Enterprise Client Firewall settings for the client. Also grant users the privilege to enable or disable the firewall, the Intrusion Detection System, and the Enterprise Client Firewall Alert message (see Configuring Client Privileges and Settings on page 2-28).
Note:
You can install, configure, and use Trend Micro Enterprise Client Firewall on Windows XP machines that also have Internet Connection Firewall™ enabled. However, you must manage your policies carefully to avoid creating conflicting firewall policies and producing unexpected results.
For example, if you configure one firewall to allow traffic from a certain port but the other firewall blocks traffic from the same port, the traffic will be blocked.
See your Microsoft documentation for details on Internet Connection Firewall.
Understanding Enterprise Client Firewall
The following steps are necessary to successfully deploy and use Enterprise Client
Firewall:
1. Create a policy – the policy allows you to select a security level that blocks or allows all client traffic and enables firewall functions.
2. Add exceptions to the policy – exceptions allow clients to deviate from a policy. With exceptions, you can specify clients, and allow or block certain types of client traffic, despite the security level setting in the policy. For example, you can block all traffic for a set of clients in a policy, but create an exception that allows HTTP traffic so clients can access a Web server.
3. Create a profile – the profile allows you to choose a policy (which includes exceptions) to associate with the profile, specify which clients receive the profile, and set client privileges that allow or restrict users from modifying firewall settings.
4. Select profiles and deploy them to clients – select which profiles you want to use and deploy them to the clients specified in the profile.
Tip:
Trend Micro recommends uninstalling other software-based firewalls on OfficeScan clients before deploying and enabling Enterprise Client Firewall. Multiple vendor firewall installations on the same computer may produce unexpected results.
For the latest information regarding third-party firewall compatibility issues, see Knowledge Base Solution ID 20473. It is available at the following Web site:
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=20437
Understanding Policies, Exceptions, and Profiles
Enterprise Client Firewall uses policies, exceptions, and profiles to organize and
customize methods for protecting clients on the network.
Policies
Policies are comprised of the following:
• Security level – a general setting that blocks or allows all incoming and/or all outgoing traffic
• Enterprise Client Firewall settings – enable or disable Enterprise Client Firewall, the Intrusion Detection System, and an alert message
• An exception list – a list of configurable exceptions to block or allow various types of network traffic
Exceptions
Exceptions are comprised of more specific settings to allow or block different kinds of traffic based on client computer port number(s) and IP address(es). You can configure a list of exceptions to associate with each policy. The exceptions in the list override the Security level setting in a policy.
Exception settings include the following:
• Action – block or allow all traffic that meets the exception criteria
• Direction – inbound or outbound network traffic to/from the client
• Protocol – the type of traffic: TCP, UDP, ICMP
• Port(s) – ports on the client computer on which to perform the action
• Computers – the computers on the network to which the above traffic criteria apply
Configuring Exceptions: an Example
During an outbreak you may choose to block all client traffic, including the HTTP
port (port 80). However, if you still want to grant the blocked clients access to the
Internet, you can add the Web proxy server to the exception list.
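The decision rule described above (a security level that allows or blocks everything, overridden by whichever exception matches a packet's direction, protocol, port and remote computer) can be written out to check what a policy will do before it is deployed. The Python below is an added illustration, not OfficeScan code; it assumes the security level is one allow/block flag per direction, that exceptions are checked in list order with the first match winning, and that the addresses and the OfficeScan trusted port used are constructed sample values.

```python
"""Model of how an Enterprise Client Firewall policy decides on traffic.

Added illustration, not OfficeScan code. Per the guide, a policy's security
level allows or blocks all traffic and its exceptions (action, direction,
protocol, ports, computers) override that level. Assumptions: the level is
modelled as one allow/block flag per direction, exceptions are evaluated in
list order and the first match wins, and the addresses and the OfficeScan
trusted port used below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    direction: str   # "inbound" or "outbound" relative to the client
    protocol: str    # "TCP", "UDP" or "ICMP"
    port: int        # the port the exception is checked against (0 for ICMP)
    remote_ip: str   # the other computer involved


@dataclass
class TrafficException:
    name: str
    action: str                  # "allow" or "block"
    direction: str               # "inbound", "outbound" or "both"
    protocol: str                # "TCP", "UDP", "ICMP" or "TCP/UDP"
    ports: object = None         # None = all, (lo, hi) = range, [p, ...] = specified
    computers: object = None     # None = all, "a.b.c.d", ("from", "to") or "net/mask"


@dataclass
class Policy:
    name: str
    allow_inbound: bool          # security level, inbound half
    allow_outbound: bool         # security level, outbound half
    exceptions: list = field(default_factory=list)


def _port_ok(rule, port: int) -> bool:
    if rule is None:
        return True
    if isinstance(rule, tuple):
        lo, hi = rule
        return lo <= port <= hi
    return port in rule


def _computer_ok(rule, ip: str) -> bool:
    if rule is None:
        return True
    addr = ipaddress.ip_address(ip)
    if isinstance(rule, tuple):                       # inclusive IP range
        return ipaddress.ip_address(rule[0]) <= addr <= ipaddress.ip_address(rule[1])
    if "/" in rule:                                   # subnet as address/mask or prefix
        return addr in ipaddress.ip_network(rule, strict=False)
    return addr == ipaddress.ip_address(rule)         # single IP


def matches(exc: TrafficException, pkt: Packet) -> bool:
    return (exc.direction in (pkt.direction, "both")
            and pkt.protocol in exc.protocol.split("/")   # "TCP/UDP" covers both
            and _port_ok(exc.ports, pkt.port)
            and _computer_ok(exc.computers, pkt.remote_ip))


def decide(policy: Policy, pkt: Packet) -> tuple:
    """Return (verdict, reason): exceptions first, then the security level."""
    for exc in policy.exceptions:
        if matches(exc, pkt):
            return exc.action, f"exception '{exc.name}'"
    allowed = policy.allow_inbound if pkt.direction == "inbound" else policy.allow_outbound
    return ("allow" if allowed else "block"), "security level"


def outbreak_policy(proxy_ip="10.0.0.5", officescan_server="10.0.0.2",
                    trusted_port=12345) -> Policy:
    """Block-all level with permissive exceptions: the guide's outbreak case,
    keeping only the Web proxy and the OfficeScan server reachable."""
    return Policy("Outbreak lockdown", allow_inbound=False, allow_outbound=False,
                  exceptions=[
                      TrafficException("Web proxy", "allow", "outbound", "TCP",
                                       ports=[80], computers=proxy_ip),
                      TrafficException("OfficeScan server", "allow", "both", "TCP",
                                       ports=[trusted_port], computers=officescan_server),
                  ])


def everyday_policy() -> Policy:
    """Allow-all level with a restrictive exception blocking an unneeded inbound service."""
    return Policy("Normal operation", allow_inbound=True, allow_outbound=True,
                  exceptions=[TrafficException("No inbound Telnet", "block",
                                               "inbound", "TCP", ports=[23])])


if __name__ == "__main__":
    lockdown = outbreak_policy()
    for pkt in (Packet("outbound", "TCP", 80, "10.0.0.5"),    # to the proxy: allowed
                Packet("outbound", "TCP", 80, "10.0.0.6"),    # any other Web server: blocked
                Packet("inbound", "TCP", 12345, "10.0.0.2")):  # OfficeScan server: allowed
        print(pkt, "->", decide(lockdown, pkt))
```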
Profiles
OfficeScan uses profiles to specify the clients to which the associated policy applies
and to set client firewall privileges. You can group scan and update settings logically
by OfficeScan domain or by selecting individual clients. Profiles provide flexibility
by allowing you to choose the criteria that a client or group of clients must meet
before applying a policy. Profiles are comprised of the following:
• An associated policy – each profile uses a single policy
• Client criteria – the policy is applied to clients that meet the following criteria:
  IP address – a client that has a certain IP address, clients who fall within a range of IP addresses, or clients whose IP address belongs to a specified subnet
  Domain – clients that belong to a certain OfficeScan domain
  Machine name – clients with specified machine names
  Platform – clients that are running either Windows Server (NT/2000/Server 2003) or Windows Workstation (NT/2000/XP)
  Logon Name – clients onto which specified users have logged on
  Client status – if clients are online or offline
  Select any combination of client criteria to specify client machines
• User Privileges – allow or prevent client users from doing the following:
  Changing the security level specified in a policy
  Editing the exception list associated with a policy
Note:
OfficeScan applies Enterprise Client Firewall profiles to clients in the order in which the profiles appear in the profile list. For example, if a client matches the first profile, OfficeScan applies the actions configured for that profile to the client. The other profiles configured for that client are ignored.
Firewall Defaults
Enterprise Client Firewall provides default policies, exceptions, and profiles to give
you a basis for initiating your client firewall protection strategy. The defaults are
meant to include common conditions that may exist on your clients, such as
installations for the Cisco NAC Trust Agent and the need to access the ScanMail for
Microsoft Exchange Web console.
Default Policy Name | Security Level | Client settings | Exceptions | Recommended use
----------------------------------------------------------------------------------------
All access | Low | Enable firewall | none | Use to allow clients unrestricted access to the network
Cisco Trust Agent for Cisco NAC | Low | Enable firewall | Allow incoming/outgoing UDP traffic through port 21862 | Use when clients have a Cisco Trust Agent (CTA) installation
Communication Ports for TMCM | Low | Enable firewall | Allow all incoming/outgoing TCP/UDP traffic through ports 80 and 10319 | Use when clients have a Control Manager agent installation
ScanMail for Microsoft Exchange (SMEX) console | Low | Enable firewall | Allow all incoming/outgoing TCP traffic through port 16372 | Use when clients need to access the SMEX console
InterScan Messaging Security Suite (IMSS) console | Low | Enable firewall | Allow all incoming/outgoing TCP traffic through port 80 | Use when clients need to access the IMSS console

Default Exception Name | Action | Protocol | Port | Direction
-------------------------------------------------------------
DNS | Allow | TCP/UDP | 53 | Incoming and outgoing
NetBIOS | Allow | TCP/UDP | 137,138,139,445 | Incoming and outgoing
HTTPS | Allow | TCP | 443 | Incoming and outgoing
HTTP | Allow | TCP | 80 | Incoming and outgoing
Telnet | Allow | TCP | 23 | Incoming and outgoing
SMTP | Allow | TCP | 25 | Incoming and outgoing
FTP | Allow | TCP | 21 | Incoming and outgoing
POP3 | Allow | TCP | 110 | Incoming and outgoing

Note:
None of the default exceptions specify clients. If you use any default exceptions, specify the clients to which you want the exceptions to apply.

Default Profile Name | Policy used | Applied to clients
-------------------------------------------------------
All clients profile | All access | unspecified
Deploying the Firewall
This section provides the necessary steps for successful deployment of Enterprise
Client Firewall.
To deploy the firewall:
1. On the sidebar, click Enterprise Client Firewall > Policy List. The Policy List screen appears.
2. Select a default policy by selecting the check box next to the policy name. If you want to create a new policy, click Add. The Policy Editor screen appears.
3. Type a name for the policy.
4. Click a Security Level to allow or block inbound/outbound traffic.
5. Click the Enable Firewall check box. You can also enable the Intrusion Detection System and/or an alert message that appears on the client if it blocks an outgoing packet.
Note:
If allowing clients to enable or disable the firewall, Intrusion Detection System, and the alert message, the settings display under Local Personal Firewall settings on the client console. You cannot change these settings from the OfficeScan server Web console.
If you do not grant clients this privilege, the settings display under Network card list on the client console. You can change these settings from the OfficeScan server Web console.
The information under Local Personal Firewall settings on the client console always reflects the settings configured from the client console, not the server Web console.
6. Under Exception, select the check boxes next to the default exceptions to include in this policy.
If you want to create new exceptions, do the following:
a. Click Add. The Edit Exception screen appears.
b. Type a name for the exception.
c. Next to Action, choose whether to allow or deny network traffic for this exception.
d. Next to Direction, click Inbound or Outbound to select the type of traffic to which to apply the exception settings.
e. From the Protocol list, select the protocol that you are allowing or denying.
f. Click one of the following to specify client ports:
• All ports (default)
• Range: type a range of ports
• Specified: specify individual ports. Use a comma "," to separate port numbers.
g. Under Computers, select client IP addresses to include in the exception. For example, if you select Deny all network traffic (Inbound and Outbound) and type the IP address for a single computer on the network, then any client that has this exception in its policy will not be able to send or receive data to or from that IP address. Click one of the following:
• All IP addresses (default)
• Single IP: type the host name or IP address of a client. To resolve the client host name to an IP address, click Resolve.
• IP range: type a range of IP addresses
• Subnet mask: type an IP address and subnet mask
h. Click Save. The Policy Editor screen appears with the new exception in the exception list.
7. Click the check boxes next to the exceptions you want to include in the profile.
8. Click Save. The Policy List screen appears with the new policy you created.
9. On the sidebar, click Enterprise Client Firewall > Profile List. The Profile List screen appears.
10. To create a new profile, click Add. The Profile Editor screen appears.
11. Click Enable this profile to allow OfficeScan server to deploy this profile to OfficeScan clients.
12. Type a name to identify the profile and an optional description.
13. From the list box next to Use the following policy, select the policy you created for this profile.
14. Select the clients to which OfficeScan applies the policy. Select from the following criteria:
• IP address: the IP address(es) of the client(s). Click one of the following:
  • Single IP: Type a client IP address.
  • Range: Type a range of IP addresses in the From and To text fields.
  • Subnet: Type an IP address of the subnet and the subnet mask. OfficeScan uses these to calculate the network address.
• Domain: the domain name of the client(s). Click Go to client console to select clients from the domain tree.
• Machine name: the name of the client(s). Click Go to client console to select clients from the domain tree.
• Platform: the operating system of the client(s). Select from the following:
  • Windows Server (NT/2000/Server 2003)
  • Windows Workstation (NT/2000/XP)
• Logon Name: the ID(s) of the users logged on as client(s). If typing multiple entries, insert a comma "," between IDs.
• Client status: if the OfficeScan Client application is online or offline. Click one of the following:
  • Online
  • Offline
15. Under User Privileges, select from among the following options:
• Allow user to change security level: clients can change the Enterprise Client Firewall policy security level
• Allow user to edit traffic exception list: clients can edit a configurable list of exceptions to allow specified types of traffic
16. Click Save. The Profile List screen appears.
17. Click Deploy to Clients to deploy the profile, which includes the associated policy and its exception list.
Verifying Deployment
To verify that you successfully deployed Enterprise Client Firewall to selected
clients, view the client in the OfficeScan domain tree.
To verify the deployment:
1. On the sidebar, click Clients. The domain tree for the Clients screen appears.
2. Click the domain to which the client belongs.
3. Select Firewall view from the Client tree view list.
4. Ensure that a green check mark exists in the Firewall column of the client tree. If you enabled the Intrusion Detection System for that client, ensure that a green check mark also exists in the IDS column.
5. Verify that the correct firewall policy was applied to the client. The policy appears under the Acting Policy column in the client tree.
Configuring Enterprise Client Firewall
This section explains how to configure firewall settings after deployment. See Deploying the Firewall on page 6-8 or click the help icon on any screen for specific configuration instructions on the following:
Configuring Policies
The Enterprise Client Firewall policy list provides a summary of all policies. Manage
the policy list from this screen. Also edit the template for Enterprise Client Firewall
exceptions.
Configuring Exceptions
The Enterprise Client Firewall exception list contains entries you can configure to
allow or block different kinds of network traffic based on client computer port
number(s) and IP address(es). Exceptions are applied to policies. After creating an
exception, edit the policies to which the exception applies.
Decide which type of exception you want to use. There are two types of exceptions:
• Restrictive – these exceptions block only specified types of network traffic and are applied to policies that allow all network traffic. An example use of a restrictive exception is blocking client ports that are commonly vulnerable to attack, such as ports that Trojans often use (see the OfficeScan help for information on Trojan ports).
• Permissive – these exceptions allow only specified types of network traffic and are applied to policies that block all network traffic. For example, you may want to permit clients to access only the OfficeScan server and a Web server. To do this, allow traffic from the Trusted port (used to communicate with the OfficeScan server) and the port the client uses for HTTP communication.
To view the client listening (Trusted) port on the OfficeScan Web console, click Clients > View Status > Expand All. The number next to the Port label is the client listening (Trusted) port.
To view the server listening (Trusted) port on the OfficeScan Web console, click Administration > Web Server. The number in the Port field is the server listening (Trusted) port, or Web port.
Note:
You can edit exceptions in the Exception Template Editor and apply them to all
existing policies or you can edit exceptions that apply to an individual policy on
the Policy Editor screen (see Configuring Policies on page 6-12).
Configuring Profiles
The Enterprise Client Firewall profile list provides a summary of all profiles,
including profile name, the policy each profile uses, and the current profile status.
Manage the profile list from this screen. Also select profiles and deploy them to
OfficeScan clients to update their Enterprise Client Firewall settings.
Note:
OfficeScan applies Enterprise Client Firewall profiles to clients in the order in
which the profiles appear in profile list. For example, if a client matches the first
profile, OfficeScan applies the actions configured for that profile to the client. The
other profiles that are also configured for that client are ignored.
Tip:
Put the most exclusive policies at the top of the list. For example, put policies you
create for a single client at the top, followed by those for a range of clients, a
network domain, and finally all clients.
Alternate Servers
You can also edit the list of alternate servers, which are computers that act as
substitutes for the OfficeScan server when it applies firewall profiles. OfficeScan
considers clients that can communicate with alternate servers to be online, even if the
clients cannot communicate with the OfficeScan server.
Configuring Firewall Outbreak Monitor
An excessive number of log entries may signal the possibility of a virus outbreak.
Enable Enterprise Client Firewall Outbreak Monitor to have OfficeScan declare a
firewall outbreak alert if log counts exceed certain thresholds. Also enable and
configure an alert message to have OfficeScan automatically notify relevant parties
of the potential outbreak.
Testing the Firewall
To help ensure that your Enterprise Client Firewall deployment is working properly, perform a test on a client or group of clients.
WARNING! Test OfficeScan client program settings in a controlled environment only. Do not perform tests on client computers that are connected to your network or to the Internet. Doing so may expose client computers to viruses, hacker attacks, and other risks.
To test the Enterprise Client Firewall:
1. Create and save a test policy (see Configuring Policies on page 6-12 for instructions). Configure the settings to block the types of traffic you want to test. For example, to prevent the client from accessing the Internet only, do the following:
a. Click Low All inbound/outbound traffic allowed for the Default security level.
b. Select Enable Firewall and Enable Alert Message under Client Firewall Settings.
c. Create an exception that blocks HTTP (or HTTPS) traffic.
2. Create and save a test profile, selecting the clients whose firewall you want to test. Associate the test policy with the test profile (see Configuring Profiles on page 6-13 for instructions).
3. Click Deploy to Clients to deploy the test policy.
4. Verify the deployment (see Verifying Deployment on page 6-11 for instructions).
5. Test the firewall on the client computer by attempting to send or receive the type of traffic you configured in the policy.
To test a policy configured to prevent the client from accessing the Internet, open a Web browser on the client computer. If you enabled the alert message for the firewall, it displays on the client machine (see Modifying Client Alert Messages on page 4-3).
Disabling the Firewall
To disable Enterprise Client Firewall on client machines from the OfficeScan Web
console, create a new policy that does not enable the firewall and apply the policy to
clients.
To disable the firewall with a new policy:
1. On the sidebar, click Enterprise Client Firewall > Policy List. The Policy List screen appears.
2. To create a new policy, click Add.
3. Type a name for the policy.
4. Clear the Enable Firewall check box.
5. Click Save to save the policy.
6. On the sidebar, click Enterprise Client Firewall > Profile List. The Profile List screen appears.
7. To create a new profile, click Add.
8. Click Enable this profile to allow OfficeScan server to deploy this profile to OfficeScan clients.
9. Type a name to identify the profile and an optional description.
10. From the list box next to Use the following policy, select the policy you created.
11. Select the clients on which you want to disable the firewall.
12. Click Save.
13. Click Deploy to Clients to deploy the profile, which disables the firewall.
You can also disable the firewall for all clients by uninstalling the firewall on the Product License screen.
To disable the firewall:
1. On the sidebar, click Administration > Product License. The Product License screen appears.
2. Clear the Install Enterprise Client Firewall check box under License information.
3. Click Apply.
Chapter 7
Viewing and Interpreting Logs
This chapter describes how to use OfficeScan logs to monitor your system and
analyze your protection.
The topics in this chapter include:
• Virus Logs on page 7-2
• Server Update Logs on page 7-3
• Client Update Logs on page 7-3
• System Event Logs on page 7-3
• Verify Connection Logs on page 7-4
• Enterprise Client Firewall Logs on page 7-4
Log Types
OfficeScan keeps comprehensive logs about detections, events, and updates. Use
these logs to assess your organization's threat-protection policies and to identify
clients that are at a higher risk of infection or attack. Also use these logs to check
client-server connection and verify that updates were deployed successfully.
Note:
Use spreadsheet applications, such as Microsoft Excel, to view CSV log files.
To access the Web console screens for any logs, click Logs > {log type} on the sidebar. Click the help icon on any screen for specific configuration instructions on the following:
Virus Logs
OfficeScan records log entries for viruses detected on your clients. Virus logs include the following information:
• Date and time: the time OfficeScan created the log entry
• Computer name: the name of the OfficeScan client
• Virus name: the virus(es) OfficeScan detected
• Infection source: the client computer where the virus originated
• Infected file: file(s) that the virus(es) infected
• Scan type: the type of scan OfficeScan performed when it detected the virus (Manual, Real-time, Scheduled)
• Scan result: what OfficeScan did after the scan
To conserve disk space on the server, delete virus logs manually. On the sidebar, click Logs > Virus Logs and select the domains or clients whose virus logs you want to delete by clicking the corresponding icons in the domain tree. Then click Delete Logs. Click the help icon for specific configuration instructions.
Server Update Logs
OfficeScan keeps logs for all events related to the updates of components on the
OfficeScan server. Use Server Update logs to verify that OfficeScan has successfully
downloaded the components required to keep your risk-protection current.
Server Update logs include the following information:
• Time and date of the update
• Result of the update: successful or unsuccessful
• Update component: which OfficeScan components were updated
• Update method: automatic or manual
Client Update Logs
OfficeScan keeps logs for all events related to the updates of components on
OfficeScan clients. Use Client Update logs to verify that OfficeScan has successfully
updated the components required to keep your risk-protection current.
Client Update logs include the following information:
• Time and date of the update
• Update components: which OfficeScan components were updated
• Progress: how many clients a particular update deployment updated
• Details: which clients were updated from a particular deployment
System Event Logs
OfficeScan also records events related to the server program, such as shutdown and
startup. Use these logs to verify that the server is running smoothly and that the
services necessary for OfficeScan to work on your network are running.
System Event logs include the following information:
• Time and date of the event
• The name of the computer on which OfficeScan server is installed
• A description of the event
Trend Micro™ OfficeScan™ 7.3 Administrator’s Guide
Verify Connection Logs
OfficeScan keeps Verify Connection logs to allow you to determine whether or not
the OfficeScan server can communicate with OfficeScan clients. OfficeScan creates a
log entry each time you verify client-server connection from the Web console
(Verifying Client-Server Connection on page 2-22).
Verify Connection logs include the following information:
• Time and date of the verification attempt
• The name, domain, and IP address of the client with which OfficeScan server
verified the connection
• Status: whether or not the OfficeScan server successfully communicated with the
client
Enterprise Client Firewall Logs
OfficeScan clients that have Enterprise Client Firewall enabled store firewall events
in a log on the client computer. View these logs to analyze how Enterprise Client
Firewall is protecting your clients from attacks. To view the latest client Enterprise
Client Firewall logs, you must first notify clients to send their logs to the OfficeScan
server by clicking Logs > Firewall Logs | {clients} > Client Notification | Notify.
Firewall logs include the following information:
• Time and date
• The computer that logged the entry
• The remote host
• The local host
• The protocol
• A description of the log entry
• The destination port
• Details of the log entry
Deleting Logs
To prevent the logs from occupying too much space on your hard disk, you can
configure an automatic log deletion schedule. You can specify the types of logs to
delete and select a daily, weekly, or monthly frequency.
To access the Log Maintenance screen, click Logs > Log Maintenance on the
sidebar.
Chapter 8
Using Administrative and Client Tools
OfficeScan includes a set of tools that can help you easily accomplish various
OfficeScan tasks, including server configuration and client management.
These tools are classified into two categories:
• Administrative tools – developed to help configure the server and manage clients
(see Administrative Tools on page 8-3)
• Client tools – developed to help enhance the performance of the client program
(see Client Tools on page 8-9)
Several tools from previous versions of OfficeScan have been integrated into this version (see
Integrated Tools on page 8-17).
Summary of Tools
Refer to Table 8-1 for a complete list of tools included in this version of OfficeScan.
Note: Some tools available in previous versions of OfficeScan are not available in this
version. If you require these tools, contact technical support. See Integrated Tools on
page 8-17 for a list of tools whose functions have been integrated into this version of
OfficeScan.
Administrative Tools:
• Login Script Setup: automate the installation of OfficeScan clients (see page 8-3)
• Vulnerability Scanner: search for unprotected computers on your network (see page 8-3)
• Server Tuner: optimize the performance of the OfficeScan server (see page 8-8)
• Client Mover I: transfer clients from one OfficeScan server to another (see page 8-11)
• Touch Tool: change the time stamp on a hot fix to automatically redeploy it (see page 8-13)
• ServerProtect Normal Server Migration Tool: migrate computers running ServerProtect
Normal Server to OfficeScan client (see page 8-14)
Client Tools:
• Client Packager: create a self-extracting file containing the OfficeScan client program and
components (see page 8-9)
• Image Setup Utility: create an image of an OfficeScan client to make clones (see page 8-9)
• Restore Encrypted Files: open infected files that OfficeScan encrypted (see page 8-9)
TABLE 8-1 OfficeScan tools
Note: You cannot run these tools from the OfficeScan Web console. For instructions on how
to run the tools, see the relevant section below.
Administrative Tools
This section contains information about the following OfficeScan administrative
tools:
Login Script Setup
With Login Script Setup, you can automate the installation of the OfficeScan client to
unprotected computers when they log on to the network. Login Script Setup adds a
program called autopcc.exe to the server login script. The program autopcc.exe
performs the following functions:
• Determines the operating system of the unprotected computer and installs the
appropriate version of the OfficeScan client
• Updates the virus pattern file and program files
For instructions on installing clients, see the Installation and Deployment Guide and
OfficeScan server online help.
Vulnerability Scanner
Use Vulnerability Scanner to detect installed antivirus solutions and to search for
unprotected computers on your network. To determine if computers are protected,
Vulnerability Scanner pings ports that are normally used by antivirus solutions.
Vulnerability Scanner can perform the following functions:
• Perform a DHCP scan to monitor the network for DHCP requests so that when
computers first log on to the network, Vulnerability Scanner can determine their status
• Ping computers on your network to check their status and retrieve their computer
names, platform versions, and descriptions
• Determine the antivirus solutions installed on the network. It can detect Trend
Micro products (including OfficeScan, ServerProtect for Windows NT and Linux,
ScanMail for Microsoft Exchange, InterScan Messaging Security Suite, and
PortalProtect) and third-party antivirus solutions (including Norton AntiVirus
Corporate Edition v7.5 and v7.6, and McAfee VirusScan ePolicy Orchestrator).
• Display the server name and the version of the pattern file, scan engine and
program for OfficeScan and ServerProtect for Windows NT
• Send scan results via email
• Run in silent mode (command prompt mode)
• Install OfficeScan client remotely on computers running Windows
NT/2000/XP (Professional only)/Server 2003
You can also automate Vulnerability Scanner by creating scheduled tasks. For
information on how to automate Vulnerability Scanner, see the TMVS online help.
To run Vulnerability Scanner on a computer other than the server, copy the TMVS
folder from the \PCCSRV\Admin\Utility folder of the server to the computer.
Note: You can use Vulnerability Scanner on machines running Windows 2000 and
Server 2003; however, the machines cannot be running Terminal Server.
You cannot install OfficeScan clients with Vulnerability Scanner if an
OfficeScan server installation is present on the same machine.
Vulnerability Scanner does not install OfficeScan clients on a machine already
running OfficeScan server.
To configure Vulnerability Scanner:
1. In the drive where you installed OfficeScan server, open the following
directories: OfficeScan > PCCSRV > Admin > Utility > TMVS. Double-click
TMVS.exe. The Vulnerability Scanner console appears.
2. Click Settings. The Settings screen appears.
3. In the Product Query box, select the products that you want to check for on your
network. Select the Check for all Trend Micro products check box to select all products.
If you have Trend Micro InterScan and Norton AntiVirus Corporate Edition
installed on your network, click Settings next to the product name to verify the
port number that Vulnerability Scanner will check.
4. Under Description Retrieval Settings, click the retrieval method that you want
to use. Normal retrieval is more accurate, but it takes longer to complete.
If you click Normal retrieval, you can set Vulnerability Scanner to try to retrieve
computer descriptions, if available, by selecting the Retrieve computer descriptions when available check box.
5. To automatically send the results to yourself or other administrators, under Alert
Settings select the Email results to the system administrator check box, and
then, click Configure to specify your email settings.
• In To, type the email address of the recipient.
• In From, type your email address. This will let the recipient know who sent
the message, if you are not only sending it to yourself.
• In SMTP server, type the address of your SMTP server. For example, you can
type smtp.company.com. The SMTP server information is required.
• In Subject, type a new subject for the message or accept the default subject.
Click OK to save your settings.
6. To display an alert on unprotected computers, select the Display alert on
unprotected computers check box. Then, click Customize to set the alert
message. The Alert Message screen appears. You can type a new alert message
or accept the default message. Click OK.
7. To save the results as a comma-separated value (CSV) data file, select the
Automatically save the results to a CSV file check box. By default, CSV data
files are saved to the TMVS folder. If you want to change the default CSV folder,
click Browse. The Browse for folder screen appears. Browse for a target folder
on your computer or on the network and then click OK.
8. You can enable Vulnerability Scanner to ping computers on the network to get
their status. Under Ping Settings, specify how Vulnerability Scanner will send
packets to the computers and wait for replies. Accept the default settings or type
new values in the Packet size and Timeout text boxes.
9. To remotely install OfficeScan Client and send a log to the server, type the
OfficeScan server name and port number. If you want to automatically remotely
install OfficeScan client, select the Auto-install OfficeScan Client for
unprotected computer check box.
10. Click Install Account to configure the account. The Account Information
screen appears. Type a user name and password that permit installation. Click
OK.
11. If you want to send the log to the server, select the Report log to OfficeScan server
check box.
12. Click OK to save your settings. The Trend Micro Vulnerability Scanner
console appears.
To run a manual vulnerability scan on a range of IP addresses:
1. Under IP Range to Check, type the IP address range that you want to check for
installed antivirus solutions and unprotected computers. Note that the
Vulnerability Scanner only supports class B IP addresses.
2. Click Start to begin checking the computers on your network. The results are
displayed in the Results table.
To run Vulnerability Scanner on computers requesting IP addresses from a
DHCP server:
1. Click the DHCP Scan tab in the Results box. The DHCP Start button appears.
2. Click DHCP Start. Vulnerability scanner begins listening for DHCP requests
and performing vulnerability checks on computers as they log on to the network.
To create scheduled tasks:
1. Under Scheduled Tasks, click Add/Edit. The Scheduled Task screen appears.
2. Under Task Name, type a name for the task you are creating.
3. Under IP Address Range, type the IP address range that you want to check for
installed antivirus solutions and unprotected computers.
4. Under Task Schedule, click a frequency for the task you are creating. You can
set the task to run Daily, Weekly, or Monthly. If you click Weekly, you must
select a day from the list. If you click Monthly, you must select a date from the
list.
5. In the Start time lists, type or select the time when the task will run. Use the
24-hour clock format.
6. Under Settings, click Use current settings if you want to use your existing
settings, or click Modify settings.
If you click Modify settings, click Settings to change the configuration. For
information on how to configure your settings, refer to steps 4 and 5 in the "To
configure Vulnerability Scanner:" procedure.
7. Click OK to save your settings. The task you have created appears under
Scheduled Tasks.
Other Settings
To configure the following settings you need to modify TMVS.ini:
• Debug – enable or disable the debug log
• EchoNum – set the number of computers that Vulnerability Scanner will
simultaneously ping
• ThreadNumManual – set the number of computers that Vulnerability
Scanner will simultaneously check for antivirus software
• ThreadNumSchedule – set the number of computers that Vulnerability
Scanner will simultaneously check for antivirus software when running
scheduled tasks
To modify these settings:
1. Open the TMVS folder and locate the TMVS.ini file.
2. Open TMVS.ini using Notepad or any text editor.
3. To enable the debug log, change the value from Debug=0 to Debug=1.
4. To set the number of computers that Vulnerability Scanner will simultaneously
ping, change the value for EchoNum. Specify a value between 1 and 64.
For example, type EchoNum=60 if you want Vulnerability Scanner to ping 60
computers at the same time.
5. To set the number of computers that Vulnerability Scanner will simultaneously
check for antivirus software, change the value for ThreadNumManual. Specify a
value between 8 and 64.
For example, type ThreadNumManual=60 to simultaneously check 60
computers for antivirus software.
6. To set the number of computers that Vulnerability Scanner will simultaneously
check for antivirus software when running scheduled tasks, change the value for
ThreadNumSchedule. Specify a value between 8 and 64.
For example, type ThreadNumSchedule=60 to simultaneously check 60
computers for antivirus software whenever Vulnerability Scanner runs a
scheduled task.
7. Save TMVS.ini.
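Editing TMVS.ini by hand makes it easy to type a value outside the ranges given above. The following Python script is an added example, not a Trend Micro tool: it checks the four documented keys against their documented ranges (Debug 0 or 1, EchoNum 1 to 64, ThreadNumManual and ThreadNumSchedule 8 to 64) and rewrites a value only when it is in range. The section header [TMVS] in the sample file is an assumption, since the guide does not show the file's layout, so the functions look for the keys in every section rather than relying on a particular name.

```python
"""Validate and update the TMVS.ini tuning values described in the guide.

Added example, not part of OfficeScan or Vulnerability Scanner.  The key
names and ranges (Debug 0/1, EchoNum 1-64, ThreadNumManual and
ThreadNumSchedule 8-64) come from the guide; the section name in the
sample below ([TMVS]) is an assumption, so the functions search every
section for the keys rather than relying on it.
"""
import configparser
import io

# Allowed ranges per key: (minimum, maximum) inclusive, taken from the guide.
LIMITS = {
    "Debug": (0, 1),
    "EchoNum": (1, 64),
    "ThreadNumManual": (8, 64),
    "ThreadNumSchedule": (8, 64),
}

# Constructed sample file; the [TMVS] section header is assumed, not documented.
# Two of the values are deliberately out of range so the validator has work to do.
SAMPLE_INI = """\
[TMVS]
Debug=0
EchoNum=100
ThreadNumManual=4
ThreadNumSchedule=60
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def validate_tmvs(text):
    """Return a list of human-readable problems; an empty list means all values are in range."""
    cp = _load(text)
    problems = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key not in LIMITS:
                continue
            lo, hi = LIMITS[key]
            try:
                n = int(value)
            except ValueError:
                problems.append(f"{key}={value!r} is not an integer")
                continue
            if not lo <= n <= hi:
                problems.append(f"{key}={n} is outside the allowed range {lo}-{hi}")
    return problems


def set_tmvs_value(text, key, value):
    """Return the INI text with `key` set to `value`, enforcing the documented range.

    Raises ValueError for unknown keys or out-of-range values so a typo cannot
    silently push the scanner past its supported concurrency.
    """
    if key not in LIMITS:
        raise ValueError(f"unknown TMVS.ini key: {key}")
    lo, hi = LIMITS[key]
    if not lo <= int(value) <= hi:
        raise ValueError(f"{key} must be between {lo} and {hi}")
    cp = _load(text)
    if not cp.sections():
        raise ValueError("TMVS.ini has no section to write into")
    # Update the key in whichever section already carries it; otherwise use the first section.
    target = next((s for s in cp.sections() if cp.has_option(s, key)), cp.sections()[0])
    cp.set(target, key, str(int(value)))
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # keep the Key=Value style
    return out.getvalue()


if __name__ == "__main__":
    for p in validate_tmvs(SAMPLE_INI):
        print("problem:", p)
    fixed = set_tmvs_value(set_tmvs_value(SAMPLE_INI, "EchoNum", 60), "ThreadNumManual", 8)
    print(fixed)
```

To use it on a real file, read TMVS.ini into a string, run validate_tmvs on it before saving, and write the result of set_tmvs_value back to the same path.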
Server Tuner
Use Server Tuner to optimize the performance of your server.
Note: You can only use this tool in OfficeScan 3.54 and later versions.
Server Tuner requires the following file:
• Main file: SvrTune.exe
To run Server Tuner:
1. On the server, open Windows Explorer and go to the
\PCCSRV\Admin\Utility\SvrTune folder of OfficeScan.
2. Double-click SvrTune.exe to start Server Tuner. The Server Tuner console
opens.
3. Under Download, modify the following settings based on your network traffic:
• Timeout for
• Timeout for update
• Retry count
• Retry interval
4. Under Buffer, modify the following settings based on your network traffic:
• Event Buffer: used in reporting client status
• Log Buffer: used in reporting detected viruses
5. Under Network Traffic Control, modify the following settings based on your
network traffic:
• Normal hours
• Off-peak hours
• Peak hours
Note: If the number of clients reporting to your server is large, you may want to increase the
buffer size. A higher buffer size, however, means higher memory utilization on the
server.
Client Tools
This section contains information about the following OfficeScan client tools:
Client Packager
Client Packager is a tool that can compress setup and update files into a
self-extracting file to simplify delivery via email, CD-ROM, or similar media. It also
includes an email function that can access your Microsoft Outlook address book and
allow you to send the self-extracting file from within the tool’s console.
To run Client Packager, double-click the file. OfficeScan clients that are installed
using Client Packager report to the server where the setup package was created.
For instructions on how to use Client Packager, see the Installation and Deployment
Guide and OfficeScan server online help.
Image Setup Utility
Disk imaging technology allows you to create an image of an OfficeScan client and
make clones of it to other computers on your network.
Each client installation needs a Globally Unique Identifier (GUID), so that the
server can identify your clients individually. Use an OfficeScan program called
imgsetup.exe to create a different GUID for each clone.
Image Setup Utility helps you use hard drive imaging technology to deploy the
OfficeScan client software.
For instructions on how to use Image Setup Utility, see the Installation and
Deployment Guide and OfficeScan server online help.
Restore Encrypted Files
Whenever OfficeScan detects an infected file, it encrypts this file and stores it in the
Suspect folder of the client, normally in C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT.
The infected file is encrypted to prevent users from opening it and spreading the virus
to other files on the computer.
However, there may be situations in which you have to open the file even though you
know it is infected. For example, if an important document has been infected and you
need to retrieve the information it contains, you will need to decrypt the
infected file first.
You can use Restore Encrypted Files to decrypt the infected files that you want to
open.
Note: To prevent OfficeScan from detecting the virus again when you use Restore Encrypted
Files, exclude the folder to which you decrypt the file from Real-time Scan.
WARNING! Decrypting an infected file may spread the virus to other files.
Restore Encrypted Files requires the following files:
• Main file: VSEncode.exe
• Required DLL file: Vsapi32.dll
To decrypt files in the Suspect folder:
1. On the client where you want to decrypt an infected file, open Windows Explorer
and go to the \PCCSRV\Admin\Utility\VSEncrypt folder of OfficeScan.
2. Copy the entire VSEncrypt folder to the client computer.
Note: Do not copy the VSEncrypt folder to the OfficeScan folder. The Vsapi32.dll
file of Restore Encrypted Files will conflict with the original Vsapi32.dll.
3. Open a command prompt and go to the location where you copied the VSEncrypt
folder.
4. Run Restore Encrypted Files using the following parameters:
• no parameter: encrypt files in the Suspect folder
• -d: decrypt files in the Suspect folder
• -debug: create debug log and output in the root folder of the client
• /o: overwrite encrypted or decrypted file if it already exists
• /f: (unknown): encrypt or decrypt a single file
• /nr: do not restore original file name
For example, you can type VSEncode [-d] [-debug] to decrypt files in the
Suspect folder and create a debug log. When you decrypt or encrypt a file, the
decrypted or encrypted file is created in the same folder.
Note: You may not be able to encrypt or decrypt files that are locked.
Restore Encrypted Files provides the following logs:
• VSEncrypt.log – contains the encryption or decryption details. This file is
created automatically in the temp folder for the user logged on the machine
(normally, on the C: drive).
• VSEncDbg.log – contains the debug details. This file is created automatically in
the temp folder for the user logged on the machine (normally, on the C: drive) if
you run VSEncode.exe with the -debug parameter.
To encrypt or decrypt files in other locations:
1. Create a text file and then type the full path of the files you want to encrypt or
decrypt.
For example, if you want to encrypt or decrypt files in C:\My Documents\Reports,
type C:\My Documents\Reports\*.* in the text file. Then save the text file with an
INI or TXT extension; for example, you can save it as ForEncryption.ini on the C: drive.
2. At a command prompt, run Restore Encrypted Files by typing VSEncode.exe
-d -i {location of the INI or TXT file}, where {location of the INI or TXT
file} is the path of the INI or TXT file you created (for example,
C:\ForEncryption.ini).
Client Mover I
If you have more than one OfficeScan server on the network, you can use the Client
Mover tool to transfer clients from one OfficeScan server to another. This is
especially useful after adding a new OfficeScan server to the network when you want
to transfer existing OfficeScan clients to the new server.
Note: The two servers must be of the same language version.
If using Client Mover I to move an OfficeScan 5.58 or 6.5 client registered with an
OfficeScan 5.58 or 6.5 server to a server of the current version, the client will be
upgraded automatically to the current version.
To use Client Mover I:
1. On the OfficeScan server, go to the following directory:
\PCCSRV\Admin\Utility\IpXfer
2. Copy the IpXfer.exe file to the client that you want to transfer.
3. On the client, open a command prompt and then go to the folder where you
copied the file.
4. Run Client Mover using the following syntax:
IpXfer.exe -s <server_name> -p <server_listening_port> -m 1 -c <client_listening_port>
where:
<server_name> = the server name of the destination OfficeScan server (the server
to which the client will transfer)
<server_listening_port> = the listening (Trusted) port of the destination
OfficeScan server. To view the server listening (Trusted) port on the OfficeScan
Web console, click Administration > Web Server. The number in the Port field is the server
listening (Trusted) port, or Web port.
1 = the HTTP-based server (you must use the number "1" after "-m")
<client_listening_port> = the port number, configured during installation, through
which the server communicates with its clients. To view the client
listening (Trusted) port on the OfficeScan Web console, click Clients > View Status >
Expand All. The number next to the Port label is the client listening (Trusted) port.
5. To confirm the client now reports to the other server, do the following:
a. On the client machine, right-click the OfficeScan client program icon in the
system tray.
b. Select OfficeScan Main.
c. Click Help in the menu and select About.
d. Verify the OfficeScan server that the client reports to under Communication
information, Server name/port.
Note: If the client does not appear in the domain tree of the new OfficeScan server to which
it is registered, restart the new server’s Master Service (ofservice.exe).
Touch Tool
The Touch Tool synchronizes the time stamp of one file with the time stamp of
another file or with the system time of the computer. If you unsuccessfully attempt to
deploy a hot fix (an update or patch that Trend Micro releases) on the OfficeScan
server, use the Touch Tool to change the time stamp of the hot fix. This causes
OfficeScan to interpret the hot fix file as new, which makes the server attempt to
automatically deploy the hot fix again.
To run the Touch Tool:
1. On the OfficeScan server, go to the following directory:
\PCCSRV\Admin\Utility\Touch
2. Copy the TMTouch.exe file to the folder where the file you want to change is
located. If synchronizing the file time stamp with the time stamp of another file,
put both files in the same location with the Touch tool.
3. Open a command prompt and go to the location of the Touch Tool.
4. Type the following:
TmTouch.exe <destination_filename> <source_filename>
where:
<destination_filename> = the name of the file (the hot fix, for example)
whose time stamp you want to change
<source_filename> = the name of the file whose time stamp you want to
replicate
If you do not specify a source filename, the tool sets the destination file time
stamp to the system time of the computer.
Note: You can use the wildcard character "*" in the destination file name field, but not the
source file name field.
5. To verify the time stamp changed, type dir in the command prompt or right-click
the file in Windows Explorer and select Properties.
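The Touch Tool's behaviour is simple enough to show in full. The following Python function is an added example, not Trend Micro's TmTouch.exe: it copies the time stamp of a source file onto every file matching a destination name, or stamps the destination with the current system time when no source is given, and it rejects a wildcard in the source name, as the note above describes. The demo function builds its own temporary folder with a constructed reference file and two constructed hot-fix files so the example runs offline.

```python
"""Re-implement the Touch Tool's behaviour in Python.

Added example, not Trend Micro's TmTouch.exe.  It copies the time stamp of
a source file onto one or more destination files, or stamps them with the
current system time when no source is given.  As in the guide, a wildcard
is accepted in the destination name only.
"""
import glob
import os
import tempfile


def touch(destination_pattern, source_filename=None):
    """Set the modification (and access) time of every file matching
    `destination_pattern`.  Returns the list of files that were stamped.

    - With `source_filename`, the destination files receive that file's times.
    - Without it, they receive the current system time.
    """
    if source_filename is not None and any(c in source_filename for c in "*?"):
        raise ValueError("wildcards are allowed in the destination name only")
    targets = sorted(p for p in glob.glob(destination_pattern) if os.path.isfile(p))
    if not targets:
        raise FileNotFoundError(f"no file matches {destination_pattern}")
    if source_filename is None:
        times = None  # os.utime(path, None) uses the current system time
    else:
        st = os.stat(source_filename)
        times = (st.st_atime, st.st_mtime)
    for path in targets:
        os.utime(path, times)
    return targets


def mtime(path):
    """Modification time of `path` in seconds, for checking the result."""
    return os.stat(path).st_mtime


def demo():
    """Create a temporary folder with a constructed reference file and two
    constructed hot-fix files, run both modes of `touch`, and return the
    resulting time stamps for inspection."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "reference.txt")
    dsts = [os.path.join(d, f"hotfix{i}.bin") for i in (1, 2)]
    for p in [src] + dsts:
        with open(p, "w") as f:
            f.write("x")
    os.utime(src, (1_000_000_000, 1_000_000_000))  # a fixed, obviously old stamp
    copied = touch(os.path.join(d, "hotfix*.bin"), src)  # wildcard in destination
    after_copy = [mtime(p) for p in dsts]
    touch(dsts[0])  # no source: stamp with the current system time
    return {
        "stamped": [os.path.basename(p) for p in copied],
        "after_copy": after_copy,
        "after_now": mtime(dsts[0]),
        "source_mtime": mtime(src),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A changed time stamp only makes the server treat the hot fix as new; it says nothing about the file itself, so compare the hot fix against the copy you obtained from Trend Micro before redeploying it.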
ServerProtect Normal Server Migration Tool
The ServerProtect Normal Server Migration Tool is a Windows-based tool that helps
migrate computers running ServerProtect Normal Server to OfficeScan client.
System Requirements
The ServerProtect Normal Server Migration Tool has the same hardware and
software requirements as the OfficeScan server. Run the tool on Windows
NT/2000/XP/Server 2003 machines.
After it successfully uninstalls ServerProtect Normal Server, the tool installs the
OfficeScan client. However, it does not preserve or migrate the ServerProtect
Normal Server settings to the OfficeScan client settings.
Installing the ServerProtect Normal Server Migration Tool
• Copy the files SPNSXfr.exe and SPNSX.ini to the PCCSRV\Admin folder on
the OfficeScan server.
Use the local/domain administrator account to access the client machine. If you log
on to the remote machines with insufficient privileges, such as "Guest" or "Normal
user", you will not be able to perform the installation.
To perform the migration using the ServerProtect Normal Server Migration
Tool:
1. Double-click the SPNSXfr.exe file to open the tool. The ServerProtect Normal
Server Migration Tool console opens.
2. Under OfficeScan server, select the OfficeScan server on which you are running
the tool. The path of the OfficeScan server appears under OfficeScan server path.
If it is incorrect, click Browse and select the PCCSRV folder in the directory
where you installed OfficeScan.
To enable the tool to automatically find the OfficeScan server again the next time
you open the tool, select the Auto find OfficeScan server check box (selected
by default).
3. Select the computers running ServerProtect Normal Server on which to perform
the migration by clicking one of the following under Target computer:
• Windows network tree: displays a tree of domains on your network. To
select computers by this method, click the domains on which to search for
client computers.
• Information Server name: search by Information Server name. To select
computers by this method, type the name of an Information Server on your
network in the text box. To search for multiple Information Servers, enter a
semicolon ";" between server names.
• Certain Normal Server name: search by Normal Server name. To select
computers by this method, type the name of a Normal Server on your
network in the text box. To search for multiple Normal Servers, enter a
semicolon ";" between server names.
• IP range search: search by a range of IP addresses. To select computers by
this method, type a range of class B IP addresses under IP range.
Note: If a DNS server on your network does not respond when searching for clients,
the search will hang. Wait for the search to time out.
4. To include computers running Windows Server 2003 in the search, select the
Include Windows Server 2003 check box.
5. Select the Restart Windows Server 2003 computers check box to restart
computers running Windows Server 2003. For the migration to complete
successfully on Windows 2003 computers, the computer must reboot. Selecting
this check box ensures that it automatically reboots. If you don't select the
Restart Windows Server 2003 computers check box, you must restart the
computer manually after migration.
6. Click Search. The search results appear under ServerProtect Normal Servers.
7. Under Server list, click the computers on which to perform the migration:
• To select all computers, click Select All.
• To deselect all computers, click Unselect All.
• To export the list as a .CSV file, click Export to CSV.
8. If a user name and password are required to log on to the target computers, do the
following:
a. Select the Use group account/password check box.
b. Click Set User Logon Account. The Enter Administration Information
window appears.
c. Type the user name and password.
d. Click OK.
e. Click Ask again if logon is unsuccessful to be able to type the user name
and password again during the migration process if you are unable to log on.
9. Click Migrate.
Note: The ServerProtect Normal Server Migration Tool does not uninstall the Control
Manager agent for ServerProtect. For instructions on how to uninstall the agent,
refer to your ServerProtect and/or Control Manager documentation.
While installing OfficeScan client, the migration tool client installer may time out
and the result may be shown as failed. However, the client may have been installed
successfully. Verify the installation on the client machine from the OfficeScan Web
console.
Migration will be unsuccessful under the following circumstances:
• If the remote client cannot use the NetBIOS protocol or ports 455, 137~139 are
blocked
• If the remote client cannot use the RPC protocol
• If the Remote Registry Service is stopped
Integrated Tools
The functionality of the following tools, which were included in previous versions of
OfficeScan, has been integrated into this version:
Client Mover II
Client Mover II transferred online HTTP-based clients from one HTTP-based
OfficeScan server to another. Unlike Client Mover I, which is run from the command
line interface, Client Mover II included a Windows console.
You can now move clients to other OfficeScan servers through the OfficeScan server
Web console (see Working with OfficeScan Domains on page 2-3 for detailed
instructions).
Database Backup
Database Backup made a backup of the OfficeScan server database, which contained
all OfficeScan settings.
You can now back up the database from the Web console (see Backing up the
OfficeScan Database on page 4-5 for detailed instructions).
Database Packer
Database Packer compressed the OfficeScan database and organized information to
decrease the size of the database and increase efficiency when performing queries.
OfficeScan now automatically compresses and reorganizes the database to optimize
performance.
Icon Cleaner
Icon Cleaner removed duplicate client records in the OfficeScan database.
If a client user uninstalls the OfficeScan program, the client machine notifies the
OfficeScan server, which automatically removes the client from the client domain
tree. You can verify client-server connection to update the status of clients on the
network (see Verifying Client-Server Connection on page 2-22).
Network Scan Switch
Network Scan Switch allowed you to enable and disable the client’s ability to scan
mapped network drives and folders.
You can now enable scanning for mapped drives and shared network folders when
configuring client scan settings (see Setting Scan Options on page 2-23 for detailed
instructions).
Register Shell
Register Shell allowed you to add a Manual Scan shortcut on the client machine’s
Windows shortcut menu.
You can now add a Manual Scan shortcut to the client machine’s Windows shortcut
menu from the OfficeScan server Web console on the Global Client Settings screen.
On the sidebar, click Clients > Global Client Settings (see the online help for
detailed instructions).
Remote Agent
Remote Agent allowed clients to obtain the latest update components directly from
the Trend Micro ActiveUpdate server, instead of only from the OfficeScan server.
Updating directly from the ActiveUpdate server was necessary when client machines
were unable to communicate with the OfficeScan server.
When clients are not able to communicate with the OfficeScan server (for example, if
they are not connected to your network), you can allow them to receive component
updates from other sources by specifying them as Update Agents.
Specify a list of update sources on the Update Source screen and allow Update
Agents to receive updates from these sources on the Update Agent screen. Next, use
Client Packager to create and deploy a package to the clients (see Using Update
Agent on page 2-9, Updating OfficeScan on page 2-4, and the Installation and
Deployment Guide and OfficeScan server online help for Client Packager
instructions).
GUID Changer
GUID Changer assigned new Globally Unique Identifiers (GUIDs) to clients. If you
used imaging tools other than Image Setup Utility to create a client disk image, you
had to assign a new GUID to each client that was installed from the disk image.
You must now use the Image Setup Utility to create an image of an OfficeScan client
and make clones of it. A new GUID is created for each clone (see Image Setup Utility
on page 8-9).
Chapter 9
FAQs, Troubleshooting and Technical Support
This chapter answers questions you might have about OfficeScan and describes how
to troubleshoot problems that may arise.
The topics in this chapter include:
• Frequently Asked Questions (FAQs) on page 9-2
• Troubleshooting on page 9-8
• Contacting Trend Micro on page 9-18
Frequently Asked Questions (FAQs)
The following is a list of frequently asked questions and answers.
Installation and Upgrade
I have several questions on installing and upgrading OfficeScan. Where can I find
the answers?
Refer to the Installation and Deployment Guide. You can download all
OfficeScan documentation from the following site:
http://www.trendmicro.com/download/
Registration
I have several questions on registering OfficeScan. Where can I find the answers?
See the following Web site for frequently asked questions about registration:
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=16326
Compatibility
Is OfficeScan compatible with other antivirus and anti-spyware/grayware
applications?
Although OfficeScan may function on the same computers with other antivirus
and anti-spyware/grayware applications, Trend Micro highly recommends
uninstalling other third-party solutions. The interaction between these
applications and OfficeScan may produce unexpected and undesired results,
rendering your computers vulnerable to virus infection, hacker attacks, and other
security risks.
Does OfficeScan support SQL servers?
No. OfficeScan does not support SQL servers.
Can OfficeScan function properly in a network environment that employs Network
Address Translation (NAT)?
Yes. You must enable Scheduled Deployment in a NAT environment to ensure
your clients can receive updated components (see Using Scheduled Update with
NAT on page 2-20).
Enterprise Client Firewall
Can I reinstall OfficeScan and preserve my client firewall settings?
Yes. You can back up the OfficeScan server database and certain other
configuration files in the OfficeScan server PCCSRV folder and then overwrite
the new database and configuration files with the backups. For specific
instructions, see the Installation and Deployment Guide.
How can I test to see that the firewall and Intrusion Detection System are working?
Create a test policy and deploy it to a test computer on your network (see Testing
the Firewall on page 6-14).
How can I prevent overwriting my client's exception list when I deploy a new firewall
profile?
Selecting the Overwrite client security level/exception list check box on the
Profile List screen ensures that the security level and exception list you
configured for the policy will be applied to all selected clients. If you want the
clients to preserve their settings, such as their exception list, clear this check box
(see Configuring Profiles on page 6-13).
Updating the Server and Clients
Where does the OfficeScan server receive updated components by default?
The OfficeScan server receives updated components from the Trend Micro
ActiveUpdate server by default. If you want to receive updates from other
sources, configure an update source list for both automatic and manual updates.
How often should I update the server and client?
Trend Micro typically releases virus pattern files on a daily basis and
recommends updating both the server and clients daily. You can preserve the
default schedule setting on the Automatic Update screen to update the server on a
daily basis.
When should an OfficeScan client get updates from the Trend Micro Web server?
Grant clients the privilege to download their components from the Trend Micro
ActiveUpdate server when you are having network problems that may prohibit
clients from connecting to the OfficeScan server or to Update Agents.
How many OfficeScan clients can an Update Agent handle?
This depends on the hardware specifications of the Update Agent. However,
since the OfficeScan server will only notify two hundred and fifty (250) clients at
a time, keeping the notification queue at a maximum of 250, each Update Agent
will handle no more than 250 download processes concurrently (see Using
Update Agent on page 2-9).
How can a remote client that doesn't have access to the OfficeScan server get
updated components?
Clients that are unable to connect to the OfficeScan server can receive updates
from Update Agents or from the Trend Micro ActiveUpdate server.
How often should I update the client?
Trend Micro typically releases virus pattern files on a daily basis and
recommends updating both the server and clients daily. You can modify the
deployment schedule settings on the Automatic Deployment screen (see Using
Automatic Deployment on page 2-16).
Alert Messages
What's the difference between the alert messages for Virus Outbreak Monitor,
Outbreak Prevention, Outbreak Alert, and Standard Alert?
• OfficeScan sends the Virus Outbreak Monitor alert message when it detects an excessive number of sessions on your network. This is a signal of a possible virus outbreak (see Configuring Virus Outbreak Monitor on page 5-8).
• OfficeScan sends the Outbreak Prevention alert message when you manually enable Outbreak Prevention and configure client notification for outbreaks. Enable Outbreak Prevention only when you are certain of an outbreak on your network (see Configuring Client Notification for Outbreaks on page 5-7).
• OfficeScan sends the Outbreak Alert message when it scans for and detects an excessive amount of viruses or grayware applications (see Configuring Outbreak Alerts on page 4-2).
• OfficeScan sends a Standard Alert message immediately after detecting the first virus or grayware application (see Configuring Standard Alerts on page 4-2).
Scanning
What types of viruses can OfficeScan detect?
See Understanding Viruses and Malware on page 1-14 for a summary of virus
types. Also see Potential Risks and Threats of Spyware and Other Grayware on
page 3-2 for an overview of what grayware is and how OfficeScan can deal with
it.
Can OfficeScan detect cookies?
Yes. OfficeScan can detect and eliminate cookies. For best results, enable
Damage Cleanup Services (see How Damage Cleanup Services Works on page
3-3).
How can I best protect my clients from spyware?
To take full advantage of the OfficeScan anti-spyware/grayware capabilities,
install Damage Cleanup Services (DCS) 3 along with the standard antivirus
protection. Scanning for spyware and other grayware is not enabled by default.
Modify the default scan settings to enable scanning for spyware and other
grayware.
Follow the instructions for eliminating spyware and other types of grayware and
take into consideration the suggestions for guarding against spyware and other
types of grayware (Eliminating Spyware, other Grayware, and Trojan Threats on
page 3-1). Trend Micro recommends creating an anti-spyware policy for your
organization.
What is grayware?
Grayware is an umbrella term to describe files and programs, other than viruses
and Trojans, that can negatively affect the performance of the computers on your
network.
These include spyware, adware, dialers, joke programs, hacking tools, remote
access tools, password cracking applications, and others. The OfficeScan scan
engine scans for grayware as well as viruses. Damage Cleanup Services 3 can
clean up running Trojan and grayware processes.
Policy Server for Cisco Network Admission Control (NAC)
What device models does Policy Server for Cisco NAC support?
See Policy Server System Requirements on page A-16.
Does Cisco NAC validate clients based on the new anti-spyware/grayware
components?
No. Cisco NAC only validates clients based on their antivirus components (the
virus pattern file and scan engine).
Which version of Cisco NAC does this version of OfficeScan support?
OfficeScan supports both version 1.0 and 2.0. If your Access Control Server
(ACS) is version 4.0 or later, you must upgrade the Cisco Trust Agent on the
clients to version 2.0. See Upgrading and Deploying Cisco Trust Agent 2.0 on
page B-9.
Web Console
Does the OfficeScan server Web console support SSL?
Yes. During OfficeScan server installation, you can enable SSL for secure
browser-Web server communications. See the OfficeScan Installation and
Deployment Guide for instructions on how to enable SSL after OfficeScan server
installation.
Documentation
What documentation is available with this version of OfficeScan?
This version of OfficeScan includes the following: Installation and Deployment
Guide, Administrator's Guide, readme file, and help files for the OfficeScan
server Web console (you are currently viewing), client, Master Installer, Policy
Server Web console, and Policy Server installer.
Can I download the OfficeScan documentation?
Yes. You can download the Installation and Deployment Guide, Administrator's
Guide, and readme file from the following site:
http://www.trendmicro.com/download/
I have questions/issues with the documentation. How can I provide feedback to Trend
Micro?
Trend Micro is always seeking to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please go to the
following site:
www.trendmicro.com/download/documentation/rating.asp
Troubleshooting
This section describes how to troubleshoot problems that may arise with this version
of OfficeScan.
Client-server Communication
This section explains some key points about OfficeScan client-server
communication. Understanding the client-server communication will help you more
quickly troubleshoot problems and take advantage of the Web console's central
management capabilities.
When the actual client status and the status displayed on the console are out of sync, it is
usually because the server database records do not match the values in the client registry.
The following steps describe the client-server communication flow:
1. The server requests the client to install the client software or update its components.
2. The client writes its status information to the Registry after installation or update.
3. The client reports the status information to the server.
4. The server writes its information to the database.
5. The server displays its updated information on the Web console.
6. The server displays the updated status in the client icon.
OfficeScan Client will not Install on Windows XP Computers
You must disable Simple File Sharing on Windows XP clients before they can
successfully install the OfficeScan client program (see your Windows documentation
for instructions).
Some OfficeScan Components are not Installed
Licenses to various components of Trend Micro products may differ by region. You
may not have received a license for the Enterprise Client Firewall, for protection,
and/or Damage Cleanup Services 3. After installation, you will see a summary of the
components your Registration Key/Activation Code allows you to use. Check with
your vendor or reseller to verify the components for which you have licenses.
See the following Web site for frequently asked questions about registration:
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=16326&q=licensing&qp=&qt=licensing&qs=&r=2&c=16326&sort=0
Unable to Access the Web Console
There are several potential causes of this problem.
Browser Cache
If you upgraded from a previous version of OfficeScan, Web browser and proxy server cache
files may prevent the OfficeScan Web console from loading properly. Clear the cache
memory on your browser and on any proxy servers located between the OfficeScan server
and the computer you use to access the Web console.
SSL Certificate
Also verify that your Web server is functioning properly. If you are using SSL, verify
that the SSL certificate is still valid. See your Web server documentation for details.
Web Server Lockdown
If you’re using the Microsoft IIS Lockdown Tool™, the lockdown of OfficeScan
configuration (.ini) and executable (.exe) files may be causing the problem. See
your Microsoft documentation for ways to configure the lockdown tool to allow
these files to be accessed and executed.
Virtual Directory Settings
There may be a problem with the virtual directory settings if you are running the
OfficeScan server Web console on an IIS server and the following message appears:
The page cannot be displayed
HTTP Error 403.1 - Forbidden: Execute access is denied.
Internet Information Services (IIS)
This message may appear when either of the following addresses is used to access the
console:
http://<server name>/officescan/
http://<server name>/officescan/default.htm
However, the console may open without any problems when using the following
address:
http://<server name>/officescan/console/cgi/cgichkmasterpwd.exe
To resolve this issue, check the execute permissions of the OSCE virtual directory.
Do the following:
1. Open the Internet Information Services (IIS) manager.
2. In the OSCE virtual directory, select Properties.
3. Select the Virtual Directory tab and change the execute permissions to Scripts instead of none.
Also change the execute permissions of the client install virtual directory.
Incorrect Number of Clients on the Web Console
You may see that the number of clients reflected on the Web console is incorrect.
This happens if you retain client records in the database after client program removal.
For example, if client-server communication is lost while removing the client, the
server does not receive notification about the client removal. The server retains client
information in the database and still shows the client icon on the console. When you
reinstall the client, the server creates a new record in the database and displays a new
icon on the console.
This error can occur in steps 4 and 5 of the client-server communication flow (see
Client-server Communication on page 9-8).
Use the Verify Connection feature to check for duplicate client records. See Verifying
Client-Server Connection on page 2-22 for more information.
You can also remove inactive clients automatically. See Removing Inactive Clients on
page 4-4 for more information.
Incorrect Client Status on the Web Console
You may see that OfficeScan does not synchronize the actual client status and the
client status on the console. This happens if the client is unable to launch the client
program or if, at startup, the client loses connection to the server before it could
report its status.
This error can occur in steps 4 and 5 of the client-server communication flow (see
Client-server Communication on page 9-8).
To resolve this, try the following:
• Use the OfficeScan Verify Connection feature of the server to check if client-server communication exists. See Verifying Client-Server Connection on page 2-22 for more information. If the server can communicate with the client, it will display the client status as Online.
• Check if the client computer is off or if the client program has been unloaded, removed, or stopped. These conditions will cause the server to display the client status as Off. If there was an error during any of these processes, it is possible that the client was not able to inform the server that it is shutting down or that it is being unloaded, removed, or stopped. As a result, the server did not know to change the status of the client from On to Off. On the client, check if the OfficeScan icon appears as the roaming-mode icon (icon image not reproduced here). If it does, the client has switched to roaming mode.
Note:
If this does not help you find the real cause of the issue, use ActiveSupport to
collect Ofcdebug.log from both the server and client, then contact Trend Micro
technical support. See the OfficeScan client help for information on running Active
Support.
Incorrect Component Versions
OfficeScan may incorrectly display the version number of the client components.
This happens when the client is unable to write its status information to the registry
and send this information to the server.
For example, you updated the pattern file of a client from 411 to version 413.
However, after updating, the console still shows 411. It is possible that you updated
the client but the client was unable to write its updated information to the registry.
To resolve the incorrect display problem, try the following:
• Use ping or telnet to verify that the client is on the network
• Use the OfficeScan Verify Connection feature of the server to check if client-server communication exists. If the server can communicate with the client, it will display the client status as Online (see Verifying Client-Server Connection on page 2-22).
• If you have limited bandwidth, check for connection timeouts between the server and the client
• If you are using a proxy server for client-server communication, check that the proxy settings are correct
• Open a Web browser on the client, type http://{Server name}:{Server port}/officeScan/cgi/cgionstart.exe in the address text box, and then press ENTER. (If using SSL, type https://{Server name}:{Server port}/officeScan/cgi/cgionstart.exe). If the next screen shows -2, this means the client can communicate with the server. This also indicates that the problem may be in the server database; it may not have a record for the client. In this case, please contact Trend Micro support.
• Check if the user has local administrator rights to the client computer to write to the registry. OfficeScan writes client information, including the version of the pattern file, scan engine, and program, to the registry.
• Check if the user modified files or registry values but forgot to restart the Tmlisten.exe service on the client for Windows NT/2000/XP/Server 2003 or Pccwin97.exe on the client for Windows 95/98/Me/98 SE.
Note:
If this does not help you find the real cause of the issue, use ActiveSupport to
collect Ofcdebug.log from both the server and client, then contact Trend
Micro technical support. See the OfficeScan client help for information on
running Active Support.
Unsuccessful Installation from Web page or Remote Install
If users report that they cannot install from the internal Web page or if installation
with Remote Install is unsuccessful, try the following:
• Verify that client-server communication exists by using ping and telnet
• Verify that you have administrator privileges to the target computer where you want to install the client
• Check if TCP/IP on the client is enabled and properly configured
• Check if the target computer meets the minimum system requirements
• Check if any file has been locked
• If you have limited bandwidth, check if it causes connection timeout between the server and the client
• If you are using a proxy server for client-server communication, check if the proxy settings are configured correctly
• Open a Web browser on the client, type http://{Server name}:{Server port}/officeScan/cgi/cgionstart.exe in the address text box, and then press ENTER. If the next screen shows -2, this means the client can communicate with the server. This also indicates that the problem may be in the server database; it may not have a record for the client.
Client Icon Does Not Appear on Web Console After Installation
You may discover that the client icon does not appear on the console after you install
the client. This happens when the client is unable to send its status to the server.
To resolve this, do the following:
• Verify that client-server communication exists by using ping and telnet
• If you have limited bandwidth, check if it causes connection timeout between the server and the client
• Check if the \PCCSRV folder on the server has shared privileges and if all users have been granted full control privileges
• Verify the OfficeScan server proxy settings to ensure they are correct
• Open a Web browser on the client, type http://{OfficeScan_Server_Name}:{port number}/officeScan/cgi/cgionstart.exe in the address text box, and then press ENTER. If the next screen shows -2, this means the client can communicate with the server. This also indicates that the problem may be in the server database; it may not have a record for the client.
• If you moved the client to a new OfficeScan server with the Client Mover I tool, you may need to restart the OfficeScan master service (ofservice.exe) on the new server.
Note:
If this does not help you find the real cause of the issue, use ActiveSupport to
collect Ofcdebug.log from both the server and client, then contact Trend
Micro technical support. See the OfficeScan client help for information on
running Active Support.
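The three troubleshooting lists above (Incorrect Component Versions, Unsuccessful Installation, and Client Icon Does Not Appear) all tell you to ping the server, test the port with telnet, and then request cgionstart.exe and look for a response of -2. The following PowerShell script is an added example that automates those three checks from a client; it is not part of the guide or of OfficeScan. The server name, port and SSL switch are assumptions, as is the script itself; only the URL path and the -2 meaning come from the guide.

```powershell
# Added example (not from the OfficeScan guide): run the guide's client-side
# connectivity checks in one go. Server name and port are assumptions.
param(
    [string]$ServerName = 'osce-server.example.local',   # assumed server name
    [int]$ServerPort    = 8080,                          # assumed server port
    [switch]$UseSsl                                      # use https:// if the console runs SSL
)

$scheme = if ($UseSsl) { 'https' } else { 'http' }
# Path taken from the guide; only scheme/host/port are filled in here.
$uri = '{0}://{1}:{2}/officeScan/cgi/cgionstart.exe' -f $scheme, $ServerName, $ServerPort

# 1. Reachability (the guide's "ping" step). -Quiet returns $true/$false.
$pingOk = Test-Connection -ComputerName $ServerName -Count 2 -Quiet
Write-Host ('ICMP reachable : {0}' -f $pingOk)

# 2. TCP port open (the guide's "telnet" step, without an interactive session).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ServerName, $ServerPort)
    $portOk = $tcp.Connected
} catch {
    $portOk = $false
} finally {
    $tcp.Close()
}
Write-Host ('TCP {0} open    : {1}' -f $ServerPort, $portOk)

# 3. The cgionstart.exe probe. A body of "-2" means the client can talk to the
#    server; per the guide that points at a missing server-database record
#    rather than a network problem.
if ($portOk) {
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
        $body = ($resp.Content | Out-String).Trim()
        Write-Host ("cgionstart.exe : '{0}'" -f $body)
        if ($body -eq '-2') {
            Write-Host 'Client-server communication works; check the server database record for this client.'
        } else {
            Write-Host 'Unexpected response; check proxy settings and connection timeouts.'
        }
    } catch {
        Write-Host ('HTTP request failed: {0}' -f $_.Exception.Message)
    }
}
```

If the console uses SSL with a certificate the client does not trust, Invoke-WebRequest fails before any body is returned; that is the SSL Certificate case from the Unable to Access the Web Console section, not a client-server communication failure, so check the certificate before reading anything into the result.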
Issues During Migration from Third-party Antivirus Software
This section discusses some issues you may encounter when migrating from
third-party antivirus software.
Client migration
The setup program for the OfficeScan client utilizes the third-party software’s
uninstallation program to automatically remove it from your users’ system and
replace it with the OfficeScan client. If automatic uninstallation is unsuccessful,
users get the following message:
Uninstallation failed.
There are several possible causes for this error:
• The third-party software’s version number or product key is inconsistent
• The third-party software’s uninstallation program is not working
• Certain files for the third-party software are either missing or corrupted
• The registry key for the third-party software cannot be cleaned
• The third-party software has no uninstallation program
There are also several possible solutions for this error:
• Manually remove the third-party software
• Stop the service for the third-party software
• Unload the service or process for the third-party software
To manually remove the third-party software:
• If the third-party software is registered in Add/Remove Programs:
  a. Open the Control Panel.
  b. Double-click Add/Remove Programs.
  c. Select the third-party software from the list of installed programs.
  d. Click Remove.
• If the third-party software is not registered in Add/Remove Programs:
  a. Open the Windows registry.
  b. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall.
  c. Locate the third-party software and run the uninstall string value.
  d. If the third-party software’s setup program is in MSI format:
     • Locate the product number
     • Verify the product number
     • Run the uninstall string
Note:
Some product uninstallation keys are in the Product Key folder.
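The registry procedure above (find the product under the Uninstall key, verify the product number for an MSI package, then run the uninstall string) can be scripted so that the lookup is done consistently before anyone runs anything. The following PowerShell is an added example, not part of the guide or of OfficeScan: it finds the matching entries, flags MSI packages by their {GUID} product code, and prints the uninstall string without executing it. The product name and the 32-bit-on-64-bit key are assumptions.

```powershell
# Added example (not from the OfficeScan guide): locate a third-party product's
# entry under the Uninstall key and report whether it is an MSI package.
# Nothing is executed; the administrator runs the reported string by hand.
param(
    [string]$ProductName = 'Example Antivirus'   # assumed substring of the DisplayName
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Assumed extra location: 32-bit products on 64-bit Windows register here.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# MSI product codes are GUIDs in braces; that is the "product number" to verify.
$productCodePattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$entries = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -and $p.DisplayName -like "*$ProductName*") {
            $isMsi = $_.PSChildName -match $productCodePattern
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                IsMsiPackage    = $isMsi
                ProductCode     = if ($isMsi) { $_.PSChildName } else { $null }
                UninstallString = $p.UninstallString
                RegistryPath    = $_.PSPath
            }
        }
    }
}

if (-not $entries) {
    # Matches the guide's "not registered to Add/Remove Programs" case: the
    # product has no Uninstall entry, so the vendor's own removal steps apply.
    Write-Host "No Uninstall entry matches '$ProductName'."
} else {
    $entries | Format-List
    foreach ($e in $entries) {
        if ($e.IsMsiPackage) {
            # For an MSI package the product code is what MsiExec /X removes;
            # compare it with the vendor's documentation before running it.
            Write-Host ("MSI product {0}: verify product code {1}, then run: msiexec.exe /x {1}" -f $e.DisplayName, $e.ProductCode)
        } elseif ($e.UninstallString) {
            Write-Host ("Non-MSI product {0}: run the uninstall string: {1}" -f $e.DisplayName, $e.UninstallString)
        } else {
            Write-Host ("{0} has no UninstallString; remove it manually." -f $e.DisplayName)
        }
    }
}
```

Run it in an elevated PowerShell session on the client being migrated; if the product's entry is missing from both keys, fall back to the "not registered" branch of the procedure above.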
To modify the service for the third-party software
1. Restart the computer in safe mode.
2. Modify the service startup from automatic to manual.
3. Restart the system again.
4. Manually remove the third-party software.
To unload the service or process for the third-party software
WARNING! This procedure may cause undesirable effects to your computer if performed
incorrectly. Trend Micro highly recommends backing up your system first.
1. Unload the service for the third-party software.
2. Open the Windows registry, then locate and delete the product key.
3. Locate and delete the run or run service key.
Verify that the service registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services has been removed.
Clients Are Not Sending their Antivirus Information to the Policy Server for Cisco NAC
OfficeScan supports both version 1.0 and 2.0. If your Access Control Server
(ACS) is version 4.0 or later, you must upgrade the Cisco Trust Agent on the
clients to version 2.0. See Upgrading and Deploying Cisco Trust Agent 2.0 on
page B-9.
Client Connection Time-out Occurs Frequently
If you have deployed a large number of clients to the network, it is possible that you
may encounter frequent connection time-outs between the client and server. This
issue is caused by a restriction on the maximum number of simultaneous TCP/IP
connections between hosts set by Microsoft Windows.
To prevent this behavior, do one of the following:
• Increase the port range used for anonymous ports.
  a. Open the Windows Registry Editor (Regedit.exe).
  b. Locate the following path in the registry:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  c. Click Edit > New > DWord value.
  d. Type MaxUserPort in the Name column.
  e. Click Edit > Modify.
  f. Under Base, click Decimal.
  g. Type a value in the Value Data field. The default value is 5000. Trend Micro recommends using a value higher than the total number of OfficeScan clients installed on your network. The acceptable range of values is 1 to 65534.
• Decrease the default TCP timeout value.
  a. Open the Windows Registry Editor (Regedit.exe).
  b. Locate the following path key in the registry:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  c. Click Edit > New > DWord value.
  d. Type TcpTimedWaitDelay in the Name column.
  e. Click Edit > Modify.
  f. Under Base, click Decimal.
  g. Type a value in the Value Data field. The default value is 240. Trend Micro recommends using a value lower than the default. The acceptable range of values is 30 to 300.
Note:
More information about the registry keys MaxUserPort and TcpTimedWaitDelay
can be found by performing a search of the Microsoft knowledge base at:
http://support.microsoft.com/
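The two registry procedures above are easy to get wrong by hand (a hexadecimal base left selected, a value outside the documented range, or a MaxUserPort that does not actually exceed the client count). The following PowerShell is an added example, not part of the guide or of OfficeScan, that creates or updates both DWORD values under the Tcpip\Parameters key named in the guide and enforces the guide's defaults and ranges before writing. The client count and the chosen TcpTimedWaitDelay are assumptions.

```powershell
# Added example (not from the OfficeScan guide): set MaxUserPort and
# TcpTimedWaitDelay with the ranges and defaults the guide documents.
param(
    [int]$ClientCount       = 3000,   # assumed number of OfficeScan clients on the network
    [int]$TcpTimedWaitDelay = 60      # assumed value in seconds; guide: below the default of 240
)

# Key path from the guide (Regedit's HKEY_LOCAL_MACHINE is the HKLM: drive).
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# MaxUserPort: default 5000, valid 1..65534, must exceed the client count.
# Leave headroom above the client count but never exceed the documented maximum.
$maxUserPort = [math]::Min(65534, [math]::Max($ClientCount + 1000, 5001))
if ($maxUserPort -le $ClientCount) {
    throw "MaxUserPort $maxUserPort does not exceed the client count $ClientCount; 65534 is the ceiling"
}

# TcpTimedWaitDelay: default 240, valid 30..300; the guide recommends below default.
if ($TcpTimedWaitDelay -lt 30 -or $TcpTimedWaitDelay -gt 300) {
    throw "TcpTimedWaitDelay must be between 30 and 300 (got $TcpTimedWaitDelay)"
}
if ($TcpTimedWaitDelay -ge 240) {
    Write-Warning "TcpTimedWaitDelay $TcpTimedWaitDelay is not below the default of 240"
}

function Set-DwordValue {
    # Create the DWORD if it is absent (Regedit's Edit > New > DWord value),
    # otherwise modify it in place (Edit > Modify). Always decimal here.
    param([string]$Path, [string]$Name, [int]$Value)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value | Out-Null
        Write-Host "Created $Name = $Value"
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
        Write-Host "Changed $Name from $current to $Value"
    }
}

Set-DwordValue -Path $tcpipParams -Name 'MaxUserPort'       -Value $maxUserPort
Set-DwordValue -Path $tcpipParams -Name 'TcpTimedWaitDelay' -Value $TcpTimedWaitDelay
Write-Host 'Restart the server so the TCP/IP stack reads the new parameters.'
```

Run it elevated on the OfficeScan server; the values are read by the TCP/IP driver at start-up, so the change takes effect after a reboot. Export the Tcpip\Parameters key first if you want a simple way to roll back.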
Issues in environments using Network Address Translation (NAT)
The following issues may arise if your network uses Network Address Translation
(NAT):
• Clients appear as offline on the Web console
• The OfficeScan server is not able to successfully notify clients of updates and configuration changes
You can work around these issues by pulling updated components and configuration
files from the server to the client with a scheduled update. You can give clients the
privilege to enable a scheduled update, which allows clients to automatically update
both configuration files and antivirus components according to an Automatic
Deployment schedule you set (see Configuring Client Privileges and Settings on page
2-28 for information on enabling scheduled update and Using Automatic Deployment
on page 2-16 for information on setting an update schedule).
Do the following:
• Before installing OfficeScan client on client machines, enable scheduled deployment on the server and grant clients the privilege to enable scheduled update.
If you do this after installing the OfficeScan client program, give clients the
privilege to perform Update Now, and then perform the update on the client
machine to obtain the updated configuration settings.
When clients perform a scheduled update, they will receive both the updated
components and the configuration files.
Contacting Trend Micro
Trend Micro has sales and corporate offices located in many cities around the globe.
For global contact information, visit the Trend Micro Worldwide site:
http://www.trendmicro.com/en/about/contact/overview.htm
Note:
The information on this Web site is subject to change without notice.
The Trend Micro Security Information Center
Comprehensive security information is available over the Internet, free of charge, on
the Trend Micro Security Information Web site:
http://www.trendmicro.com/vinfo/
Visit the Security Information site to:
• Read the Weekly Virus Report, which includes a listing of threats expected to trigger in the current week, and describes the 10 most prevalent threats around the globe for the current week
• View a Virus Map of the top 10 threats around the globe
• Consult the Virus Encyclopedia, a compilation of known threats including risk rating, symptoms of infection, susceptible platforms, damage routine, and instructions on how to remove the threat, as well as information about computer hoaxes
• Download test files from the European Institute of Computer Anti-virus Research (EICAR), to help you test whether your security product is correctly configured
• Read general virus information, such as:
  • The Virus Primer, which helps you understand the difference between viruses, Trojans, worms, and other threats
  • The Trend Micro Safe Computing Guide
  • A description of risk ratings to help you understand the damage potential for a threat rated Very Low or Low vs. Medium or High risk
  • A glossary of virus and other security threat terminology
• Download comprehensive industry white papers
• Subscribe to Trend Micro’s Virus Alert service, to learn about outbreaks as they happen, and the Weekly Virus Report
• Learn about free virus update tools available to Web masters
• Read about TrendLabs℠, Trend Micro’s global antivirus research and support center
Known Issues
Known issues are features in OfficeScan software that may temporarily
require a workaround. Known issues are typically documented in the Readme
document you received with your product. Readme files for Trend Micro products can
also be found in the Trend Micro Update Center:
http://www.trendmicro.com/download/
Known issues can be found in the technical support Knowledge Base:
http://esupport.trendmicro.com/support/supportcentral/supportcentral.do?id=m1
Trend Micro recommends that you always check the Readme text for information on
known issues that could affect installation or performance, as well as a description of
what’s new in a particular release, system requirements, and other tips.
Contacting Technical Support
A license to the Trend Micro software usually includes the right to product updates,
pattern file updates, and basic technical support for one (1) year from the date of
purchase only. After the first year, Maintenance must be renewed on an annual basis
at Trend Micro’s then-current Maintenance fees.
You can contact Trend Micro via fax, phone, and email, or visit us at:
http://www.trendmicro.com
Speeding Up Your Support Call
When you contact the Knowledge Base, to speed up your problem resolution, ensure
that you have the following details available:
• Microsoft Windows and Service Pack versions
• Network type
• Computer brand, model, and any additional hardware connected to your machine
• Amount of memory and free hard disk space on your machine
• Detailed description of the install environment
• Exact text of any error message given
• Steps to reproduce the problem
The Trend Micro Knowledge Base
Trend Micro Knowledge Base is a 24x7 online resource that contains thousands of
do-it-yourself technical support procedures for Trend Micro products. Use
Knowledge Base, for example, if you are getting an error message and want to find
out what to do. New solutions are added daily.
Also available in Knowledge Base are product FAQs, important tips, preventive
antivirus advice, and regional contact information for support and sales.
Knowledge Base can be accessed by all Trend Micro customers as well as anyone
using an evaluation version of a product. Visit:
http://kb.trendmicro.com/solutions/
If you can't find an answer to a particular question, the Knowledge Base includes an
additional service that allows you to submit your question via an email message.
Response time is typically 24 hours or less.
Sending Suspicious Files to Trend Micro
You can send your viruses, infected files, Trojans, suspected worms, spyware, and
other suspicious files to Trend Micro for evaluation. To do so, contact your support
provider or visit the Trend Micro Submission Wizard URL:
http://subwiz.trendmicro.com/SubWiz
Click the link under the type of submission you want to make.
Note:
Submissions made via the submission wizard/virus doctor are addressed promptly
and are not subject to the policies and restrictions set forth as part of the Trend
Micro Virus Response Service Level Agreement.
When you submit your case, an acknowledgement screen displays. This screen also
displays a case number. Make note of the case number for tracking purposes.
If you prefer to communicate by email message, send a query to the following
address:
virusresponse@trendmicro.com
In the United States, you can also call the following toll-free telephone number:
(877) TRENDAV, or 877-873-6328
Trend Micro™ OfficeScan™ 7.3 Administrator’s Guide
About TrendLabs
TrendLabs is Trend Micro’s global infrastructure of antivirus research and product
support centers that provide up-to-the minute security information to Trend Micro
customers.
The “virus doctors” at TrendLabs monitor potential security risks around the world,
to ensure that Trend Micro products remain secure against emerging threats. The
daily culmination of these efforts is shared with customers through frequent virus
pattern file updates and scan engine refinements.
TrendLabs is staffed by a team of several hundred engineers and certified support
personnel who provide a wide range of product and technical support services.
Dedicated service centers and rapid-response teams are located in Tokyo, Manila,
Taipei, Munich, Paris, and Lake Forest, CA, to mitigate virus outbreaks and provide
urgent support.
TrendLabs’ modern headquarters, in a major Metro Manila IT park, has earned ISO
9002 certification for its quality management procedures in 2000—one of the first
antivirus research and support facilities to be so accredited. We believe TrendLabs is
the leading service and support team in the antivirus industry.
Appendix A
Policy Server for Cisco™ NAC Primer
This appendix serves as a primer for Cisco Network Admission Control (NAC). It
provides fundamental information on Cisco NAC technology. Read this appendix to
become familiar with the concepts and terminology associated with Cisco NAC
before installing and configuring the various Cisco NAC components.
Topics in this appendix include:
• Introducing Trend Micro Policy Server for Cisco NAC on page A-2
• Understanding Components and Terms on page A-2
• Cisco NAC Architecture on page A-5
• The Client Validation Sequence on page A-6
• Understanding the Policy Server on page A-8
• Understanding Certificates on page A-14
• Policy Server System Requirements on page A-16
Introducing Trend Micro Policy Server for Cisco NAC
Trend Micro Policy Server for Cisco Network Admission Control (NAC) evaluates
the status of antivirus components on OfficeScan clients. Policy Server configuration
options give you the ability to configure settings to perform actions on at-risk clients
to bring them into compliance with your organization’s antivirus initiative.
These actions include the following:
• Instruct client computers to update their OfficeScan client components
• Enable Real-time Scan
• Perform Scan Now and Cleanup Now
• Display a notification message on client computers to inform users of the antivirus
policy violation.
To help you analyze the performance of your antivirus policies, you also have the
option to view Policy Server logs, which record information such as the time the
Policy Server evaluated clients and the result of the evaluations.
Note: For additional information on Cisco NAC technology, see the Cisco Web site at
www.cisco.com/go/nac.
Understanding Components and Terms
The following is a list of the various components and the important terms you need to
become familiar with to understand and use Policy Server for Cisco NAC.
Components
The following components are necessary in the Trend Micro implementation of
Policy Server for Cisco NAC:
• Cisco Trust Agent (CTA) – an installation on a client that allows it to
communicate with other Cisco NAC components
• OfficeScan client – a client computer with the OfficeScan client program
installed. To work with Cisco NAC, the client computer also requires the Cisco
Trust Agent
• Network Access Device – a network device that supports Cisco NAC
functionality. Supported Network Access Devices include a range of Cisco routers,
firewalls, and access points, as well as third-party devices with Terminal Access
Controller Access Control System (TACACS+) or the Remote Dial-In User
Service (RADIUS) protocol. For a list of supported routers, see Accepted Cisco
Device Models on page A-18.
• Cisco Secure Access Control Server (ACS) – a server that receives OfficeScan
client antivirus data from the Network Access Device and passes it to an external
user database for evaluation. Later in the process, the ACS server also passes the
result of the evaluation, which may include instructions for the OfficeScan client,
to the Network Access Device.
Note: The ACS server has configuration options outside of the scope of the Trend
Micro implementation of Policy Server for Cisco NAC. For example, it is
capable of performing other actions on the client, such as preventing network
access. See your Cisco Secure Access Control Server documentation for more
information.
• Policy Server – a computer that receives and evaluates OfficeScan client antivirus
data. After performing the evaluation, the Policy Server determines what actions
the OfficeScan client should carry out. It then passes this information back to the
client.
• OfficeScan server – the OfficeScan server reports the current virus pattern file and
scan engine versions to the Policy Server, which uses this information to perform
the evaluation of the OfficeScan client
Terms
Become familiar with the following terms related to Policy Server for Cisco NAC:
• Security posture – the presence and currency of antivirus software on a client. In
this implementation, security posture refers to whether or not the OfficeScan client
program is installed on clients, the status of certain OfficeScan client settings, and
how up-to-date the versions of the scan engine and virus pattern file are.
• Posture token – information the Policy Server creates after OfficeScan client
validation, including instructions that tell the OfficeScan client to perform a set of
specified actions, such as enabling Real-time Scan or updating antivirus
components
• Client validation – the process of evaluating client security posture and returning
the posture token to the client
• Policy Server rule – guidelines containing configurable criteria the Policy Server
uses to measure OfficeScan client security posture. A rule also contains actions for
the client and the Policy Server to carry out if the security posture information
matches the criteria (see Understanding Policy Server Policies and Rules on page
A-9 for detailed information).
• Policy Server policy – a set of rules against which the Policy Server measures the
security posture of OfficeScan clients. Policies also contain actions for clients and
the Policy Server to carry out if the criteria in the rules associated with the policy
do not match the security posture (see Understanding Policy Server Policies and
Rules on page A-9 for detailed information).
Cisco NAC Architecture
Figure A-1 illustrates a basic Cisco NAC architecture with the components described
above.
[Figure A-1 shows: Cisco Secure Access Control Server (ACS); Trend Micro Policy
Server for Cisco NAC; OfficeScan server; Cisco NAC-supported Network Access Device;
End-user client (OfficeScan client) with CTA installation]
FIGURE A-1 Basic Cisco NAC architecture
The OfficeScan client in Figure A-1 has a CTA installation and is only able to access
the network through a Network Access Device that supports Cisco NAC. The
Network Access Device is located between the client and the other Cisco NAC
components.
Note: The architecture of your network may differ based on the presence of proxy servers,
routers, or firewalls.
The Client Validation Sequence
Client validation refers to the process of evaluating an OfficeScan client’s security
posture and returning instructions for the client to perform if the Policy Server
considers it to be at-risk. The Policy Server validates an OfficeScan client by using
configurable rules and policies.
Figure A-2 illustrates the sequence of events that occurs when an OfficeScan client
attempts to access the network:
STEP 1: The Cisco Network Access Device starts the validation sequence by
requesting the security posture of the client when it attempts to access the
network.
STEP 2: The Network Access Device then passes the security posture to the ACS
server.
STEP 3: The ACS server passes the security posture to the Policy Server, which
performs the evaluation.
STEP 4: In a separate process, the Policy Server periodically polls the OfficeScan
server for pattern file and scan engine information to keep its data current. It
then uses a policy you configure to perform a comparison of this information
with the client security posture data.
STEP 5: Following that, the Policy Server creates a posture token, and passes it back
to the OfficeScan client.
STEP 6: Finally, the client performs the actions configured in the posture token.
[Figure A-2 shows the exchange among the OfficeScan client, Network Access
Device, Cisco Secure ACS, Policy Server for Cisco NAC, and OfficeScan server:
request to connect to network; request security posture; pass security posture
(virus pattern file and scan engine version) to the ACS and on to the Policy
Server; request and return current versions of virus pattern file and scan engine
from the OfficeScan server; use security posture to validate client (the Policy
Server uses policies to compare client security posture with the most recent
versions of virus pattern file and scan engine); return posture token back to the
client. The client carries out actions specified in the posture token and retries
to connect to the network.* The validation sequence is then repeated.]
* The client retries to access the network when the Network Access Device timer expires. See your Cisco router
documentation for information on configuring the timer.
FIGURE A-2 Network access validation sequence
Understanding the Policy Server
The Policy Server is responsible for evaluating the OfficeScan client’s security
posture and for creating the posture token. It performs the evaluation by comparing
the security posture with the latest versions of the virus pattern file and scan engine
received from the OfficeScan server of which the client is a member. It returns the
posture token to the Cisco Secure ACS server, which in turn passes it to the client
from the Cisco Network Access Device.
Installing additional Policy Servers on a single network can improve performance
when a large number of clients simultaneously attempt to access the network, and
provides a backup if a Policy Server becomes inoperable. If multiple OfficeScan servers
are installed on a network, the Policy Server handles requests for all OfficeScan
servers registered to it. Likewise, multiple Policy Servers can handle requests for a
single OfficeScan server that is registered to all the Policy Servers. Figure A-3
illustrates the relationship of multiple OfficeScan servers and Policy Servers.
[Figure A-3 shows: Cisco Secure ACS; Policy Servers; OfficeScan Servers; Network
Access Device; OfficeScan Client]
FIGURE A-3 Multiple Policy Server/OfficeScan server relationship
You can also install the Policy Server on the same machine as the OfficeScan server.
Understanding Policy Server Policies and Rules
Policy Servers use configurable rules and policies to help enforce your organization’s
security guidelines.
Rules are comprised of specific criteria that Policy Servers use to compare with the
security posture of OfficeScan clients. If the client security posture matches the
criteria you configure in a rule, the client and server carry out the actions you specify
in the rule (see Instructing the Policy Server and the OfficeScan Client to Carry Out
Actions on page A-10).
Policies are comprised of one or more rules. Assign one policy to each registered
OfficeScan server on your network for both Outbreak mode and normal mode (see
Using Outbreak Prevention on page 5-2 for more information on network modes).
If the OfficeScan client security posture matches the criteria in a rule that belongs to
the policy, the OfficeScan client carries out the actions you configure in the rule.
However, if the client security posture does not match any of the criteria in any of the
rules associated with the policy, you can still configure default actions in the policy
for the client and server to carry out (see Instructing the Policy Server and the
OfficeScan Client to Carry Out Actions on page A-10).
Tip: If you want certain clients in an OfficeScan domain to have different Outbreak and
normal mode policies from other clients in the same domain, Trend Micro suggests
restructuring the domains to group clients with similar requirements (see Working
with OfficeScan Domains on page 2-3).
Rule Composition
Rules are comprised of security posture criteria, default responses that are associated
with clients, and actions that clients and the Policy Server perform.
Security Posture Criteria
Rules are comprised of the following security posture criteria:
• Client Real-time Scan status – if Real-time Scan is enabled or disabled
• Client scan engine version currency – if the scan engine is up-to-date
• Client virus pattern file status – how up-to-date the virus pattern file is. The Policy
Server determines this by checking one of the following:
• if the virus pattern file is a certain number of versions older than the Policy
Server version
• if the virus pattern file was released a certain number of days prior to the
validation
Default Responses for Rules
Responses are used to help you understand the condition of OfficeScan clients on
your network when client validation occurs. The responses, which appear in the
Policy Server client validation logs, correspond to posture tokens. Choose from the
following default responses:
• Healthy – the client conforms to your security policies
• Checkup – the client needs to update its antivirus components
• Quarantine – the client is at high risk of being infected
• Infected – the client is infected or at risk of infection
• Unknown – any other condition
Note: You cannot add, delete, or modify responses.
Instructing the Policy Server and the OfficeScan Client to Carry Out Actions
If the client security posture matches the rule criteria, the Policy Server can carry out
the following action:
• Creates an entry in a Policy Server client validation log (see Using the Client
Validation Logs on page B-17 for more information)
If the client security posture matches the rule criteria, the OfficeScan client can carry
out the following actions:
• Enable client Real-time Scan so the OfficeScan client scans all files when they are
opened or saved (see Scan Options on page 2-25 for more information)
• Update all OfficeScan components (see Updating OfficeScan on page 2-4 for more
information)
• Scan the client after Real-time Scan is enabled or after an update
• If the above is selected, automatically run Anti-Spyware Services (Cleanup
Now) with the option of automatically performing Scan Now
Note: Enable Real-time Scan on clients to automatically perform Scan Now.
• Display a notification message to the client user
Default Rules
Policy Server provides default rules to give you a basis for configuring settings. The
rules cover common security posture conditions and actions that Trend Micro
recommends. The following rules are available by default:
Rule Name: Healthy
Matching criteria: Real-time Scan status enabled and Scan engine and virus
pattern file up-to-date
Response if criteria matched: Healthy
Server action: none
Client action: none
Rule Name: Checkup
Matching criteria: Client virus pattern status is at least one version older than the
version on the OfficeScan server with which the client is registered
Response if criteria matched: Checkup
Server action: Create entry in client validation log
Client action:
• Update components
• Perform automatic Cleanup Now on the client after Real-time Scan is enabled
or after an update
• Display notification message to the client user
Tip: If you use this rule, Trend Micro recommends using automatic deployment.
This helps ensure that clients receive the latest virus pattern file immediately
after the OfficeScan server downloads new components (see Using
Automatic Deployment on page 2-16).
Rule Name: Quarantine
Matching criteria: Virus pattern file is at least five versions older than the pattern
file on the OfficeScan server with which the client is registered
Response if criteria matched: Quarantine
Server action: Create entry in client validation log
Client action:
• Update components
• Perform automatic Cleanup Now and Scan Now on the client after Real-time
Scan is enabled or after an update
• Display notification message to the client user
Rule Name: Not protected
Matching criteria: Real-time Scan status disabled
Response if criteria matched: Infected
Server action: Create entry in client validation log
Client action:
• Enable client Real-time Scan
• Display notification message to the client user
Policy Composition
Policies are comprised of any number of rules and default responses and actions.
Rule Enforcement
Policy Server enforces rules in a specific order, which allows you to prioritize your
rules. You can change the order of rules, add new rules, and remove existing rules
from a policy.
Default Responses for Policies
As with rules, policies include default responses to help you understand the condition
of OfficeScan clients on your network when client validation occurs. However, the
default responses are associated with clients only when client security posture does
not match any rules in the policy.
The responses for policies are the same as those for rules (see Default Responses for
Rules on page A-10 for the list of responses).
Instructing the Policy Server and OfficeScan Client to Carry Out Actions
OfficeScan client and the Policy Server can carry out the same set of actions for
policies as they do for rules. However, the actions are performed only when client
security posture does not match any rules in the policy (see Instructing the Policy
Server and the OfficeScan Client to Carry Out Actions on page A-10 for a list of the
actions).
Default Policies
Policy Server provides default policies to give you a basis for configuring your
settings. Two policies are available: one for normal mode and one for outbreak mode.
Policy Name: Default Normal Mode Policy
Default rules associated with policy: Not protected, Quarantine, and Checkup
Response if none of the rules match: Healthy
Server action: none
Client action: none
Policy Name: Default Outbreak Mode Policy
Default rules associated with policy: Healthy
Response if none of the rules match: Infected
Server action: Create entry in client validation log
Client action:
• Enable client Real-time Scan
• Update components
• Perform automatic Cleanup Now and Scan Now on the client after Real-time
Scan is enabled or update is performed
• Display notification message to the client user
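The rule composition, rule enforcement order, and the default rules and policies described above, modelled as an added Python example (this is not Trend Micro's code; the class names, action names, and sample version numbers are assumptions made for the illustration):

```python
"""Model of Policy Server client validation as described in the Appendix A
primer.  Added illustration, not Trend Micro code: class names, action names
and sample version numbers are assumptions; the real Policy Server data
formats are not documented on the page."""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Optional


@dataclass
class ServerState:
    """What the Policy Server learned from the OfficeScan server at its last
    synchronization (constructed sample values are used in the tests)."""
    pattern_version: int
    pattern_release: date
    engine_version: str
    outbreak_mode: bool = False


@dataclass
class Posture:
    """Security posture reported by the client (CTA -> NAD -> ACS -> Policy Server)."""
    realtime_scan_enabled: bool
    pattern_version: int
    pattern_release: date
    engine_version: str


@dataclass
class Rule:
    name: str
    criteria: Callable[[Posture, ServerState, date], bool]
    response: str                              # Healthy/Checkup/Quarantine/Infected/Unknown
    server_log: bool = False                   # server action: client validation log entry
    client_actions: List[str] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    rules: List[Rule]                          # enforced in this order; first match wins
    default_response: str                      # used only when no rule matches
    default_server_log: bool = False
    default_client_actions: List[str] = field(default_factory=list)


@dataclass
class PostureToken:
    response: str
    matched_rule: Optional[str]                # None means the policy default applied
    log_entry: bool
    client_actions: List[str]


# The three security posture criteria from "Rule Composition".
def pattern_versions_behind(n: int):
    """Pattern file is at least n versions older than the Policy Server's copy."""
    return lambda p, s, today: s.pattern_version - p.pattern_version >= n


def pattern_days_old(n: int):
    """Pattern file was released at least n days before the validation."""
    return lambda p, s, today: (today - p.pattern_release).days >= n


def up_to_date(p: Posture, s: ServerState, today: date) -> bool:
    """Real-time Scan enabled and scan engine and pattern file current."""
    return (p.realtime_scan_enabled and p.engine_version == s.engine_version
            and p.pattern_version >= s.pattern_version)


# The four default rules from "Default Rules".
HEALTHY = Rule("Healthy", up_to_date, "Healthy")
CHECKUP = Rule("Checkup", pattern_versions_behind(1), "Checkup", True,
               ["update", "cleanup_now", "notify"])
QUARANTINE = Rule("Quarantine", pattern_versions_behind(5), "Quarantine", True,
                  ["update", "cleanup_now", "scan_now", "notify"])
NOT_PROTECTED = Rule("Not protected",
                     lambda p, s, today: not p.realtime_scan_enabled,
                     "Infected", True, ["enable_realtime_scan", "notify"])

# The two default policies from "Default Policies".  Order matters: in normal
# mode a client with Real-time Scan disabled is "Infected" even if its pattern
# file is also five versions behind.  None of the normal-mode default rules
# checks scan engine currency, so a client with a stale engine but a current
# pattern file falls through to the policy default ("Healthy").
DEFAULT_NORMAL = Policy("Default Normal Mode Policy",
                        [NOT_PROTECTED, QUARANTINE, CHECKUP], "Healthy")
DEFAULT_OUTBREAK = Policy("Default Outbreak Mode Policy", [HEALTHY], "Infected", True,
                          ["enable_realtime_scan", "update", "cleanup_now",
                           "scan_now", "notify"])


def validate(posture: Posture, server: ServerState, today: Optional[date] = None,
             policies=(DEFAULT_NORMAL, DEFAULT_OUTBREAK)) -> PostureToken:
    """Client validation: choose the policy for the server's current mode,
    enforce its rules in order, and build the posture token."""
    today = today or date.today()
    policy = policies[1] if server.outbreak_mode else policies[0]
    for rule in policy.rules:
        if rule.criteria(posture, server, today):
            return PostureToken(rule.response, rule.name, rule.server_log,
                                list(rule.client_actions))
    return PostureToken(policy.default_response, None, policy.default_server_log,
                        list(policy.default_client_actions))
```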
Understanding Synchronization
Regularly synchronize the Policy Server with registered OfficeScan servers to keep
the Policy Server versions of the virus pattern file, scan engine, and server outbreak
status (normal mode or Outbreak mode) up-to-date with those on the OfficeScan
server. Use the following methods to perform synchronization:
• Manually – perform synchronization at any time on the Summary screen (see
Viewing Summary Information for a Policy Server on page B-14)
• By schedule – set a schedule to have OfficeScan perform synchronization (see
Performing Administrative Tasks on page B-17)
Understanding Certificates
Cisco NAC technology uses the following digital certificates to establish successful
communication between various components:
• ACS certificate – establishes trusted communication between the ACS server and
the Certificate Authority (CA) server. The Certificate Authority server signs the
ACS certificate before you save it on the ACS server.
• CA certificate – authenticates OfficeScan clients with the Cisco ACS server. The
OfficeScan server deploys the CA certificate to both the ACS server and to
OfficeScan clients (included with the Cisco Trust Agent package).
• Policy Server SSL certificate – establishes secure HTTPS communication
between the Policy Server and ACS server. The Policy Server installer
automatically generates the Policy Server SSL certificate during Policy Server
installation.
Tip: The Policy Server SSL certificate is optional. However, Trend Micro recommends
using it to encrypt the data sent between the Policy Server and ACS server.
Figure A-4 illustrates the steps involved in creating and deploying ACS and CA
certificates:
[Figure A-4 shows: the Certificate Authority (CA) server issues the ACS certificate
to the Cisco Secure ACS server and the CA certificate to the ACS server and the
OfficeScan server; the OfficeScan server deploys the CA certificate with CTA to the
OfficeScan client]
FIGURE A-4 ACS and CA certificate creation and deployment
1. After the ACS server issues a certificate signing request to the CA server, the CA
issues a certificate (the ACS certificate). You can then install the ACS certificate
on the ACS server. The process is described as Enrolling the Cisco Secure ACS
server on page B-3.
2. Next, you can export a CA certificate from the CA server and install it on the
ACS server. See Exporting and Installing the CA Certificate on page B-3 for
detailed instructions.
3. Following that, save a copy of the same CA certificate on the OfficeScan server.
4. The OfficeScan server deploys the CA certificate to clients with the CTA. See
Deploying the Cisco Trust Agent on page B-7 for detailed instructions.
Understanding the CA Certificate
OfficeScan clients with CTA installations authenticate with the ACS server before
communicating client security posture. Several methods are available for
authentication (see your Cisco Secure ACS documentation for details). For example,
you may have already enabled machine authentication for Cisco Secure ACS using
Windows Active Directory, which you can configure to automatically produce an end
user client certificate when a new computer is added in Active Directory. For
instructions, see Microsoft Knowledge Base Article 313407, HOW TO: Create
Automatic Certificate Requests with Group Policy in Windows.
For users of networks that have their own Certificate Authority (CA) server, but
whose end user clients do not yet have certificates, OfficeScan provides a mechanism
to distribute a root certificate to OfficeScan clients. Distribute the certificate during
CTA setup (which is done during OfficeScan installation) or from the OfficeScan
Web Console. OfficeScan distributes the certificate when it deploys the Cisco Trust
Agent to clients (see Deploying the Cisco Trust Agent on page B-7).
Note: If you have already acquired a certificate from a Certificate Authority or produced
your own certificate and distributed it to end user clients, it is not necessary to do so
again.
Before distributing the certificate to clients, enroll the ACS server with the CA
server, and prepare the certificate (see Enrolling the Cisco Secure ACS server on page
B-3).
Policy Server System Requirements
The following are minimum requirements to install the Policy Server and the Cisco
Trust Agent (CTA).
Operating System
• Microsoft™ Windows™ NT series (Service Pack 6a)
• Windows 2000 Series (Service Pack 2)
• Windows XP (Professional Edition only, Service Pack 1)
• Windows Server 2003
Hardware
• 300MHz Intel Pentium™ II processor or equivalent
• 128MB of RAM
• 300MB of disk space
• Monitor that supports 800 x 600 resolution at 256 colors or higher
• Microsoft Internet Explorer 5.5 or later
Web Server
• Microsoft Internet Information Server (IIS)
• on Windows NT: version 4.0
• on Windows 2000: version 5.0
• on Windows XP: version 5.1
• on Windows Server 2003: version 6.0
• Apache Web server 2.0 or later (for Windows 2000/XP/Server 2003 only)
Minimum System Requirements for the Web Console
To use the OfficeScan server management (Web) console, the following are required:
• Hardware:
• 133MHz Intel Pentium processor or equivalent
• 128MB of free RAM
• 30MB of free disk space
• Monitor that supports 800 x 600 resolution at 256 colors or higher
• Software:
• Microsoft Internet Explorer 5.5 or later
Cisco Trust Agent (CTA) Requirements
The Cisco Trust Agent can be installed only on clients running Windows
NT/2000/XP. CTA version 2.0 can also be installed on clients running Windows
Server 2003.
CTA on Windows NT/2000
• 150MHz Intel Pentium processor or equivalent
• Microsoft Windows NT 4.0 with SP6a or later, Windows 2000 Server/Advanced
Server with SP2 or later, Windows 2000 Pro with SP 2 or later
• Windows Installer 2.0
• 128MB of RAM
• 80MB of available hard disk space
CTA on Windows XP/Windows Server 2003
• 300MHz Intel Pentium processor or equivalent
• Microsoft Windows XP Home or Professional Edition with SP1
• 256MB of RAM
• 80MB of available hard disk space
Accepted Cisco Device Models
See the Cisco NAC website for a list of acceptable device models:
www.cisco.com/go/nac.
Appendix B
Deploying Policy Server for Cisco NAC
This appendix describes how to install and configure the Policy Server for Cisco
Network Admission Control (NAC). It also includes information on deploying the
Cisco Trust Agent (CTA) and creating and deploying digital certificates used
between the various Cisco NAC components. Before reading this appendix,
familiarize yourself with Appendix A: Policy Server for Cisco™ NAC Primer.
Topics in this appendix include:
• Policy Server for NAC Deployment Overview on page B-2
• Enrolling the Cisco Secure ACS server on page B-3
• Exporting and Installing the CA Certificate on page B-3
• Preparing the Policy Server SSL Certificate on page B-5
• Deploying the Cisco Trust Agent on page B-7
• Installing the Policy Server for Cisco NAC on page B-10
• Configuring the ACS Server on page B-12
• Configuring the Policy Server for Cisco NAC on page B-13
Note: This appendix includes basic instructions to set up and configure Policy Server for
Cisco NAC. For more information about configuring and administering Cisco Secure
ACS servers and other Cisco products, refer to the most recent Cisco documentation
available at the following Web site:
http://www.cisco.com/univercd/home/home.htm
Policy Server for NAC Deployment Overview
Follow the procedure below to deploy the Policy Server for Cisco NAC:
1. Install the OfficeScan server – install the OfficeScan server on the network (see
the Installation and Deployment Guide).
2. Install OfficeScan clients – install the OfficeScan client program on all clients
whose antivirus protection you want Policy Server to evaluate (see the
Installation and Deployment Guide).
3. Enroll the Cisco Secure ACS server – establish a trusted relationship between
the ACS server and a Certificate Authority (CA) server by having the ACS server
issue a certificate signing request. Then save the CA-signed certificate (called the
ACS certificate) on the ACS server (see Enrolling the Cisco Secure ACS server
on page B-3).
4. Export and install a CA certificate – export the CA certificate to the ACS
server and store a copy on the OfficeScan server. This step is only necessary if
you have not deployed a certificate to clients and the ACS server (see Exporting
and Installing the CA Certificate on page B-3).
5. Deploy the Cisco Trust Agent and CA certificate – deploy the Cisco Trust
Agent and the CA certificate to all OfficeScan clients so clients can submit
security posture information to the Policy server (see Deploying the Cisco Trust
Agent on page B-7).
6. Install the Policy Server for Cisco NAC – install the Policy Server for Cisco
NAC to handle requests from the ACS server (see Installing the Policy Server for
Cisco NAC on page B-10).
7. Export an SSL certificate from the Policy Server – export an SSL certificate
from the Policy Server to the Cisco ACS server to establish secure SSL
communications between the two servers (see Installing the Policy Server for
Cisco NAC on page B-10).
8. Configure the ACS server – configure the ACS server to forward posture
validation requests to the Policy Server (see Configuring the ACS Server on page
B-12).
9. Configure the Policy Server for NAC – create and modify Policy Server rules
and policies to enforce your organization’s security strategy for OfficeScan
clients (see Configuring the Policy Server for Cisco NAC on page B-13).
Note: The following procedures are for reference only and may be subject to change
depending on updates to the Microsoft or Cisco interfaces.
Before performing any of the tasks in this appendix, verify that the Network Access
Device(s) on your network are able to support Cisco NAC (see Accepted Cisco
Device Models on page A-18). See the device documentation for set up and
configuration instructions. Also, install the ACS server on your network. See your
Cisco Secure ACS documentation for instructions.
Enrolling the Cisco Secure ACS server
Enroll the Cisco Secure ACS server with the Certificate Authority (CA) server to
establish a trust relationship between the two servers. The following procedure is
intended for users running a Windows Certification Authority server to manage
certificates on the network. Refer to your vendor documentation if using another CA
application or service and refer to your ACS server documentation for instructions on
how to enroll a certificate.
Exporting and Installing the CA Certificate
The OfficeScan client authenticates with the ACS server before it sends security
posture data. The CA certificate is necessary for this authentication to take place.
First, export the CA certificate from the CA server to both the ACS server and the
OfficeScan server. Later, when you create the CTA agent deployment package, the
CA certificate is included (see Understanding the CA Certificate on page A-16 and
Deploying the Cisco Trust Agent on page B-7).
Perform the following to export and install the CA certificate:
• Export the CA certificate from the Certificate Authority server
• Install it on the Cisco Secure ACS server
• Store a copy on the OfficeScan server
Note: The following procedure is intended for users running a Windows Certification
Authority server to manage certificates on the network. Refer to your vendor
documentation if you are using another Certification Authority application or service.
To export and install the CA certificate for distribution:
1. Export the certificate from the Certification Authority (CA) server:
a. On the CA server, click Start > Run. The Run screen opens.
b. Type mmc in the Open box. A new management console screen opens.
c. Click File > Add/Remove Snap-in. The Add/Remove Snap-in screen
appears.
d. Click Certificates and click Add. The Certificates snap-in screen opens.
e. Click Computer Account and click Next >. The Select Computer screen
opens.
f. Click Local Computer and click Finish.
g. Click Close to close the Add Standalone Snap-in screen.
h. Click OK to close the Add/remove Snap-in screen.
i. In the tree view of the console, click Certificates > Trusted Root >
Certificates.
j. Select the certificate to distribute to clients and the ACS server from the list.
k. Click Action > All Tasks > Export... The Certificate Export Wizard opens.
l. Click Next > .
m. Click DER encoded binary X.509 and click Next >.
n. Enter a file name and browse to a directory to which to export the certificate.
o. Click Next >.
p. Click Finish. A confirmation window displays.
q. Click OK.
2. Install the certificate on Cisco Secure ACS.
a. Click System Configuration > ACS Certificate Setup > ACS Certification
Authority Setup.
b. Type the full path and file name of the certificate in the CA certificate file
field.
c. Click Submit. Cisco Secure ACS prompts you to restart the service.
d. Click System Configuration > Service Control.
e. Click Restart. Cisco Secure ACS restarts.
f. Click System Configuration > ACS Certificate Management > Edit
Certificate Trust List. The Edit Certificate Trust List screen appears.
g. Select the check box that corresponds to the certificate that you imported in
step b. and click Submit. Cisco Secure ACS prompts you to restart the
service.
h. Click System Configuration > Service Control.
i. Click Restart. Cisco Secure ACS restarts.
3. Copy the certificate (.CER file) to the machine where OfficeScan server is
installed so you can deploy it to the client with the CTA (see Deploying the Cisco
Trust Agent on page B-7 for more information).
Note: Store the certificate on a local drive; mapped drives are not acceptable.
Preparing the Policy Server SSL Certificate
To establish a secure SSL connection between the ACS server and the Policy Server,
prepare a certificate especially for use with SSL. The Policy Server setup program
automatically generates the SSL certificate.
To prepare the Policy Server SSL certificate for distribution:
1. Export the certificate from the Certification Store on mmc:
• If the Policy server is running on IIS:
a. On the Policy Server, click Start > Run. The Run screen opens.
b. Type mmc in the Open box. A new management console screen opens.
c. Click Console > Add/Remove Snap-in. The Add/Remove Snap-in screen
appears.
d. Click Add. The Add Standalone Snap-ins screen appears.
e. Click Certificates and click Add. The Certificates snap-in screen opens.
f. Click Computer Account and click Next >. The Select Computer screen
opens.
g. Click Local Computer and click Finish.
h. Click Close to close the Add Standalone Snap-in screen.
i. Click OK to close the Add/remove Snap-in screen.
j. In the tree view of the console, click Certificates (Local Computer) >
Trusted Root Certification Authorities > Certificates.
k. Select the certificate from the list.
Note: Check the certificate thumbprint by double-clicking the certificate and selecting
Properties. The thumbprint should be the same as the thumbprint for the
certificate located in the IIS console.
To verify this, open the IIS console and right click either virtual Web site or
default Web site (depending on the Web site on which you installed Policy
Server) and then select Properties. Click Directory Security and then click
View Certificate to view the certificate details, including the thumbprint.
l. Click Action > All Tasks > Export... The Certificate Export Wizard opens.
m. Click Next >.
n. Click DER encoded binary X.509 or Base 64 encoded X.509 and click
Next >.
o. Enter a file name and browse to a directory to which to export the certificate.
p. Click Next >.
q. Click Finish. A confirmation window displays.
r. Click OK.
• If the Policy server is running on Apache 2.0:
a. Obtain the certificate file server.cert. The location of the file depends on
which server, the OfficeScan server or the Policy Server, you installed first:
• If you installed OfficeScan server before installing Policy Server, the file
is located in the following directory:
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Private\certificate
• If you installed Policy Server before installing OfficeScan server, the file
is located in the following directory:
C:\Program Files\Trend Micro\OfficeScan\PolicyServer\Private\certificate
b. Copy the certificate file to the ACS server.
2. Install the certificate on Cisco Secure ACS.
a. On the ACS Web console, click System Configuration > ACS Certificate
Setup > ACS Certification Authority Setup.
b. Type the full path and file name of the certificate in the CA certificate file
field.
c. Click Submit. Cisco Secure ACS prompts you to restart the service.
d. Click System Configuration > Service Control.
e. Click Restart. Cisco Secure ACS restarts.
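The note in step 1 above asks you to compare the thumbprint of the certificate you export with the thumbprint shown in the IIS console, and the export wizard lets you choose either DER or Base 64 encoding. The following is an added example, not code from the guide or from Trend Micro, showing how the thumbprint Windows displays (SHA-1 over the DER bytes) can be recomputed from an exported file in either encoding and compared against the value copied from a console, ignoring the spaces or colons consoles insert between hex pairs. The certificate bytes below are a constructed stand-in that merely starts with the DER SEQUENCE tag; they are not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate, just bytes that begin with the
# DER SEQUENCE tag (0x30) so the format detection below has something to work on.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00\x01\x02\x03\x04\x05"


def pem_armor(der: bytes) -> bytes:
    """Wrap DER bytes in the armor that the wizard's 'Base 64 encoded X.509'
    option produces (the DER option writes the raw bytes instead)."""
    body = base64.encodebytes(der)  # inserts a newline every 76 characters
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


SAMPLE_PEM = pem_armor(SAMPLE_DER)

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def certificate_der(data: bytes) -> bytes:
    """Return the DER encoding whether the file was exported as DER or Base 64."""
    match = _PEM_BLOCK.search(data)
    if match:
        return base64.b64decode(re.sub(rb"\s+", b"", match.group(1)))
    if data[:1] != b"\x30":
        raise ValueError("input is neither a DER SEQUENCE nor a PEM certificate block")
    return data


def thumbprint(data: bytes) -> str:
    """SHA-1 over the DER bytes: the value Windows lists as 'Thumbprint'."""
    return hashlib.sha1(certificate_der(data)).hexdigest().upper()


def normalize_thumbprint(shown: str) -> str:
    """Strip the spaces or colons a console inserts between hex pairs."""
    return re.sub(r"[^0-9A-Fa-f]", "", shown).upper()


def thumbprints_match(file_data: bytes, shown: str) -> bool:
    """True when the exported file and the console value name the same certificate."""
    return thumbprint(file_data) == normalize_thumbprint(shown)


if __name__ == "__main__":
    tp = thumbprint(SAMPLE_DER)
    # The same certificate exported twice, once per encoding, must agree.
    print("DER thumbprint :", tp)
    print("PEM thumbprint :", thumbprint(SAMPLE_PEM))
    console_value = " ".join(tp[i:i + 2] for i in range(0, 40, 2)).lower()
    print("console match  :", thumbprints_match(SAMPLE_PEM, console_value))
```

Read the exported .CER file in binary mode and pass its contents to thumbprints_match together with the thumbprint copied from the certificate's Properties dialog; a mismatch means you selected a different certificate in the console tree than the one bound to the Policy Server Web site.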
Deploying the Cisco Trust Agent
The Cisco Trust Agent (CTA) enables communication between OfficeScan clients
and Network Access Devices that support Cisco NAC. After installing and deploying
the OfficeScan server and OfficeScan clients, deploy the CTA to OfficeScan clients
from the Web console. The CTA deployment package includes the CA certificate you
saved on the OfficeScan server (see Exporting and Installing the CA Certificate on
page B-3).
Note: Install Windows Installer 2.0 for NT 4.0 on clients before deploying the agent.
To deploy CTA to clients from the OfficeScan Web Console:
1. Open the OfficeScan server Web console.
2. Do one of the following:
• If you already distributed certificates to clients, go to Step 3
• If you haven’t yet distributed certificates to clients, do the following:
i. Click Client Certificate. The Import Client Certificate screen appears.
ii. Type the full path and file name of the prepared CA certificate stored on
the server. For instructions on preparing a CA certificate, see Exporting
and Installing the CA Certificate on page B-3.
iii. Click Import. The certificate information appears.
Note: If you did not accept the terms of the Cisco License Agreement during
installation of the OfficeScan server, you cannot deploy the agent. When you
click Agent Deployment, the license information appears again. Read the
license agreement and click Yes to agree to the terms.
3. Click Agent Deployment in the menu. The client tree appears.
4. Select the clients or domains to which to deploy the CTA and click Agent
Deployment in the sidebar. The Agent Install/Uninstall screen appears.
5. Click Install/Upgrade Cisco Trust Agent and then click Save. The Set Install
CTA page appears.
6. Click Close.
Note: If the client to which you deploy the agent is not online when you click Install
Cisco Trust Agent, OfficeScan automatically fulfills the deployment request
when the client comes online.
If you already prepared a CA certificate before installing the OfficeScan server, the
option exists to deploy the CTA agent during OfficeScan server installation with the
master installer.
To deploy the CTA to clients using the OfficeScan server master installer:
1. During OfficeScan server installation, the Components Selection screen of the
OfficeScan server master installer displays. For instructions on using the
OfficeScan server master installer, refer to the Installation and Deployment
Guide.
2. Select the Enable Agent Deployment for Cisco NAC check box.
3. Do one of the following:
• If you have already distributed certificates to Cisco Secure NAC end user
clients, click Next >.
• If you need to distribute certificates to clients:
i. Click Import Certificate. A file browser appears.
ii. Select the prepared certificate file from the file browser and click OK. For
instructions on preparing a certificate file, refer to Exporting and
Installing the CA Certificate on page B-3.
iii. Click Next >.
4. Continue with OfficeScan server master installation.
Upgrading and Deploying Cisco Trust Agent 2.0
If your Cisco NAC Access Control Server (ACS) is version 4.0 or later, you must
upgrade the Cisco Trust Agent to version 2.0. Once you upgrade the agent, you
cannot roll back to the previous version.
To upgrade the agent:
1. On the sidebar, click Cisco NAC.
2. Click Agent Upgrade.
3. Click Upgrade. The OfficeScan server upgrades the agent to version 2.0 on the
server.
4. On the sidebar, click Agent Deployment.
5. Click Install/upgrade Cisco Trust Agent to manually deploy the agent to your
OfficeScan clients.
6. Click Save to save the settings without deploying the agent or click Apply to All
to deploy the agent.
Verifying Cisco Trust Agent Installation
After deploying the CTA to clients, verify successful installation by viewing the
client tree. The client tree contains a column titled CTA Program, which is visible in
the Update, View All, or Antivirus views. Successful CTA installations contain a
version number for the CTA program.
You can also verify that the process CTAD.EXE is running on the client machine.
Installing the Policy Server for Cisco NAC
There are two ways to install Policy Server:
• The Policy Server installer located on the Enterprise CD
• The OfficeScan server master installer (this installs both OfficeScan server and the
Policy Server on the same machine)
Note: The master installer installs both the OfficeScan server and Policy Server Web console
on a Web server you specify: IIS or Apache. If the installer does not find an Apache
server on the system, or if an existing Apache server installation is not version 2.0 or
above, the installer automatically installs Apache version 2.0.
The ACS server, Policy Server, and OfficeScan server must be on the same network
segment to ensure effective communication.
WARNING! Before installing the Apache Web server, refer to the Apache Web site for the
latest information on upgrades, patches, and security issues: www.apache.org.
To install Policy Server for Cisco NAC using the Policy Server installer:
1. Log on to the machine on which you will install Policy Server for Cisco NAC.
2. Locate the Policy Server for Cisco NAC installer package on the Enterprise CD.
3. Double-click setup.exe to run the installer package.
4. Follow the installation instructions.
It is also possible to install the Policy Server to the same machine as the OfficeScan
server.
To install Policy Server for Cisco NAC from the OfficeScan server master
installer:
1. During OfficeScan server installation, the Components Selection screen of the
OfficeScan server master installer displays. For instructions on using the
OfficeScan server master installer, refer to the Installation and Deployment
Guide and the installer help.
2. Select the Install Policy Server for Cisco NAC check box.
3. Click Next>.
4. Continue with OfficeScan server master installation.
5. When the Welcome screen for Trend Micro Policy Server for Cisco NAC
appears, click Next>. The Policy Server for Cisco NAC License Agreement
screen appears.
6. Read the agreement and click Yes to continue. The Choose Destination
Location screen appears.
7. Modify the default destination location if necessary by clicking Browse... and
selecting a new destination for the Policy Server installation.
8. Click Next>. The Web Server screen appears.
9. Choose the Web server for the Policy Server:
• IIS server: click to install on an existing IIS Web server installation
• Apache 2.0 server: click to install on an Apache 2.0 Web server
10. Click Next>. The Web Server Configuration screen appears.
11. Configure the following information:
• If you selected to install Policy Server on an IIS server, select one of the
following:
• IIS default Web site: click to install as an IIS default Web site
• IIS virtual Web site: click to install as an IIS virtual Web site
• Next to Port, type a port that will serve as the server listening port.
Note: When the Policy Server and OfficeScan server are installed on the same machine
and Web server, the port numbers are as follows:
• Apache Web server, or IIS Web server on the default Web site: Policy Server and
OfficeScan server share the same port
• Both on IIS Web server on a virtual Web site: the Policy Server default listening
port is 8081 and the SSL port is 4344; the OfficeScan server default listening
port is 8080 and the SSL port is 4343
• If you selected to install Policy Server on an IIS server, you also have the
option of enabling Secured Socket Layer (SSL) security. Select the Enable
SSL check box. Type the number of years to keep the SSL certificate valid (the
default is 3 years) and type an SSL port number. If you enable SSL, this port
number will serve as the server’s listening port. The Policy Server’s address
will be as follows:
http://{PolicyServer_Server_Name}:{port number}, or
https://{PolicyServer_Server_Name}:{port number} if you enable SSL
12. Click Next. The Setup Complete screen appears.
13. You have completed installing Policy Server. Click Finish.
The OfficeScan server master installer will continue.
Note: If upgrading from a previous version of OfficeScan, the master installer upgrades to
OfficeScan 7 and also installs Policy Server (if you specify to install it).
Configuring the ACS Server
To allow Cisco Secure ACS to pass authentication requests to the Policy Server for
Cisco NAC, add the Policy Server for Cisco NAC in External Policies for the
external user database to use for authentication. See your ACS server documentation
for instructions on how to add the policy server in a new external policy.
Note: You can configure the ACS server to perform functions such as blocking client access
to the network. These ACS functions are beyond the scope of the Trend Micro Policy
Server for Cisco NAC implementation and are not in this document. See your ACS
documentation for details on configuring other ACS functions.
Configuring the Policy Server for Cisco NAC
After installing OfficeScan and the Policy Server, and deploying both the OfficeScan
client and the Cisco Trust Agent, configure the Policy Server for Cisco NAC. To
configure a Policy Server, access the Policy Server Web console from the Policy
Servers menu item in the OfficeScan Web console.
This section describes the following aspects of Policy Server configuration:
• Adding and Removing Policy Servers starting on page B-13 describes how to
manage Policy Servers on the OfficeScan Web console
• Viewing Summary Information for a Policy Server starting on page B-14 shows
you how to get an overview of Policy Servers on your network
• Adding or Editing OfficeScan Servers starting on page B-16 is the first step in
configuring Policy Servers
• Configuring Rules starting on page B-16 shows you how to create and edit rules
that comprise policies
• Configuring Policies starting on page B-16 shows you how to create and edit
policies that ultimately determine how Policy Server measures client security
posture
• Using the Client Validation Logs starting on page B-17 gives an overview of how
to use logs to understand the security posture status of clients on your network
• Performing Administrative Tasks starting on page B-17 describes how to change
the Policy Server password and set a schedule for synchronization
Adding and Removing Policy Servers
The first step in configuring Policy Servers is adding the installed Policy Servers to
the OfficeScan server. This allows you to open the Policy Server Web console from
the OfficeScan Web console. The Policy Servers screen shows all the Policy Servers
currently installed on your network. Add or delete Policy Servers from this screen.
To add a Policy Server:
1. On the sidebar of the OfficeScan Web console, click Cisco NAC > Policy
Servers. The Policy Servers screen appears displaying a list of all Policy
Servers.
2. Click Add. The Policy Server screen displays.
3. Type the full Policy Server address and port number the server uses for HTTPS
communication (for example: https://policy-server:4343/). Also type
an optional description for the server.
4. Type a password to use when logging in to the Policy Server management
console and confirm the password.
5. Click Add.
To delete a Policy Server:
1. On the sidebar of the OfficeScan Web console, click Cisco NAC > Policy
Servers. The Policy Servers screen appears displaying a list of all Policy
Servers.
2. Select the check box next to the Policy Server to delete.
3. Click Delete.
Note: To validate all clients on your network, add all OfficeScan servers to at least one
Policy Server.
Viewing Summary Information for a Policy Server
The Summary screen contains information about the Policy Server including
configuration settings for policies and rules, client validation logs, and OfficeScan
servers registered with a Policy Server.
The IP address and port number of the Policy Server for Cisco NAC appears at the
top of the Summary screen.
The Configuration Summary table displays the number of OfficeScan servers
registered with the Policy Server, the Policy Server policies, and the rules that
compose the policies.
To view and modify Configuration Summary details for a Policy Server:
1. On the sidebar of the OfficeScan Web console, click Cisco NAC > Policy
Servers. The Policy Servers screen appears displaying a list of all Policy
Servers.
2. Click the server name of the Policy Server whose details you want to view. The
Summary screen appears showing the Configuration Summary table.
3. Click the link next to the item whose configuration settings you want to view:
• Registered OfficeScan server(s): the OfficeScan servers currently on the
network
• Policies: the Policy Server policies that registered OfficeScan servers can use
• Rule(s): the Policy Server rules that comprise policies
If you want multiple Policy Servers on your network to have the same settings,
including the same rules and policies, export settings from one server and import
them into the others.
Tip: Trend Micro recommends configuring the same settings on all Policy Servers on your
network to maintain a consistent antivirus policy.
To synchronize the Policy Server with registered OfficeScan servers:
Click Synchronize with OfficeScan. The Summary - Synchronization Results
screen appears showing the following read-only information:
• OfficeScan server name: the host name or IP address of the registered OfficeScan
servers
• Synchronization Result: if the synchronization was successful
• Last Synchronized: the date of the last successful synchronization
For more information on synchronization, see Understanding Synchronization on
page A-14.
Adding or Editing OfficeScan Servers
Register the Policy Server with at least one OfficeScan server so the Policy Server
can obtain virus pattern file and scan engine version information (see Figure A-2 for
information on the role the OfficeScan server performs in the validation process).
Note: For Policy Server to validate all clients on your network, add all OfficeScan servers to
at least one Policy Server.
Add a new OfficeScan server or edit the settings of an existing one on the
OfficeScan servers screen.
To access the Web console screens for Cisco ACS Policy Servers, click Cisco NAC >
Policy Servers on the sidebar. Click the help icon on any screen for specific
configuration instructions.
Configuring Rules
Rules are the building blocks of policies and comprise policies. Configure rules as
the next step in Policy Server configuration (see Rule Composition on page A-9 for
detailed information on rules).
To access the Web console screens for Cisco ACS rules, click Cisco NAC > Policy
Servers > {policy server name} > Configurations > Rules on the sidebar. Click the
help icon on any screen for specific configuration instructions.
Configuring Policies
After configuring new rules or ensuring that the default rules are suitable for your
security enforcement needs, configure policies that registered OfficeScan servers
can use (see Policy Composition on page A-12 for detailed information on policies).
Adding or Editing a Policy
Add a new Cisco NAC policy or edit an existing policy to determine which rules are
enforced and to take action on clients in the event that client security posture does not
match any rules.
To access the Web console screens for Cisco ACS policies, click Cisco NAC >
Policy Servers > {policy server name} > Configurations > Policies on the sidebar.
Click the help icon on any screen for specific configuration instructions.
Using the Client Validation Logs
Use the client validation logs to view detailed information about clients when they
validate with the Policy Server. Validation occurs when the ACS server retrieves
client security posture data and sends it to the Policy Server, which compares the data
to policies and rules (see The Client Validation Sequence on page A-6).
Note: To be able to view client validation logs, enable Policy Server to log client validations
when adding or editing a new rule/policy by selecting the check box under
Server-side actions (see Configuring Rules on page B-16 and Adding or
Editing a Policy on page B-16).
To access the Web console screens for Cisco ACS logs, click Cisco NAC > Policy
Servers > {policy server name} > Logs on the sidebar. Click the help icon on
any screen for more information.
Configuring Client Log Maintenance
The Policy Server archives client validation logs when they reach a size you specify.
Policy Server deletes archived client validation logs after a specified number
accumulates. Specify the way that the Policy Server maintains client validation logs.
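The two settings described above, a size threshold that triggers archiving and a count of archives after which the oldest is deleted, are easy to get subtly wrong (for example, deleting before archiving, or never deleting). The following is an added example, not the Policy Server's own code, that models the behaviour in memory so the interaction of the two settings can be checked; the entry format and the numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class ClientValidationLog:
    """Size-triggered archiving with a cap on retained archives.

    Assumed semantics for this example: once the active log reaches
    archive_at_bytes it is moved whole into the archive list, and whenever
    more than max_archives archives exist the oldest one is deleted.
    """
    archive_at_bytes: int
    max_archives: int
    active: list = field(default_factory=list)     # entries not yet archived
    archives: list = field(default_factory=list)   # oldest archive first
    deleted_archives: int = 0                      # how many archives were purged

    def active_size(self) -> int:
        return sum(len(entry) for entry in self.active)

    def append(self, entry: bytes) -> None:
        """Record one validation entry, archiving when the threshold is reached."""
        self.active.append(entry)
        if self.active_size() >= self.archive_at_bytes:
            self._archive()

    def _archive(self) -> None:
        self.archives.append(self.active)
        self.active = []
        # Purge oldest archives beyond the retention count, never the active log.
        while len(self.archives) > self.max_archives:
            self.archives.pop(0)
            self.deleted_archives += 1


def format_entry(client: str, outcome: str, when: datetime) -> bytes:
    """Constructed line layout for the example; the real log format is not shown here."""
    return ("%s %s %s\n" % (when.isoformat(), client, outcome)).encode()


def demo() -> ClientValidationLog:
    """Feed constructed entries through a small threshold to show both settings acting."""
    log = ClientValidationLog(archive_at_bytes=120, max_archives=2)
    when = datetime(2006, 2, 1, 9, 0, 0)   # constructed timestamp
    for i in range(10):
        outcome = "current" if i % 3 else "outdated"
        log.append(format_entry("desktop-%02d" % i, outcome, when))
    return log


if __name__ == "__main__":
    log = demo()
    print("active entries :", len(log.active))
    print("archives kept  :", len(log.archives))
    print("archives purged:", log.deleted_archives)
```

With a small threshold and a retention count of two, the demo shows the oldest archive being purged only after a third archive is created, so the number of retained archives never exceeds the configured count and the active log is never deleted.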
Performing Administrative Tasks
Perform the following administrative tasks on the Policy Server:
• Change password – change the password configured when adding the Policy
Server (see Adding and Removing Policy Servers on page B-13)
• Configure a synchronization schedule – the Policy Server needs to
periodically obtain the version of the virus pattern file and scan engine on the
OfficeScan server to evaluate OfficeScan client security posture. Therefore,
you cannot enable or disable scheduled synchronization. By default, the
Policy Server synchronizes with the OfficeScan server(s) every five minutes
(see Understanding Synchronization on page A-14 for more information).
Note: You can manually synchronize the Policy Server at any time on the Summary
screen (see Viewing Summary Information for a Policy Server on page
B-14).
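The synchronization schedule matters because the Policy Server compares each client's reported pattern file and scan engine versions against the versions it last obtained from the OfficeScan server; if that snapshot is older than the schedule interval, the comparison is against stale data. The following is an added example, not the Policy Server's own logic, that models this check with a five-minute interval. The dotted version strings, the "current / outdated / unknown" outcomes, and the client names are assumptions made for the example, not the product's rule semantics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default synchronization schedule stated in the guide: every five minutes.
SYNC_INTERVAL = timedelta(minutes=5)


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as "3.200.00" into a comparable tuple.
    The dotted layout is an assumption for this example."""
    return tuple(int(part) for part in text.split("."))


def fmt(version: tuple) -> str:
    return ".".join(str(part) for part in version)


@dataclass
class ServerSnapshot:
    """Versions the Policy Server learned from an OfficeScan server at its last sync."""
    pattern: tuple
    engine: tuple
    synced_at: datetime


@dataclass
class ClientPosture:
    """Versions reported for one client (constructed sample data)."""
    name: str
    pattern: tuple
    engine: tuple


def evaluate_posture(client: ClientPosture, snapshot: ServerSnapshot, now: datetime):
    """Return (outcome, reasons).

    Assumed semantics: "current" when the client's pattern and engine are at
    least the server's versions, "outdated" otherwise. If the snapshot is older
    than SYNC_INTERVAL the reference data may itself be behind, so the result
    is "unknown" and a manual synchronization should be run before deciding.
    """
    reasons = []
    if now - snapshot.synced_at > SYNC_INTERVAL:
        reasons.append("server versions stale, last sync %s" % snapshot.synced_at.isoformat())
        return "unknown", reasons
    if client.pattern < snapshot.pattern:
        reasons.append("pattern %s older than server %s" % (fmt(client.pattern), fmt(snapshot.pattern)))
    if client.engine < snapshot.engine:
        reasons.append("engine %s older than server %s" % (fmt(client.engine), fmt(snapshot.engine)))
    return ("outdated" if reasons else "current"), reasons


def check(client_pattern: str, client_engine: str, server_pattern: str,
          server_engine: str, minutes_since_sync: int) -> str:
    """Convenience wrapper: build the objects from strings and return the outcome."""
    now = datetime(2006, 2, 1, 12, 0, 0)   # constructed reference time
    snapshot = ServerSnapshot(parse_version(server_pattern), parse_version(server_engine),
                              now - timedelta(minutes=minutes_since_sync))
    client = ClientPosture("client", parse_version(client_pattern), parse_version(client_engine))
    return evaluate_posture(client, snapshot, now)[0]


def demo() -> dict:
    """Three constructed clients against the same server snapshot."""
    return {
        "desktop-01": check("3.200.00", "8.300.1001", "3.200.00", "8.300.1001", 1),
        "desktop-02": check("3.199.00", "8.300.1001", "3.200.00", "8.300.1001", 1),
        "laptop-03": check("3.200.00", "8.300.1001", "3.200.00", "8.300.1001", 6),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The "unknown" branch is the point of the example: a client that looks current against a stale snapshot has not really been validated, and the manual synchronization offered on the Summary screen is the way to refresh the reference versions before trusting the result.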
To access the Web console screens for Cisco ACS administration tasks, click Cisco
NAC > Policy Servers > {policy server name} > Administration on the sidebar.
Click the help icon on any screen for more information.
Appendix C
Using Control Manager™ with
OfficeScan
This appendix introduces Trend Micro Control Manager and describes how it can
help simplify the administration of Trend Micro antivirus and content security
solutions in your organization. It also provides instructions on how to install the
agent for OfficeScan and how to access the OfficeScan server from the Control
Manager management console.
The topics in this appendix include:
• Introducing Control Manager on page C-2
• What You Can do with Control Manager and OfficeScan on page C-2
• What is a Control Manager Agent? on page C-3
• Requirements for Installing the Agent on page C-3
• Obtaining the Public Encryption Key on page C-4
• Installing the Control Manager Agent on page C-4
• Removing the Agent on page C-6
Introducing Control Manager
Trend Micro Control Manager™ is a central management console that manages
Trend Micro products and services, third-party antivirus and content security
products at the gateway, mail server, file server, and corporate desktop levels. The
Control Manager Web-based management console provides a single monitoring point
for antivirus and content security products and services throughout the network.
Control Manager allows system administrators to monitor and report on activities
such as infections, security violations, or virus entry points. System administrators
can download and deploy update components throughout the network, helping ensure
that protection is consistent and up-to-date. Update components include virus pattern
files, scan engines, and anti-spam rules. Control Manager allows both manual and
pre-scheduled updates. Control Manager allows the configuration and administration
of products as groups or as individuals for added flexibility.
What You Can do with Control Manager and
OfficeScan
Control Manager builds on the centralized management concept Trend Micro
pioneered with Trend Virus Control System (Trend VCS). If you are currently
running Trend VCS, you can purchase an upgrade to obtain all the new benefits of
Control Manager. For more information on upgrading your management server from
Trend VCS to Control Manager, see the Control Manager Getting Started Guide.
Using Control Manager, you can accomplish the following:
• Configure, monitor, and maintain most Trend Micro software, including
OfficeScan, from a single console, regardless of location or platform
• Simplify the implementation of your organization’s antivirus security policies
• Delegate tasks and determine access control based on a hierarchical structure. You
can assign different operators separate access to individual branches of the
hierarchy
• Respond to outbreaks quickly using Outbreak Prevention Service
What is a Control Manager Agent?
A Control Manager agent is an application installed on a computer with a Trend
Micro product installation. The agent allows Control Manager to manage the
product. It receives commands from the Control Manager server, applies them to the
managed product, and collects logs to send to Control Manager.
Requirements for Installing the Agent
The requirements for installing the agent are the same as those for installing the
OfficeScan server.
Note: You cannot install the Control Manager agent on Microsoft Windows .NET™ Server.
For information on the minimum system requirements for the OfficeScan server, see
the Installation and Deployment Guide.
Required Information for Agent Installation
You will need the following information before deploying the agent:
• The fully qualified domain name (FQDN) or IP address of the Control Manager
server
• Administrator privileges to the server where you want to install the agent
• A Control Manager User ID with Administrator, Power User, or Operator
privileges. It is very important to maintain this account. If the Control Manager
User ID is deleted, the agent will not be able to re-register with the Control
Manager server.
• The location of the public encryption key of the Control Manager server with
which you will register the agents
Obtaining the Public Encryption Key
All products that Control Manager manages are required to have a public encryption
key to register and establish communications with the Control Manager server.
Obtain the public encryption key with the Control Manager management console.
To obtain the public encryption key:
On any computer on the network, open a Web browser and type
http://{Control Manager Server Name}/ControlManager, where
{Control Manager Server Name} is the computer name or IP address of the Control
Manager server. The Welcome screen of the Control Manager management console
appears. See your Control Manager documentation for more information.
Installing the Control Manager Agent
After obtaining the public encryption key and storing it on the OfficeScan server,
install the agent.
The following agent install methods are available:
• The OfficeScan server master installer – install the agent at the same time you
install the OfficeScan server (see the Installation and Deployment Guide)
• The Control Manager Agent setup program – use the remote install tool
available from the Control Manager management console and on the OfficeScan
Standard CD at the following location:
output/CMAgent/ControlMangerAgent Setup.exe
To install the agent:
1. Do one of the following:
• If installing with the OfficeScan master installer, when the Select
Components screen appears, select the Install Control Manager agent
check box. Later, the Control Manager agent installation screen appears.
• If installing the Control Manager agent from the included CD, double click the
Setup.exe file located in the Programs\OfficeScan\cmagent folder.
The installer window appears.
2. Type an existing ID for the Control Manager server. Trend Micro recommends
using the root user ID.
3. Confirm the name of the OfficeScan server in the Entity Name field.
4. Click Next.
If the installer does not detect any Control Manager installation (including
Control Manager server or Control Manager agent) on the computer, the Setup
Message Routing Path screen appears.
If the installer detects a Control Manager installation on the computer, a prompt
appears asking you if you want to reconfigure the settings for the upgrade to the
current version of Control Manager agent.
• Click No to keep the original settings and complete the upgrade.
• Click Yes to modify the settings. The Setup Message Routing Path screen
appears.
Note: When upgrading to the current version of Control Manager agent, you cannot
modify the Control Manager account name associated with the agent. The
installer preserves the account name used with the previous installation.
5. Specify a path for the incoming messages from the Control Manager server:
• Any host – click to have the agent accept incoming messages from any host
on the network.
• IP port forwarding – click if incoming messages from the Control Manager
server pass through a firewall or network device that uses port forwarding and
type the device IP address, the port number the device listens at, and the port
number to which it forwards messages.
• Proxy server – click if incoming messages route through a proxy server and
click Proxy Server Configuration to configure the proxy server settings. The
Proxy Configuration screen appears.
a. Type the name of the proxy server, the port number it uses, and the type of
protocol it supports (HTTP or SOCKS 4/5).
b. If the proxy server requires log on credentials, click the Authentication
required text box and type the user name and password.
c. Click OK to return to the Setup Message Routing Path screen.
d. Specify the route for outgoing messages:
• Route direct to server – click if outgoing messages, which include
commands, route directly to the Control Manager server
• Proxy server – click if outgoing messages route through a proxy server
and click Proxy Server Configuration to configure the proxy server
settings. The Proxy Configuration screen appears.
i. Type the name of the proxy server, the port number it uses, and the type of
protocol it supports (HTTP or SOCKS 4/5).
ii. If the proxy server requires log on credentials, click the Authentication
required text box and type the user name and password.
iii. Click OK to return to the Setup Message Routing Path screen.
6. Click Next. The Register with Control Manager screen appears.
7. Click Import to select the public encryption key E2EPublic.dat you obtained
from the Control Manager server (see Obtaining the Public Encryption Key on
page C-4).
8. Select the public encryption key and click Open. The Control Manager
information appears under Server Information.
9. Click Next. When the installation is complete, a notification message appears.
10. Click OK.
Removing the Agent
You can easily remove the Trend Micro Control Manager agent for OfficeScan using
the Add/Remove Programs function of Windows.
To remove the agent:
1. On the server where the agent is installed, click the Start menu and click
Settings > Control Panel > Add/Remove Programs. The Add/Remove
Programs window appears. Click Trend Micro Control Manager Agent for
OfficeScan, and then click Change/Remove. A confirmation screen appears.
2. Click Yes. Windows removes the agent from the server. When the agent is
completely removed, click OK.
Note: Removing the OfficeScan server automatically removes the Control Manager agent for
OfficeScan.
Appendix D
Configuring OfficeScan with Add-ons and Third-party Software
This appendix describes how to install and use Wireless Protection Manager to help
manage your OfficeScan for Wireless files and Check Point™ SecureClient™ to
verify the security configuration of your clients.
Topics in this appendix include:
• About Wireless Protection Manager on page D-2
• Installing Wireless Protection Manager on page D-3
• Using Wireless Protection Manager on page D-4
• Overview of Check Point Firewall Architecture and Configuration on page D-9
• Configuring Check Point for OfficeScan on page D-11
• Installing SecureClient Support on the OfficeScan Client on page D-12
About Wireless Protection Manager
As personal digital assistants (PDAs) and other handheld computing devices increase
the number of ways for communicating with other devices, the chances of becoming
infected also increase. These days, it is common for PDAs to feature Internet
connectivity.
Note: In this manual, the term "PDA" is used to describe personal digital assistants and other
handheld computing devices.
OfficeScan for Wireless provides portable, easy-to-use virus protection for wireless
devices to defend against potential threats. Malicious code or other threats
specifically designed for portable platforms can enter your Palm, Pocket PC, or
EPOC device during beaming, synchronization, or Internet access.
You need to install Wireless Protection Manager on your desktop or laptop PC to help
manage OfficeScan for Wireless files that are installed, synchronized, or updated on
your PDA device. It also receives information in the form of logs from the PDA
devices.
FIGURE D-1 Relationship between Wireless Protection Manager on your computer and wireless protection on your PDA
Note: Wireless Protection Manager does not provide any virus protection for your desktop or
laptop PC.
PDA System Requirements
Your PDA requires the following to run Trend Micro OfficeScan for Wireless.
Palm
• Palm™ OS 3.x or 4.x
• 2MB of memory
• 100KB of available memory for program installation
• Desktop computer must have Palm Desktop™ 3.1 or above and HotSync™
applications
Pocket PC
• Windows CE 3.0
• 16MB of RAM
• 1MB of available memory for program installation
• Desktop computer must have Microsoft ActiveSync™ 3.1 or above application
EPOC
• Psion Revo™ or Revo™ Plus
• 8MB of RAM
• 200KB of available memory for program installation
• Desktop computer must have PsiWin 2.3.2 application
Installing Wireless Protection Manager
You need to install the following to provide virus protection on your PDA.
• Wireless Protection Manager on your computer
• OfficeScan for Wireless on your PDA
Before you install Wireless Protection Manager, make sure you have already
installed your synchronization software (for example, Palm Desktop) and your PDA
is firmly and correctly seated in its cradle.
To install Wireless Protection Manager:
1. In the system tray, right-click the OfficeScan Client icon, and then click
OfficeScan Main. The OfficeScan client window appears.
2. Under the Toolbox tab, click Install/Upgrade Wireless Protection. A message
box appears. Click Yes to install. The setup wizard appears.
3. Click Next. The License Agreement screen appears.
4. Click I accept the terms in the license agreement, and then click Next. You
must agree to continue installation. The Customer Information screen appears.
5. Make sure the information is correct, and then click Next. The Destination
Folder screen appears. You can choose where to install Wireless Protection
Manager or use the default location. To change the location click Change, and
then browse to the desired location.
6. Click Next. Select the check box of the platform of your PDA, depending on the
synchronization software you have already installed (for example, Palm
Desktop).
7. Click Next, and then click Install.
8. Click Finish.
After you have chosen the synchronization software platform and installed Wireless
Protection Manager on your computer, OfficeScan for Wireless is automatically
installed on your PDA.
Note: For Palm OS-based PDAs, the next time you perform a HotSync, OfficeScan for
Wireless is installed on your PDA. In addition, after installing OfficeScan for
Wireless, you need to manually close and re-open HotSync Manager. Reloading
HotSync Manager is needed to successfully obtain virus logs from Palm OS-based
devices.
Using Wireless Protection Manager
Use Wireless Protection Manager to update your pattern file and scan engine on
PDAs. You can specify the download location to get the update components, set
proxy settings, and synchronize files between the main program and the files on your
PDA.
Updating OfficeScan for Wireless
To protect your PDA against the latest threats, you need to update your scan engine
and virus pattern files. Although all components can be updated, new pattern files are
released on at least a weekly basis. Updating your pattern file provides you with the
most up-to-date protection and lets OfficeScan for Wireless scan for the latest viruses
or other malicious programs.
Trend Micro recommends regular updates to your virus pattern file to maintain a
high level of virus protection.
In addition, as new viruses are discovered and existing ones evolve, it becomes
necessary to update certain program files and add new functionality to the scan
engine. Updating your scan engine ensures OfficeScan for Wireless can act on the
new instructions in the virus pattern to detect and remove viruses.
Updating your wireless protection involves the following steps:
1. Manually downloading the files from either the Trend Micro ActiveUpdate
Server or another specified source
2. Synchronizing the files with your PDA
Downloading Update Components
You need to download the update components from the Trend Micro ActiveUpdate
Server or another specified update source. These components include the virus
pattern file, scan engine, and other program files.
To ensure you have the latest Trend Micro virus protection technology, you need to
keep your files updated.
To download update components:
1. Open Wireless Protection Manager.
2. Click the Manual Update tab.
3. Under Component Download Source, confirm the update source is correct. If
not, do one of the following:
• Click Trend Micro ActiveUpdate Server to download from Trend Micro.
• Click Other source to download from another specified location.
4. Click Update Now.
Enabling and Configuring Proxy Settings
If you use a proxy server on your network, you need to type the IP address and port
number of this proxy server. You may also need to supply the appropriate logon
credentials.
To enable and configure proxy settings:
1. Open Wireless Protection Manager.
2. On the menu bar, click Option > Proxy Settings. The Proxy Settings window
appears.
3. Under Proxy server, select the Use a proxy server... check box.
4. In Host name, type the IP address or name of the proxy server (for example,
proxy.yourcompany.com).
5. In Port, type the port number of the proxy server (for example, 80).
6. In Protocol, click the protocol your proxy server uses (HTTP or SOCKS).
7. Under Authentication, in User name and Password, type your proxy server
logon credentials.
8. Click OK.
Synchronizing with Your PDA
To make sure the latest update components are on your PDA, you need to
synchronize the updated files on your computer with your PDA.
Before manually synchronizing through Wireless Protection Manager, please do the
following:
• Make sure your PDA is firmly and correctly seated in its cradle
• Close any antivirus software running on your PDA
Note: This function currently only works with PDAs running on Pocket PC and EPOC
platforms. For Palm-based PDAs, you need to manually synchronize using the Palm
HotSync function.
To synchronize with your PDA:
1. Open Wireless Protection Manager.
2. Click the Manual Synchronize tab.
3. Click Synchronize.
Working with Logs
All virus events are recorded as log entries. Log entries contain useful information
about virus events that have occurred including the type of virus scan, the date and
time the virus was detected, the file and virus name, and the performed action.
Viewing Logs
If you have detected a virus, view virus logs stored on Wireless Protection Manager
to get more information. Before you view logs, remember to synchronize Wireless
Protection Manager with your PDA to make sure you are viewing the most updated
logs.
To view logs:
1. Open Wireless Protection Manager.
2. Click the Virus Log tab.
3. Under Select log range, select the PDA type check box for the log you want to
view.
4. Do the following:
• To view all logs, in the Log for list select All dates.
• To view logs within a specific date range, in the Log for list select Specified
date range, and choose the date range.
5. Click View Log.
Managing Logs on your PDA
The virus log stores information about viruses detected during previous scans and the
actions taken against them.
To view the log, tap Log on the main screen of your PDA.
The Virus Scan Log screen displays information about detected viruses as well as
the size of the log in bytes. Tap Back to return to the main screen.
To delete the log entries, tap Clear Log. A message box appears to confirm log
deletion. Tap Yes to remove log entries, or No to abort the operation.
Deleting Logs
Delete Wireless Protection Manager log entries if the information they provide is no
longer useful. If the number of logs is taking up too much disk space, you may also
want to delete log entries for certain dates.
To delete logs:
1. Open Wireless Protection Manager.
2. Click the Virus Log tab.
3. Under Delete logs manually, in the Delete logs before list, select a date.
4. Click Delete Log. A confirmation message appears. Click Yes to delete all logs
before and including the date you selected.
Overview of Check Point Firewall Architecture and Configuration
OfficeScan installations can be fully integrated with Check Point SecureClient using
Secure Configuration Verification (SCV) within the Open Platform for Security
(OPSEC) framework. Please familiarize yourself with Check Point SecureClient
OPSEC documentation before reading this section. Documentation for OPSEC can
be found at www.opsec.com.
Check Point SecureClient has the capability to confirm the security configuration of
computers connected to the network using Secure Configuration Verification (SCV)
checks. SCV checks are a set of conditions that define a securely configured client
system. Third-party software can communicate the value of these conditions to
Check Point SecureClient. Check Point SecureClient then compares these conditions
with conditions in the SCV file to determine if the client is considered secure.
SCV checks are regularly performed to ensure that only securely configured systems
are allowed to connect to the network.
SecureClient uses Policy Servers to propagate SCV checks to all clients registered
with the system. The administrator sets the SCV checks on the Policy Servers using
the SCV Editor.
The SCV Editor is a tool provided by Check Point that allows you to modify SCV
files for propagation to client installation. To run the SCV Editor, locate and run the
file SCVeditor.exe on the Policy Server. In the SCV Editor, open the file
local.scv in the folder C:\FW1\NG\Conf (replace C:\FW1 with the installation
path for the Check Point firewall if different from the default).
For specific instructions on opening and modifying an SCV file with the SCV Editor,
see Configuring Check Point for OfficeScan on page D-11.
Integrating with OfficeScan
The OfficeScan client periodically passes the virus pattern file number and scan
engine number to SecureClient for verification. SecureClient then compares these
values with the values in the client's local.scv file. This is what the local.scv
file looks like if you open it in a text editor:
(SCVObject
:SCVNames (
: (OfceSCV
:type (plugin)
:parameters (
:CheckType (OfceVersionCheck)
:LatestPatternVersion (701)
:LatestEngineVersion (7.1)
:PatternCompareOp (">=")
:EngineCompareOp (">=")
)
)
)
:SCVPolicy (
: (OfceSCV)
)
:SCVGlobalParams (
:block_connections_on_unverified (true)
:scv_policy_timeout_hours (24)
)
)
In this example, the SCV check will allow connections through the firewall if the
pattern file version is 701 or later, and the scan engine number is 7.1 or later. If the
scan engine or pattern file is earlier, all connections through the Check Point firewall
will be blocked. These values are modified using the SCV Editor on the local.scv
file on the Policy Server.
Note: Check Point does not automatically update the pattern file and scan engine version
numbers in the SCV file. Whenever OfficeScan updates the scan engine or pattern file,
you need to manually change the value of the conditions in the local.scv file to
keep them current. If you do not update the scan engine and pattern versions, Check
Point will authorize traffic from clients with earlier pattern files or scan engines,
creating a potential for new viruses to infiltrate the system.
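The comparison the text describes can be made concrete. The following is an added example, my own Python rather than code from Trend Micro or Check Point: it reads the local.scv layout shown above (nested parenthesised (key value) pairs), applies the OfceVersionCheck with the configured compare operators to the pattern and engine versions a client reports, and honours block_connections_on_unverified when the check fails. It assumes that version strings compare numerically field by field, which is an assumption about SecureClient's plug-in rather than something the guide states. The stale_thresholds function is the defender's check for the Note above: it reports which thresholds lag behind the versions the OfficeScan server currently deploys, so that out-of-date clients would still pass.

```python
# Added example (not Trend Micro's or Check Point's code): reads the local.scv
# layout shown above and applies the OfceVersionCheck it describes.
import operator
import re

# Constructed copy of the sample local.scv from the appendix; whitespace is not
# significant in this format, so some closing parentheses are folded together.
SAMPLE_SCV = """(SCVObject
:SCVNames (: (OfceSCV :type (plugin)
:parameters (
:CheckType (OfceVersionCheck)
:LatestPatternVersion (701)
:LatestEngineVersion (7.1)
:PatternCompareOp (">=")
:EngineCompareOp (">=")
)))
:SCVPolicy (: (OfceSCV))
:SCVGlobalParams (
:block_connections_on_unverified (true)
:scv_policy_timeout_hours (24)))"""

TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')
OPS = {">=": operator.ge, ">": operator.gt, "==": operator.eq, "<=": operator.le, "<": operator.lt}

def parse(tokens, pos=0):
    """Turn the token stream into nested lists; quoted atoms lose their quotes."""
    node = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "(":
            child, pos = parse(tokens, pos + 1)
            node.append(child)
        elif tok == ")":
            return node, pos + 1
        else:
            node.append(tok.strip('"'))
            pos += 1
    return node, pos

def load(text):
    """Return the contents of the outermost (SCVObject ...) list."""
    return parse(TOKEN.findall(text))[0][0]

def pairs(node):
    """Map ':key (value)' entries to a dict; a bare ':' marks a list member
    (as in SCVNames and SCVPolicy) and is collected under the empty key."""
    out, i = {}, 0
    while i < len(node):
        item = node[i]
        if isinstance(item, str) and item.startswith(":"):
            value = node[i + 1] if i + 1 < len(node) else None
            if item == ":":
                out.setdefault("", []).append(value)
            else:
                out[item[1:]] = value
            i += 2
        else:
            i += 1
    return out

def scalar(value):
    """'(701)' parses as ['701']; unwrap single-atom lists."""
    return value[0] if isinstance(value, list) and len(value) == 1 else value

def version_tuple(text):
    """'7.1' -> (7, 1), '701' -> (701,). Assumes numeric, dot-separated fields."""
    return tuple(int(part) for part in str(text).split("."))

def ofce_params(scv):
    """Parameters of the OfceSCV product as a flat dict of atoms (None if absent)."""
    for product in pairs(scv["SCVNames"]).get("", []):
        if product[0] == "OfceSCV":
            return {k: scalar(v) for k, v in pairs(pairs(product)["parameters"]).items()}
    return None

def office_scan_check(scv_text, client_pattern, client_engine):
    """Apply the OfceVersionCheck to the versions a client reports. verified: both
    comparisons hold; blocked: failed and the policy blocks unverified clients."""
    scv = pairs(load(scv_text))
    enforced = {scalar(p) for p in pairs(scv["SCVPolicy"]).get("", [])}
    globals_ = {k: scalar(v) for k, v in pairs(scv["SCVGlobalParams"]).items()}
    params = ofce_params(scv)
    reasons = []
    if "OfceSCV" in enforced and params and params.get("CheckType") == "OfceVersionCheck":
        for label, have, want, op in (
            ("pattern", client_pattern, params["LatestPatternVersion"], params["PatternCompareOp"]),
            ("engine", client_engine, params["LatestEngineVersion"], params["EngineCompareOp"]),
        ):
            if not OPS[op](version_tuple(have), version_tuple(want)):
                reasons.append(f"{label} {have} is not {op} {want}")
    verified = not reasons
    blocked = not verified and globals_.get("block_connections_on_unverified") == "true"
    return {"verified": verified, "blocked": blocked, "reasons": reasons}

def stale_thresholds(scv_text, deployed_pattern, deployed_engine):
    """The caveat in the Note above: thresholds that lag behind the versions the
    OfficeScan server currently deploys, so out-of-date clients would still pass."""
    params = ofce_params(pairs(load(scv_text)))
    stale = []
    if version_tuple(params["LatestPatternVersion"]) < version_tuple(deployed_pattern):
        stale.append("LatestPatternVersion")
    if version_tuple(params["LatestEngineVersion"]) < version_tuple(deployed_engine):
        stale.append("LatestEngineVersion")
    return stale
```

With the sample file, office_scan_check(SAMPLE_SCV, "650", "7.1") returns blocked=True with the reason "pattern 650 is not >= 701", while a client at pattern 701 or later and engine 7.1 or later is verified. Once the OfficeScan server has moved on to, say, pattern 715, stale_thresholds(SAMPLE_SCV, "715", "7.1") returns ['LatestPatternVersion'], which is the signal to open the SCV Editor and raise the threshold as the Note requires.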
Configuring Check Point for OfficeScan
To modify the local.scv file, you need to download and run the SCV Editor
(SCVeditor.exe).
To configure the Secure Configuration Verification file:
1. Download SCVeditor.exe from the Check Point download site at:
www.checkpoint.com/techsupport/ng/fp3_updates.html#opsecsdk
The SCV Editor is part of the OPSEC SDK package.
2. Run SCVeditor.exe on the Policy Server. The SCV Editor console opens.
3. Expand the Products folder and select user_policy_scv.
4. Click Edit > Product > Modify, and then type OfceSCV in the Modify box.
Click OK.
Note: If your local.scv file already contains product policies for other third-party
software, create a new policy by clicking Edit > Product > Add, and then
typing OfceSCV in the Add box.
5. Now add five parameters. To add a parameter, click Edit > Parameters > Add,
and then type a Name and Value in the corresponding boxes. Table D-1 lists the
parameter names and values. Parameter names and values are case-sensitive, and
must be typed in the order given in Table D-1.
Name                     Value
CheckType                OfceVersionCheck
LatestPatternVersion     {current pattern file number}
LatestEngineVersion      {current scan engine number}
LatestPatternDate        {current pattern file release date}
PatternCompareOp         >=
EngineCompareOp          >=
PatternMismatchMessage
EngineMismatchMessage
TABLE D-1. SCV file parameter names and values
Type the most current pattern file number and scan engine number in place of the
text in curly braces in Table D-1. You can view the latest virus pattern and scan
engine versions for clients by clicking Update & Upgrade on the sidebar of the
OfficeScan Web console. The pattern version number will appear to the right of
the pie chart representing the percentage of clients protected.
6. Select Block connections on SCV unverified.
7. Click Edit > Product > Enforce.
8. Click File > Generate Policy File to create the file. Select the existing
local.scv file to overwrite it.
Installing SecureClient Support on the OfficeScan Client
If you have users that connect to the office network from a Virtual Private Network
(VPN), and they have both Check Point SecureClient and the OfficeScan client
installed on their computers, you can ask them to install SecureClient support. This
module allows SecureClient to perform SCV checks on VPN clients, ensuring that
only securely configured systems are allowed to connect to the network.
Users can verify that they have Check Point SecureClient installed on their
computers by checking for the SecureClient icon in the system tray or for an item
named Check Point SecureClient on the Add/Remove Programs screen of Windows.
To install SecureClient support:
1. Open the client console.
2. Click the Toolbox tab.
3. Under Check Point SecureClient Support, click Install/Upgrade
SecureClient support. A confirmation screen appears.
4. Click Yes. The client connects to the server and downloads the module. When
download is complete, the message "Register OfficeScan SCV" appears.
5. Click OK.
Appendix E
Glossary of Terms
The following is a list of terms in this document:
Access Control Server (ACS) – Passes authentication requests from the Network Access Device to the Policy Server in order to validate end-user client security posture. The ACS server also passes the posture token from the Policy Server to the Network Access Device. The ACS server can also be configured to carry out actions on the end-user client.
ACS certificate – Used to establish trusted communication between the ACS server and the Certificate Authority (CA) server. The Certificate Authority server signs the ACS certificate, and it is saved on the ACS server.
ActiveX malicious code – A type of virus that resides in Web pages that execute ActiveX controls.
Adware – Similar to spyware, adware gathers user data, such as Web surfing preferences, that could be used for advertising purposes.
Authentication, Authorization, and Accounting (AAA) – Describes the three main services used to control end-user client access to computer resources. Authentication refers to identifying a client, usually by having the user enter a user name and password. Authorization refers to the privileges the user has to issue certain commands. Accounting refers to a measurement, usually kept in logs, of the resources utilized during a session. The Cisco Secure Access Control Server (ACS) is the Cisco implementation of an AAA server.
Boot sector viruses – A type of virus that infects the boot sector of a partition or a disk.
CA certificate – Used for authentication of end-user clients with the Cisco ACS server. The CA certificate is deployed to both the ACS server and to clients (packaged with the Cisco Trust Agent by the OfficeScan server).
Certificate Authority (CA) – An authority on a network that distributes digital certificates for the purposes of performing authentication and securing connections between computers and/or servers.
Cisco Trust Agent (CTA) – Installed on end-user client computers to allow communication of security posture to Cisco Network Access Devices. The agent can be deployed to OfficeScan clients from the OfficeScan Web console.
Client validation – The process of having a Cisco NAC Policy Server evaluate an OfficeScan client's security posture and sending a posture token back to the client.
COM and EXE file infectors – A type of virus that masquerades as an application by using a .exe or .com file extension.
Conflicted ARP – A type of attack where a hacker sends an Address Resolution Protocol (ARP) request with the same source and destination IP address. The target computer continually sends an ARP response (its MAC address) to itself, causing it to freeze or crash.
Control Manager Agent – Installed on the OfficeScan server to register with the Control Manager server. This allows administration of OfficeScan through the Control Manager management console.
Denial of Service Attack (DoS Attack) – An attack on a computer or network that causes a loss of 'service', namely a network connection. Typically DoS attacks negatively affect network bandwidth or overload computer resources, such as memory.
Dialers – Software that changes client Internet settings and can force the client to dial pre-configured phone numbers through a modem.
Digital Certificates – An attachment that is used for security. Most commonly, certificates authenticate clients with servers, such as a Web server, and contain the following: user identity information, a public key (used for encryption), and a digital signature of a Certificate Authority (CA) to verify that the certificate is valid.
Dynamic Host Control Protocol (DHCP) – A device, such as a computer or switch, must have an IP address to be connected to a network, but the address does not have to be static. A DHCP server, using the Dynamic Host Control Protocol, can assign and manage IP addresses dynamically every time a device connects to a network.
Dynamic IP Address (DIP) – A Dynamic IP address is an IP address that is assigned by a DHCP server. The MAC address of a computer will remain the same; however, the computer may be assigned a new IP address by the DHCP server depending on availability.
End User License Agreement (EULA) – An End User License Agreement or EULA is a legal contract between a software publisher and the software user. It typically outlines restrictions on the side of the user, who can refuse to enter into the agreement by not clicking "I accept" during installation. Clicking "I do not accept" will, of course, end the installation of the software product.
Many users inadvertently agree to the installation of spyware and other types of grayware into their computers when they click "I accept" on EULA prompts displayed during the installation of certain free software.
File Transfer Protocol (FTP) – FTP is a standard protocol used for transporting files from a server to a client over the Internet. Refer to Network Working Group RFC 959 for more information.
Fragmented IGMP – A Denial of Service attack where fragmented IGMP packets are sent to a target computer, which cannot properly process the IGMP packets. This can freeze or slow the machine.
Grayware – Files and programs, other than viruses, that can negatively affect the performance of the computers on your network. These include spyware, adware, dialers, joke programs, hacking tools, remote access tools, password cracking applications, and others. The OfficeScan scan engine scans for grayware as well as viruses.
Hacking tools – Tools used to help hackers enter computers, often through empty ports.
Hot Fixes and Patches – Workaround solutions to customer-related problems or newly discovered security vulnerabilities that you can download from the Trend Micro Web site and deploy to the OfficeScan server and/or client program.
Hyper Text Transfer Protocol (HTTP) – HTTP is a standard protocol used for transporting Web pages (including graphics and multimedia content) from a server to a client over the Internet.
HTML, VBScript, or JavaScript viruses – Viruses that reside in Web pages and are downloaded through a browser.
HTTPS – Hypertext Transfer Protocol using Secure Socket Layer (SSL).
Internet Control Message Protocol (ICMP) – Occasionally a gateway or destination host uses ICMP to communicate with a source host, for example, to report an error in datagram processing. ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP is actually an integral part of IP, and must be implemented by every IP module. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable.
Internet Protocol (IP) – "The internet protocol provides for transmitting blocks of data called datagrams from sources to destinations, where sources and destinations are hosts identified by fixed length addresses." (RFC 791)
Intrusion Detection System (IDS) – Intrusion Detection Systems are commonly part of firewalls. An IDS can help identify patterns in network packets that may indicate an attack on the client.
Java malicious code – Operating system-independent virus code written or embedded in Java.
Joke program – Software that causes a computer to behave abnormally, such as forcing the screen to shake.
Keylogger – A program that captures and stores a history of keystrokes and mouse clicks, potentially without the user's knowledge.
Land Attack – A type of attack where IP synchronization (SYN) packets with the same source and destination address are sent to a computer, causing the computer to send the synchronization acknowledgment (SYN/ACK) response to itself. This can freeze or slow the machine.
Macro viruses – A type of virus encoded in an application macro and often included in a document.
Network Access Device – Network access servers, firewalls, routers, switches, or wireless access points that support Cisco NAC functionality.
Network virus – A network virus is a self-contained program (or set of programs) that is capable of spreading copies of itself or its segments across the network, including the Internet. Propagation often takes place through shared resources, such as shared drives and folders, or other network ports and services. Network viruses are not limited to the usual form of files or email attachments, but can also be resident in a computer's memory space alone (often referred to as Memory-only Worms).
Overlapping Fragment – Similar to a teardrop attack, this Denial of Service attack sends overlapping TCP fragments to a computer. The header information in the first TCP fragment is overwritten and may then be able to pass through a firewall. The firewall then may allow subsequent fragments, which may contain malicious code, to pass through to the target computer.
Packer – A compressed and/or encrypted Windows or Linux executable program, often a Trojan. Compressing executables makes them more difficult for antivirus products to detect.
Password cracking applications – Software that can help hackers decipher user names and passwords.
Phish sites – A Web site that lures users into providing personal details, such as credit card information. Links to phish sites are often sent in bogus email messages disguised as legitimate messages from well-known businesses.
Ping – A utility that sends an ICMP echo request to an IP address and waits for a response. The Ping utility can determine if the machine with the specified IP address is online or not.
Ping of Death – A Denial of Service attack where a hacker directs an oversized ICMP packet at a target computer. This can cause the computer's buffer to overflow, which can freeze or reboot the machine.
Policy Server – The server responsible for the determination of the posture token of end-user clients by periodically uploading current antivirus pattern file and scan engine version information from the OfficeScan servers on the network. Install Policy Server from the OfficeScan master installer or from the Enterprise CD.
Policy Server policy – Comprised of rules, policies are used by the Policy Server to measure end-user client security posture. One policy is assigned to each registered OfficeScan server on the network.
Policy Server rule – Rules are comprised of specific criteria that Policy Servers use to compare with OfficeScan client security posture data. If any aspect of client security posture matches the criteria you configure in a rule, the client can carry out actions you specify.
Policy Server SSL certificate – Used to ensure secure HTTPS communication between the Policy Server and ACS server. The Policy Server SSL certificate is automatically generated during Policy Server installation.
Post Office Protocol 3 (POP3) – POP3 is a standard protocol for storing and transporting email messages from a server to a client email application.
Posture token – The Policy Server creates the posture token after end-user client validation. It includes information that tells the OfficeScan client to perform a set of specified actions, such as enabling Real-time scan or updating antivirus components.
Remote access tools – Tools used to help hackers remotely access and control a computer.
Remote Authentication Dial-In User Service (RADIUS) – An authentication system requiring clients to enter a user name and password. Cisco Secure ACS servers support RADIUS.
Secure Socket Layer (SSL) – SSL is a scheme proposed by Netscape Communications Corporation to use RSA public-key cryptography to encrypt and authenticate content transferred on higher-level protocols such as HTTP, NNTP, and FTP.
SSL certificate – A digital certificate that establishes secure HTTPS communication between the Policy Server and the ACS server.
Security posture – The presence and currency of antivirus software installed on an end-user client. The security posture of OfficeScan clients refers to whether the OfficeScan client program is installed and how old the antivirus component versions are.
Simple Mail Transport Protocol (SMTP) – SMTP is a standard protocol used to transport email messages from server to server, and client to server, over the internet.
SOCKS 4 – A TCP protocol used by proxy servers to establish a connection between clients on the internal network or LAN and computers or servers outside the LAN. The SOCKS 4 protocol makes connection requests, sets up proxy circuits and relays data at the Application layer of the OSI model.
Spyware – A type of grayware that installs components on a computer for the purpose of recording Web surfing habits (primarily for marketing purposes). Spyware sends this information to its author or to other interested parties when the computer is online. Spyware often downloads with items identified as 'free downloads' and does not notify the user of its existence or ask for permission to install the components. The information spyware components gather can include user keystrokes, which means that private information such as login names, passwords, and credit card numbers are vulnerable to theft.
Stateful inspection firewall – Stateful inspection firewalls monitor all connections to a client and remember all connection states. They can identify specific conditions in any connection, predict what actions should follow, and detect when normal conditions are violated. This significantly increases the chances that a firewall can detect an attack on a client.
SYN Flood – A Denial of Service attack where a program sends multiple TCP synchronization (SYN) packets to a computer, causing the computer to continually send synchronization acknowledgment (SYN/ACK) responses. This can exhaust computer memory and eventually crash the machine.
Teardrop – Similar to an overlapping fragment attack, this Denial of Service attack deals with IP fragments. A confusing offset value in the second or later IP fragment can cause the receiving computer operating system to crash when attempting to reassemble the fragments.
Telnet – Telnet is a standard method of interfacing terminal devices over TCP by creating a "Network Virtual Terminal". Refer to Network Working Group RFC 854 for more information.
Terminal Access Controller Access Control System (TACACS+) – A security protocol enabled through AAA commands used for authenticating end-user clients. Cisco ACS servers support TACACS+.
Test virus – An inert file that acts like a real virus and is detectable by virus-scanning software. Use test files, such as the EICAR test script, to verify that your antivirus installation is scanning properly.
Term
Description
Tiny Fragment
A type of attack where a small TCP fragment size forces the first TCP
packet header information into the next fragment. This can cause routers
that filter traffic to ignore the subsequent fragments, which may contain
malicious data.
Too Big Fragment
A Denial of Service attack where a hacker directs an oversized TCP/UDP
packet at a target computer. This can cause the computer's buffer to
overflow, which can freeze or reboot the machine.
Transmission Control Protocol (TCP)
A connection-oriented, end-to-end reliable protocol designed to fit into a
layered hierarchy of protocols that support multi-network applications. TCP
relies on IP datagrams for address resolution. Refer to DARPA Internet
Program RFC 793 for information.
TrendLabs
TrendLabs is Trend Micro's global network of antivirus research and product
support centers that provide 24 x 7 coverage to Trend Micro customers
around the world.
Trojan horses
Executable programs that do not replicate but instead reside on systems to
perform malicious acts, such as opening ports for hackers to enter.
User Datagram Protocol (UDP)
A connectionless communication protocol used with IP for application
programs to send messages to other programs. Refer to DARPA Internet
Program RFC 768 for information.
Virus
A virus is a program that replicates. To do so, the virus needs to attach itself
to other program files and execute whenever the host program executes
(see Understanding Viruses and Malware on page 1-14 for more
detailed information).
Worm
A self-contained program (or set of programs) that is able to spread
functional copies of itself or its segments to other computer systems, often
by email. A worm can also be called a network virus.
Trend Micro™ OfficeScan™ 7.3 Administrator’s Guide
Index
Numerics
32-bit and 64-bit clients 1-10
A
Access Control Server (ACS) B-12
definition E-1
enrolling B-3
ACS certificate B-3
definition E-1
ActiveX 1-14
definition E-1
adding a domain 2-3
administrative tasks 4-1
administrative tools 8-3
adware 1-16
definition E-1
agents
Cisco Trust Agent (CTA) B-7
upgrading to version 2.0 B-9
Control Manager E-2
Update Agent 2-9
alert messages
Frequently Asked Questions (FAQs) 9-5
alerts
outbreak 4-2
standard 4-2
alternate servers 6-13
Authentication, Authorization, and Accounting
(AAA)
definition E-1
Automatic Deployment 2-16
automatic updates
client 2-16
B
blocking
ports 5-3
shared folders 5-2
boot sector viruses 1-14
definition E-1
C
CA certificate A-16
definition E-2
exporting and installing B-3
Certificate Authority (CA)
definition E-2
certificates A-14
ACS B-3
CA A-16, B-3
Policy Server SSL B-5
Cisco NAC
architecture A-5
components and terms A-2
Frequently Asked Questions (FAQs) 9-6
introduction A-2
policy server deployment B-2
Cisco router models A-18
Cisco Trust Agent (CTA) 1-11, B-7
definition E-2
system requirements for Windows NT/2000 A-18
system requirements for Windows XP A-18
upgrading to version 2.0 B-9
Cleanup Now 3-5
client
new features 1-2
notification for outbreaks 5-7
program 1-11
tools 8-9
Client Packager 8-9
client validation
definition E-2
clients 1-7
classifications 1-8
configuration files 1-11
disconnected 1-8
granting privileges
client privileges 2-28
Image Setup Utility 8-9
importing and exporting scan and privilege settings 2-30
normal 1-8
removing inactive 4-4
roaming 1-9
Update Agent 2-9
update logs 7-3
updating 2-12
components and configuration files 2-13
COM and EXE file infectors 1-14
definition E-2
common firewall driver 1-11
compatibility
Frequently Asked Questions (FAQs) 9-2
components 1-11
rolling back 2-21
updating 2-4
configuring
ACS server B-12
anti-spyware settings 3-6
client notification for outbreaks 5-7
Firewall Outbreak Monitor 6-13
Internet proxy settings 2-9
outbreak notifications 5-7
Policy Server for Cisco NAC B-13
Quarantine Manager 4-4
Scan Now 2-24
scan settings 2-23
Conflicted ARP
definition E-2
contacting Trend Micro 9-18
Control Manager C-2
agent C-3
capabilities with OfficeScan C-2
installing the agent C-4
introduction C-2
public encryption key C-4
Control Manager agent
definition E-2
installation C-4
removing C-6
required information C-3
requirements C-3
Critical Spyware/Grayware exclusion list 3-7
D
Damage cleanup engine 1-11, 3-4
Damage Cleanup Services
running Cleanup Now 3-5
Damage cleanup template 1-11, 3-4
database backup integration
new feature 1-3
deleting
logs 7-5
Denial of Service Attack (DoS Attack)
definition E-2
denying write access to files and folders 5-5
dialers 1-16
definition E-2
digital certificates
definition E-2
documentation 1-16
Frequently Asked Questions (FAQs) 9-7
provide your feedback 1-17, 9-7
domain
adding 2-3
moving clients from 2-3
working with 2-3
Dynamic Host Control Protocol (DHCP)
definition E-2
Dynamic IP Address (DIP)
definition E-2
E
End User License Agreement (EULA)
definition E-3
enrolling the Cisco Secure ACS server B-3
Enterprise Client Firewall 7-4
configuration 6-12
configuring Firewall Outbreak Monitor 6-13
default policies 6-7
defaults 6-7
deploying 6-8
disabling 6-15
features 6-2
Firewall Outbreak Monitor 6-3
Frequently Asked Questions (FAQs) 9-3
Intrusion Detection System 6-3
logs 7-4
policies, exceptions, and profiles 6-5
stateful inspection 6-2
understanding 6-4
verifying deployment 6-11
events 1-7
excluding files and folders from scanning 2-27
F
File Transfer Protocol (FTP)
definition E-3
file-based server 1-7
Firewall Outbreak Monitor 6-3
configuring 6-13
Fragmented IGMP
definition E-3
Frequently Asked Questions (FAQs) 9-2
alert messages 9-5
Cisco NAC 9-6
compatibility 9-2
documentation 9-7
Enterprise Client Firewall 9-3
scanning 9-5
updating 9-3
Web console 9-7
G
General Spyware/Grayware exclusion list 3-6
Glossary of Security Threat Terms 9-19
granting privileges to clients 2-28
grayware
definition E-3
grayware protection
new feature 1-2
H
hacking tools 1-16
definition E-3
hot fixes 1-11
hot fixes and patches
definition E-3
HTML, VBScript, or JavaScript viruses 1-14, E-3
HTTP 1-6
HTTPS
definition E-3
Hyper Text Transfer Protocol (HTTP) 1-6
definition E-3
I
icons
normal client 1-8
roaming client 1-9
ICSA Certification 1-13
Image Setup Utility 8-9
importing and exporting client scan and privilege settings 2-30
inactive clients
removing 4-4
installing
Control Manager agent C-4
Policy Server for Cisco NAC B-10
Internet 1-6
Internet Control Message Protocol (ICMP)
definition E-3
Internet Information Server (IIS) 1-6
Internet Protocol (IP)
definition E-4
Internet proxy
configuring settings 2-9
intranet proxy
configuring 2-4, 4-3
Intrusion Detection System (IDS) 6-3
definition E-4
ISO 9002 Certification-see TrendLabs 9-22
J
Java
malicious code 1-14
definition E-4
joke program 1-16
definition E-4
K
keylogger
definition E-4
Knowledge Base 9-20
URL 1-17
Known Issues
URL for readme documents describing 9-19
known issues with OfficeScan 9-19
L
Land Attack
definition E-4
local.scv D-9
Login Script Setup 8-3
logs
client update 7-3
deleting 7-5
managing 7-5
Policy Server client validation B-17
server update 7-3
system event 7-3
verify connection 7-4
viewing 7-2
virus 7-2
M
macro viruses 1-14
definition E-4
management console
functions 1-10
Manual Deployment 2-19
Manual Outbreak Prevention
configuring outbreak notifications 5-7
manual update
client 2-19
server 2-8
moving clients from a domain 2-3
multiple update sources
new feature 1-3
multi-server and remote server installation
new feature 1-3
N
Network Access Device (NAD)
definition E-4
network virus 1-15
definition E-4
network virus pattern file 1-11
new features
client-side 1-2
database backup integration 1-3
multiple update sources 1-3
multi-server and remote server installation 1-3
server-side 1-3
spyware and other grayware protection
new feature 1-2
normal clients 1-8
O
OfficeScan
benefits and capabilities 1-5
client 1-7
integrating with SecureClient D-9
management console 1-10
server 1-5–1-6
OfficeScan client program 1-11
OfficeScan server
architecture 1-5
synchronizing with Policy Server A-14
outbreak alerts 4-2
Outbreak Prevention 5-2
blocking ports 5-3
denying write access to files and folders 5-5
restoring network settings to normal 5-7
shared folder blocking 5-2
Overlapping Fragment
definition E-4
P
packer
definition E-4
packers 1-15
password
changing Web console 4-2
Password cracking applications
definition E-4
password cracking applications 1-16
patches 1-11
Phish sites
definition E-4
Ping
definition E-5
Ping of Death
definition E-5
Policy Server
client validation logs B-17
configuring B-13
configuring policies B-16
configuring synchronization B-17
definition E-5
enrolling the Cisco Secure ACS server B-3
policy definition E-5
rule definition E-5
SSL certificate B-5
definition E-5
supported Cisco routers A-18
synchronizing with OfficeScan server A-14
system requirements A-16
viewing client validation logs B-17
Web console system requirements A-17
Policy Server for Cisco NAC
ACS certificate B-3
administrative tasks B-17
CA certificate A-16, B-3
certificates A-14
Cisco Trust Agent (CTA) B-7
upgrading to version 2.0 B-9
client validation process A-6
configuring ACS server B-12
configuring policies B-16
configuring Policy Server B-13
configuring rules B-16
configuring synchronization B-17
default policies A-13
default rules A-11
deployment overview B-2
enrolling the ACS server B-3
policies and rules A-9
policy composition A-12
Policy Server installation B-10
Policy Server SSL certificate B-5
rule composition A-9
synchronizing the Policy Server and OfficeScan
Server A-14
understanding Policy Server A-8
viewing client validation logs B-17
Policy Servers for SecureClient D-9
Post Office Protocol 3 (POP3)
definition E-5
proxy
Internet 2-9
intranet 2-4, 4-3
public encryption key for Control Manager C-4
Q
Quarantine Manager 4-4
R
Remote access tools
definition E-5
remote access tools 1-16
Remote Authentication Dial-In User Service (RADIUS)
definition E-5
removing
Control Manager agent C-6
inactive clients 4-4
requirements
Policy Server Web console A-17
Restore Encrypted Files 8-9
restoring network settings to normal 5-7
Risk Ratings
Security Information Center 9-19
roaming clients 1-9
privileges 1-9
updating 1-9
rolling back components 2-21
S
Safe Computing Guide 9-19
scan engine 1-11
about 1-12
events that trigger an update 1-13
ICSA certification 1-13
updating 1-13
Scan Now 2-24
scan options 2-23
scan settings
configuring 2-23
excluding files and folders 2-27
Scan Now 2-24
scanning
excluding files and folders 2-27
Frequently Asked Questions (FAQs) 9-5
Scan Now 2-24
scan settings 2-23
Scheduled Update
server updates 2-7
SCV Editor D-9
Secure Configuration Verification. See SCV
Secure Socket Layer (SSL)
definition E-5
SecureClient D-9
integrating with OfficeScan D-9
Policy Servers D-9
SCV Editor D-9
Security Information Center 9-18
EICAR test file 9-19
glossary of security threat terms 9-19
Risk Ratings 9-19
Safe Computing Guide 9-19
subscription service 9-19
TrendLabs 9-19
URL 9-18
Virus Alert 9-19
Virus Encyclopedia 9-19
Virus Map 9-19
Virus Primer 9-19
Webmaster tools 9-19
Weekly Virus Report 9-19
white papers 9-19
security patches 1-11
security posture
definition E-6
security risks
ActiveX 1-14
boot sector viruses 1-14
COM and EXE file infectors 1-14
HTML, VBScript, or JavaScript viruses 1-14
Java malicious code 1-14
macro viruses 1-14
packers 1-15
Trojans 1-14
worms 1-15
sending suspicious files to Trend Micro 9-21
server
configuring automatic scheduled updates 2-7
file-based 1-7
HTTP-based 1-6
new features 1-3
update logs 7-3
updating 2-6
updating manually 2-8
Server Tuner 8-8
Simple Mail Transport Protocol (SMTP)
definition E-6
SOCKS 4
definition E-6
SolutionBank-see Knowledge Base 1-17
spyware 1-16
definition E-6
spyware and other grayware
configuring anti-spyware settings 3-6
guarding against 3-8
overview 1-15
risks and threats 3-2
sending unknown files to Trend Micro 3-3
the Spyware Protection Ratio 3-8
types 1-16
Spyware Protection Ratio 3-8
Spyware/Grayware
cleanup pattern 1-11, 3-4
critical exclusion list 3-7
general exclusion list 3-6
scan pattern 1-11
SSL certificate
definition E-5
standard alert
email 2-23
standard alerts 4-2
stateful inspection firewall
definition E-6
Submission Wizard
URL 9-21
Subscription Service 9-19
SYN Flood
definition E-6
synchronization
configuring Policy Server B-17
system event logs 7-3
system requirements
Policy Server A-16
T
TCP/IP 1-6
Teardrop
definition E-6
Technical support 9-1
technical support 9-20
Telnet
definition E-6
Terminal Access Controller Access Control System
(TACACS+)
definition E-6
test virus
definition E-6
Tiny Fragment
definition E-7
Too Big Fragment
definition E-7
tools
administrative 8-3
client 8-9
Client Mover I 8-11
Client Packager 8-9
Image Setup Utility 8-9
Login Script Setup 8-3
previously supported 8-17
Restore Encrypted Files 8-9
Server Tuner 8-8
Touch Tool 8-13
Vulnerability Scanner 8-3
Transmission Control Protocol (TCP)
definition E-7
Trend Micro
contacting 9-18
TrendLabs 9-19, 9-22
definition E-7
Trojan horses
definition E-7
Trojans 1-14
Troubleshooting 9-1
U
uninstalling
Control Manager agent C-6
Update Agent 2-9
Update Now 1-9, 2-19
update source 2-13
updating clients 2-12
components and configuration files 2-13
configuration files 1-11
Frequently Asked Questions (FAQs) 9-3
roaming clients 1-9
selecting client update source 2-13
Update Agent 2-9
using Automatic Deployment 2-16
using Manual Deployment 2-19
using Update Now 2-19
verifying 2-20
updating the server 2-6
Frequently Asked Questions (FAQs) 9-3
using automatic scheduled update 2-7
using Manual Server Update 2-8
URLs
Cisco NAC A-2
Knowledge Base 1-17, 9-21
readme documents containing known issues 9-19
User Datagram Protocol (UDP)
definition E-7
V
verify connection logs 7-4
verifying
updates 2-20
viewing
client update logs 7-3
Enterprise Client Firewall logs 7-4
logs 7-2
server update logs 7-3
system event logs 7-3
verify connection logs 7-4
virus logs 7-2
virus
definition E-7
Virus Alert Service 9-19
Virus Encyclopedia 9-19
virus logs 7-2
Virus Map 9-19
Virus Outbreak Monitor 5-8
virus pattern file 1-11
about 1-12
Virus Primer 9-19
viruses
"in the wild" 1-12
"in the zoo" 1-12
VPN D-12
Vulnerability Scanner 8-3
W
Web console
Frequently Asked Questions (FAQs) 9-7
getting around 2-2
opening 2-2
Web master Tools 9-19
Web server information
changing 4-3
Weekly Virus Report 9-19
White Papers 9-19
World Virus Tracking Program 4-5
worm 1-15
definition E-7