IBM Core Protection Module BigFix Protection Administrator's Guide
BigFix Protection Core Protection Module is a powerful, scalable, and easy-to-manage security solution for large enterprises. It delivers superior malware protection for Mac endpoints and includes Web Reputation technology, which proactively protects client computers within or outside the corporate network.
IBM BigFix
Version 9.2
BigFix Protection (formerly known as
Core Protection Module) for Mac
Administrator's Guide
IBM
Note
This edition applies to version 9, release 2, modification level 0 of IBM BigFix and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 2015.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Chapter 1. Introducing Core Protection Module for Mac (CPM) . . . 1
    Key Differences between CPM and CPM for Mac
    Trend Micro Pattern Files and Scan Engine
Chapter 2. Working With the IBM BigFix Server . . . 9
    Add CPM for Mac to the IBM BigFix Server
    Install CPM Components on the Server
    Update Pattern Files on the Server
    Prepare the IBM BigFix Server and Update the Pattern Files
    Activate Core Protection Module for Mac Analysis . . . 14
    Remove CPM Server Components
Chapter 3. Working with CPM for Mac Clients . . . 17
    Client Installation and Updates
    Pattern File and Engine Updates
    Update Pattern Files on CPM for Mac Clients
    Conflicting or Incompatible Programs
Chapter 4. Working with CPM for Mac . . . 25
    Configure and Run Malware Scans
    Configure Default Scan Settings
    Client Updates from the Cloud
    Previous Pattern File Version Rollback
    Deploy Selected Pattern Files
    Smart Protection Server Configuration
Chapter 5. Configuration Wizards . . . 39
    Configuration Wizards Reference
    Active Update Server Settings Wizard
    On-Demand Scan Settings Wizard
    Real-Time Scan Settings Wizard
    Scan Exclusion Settings for Mac
Chapter 6. Web Reputation . . . 47
    Enable Smart Protection Server Web Reputation
    Enable HTTP Web Reputation (port 80) on CPM
    Web Reputation Proxy Settings
    Delete a Blocked or Approved List
    Delete a Web Reputation Custom Task
Chapter 7. Locations . . . 57
    Create Location-Specific Tasks
    Configure Automatic Updates Using Location
Chapter 8. Troubleshooting . . . 65
Chapter 9. Contact Trend Micro . . . 71
Appendix A. Appendix A: Routine CPM Tasks (Quick Lists) . . . 73
Appendix B. Appendix B: Reference Lists . . . 79
Appendix C. Appendix C: Understanding Security Risks . . . 81
Appendix D. Support . . . 87
Notices . . . 89
    Terms and conditions for product documentation
IBM BigFix: BigFix Protection (formerly known as Core Protection Module) for Mac Administrator's Guide
Chapter 1. Introducing Core Protection Module for Mac (CPM)
IBM BigFix provides extended management capabilities to the CPM for Mac server and clients. The CPM for Mac client provides real-time, on-demand, and scheduled malware protection. In addition, you can protect your users against malicious websites by enabling CPM for Mac’s Web Reputation. Using a single agent and management console, IBM BigFix can support more than 250,000 endpoints. From the management console, you can track the progress of each computer as updates or configuration policies are applied.
IBM BigFix technology identifies agents with outdated antivirus and malware protection. You can trigger 50,000 computers to update their 10 MB pattern file and have confirmation of the completed action in as little as 15 minutes. You can deploy CPM for Mac to endpoints and track the progress of each computer as you apply CPM for Mac component updates. This makes it easy to measure your level of protection across the entire enterprise. Additionally, the BigFix Reporting module makes it simple to show the status of your overall protection with web-based reports.
New in This Release
Core Protection Module for Mac includes the following new features and enhancements:
- Mac OS X 10.11 support
- Improved scan performance
  The on-demand scan cache improves the scanning performance and reduces scan time by skipping previously scanned, threat-free files.
  Configure scan exclusion folders easily using wildcards.
  Allow users to stop Scheduled Scans, and set the maximum scan time for them.
- Smart protection for Web Reputation
  Clients send Web Reputation queries to smart protection sources to determine the safety of websites. Clients use the smart protection source list that is configured for CPM clients to determine which smart protection sources to send queries to.
- Mac client system tray icon
  Administrators can allow the client to display the system tray icon and allow users to view logs and run scans.
Key Differences between CPM and CPM for Mac
Note the following differences when migrating from CPM to CPM for Mac.
Version Report
After subscribing to the CPM for Mac website, these changes display.
- A new pie chart that displays the Anti-virus Engine Versions for Mac.
- A new pie chart, initiated from the CPM tab, that displays the CPM for Mac Program Version.
- The existing Anti-virus Pattern Versions pie chart now supports both Windows and Mac endpoints.
- The existing Spyware Active-monitoring Pattern Versions pie chart has changed to support both Windows and Mac endpoints.
Infection Report
- A new pie chart displays the Top Mac Malware Infections (but only the total number of malware infections).
- A new data chart that details the Mac Malware Infections.
Web Reputation
CPM for Mac supports only the Blocked Web Sites chart.
Wizards
The key differences between wizards in CPM and CPM for Mac are described in the next section.
Key Differences in Wizards
When you migrate from CPM to CPM for Mac, note the following differences in the wizards.
Real-Time Scan Settings Wizard
CPM for Mac supports a subset of the CPM configuration:
- Malware scans enabled or disabled.
- User activity on files.
- Scan compressed files enabled or disabled.
- Scan action:
  – Use Active Action
  – Use custom actions
    - First action: CPM for Mac supports only three types of first action:
      1. Clean
      2. Delete
      3. Quarantine
      Note: If administrators select an unsupported option for the first action, such as “Rename”, CPM for Mac does not apply the generated Action for this configuration. The original value is retained.
    - Second action: CPM for Mac supports only two types of second action:
      1. Delete
      2. Quarantine
On-Demand Scan Settings Wizard
CPM for Mac no longer supports the following options and features.
Table 1. What's New or Changed

Option | Resolution
All Spyware/Grayware actions/options | Ignored and Virus/Malware settings used
Files to Scan (Windows filters by extension, Mac takes lists of file names) | Different target options between CPM and CPM for Mac are used
Scan Compressed files maximum layers | Ignored on Mac
Scan Boot Area | Ignored on Mac
Enable IntelliTrap | Ignored on Mac
CPU Setting “Medium” | Ignored on Mac
Scan Exclusion options | Ignored on Mac. Note: To configure Scan Exclusions for Mac, use the Scan Exclusion Settings for Mac wizard.
“Rename” action option | Ignored on Mac
Specific action for virus type | Use defaults (Clean/Quarantine)
Back up Files before cleaning | Ignored on Mac
Display a notification message | Ignored on Mac

Note: CPM for Mac consolidates all Spyware/Grayware actions and options under the “Virus/Malware” scan options. CPM for Mac ignores this option when it constructs Mac actions and relevance in favor of the “Virus/Malware” scan options.
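A policy-translation check written for this guide (an added example, not IBM's or Trend Micro's code): it encodes the rules above, the custom first and second actions the Mac client accepts and the On-Demand options Table 1 marks as ignored, and reports what a Windows-derived CPM configuration would lose before it is pushed to Mac endpoints. The dictionary keys and function names are this example's own; how the Mac client treats an unsupported second action is not stated in the guide and is assumed here to match the unsupported-first-action behaviour.

```python
# Added example: validate a CPM (Windows) scan configuration against the
# CPM for Mac subset described in this guide. Option names follow the guide;
# the dictionary keys and function names are this example's own.

# Custom actions the Mac client applies (Real-Time Scan Settings Wizard).
MAC_FIRST_ACTIONS = {"Clean", "Delete", "Quarantine"}
MAC_SECOND_ACTIONS = {"Delete", "Quarantine"}

# On-Demand Scan options that Table 1 lists as "Ignored on Mac".
IGNORED_ON_MAC = {
    "scan_compressed_max_layers": "Scan Compressed files maximum layers",
    "scan_boot_area": "Scan Boot Area",
    "enable_intellitrap": "Enable IntelliTrap",
    "cpu_setting_medium": 'CPU Setting "Medium"',
    "scan_exclusions": "Scan Exclusion options (use the Scan Exclusion Settings for Mac wizard)",
    "rename_action": '"Rename" action option',
    "backup_before_clean": "Back up Files before cleaning",
    "display_notification": "Display a notification message",
}


def translate_for_mac(cpm_config):
    """Return (effective_mac_config, findings) for a CPM scan configuration.

    effective_mac_config keeps only the settings the Mac client will honour;
    findings lists, in plain words, what was dropped or left unchanged and why.
    """
    effective = {}
    findings = []

    for key, value in cpm_config.items():
        if key in IGNORED_ON_MAC:
            findings.append(f"{IGNORED_ON_MAC[key]}: ignored on Mac")
        elif key == "spyware_grayware":
            # Table 1: Spyware/Grayware actions are consolidated under Virus/Malware.
            findings.append("Spyware/Grayware options: ignored; Virus/Malware settings used")
        elif key == "files_to_scan_extensions":
            # Table 1: Windows filters by extension, Mac takes lists of file names.
            findings.append("Files to Scan: extension filter not used; Mac takes file-name lists")
        elif key == "virus_type_actions":
            # Table 1: per-virus-type actions fall back to the defaults.
            findings.append("Specific action for virus type: defaults (Clean/Quarantine) used")
        else:
            effective[key] = value

    action = cpm_config.get("scan_action")
    if isinstance(action, dict) and action.get("mode") == "custom":
        first, second = action.get("first"), action.get("second")
        if first not in MAC_FIRST_ACTIONS:
            # Guide: an unsupported first action (e.g. "Rename") means the generated
            # Action is not applied and the client's original value is retained.
            effective.pop("scan_action", None)
            findings.append(
                f"First action {first!r} unsupported on Mac; Action not applied, original value retained"
            )
        elif second is not None and second not in MAC_SECOND_ACTIONS:
            # Assumption of this example (not stated in the guide): treated the
            # same way as an unsupported first action.
            effective.pop("scan_action", None)
            findings.append(f"Second action {second!r} unsupported on Mac; Action not applied (assumed)")

    return effective, findings


# Constructed sample: a Windows-oriented CPM policy an administrator might reuse.
SAMPLE_CPM_CONFIG = {
    "malware_scan_enabled": True,
    "scan_compressed": True,
    "scan_compressed_max_layers": 3,
    "enable_intellitrap": True,
    "spyware_grayware": {"action": "Clean"},
    "scan_action": {"mode": "custom", "first": "Rename", "second": "Quarantine"},
}

if __name__ == "__main__":
    effective, findings = translate_for_mac(SAMPLE_CPM_CONFIG)
    print("Effective on Mac:", effective)
    for line in findings:
        print(" -", line)
```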
Pattern Update and Rollback Wizard
After the wizard upgrades the server components, it shows any pattern sets downloaded with the earlier CPM 1.5 or 1.6 AU server components and the new CPM 2.0 AU server components. The rollback feature is supported only by CPM.
- After you subscribe to the CPM for Mac site and upgrade the Server Components to the AU 2.0 plug-in architecture, the successive pattern sets downloaded show the Virus Scan Engine for Mac components.
- Earlier pattern sets downloaded with the CPM 1.5 or 1.6 AU server will still exist.
- Rollback capability for old and new pattern sets is restricted to CPM clients for Windows by applicability relevance.
- CPM 1.5 pattern sets are not applicable to CPM for Mac clients and are restricted in the applicability relevance.
- Unsubscribing from the CPM for Mac site does not automatically remove the Virus Scan Engine for Mac from the pattern updates. If this occurs, remove the CPM 2.0 AU server components and reinstall the CPM 1.5 or 1.6 AU server components.
Pattern Update Settings Wizard
After you upgrade the server components and download a new 2.0 pattern set, the setting to enable or disable updating of the Virus Scan Engine for Mac displays.
- After you subscribe to the CPM for Mac site and upgrade the Server Components to the AU 2.0 plug-in architecture, the successive pattern set downloaded shows the Virus Scan Engine for Mac components.
- After you download new pattern sets with the Virus Scan Engine for Mac, this new component appears so that you can enable or disable its update.
- Unsubscribing from the CPM for Mac site removes this setting.
CPM for Mac Components
As a module running on IBM BigFix, CPM for Mac provides a powerful, scalable, and easy-to-manage security solution for large enterprises. This integrated system consists of the following components:
BigFix Console
The IBM BigFix Console provides a system-wide view of all the computers in your network, so that vulnerabilities and threats can be quickly addressed. Use the Console to quickly distribute fixes to computers that need them without impacting other computers on your network. In large deployments the Console is often hosted from Terminal Servers.
BigFix Server
The IBM BigFix Server offers a collection of interacting services, including application services, a web server, and a database server. It coordinates the flow of information to and from individual computers, and stores the results in the BigFix database. Server components operate in the background, without any direct intervention from the administrator. The Server includes a built-in Web Reporting module to allow authorized users to connect through a web browser to view information about endpoints, vulnerabilities, actions, and more. BigFix supports multiple servers, adding a robust redundancy to the system.
BigFix Relays
IBM BigFix Relays increase the efficiency of the system. Instead of forcing each networked computer to directly access the BigFix Server, Relays spread the load. Hundreds to thousands of BigFix Agents can point to a single relay for downloads. In turn, the Relay subsequently makes only one request of the Server. Relays can connect to other relays, further increasing efficiency. A BigFix Relay does not need to be a dedicated computer. A relay can be any computer that has the BigFix Agent installed.
As soon as you install a Relay, the BigFix Agents on your network can automatically discover and connect with it.
CPM Client Components
CPM for Mac client components manage pattern files, conducting scans, and removing any malware that they detect. These components run undetected by device holders and use minimal system resources. You must install a CPM for Mac client on each endpoint that you want to protect. If these endpoints do not already have the BigFix Agent installed, install it before you proceed.
Smart Protection Network
Trend Micro Smart Protection Network™ is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that uses malware prevention signatures that are stored in the cloud. This solution uses file, email, and web reputation technology to detect security risks. The technology works by offloading many malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Servers or Trend Micro Smart Protection Network. Using this approach, the system and network impact of the ever-increasing volume of signature updates to endpoints is reduced.
Smart Protection Server
Trend Micro Smart Protection Servers allow corporate customers to tailor Smart Protection Network use within their corporate IT infrastructure for the best privacy, response time, and customized File and Web Reputation Services. You can monitor the Smart Protection Server using a customized dashboard along with email and SNMP alert notifications. These features facilitate a seamless integration with a customer’s IT operation infrastructure.
Smart Protection Relay (SPR)
Based on an elegant and efficient architecture, Trend Micro Smart Protection Relay is a light-weight connection between Smart Protection Server and the Smart Protection clients that takes deployment flexibility to the next level. For corporations and organizations that usually have slow and expensive links across their organizations, Smart Protection Relay concentrates, throttles, and significantly reduces the required bandwidth between the Smart Protection Clients and Smart Protection Servers. With its small footprint, flexibility of deployment, and minimized management requirements, Smart Protection Relay is the best fit for most subsidiary or remote branch offices with lower cross-site bandwidth and limited onsite IT resources.
Features and Benefits
CPM for Mac reduces business risks by preventing infection, identity theft, data loss, network downtime, lost productivity, and compliance violations. Additionally, it provides your large enterprise with a number of features and benefits.
Ease of Management
- Uses small, state-of-the-art pattern files and enhanced log aggregation for faster, more efficient updates and reduced network use.
- Supports native 64-bit and 32-bit processing for optimized performance.
- Integrates with the IBM BigFix Console to provide centralized security, including the centralized deployment of security policies, pattern files, and software updates on all protected clients and servers.
Superior Malware Protection
- Delivers powerful protection against viruses, Trojans, worms, and new variants as they emerge.
- Protects against a wide variety of spyware/grayware, including adware, dialers, joke programs, remote-access tools, key loggers, and password-cracking applications.
- Detects and removes active and hidden rootkits.
- Cleans endpoints of malware, including processes and registry entries that are hidden or locked.
Web Reputation Technology
The CPM for Mac Web Reputation technology proactively protects client computers within or outside the corporate network from malicious and potentially dangerous websites. Web Reputation breaks the infection chain and prevents the downloading of malicious code.
In addition to file-based scanning, CPM for Mac now includes the capability to detect and block web-based security risks, including phishing attacks. Use the IBM BigFix location awareness features to have CPM for Mac enforce different web reputation policies according to the client computer's location. The client's connection status with the BigFix Server or any BigFix Relay can be used to determine the location of the client.
- Web Reputation opens a blocking page whenever access to a malicious site is detected. The page includes links to the Trend Micro Web Reputation Query system, where users can find details about the blocked URL or send feedback to Trend Micro.
- Proxy server authentication for Web Reputation is also supported. You can specify a set of proxy authentication credentials on the web console. HTTP proxy servers are supported.
Trend Micro Pattern Files and Scan Engine
You can configure all Trend Micro products, including CPM for Mac, to automatically check the Trend Micro ActiveUpdate (TMAU) server, and then download and install any updates that are found. This process is typically configured to occur in the background, although you can manually update some or all of the pattern files at any time. In addition, pre-release patterns are available for manual download (at your own risk) if a situation such as a virus outbreak occurs.
Pre-release patterns have not undergone full testing but are available to stop burgeoning threats.
You can manually download the virus pattern and other files from the following URL, where you can also check the current release version and date, and review the new virus definitions included in the files:
http://www.trendmicro.com/download/pattern.asp
Incremental Virus Pattern File Updates
CPM for Mac, with Trend Micro ActiveUpdate, supports incremental updates of the virus pattern file. Rather than download the entire pattern file each time, ActiveUpdate can download only the portion of the file that is new and append it to the existing pattern file. (Full pattern files can be over 20 MB.)
How Scanning Works
The scan engine works together with the virus pattern file to complete the first level of detection, through a process called pattern matching. Every virus contains a unique binary "signature": a string of identifying characters that distinguishes it from any other code. The virus experts at TrendLabs capture snippets of this code to include in the pattern file. The engine then compares certain parts of each scanned file to the data in the virus pattern file, looking for a match.
Pattern files use the following naming format: lpt$vpn.### where ### represents the pattern version (for example, 400).
If multiple pattern files exist in the same directory only the one with the highest number is used. Trend Micro publishes new virus pattern files regularly (typically several times a week), and recommends configuring hourly automatic updates.
With automatic updates enabled, new updates are downloaded to the server and flow to the endpoints immediately. Updates are available to all Trend Micro customers that have valid maintenance contracts.
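An added example (not IBM's or Trend Micro's code) that applies the naming rule above: from the files present in a pattern directory it works out the version the client would use, then compares each endpoint against the server so that agents with outdated protection stand out, which is the situation this guide says BigFix is meant to surface. The directory listings are constructed sample data; matching the name case-insensitively is this example's assumption.

```python
import re

# Guide: pattern files are named lpt$vpn.### where ### is the pattern version
# (for example 400); when several exist in one directory, only the highest
# number is used. Case-insensitive matching is this example's assumption
# (Mac volumes are commonly case-insensitive); any other name shape is ignored.
PATTERN_NAME = re.compile(r"^lpt\$vpn\.(\d+)$", re.IGNORECASE)


def active_pattern_version(filenames):
    """Return the pattern version the client would use, or None if none is present."""
    versions = []
    for name in filenames:
        match = PATTERN_NAME.match(name)
        if match:
            versions.append(int(match.group(1)))
    return max(versions) if versions else None


def pattern_status(server_files, endpoint_files, max_lag=0):
    """Compare every endpoint's active pattern with the server's.

    Returns a dict endpoint -> (active_version, lag) containing only the
    endpoints that have no pattern at all (both values None) or that are more
    than max_lag versions behind the server's active pattern.
    """
    server_version = active_pattern_version(server_files)
    if server_version is None:
        raise ValueError("server has no usable pattern file")
    report = {}
    for endpoint, files in endpoint_files.items():
        version = active_pattern_version(files)
        if version is None:
            report[endpoint] = (None, None)
        elif server_version - version > max_lag:
            report[endpoint] = (version, server_version - version)
    return report


# Constructed sample listings (not captured from a real deployment).
# "lpt$vpn.412.download" does not match the naming rule and is ignored.
SERVER_DIR = ["lpt$vpn.411", "lpt$vpn.412", "lpt$vpn.412.download", "readme.txt"]
ENDPOINT_DIRS = {
    "mac-01": ["lpt$vpn.412"],
    "mac-02": ["lpt$vpn.398", "lpt$vpn.400"],   # stale; 400 is the active one
    "mac-03": ["LPT$VPN.411"],                  # one behind; tolerated with max_lag=1
    "mac-04": [],                               # no pattern file at all
}

if __name__ == "__main__":
    for endpoint, (version, lag) in pattern_status(SERVER_DIR, ENDPOINT_DIRS, max_lag=1).items():
        print(f"{endpoint}: active={version} lag={lag}")
```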
The Trend Micro Scan Engine and Detection Technologies
At the heart of all Trend Micro products lies a scan engine. Originally developed in response to early file-based computer viruses, the scan engine now detects Internet worms, mass-mailers, Trojan horse threats, phish sites, spyware, and network exploits, in addition to viruses. The scan engine checks for actively circulating threats "in the wild," and for those "in the zoo." A "zoo" is a collection of viruses used for testing by researchers in a virus laboratory. A virus "in the wild" has caused an infection outside of a virus laboratory.
Rather than scanning every byte of every file, the engine and pattern file work together to identify tell-tale virus characteristics and the exact location within a file where the malicious code inserts itself. CPM for Mac can usually remove this virus or malware upon detection and restore the integrity of the file ("clean" the file).
Scan Engine Updates
By storing the most time-sensitive virus and malware information in pattern files, Trend Micro minimizes the number of scan engine updates required, while keeping protection up-to-date. Nevertheless, Trend Micro periodically makes new scan engine versions available. Trend Micro releases new engines under the following circumstances:
- Incorporation of new scanning and detection technologies into the software.
- Discovery of new, potentially harmful malware unhandled by the current engine.
- Enhancement of the scanning performance.
- Addition of file formats, scripting languages, encoding, and compression formats.
Chapter 2. Working With the IBM BigFix Server
This section covers installing the Core Protection Module for Mac server components on the IBM BigFix Server, updating related files, and preparing endpoints to receive the BigFix Client.
The IBM BigFix Server
Before you begin these procedures, install the IBM BigFix Server, Console, and Agents. If you log in to the BigFix Server by using an administrator account, you can use NT Authentication instead of entering a password. A user name and password are required if you are running the BigFix Console remotely.
Open the BigFix Console
Note: This procedure describes one method for opening the BigFix Console. There are several, such as the shortcut on your desktop. Use the one that is most convenient for you. "Endpoint Security Platform," and its acronym, "ESP," are Trend Micro terms for IBM BigFix and its components. As a convenience to readers more familiar with IBM terminology, this document uses BigFix throughout: for example, BigFix Server rather than Endpoint Security Platform Server, BigFix Agent rather than ESP Agent, and BigFix Console rather than ESP Console.
1. To open the Console:
   - Windows XP, Server 2003, Vista, Server 2008, Windows 7, POSReady 2009, and POSReady 7: On the Windows desktop, click Windows Start, then Programs > Trend Micro Endpoint Security Platform > ESP Console.
   - Windows 8 and Server 2012: On the Windows desktop, click Windows Start, then click the ESP Console shortcut.
   Note: Switch to desktop mode to view the console.
2. Connect to the BigFix Server database by entering the user name that you created when you installed the BigFix Server. If you installed the evaluation version, type "EvaluationUser" for the user name.
3. Click OK to open the BigFix Console.
Add CPM for Mac to the IBM BigFix Server
Install Trend Micro Core Protection Module for Mac by adding its site masthead to the list of managed sites in the IBM BigFix Console. If you do not have the Core Protection Module for Mac and Reporting mastheads, contact your Trend Micro sales representative to obtain them.
CPM for Mac includes a Web Reputation component that replaces the stand-alone version. CPM for Mac allows for the migration of any pre-existing WPM Blocked and Approved Lists.
Note: If you are a current Web Protection Module (WPM) customer, remove any installed clients and then the WPM site before you install CPM for Mac.
Before you add the CPM for Mac site make sure that the BigFix Server has an active Internet connection so it can connect to the source of the masthead files. If the BigFix Server cannot connect to the Internet, the request will remain pending until a connection can be made.
1. From any computer with the IBM BigFix Console installed, locate and double-click the masthead file to automatically add its site. Alternatively, in the BigFix Console menu, click Tools > Add External Site Masthead.
2. In the Add Site window that opens, locate the masthead file, or files, that you received from your Trend Micro Sales Representative. The following mastheads are available (file names are shown here):
   - Trend Micro Core Protection Module.efxm
   - Trend Reporting.efxm
   - Trend Common Firewall.efxm (optional)
   If you are already a CPM user, simply add CPM for Mac and Trend Micro Mac Protection Module.efxm.
3. The masthead files that you selected are shown in the Manage Site window. Click Gather All Sites, and then OK.
4. At the prompt, type your private key password and click OK.
The BigFix Server begins gathering the files and content associated with the mastheads that you added, and installs them.
Install CPM Components on the Server
After you add the mastheads to the BigFix Server, open the BigFix Console and update the CPM Server with the required components. You must have at least one relevant computer. In this case, the BigFix Server you just added the CPM masthead to should be relevant. If it is not, resolve this issue before you begin. For example, check that the server has a BigFix Agent installed or that the CPM components are not already updated on the server.
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. Click Deployment > Upgrade > Upgrade CPM Server.
3. Below Actions, click the hyperlink to open the Take Action window.
4. Select Specify computers selected in the list below. In the Applicable Computers list, the BigFix Server that is updating the CPM for Mac components appears as the only relevant computer.
5. Click OK.
6. At the prompt, type your private key password and click OK. A status summary page opens when the Task is finished.
7. Close any open windows to return to the Dashboard view.
Update Pattern Files on the Server
It is critically important to keep the IBM BigFix Server, Relays, and all CPM for Mac clients up-to-date with the current pattern and engine files from Trend Micro. CPM for Mac uses pattern files to identify viruses, spyware, and other malware threats (see Appendix C, “Appendix C: Understanding Security Risks,” on page 81 for the complete list).
Not all patterns are updated every day. However, when a new threat is released and hackers are writing hundreds of variations in an attempt to avoid detection, one or all of the patterns can be updated often over the course of a day or week.
Trend Micro recommends that you update the virus pattern file on the BigFix Server immediately after you install CPM for Mac, and then set the task to repeat hourly. The same is true for CPM for Mac clients.
Choose an Update Source
By default, CPM is configured to use the Trend Micro ActiveUpdate (AU) server for pattern updates. You can use an intranet source, for example, by manually downloading the pattern files to an internal computer and then pointing the BigFix Server to that source. However, Trend Micro recommends that you use the AU server, the only official source for pattern updates. With CPM for Mac, AU provides several layers of authentication and security to prevent the use of forged or unsupported patterns.
Configure the CPM for Mac server to frequently contact the AU server to check for and download pattern and component updates. If there is a proxy server between the BigFix Server and the Internet, you need to identify it and provide any required logon credentials. The proxy server that you identify here is not "inherited" for use by other CPM for Mac components. This includes the client settings for Web Reputation, which is a separate configuration. Likewise, if you configured a proxy to enable the BESGather service (typically identified during installation), those settings will not be inherited for pattern updates, even if the same proxy is used.
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Configuration > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard. The Server Settings Wizard opens.
3. Under Source, choose Trend Micro’s ActiveUpdate Server. See “Active Update Server Settings Wizard” on page 39 for information about the configuration choices available.
4. Under Proxy, click Use a proxy server for pattern and engine updates and provide the following information. There is no validation checking, so ensure that you provide the correct settings.
   Proxy Protocol: Choose the option that reflects your proxy server.
   Server Name or IP: Use an IP address if you have not configured the BigFix Server to recognize host names.
   Port: Typically port 80 or 8080.
   User Name: Type a name with access rights to the proxy.
   Password: The password is encrypted when stored and transmitted.
5. Click Create Server Configuration Action.... The Take Action screen opens.
6. Select the BigFix server and click OK.
7. At the prompt, type your private key password and click OK.
8. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed".
Prepare the IBM BigFix Server and Update the Pattern Files
This procedure requires that you run a script to prepare the BigFix Server for recurring automatic pattern updates, which are then used for CPM for Mac client updates. Use Automatic Updates to deliver and apply pattern file updates to your endpoints whenever new patterns are made available by Trend Micro.
Note: An endpoint’s automatic update flag is set after CPM for Mac deploys. When the flag is set, the Apply Automatic Updates policy action (configured in Step 3) will become relevant whenever new pattern files are made available by the policy action that was configured in Step 2. Only endpoints with the flag set will automatically apply pattern file updates.
1. Run the CPM Automatic Update Setup Script.
   Download and run the CPM automatic update setup script on your server. You need the deployment site administrator credentials and password. You cannot create a new console operator account without these credentials. Use the operator account to send a manifest of the latest available pattern file versions to your endpoints whenever new patterns are downloaded from Trend Micro.
   Note: The following items require a pre-installation of the CPM Automatic Update Setup Script on the server that hosts IBM BigFix and CPM. Download and install the latest script, using an administrator account, from Endpoint Protection > Core Protection Module > Updates and select Core Protection Module - Download CPMAutoUpdateSetup Script in the upper right pane. Or, download the script from: http://esp-download.trendmicro.com/download/cpm/CPMAutoUpdateSetup2_1.0.8.0.exe
   Note the following recommendations for the Automatic Update Setup Script:
   - Do not give the operator account administrative rights on any endpoints.
   - Do not change the default values supplied by the script.
   - Enable automatic updates on the server to make the latest pattern versions available to endpoints.
   - Run the script before you proceed to the next steps. The script automatically sets a flag on the server. After the flag is set, the Set ActiveUpdate Server Pattern Update Interval policy action that is configured in Step 2 will send a manifest of the latest available pattern updates to CPM endpoints.
   - If you want to prevent endpoints from updating pattern files, use the Disable Automatic Updates - Server Task.
2. Issue a "Set ActiveUpdate Server Pattern Update Interval" Task.
   Note: The setup process of automatic updates will not download a new pattern set. That action is still managed by the Set ActiveUpdate Server Pattern Update Interval task. A policy action of that task might exist and the most recent pattern set might have been downloaded before the automatic updates setup procedure. In that situation, a new pattern set will not be available for automatic updates until the next set is downloaded from the Trend ActiveUpdate Server.
   The caching behavior of the Trend CPM Server component downloads only new content from the Trend ActiveUpdate Server. To start an immediate download of the latest pattern set to use in automatic updates:
   a. Clear the CPM Server Component download cache: delete the contents of the folder C:\Program Files\Trend Micro\Core Protection Module Server\download.
   b. Configure a periodic policy action and deploy the action from the task Core Protection Module - Set ActiveUpdate Server Pattern Update Interval.
3. Issue an "Apply Automatic Updates" Task.
   This policy action monitors the latest pattern file versions and applies them to endpoints with automatic updates enabled. Target this action at all computers and set the following parameters:
   - Reapply whenever relevant.
   - Reapply an unlimited number of times.
   - Set to never expire.
   - Try again up to 99 times on failure.
Connect IBM BigFix to SPS
If you choose to use Web Reputation Services for CPM for Mac endpoints, Smart Protection Servers (SPS) must install the IBM BigFix Agent to allow the BigFix Server to connect with the Smart Protection Servers. Once connected, the BigFix Server can monitor the status of Smart Protection Servers.
Install the BigFix Agent using the BigFix Deployment tool.
1. Log on to SPS servers using the root account.
2. Run the script file /usr/tmcss/bin/patchcpm.sh on SPS servers.
3. Download *NIX Client Deploy and follow the installation instructions in the following link to deploy the BigFix Agent in SPS servers: http://support.bigfix.com/labs/Unix_Client_Deploy_Tool.html
Note: After running patchcpm.sh, the Summary screen displays only the Real-time Status widget data. None of the other widgets display any data. Disabling the widgets improves SPS performance.
Activate Core Protection Module for Mac Analysis
Core Protection Module for Mac includes a number of analyses that are used to collect statistics from target computers. Analysis data is used to display information, typically in reports, about endpoint scan and configuration settings, server settings, spyware, and virus events. Analyses must be activated before they can be used.
1. From the IBM BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Analyses > CPM for Mac Endpoints > [analysis name]. The Analysis Description tab opens.
3. Below the description, click the hyperlink to activate the analysis.
4. At the prompt, type your private key password and click OK.
Shortcut: Activate All CPM for Mac Analyses
You can activate all CPM for Mac analyses at the same time, avoiding the need to repeatedly type your private key password and click OK. You can activate the CPM for Mac client analyses at any time, before or after the CPM for Mac clients are deployed.
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Analyses.
3. Click the Name column header to sort the analyses in alphabetical order, then scroll down the list and select all the Core Protection Module for Mac analyses.
4. Right-click the list that you selected. In the menu that opens, click Activate.
5. At the prompt, type your private key password and click OK.
CPM activates all the Analyses.
Remove CPM Server Components
Use the Remove Server Components Task to uninstall CPM server components from the IBM BigFix Server (seldom used).
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Deployment > Uninstall.
3. From the list in the upper right pane, select Core Protection Module - Remove Server Components. A screen that shows the Task Description tab opens.
4. Below Actions, click the hyperlink to open the Take Action window.
5. Select the CPM server and click OK.
6. At the prompt, type your private key password and click OK.
The BigFix Server initiates the removal.
Remove the Core Protection Module for Mac Site
Remove the Core Protection Module for Mac site, the Trend Reporting site, or both, from the BigFix Console by deleting the mastheads from the list of managed sites.
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to All Endpoint Protection > Sites > External Sites.
3. Select the Trend Micro Core Protection Module for Mac site to be removed.
4. In the right pane, click X Remove and then OK.
5. At the prompt, type your private key password and click OK.
BigFix removes the CPM for Mac masthead.
Chapter 3. Working with CPM for Mac Clients
Install, update, deploy, and remove clients. Update pattern files. Remove incompatible and conflicting programs.
Client Installation and Updates
There are various ways to handle the deployment of CPM for Mac clients to your endpoints. You will need to determine the one that works best for you and your organization. Best practices suggest that you start incrementally: deploying, then configuring a few clients, and then gradually proceeding until CPM for Mac clients are installed on all your endpoints.
The Tasks created by the procedures below can be deployed only to relevant computers. In the IBM BigFix environment, relevance is determined by a "relevance statement" that defines certain conditions that the computer must meet. The number of relevant computers is indicated after the Task name. Computers running a BigFix Agent can receive relevance statements. When they do, they perform a self-evaluation to determine whether they are included in the criteria. Relevant computers then complete whatever Action is specified.
When you target more than a few computers at the same time, Trend Micro suggests that you target endpoints by property rather than by list. Targeting by property does not require a relevant computer status and allows for the use of logic such as: "Install on all iMac computers, in California, that are part of the User group."
CPM for Mac Console and Client System Requirements
For information about IBM BigFix Server and IBM BigFix Console requirements, see the Trend Micro Endpoint Security Platform Administrator’s Guide.
Supported operating systems:
- Mac OS 10.5.x ~ 10.8.x
- Mac OS X 10.9
- Mac OS X 10.10
- Mac OS X 10.11
CPM for Mac supports migrations from:
- CPM for Mac 1.x client
Incompatible or Conflicting Programs
For a complete list of incompatible or conflicting programs, see “Conflicting or Incompatible Programs” on page 24. Here is a short list of software that must be removed from the endpoints before you deploy the CPM for Mac client:
- Trend Micro Smart Surfing for Mac and Trend Micro Security for Macintosh.
- AntiVirus software for Mac, including Symantec AntiVirus, McAfee VirusScan, Sophos Antivirus, and Intego VirusBarrier.
Client Deployment
The client deployment process consists of several procedures. To successfully deploy the CPM for Mac client:
1. Identify ineligible endpoints.
2. Identify conflicting products.
3. Remove conflicting products.
4. Deploy CPM for Mac clients.
Identify Ineligible Endpoints
The CPM for Mac client supports most operating systems and typically does not require system resources that exceed those required by the host operating system. However, some factors can preclude otherwise eligible endpoints from receiving the CPM for Mac client. Before installing the client, use these procedures to identify which of your endpoints, if any, require modification. Do this before you remove any existing security products to ensure a continuation of your endpoint security.
1. From the IBM BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Troubleshooting.
3. From the list on the right pane, select Core Protection Module - Ineligible for Install - Insufficient Hardware Resources. The Fixlet Description opens.
4. Click the Applicable Computers tab. A list appears with the endpoints with insufficient hardware resources.
5. Below Actions, click the hyperlink if you want to connect to the Support web page for more information.
6. Repeat steps 1-3 for any Tasks that pertain to endpoint readiness (for example, Troubleshooting > Core Protection Module - Ineligible for Install - Insufficient Software Resources).
Identify Conflicting Products
Before you deploy the CPM for Mac client to your endpoints, uninstall any programs that conflict with the CPM for Mac functions. For more information see “Conflicting or Incompatible Programs” on page 24.
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Troubleshooting.
3. From the list on the right pane, select Core Protection Module - Ineligible for Install - Removal of Conflicting Products Required. The Fixlet Description opens.
4. Click the Applicable Computers tab. A list of endpoints running conflicting software appears.
5. Below Actions, click the hyperlink if you want to connect to the Support web page for more information.
Remove Conflicting Products
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Deployment > Uninstall > [product name]. The Fixlet Description tab opens, showing a list of the endpoints currently running the program.
Note: Alternatively, you can click All Content and then go to Fixlets and Tasks > All > By Site > Trend Micro Core Protection Module. In the list of Fixlets that appears in the right window pane, select Core Protection Module - Uninstall [product name] by double-clicking it.
3. Below Actions, click the hyperlink to open the Take Action window.
4. In the Target tab, a list of the endpoints that are running the selected program appears. Click Applicable Computers to choose all relevant computers. In addition, you might also want to configure other options:
Execution
Set the deployment time and retry behavior.
Users
This option works in combination with Target, which is linked by the AND operand (both conditions must be present for the installation to occur).
Messages
Configure these options to passively notify the user that the uninstall is going to occur, to obtain consent, or to ask users to stop using their computer while the installation occurs.
Offer
Configure these options if you want the user to be able to choose whether the program is removed. A message displays on the target endpoints (requires that the client is enabled for offers).
5. Click OK.
6. At the prompt, type your private key password and click OK.
7. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed".
Deploy CPM for Mac Clients to the Endpoints
Use the Core Protection Module for Mac Endpoint Deploy Task to deploy CPM for Mac to all computers that you want to secure against viruses and spyware. The CPM for Mac client package is about 40 MB, and each endpoint is directed to download the file from the BigFix Server or Relay.
If you target endpoints using properties rather than by computer (the recommended behavior), any endpoint that later joins the network will automatically receive the CPM for Mac client.
Installation takes about 10 minutes, and the CPM for Mac client can be installed with or without the target user’s consent. Installation does not typically require a restart. In addition, the client will be briefly disconnected from the network.
Note: Before you deploy the CPM for Mac client, be sure that your targeted endpoints are not running a conflicting product (see “Conflicting or Incompatible Programs” on page 24) and that they meet the hardware and software requirements described in “Client Installation and Updates” on page 17.
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Deployment > Install.
3. Note the number of eligible clients in the parentheses after Install.
4. From the list on the right pane, select Core Protection Module for Mac - Endpoint Deploy. A screen displaying the Task Description tab appears.
5. Below Actions, click the hyperlink to open the Take Action window. In the Target tab that opens, a list of eligible endpoints appears. The default behavior is to install the CPM for Mac client on every relevant endpoint, whether anyone is logged on, or present, or not.
6. Use the following deployment options if you want to change the target:
Target
Click All computers with the property values selected in the tree list below and choose a property that includes all the computers that you want to deploy this Action to.
Execution
Set the deployment time and any retry behavior.
Users
This option works in combination with Target, which is linked by the AND operand (both conditions must be present for the installation to occur).
Messages
Configure these options to passively notify the user that the Action is going to occur, or to ask users to stop using their computer while the Action occurs.
Offer
Configure these options if you want the user to be able to choose whether the Action is completed. A message is displayed on the target endpoints (requires that the client is enabled for offers).
7. At the prompt, type your private key password and click OK.
8. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Pattern File and Engine Updates
It is important to keep your CPM for Mac clients current with the latest pattern and engine files from Trend Micro. The update process can be scheduled to occur automatically and is transparent; there is no need to remove the old pattern or install the new one.
Incremental Updates
To reduce network traffic generated by downloading the latest pattern, the Trend Micro ActiveUpdate server includes incremental pattern updates along with the full pattern file. Updates represent the difference between the previous pattern file and the current one. Like the full pattern file, incremental updates download and apply automatically. Incremental updates are available to both the IBM BigFix Server (which typically downloads pattern updates from the ActiveUpdate server), and to CPM for Mac clients that are configured to get their updates from the BigFix Server.
Updates from the Cloud
Clients typically receive their updates from the BigFix Server or Relays, but CPM for Mac also supports client updates from the "cloud", that is, directly from the Trend Micro ActiveUpdate server.
Tip: Trend Micro does not recommend updating clients from the cloud as the default behavior.
Pattern files can exceed 20 MB/client, so frequent, direct client downloads from the ActiveUpdate server are not preferred. Instead, you can use the cloud as a fallback for clients to use whenever they are not able to connect to the BigFix Server.
Updates from the cloud support incremental pattern updates, but cannot be used to update only certain pattern types.
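The update behaviour described in this section and in the "Apply Automatic Updates" step earlier in the guide (a manifest of the latest pattern versions sent to endpoints, incremental versus full downloads, the cloud as a fallback that cannot be limited to particular pattern types, and the action being relevant only to endpoints with automatic updates enabled) as a small planner. This is an added example written for this page, not code from IBM or Trend Micro; the manifest layout, the `incremental_from` field, the version strings and the function names are assumptions.

```python
"""Pattern update planner for a CPM for Mac endpoint (added example; the data
layout and names below are assumptions, not the product's own format)."""
from dataclasses import dataclass, field

UP_TO_DATE = "up-to-date"
INCREMENTAL = "incremental"
FULL = "full"
SOURCE_SERVER = "bigfix-server"        # BigFix Server or Relay: the preferred source
SOURCE_CLOUD = "activeupdate-cloud"    # Trend Micro ActiveUpdate server: fallback only


@dataclass
class PatternEntry:
    """One pattern type in the manifest the server sends to endpoints."""
    latest: str                                          # version of the current full pattern file
    incremental_from: set = field(default_factory=set)   # installed versions a delta can upgrade (assumed field)


@dataclass
class Client:
    """Pattern state of one CPM for Mac endpoint."""
    versions: dict              # pattern type -> installed version
    auto_update: bool = True    # "Enable Automatic Updates - Endpoint" has been applied


# Constructed manifest; the version numbers are made up for the example.
MANIFEST = {
    "virus": PatternEntry("12.345.00", {"12.343.00", "12.344.00"}),
    "spyware": PatternEntry("3.10.00", {"3.9.00"}),
}


def plan_update(client, manifest, server_reachable=True, pattern_types=None):
    """Return {pattern_type: (action, source)} for one endpoint.

    - Nothing is planned while automatic updates are disabled on the endpoint.
    - The BigFix Server is used when reachable; otherwise the cloud is the fallback.
    - A cloud update always covers every pattern type in the manifest, because
      cloud updates cannot be restricted to certain pattern types.
    - A delta is used when one exists for the installed version; otherwise the
      full pattern file is downloaded.
    """
    if not client.auto_update:
        return {}
    source = SOURCE_SERVER if server_reachable else SOURCE_CLOUD
    if source == SOURCE_CLOUD or pattern_types is None:
        wanted = list(manifest)
    else:
        wanted = [t for t in pattern_types if t in manifest]
    plan = {}
    for ptype in wanted:
        entry = manifest[ptype]
        installed = client.versions.get(ptype)
        if installed == entry.latest:
            plan[ptype] = (UP_TO_DATE, None)
        elif installed in entry.incremental_from:
            plan[ptype] = (INCREMENTAL, source)
        else:
            plan[ptype] = (FULL, source)
    return plan


def relevant_for_apply_automatic_updates(client, manifest):
    """The Apply Automatic Updates action is relevant only to an endpoint that has
    automatic updates enabled and at least one pattern type behind the manifest."""
    plan = plan_update(client, manifest)
    return any(action != UP_TO_DATE for action, _ in plan.values())


if __name__ == "__main__":
    current = Client({"virus": "12.344.00", "spyware": "3.10.00"})
    print(plan_update(current, MANIFEST))
    # {'virus': ('incremental', 'bigfix-server'), 'spyware': ('up-to-date', None)}
    stale = Client({"virus": "12.300.00", "spyware": "3.9.00"})
    print(plan_update(stale, MANIFEST, server_reachable=False, pattern_types=["virus"]))
    # {'virus': ('full', 'activeupdate-cloud'), 'spyware': ('incremental', 'activeupdate-cloud')}
```

The second call shows the two cloud rules together: the request asked for the virus pattern only, but because the server was unreachable the fallback plan covers every pattern type, and the virus pattern falls back to a full download because no delta exists from the installed version.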
Update Pattern Files on CPM for Mac Clients
Before you perform the client update procedures, be sure to update the pattern files on the CPM Server and enable that server to perform automatic updates. For details, see “Pattern File Management” on page 75.
Trend Micro recommends that you perform the first full pattern-file update on a few CPM for Mac clients and then repeat the procedure on a broader scale as you become more familiar with the procedure.
In summary:
1. Enable automatic pattern file updates for CPM for Mac clients.
2. Schedule and apply automatic pattern file updates.
3. Manually update CPM for Mac clients with the latest pattern files.
Note: Automatic updates are enabled by default.
Enable Automatic Updates for CPM for Mac Clients
1. From the IBM BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Updates > Automatic Update Tasks.
3. Select Core Protection Module - Enable Automatic Updates - Endpoint from the list on the right. The Fixlet Description tab opens.
4. Below Actions, click the hyperlink to open the Take Action window.
5. On the Target tab, choose All computers with the property values selected in the tree list below.
6. Choose a property that includes all the computers that you want to deploy this Action to and click OK.
7. At the prompt, type your private key password and click OK.
8. In the Action | Summary window that opens, monitor the "Status" and confirm that it is "Fixed."
Schedule and Apply Automatic Pattern File Updates
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Updates > Automatic Update Tasks.
3. From the list on the right, select Core Protection Module - Apply Automatic Updates. A screen displaying the Task Description tab opens.
4. Below Actions, click the hyperlink to open the Take Action window.
5. Click the Execution tab to display scheduling options:
a. Change Preset as shown by the letter "a" in the figure.
b. Enable Starts on and choose the current date and time (do not set Ends on).
c. Enable On failure, retry 99 times (default setting).
d. Choose to Wait 15 minutes between attempts (default setting).
e. Enable Reapply this action... whenever it becomes relevant again (default setting).
6. On the Target tab, choose All computers with the property values selected in the tree list below and then select All Computers.
Note: It is important to target All Computers for this action; only endpoints that have the CPM for Mac client installed and automatic updates enabled will be relevant.
7. Click OK.
8. At the prompt, type your private key password and click OK.
9. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Manually Update CPM for Mac Clients with the Latest Patterns
1. From the BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper left navigation pane, go to Core Protection Module > Updates > Updates/Rollback Patterns > Create Pattern Update/Rollback Task. The Pattern Updates Wizard opens.
3. In the list of folders that displays, click the ">" icon next to the most recent folder to expand it and display individual patterns, as shown in the following figure.
Note: If you recently updated the pattern file for the first time, only one folder will be available.
4. Click Deploy across from the folder. In the window that opens, choose:
Deploy a one time action
Opens the Take Action window. Select the computers that you want to apply this one-time Action to. Any computers included in the Target that are not relevant for the Action at the time of deployment will respond with a "not relevant" statement. Click OK.
Create an update Fixlet
Opens the Edit Fixlet Message window. Configure a Fixlet that will deploy the Action whenever the selected clients become relevant. When finished, click OK and in the window that opens, click the hyperlink that appears below Actions to open the Take Action window.
5. In the Target tab that opens, click All computers with the property values selected in the tree list. Choose a property that includes all the computers that you want to deploy this Action to.
Execution
Set the time and any retry behavior for the update.
Users
This option works in combination with Target, which is linked by the AND operand (both conditions must be present for the installation to occur).
6. After you select the computers to update, click OK.
7. At the prompt, type your private key password and click OK.
8. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Remove CPM for Mac Clients
To uninstall CPM for Mac from the IBM BigFix Server, you first remove all the CPM for Mac clients deployed to the endpoints, then remove the CPM for Mac server components from the server, including any mastheads. You can do the former by running the Endpoint Uninstall Task.
1. From the BigFix Console, click Endpoint Protection on the bottom left pane.
2. From the upper left navigation pane, go to Core Protection Module > Deployment > Uninstall.
3. From the list on the right, select Core Protection Module for Mac - Endpoint Uninstall. A screen displaying the Task Description tab appears.
4. Below Actions, click the hyperlink to open the Take Action window.
5. Select the computers you want to target and click OK.
6. At the prompt, type your private key password and click OK. The uninstall sequence begins.
7. In the screen that appears, click the Reported Computers tab to follow the status of the Action.
It usually takes a few minutes for targeted computers to report back their Action status.
Conflicting or Incompatible Programs
Remove the following programs before you deploy CPM for Mac to the endpoints.
Spyware, Virus, and Malware Programs:
- Norton AntiVirus 11 (or later) for Mac
- Norton Internet Security 4 (or later) for Mac
- Intego VirusBarrier X4 (or later)
- Intego NetBarrier X4 (or later)
- Sophos Anti-Virus for Mac OS X 7.1.1 (or later)
- avast! Mac Edition 2.7.4 (or later)
- Kaspersky 7.0 beta (or later)
- MacScan 2.6 (or later)
- McAfee VirusScan for Mac 8.6 (or later)
- PCTools iAntivirus 1.36 (or later)
- ClamXav 1.1.1 with ClamAV 0.95.2 backend (or later)
Trend Micro Software
Remove these programs from the endpoints before you deploy CPM clients to those computers. Use the program’s native uninstaller to remove them.
- Trend Micro Security for Macintosh 1.0 (or later)
- Trend Micro Smart Surfing for Mac 1.0 (or later)
Chapter 4. Working with CPM for Mac
Work with the CPM dashboard and task flows. Configure and run scans, update clients from the cloud. Run a pattern file rollback.
The CPM Dashboard and Menu
Before using the procedures in this chapter, install the IBM BigFix Server, BigFix Console, and at least one BigFix Agent. In addition, install the CPM for Mac server, deploy the CPM for Mac clients, and update their pattern files.
Open the BigFix Console using the shortcut on your desktop, or your preferred method. When prompted, log in as a Master Console Operator.
Tips for Navigating the CPM Console
1. Use one of the following methods to access the CPM Console:
a. All Contents Menu Method
1) Select the All Contents menu item at the bottom left of the BigFix Console window.
2) In the navigation tree, go to Fixlets and Tasks > All > By Site > Trend Micro Core Protection Module.
3) Select tasks by clicking one of the following folders: By Source Severity, By Category, By Source, or By Source Release Date.
b. Endpoint Protection Menu Method
1) Select the Endpoint Protection menu item at the bottom left of the BigFix Console window.
2) In the navigation tree, select Core Protection Module.
3) Click one of the following categories: Overview, Protection Status, Quick Start, Reports, Common Tasks, Deployments, Updates, Configuration, Analyses, or Troubleshooting.
Note: This guide mainly uses the second method.
2. Display the CPM Console Dashboard by clicking the Endpoint Protection menu item, the Core Protection Module folder in the tree, and the Overview subcategory.
3. Click a category, such as Updates.
4. Find any task, including custom tasks, in the upper-right pane. Tasks can be sorted alphabetically by clicking the Name column heading. Click a Task to open it and view its description.
5. Navigate back, forward, refresh the console data, or control how much data displays using the buttons above the navigation tree.
6. When working on a specific task, you can use the buttons above the Description window to Take Action, Edit, Copy, Export, Hide Locally or Globally, and (sometimes) Remove.
7. Target certain computers when the Task is open by clicking one of the sub-tabs that appears: Description (default), Details, Applicable Computers, and Action History.
8. Run the Task by clicking the link that appears below the Action window.
9. Add or remove display columns by right-clicking any column header and then selecting or clearing items in the menu that appears.
10. Bundle configuration settings into a Task, attach it to selected endpoints, and schedule it to run automatically.
11. To configure components:
a. Use Endpoint Protection > Core Protection Module > Configuration > [component to be configured] to make your security and firewall configurations. For example, you can access the tasks for setting up the behavior of client scans.
b. Select the task in the list on the right or click the Create [task name] button.
Note: Windows opened by clicking the create-a-task button can be closed by clicking the X in the upper-right corner.
CPM for Mac Task Flows
In general, start by using the CPM Dashboard to make configuration settings. Then, bundle the settings into a Task, which delivers an Action to targeted computers. Tasks also include a Relevance, which provides an extra layer of logic that can further define eligible targets. All IBM BigFix Agents (on which the CPM client runs) receive Tasks. Each agent makes its own determination whether its host endpoint meets the conditions of the Task, that is, whether the Action is Relevant or not.
- Relevance is determined by checking whether a particular set of conditions is true for a particular endpoint. If all the conditions are true, the endpoint is designated as eligible for whatever Task, Fixlet, or Action did the checking.
- Fixlets are a way of polling endpoints to see whether they are Relevant for an Action. In other words, Fixlets make Actions in a Task possible when conditions are met.
- Fixlets can be grouped into Baselines to create a sequence of Fixlet Actions.
- Offers are a way of obtaining users' consent before you take an action.
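How an agent's self-evaluation of relevance and the choice between targeting by list and by property play out, modelled on this section and on the client deployment material in Chapter 3 (ineligible endpoints, conflicting products, and the note that endpoints joining the network later automatically receive the client when targeted by property). This is an added example, not the product's code: the inventory property names, the sample endpoints and the function names are assumptions, and the relevance conditions are a simplified stand-in for BigFix relevance expressions rather than the relevance language itself.

```python
"""Relevance evaluation and targeting, modelled on the description above
(added example; property keys, fleet data and function names are assumptions)."""
from dataclasses import dataclass, field

# Products the guide lists as conflicting with the CPM for Mac client (short names).
CONFLICTING_PRODUCTS = {
    "Norton AntiVirus", "Norton Internet Security", "Intego VirusBarrier", "Intego NetBarrier",
    "Sophos Anti-Virus", "avast! Mac Edition", "Kaspersky", "MacScan", "McAfee VirusScan",
    "PCTools iAntivirus", "ClamXav", "Trend Micro Security for Macintosh",
    "Trend Micro Smart Surfing for Mac",
}
SUPPORTED_MINOR = range(5, 12)   # Mac OS X 10.5 through 10.11, per the requirements list


@dataclass
class Endpoint:
    name: str
    properties: dict                            # inventory properties the console can target on
    installed: set = field(default_factory=set)  # product names found on the endpoint
    cpm_installed: bool = False


def os_supported(ep):
    """'Ineligible for Install - Insufficient Software Resources' stand-in: OS version check."""
    parts = ep.properties.get("os", "").split(".")
    return len(parts) >= 2 and parts[0] == "10" and parts[1].isdigit() and int(parts[1]) in SUPPORTED_MINOR


def conflicting_products(ep):
    """'Removal of Conflicting Products Required' stand-in: which listed products are present."""
    return sorted(ep.installed & CONFLICTING_PRODUCTS)


# Relevance of the Endpoint Deploy task: every condition must be true on the endpoint.
ENDPOINT_DEPLOY_RELEVANCE = (
    lambda ep: not ep.cpm_installed,          # nothing to do where the client is already present
    os_supported,
    lambda ep: not conflicting_products(ep),
)


def is_relevant(ep, relevance=ENDPOINT_DEPLOY_RELEVANCE):
    """Agent-side self-evaluation: conditions are ANDed, one false condition makes the Task not relevant."""
    return all(cond(ep) for cond in relevance)


def target_by_list(endpoints, names):
    """Static target: only the computers chosen by name when the Action was issued."""
    return [ep for ep in endpoints if ep.name in set(names)]


def target_by_property(endpoints, **wanted):
    """Property target: any computer whose properties match, including ones that join later."""
    return [ep for ep in endpoints if all(ep.properties.get(k) == v for k, v in wanted.items())]


def action_recipients(targeted, relevance=ENDPOINT_DEPLOY_RELEVANCE):
    """Endpoints that are both in the Action's target and relevant; the rest report 'not relevant'."""
    return sorted(ep.name for ep in targeted if is_relevant(ep, relevance))


# Constructed fleet; names, properties and installed software are made up for the example.
FLEET = [
    Endpoint("imac-ca-01", {"model": "iMac", "location": "California", "group": "User", "os": "10.9.5"}),
    Endpoint("imac-ca-02", {"model": "iMac", "location": "California", "group": "User", "os": "10.8.5"},
             {"Sophos Anti-Virus"}),
    Endpoint("imac-ca-03", {"model": "iMac", "location": "California", "group": "User", "os": "10.4.11"}),
    Endpoint("mbp-ca-01", {"model": "MacBook Pro", "location": "California", "group": "User", "os": "10.10.5"}),
]
# An endpoint that joins the network after the Action was issued.
LATE_JOINER = Endpoint("imac-ca-04", {"model": "iMac", "location": "California", "group": "User", "os": "10.11.1"})

# "Install on all iMac computers, in California, that are part of the User group."
CALIFORNIA_USER_IMACS = {"model": "iMac", "location": "California", "group": "User"}


def deploy_by_property(endpoints):
    return action_recipients(target_by_property(endpoints, **CALIFORNIA_USER_IMACS))


def deploy_by_list(endpoints, names):
    return action_recipients(target_by_list(endpoints, names))


if __name__ == "__main__":
    print(deploy_by_property(FLEET))                                          # ['imac-ca-01']
    print(deploy_by_property(FLEET + [LATE_JOINER]))                          # ['imac-ca-01', 'imac-ca-04']
    print(deploy_by_list(FLEET + [LATE_JOINER], ["imac-ca-01", "imac-ca-02"]))  # ['imac-ca-01']
    print(conflicting_products(FLEET[1]))                                     # ['Sophos Anti-Virus']
```

Of the four California iMacs only one is relevant: one still runs a conflicting product, one is on an unsupported OS release, and the MacBook Pro is outside the property target altogether. The late joiner is picked up by the property target but never by the list, which is why the guide recommends targeting by property.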
Configure and Run Malware Scans
CPM for Mac provides two types of malware scans: On-Demand and Real-Time. In addition, you can schedule On-Demand scans to automatically recur. You can apply the same scan to all endpoints, or create different scan configurations and apply them to different sets of endpoints based on whatever criteria you choose.
Users can be notified before a scheduled or on-demand scan runs, but do not explicitly receive notifications whenever a detection occurs on their computer.
Note: For more information about making detection information visible to your users, see “Enable the Client Console (for Mac)” on page 75, in “CPM Client
Detections are logged and available for review in CPM Reports.
Note: On-Demand scans can be CPU intensive on the client. Although you can moderate the effect by configuring the CPU Usage option (which sets a pause between each file scanned), you might also want to configure an Offer as part of the Task. The Offer will allow users to initiate the scan themselves.
As with most Tasks in the IBM BigFix Console, you can associate any of these scans with selected computers, users, or other conditions. As a result, you can define multiple scan settings and then attach a particular scan configuration to a given set of computers. Scan settings are saved in the CPM Dashboard.
The configuration settings that you define for these scans apply together with the Global Settings you configure.
On-Demand scans
Use On-Demand scans to run a one-time scan of client hard drives or the boot sector. Launch the default scan with the Scan Now Task. On-Demand scans can take from a few minutes to a few hours to complete, depending on how many files are scanned and on client hardware.
Note: When a user initiates a Manual Scan from the CPM for Mac client console, the scan settings reflect the latest settings configured by the administrator for an On-Demand scan. For example, an administrator might schedule an On-Demand scan on every Thursday at 12:00 that scans all file types. Then the administrator might run an On-Demand scan with different scan settings, maybe scanning only for .EXE files, at 14:00. If a user runs a Manual Scan at 15:00, and the administrator has not changed the settings, the user’s Manual Scan will scan only for .EXE files, not all file types.
Scheduled scans
You can schedule an On-Demand scan to trigger at a particular time, day, or date. You can also have the scan automatically recur according to the schedule you set.
Real-Time scans
This scan checks files for malicious code and activity as they are opened, saved, copied, or otherwise being accessed. These scans are typically imperceptible to the user. Real-time scans are especially effective in protecting against Internet-borne threats and harmful files being copied to the client. Trend Micro recommends that you enable real-time scanning for all endpoints.
Configure Default Scan Settings
Whenever you run the default on-demand scan, the settings that are applied are those that you configured for the default On-Demand Scan Settings. The relationship between them is shown in the following figure.
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > On-Demand Scan Settings > On-Demand Scan Settings Wizard. The On-Demand Scan Settings Wizard opens.
3. Make your configuration choices.
4. Click the Create Configuration Task... button. The Create Task window opens.
5. Because this is the default Start Scan Now Task, keep the existing name and click OK to also accept the default Actions and Relevance. The Task is set to be relevant to all CPM for Mac clients.
6. Click OK.
7. At the prompt, type your private key password and click OK.
8. Wait a few minutes and the Applicable Computers tab opens.
9. Below Actions, click the hyperlink to open the Take Action window.
10. In the Take Action window's Target tab, select the applicable computers and click OK.
11. Click OK.
12. At the prompt, type your private key password and click OK.
13. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Start a Scan of Relevant Endpoints
From the Endpoint Protection > Core Protection Module tree, go to Common Tasks > Core Protection Module > Core Protection Module - Start Scan Now.
Configure an On-Demand Scan
This scan configuration will be saved separately from the default Scan Now settings. You can run it from the CPM Dashboard anytime to initiate an On-Demand scan that uses the saved settings and applies to the selected computers.
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > On-Demand Scan Settings > On-Demand Scan Settings Wizard. The On-Demand Scan Settings Wizard opens.
3. Make your configuration choices.
4. Click the Create Scan Now Task... button. The Create Task window opens.
5. Edit the Name field and use the Description tab to clearly identify the scan parameters that you have selected and the computers you will target in this task.
6. Select all the relevant computers from the Relevance tab and click OK.
7. At the prompt, type your private key password and click OK.
8. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Run an On-Demand Scan
1. Go to Endpoint Protection > Core Protection Module > Configuration > On-Demand Scan Settings.
2. Double-click the previously defined [scan name] in the top-right pane to initiate the Task.
3. Below Actions, click the hyperlink to open the Take Action window.
4. In the Take Action window, select the computers that you want to target (typically, by Properties) and then click OK.
5. At the prompt, type your private key password and click OK.
6. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Schedule an On-Demand Scan
A scheduled scan runs automatically according to the schedule you set. Although it is shown in the CPM for Mac Dashboard along with any other On-Demand scans, you do not need to trigger it.
1. Go to Endpoint Protection > Core Protection Module > Configuration > On-Demand Scan Settings.
2. Double-click the previously defined [scan name] in the upper-right pane to open the scan configuration.
3. Below Actions, click the hyperlink to open the Take Action window.
4. In the Take Action window, click the Execution tab (see the following figure).
v Choose a Start date and, optionally, configure the days on which you want the scan to run in the Run only on field.
v Select Reapply this action while relevant, waiting 2 days between reapplications (choosing whatever interval suits you).
WARNING! Do not select "whenever it becomes relevant again". The scan Task stays relevant to CPM for Mac clients after it runs, so with that setting the scan might run continuously.
v If you want to let users initiate the scan, click the Offer tab and select Make this action an offer.
v Click any of the other tabs to modify the trigger time and applicable users.
5. Select all the relevant computers and click OK.
6. At the prompt, type your private key password and click OK.
7. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Client Updates from the Cloud
Receiving pattern updates from the cloud is not recommended as the default behavior. However, in some cases, such as when an endpoint is not connected to the IBM BigFix Server or a Relay, you might want the endpoint to fail over to updates from the cloud. The most typical use case is roaming clients, for example clients being taken offsite for travel.
Note: Perhaps the best method for updating roaming endpoints is to place a BigFix Relay in your DMZ. This way endpoints maintain continuous connectivity with the BigFix architecture and receive updates through the Relay, as they would if located inside the corporate network.
There are several reasons why updating from the cloud is not recommended for daily use by all endpoints:
v The Update from the cloud Task is not restricted to roaming clients. Target your endpoints carefully to avoid triggering a bandwidth spike.
v Full pattern and engine file updates can be 15 MB or more.
v Updates from the cloud always include all patterns (you cannot update selected patterns as you can from the BigFix Server).
v Updates from the cloud are typically slower than updates from the BigFix Server.
Three more points are relevant to cloud updates:
v The endpoint requires an Internet connection. If the endpoint has a proxy configured for Internet Explorer, those settings are automatically used. (macOS has no Internet Explorer, so this sentence appears to be inherited from the Windows edition of the guide; confirm which proxy configuration the Mac client honors before relying on cloud updates through a proxy.)
v As with any pattern update, following a pattern rollback, further updates are prohibited until the rollback condition has been lifted by running the Task: Core Protection Module - Clear Rollback Flag.
v The CPM for Mac client verifies the authenticity of the pattern downloaded from the cloud.
Configure Clients to Update from the Cloud
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Updates > Other Update Tasks.
3. From the list in the right pane, click Core Protection Module - Update From Cloud. A screen that displays the Task Description tab opens.
4. Below Actions, click the hyperlink to open the Take Action window.
5. In the Target tab, choose All computers with the property values selected in the tree list below and then select the property that you want to apply (for example, one that distinguishes between corporate and non-corporate Internet connections).
   Execution: Schedule the time and duration of the cloud updates, as well as the retry behavior. This setting can be useful for cloud updates.
   Users: Select the computers that you want to convert to cloud updates by User. This option works in combination with Target, linked by the AND operand (both conditions must be met for the Action to run).
6. Click OK when finished.
7. At the prompt, type your private key password and click OK.
8. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Previous Pattern File Version Rollback
Problems with the scan engine or pattern files are uncommon. However, if a problem does occur, it is likely to be due either to file corruption or to false positives (incorrect detection of malware in non-problematic files).
If a problem does arise, you can deploy an Action to affected endpoints to delete the file (or files) in question and replace them with a different version. This action is called a pattern rollback, and you can roll back all or selected pattern files. By default, the CPM server keeps 15 previous versions of the pattern and engine files for rollbacks. (Set this option at the bottom of the Server Settings Wizard: Core Protection Module > Configuration > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard > "Others" section.)
There are several things to remember when rolling back a pattern update:
v Part of the rollback process is to lock down endpoints to prevent any further pattern updates until the lock is cleared. The lock is a safeguard against reintroducing whatever issue triggered the need for a rollback. After the issue is resolved, either by changing something on the endpoints or by acquiring a different version of the pattern file, you must run the Core Protection Module - Clear Rollback Flag Task to re-enable updates.
v If your clients are not all running the same version of the pattern file, that is, some have the current pattern and some have an earlier version, and you perform a rollback to the earlier version, clients with the current version revert to the earlier version, and clients with the earlier version are updated to the current version. Check the pattern version on the targeted clients before and after the rollback so that a mixed fleet does not end up on a version you did not intend.
v You can roll back all or selected pattern files. However, even if you only roll back one pattern file, you must still reset the rollback flag for all pattern files.
Perform a Pattern File Rollback
1. From the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Updates > Update/Rollback Patterns > Create Pattern Update/Rollback Task. The Pattern Update and Rollback Wizard opens.
3. In the list of folders that appears, click the ">" icon to expand and display the pattern file version that you want to roll back to.
4. Click the Rollback To button across from the folder. In the pop-up window that opens, choose either:
   Deploy a one time action: Use this option to open the Take Action window and select the computers that you want to apply this one-time Action to. Any computers included in the Target that are not relevant for the Action at the time of deployment respond with a "not relevant" statement. Click OK.
   Create an update Fixlet: Use this option to open the Edit Fixlet Message window and configure a Fixlet that deploys the Action whenever the selected clients become relevant. When finished, click OK and, in the window that opens, click the hyperlink below Actions to open the Take Action window.
   Note: In CPM 10.6 (or later), you can perform a rollback only on Virus Patterns and Engines.
5. In the Target tab that opens, click All computers with the property values selected in the tree list below and then choose a property that includes all the computers that you want to deploy this Action to.
   Execution: Set any time and retry behavior for the update.
   Users: This option works in combination with Target, linked by the AND operand (both conditions must be met for the Action to run).
6. After you select the computers you want to update, click OK.
7. At the prompt, type your private key password and click OK.
8. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Re-Enable Updates Following a Rollback
After a rollback you must clear the rollback flag attached to patterns on your CPM for Mac clients to re-enable manual, cloud, or automatic pattern updates. You must do this also for pattern files that were not included in the rollback: all pattern file updates are on hold after a rollback until their individual flags are lifted. You can remove the flag on all pattern files at the same time, or on selected files.
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Updates > Other Update Tasks > Core Protection Module - Clear Rollback Flag. A screen displaying the Task Description tab opens.
3. Beneath Actions, click the hyperlink to open the Take Action window.
4. In the Target tab, click All computers with the property values selected in the tree list below and then choose a property that includes all the computers that you want to deploy this Action to.
5. Click OK.
6. At the prompt, type your private key password and click OK.
7. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Deploy Selected Pattern Files
By default, all pattern files are included when the pattern is deployed from the IBM BigFix Server to CPM for Mac clients. You can, however, select and deploy a subset of patterns.
Note: This Task is typically only used to address special cases, and as a result is seldom used. When used, this Task tends to be targeted narrowly.
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Updates > Pattern Update Settings > Create Pattern Update Settings Task. The Update Settings Wizard screen opens.
3. In the list of components that appears, select the pattern types that you want to allow updates for whenever pattern updates are applied. By default, all pattern files are selected.
4. Click the Create Update Settings Task... button in the upper-right corner. The Edit Task window opens.
5. Modify the default name in the Name field and use the Description tab to clearly identify the purpose of this custom Task.
6. Edit the Description and the Relevance tabs if necessary, to reflect your goals. Click OK.
7. At the prompt, type your private key password and click OK. A screen displaying the Task Description tab opens. The Task is added below Pattern Update Settings on the CPM for Mac Dashboard.
8. Below Actions, click the hyperlink to open the Take Action window.
9. In the Target tab, click All computers with the property values selected in the tree list below and then choose a property that includes all the computers that you want to deploy this Action to.
   Execution: Set the deployment time and any retry behavior.
   Users: This option works in combination with Target, linked by the AND operand (both conditions must be met for the Action to run).
   Messages: Configure these options to passively notify the user that the installation is going to occur, to obtain consent, or to ask users to stop using their computer while the installation occurs.
10. When you finish identifying the computers that you want to receive the selected patterns, click OK.
11. At the prompt, type your private key password and click OK.
12. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Chapter 4. Working with CPM for Mac
35
Smart Protection Server Configuration
Smart Protection Server Settings only need to be configured and deployed if there are Smart Protection Servers deployed on your network. CPM for Mac automatically detects Smart Protection Servers on your network if an IBM BigFix Agent is installed on the server hosting a Smart Protection Server. For more information about installing a BigFix Agent on a Smart Protection Server, see "Connect IBM BigFix to SPS" on page 13.
A Smart Protection Server hosts File Reputation Services, Web Reputation Services, or both. File Reputation Services supports HTTP or HTTPS, while Web Reputation Services supports only HTTP connections. Endpoints can connect to Smart Protection Servers using the HTTP and HTTPS protocols. HTTPS gives a more secure connection while HTTP uses less bandwidth; for File Reputation queries prefer HTTPS unless bandwidth on the segment is the constraint.
Configure the Smart Protection Server List
Smart Protection Servers must be ordered and their communication protocol configured.
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Smart Protection Server Settings > Smart Protection Server List. The Smart Protection Server List screen opens. If there are no Smart Protection Servers in your network (with the BigFix Agent installed), no servers are shown in the Available Smart Protection Server List.
3. If a later version of a Smart Protection Server is available, click the Update available link under the Version column to obtain the latest updates from the Trend Micro download center.
4. Click the arrow icons in the Order column to move servers into the priority order you need. Servers at the top of the list are the first ones that Smart Protection Relays and endpoints try to connect to when performing updates and reputation queries.
5. Click a server name to modify the protocol used when communicating with Smart Protection Relays and endpoints.
6. Specify the protocol to use.
   Note: HTTPS is more secure but requires more bandwidth for communication. CPM for Mac supports Web Reputation Services only over HTTP.
7. Click Save.
Create a Smart Protection Server List Deployment Task
You can create this task even if no Smart Protection Servers are deployed in your network.
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Smart Protection Server Settings > Smart Protection Server List. The Assign Smart Protection Server List screen opens.
3. Click Create a Task to Assign the List. A Create Task dialog box opens.
4. Click OK.
5. At the prompt, type your private key password and click OK.
Deploy the Smart Protection Server List
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Smart Protection Server Settings > Custom Tasks. The Custom Tasks screen opens. Click the Smart Protection Server deployment task; the settings for the task are shown.
3. Click Take Action. The Take Action screen opens.
4. Specify which endpoints and relays the task deploys to.
5. Click OK.
6. At the prompt, type your private key password and click OK.
Chapter 5. Configuration Wizards
Use CPM Dashboard Wizards to organize scan-related configuration choices.
Configuration Wizards Reference
The CPM Dashboard includes Wizards to help you understand and organize scan-related configuration choices. For example, use the On-Demand Scan Settings Wizard to define which files to scan, how to manage scan engine CPU usage, and designate the action to take whenever a threat is discovered. Individual scan configurations can also be saved as a Task, which is then available in the main Task List.
CPM for Mac provides the following configuration wizards.
v "Active Update Server Settings Wizard"
v "On-Demand Scan Settings Wizard" on page 40
v "Real-Time Scan Settings Wizard" on page 43
v "Web Reputation Proxy Settings" on page 51
v "Scan Exclusion Settings for Mac" on page 44
Active Update Server Settings Wizard
Use this Wizard to select the location from which you want to download component updates. You can choose to download from the Trend Micro ActiveUpdate (AU) server, a specific update source, or a location on your company intranet.
Source
v Trend Micro's ActiveUpdate Server: This location contains the latest available patterns and is typically the best source.
v Other Update Source (seldom used): The default location is http://esp-p.activeupdate.trendmicro.com/activeupdate.
v Intranet location containing a copy of the current file: If you want to use an intranet source for obtaining the latest pattern file update, specify that location here. This is typically used on a temporary basis for one-time updates, unless the intranet source is configured to poll and receive updates from the Trend Micro ActiveUpdate server regularly.
Proxy
v Use a proxy server for pattern and engine updates: If there is a proxy server between the IBM BigFix Server and the pattern update source you selected, enable this option and provide the location and proxy access credentials.
Others
v Log Rolling Frequency (1-90): To keep the cumulative size of log files from occupying too much space on the server, specify how many days to retain logs. The newest logs replace the oldest logs after this number of days. The default is 10 days. Logs are stored in the following directory: \TrendMirrorScript\log
v Number of Updates to Keep on Server (1-100): You can store previous pattern file sets on the server in case you ever need to revert, or roll back, to an older file. By default, CPM for Mac keeps the current pattern and 15 "snapshots" of the pattern set.
On-Demand Scan Settings Wizard
Core Protection Module for Mac supports only virus/malware scanning on CPM for Mac clients. For details about different types of virus and malware threats, see Appendix C, "Appendix C: Understanding Security Risks," on page 81.
Note: When a user initiates a Manual Scan from the CPM for Mac client console, the scan settings are the most recent ones set by the administrator for an On-Demand Scan.
For example, an administrator might schedule an On-Demand Scan every Thursday at 12:00 that scans all file types. The administrator might then run an On-Demand scan of /Users/username/ with different scan settings at 14:00. If a user runs a Manual Scan at 15:00, and the administrator has not changed the settings since, the user's Manual Scan will only scan /Users/username/, not the entire endpoint. Re-deploy the intended default settings after any narrowly scoped ad hoc scan, or user-initiated scans will silently inherit the narrow scope.
Configuring the Scan Target Tab
Core Protection Module for Mac supports the following configuration options on the Scan Target tab.
v In the Files to Scan section:
All scannable files: All files are scanned, even if the file type cannot contain infections. This option is the safest but also has the greatest effect on client performance.
File types scanned by IntelliScan: Scans only files that are known to potentially harbor malicious code, including files disguised by an innocuous-looking extension, using file metadata rather than the extension to determine the file type.
Target files: CPM for Mac always scans the files listed. Administrators must type the full file path for each file targeted for scanning.
v In the Scan Settings section:
Scan compressed files: Scans files that use compression technology. CPM for Mac supports only the scanning of compressed files, not the configuration of the maximum number of compression layers.
v In the Stop Scanning Settings (Mac only) section:
Stop scanning after: __ hour(s) __ minute(s): Automatically stops a scan that has exceeded the configured time frame.
Enable the privilege to stop scanning: Allows CPM for Mac users to cancel an active scan.
v In the Scan Cache Settings section:
Enable the scan cache: Each time a scan runs, the client records the properties of the files it found threat-free in the on-demand scan cache file. When the next scan occurs, CPM for Mac skips a previously threat-free file if its properties show it has not been modified and the cache entry has not expired. Files on which a threat was detected are not cached.
v In the CPU Usage section: On-Demand scans can be CPU intensive and users might notice a performance decrease while a scan is running. Moderate this effect by introducing a pause after each file is scanned, allowing the CPU to handle other tasks. Consider factors such as the type of applications that run on the computer, the CPU, RAM, and the time at which the scan is run.
High: No pause between files.
Low: A longer pause between files.
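To make the scan-cache rule concrete, here is an added example (not the CPM for Mac client's code) that models the behaviour described above: a file found threat-free is remembered with the properties observed at scan time, and the next scan skips it only when those properties are unchanged and the cache entry has not expired; detections are never cached. The properties compared (size and modification time), the expiry interval, the toy signature scanner and the constructed files are all assumptions of this example, not details from the guide.

```python
"""Model of an on-demand scan cache: skip unchanged, unexpired, threat-free files.

Added example, not IBM/Trend Micro code. Size + mtime as the compared
properties, the TTL, and the toy signature are assumptions.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed marker standing in for a real signature; it is not a malware pattern.
TOY_SIGNATURE = b"CONSTRUCTED-TEST-MARKER-DO-NOT-USE"


def toy_scanner(path: str) -> bool:
    """Return True when the file contains the toy signature (a 'detection')."""
    with open(path, "rb") as fh:
        return TOY_SIGNATURE in fh.read()


@dataclass
class CacheEntry:
    size: int
    mtime_ns: int
    scanned_at: float   # seconds on a clock the caller supplies, so expiry is testable


class ScanCache:
    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds
        self._entries: Dict[str, CacheEntry] = {}

    def can_skip(self, path: str, now: float) -> bool:
        """Skip only a file that was threat-free, is unchanged, and whose entry is unexpired."""
        entry = self._entries.get(path)
        if entry is None:
            return False
        st = os.stat(path)
        if (st.st_size, st.st_mtime_ns) != (entry.size, entry.mtime_ns):
            self._entries.pop(path)          # modified since it was cached: rescan
            return False
        if now - entry.scanned_at > self.ttl:
            self._entries.pop(path)          # cache information expired: rescan
            return False
        return True

    def record_clean(self, path: str, now: float) -> None:
        st = os.stat(path)
        self._entries[path] = CacheEntry(st.st_size, st.st_mtime_ns, now)

    def forget(self, path: str) -> None:
        self._entries.pop(path, None)


def scan_tree(root: str, cache: ScanCache, scanner: Callable[[str], bool],
              now: float) -> Tuple[int, int, int]:
    """Walk `root` once; return (files_scanned, files_skipped, detections)."""
    scanned = skipped = detections = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if cache.can_skip(path, now):
                skipped += 1
                continue
            scanned += 1
            if scanner(path):
                detections += 1
                cache.forget(path)           # infected files are never cached
            else:
                cache.record_clean(path, now)
    return scanned, skipped, detections


def demo(ttl_seconds: float = 3600.0) -> Dict[str, Tuple[int, int, int]]:
    """Constructed tree of three files; four scans show first run, cache hit,
    modification, and expiry. Returns the (scanned, skipped, detections) per step."""
    results: Dict[str, Tuple[int, int, int]] = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        clean = os.path.join(root, "Documents", "notes.txt")
        other = os.path.join(root, "readme.txt")
        bad = os.path.join(root, "sample.bin")
        with open(clean, "wb") as fh:
            fh.write(b"hello")
        with open(other, "wb") as fh:
            fh.write(b"world")
        with open(bad, "wb") as fh:
            fh.write(b"x" + TOY_SIGNATURE)
        cache = ScanCache(ttl_seconds)
        results["first"] = scan_tree(root, cache, toy_scanner, now=0.0)
        results["unchanged"] = scan_tree(root, cache, toy_scanner, now=60.0)
        with open(clean, "ab") as fh:          # size changes, so the entry is invalid
            fh.write(b" edited")
        results["modified"] = scan_tree(root, cache, toy_scanner, now=120.0)
        results["expired"] = scan_tree(root, cache, toy_scanner,
                                       now=120.0 + ttl_seconds + 1.0)
    return results


if __name__ == "__main__":
    for step, counts in demo().items():
        print(step, counts)
```

The second run scans only the infected file, because a detection is never cached; the third run rescans the edited file; the fourth rescans everything because every entry has aged past the TTL. Note that an entry's timestamp is not refreshed on a cache hit, so even a file that is skipped repeatedly gets rescanned once the cache information expires.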
Configuring the Scan Exclusion Tab
Core Protection Module for Mac does not support any configuration options on the Scan Exclusions tab. For details about configuring scan exclusions for Core Protection Module for Mac, see "Scan Exclusion Settings for Mac" on page 44.
Configuring the Scan Action Tab
The default scan action CPM for Mac performs depends on the virus/malware type and the scan type that detected the virus/malware. Core Protection Module for Mac supports the following configuration options on the Scan Action tab.
v Use ActiveAction: ActiveAction is a set of pre-configured scan actions for different types of security risks. ActiveAction settings are constantly updated in the pattern files to protect computers against the latest security risks and the latest methods of attack. Optionally select a customized action for probable virus/malware threats. If you are unsure which scan action is suitable for a certain type of security risk, Trend Micro recommends using ActiveAction.
v Use the same action for all virus/malware types: If the first action fails, CPM for Mac automatically takes the second action. For example, if the default action is "Clean" and CPM for Mac is unable to clean an infected file, the backup action of "Quarantine" is taken.
Quarantining Files: Administrators can configure CPM for Mac to quarantine any harmful files detected. CPM for Mac encrypts and moves the files to a directory on the endpoint, which prevents users from inadvertently spreading the virus/malware to other computers in the network. For more information, see Appendix B, "Appendix B: Reference Lists," on page 79.
Real-Time Scan Settings Wizard
Core Protection Module for Mac supports only virus and malware scanning on CPM for Mac clients. For details about different types of virus and malware threats, see Appendix C, "Appendix C: Understanding Security Risks," on page 81.
Configure the Scan Target Tab
Core Protection Module for Mac supports the following configuration options on the Scan Target tab.
v In the User Activity on Files section:
– Scan files being: Scans files that users create, modify, or receive (as configured).
v In the Scan Settings section:
– Scan compressed files: Scans files that use compression technology.
Note: CPM for Mac supports only the scanning of compressed files, not the configuration of the maximum number of compression layers.
Configure the Scan Exclusion Tab
Core Protection Module for Mac does not support any configuration options on the Scan Exclusions tab. For details about configuring scan exclusions for Core Protection Module for Mac, see "Scan Exclusion Settings for Mac" on page 44.
Configure the Scan Actions Tab
The default scan action CPM for Mac performs depends on the virus or malware type and the scan type that detected the virus or malware. Core Protection Module for Mac supports the following configuration options on the Scan Action tab:
v Use ActiveAction: ActiveAction is a set of pre-configured scan actions for different types of security risks. ActiveAction settings are constantly updated in the pattern files to protect computers against the latest security risks and the latest methods of attack. Optionally select a customized action for probable virus or malware threats. If you are unsure which scan action is suitable for a certain type of security risk, Trend Micro recommends using ActiveAction.
– Use the same action for all virus/malware types: If the first action fails, CPM for Mac automatically takes the second action. For example, if the default action is "Clean" and CPM for Mac is unable to clean an infected file, the backup action of "Quarantine" is taken. For more information, see Appendix B, "Appendix B: Reference Lists," on page 79.
Note: You can configure CPM for Mac to quarantine any harmful files detected. CPM for Mac encrypts and moves the files to a directory on the endpoint, which prevents users from inadvertently spreading the virus or malware to other computers in the network.
– Display a notification message on the client computer when virus/malware is detected: Enabling this option allows CPM for Mac to display a notification message for users to see when a virus or malware threat has been detected on the endpoint.
Scan Exclusion Settings for Mac
Configure scan exclusions to increase scanning performance and skip the scanning of files that are known to be harmless. When a particular scan type runs, Core Protection Module for Mac checks the scan exclusion list to determine which files to exclude from scanning.
Scan Exclusion List
v Files: Core Protection Module for Mac does not scan a file if:
– The file's directory path is the same as the path specified in the scan exclusion list.
– The file matches the full file path (directory path and file name) specified in the scan exclusion list.
v File Extensions: Core Protection Module for Mac does not scan a file if the file extension matches any of the extensions included in the exclusion list.
Scan Exclusion Lists (Files)
Administrators must follow specific criteria when configuring the file exclusion list.
v Core Protection Module for Mac supports a maximum of 64 file exclusions.
v Administrators cannot type only a file name. Core Protection Module for Mac requires a full file path.
v Administrators must type properly formatted paths.
Examples:
v Full file path: excludes a specific file.
– Example 1: /file.log
– Example 2: /System/file.log
v Directory path: excludes all files located in a specific folder and all of its subfolders.
– Example 1: /System/
Files excluded from scans: /System/file.log, /System/Library/file.log
– Example 2: /System/Library
Files excluded from scans: /System/Library/file.log, /System/Library/Filters/file.log
Files that Core Protection Module for Mac scans: /System/file.log
Use the asterisk wildcard (*) in place of a whole folder name. See the examples below.
v Full file path: /Users/Mac/*/file.log
Files excluded from scans: /Users/Mac/Desktop/file.log, /Users/Mac/Movies/file.log
Files that Core Protection Module for Mac scans: /Users/file.log, /Users/Mac/file.log
v Directory path:
– Example 1: /Users/Mac/*
Files excluded from scans: /Users/Mac/doc.html, /Users/Mac/Documents/doc.html, /Users/Mac/Documents/Pics/pic.jpg
Files that Core Protection Module for Mac scans: /Users/doc.html
– Example 2: /*/Components
Files excluded from scans: /Users/Components/file.log, /System/Components/file.log
Files that Core Protection Module for Mac scans: /file.log, /Users/file.log, /System/Files/file.log
Note: Core Protection Module for Mac does not support partial matching of folder names. For example, administrators cannot type /Users/*user/temp to exclude files in folders whose names end in user, such as end_user or new_user.
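The matching rules above are easy to get wrong when an exclusion list is large, and an over-broad entry silently creates a blind spot for the scanner. The following added example (not IBM/Trend Micro code) implements the rules exactly as the guide states them, so an administrator can check a proposed list against real paths before deploying it: an entry must be a full path; an entry matches the exact file or any file below that directory, with or without a trailing slash; a bare `*` stands for exactly one whole folder or file name; partial wildcards such as `*user` are rejected; and both lists are capped at 64 entries. Case-insensitive extension comparison is an assumption made here. The checks in the usage note are the guide's own examples.

```python
"""Checker for CPM for Mac scan-exclusion semantics (added example, not product code).

Assumptions beyond the guide: extensions compare case-insensitively, and the
wildcard matches exactly one path component.
"""
import os
from typing import List, Set

MAX_PATH_EXCLUSIONS = 64   # limit stated for file/directory entries
MAX_EXT_EXCLUSIONS = 64    # limit stated for extension entries


def _components(path: str) -> List[str]:
    """Split an absolute POSIX path into folder/file names; '/System/' and
    '/System' therefore yield the same components."""
    return [c for c in path.split("/") if c]


def _prefix_matches(entry: List[str], path: List[str]) -> bool:
    """An entry matches when each of its components equals the corresponding
    path component ('*' equals any single whole name).  Equal length is the
    exact file; a longer path is a file below that directory, also excluded."""
    if len(path) < len(entry):
        return False
    return all(e == "*" or e == p for e, p in zip(entry, path))


class ScanExclusionList:
    def __init__(self) -> None:
        self._paths: List[List[str]] = []
        self._extensions: Set[str] = set()

    def add_path(self, entry: str) -> None:
        """Add a full file path or directory path; '*' may replace one whole folder name."""
        if not entry.startswith("/"):
            raise ValueError(f"{entry!r}: a full path is required, not just a file name")
        comps = _components(entry)
        if not comps:
            raise ValueError("an empty path is not a valid exclusion")
        for c in comps:
            if "*" in c and c != "*":
                raise ValueError(f"{entry!r}: partial matching of folder names is not supported")
        if len(self._paths) >= MAX_PATH_EXCLUSIONS:
            raise ValueError(f"at most {MAX_PATH_EXCLUSIONS} file/directory exclusions are supported")
        self._paths.append(comps)

    def add_extension(self, ext: str) -> None:
        """Add an extension typed without the leading period, for example 'pdf'."""
        if not ext or ext.startswith("."):
            raise ValueError("type the extension without a period, for example 'pdf'")
        if len(self._extensions) >= MAX_EXT_EXCLUSIONS:
            raise ValueError(f"at most {MAX_EXT_EXCLUSIONS} extension exclusions are supported")
        self._extensions.add(ext.lower())   # assumption: case-insensitive comparison

    def is_excluded(self, file_path: str) -> bool:
        """True when a scan must skip this file."""
        comps = _components(file_path)
        if any(_prefix_matches(entry, comps) for entry in self._paths):
            return True
        # os.path.splitext treats '.bashrc' as having no extension, which is what we want.
        ext = os.path.splitext(comps[-1])[1] if comps else ""
        return bool(ext) and ext[1:].lower() in self._extensions


def excluded_paths(entries: List[str], candidates: List[str]) -> List[str]:
    """Build a list from `entries` and return those `candidates` it would exclude."""
    xl = ScanExclusionList()
    for e in entries:
        xl.add_path(e)
    return [p for p in candidates if xl.is_excluded(p)]


if __name__ == "__main__":
    print(excluded_paths(["/*/Components"],
                         ["/Users/Components/file.log", "/Users/file.log"]))
```

Run `excluded_paths` with the entries from the guide's examples and the listed candidate files; the files the guide says are excluded are returned and the ones it says are still scanned are not. Run it with a proposed production list and a sample of paths from the endpoint to see what a given entry actually covers.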
Configure Scan Exclusion Lists
1. From the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Scan Exclusion Settings for Mac > Scan Exclusion Settings. The Scan Exclusion Settings for Mac wizard opens.
3. Select the Enable scan exclusions check box.
4. Select Exclude Trend Micro directories (reduce false positives).
5. Select Exclude BigFix directories (improves performance).
6. To configure the Scan Exclusion List for files:
   a. Type a full file path or directory path and click Add.
   b. To delete a path, select the file path and click Remove Selected Item.
7. To configure the Scan Exclusion List (File Extensions):
   a. Type a file extension without a period (.) and click Add. For example, type pdf.
   Note: Core Protection Module for Mac supports a maximum of 64 file extension exclusions.
   b. To delete a file extension, select the extension and click Remove Selected Item.
8. Click Create Configuration Task.... The Create Task screen opens.
9. Type a name for the task or accept the default name. Click OK. The Take Action screen appears.
10. In the Target tab, a list of endpoints that are running the CPM for Mac client opens.
11. Select all applicable computers and then click OK.
12. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Chapter 6. Web Reputation
Optimize Web Reputation (WR) for your environment using Blocked and
Approved List templates, Analyses, and the Dashboard.
Introducing Web Reputation
The Trend Micro Web Reputation (WR) technology joins its real-time visibility and control capabilities with CPM to prevent web-based malware from infecting your users’ computers. Web Reputation intercepts malware "in-the-cloud" before it reaches your users’ systems, reducing the need for resource-intensive threat scanning and clean-up. Specifically, WR monitors outbound web requests, stops web-based malware before it is delivered, and blocks users’ access to potentially malicious websites in real time.
Web Reputation requires no pattern updates. It checks for web threats when a user accesses the Internet by performing a lookup on an "in-the-cloud" database. Web
Reputation uses the site’s "reputation" score and a security level set by the Console
Operator to block access to suspicious sites. The Web Reputation database lookups are optimized to use little bandwidth (similar in size to a DNS lookup) and have a negligible impact on network performance.
Web Reputation Operation
Whenever a user tries to open an Internet site, the requested URL is scored at the proxy, in real time, and that score is then evaluated against the security level. URLs whose score falls into a category that the selected security level blocks are prevented from opening (a lower score means a worse reputation). This scoring is relative to security, not to whether a site might contain objectionable content.
Note: As you set the security level higher, the web threat detection rate improves but the likelihood of false positives also increases. You can override incorrect blocking by adding the URL to the Approved List. Likewise, you can force blocking of a site by adding it to the Blocked List.
© Copyright IBM Corp. 2015
URLs are scored on a security scale from 0 - 100.
Safe
Scores range 81 - 100. Static and normal ratings. URLs are confirmed as secure, however content can be anything (including objectionable content).
Unrated
Score equals 71. Unknown ratings. These URLs are not included in the rating database.
Suspicious
Scores range 51 - 80. URLs that have been implicated in Phishing or Pharming attacks.
Dangerous
Scores range 0 - 49. Static and malicious ratings. URLs are confirmed as malicious, for example a known vector for spyware or viruses.
Security Levels range from high to low and have the following default actions:
High
Blocks unknown, suspicious, and dangerous sites.
Medium
Blocks dangerous and suspicious sites.
Low
Blocks only dangerous sites.
For example, if you set the Security Level to Low, Web Reputation only blocks URLs that are known to contain malicious software or security threats.
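Putting the score bands and the level defaults together: the following Python script is an added example, written for this edition of the guide rather than taken from BigFix or Trend Micro, that models how one web request is decided once the Approved List and Blocked List overrides described in the note above are taken into account. It assumes the list-entry wildcard forms documented later under "Using Web Reputation" (http://*.example.com, http://www.example.com/*, http://www.example.com:8080), that a Blocked List entry takes precedence over an Approved List entry (the guide does not state which wins), and that a score of 50, which none of the documented bands covers, counts as Suspicious. The URLs and scores are constructed sample data.

```python
import re
from typing import Iterable

# Score bands as this guide documents them: Safe 81-100, Unrated 71,
# Suspicious 51-80, Dangerous 0-49. Score 50 is covered by none of them;
# this example treats it as Suspicious (an assumption, erring toward blocking).
def categorize(score: int) -> str:
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score == 71:
        return "unrated"
    if score >= 81:
        return "safe"
    if score >= 50:
        return "suspicious"
    return "dangerous"

# Default actions per security level, as listed in the guide.
BLOCKED_CATEGORIES = {
    "high": {"unrated", "suspicious", "dangerous"},
    "medium": {"suspicious", "dangerous"},
    "low": {"dangerous"},
}

def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Turn a Blocked/Approved List entry into a compiled regex.

    The guide documents the entry forms; how they match is assumed here:
      http://www.example.com/*     the host and every path under it
      http://*.example.com         every sub-domain, any path
      http://www.example.com:8080  that host on the non-standard port only
    An entry with no path is taken to match any path on that host.
    """
    m = re.fullmatch(r"(https?)://([^/\s]+)(/\S*)?", entry.strip())
    if not m:
        raise ValueError(f"not a valid list entry: {entry!r}")
    scheme, host, path = m.groups()
    host_re = re.escape(host).replace(r"\*", r"[^/:]+")
    if path is None or path == "/*":
        path_re = r"(/.*)?"
    else:
        path_re = re.escape(path).replace(r"\*", r".*")
    return re.compile(f"{scheme}://{host_re}{path_re}", re.IGNORECASE)

def matches_any(url: str, entries: Iterable[str]) -> bool:
    return any(entry_to_regex(e).fullmatch(url) for e in entries)

def decide(url: str, score: int, level: str,
           blocked: Iterable[str] = (), approved: Iterable[str] = ()) -> str:
    """Return 'block:<reason>' or 'allow:<reason>' for one web request."""
    # Precedence between the two lists is not stated in the guide; this
    # example lets an explicit Blocked List entry win (assumption).
    if matches_any(url, blocked):
        return "block:blocked-list"
    # An Approved List hit skips the reputation lookup entirely, which is
    # the exposure the guide's note on Approved Lists warns about.
    if matches_any(url, approved):
        return "allow:approved-list"
    category = categorize(score)
    if category in BLOCKED_CATEGORIES[level]:
        return f"block:{category}"
    return f"allow:{category}"

if __name__ == "__main__":
    # Constructed sample data: hypothetical hosts and reputation scores.
    blocked = ["http://*.bad-example.test"]
    approved = ["http://intranet.example.test/*"]
    requests = [
        ("http://www.example.test/", 95),
        ("http://unknown.example.test/", 71),
        ("http://phish.example.test/login", 60),
        ("http://intranet.example.test/app", 10),
        ("http://cdn.bad-example.test/x.js", 99),
    ]
    for level in ("low", "medium", "high"):
        for url, score in requests:
            print(f"{level:6} {score:3} {url:36} {decide(url, score, level, blocked, approved)}")
```

Running the script shows the same Unrated and Suspicious requests flipping from allow to block as the level moves from Low to High, which is the false-positive trade-off the note above describes, and shows the Approved List entry bypassing the lookup even for a Dangerous score.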
Web Reputation Security Levels
After enabling WR on your endpoints, you can raise the security level to Medium or High (the default is Low) to increase the degree of sensitivity that WR uses when evaluating URLs.
Configuring a Default WR Security Level
1. From the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Common Tasks > Core Protection Module > Web Reputation.
3. Click Web Reputation - Configure Web Reputation Security Level. A screen displaying the Task Description tab opens.
4. Below Actions, choose a Security Level by clicking the hyperlink. The Take Action window opens.
5. In the Target tab, select all Applicable Computers to apply the WR security level to all your endpoints. Click OK.
6. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Using Web Reputation
The following rules apply when creating Approved Lists and/or Blocked Lists:
- Secure URLs, those starting with https://, are supported after enabling HTTPS Web Reputation.
- Include all subdirectories by using the * wildcard: http://www.example.com/*
- Include all sub-domains by using the * wildcard: http://*.example.com
  This example is not valid: https://www.example.??
- To import a URL that uses a non-standard port, use this format: http://www.example.com:8080
- URLs can be up to 2083 characters long.
- List each URL on a new line.
- You can add or import up to 500 URLs in a given list.
Templates
Use the Web Reputation Blocked-Approved List Wizard to create and maintain global lists of websites in the form of templates that you can use to control your users' web access. After these templates are defined, use them to create Custom Tasks which you can then apply to your endpoints. There are two types of URL lists that you can create and group into templates using the Wizard:
Blocked Lists
Lists of blocked websites. If the endpoint tries to access a site in one of these lists, they receive a message in their web browser indicating that access to the site is blocked.
Approved Lists
Lists of websites you allow your endpoints to access without restriction.
Note: Use care when selecting sites for Approved Lists. After a site is added to an Approved List, Web Reputation no longer checks it, so endpoints connecting to that site are not protected by Web Reputation if the site later becomes a host for malware. Prefer specific hosts or paths over broad wildcard entries such as http://*.example.com, which exempt every sub-domain from checking.
By creating multiple tasks, you can apply different sets of Blocked and Approved List templates to different users or groups of users. You can perform the following tasks:
- Create and deploy a New Blocked or Approved List template.
- Create and deploy a New Blocked or Approved List template by importing an existing list.
- View an existing Blocked or Approved List template.
- Copy a Blocked or Approved List template.
- Copy and edit a Blocked or Approved List template.
- Delete a Blocked or Approved List template.
Create and Deploy a New Template
1. From the IBM BigFix Console, click Endpoint Protection on the lower left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked-Approved List > Web Reputation Blocked-Approved List Wizard. The Web Reputation Blocked-Approved List Wizard window opens, showing a list of your currently available templates.
3. Click Add Template. The Blocked-Approved List Template–Add Template page opens.
4. Enter a name for your template in the Template Name field.
5. In the Blocked List pane, enter or copy and paste the URLs you want to block. Enter up to 500 URLs. Place http:// or https:// before each URL entry. To block all the pages for a site, enter the name of the domain followed by /*. For example: http://www.badURL.com/*
Note: You can include up to 500 URLs in a single template, and can create multiple templates for use. However, only one template can be active on an endpoint at the same time.
6. To enter an Approved List, in the Approved List pane, type or copy and paste the URLs you want your users to be able to access without restriction. You can enter up to 499 URLs per template. You also must have http:// or https:// before each URL entry. To grant access to all the pages on a site, enter the name of the domain followed by /*. For example: http://www.goodURL.com/*
7. When you are finished creating your template, click Save. The Blocked-Approved List Templates window returns.
8. Click the Create Task From Template... button. The Edit Task window opens.
9. Click OK.
10. Click the hyperlink in the Actions window. The Take Action window opens.
11. Select the computer or computers in the window to which you want to deploy your Blocked / Approved List template and set any wanted options.
12. When you have finished selecting options, click OK.
13. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Enable Smart Protection Server Web Reputation Service on Clients
Important: Administrators must install and configure a Smart Protection Server before configuring CPM for Mac client access. For more information about Smart Protection Servers, see "Smart Protection Server Configuration" on page 36.
1. From the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Common Tasks > Web Reputation > Web Reputation - Enable Smart Protection Server Web Reputation Service. A screen displaying the Task Description tab opens.
3. Click the hyperlink to open the Take Action window.
4. In the Target tab, a list shows the applicable CPM for Mac clients.
5. Select all the Applicable Computers and click OK.
6. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Enable HTTP Web Reputation (port 80) on CPM Clients
1. From the IBM BigFix Console, click Endpoint Protection on the bottom-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Common Tasks > Web Reputation > Web Reputation - Enable HTTP Web Reputation Scanning (port 80). A screen displaying the Task Description tab opens.
3. Click the hyperlink to open the Take Action window.
4. In the Target tab, a list shows the CPM clients without Web Reputation installed.
5. Select all the Applicable Computers and click OK.
6. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Web Reputation Proxy Settings
If your endpoints connect to the Internet through a proxy server, you must identify that proxy and provide log-on credentials. The credentials will be used by those
CPM clients that you target with this Action to connect to the Internet. Configure the Web Reputation proxy settings using either the Web Reputation Proxy Settings
Wizard
or the Web Reputation-Enable/Configure Proxy Settings Fixlet.
Configure the Web Reputation Proxy Settings Wizard
1. From the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Web Reputation Proxy Settings > Web Reputation Proxy Settings Wizard. The Web Reputation Proxy Settings Wizard window opens.
3. Click Use the following proxy settings.
4. Either provide the necessary proxy settings information or click Use to reload previously configured settings.
5. Click Create Configuration Task and deploy the proxy settings to the necessary clients.
Configure Web Reputation Proxy Settings Using the Fixlet
You are prompted for the proxy server password. Encrypt the password with the utility that the Task provides before you deploy the Task: the user name and password are written into the Action's Summary Details, so an unencrypted password would be readable by every Console operator who can view the Action.
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Common Tasks > Web Reputation.
3. From the right pane, select Web Reputation - Enable/Configure Proxy Settings. A screen displaying the Task Description tab opens.
4. Download and extract the encryption program, which has a name such as TMCPMEncrypt.exe.
a. Run the program. At the prompt, type your password in the field.
b. Copy the encrypted result (you will be prompted to paste it in later).
5. Back in the Task Description window, below Actions, click the hyperlink. At the prompt, provide the following:
- Proxy IP address or host name.
- Proxy port.
- User name for proxy authentication.
- Encrypted password (paste the password you encrypted).
The Take Action screen opens.
6. In the Target tab, a list of endpoints that are running the CPM client appears.
7. Select all applicable computers (those that are running WR) and then click OK.
8. At the prompt, type your private key password and click OK.
9. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
Import Lists of Websites
Web Reputation allows you to import URLs for new Blocked and Approved List templates from new line-delimited files.
1. Create two text files - one for the websites that you want this template to block and another for the websites to which you want to give your users unrestricted access.
Note: If you do not want to include an Approved List in the template, you can skip this part of the process. Web Reputation allows you to create Blocked or Approved List Templates with both list types (a blocked and an approved list), only a Blocked List, or only an Approved List.
2. Press ENTER or place a newline code at the end of each line to separate each entry. You must have http:// or https:// before each URL entry. To block all the pages for a site, enter the domain name followed by /*. For example: http://www.badURL.com/*
3. From the IBM BigFix Console, click Endpoint Protection on the bottom-left pane.
4. From the upper-left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked-Approved List > Web Reputation Blocked-Approved List Wizard to open the Web Reputation Blocked-Approved List Wizard.
5. Click the Add Template button or Edit. The Blocked-Approved List Templates – Add Template window opens.
6. Click Bulk Import Sites from external file.... The Import Sites from External File window opens.
7. Select the text file that you want to import by clicking Browse next to the Select Import File field. The Open window opens.
8. Use the Open window to navigate to the location where you have stored the text file.
9. Select the file and click Open. The path to the selected file appears in the Select Import File field.
10. Choose Blocked List or Approved List from the List Type.
11. Click the Add Sites from File button.
12. Click Yes to import the file. If you click No, to import the list you must re-launch the Wizard and perform the import process again.
13. After you click Yes, the Blocked / Approved List Wizard displays the contents of the tab associated with the file.
14. Click Finish to end the import process and start generating the relevant Custom Action.
Note: To see the process required to finish generating your Custom Action and deploying the template, start at Step 8 in the "Create and Deploy a New Template" on page 50 procedure.
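Because the Wizard and the bulk import accept the list as typed, it is worth checking an import file against the list rules under "Using Web Reputation" before importing it. The following Python script is an added example written for this guide, not a BigFix or Trend Micro tool; it applies those rules (the http:// or https:// prefix, the two wildcard forms, the non-standard port form, the 2083-character and 500-entry limits) to a newline-delimited file such as the ones created in steps 1 and 2 above. It assumes blank lines can be skipped and, because step 6 of "Create and Deploy a New Template" gives 499 as the Approved List limit while the list rules give 500, it uses the stricter figure for Approved Lists. The sample file and its hosts are constructed.

```python
import re
from typing import Optional

MAX_URL_LEN = 2083      # per the list rules in this guide
MAX_PER_LIST = 500      # per the list rules in this guide
MAX_APPROVED = 499      # the Approved List step of the template procedure says 499

# Host: optional leading "*." wildcard label, a hostname, then an optional
# :port for the non-standard-port form (http://www.example.com:8080).
_HOST = r"(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?::\d{1,5})?"
# Path: absent, a plain path, or a path ending in "/*" (all subdirectories).
# A "*" anywhere else, or "?" in the host (https://www.example.??), is rejected.
_PATH = r"(?:/(?:[^\s*]*/)?\*|/[^\s*]*)?"
_ENTRY = re.compile(rf"^(https?)://({_HOST})({_PATH})$")

def check_entry(entry: str) -> Optional[str]:
    """Return None if the entry is acceptable, otherwise the reason it is not."""
    if len(entry) > MAX_URL_LEN:
        return f"longer than {MAX_URL_LEN} characters"
    if not entry.lower().startswith(("http://", "https://")):
        return "must start with http:// or https://"
    if not _ENTRY.match(entry):
        return ("unsupported form: the * wildcard is allowed only as a leading "
                "host label (http://*.example.com) or a trailing /*")
    return None

def validate_list_file(text: str, list_type: str = "blocked") -> dict:
    """Validate a newline-delimited Blocked or Approved List file.

    Blank lines are ignored (an assumption; the guide only requires one URL
    per line). Returns the accepted entries, the rejected ones with line
    numbers and reasons, and how many https:// entries there are, since
    those only take effect once HTTPS Web Reputation is enabled.
    """
    limit = MAX_APPROVED if list_type == "approved" else MAX_PER_LIST
    accepted, rejected, https_entries = [], [], 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        reason = check_entry(entry)
        if reason:
            rejected.append((line_no, entry, reason))
            continue
        if entry.lower().startswith("https://"):
            https_entries += 1
        accepted.append(entry)
    if len(accepted) > limit:
        rejected.append((0, "", f"{len(accepted)} entries exceed the {limit}-entry limit"))
        accepted = accepted[:limit]
    return {"accepted": accepted, "rejected": rejected, "https_entries": https_entries}

# Constructed sample file (hypothetical entries), not taken from the guide.
SAMPLE_BLOCKED_LIST = """\
http://www.badURL.com/*
http://*.example.com
http://www.example.com:8080
https://secure.example.com/login
www.example.com
https://www.example.??
http://www.example.com/docs*
"""

if __name__ == "__main__":
    report = validate_list_file(SAMPLE_BLOCKED_LIST)
    for line_no, entry, reason in report["rejected"]:
        print(f"line {line_no}: {entry!r}: {reason}")
    print(f"{len(report['accepted'])} accepted, "
          f"{report['https_entries']} require HTTPS Web Reputation")
```

On the sample file the three malformed lines (no scheme, the ?? host, a wildcard that is not a trailing /*) are reported with their line numbers, and the https:// entry is counted so you know to enable HTTPS Web Reputation before expecting it to apply.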
View an Existing Template
1. From the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked-Approved List > Web Reputation Blocked-Approved List Wizard to open the Web Reputation Blocked-Approved List Wizard.
3. Click the name of the Blocked / Approved List template you want to examine. The Blocked-Approved List Templates – Add Template window opens.
Copy and Edit a Template
Web Reputation allows you to create copies of existing Blocked and Approved List templates. Use this feature to create copies of existing templates or to create slightly modified versions of existing templates.
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked-Approved List > Web Reputation Blocked-Approved List Wizard to open the Web Reputation Blocked-Approved List Wizard.
3. Select the name of the Blocked or Approved List template that you want to duplicate and click Copy. The name of the template appears in the form of "Copy of..." followed by the template name you chose to copy. Web Reputation automatically copies the contents of the Blocked and Approved List fields into the new template.
4. Change the name in the Template Name field to a descriptive template name.
5. Make other necessary changes to the template. For example:
- Add new URLs to the copied Blocked or Approved List.
- Remove URLs from the Blocked or Approved List.
- Import and append either an external blocked or an external approved list to your Blocked and Approved List entries.
6. When you are finished editing, click Finish to end the process and to start generating the relevant Custom Action.
Edit Custom Actions
The Blocked/Approved List Wizard allows you to edit existing Blocked or Approved List templates. You can edit these Custom Actions in two different ways:
- By making modifications using the Edit Task window immediately after you click Finish to create the Custom Task.
- By accessing the Edit Task window AFTER you have completely generated the Custom Task.
Note: To make modifications using the Edit Task window, either access it as part of the Custom Task generation process or select it by right-clicking the name of an existing Custom Task and selecting Edit.
The Edit Task window has four tabs:
Description
Use the Description tab to make modifications to the task name, title, and description.
Actions
Use the Actions tab to view or change the Action this Custom Task performs. For example, use this window to add or remove blocked or approved URLs from the presented Action Script.
Relevance
Use the Relevance tab to view and make modifications to the relevance for a Custom Task. By default, the relevance for the Blocked or Approved List is static. Its purpose is to detect endpoints for Web Reputation.
Properties
Use the Properties tab to view and modify the properties for this custom task.
Delete a Blocked or Approved List
To delete an existing Blocked or Approved List template from the Wizard's Template list:
1. From the BigFix Console, click Endpoint Protection on the bottom-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked-Approved List > Web Reputation Blocked-Approved List Wizard to open the Web Reputation Blocked-Approved List Wizard.
3. Select the name of the Blocked or Approved List template you want to delete and click Remove. The Delete window opens.
4. Click Yes. Web Reputation removes the template from the Blocked-Approved List Wizard Template Management window.
Note: The Blocked-Approved List Wizard Delete feature deletes only the template from the Management list. It does not delete the Custom Task created with the template. To completely remove the Blocked-Approved List template from your endpoints, follow the steps for deleting a WR Custom Task.
Delete a Web Reputation Custom Task
1. Select the name of the template that you want to delete in the Custom Tasks list and right-click.
2. Select Remove from the right-click menu.
3. At the prompt, type your private key password and click OK.
A series of messages displays when the Custom Task is removed from the affected CPM clients and the List Panel.
Web Reputation Analysis
The Web Reputation analyses show detailed information about an endpoint or group of endpoints that are protected by Web Reputation. Use the Client Information analysis to view information about each endpoint protected by a CPM client.
From the IBM BigFix Console, click Endpoint Protection on the lower-left pane. From the upper-left navigation pane, go to Core Protection Module > Analyses > Web Reputation for Mac. The following properties are available for each endpoint:
Number of Web Threats Found
The number of web threats encountered and recorded in the endpoint’s storage file.
Web Reputation Enabled/Disabled
The status of the agent’s Web Reputation feature (Enabled or Disabled).
Web Reputation Security Level
The security level for the Web Reputation feature (High, Medium, or Low).
Web Reputation Service Type
The Web Reputation query source (Smart Protection Network or Smart Protection Server).
Web Reputation Query Server URL
The URL of the Smart Protection Server used for Web Reputation queries.
Connection to the Smart Protection Network
The connection configuration to the Smart Protection Network for Web Reputation queries (Enabled or Disabled).
Log Purge Enabled
The configuration setting for purging Web Reputation logs (True or False).
Log Age Deletion Threshold
The number of days that logs are kept on the endpoint before they are deleted.
The Site Statistics analysis displays statistical information about the number of websites accessed by an endpoint. Use it to view Blocked Sites: the time a block occurred, and the URL that was blocked.
Viewing the Client Information Analysis
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Analyses > Web Reputation for Mac. The List Panel changes to show all available analyses:
- Web Reputation - Client Information
- Web Reputation - Site Statistics
3. Click the Web Reputation - Client Information analysis. The Web Reputation - Client Information window opens.
4. View the analysis property results in list or summary format. To select a perspective, choose the wanted format from the drop-down box in the upper-right corner of the analysis in the Results tab.
5. To deactivate the analysis, return to the click here link in the Action window.
View the Site Statistics Analysis
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Analyses > Web Reputation for Mac. The List Panel changes to show all available analyses:
- Web Reputation - Client Information
- Web Reputation - Site Statistics
3. Click the Web Reputation - Site Statistics analysis. The Web Reputation - Site Statistics window opens. The window displays information about the two Web Reputation properties that you can view with the analysis.
4. View the analysis property results in list or summary format. To select a perspective, choose the wanted format from the drop-down box in the upper-right corner of the analysis in the Results tab.
5. To deactivate the analysis, return to the click here link in the Action window.
Chapter 7. Locations
Apply different CPM for Mac security configurations based on a client’s geographical location.
Locations Overview
You can have IBM BigFix apply a different CPM for Mac security configuration based on a client's current geographical location. For example, say that an organization has offices in California, New York, and Germany, and that travel between offices is not uncommon. In California and New York, the corporate security policy requires that suspicious files be quarantined. In Germany such files must be deleted. In locations other than California or Germany, incidents must be logged but no action taken. You can accommodate all these regulations by creating Location Properties. In short, a client can disconnect from the corporate network in California one day and reconnect in Germany the next, and the client's computer will automatically pick up the correct security policy for the new location.
This same idea also applies to firewall configurations and other CPM for Mac security features. For example, in addition to location-specific configurations, you can create NIC-specific security policies if you want one set of malware and firewall settings to govern wireless connections and another set for wired connections. Your LAN and W-LAN settings can be the same for all geographic locations, or they too can vary to reflect a local security policy.
For example, wireless connections in New York might have one set of rules and wired connections another. In Germany, there might be different rules for both wired and wireless connections: two locations, but four sets of rules that might apply.
Create Locations
Use the BigFix Location Property wizard to create one or more named properties that allow BigFix Agents to identify themselves according to their current network location or status. As soon as the property is created, it will be propagated to all clients and applicable computers will pick up the setting (that is, their configuration status might change according to the choices you have in place.)
Before you begin, you should know or have a list of the subnets used in your organization and their respective geographic locations. Alternatively, you can create a custom relevance expression to dynamically map retrieved client properties using a key/ value set. For more information, see the ESP Administrator’s Guide.
Note: The purpose of the procedure below is to create a property that defines the geographic location of an endpoint according to its subnet. Using the same principles, you might also create a property based on connection type, relay, operating system, or any other characteristics and use it with the CPM firewall, CPM for Mac malware protection, and CPM for Mac Web Reputation.
1. Log on to the BigFix Console as Master Console Operator.
2. On the Console click All Content on the lower-left pane.
3. From the upper-left navigation pane, go to Wizards > All Wizards > Location Property Wizard. The Location Property Wizard screen opens.
4. Choose one of the following options and click Next.
- Create a retrieved property that maps subnet to location: For each location that you want to identify, type the subnet IP address. If a single location includes more than one subnet, type each subnet IP address (followed by the same location name) on a new line. Clients self-determine their relevance to a particular location by comparing their current IP address with the value or values specified here. Clients with multiple NICs might self-identify by using their W-LAN or LAN IP address, so you might need to include both subnets.
- Create a retrieved property that maps subnet to location using only the first two octets: Use this option to support a larger block of IP addresses. As described above, clients self-identify their relevance to this IP address block. Clients not included in the block either inherit the default configuration that is not location-specific, or are not covered by any location property.
- Create a retrieved property that maps IP address range to location: Only one range per line is supported (do not delimit multiple ranges).
- Create a retrieved property that uses a custom relevance expression and maps the result using a key/value set: For more information, see the ESP Administrator's Guide.
5. Give the property a name that clearly identifies its purpose and click Next.
6. For each location, type the subnet address or addresses. Click the Insert Tab button, and then type a name. Use only one IP/location pair per line as shown in the following screen. Create multiple lines for the same location if it uses multiple subnets.
Note: Be careful not to "overlap" any IP addresses when you are specifying ranges. Computers included in multiple locations will constantly be updated as they reevaluate and recognize their relevance to one location and then another.
7. Click Next, and if no valid IP/location pairs are displayed, click Next again.
8. Accept the defaults that are selected in the Additional Options window and click Finish. The Import Content window opens.
9. Click OK.
10. At the prompt, type your private key password and click OK.
11. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed".
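Since clients self-select a location by comparing their own IP addresses with the pairs entered in step 6, it helps to check the table for the overlap problem the note above warns about before deploying it, and to see what a client with more than one NIC would report. The following Python script is an added example written for this guide, not part of BigFix; it parses a constructed subnet/location table in the same one-pair-per-line form, flags subnets assigned to different locations that overlap, and resolves a client's addresses to a location the way the wizard's retrieved property would (an approximation: the relevance expression the wizard generates is not reproduced here). The subnets and location names are sample data.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed location table in the "subnet, location" form the wizard takes:
# one IP/location pair per line, the same name repeated for a multi-subnet site.
LOCATION_TABLE = """\
10.10.0.0/16, San Francisco
10.11.0.0/24, San Francisco
10.20.0.0/16, New York
10.30.0.0/16, Germany
"""

Pair = Tuple[ipaddress.IPv4Network, str]

def parse_locations(text: str) -> List[Pair]:
    """Parse 'subnet, location' lines; blank lines and # comments are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "," not in line:
            raise ValueError(f"expected 'subnet, location': {line!r}")
        subnet, name = (part.strip() for part in line.split(",", 1))
        # strict=True rejects a subnet with host bits set, e.g. 10.10.1.0/16
        pairs.append((ipaddress.ip_network(subnet, strict=True), name))
    return pairs

def find_overlaps(pairs: List[Pair]) -> List[Tuple[str, str, str, str]]:
    """Subnets mapped to different locations that overlap.

    A client in the overlap would be relevant to both locations and flip
    between their configurations as it re-evaluates, which is the behaviour
    the guide's note on overlapping ranges warns about.
    """
    overlaps = []
    for i, (net_a, loc_a) in enumerate(pairs):
        for net_b, loc_b in pairs[i + 1:]:
            if loc_a != loc_b and net_a.overlaps(net_b):
                overlaps.append((str(net_a), loc_a, str(net_b), loc_b))
    return overlaps

def locations_for(addresses: List[str], pairs: List[Pair]) -> List[str]:
    """Every location a client with these NIC addresses would match.

    A client whose LAN and W-LAN addresses fall in subnets of different
    locations matches both, which is why the guide says to list both subnets.
    """
    found = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for net, name in pairs:
            if ip in net:
                found.add(name)
    return sorted(found)

def resolve(addresses: List[str], pairs: List[Pair]) -> Optional[str]:
    """The single location for a client, or None if none or several match."""
    found = locations_for(addresses, pairs)
    return found[0] if len(found) == 1 else None

if __name__ == "__main__":
    pairs = parse_locations(LOCATION_TABLE)
    print("overlaps:", find_overlaps(pairs) or "none")
    # A bad edit that assigns part of the San Francisco block to New York:
    bad = parse_locations(LOCATION_TABLE + "10.10.5.0/24, New York\n")
    print("overlaps after bad edit:", find_overlaps(bad))
    # Constructed clients: single NIC, two NICs in one site, two NICs in two sites.
    for nics in (["10.10.3.7"], ["10.10.3.7", "10.11.0.9"], ["10.10.3.7", "10.30.1.1"]):
        print(nics, "->", locations_for(nics, pairs), "resolved:", resolve(nics, pairs))
```

A client that resolves to None because it matches no subnet is the case the guide describes as inheriting the default, non-location-specific configuration; one that resolves to None because it matches two locations is the one to fix in the table before deploying.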
Now that locations are defined, the next step is to create a couple of different configuration settings and bundle them into a Task. You can then associate these Tasks with the Locations you created.
Create Location-Specific Tasks
The goal in the procedures below is to create two different configurations and tasks and attach them to different locations. As a result Configuration 1 is automatically picked up by users in Location 1, and Configuration 2 is picked up by users in Location 2. When users from Location 2 travel to Location 1 they automatically pick up Configuration 1 when connecting to the network.
How Location Properties Work
Each IBM BigFix Agent, on which the CPM for Mac client is installed, receives a complete list of all the Actions deployed from the BigFix Server through the various Tasks. The individual Agents check themselves against the list and create a short-list of only those Actions that apply to them. In the current example, relevance is determined by IP address. Configuration 1 is going to be deployed to all Agents, but only those Agents running on an endpoint with an IP address in the subnet that is defined for San Francisco will pick up the configuration. You can see this self-selection at work when you create the second configuration and apply it to a different Location. One Action is picked up by San Francisco endpoints and the other by German endpoints.
BigFix Agents remain in sync with new relevance expressions by frequently checking the BigFix Server for updates. Agents also maintain a detailed description of themselves that can include hundreds of values describing their hardware, the network, and software. In short:
1. Define some locations.
2. Configure your scan, firewall, or URL filtering settings.
3. Save the settings to a Task and create an Action to target some given endpoints.
When you deploy the Task, the BigFix Server converts the Action details into a relevance expression, which is sent to all Agents at the endpoints. Each Agent checks itself against the relevance expression and takes the Action that is required for every match found.
Create the First Configuration and Task
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Global Settings > Global Settings Wizard. The Global Settings Wizard screen opens.
3. Enable Configure scan settings for large compressed files and type the limits that are shown here:
- Do not scan files in the compressed file if the size exceeds 2 MB.
- Stop scanning after CPM detects 2 virus/malware in the compressed file.
4. Click the Create Global Scan Settings Configure Task button. The Edit Task window opens.
5. Type a descriptive (or memorable) name for the Task such as, Skip 2MB-2.
6. Click OK.
7. At the prompt, type your private key password and click OK. The new policy now appears in the Configuration > Global Settings > Custom Tasks screen.
Create the Second Configuration and Task
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Configuration > Global Settings > Global Settings Wizard. The Global Settings Wizard screen opens.
3. Remove the check from Configure scan settings for large compressed files.
4. Click the Create Global Settings Configuration Task button. The Create Task screen opens.
5. Type a descriptive (or memorable) name for the Task such as, Scan BIG.
6. Click OK.
7. At the prompt, type your private key password and click OK. The new policy now appears in the Configuration > Global Settings screen.
Make the Configurations Location-Specific
1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to the task you just created, for example, Core Protection Module > Configuration > Global Settings > Custom Task > Skip 2MB-2. A screen displaying the Task Description tab opens.
3. Below Actions, click the hyperlink to open the Take Action window.
4. Select All computers with the property values selected in the tree below.
5. Click the All Computers tree and then By Retrieved Properties > By Subnet Address to open that branch.
6. Choose the Location name that you created for the San Francisco subnet in "Create Location-Specific Tasks" on page 59.
7. With your location still selected, click the Execution tab.
8. Remove any Constraints that you do not want to apply (such as a Start and End date), and in the Behavior section, make sure that only the following option is enabled: Reapply this action... whenever it becomes relevant again.
9. Click OK.
10. At the prompt, type your private key password and click OK.
11. Repeat this procedure for the second configuration and Task (choose Scan BIG from the Global Settings screen), and use the Location name that you used for the Germany subnet.
Configure Automatic Updates Using Location Properties
Administrators can configure CPM for Mac clients to switch update sources based on the client's location. Administrators can configure CPM for Mac clients that are within the internal network to update from the CPM server, and clients that are not within the internal network to update from the ActiveUpdate server.
Note:
This procedure assumes that administrators have already configured locations for the network. The procedure also uses the value of “OfficeSite” to indicate the internal company network.
1. On the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
2. From the upper-left navigation pane, go to Core Protection Module > Updates > Other Update Tasks.
3. Click Core Protection Module - Update from Cloud. A screen displaying the Task Description tab opens.
4. Click Take Action.
5. On the Target tab, select the endpoints relevant for this Task.
6. On the Execution tab:
a. Select Run only when and configure the following settings:
v Computer Location
v does not match
v OfficeSite
b. Select Reapply this action and configure the following settings:
v while relevant, waiting
v 1 hour between reapplications
7. Click OK.
8. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
CPM for Mac clients that leave the internal network now update directly from the ActiveUpdate server. When the client returns to the “OfficeSite” location, the update source switches back to the CPM server.
Chapter 8. Troubleshooting
Resources for basic troubleshooting and problem solving.
Installation
The CPM for Mac installer writes install logs to the following file:
/var/log/TrendMicro/TMMPMInstallResult.log
The log typically includes the installation start and finish time, current status, and any error codes encountered. If the status upon completion is not 5 or 6, an error occurred.
Installation Status Codes
Code  Status
0     Preparing Installation
1     Installing CPM for Mac Component
2     Upgrading CPM for Mac Component
3     Installing iCore Component
4     Upgrading iCore Component
5     Done
6     Done But Need Reboot
7     Installing BF-AU-Server Component
8     Upgrading BF-AU-Server Component
Installation Error Codes
Code  Description
0     Installation was successful
1     Incorrect platform detected
2     Package extraction was unsuccessful
3     Insufficient disk space
4     Administrator privilege required
5     A later version of Core Protection Module for Mac exists
6     Computer restart required before installation/migration
7     Unable to start Core Protection Module for Mac service(s)
8     Unable to stop Core Protection Module for Mac service(s)
9     Installation time out occurred
10    Another installer package is running
11    Command line time out argument is invalid
12    File copy process was unsuccessful
13    Unknown error
14    Another Trend Micro antivirus product is installed
15    Another third-party antivirus product is installed
16    Uninstallation was unsuccessful
Malware Scanning
Enable Debug Logging
1. Open Terminal.
2. Change to the directory:
/Library/Application Support/TrendMicro/MPM/
3. With root permission, run the command:
CaseDiagnosticTool AllOn
Disable Debug Logging
1. Open Terminal.
2. Change to the directory:
/Library/Application Support/TrendMicro/MPM/
3. With root permission, run the command:
CaseDiagnosticTool Off
Malware Logs on the CPM for Mac Client
The malware log directory is located here:
/var/log/TrendMicro/MPM/
The following log is significant in that it contains both virus and spyware information: malware.log
Debug Logs
v TrendMirrorScript logs:
%ProgramFiles%\BigFix Enterprise\TrendMirrorScript\logs
v CPM AU Server logs:
%ProgramFiles%\Trend Micro\Core
v BigFix Client logs:
/Library/Application Support/BigFix/BES Agent/__BESData/__Global/Logs/
v CPM for Mac Client logs:
/var/log/TrendMicro/
Component Installation Debug Logs (CPM Server)
Use these logs to track down CPM server installation issues.
Directory = %WINDOWS%
v CPMInstallResult.log
v CPMMsrvInstall.log
v ClnExtor.log
v CPMsrvISSetup.log
Component Installation Debug Logs (CPM for Mac Client)
Use these logs to track down CPM for Mac client installation issues.
v /var/log/TrendMicro/TMMPMInstallResult.log
v /tmp/TrendMicroMPMInstaller.log
Log file names followed by an asterisk (*) also serve as CPM for Mac Client upgrade debug logs. All log files can be collected by the Core Protection Module for Mac - Execute CPM Case Diagnostic Tool (CDT) Task.
Enabling Debugging on the CPM for Mac Client
1. While logged in as a “root” permission user, open the terminal.
2. Change to the directory:
/Library/Application Support/TrendMicro/MPM/
3. Run the script:
CaseDiagnosticTool AllOn
4. Reproduce the issue.
5. Run the script:
CaseDiagnosticTool off
6. Use the root permission level to run:
CaseDiagnosticTool collect
The file is created on the desktop with the following naming convention:
TMMPMLogCollect.<datetime>.tar.bz2
7. Send the compressed .tar.bz2 file to Trend Micro Technical Support.
Tip:
Administrators can use the Core Protection Module for Mac - Execute CPM Case Diagnostic Tool (CDT) Task to perform steps 6 and 7 automatically. This process creates the compressed .tar.bz2 file in the directory /Library/Application Support/TrendMicro/MPM/CDTData and uploads the file to the BigFix server.
Web Reputation Logs on the CPM for Mac Client
The Web Reputation log directory:
/var/log/TrendMicro/MPM
The log file that contains the Web Reputation information: wtp.log
Pattern Updates
There are a number of moving parts and components that are involved with the routine task of updating the pattern files:
v CPM server components include:
– Proxy Settings
– TMCPMAuHelper.exe
– TrendMirrorScript.exe
v CPM console components include:
– Pattern Update Wizard
– Pattern-set Loading via Manifest.json
v CPM for Mac client components include:
– BESAgent.exe (for dynamic download requests for pattern-sets)
– TMMPMAuUpdater.exe (for request and application of pattern-sets)
General
v The default ActiveUpdate server (for pattern updates) appears in the BigFix Server registry:
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv\ServerUpdateSource\DefaultAUServer
v The default ActiveUpdate server URL for CPM for Mac version 2.0: http://esp-p.activeupdate.trendmicro.com/activeupdate
v CPM server - Check that the server exists in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\server
v CPM server - If the automatic update Task is successful, the CPM site will exist in the ‘bfsites’ directory:
<%Program Files%>\BigFix Enterprise\BES Server\wwwrootbes\bfsites\CustomSite_FileOnlyCustomSite_CPMAutoUpdate_0_1
v CPM for Mac client - After automatic updates are enabled on the client, the CPM site will exist in the IBM BigFix subscribed sites directory:
<%Program Files%>\BigFix Enterprise\BES Client\__BESData\CustomSite_FileOnlyCustomSite_CPMAutoUpdate
v Check for pattern updates on the CPM server. From the CPM Dashboard, click Update/Rollback Patterns > Create Pattern Update/Rollback Task to open the Pattern Update and Rollback Wizard.
– If there are no new updates, inspect the Task Core Protection Module - Set ActiveUpdate Server Pattern Update Interval.
– If the Task was run but the updates are not working properly, check the Action or the BigFix Agent logs on the BigFix Server.
– Check the BigFix Server to confirm whether pattern updates are being received as expected:
<%Program Files%>\BigFix Enterprise\BES Server\wwwrootbes\cpm\patterns
v Check the TrendMirrorScript.exe logs from
<%Program Files%>\BigFix Enterprise\TrendMirrorScript\logs
v Confirm that older pattern files are still on the BigFix Server (by default a reserve of 15 patterns is retained).
Automatic Pattern Updates
1. Check the BigFix Console to verify whether any CPM servers require action for Core Protection Module > Warnings.
2. Check on the BigFix Server that the Task, Core Protection Module - Set ActiveUpdate Server Pattern Update Interval, has been created and run. This task must be set to automatically reapply at a frequent interval (often, hourly), and it must not be restricted in any way that would conflict with the action.
3. Check on the BigFix Server that the Task, Core Protection Module - Apply Automatic Updates, has been run and that the Action has successfully completed.
4. On the CPM Server, the user account must be in place for the propagation site. The PropagateManifest registry key must be set to 1.
v For 32-bit endpoints:
HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\server
v For 64-bit endpoints:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\CPM\server
5. For CPM for Mac clients that are enabled for automatic updates, check the following file:
/Library/Preferences/com.bigfix.BESAgent.plist
Proxy Servers
If there is a proxy server between the BigFix Server and the Internet, two separate configurations are necessary:
v The BigFix Server proxy authentication settings: Used by the BESGather service, and typically set during the BigFix Server install. For more information see the Knowledge Base article: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=231
v CPM Server component proxy authentication settings: Used by the update program, TMCPMAuHelper.exe. Set or check this from Endpoint Protection > Core Protection Module > Configuration > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard.
If the latest pattern file already exists on the CPM Server, you must perform the following manual steps to continue testing.
1. Locate and delete the following folder:
%CPM_SERVER_INSTALL_FOLDER%\bin\AU_Data
2. Delete all files and any subfolders from this directory (but not the folder itself):
%CPM_SERVER_INSTALL_FOLDER%\download
3. From Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks, run the Core Protection Module - Set ActiveUpdate Server Pattern Update Interval Task.
Client-Side Logging: ActiveUpdate
1. On the CPM for Mac client, create or locate and open the following text file:
/Library/Application Support/TrendMicro/common/lib/AUlib/aucfg.ini
2. Add or change the following parameter:
[debug]
level=-1
3. Save and close the file.
4. Log output will be saved here:
/Library/Application Support/TrendMicro/common/lib/AUlib/AU_Data/AU_Log/TmuDump.txt
Additional Files
v Create a manifest file and list of URLs by typing the following at a command prompt:
TMMPMAuUpdater -pu -m Manifest -f urllist
v Check the file server.ini in the following location:
/Library/Application Support/TrendMicro/MPM/download/
Watchdog Function
To provide improved failover defense for the Core Protection Module for Mac, a “watchdog” service now monitors the program’s own essential service processes, such as the iCoreService and TMMPMAdapter.
Every 60 seconds the watchdog checks for the existence of the Core Protection Module for Mac’s main services. If one of the main services has exited abnormally or crashed, the watchdog stops all services and then restarts the CPM for Mac main services to guarantee the availability of the system.
Chapter 9. Contact Trend Micro
Work with Trend Micro contacts and support resources to optimize CPM for Mac performance. Find assistance for any technical support questions you might have.
Contact Technical Support
Trend Micro provides technical support, pattern downloads, and program updates for one year to all registered users, after which you must purchase renewal maintenance. If you need help or have a question, feel free to contact us. We also welcome your comments.
v Get a list of the worldwide support offices: http://esupport.trendmicro.com
v Get the latest Trend Micro product documentation: http://docs.trendmicro.com
In the United States, you can reach the Trend Micro representatives by phone, fax, or email:
v Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014
v Toll free: +1 (800) 228-5651 (sales)
v Voice: +1 (408) 257-1500 (main)
v Fax: +1 (408) 257-2003
v Web address: http://www.trendmicro.com
v Email: [email protected]
Speed Up Your Support Call
When you contact Trend Micro, to speed up your problem resolution, ensure that you have the following details available:
v Operating System and Service Pack version.
v Network type.
v Computer brand, model, and any additional hardware connected to your computer.
v Browser version.
v Amount of memory and free hard disk space on your computer.
v Detailed description of the install environment.
v Exact text of any error message given.
v Steps to reproduce the problem.
Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this document, or any Trend Micro document, go to the following site: http://www.trendmicro.com/download/documentation/rating.asp
Knowledge Base
The Trend Micro Knowledge Base is a 24 x 7 online resource that contains thousands of do-it-yourself technical support procedures for Trend Micro products.
Use the Knowledge Base, for example, if you are getting an error message and want to find out what to do. New solutions are added daily.
Also available in the Knowledge Base are product FAQs, important tips, preventive antivirus advice, and regional contact information for support and sales. The Knowledge Base can be accessed by all Trend Micro customers and anyone using an evaluation version of a product. Visit: http://esupport.trendmicro.com/. If you can't find an answer to a particular question, the Knowledge Base includes a service you can use to submit your question by email. Response time is typically 24 hours or less.
TrendLabs
Trend Micro TrendLabs is a global network of antivirus research and product support centers that provide continuous, 24 x 7 coverage to Trend Micro customers worldwide. Staffed by a team of more than 250 engineers and skilled support personnel, the TrendLabs dedicated service centers ensure rapid response to any virus outbreak or urgent customer support issue.
The TrendLabs modern headquarters earned ISO 9002 certification for its quality management procedures in 2000. TrendLabs is one of the first antivirus research and support facilities to be so accredited. Trend Micro believes that TrendLabs is the leading service and support team in the antivirus industry. For more information about TrendLabs, visit: http://us.trendmicro.com/us/about/company/trendlabs/.
Security Information Center
Comprehensive security information is available at the Trend Micro website: http://www.trendmicro.com/vinfo/:
v List of viruses and malicious mobile code currently "in the wild," or active.
v Computer virus hoaxes.
v Internet threat advisories.
v Virus weekly report.
v Virus Encyclopedia, which includes a comprehensive list of names and symptoms for known viruses and malicious mobile code.
v Glossary of terms.
Appendix A. Routine CPM Tasks (Quick Lists)
Abbreviated procedures for common CPM for Mac management tasks. Refer to the complete procedure if you need configuration steps, an explanation of choices, or other details.
Scan Management
Configure an On-Demand Scan
1. Click Endpoint Protection > Core Protection Module > Configuration > On-Demand Settings. Use the On-Demand Settings Wizard > Create Configuration Task...
2. To deploy the new settings, click Endpoint Protection > Core Protection Module > Configuration > On-Demand Settings > [scan name].
Start a Scan with Current Endpoint Settings
1. Click Endpoint Protection > Core Protection Module > Common Tasks > Core Protection Module > Core Protection Module - Start Scan Now.
Create and Run a One-time On-Demand Scan
1. Click Endpoint Protection > Core Protection Module > Configuration > On-Demand Settings. Use the On-Demand Settings Wizard > Create Scan Now Task...
2. To deploy the new settings, click Endpoint Protection > Core Protection Module > Configuration > On-Demand Settings > [scan name].
Schedule an On-Demand Scan
1. Click Endpoint Protection > Core Protection Module > Configuration > On-Demand Settings > [scan name].
2. Click the Take Action button and select the Click here to configure these policy settings option.
3. In the Take Action window, click the Target tab and select the target computers.
4. In the Take Action window, click the Execution tab.
v Choose a Start date, and optionally, configure the days you want the scan to run in the Run only on field.
v Select Reapply this action while relevant, waiting 2 days between reapplications (choosing whatever time period suits you).
5. Click OK to deploy the task.
CPM Server Management
The steps below are for experienced IBM BigFix administrators who just need a list for tasks involving the CPM server.
Activate Analysis
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Analyses.
2. In the upper right pane, sort the Name column in alphabetical order.
3. Select all the Core Protection Module for Mac analyses.
4. Right-click the list you have selected and click Activate.
Remove CPM Server Components
1. Click Endpoint Protection > Core Protection Module > Deployment > Uninstall.
2. Click Core Protection Module - Remove Server Components in the list of Actions that appears.
Upgrade CPM Server Components
1. Click Endpoint Protection > Core Protection Module > Deployment > Upgrade.
2. Click Core Protection Module - Upgrade Server Components in the list of Actions that appears.
Remove the CPM for Mac Site
1. From the BigFix Console, click Endpoint Protection > All Endpoint Protection > Sites > External and select the Trend Micro Mac Protection Module.
2. Click the Remove button.
3. At the prompt, type your private key password and click OK.
CPM Client Management
The steps below are for experienced IBM BigFix administrators who want a reference list of tasks involving the CPM clients.
Display the BigFix Icon on Endpoints
From the BigFix Console, click Endpoint Protection > Core Protection Module > Common Tasks > Core Protection Module > Core Protection Module - Enable Client Dashboard. A screen displaying the Task Description tab appears.
View BigFix Hidden Client Statistics for a Given Account
From the endpoint you want to check, press: CTRL+ALT+SHIFT+T
Decrypt Quarantined Files
Note:
Decrypting an infected file might spread a virus or malware to other files.
Trend Micro recommends isolating the computer with infected files by unplugging it from the network. Move important files to a backup location.
When you decrypt or encrypt a file, CPM creates the decrypted or encrypted file in the same folder. For example, to decrypt files in the suspect folder and create a debug log, type: VSEncode [-d] [-debug]
Required files:
v Main file: VSEncode.exe
v Required DLL files: Vsapi32.dll
Run Restore Encrypted Virus using the following parameters:
Parameter      Result
none           Encrypt files in the Suspect folder.
-d             Decrypt files in the Suspect folder.
-debug         Create debug log and output in the client temp folder.
/o             Overwrite encrypted or decrypted file if it already exists.
/f <filename>  Encrypt or decrypt a single file.
/nr            Do not restore original file name.
Deploy CPM Clients
1. Click Endpoint Protection > Core Protection Module > Deployment > Install.
2. Click Core Protection Module - Endpoint Deploy.
Remove CPM Clients
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Deployment > Uninstall.
2. Click Core Protection Module - Endpoint Uninstall in the list of Actions that appears.
Enable the Client Console (for Mac)
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Common Tasks > Core Protection Module > Client.
2. Select Core Protection Module for Mac - Enable Client System Tray Icon.
Pattern File Management
The steps below are for experienced IBM BigFix administrators who just need a list for tasks involving the pattern files.
Configure Updates from the Cloud
From the BigFix Console, click Endpoint Protection > Core Protection Module > Updates > Other Update Tasks > Core Protection Module - Update From Cloud. A screen displaying the Task Description tab appears.
Deploy Selected Pattern Files
By default, all pattern files are included when the pattern is deployed from the BigFix Server to CPM clients. You can, however, select and deploy a subset of patterns.
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Updates > Pattern Update Settings > Create Pattern Update Settings Task.
2. In the list of components that appears, select those that you want to include in the pattern update. By default, all patterns are selected.
3. Click the Create Update Settings Task... button in the upper right corner.
4. Deploy the setting by clicking Endpoint Protection > Core Protection Module > Updates > Pattern Update Settings > [Task name].
Revert to a Previous Pattern File Version
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Updates > Update/Rollback Patterns > Create Pattern Update/Rollback Task.
Update Pattern Files on the CPM Server
1. Configure the ActiveUpdate server and proxy settings. From the BigFix Console, click Endpoint Protection > Core Protection Module > Configuration > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard.
2. Download the Automatic Update script. From the BigFix Console, click Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks. Then select Core Protection Module - Download CPMAutoUpdateSetup Script. If this step completes successfully, Core Protection Module - Enable Automatic Updates - Server is set by default.
3. Update the pattern file on the CPM server. From the BigFix Console, click Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks. Select Core Protection Module - Set ActiveUpdate Server Pattern Update Interval.
Update Pattern Files on the CPM for Mac Clients
1. Enable CPM for Mac clients to receive automatic pattern updates (this is typically a one-time Task). From the BigFix Console, click Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks.
2. Schedule and apply automatic pattern file updates. From the BigFix Console, click Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks.
3. Select Core Protection Module - Apply Automatic Updates. The Task deploys the latest pattern set to the endpoints.
4. Manually update CPM for Mac clients with the latest pattern files: From the BigFix Console, click Endpoint Protection > Core Protection Module > Updates > Update/Rollback Patterns > Create Pattern Update/Rollback Task... The Task deploys the specified pattern set to the endpoints.
Web Reputation
These procedures are for experienced IBM BigFix administrators who need a list of tasks involving Web Reputation.
Enable Smart Protection Server Web Reputation Service
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Common Tasks > Web Reputation.
2. Select Web Reputation - Enable Smart Protection Server Web Reputation Service.
Enable HTTP Web Reputation (port 80)
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Common Tasks > Web Reputation.
2. Select Web Reputation - Enable HTTP Web Reputation Scanning (port 80).
Enable HTTP Web Reputation (all ports other than 80)
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Common Tasks > Web Reputation.
2. Select Web Reputation - Enable HTTP Web Reputation Scanning (all ports other than 80).
Enable HTTPS Web Reputation
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Common Tasks > Web Reputation.
2. Select Web Reputation - Enable HTTPS Web Reputation Scanning.
Configure Web Reputation
1. From the BigFix Console, click Endpoint Protection > Core Protection Module > Common Tasks > Web Reputation.
2. Select Web Reputation - Configure Web Reputation Security Level. A screen displaying the Task Description tab opens.
Appendix B. Reference Lists
Reference lists of available Virus/Malware Scan Actions, Pattern and Scan Engine Files, and Scan Action Results for Compressed Files.
Available Virus/Malware Scan Actions
Delete
CPM for Mac deletes the infected file.
Quarantine
CPM for Mac moves infected files to the following, non-configurable, directory on the client’s computer:
/Library/Application Support/TrendMicro/common/lib/vsapi/quarantine/
Clean
CPM for Mac cleans the infected file before allowing full access to the file.
If the file is uncleanable, CPM for Mac performs a second action, which can be one of the following actions: Quarantine (typical), Delete, Rename or Pass.
Pass
CPM for Mac performs no action on the infected file but records the virus or malware detection in the logs. The file stays where it is located. CPM for Mac cannot use this scan action during Real-time Scan because performing no action when an attempt to open or execute an infected file is detected allows virus and malware code to execute. All the other scan actions can be used during Real-time Scan.
For the "probable virus/malware" type, CPM for Mac always performs no action on detected files (regardless of the scan type) to mitigate false positives. If further analysis confirms that the probable virus or malware is indeed a security risk, a new pattern will be released to allow CPM for Mac to take the appropriate scan action. If actually harmless, the probable virus or malware will no longer be detected.
Pattern and Scan Engine Files
Virus Pattern
A file that helps CPM’s conventional scan clients identify virus signatures, unique patterns of bits and bytes that signal the presence of a virus.
Virus Scan Engine
The engine that scans for and takes appropriate action on viruses/ malware; supports 32-bit and 64-bit platforms.
Spyware Active-monitoring Pattern File
Used for real-time spyware/grayware scanning.
Scan Action Results for Compressed Files
Case 1
Status of Clean/Delete Infected Files in Compressed Files: Enabled
CPM for Mac Action: Clean or Delete
Compressed File Format: Not supported
Example: def.rar contains an infected file 123.doc.
Result: CPM for Mac encrypts def.rar but does not clean, delete, or perform any other action on 123.doc.
Case 2
Status of Clean/Delete Infected Files in Compressed Files: Disabled
CPM for Mac Action: Clean or Delete
Compressed File Format: Supported/Not supported
Example: abc.zip contains an infected file 123.doc.
Result: CPM for Mac does not clean, delete, or perform any other action on either abc.zip or 123.doc.
Case 3
Status of Clean/Delete Infected Files in Compressed Files: Enabled/Disabled
CPM for Mac Action: Not Clean or Delete (in other words, any of the following: Quarantine or Pass)
Compressed File Format: Supported/Not supported
Example: abc.zip contains an infected file 123.doc.
Result: CPM performs the configured action (Quarantine or Pass) on abc.zip, not 123.doc. If the action is Quarantine: CPM for Mac quarantines abc.zip (123.doc and all non-infected files are quarantined). If the action is Pass: CPM for Mac performs no action on either abc.zip or 123.doc but logs the virus detection.
Appendix C. Understanding Security Risks
Overview of common security risks: viruses, malware, spyware, grayware, and web threats.
Terminology
Computer security is a rapidly changing subject. Administrators and information security professionals invent and adopt various terms and phrases to describe potential risks or uninvited incidents to computers and networks. Some of these terms refer to real security risks and some refer to annoying or unsolicited incidents.
Trojans, viruses, malware, and worms are examples of terms that are used to describe real security risks. Joke programs, spyware, and grayware are terms that are used to describe incidents that might be harmful, but are sometimes simply annoying and unsolicited. CPM can protect Exchange servers against all of the incidents that are described in this appendix.
Internet Security Risks
Thousands of viruses and malware programs are known to exist, with more being created each day. These include spyware, grayware, phish sites, network viruses and malware, Trojans, and worms. Collectively, these threats are known as security risks. Here is a summary of the major security risk types:
Threat Type and Characteristics
Denial-of-Service (DoS) attack
A DoS attack happens when a mail server’s resources are overwhelmed by unnecessary tasks. Preventing the scanning of files that decompress into very large files helps prevent this problem from happening.
Phish
Unsolicited email that requests user verification of private information, such as credit card or bank account numbers, with the intent to commit fraud.
Spyware and Grayware
Technology that aids in gathering information about a person or organization without their knowledge.
Trojan Horse Program
Malware that performs unexpected or unauthorized, often malicious, actions. Trojans cause damage, unexpected system behavior, and compromise system security, but unlike viruses and other types of malware, they do not replicate.
Viruses and Malware
A program that carries a destructive payload, and replicates - spreading quickly to infect other systems. By far, viruses and malware remain the most prevalent threat to computing.
Worm
A self-contained program or set of programs that are able to spread functional copies of itself or its segments to other computer systems, typically through network connections or email attachments.
Other Malicious Codes
Scanning detects some malicious code that is difficult to categorize, but poses a significant threat to Exchange. This category is useful when you want CPM to take an action against a previously unknown threat type.
Packed files
Potentially malicious code in real-time compressed executable files that arrive as email attachments. IntelliTrap scans for packing algorithms to detect packed files. Enabling IntelliTrap allows administrators to take user-defined actions on infected attachments, and to send notifications to senders, recipients, or administrators.
Viruses and Malware
A computer virus or malware program is a segment of code with the ability to replicate by infecting files. When a virus or malware infects a file, it attaches a copy of itself to the file in such a way that when the file executes, the virus or malware also runs. When this happens the infected file becomes capable of infecting other files. Like biological viruses, computer viruses and malware can spread quickly and are often difficult to eradicate.
In addition to replication, some computer viruses and malware share another commonality: a damage routine that delivers a payload. While payloads might display only messages or images, they can also destroy files, reformat your hard disk, or cause other damage. Even if the virus does not contain a damage routine, it can cause trouble by consuming storage space and memory, and degrading computer performance.
Generally, there are three kinds of viruses and malware:
File
File viruses and malware come in different types: there are DOS viruses and malware, Windows viruses and malware, macro viruses and malware, and script viruses and malware. All of them share characteristics but infect different types of host files or programs.
Boot
Boot viruses and malware infect the partition table of hard disks and the boot sector of hard disks and diskettes.
Script
Script viruses and malware are written in script programming languages, such as Visual Basic Script and JavaScript, and are usually embedded in HTML documents. VBScript (Visual Basic Script) and JScript (JavaScript) viruses and malware make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98, Windows 2000 and other Windows operating systems, the viruses and malware can be activated simply by double-clicking a *.vbs or *.js file from Windows Explorer.
What is so special about script viruses and malware? Unlike programming binary viruses and malware, which requires assembly-type programming knowledge, virus and malware authors program script viruses and malware as text. A script virus can become functional without low-level programming and with code as compact as possible. It can also use predefined objects in Windows to make accessing many parts of the infected system easier (for example, for file infection, for mass-mailing).
Furthermore, since the code is text, it is easy for others to read and imitate the coding paradigm. Because of this, many script viruses and malware programs have several variants. For example, shortly after the "I love you" virus appeared, antivirus vendors found modified copies of the original code, which spread themselves with different subject lines, or message bodies.
Whatever their type, the basic mechanism remains the same. A virus contains code that explicitly copies itself. In the case of file viruses and malware, it usually entails making modifications to gain control when a user accidentally executes the infected program.
After the virus code finishes execution, it typically passes control back to the original host program to give the impression that nothing is wrong with the infected file.
Take note that there are also cross-platform viruses/malware. These types of virus and malware programs can infect files on different platforms (for example, Windows and Linux). However, such programs are rare and seldom achieve 100% functionality.
Spyware and Grayware
Your clients are at risk from potential threats other than viruses/malware.
Grayware can negatively affect the performance of the computers on your network and introduce significant security, confidentiality, and legal risks to your organization.
Spyware
Gathers data, such as account user names and passwords, and transmits them to third parties.
Adware
Displays advertisements and gathers data, such as user web surfing preferences, to target advertisements at the user through a web browser.
Dialers
Change computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem.
Joke Programs
Cause abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes.
Hacking Tools
Help hackers enter computers.
Remote Access Tools
Help hackers remotely access and control computers.
Password Cracking Applications
Other
Other types that are not covered above.
Potential Risks and Threats
The existence of spyware and grayware on your network has the potential to introduce:
Reduced computer performance
To perform their tasks, spyware and grayware applications often require significant CPU and system memory resources.
Increased web browser-related crashes
Certain types of grayware, such as adware, are often designed to create pop-up windows or display information in a browser frame or window.
Depending on how the code in these applications interacts with system processes, grayware can sometimes cause browsers to crash or freeze and might even require a system reboot.
Reduced user efficiency
By needing to close frequently occurring pop-up advertisements and deal with the negative effects of joke programs, users can be distracted from their main tasks.
Degradation of network bandwidth
Spyware and grayware applications often transmit the data that they collect to other applications on your network or to locations outside of your network.
Loss of personal and corporate information
Not all data that spyware and grayware applications collect is as innocuous as a list of websites users visit. Spyware and grayware can also collect the user names and passwords users type to access their personal accounts, such as a bank account, and corporate accounts that access resources on your network.
Higher risk of legal liability
If hackers gain access to the computer resources on your network, they might use your client computers to start attacks or install spyware or grayware on computers outside your network. Having your network resources unwillingly participate in these types of activities might leave your organization legally liable to damages incurred by other parties.
How Spyware/Grayware Gets into your Network
Spyware and grayware often get into a corporate network when users download legitimate software that has grayware applications included in the installation package. Most software programs include an End User License Agreement (EULA), which the user must accept before downloading the software. Often the EULA does include information about the application and its intention to collect personal data; however, users often overlook this information or do not understand the legal jargon.
Guarding Against Spyware, Grayware, and Other Threats
There are many steps that you can take to prevent the installation of spyware/grayware onto your computer. Trend Micro suggests:
- Configure On-Demand, Real-time, and Scheduled On-Demand Scans to find and remove spyware/grayware files and applications.
- Educate your client users to:
  – Read the End User License Agreement (EULA) and included documentation of applications they download and install on their computers.
  – Click No to any message requesting authorization to download and install software unless client users are certain both the creator of the software and the website they view are trustworthy.
  – Disregard unsolicited commercial email (spam), especially if the spam asks users to click a button or hyperlink.
- Configure web browser settings that ensure a strict level of security. Trend Micro recommends requiring web browsers to prompt users before they install ActiveX controls.
- If they use Microsoft Outlook, configure the security settings so that Outlook does not automatically download HTML items, such as pictures sent in spam messages.
- Do not allow the use of peer-to-peer file-sharing services. Spyware and other grayware applications can be masked as other types of files your users might want to download, such as MP3 music files.
- Periodically examine the installed software on your agent computers and look for applications that might be spyware or other grayware.
- Keep your Windows operating systems updated with the latest patches from Microsoft. See the Microsoft website for details.
Appendix D. Support
For more information about this product, see the following resources:
- IBM Knowledge Center
- IBM BigFix Support Center
- IBM BigFix Family support
- IBM BigFix wiki
- Knowledge Base
- IBM BigFix Forum
Notices
This information was developed for products and services that are offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to change before the products described become available.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.
Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:
Portions of this code are derived from IBM Corp. Sample Programs.
© Copyright IBM Corp. _enter the year or years_. All rights reserved.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the web at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of The Minister for the Cabinet Office, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM® Corp. and Quantum in the U.S. and other countries.
Terms and conditions for product documentation
Permissions for the use of these publications are granted subject to the following terms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the IBM website.
Personal use
You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.
Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.
IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
IBM®
Printed in USA