Trend Micro Core Protection Module 2.0 Administrator's Guide
Contents
1. 123.doc
   Status of Clean/Delete Infected Files in Compressed Files | CPM for Mac Action | Compressed File Format | Result
   Enabled | Clean or Delete | Not supported. Example: def.rar contains an infected file 123.doc. | CPM for Mac encrypts def.rar but does not clean, delete, or perform any other action on 123.doc.
   Disabled | Clean or Delete | Supported/Not supported. Example: abc.zip contains an infected file 123.doc. | CPM for Mac does not clean, delete, or perform any other action on both abc.zip and 123.doc.
   Enabled/Disabled | Not Clean or Delete (in other words, any of the following: Quarantine or Pass) | Supported/Not supported. Example: abc.zip contains an infected file 123.doc. | CPM performs the configured action (Quarantine or Pass) on abc.zip, not 123.doc. If the action is Quarantine: CPM for Mac quarantines abc.zip (123.doc and all non-infected files are quarantined). If the action is Pass: CPM for Mac performs no action on both abc.zip and 123.doc but logs the virus detection.

   Appendix C: Understanding Security Risks
   This appendix describes common security risks (viruses/malware, spyware/grayware, and web threats). Topics in this appendix include:
   - Understanding the Terms on page C-2
   - Ab
2. a Endpoint Protection Domain 2 site Source amp 2 5 Core Protection Module Core Protection Module Apply Automatic Updates Trend Micro Core Protection Module BETA lt Unsp sal Overview Core Protection Module Disable Automatic Updates Endpoint Trend Micro Core Protection Module BETA lt Unsp Core Protection Module Disable Automatic Updates Server Trend Micro Core Protection Module BETA lt Unsp za Protection Status Trend Micro Core Protection Module BETA lt Unsp c fh Quick Start 12 Trend Ci i Mo ETA lt Unsp m Reports a ervi 5 Eh Common Tasks 52 c Eh Deployment 34 0 Ef Updates 11 Take Action 7 Edt Copy gt Export Hide Locally Hide Globally Remove c h Update Rollback Patterns Eh Pattern Update Settings Description Details Applicable Computers 0 Action History 1 Eh Automatic Update Tasks Eh Other Update Tasks 2 a E Configuration 46 Description amp amp Analyses 37 Take the action below to enable automatic updates on Core Protection Module endpoints E Troubleshooting 22 F All Endpoint Protection Important Note This action only sets a flag on the endpoint and does not actually apply any pattern files There must be a corresponding policy action taken from the Apply Automatic Updates task in order for new patterns to How to Sie eaea Additionally the server components must also have automatic updates configured and enabled Click here to enable au
3. Chapter 4: Configuring and Managing CPM for Mac
   Before using this chapter, you should already have the ESP Server, ESP Console, and at least one ESP Agent installed. In addition, you should have already installed the CPM for Mac server, deployed CPM for Mac clients, and updated their pattern files. If you have not, see Chapters 2 and 3 for the procedures. Topics in this chapter include:
   - Using the CPM Dashboard and Menu on page 4-2
   - Configuring and Running Malware Scans on page 4-5
   - Client Updates from the Cloud on page 4-12
   - Previous Pattern File Version Rollback on page 4-14
   - Deploying Selected Pattern Files on page 4-18
   - Smart Protection Server Configuration on page 4-20

   Using the CPM Dashboard and Menu
   Open the CPM for Mac Console by clicking the Windows Start button, then All Programs > Trend Micro Endpoint Security Platform > ESP Console. When prompted, log in as a Master Console Operator.

   Tips for Navigating the CPM Console
   When you open the ESP Console, you will notice that there are two systems of navigation: the All Content or Endpoint Protection menus, which access different folder trees. Both are shown in the following figure.
   Procedure
   1. Use one of the following paths to access the CPM console:
      a. Select the All Contents menu item at the bottom left of the ESP console window. In the navigation tree, go to Fixlet
4. 1 hour between reapplications.
   7. Click OK.
   8. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.
   CPM for Mac clients that leave the internal network now update directly from the ActiveUpdate server. Once the client returns to the OfficeSite location, the update source switches back to the CPM server.

   Troubleshooting
   This chapter includes information to help with basic troubleshooting and problem solving. Topics in this chapter include:
   - Installation on page 8-2
   - Malware Scanning on page 8-3
   - Debug Logs on page 8-4
   - Watchdog Functionality on page 8-11

   Installation
   The CPM for Mac installer writes install logs to the following file:
   /var/log/TrendMicro/TMMPMInstallResult.log
   The log typically includes the install start and finish time, current status, and any error codes encountered. If the status upon completion is not 5 or 6, an error occurred.

   Installation Status Codes
   TABLE 8-1. Installation Status Codes
   Number Code | Definition
   0 | Preparing Installation
   1 | Installing CPM for Mac Component
   2 | Upgrading CPM for Mac Component
   3 | Installing iCore Component
   4 | Upgrading iCore Component
   5 | Done
   6 | Done But Need Reboot
   7 | Installing BF AU Server Component
   8 | Upgrading BF AU
5. [Screenshot: Core Protection Module On Demand Scan Settings Wizard, Scan Target tab]
   Configuring the Scan Target Tab
   Note: Core Protection Module for Mac supports the following configuration options on the Scan Target tab: Core Protection Module for Mac
6. You can add or import up to 500 URLs in a given list.

   Blocked and Approved List Templates
   The Web Reputation Blocked Approved List Wizard enables you to create and maintain global lists of websites in the form of templates that you can use to control your users' web access. Once you have defined these templates, you use them to create Custom Tasks, which you can then apply to your endpoints. There are two types of URL lists you can create and group into templates using the Wizard:
   - Blocked Lists: These are lists of blocked websites. If the endpoint tries to access a site in one of these lists, they receive a message in their web browser indicating that access to the site is blocked.
   - Approved Lists: These are lists of websites you allow your endpoints to access without restriction.
   Note: Use care when selecting sites for Approved Lists. Once a site is added to an Approved List, it will no longer be checked. Therefore, endpoints connecting to that site would no longer be protected by WR, should that site become a host for malware at some point in the future.
   By creating multiple tasks, you can apply different sets of Blocked and Approved List templates to different users or groups of users. You can perform the following tasks:
   - Create and deploy a New Blocked Approved List Template
   - Create and deploy a New Blocked Approved List Template by importing an existing list
7. 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Updates > Pattern Update Settings > Create Pattern Update Settings Task.
   The Update Settings Wizard screen opens.
   [Screenshot: Update Settings Wizard, listing each component with its Current Version and Last Update]
8. If administrators select an unsupported option for the first action, such as Rename, CPM for Mac does not apply the generated Action for this configuration and the original value is retained.
   - First action: CPM for Mac supports only three types of the first action: 1. Clean 2. Delete 3. Quarantine
   - Second action: CPM for Mac supports only two types of the second action: 1. Delete 2. Quarantine

   On Demand Scan Settings Wizard
   CPM for Mac no longer supports the following options and features.
   TABLE 1-1. What's New or Changed
   Option | Resolution
   All Spyware/Grayware actions options | Ignored, and Virus/Malware settings used
   Files to Scan: Windows filters by extension, Mac takes lists of filenames | Different target options between CPM and CPM for Mac are used
   Scan Compressed files maximum layers | Ignored on Mac
   Scan Boot Area | Ignored on Mac
   Enable IntelliTrap | Ignored on Mac
   CPU Setting: Medium | Ignored on Mac
   Scan Exclusion options | Ignored on Mac. Note: To configure Scan Exclusions for Mac, use the Scan Exclusion Settings for Mac wizard. For details, see Configuring Scan Exclusion Lists on page 5-15.
   Rename action option | Ignored on Mac
   Specific action for virus type | Use defaults (Clean, Quarantine)
   Backup Files before cleaning | Ignored on Mac
   Display a notification messa
9. Select Web Reputation Enable HTTP Web Reputation Scanning all ports other than 80.

   Enabling HTTPS Web Reputation
   Procedure
   1. In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Common Tasks > Web Reputation.
   2. Select Web Reputation Enable HTTPS Web Reputation Scanning.

   Configuring Web Reputation
   Procedure
   1. In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Common Tasks > Web Reputation.
   2. Select Web Reputation Configure Web Reputation Security Level.
   A screen displaying the Task Description tab appears.

   Appendix B: Reference Tables
   The reference tables in this appendix include:
   - Available Virus/Malware Scan Actions on page B-2
   - Pattern and Scan Engine Files on page B-2
   - Scan Action Results for Compressed Files on page B-3

   Available Virus/Malware Scan Actions
   Scan Action | Description
   Delete | CPM for Mac deletes the infected file.
   Quarantine | CPM for Mac moves infected files to the following non-configurable directory on the client's computer: /Library/Application Support/TrendMicro/common/lib/vsapi/quarantine
   Clean | CPM for Mac cleans the infected file before allowing full access to the file. If the file is uncleanable, CPM for Mac performs a second action, which can be one of the following action
10. [Screenshot: list of dated pattern folders, each with a Rollback To button]
   4. Click the Deploy button across from the folder. In the pop-up window that appears, choose:
      - Deploy a one time action: Opens the Take Action window and allows you to select the computers you want to apply this one-time Action to. Any computers included in the Target that are not relevant for the Action at the time of deployment will respond with a "not relevant" statement. Click OK.
      - Create an update Fixlet: Opens the Edit Fixlet Message window and allows you to configure a Fixlet that will deploy the Action whenever the selected clients become relevant. When finished, click OK, and in the window that opens, click the hyperlink that appears below Actions to open the Take Action window.
   5. In the Target tab that opens, click All computers with the property values selected in the tree list below. Choose a property that will include all the computers you want to deploy this Action
11. 18 Smart Protection Server Configuration wc 4 20 Configuring the Smart Protection Server List wees 4 21 Creating a Smart Protection Server List Deployment Task 4 22 Deploying the Smart Protection Server List ccccseeeeeeeeseeseeseees 4 24 Chapter 5 Configuration Wizards Reference Available Wizards ounen dbneeresseoes 5 2 ActiveUpdate Server Settings Wizard sssss sssssssssssssssssssssssseeeresssrererersssereres 5 2 SOUECE E E S 5 2 PORY ouii aaraa AOE Ean SAER cused EAE ERAD EERE 5 4 UNE a T E 5 4 On Demand Scan Settings Wizard for Mac ss ssssssssssssssssserssssssreresssserere 5 4 Configuring the Scan Target Tab sscsssssssvsosssssssscsvotsesonesessvrseistetuietens 5 5 Configuring the Scan Exclusion Tab ssssssssssssssssssssssssreressssrrrrreerrreee 5 7 Configuring the Scan Action Tab s s sssssssesssesssreresessseereserserereressssrrees 5 7 Real Time Scan Settings Wizard ssssssssssssssssssssssseeesessssereeesesnerereesssnserensssssss 5 9 Configuring the Scan Target Tab sissssssssisssdesssocsedisssesdesasesessessvsbensdeonss 5 9 Configuring the Scan Exclusion Tab ssssssssssssssssssssssssrrreresssrrrrreeses 5 10 Configuring the Scan Action Tab Scan Exclusions ccccccessssessesesseseeeesessesees Scan Exclusion List Files Configuring Scan Exclusion Lists Chapter 6 Using Web Reputation About Web Reputation si iscccscsecsssssssssssrsersecvssasesosasesstiecestsecessosacetesbecebecvecese 6 2 How Web R
12. 4 10 scan action 5 7 scheduling 4 10 wizard 5 5 5 7 password cracking applications C 5 pattern files 1 12 2 4 2 5 3 7 3 10 3 12 4 14 4 15 4 17 4 18 deploying 4 18 incremental updates 3 7 logs 8 7 8 9 manual updates 3 12 Index pattern matching 1 13 rollbacks 4 14 4 15 4 17 scheduling updates 3 10 several on server 1 13 updates 2 5 2 8 3 7 updates from the Cloud 3 8 updating clients 3 83 10 3 12 updating on the ESP server 2 4 version numbering 1 13 pattern matching 1 13 phish C 2 proxy servers 8 9 logs 8 9 R Real time scan B 2 scan actions B 2 Real Time Scan 5 10 scan action 5 10 wizard 5 10 remote access tools C 5 rollbacks 4 14 performing 4 15 re enabling updates 4 17 S scan actions B 2 scan engine 1 12 1 14 3 7 pattern matching 1 13 update events 1 14 updates 1 14 3 7 virus malware 1 13 scans 4 5 4 7 4 9 4 10 configuring virus malware scans 4 5 default settings 4 7 4 9 On Demand scan 4 9 4 10 starting 4 9 virus malware 4 5 Security Information Center 9 4 security risks C 2 C 7 compressed files C 3 Denial of Service C 2 Denial of Service attack C 2 graywate C 2 other malicious codes C 3 packed files C 3 phish C 2 spyware C 2 spyware grayware C 2 C 5 C 7 Trojan Horse C 3 viruses malware C 3 worms C 3 Set ActiveUpdate Server Pattern Update Interval 2 9 Smart Protection Network 1 10 Smart Protection Rela
13. CPM for Mac clients that have been enabled for automatic updates check the following file:
   /Library/Preferences/com.bigfix.BESAgent.plist

   Proxy Servers
   If there is a proxy server between the ESP Server and Internet, two separate configurations are necessary:
   - The ESP Server proxy authentication settings: Used by BESGather service and typically set during the ESP Server install. See the following knowledge base article for more information: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=231
   - CPM server component proxy authentication settings: Used by the update program, TMCPMAuHelper.exe. Set or check this from Endpoint Protection > Core Protection Module > Configuration > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard.

   Additional Information
   Continue Testing
   If the latest pattern file already exists on the CPM server, you will need to perform the following manual steps to continue testing.
   Procedure
   1. Locate and delete the following folder: CPM_SERVER_INSTALL_FOLDER\bin\AU_Data
   2. Delete all files and any subfolders from this directory, but not the folder itself: CPM_SERVER_INSTALL_FOLDER\download
   3. From Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks, run the Core Protection Module Set ActiveUpdate Server Pattern Update Interval Task.

   Client Side Loggin
14. Detection Technologies
   At the heart of all Trend Micro products lies a scan engine. Originally developed in response to early file-based computer viruses, the scan engine now detects Internet worms, mass mailers, Trojan horse threats, phish sites, spyware, and network exploits as well as viruses. The scan engine checks for threats "in the wild," or actively circulating, and those that are "in the zoo," or known, theoretical threat types typically created as a proof of concept.
   Rather than scanning every byte of every file, the engine and pattern file work together to identify tell-tale virus characteristics and the exact location within a file where the malicious code inserts itself. CPM for Mac can usually remove this virus or malware upon detection and restore the integrity of the file (that is, "clean" the file).

   Scan Engine Updates
   By storing the most time-sensitive virus and malware information in the pattern files, Trend Micro minimizes the number of scan engine updates required while at the same time keeping protection up to date. Nevertheless, Trend Micro periodically makes new scan engine versions available. Trend Micro releases new engines under the following circumstances:
   - Incorporation of new scanning and detection technologies into the software
   - Discovery of new, potentially harmful malware unhandled by the current engine
   - Enhancement of the scanning perform
15. Patterns > Create Pattern Update Rollback Task.
   The Pattern Update and Rollback Wizard opens.
   [Screenshot: Pattern Update and Rollback Wizard, list of dated pattern folders]
   3. In the list of folders that appears, click the > icon to expand and display the pattern file version you want to rollback to.
   4. Click the Rollback To button across from the folder. In the pop-up window that appears, choose:
      - Deploy a one time action to open the Take Action window and select the computers you want to apply this one-time Action to. Any computers included in the Target that are not relevant for the Action at the time of d
16. Protection Module > Analyses.
   2. In the upper right pane, sort the Name column in alphabetical order.
   3. Select all the Core Protection Module for Mac analyses.
   4. Right-click the list you have selected and click Activate.

   Removing CPM Server Components
   Procedure
   1. Click Endpoint Protection > Core Protection Module > Deployment > Uninstall.
   2. Click Core Protection Module Remove Server Components in the list of Actions that appears.

   Upgrading CPM Server Components
   Procedure
   1. Click Endpoint Protection > Core Protection Module > Deployment > Upgrade.
   2. Click Core Protection Module Upgrade Server Components in the list of Actions that appears.

   Removing the CPM for Mac Site
   Procedure
   1. In the ESP Console, click Endpoint Protection > All Endpoint Protection > Sites > External and select the Trend Micro Mac Protection Module.
   2. Click the Remove button.
   3. At the prompt, type your private key password and click OK.

   CPM Client Management
   The steps below are for experienced ESP administrators who just need a list for tasks involving the CPM clients. Procedures include:
   - Displaying the ESP Icon on Endpoints on page A-6
   - Viewing ESP Hidden Client Statistics for a Given Account on page A-6
   - Decrypting Quarantined Files on page A-6
   - Deploying CPM Clients on page A-7
   - Removing CPM Clients on page A-7
17. Server Component

   Installation Error Codes
   TABLE 8-2. Installation Error Codes
   Number Code | Definition
   0 | Installation was successful
   1 | Incorrect platform detected
   2 | Package extraction was unsuccessful
   3 | Insufficient disk space
   4 | Administrator privilege required
   5 | A newer version of Core Protection Module for Mac exists
   6 | Computer restart required before installation/migration
   7 | Unable to start Core Protection Module for Mac service(s)
   8 | Unable to stop Core Protection Module for Mac service(s)
   9 | Installation time-out occurred
   10 | Another installer package is running
   11 | Command line time-out argument is invalid
   12 | File copy process was unsuccessful
   13 | Unknown error
   14 | Another Trend Micro antivirus product is installed
   15 | Another third-party antivirus product is installed
   16 | Uninstallation was unsuccessful

   Malware Scanning
   Enabling Debug Logging
   Procedure
   1. Open Terminal.
   2. Change your location to the /Library/Application Support/TrendMicro/MPM directory.
   3. Use the root permission to run the CaseDiagnosticTool AllOn command.

   Disabling Debug Logging
   Procedure
   1. Open Terminal.
   2. Change your location to the /Library/Application Support/TrendMicro/MPM directory.
18. and removing any malware that they detect. These components run undetected by end users and use minimal system resources. You need to install a CPM for Mac client on each endpoint that you want to protect. These endpoints should already have the ESP Agent installed.

   Component | Description
   Smart Protection Network | Trend Micro Smart Protection Network is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that leverages malware prevention signatures that are stored in the cloud. This solution leverages file, email, and web reputation technology to detect security risks. The technology works by offloading a large number of malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Servers or Trend Micro Smart Protection Network. Using this approach, the system and network impact of the ever-increasing volume of signature updates to endpoints is significantly reduced.
   Smart Protection Server | Trend Micro Smart Protection Servers enable corporate customers to tailor Smart Protection Network utilization within their corporate IT infrastructure for the best privacy, response time, and customized File and Web Reputation Services. The Smart Protection Server can be monitored using a customized dashboard along with email a
19. and spyware. The CPM for Mac client package is about 40MB, and each endpoint will be directed to download the file from the ESP Server or Relay. If you target your endpoints using properties rather than by computer (which is the recommended behavior), any endpoint that subsequently joins the network will automatically receive the CPM for Mac client. Installation takes about ten minutes, and the CPM for Mac client can be installed with or without the target user's consent. Installation does not typically require a restart. In addition, the client will be briefly disconnected from the network.
   Note: Prior to deploying the CPM for Mac client, be sure your targeted endpoints are not running a conflicting product (see Conflicting or Incompatible Programs on page 3-15) and that they meet the hardware and software requirements as explained in Identifying Ineligible Endpoints on page 3-3.
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Deployment > Install.
   3. Note the number of eligible clients in the parenthesis after Install.
   4. From the list on the right pane, select Core Protection Module for Mac Endpoint Deploy. A screen displaying the Task Description tab appears.
   5. Below Actions, click the hyperlink to open the Take Action window. In th
20. and the Relevance tabs if necessary, to reflect your goals. Click OK. At the prompt, type your private key password and click OK. A screen displaying the Task Description tab appears. The Task is added below Pattern Update Settings on the CPM for Mac Dashboard.
   8. Below Actions, click the hyperlink to open the Take Action window.
   9. In the Target tab, click All computers with the property values selected in the tree list below, and then choose a property that will include all the computers you want to deploy this Action to.
      - Execution: Set the deployment time and retry behavior, if any.
      - Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
      - Messages: Configure these options to passively notify the user that the install is going to occur, to obtain consent, or to ask users to stop using their computer while the install occurs.
   10. When finished identifying the computers you want to receive the selected patterns, click OK.
   11. At the prompt, type your private key password and click OK.
   12. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.

   Smart Protection Server Configuration
   Smart Protection Server Settings only need to be configured and deployed if there are Smart Protection Serve
21. > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard.
   - Download the Automatic Update script: In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks. Then select Core Protection Module Download CPMAutoUpdateSetup Script. If this step completes successfully, Core Protection Module Enable Automatic Updates Server is set by default.
   - Update the pattern file on the CPM server: In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks. Select Core Protection Module Set ActiveUpdate Server Pattern Update Interval.

   Updating Pattern Files on the CPM for Mac Clients
   Procedure
   1. Enable CPM for Mac clients to receive automatic pattern updates (this is typically a one-time Task): In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks.
   - Schedule and apply automatic pattern file updates: In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks. Select Core Protection Module Apply Automatic Updates. The Task deploys the latest pattern set to the endpoints.
   - Manually update CPM for Mac clients with the latest pattern files: In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Upd
22. have. Topics in this chapter include:
   - Contacting Technical Support on page 9-2
   - Documentation Feedback on page 9-3
   - Knowledge Base on page 9-3
   - TrendLabs on page 9-3
   - Security Information Center on page 9-4

   Contacting Technical Support
   Trend Micro provides technical support, pattern downloads, and program updates for one year to all registered users, after which you must purchase renewal maintenance. If you need help or just have a question, please feel free to contact us. We also welcome your comments.
   - Get a list of the worldwide support offices at http://esupport.trendmicro.com
   - Get the latest Trend Micro product documentation at http://docs.trendmicro.com
   In the United States, you can reach the Trend Micro representatives through phone, fax, or email:
   10101 North De Anza Blvd., Cupertino, CA 95014
   Toll free: 1-800-228-5651 (sales)
   Voice: 1-408-257-1500 (main)
   408-257-2003
   Web address: http://www.trendmicro.com
   Email: support@trendmicro.com

   Speeding Up Your Support Call
   When you contact Trend Micro, to speed up your problem resolution, ensure that you have the following details available:
   - Operating System and Service Pack version
   - Network type
   - Computer brand, model, and any additional hardware connected to your computer
   - Browser version
   - Amount of memory and free hard disk space on
23. relevant.
   7. Click OK.
   8. At the prompt, type your private key password and click OK.
   9. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.

   Manually Updating CPM for Mac Clients with the Latest Patterns
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Updates > Updates Rollback Patterns > Create Pattern Update Rollback Task. The Pattern Updates Wizard opens.
   3. In the list of folders that appears, click the > icon next to most recent folder to expand and display individual patterns, as shown in the following figure.
   Note: If you recently updated the pattern file for the first time, there will be only one folder available.
   [Screenshot: Pattern Update and Rollback Wizard, Available Pattern Updates list with Description, Version, and Architecture columns]
24. the ESP Server and the Internet, you need to identify it and provide any required log on credentials. The proxy server you identify here is not "inherited" for use by other CPM for Mac components, including the client settings for Web Reputation. That is a separate configuration. Likewise, if you have configured a proxy to enable BESGather service (typically identified during install), those settings will not be inherited for pattern updates, even if the same proxy is being used.

   Choosing an Update Source
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Configuration > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard. The Server Settings Wizard opens.
   3. Under Source, choose Trend Micro's ActiveUpdate Server. See ActiveUpdate Server Settings Wizard on page 5-2 for information about all the configuration choices available on this page.
   4. Under Proxy, click Use a proxy server for pattern and engine updates and provide the following (there is no validation checking; be sure of the settings you configure here):
      - Proxy Protocol: Choose the option that reflects your proxy server.
      - Server Name or IP: Use an IP address if you have not configured ESP Server to recognize host names.
      - Port: Typically, this is port 80 or 8080.
      - User Name: Type a name with acce
25. the compressed file if the size exceeds 2 MB. Stop scanning after CPM detects __ virus/malware in the compressed file.
   [Figure: Global Settings Wizard, Create Global Settings Configuration Task. Options shown: Configure scan settings for large compressed files (Do not scan files in the compressed file if the size exceeds 2 MB; Stop scanning after CPM detects __ viruses/malware in the compressed file); Scan OLE objects (Maximum layers: 3); Exclude Microsoft Exchange server folders from scanning; Clean/Delete infected files within compressed files; Enable assessment mode; Scan for cookies; Reserve 60 MB of disk space for updates]
26. the degree of sensitivity that WR uses when evaluating URLs Configuring a Default WR Security Level Procedure 1 From the ESP Console menu click Endpoint Protection on the bottom left pane Using Web Reputation From the upper left navigation pane go to Core Protection Module gt Common Tasks gt Core Protection Module gt Web Reputation Click Web Reputation Configure Web Reputation Security Level A screen displaying the Task Description tab appears Below Actions choose a Security Level by clicking the hyperlink The Take Action window opens In the Target tab select all Applicable Computers to apply the WR security level to all your endpoints Click OK In the Action Summary window that opens monitor the Status and Count of the Action to confirm that it is Running and then Completed Using Web Reputation in CPM for Mac The following rules apply when creating Approved Lists and or Blocked Lists Secure URLs those starting with https are supported after enabling HTTPS Web Reputation Include all subdirectories by using the wildcard http www example com Include all sub domains by using the wildcard http example com Not valid https www example To import a URL that uses a non standard port use the following format http www example com 8080 URLs can be up to 2083 characters long List each URL on a new line Core Protection Module
27. the server has an ESP Agent installed or that the CPM components have not already been updated on the server.
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. Click Deployment > Upgrade > Upgrade CPM Server.
   3. Below Actions, click the hyperlink to open the Take Action window.
   4. Select Specify computers selected in the list below. In the Applicable Computers list, the ESP Server that is updating the CPM for Mac components will appear as the only relevant computer.
   5. Click OK.
   6. At the prompt, type your private key password and click OK. A status summary page appears when the Task is finished.
   7. Close any open windows to return to the Dashboard view.
   Updating Pattern Files on the Server
   It is critically important to keep the ESP Server, Relays, and all CPM for Mac clients up to date with the current pattern and engine files from Trend Micro. CPM for Mac uses pattern files to identify viruses, spyware, and other malware threats (see Understanding Security Risks on page C-1 for the complete list). Not all patterns are updated every day. There are days, however, such as when a new threat is released and hackers are writing hundreds of variations to try and avoid detection, that one or all the patterns are updated often over the course of a day or week. Trend Micro recommends that you update the virus pattern file on the ESP Server
28. the updates are not working properly, check the Action or the ESP Agent logs on the ESP Server.
   Check the ESP Server to confirm whether pattern updates are being received as expected: <Program Files>\BigFix Enterprise\BES Server\wwwrootbes\cpm\patterns
   Check the TrendMirrorScript.exe logs from <Program Files>\BigFix Enterprise\TrendMirrorScript\logs
   Confirm that older pattern files are still located on the ESP Server (by default, a reserve of 15 patterns is retained).
   Troubleshooting Automatic Pattern Updates
   Procedure
   1. Check the console to verify if any CPM servers require action for Core Protection Module > Warnings.
   Check on the ESP Server that the Task Core Protection Module Set ActiveUpdate Server Pattern Update Interval has been created and run. This task should be set to automatically reapply at a frequent interval (often this is hourly), and it should not be restricted in any way that would conflict with the action.
   Check on the ESP Server that the Task Core Protection Module Apply Automatic Updates has been run and that the Action has successfully completed.
   On the CPM server, the user account must be in place for the propagation site.
   The PropagateManifest registry key must be set to 1.
   For 32-bit endpoints: HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\server
   For 64-bit endpoints: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\CPM\server
   For
29. your computer Detailed description of the install environment Contacting Trend Micro Exact text of any error message given Steps to reproduce the problem Documentation Feedback Trend Micro always seeks to improve its documentation If you have questions comments or suggestions about this or any Trend Micro document please go to the following site http www trendmicro com download documentation rating asp Knowledge Base The Trend Micro Knowledge Base is a 24x7 online resource that contains thousands of do it yourself technical support procedures for Trend Micro products Use the Knowledge Base for example if you are getting an error message and want to find out what to do New solutions are added daily Also available in the Knowledge Base are product FAQs important tips preventive antivirus advice and regional contact information for support and sales The Knowledge Base can be accessed by all Trend Micro customers as well as anyone using an evaluation version of a product Visit http esupport trendmicro com And if you can t find an answer to a particular question the Knowledge Base includes an additional service that allows you to submit your question via an email message Response time is typically 24 hours or less TrendLabs Trend Micro TrendLabs is a global network of antivirus research and product support centers providing continuous 24 x 7 coverage to Trend Micro customers worl
30. 2.0 Administrator's Guide
   Procedure
   In the Files to Scan section:
   - All scannable files: All files are scanned, even if the file type cannot contain infections. This option is the safest but also has the greatest effect on client performance.
   - File types scanned by IntelliScan: Scans only files known to potentially harbor malicious code, even those disguised by an innocuous-looking extension name, using file meta data to determine file type.
   - Target files: CPM for Mac always scans the files listed here. CPM for Mac requires that administrators type the full file path for the files targeted for scanning.
   In the Scan Settings section:
   - Scan compressed files: Scans files that use compression technology. Note: CPM for Mac only supports the scanning of compressed files, not the configuration of the maximum number of compression layers.
   In the Stop Scanning Settings (Mac only) section:
   - Stop scanning after __ hour(s) __ minute(s): Automatically stops a scan that has exceeded the configured time frame.
   - Enable the privilege to stop scanning: Allows CPM for Mac users to cancel an active scan.
   In the Scan Cache Settings section:
   - Enable the scan cache: Each time scanning runs, the client checks the properties of previously scanned threat-free files. If a threat-free file has not been modified, the client adds the cache of the file to the on demand scan cache
31. 3. Make your configuration choices.
   4. Click the Create Configuration Task button. The Create Task window opens.
   5. Since this is the default Start Scan Now Task, keep the existing name and click OK to also accept the default Actions and Relevance. The Task is set to be relevant to all CPM for Mac clients.
   6. Click OK.
   7. At the prompt, type your private key password and click OK.
   8. Wait a few minutes and the Applicable Computers tab displays.
   9. Below Actions, click the hyperlink to open the Take Action window.
   10. In the Take Action window Target tab, select the applicable computers and click OK.
   11. Click OK.
   12. At the prompt, type your private key password and click OK.
   13. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.
   Starting a Scan of Relevant Endpoints
   From the Endpoint Protection > Core Protection Module tree, go to Common Tasks > Core Protection Module > Core Protection Module Start Scan Now.
   Configuring an On Demand Scan
   This scan configuration will be saved apart from the default scan now settings. You can run it from the CPM Dashboard anytime to initiate an On Demand scan that uses the saved settings and applies to the selected computers.
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper l
32. 3. Use the root permission to run the CaseDiagnosticTool off command.
   Malware Logs on the CPM for Mac Client
   The malware log directory is located here: /var/log/TrendMicro/MPM
   The following log is significant in that it contains both virus and spyware information: malware.log
   Debug Logs
   1. TrendMirrorScript Logs: %ProgramFiles%\BigFix Enterprise\TrendMirrorScript\logs
   2. CPM AU Server Logs: %ProgramFiles%\Trend Micro\Core Protection Module Server\bin\AU_Data\AU_Log\TmuDump.txt
   3. BigFix Client Logs: /Library/Application Support/BigFix/BES Agent/BESData/__Global/Logs
   4. CPM for Mac Client Logs: /var/log/TrendMicro
   Components Installation Debug Logs (CPM Server)
   Get and use the following logs to help understand CPM server installation issues.
   Directory: WINDOWS
   - CPMInstallResult.log
   - CPMMsrvInstall.log
   - ClnExtor.log
   - CPMsrvISSetup.log
   Components Installation Debug Logs (CPM for Mac Client)
   Get and use the following logs to help understand CPM for Mac client installation issues.
   - /var/log/TrendMicro/TMMPMInstallResult.log
   - /tmp/TrendMicroMPMInstaller.log
   Log file names followed by an asterisk also serve as CPM for Mac Client upgrade debug logs. All log files can be collected by the Core Protection Module for Mac Execute CPM Case Diagnostic Tool CDT Task.
   Enabling Debugging on the CPM for
33. 6 When you have modified the template click Finish to end the process and to start generating the relevant Custom Action Core Protection Module for Mac 2 0 Administrator s Guide Editing Custom Actions The Blocked Approved List Wizard allows you to edit existing Blocked or Approved List templates You may edit these Custom Actions in two different ways By making modifications using the Edit Task window immediately after you click Finish to create the Custom Task By accessing the Edit Task window AFTER you have completely generated the Custom Task Note To make modifications using the Edit Task window either access it as part of Custom Task generation process or select it by right clicking on the name of an existing Custom Task and selecting Edit The Edit Task window consists of four tabs Description Use the Description tab to make modifications to the task name title and description Actions Use the Actions tab to view or change the Action this Custom Task performs For example use this window to add or remove blocked or approved URLs from the presented Action Script Relevance Use the Relevance tab to view and make modifications to the relevance for a Custom Task By default the relevance for the Blocked or Approved List is static Its purpose is to detect endpoints for Web Reputation Properties Use the Properties tab to view and modify the properties for this custom task De
34. 9. Click OK.
   10. At the prompt, type your private key password and click OK.
   11. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.
   Now that locations have been defined, the next step is to create a couple of different configuration settings and bundle them into a Task. You can then associate these Tasks with the Locations you just created.
   Creating Location Specific Tasks
   In the procedures below, the goal is to create two different configurations and tasks, and then attach them to different locations. The result will be that Configuration 1 will automatically be picked up by users in Location 1, and Configuration 2 will be picked up by users in Location 2. If a user from Location 2 travels to Location 1, he will automatically pick up Configuration 1 when connecting to the network.
   How Location Properties Work
   Each ESP Agent on which the CPM for Mac client resides receives a complete list of all the Actions deployed from the ESP Server through the various Tasks. The individual Agents check themselves against the list and create a short list of only those Actions that apply to them. In the current example, relevance is determined by IP address. Configuration 1 is going to be deployed to all Agents, but only those Agents running on an endpoint with an IP address in the subnet define
36. Endpoint Security Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice Before installing and using the software please review the readme files release notes and the latest version of the applicable user documentation Trend Micro the Trend Micro t ball logo OfficeScan Damage Cleanup Services ScanMail and TrendLabs are service marks trademarks or registered trademarks of Trend Micro Incorporated BigFix Fixlet and Fix it before it fails are registered trademarks of BigFix Inc iprevention Powered by BigFix Relevance Engine and related BigFix logos are trademarks of BigFix Inc All other product or company names may be trademarks or registered trademarks of their respective owners Protected by U S Patent No 5 623 600 5 889 943 5 951 698 6 119 165 Copyright 2013 Trend Micro Incorporated All rights reserved Document Part No APEM26091_ 130830 Release Date October 2013 Related Documents Use this Administrator s Guide to upgrade install and or configure Core Protection Module for Mac CPM for Mac on an existing Server This Administrator s Guide also covers CPM for Mac client deployment Web Reputation updates and configuration For related information see ESP 8 0 Administrator s Guide Contains deployment strategies installation instructions and common configuration tasks ESP 8 0 Console Operator s G
37. IntelliTrap scans for packing algorithms to detect packed files. Enabling IntelliTrap allows administrators to take user-defined actions on infected attachments, and to send notifications to senders, recipients, or administrators.
   Viruses/Malware
   A computer virus/malware is a segment of code that has the ability to replicate by infecting files. When a virus/malware infects a file, it attaches a copy of itself to the file in such a way that when the former executes, the virus/malware also runs. When this happens, the infected file also becomes capable of infecting other files. Like biological viruses, computer viruses/malware can spread quickly and are often difficult to eradicate. In addition to replication, some computer viruses/malware share another commonality: a damage routine that delivers a payload. While payloads may only display messages or images, they can also destroy files, reformat your hard drive, or cause other damage. Even if the virus does not contain a damage routine, it can cause trouble by consuming storage space and memory, and degrading the overall performance of your computer.
   Generally, there are three kinds of viruses/malware:
   Table C-2. Types of Virus/Malware
   TYPE | DESCRIPTION
   File | File viruses/malware may come in different types: there are DOS viruses/malware, Windows viruses/malware, macro viruses/malware, and script viruses/malw
38. [Figure: Smart Protection Server list showing File Reputation Service and Web Reputation Service entries, Last Refresh Time, Update available and Launch Console links, and the Allow global query option]
   If a newer version of a Smart Protection Server is available, click the Update available link under the Version column to obtain the latest updates from the Trend Micro download center.
   Click the arrow icons in the Order column to move servers into the priority that you need. Servers at the top of the list are the first servers that Smart Protection Relays and endpoints try to connect to when performing updates and reputation queries.
   5. Click a server name to modify the protocol used when communicating with Smart Protection Relays and endpoints.
   [Figure: Smart Protection Server protocol dialog with File Reputation Services protocol (HTTP or HTTPS), Web Reputation Services, and Save and Cancel buttons]
   6. Specify the protocol to use.
   Note: HTTPS is more secure but requires more bandwidth for communication. CPM for Mac only supports Web Reputation Services through HTTP channels.
   7. Click Save.
   Creating a Smart Protection Server List Deployment Task
   You can create this task even if no Smart Protection Servers are deployed on your
39. Mac Client
   Procedure
   1. While logged in as a root permission user, open the terminal.
   2. Change the file location to /Library/Application Support/TrendMicro/MPM
   3. Run the CaseDiagnosticTool AllOn script.
   4. Reproduce the issue.
   5. Run the CaseDiagnosticTool off script.
   6. Use the root permission level to run CaseDiagnosticTool collect.
   7. The file is created on the desktop with the following naming convention: TMMPMLogCollect <datetime> tar bz2
   8. Send the compressed tar bz2 file to Trend Micro Technical Support.
   Administrators can use the Core Protection Module for Mac Execute CPM Case Diagnostic Tool CDT Task to perform steps 6 and 7 automatically. This process creates the compressed tar bz2 file in the /Library/Application Support/TrendMicro/MPM/CDTData directory and uploads the file to the BigFix server.
   Web Reputation Logs on the CPM for Mac Client
   The Web Reputation log directory is located at: /var/log/TrendMicro/MPM
   The log file that contains the Web Reputation information is: wtp.log
   Pattern Updates
   There are a number of moving parts and components involved with the routine task of updating the pattern files.
   CPM server components include:
   - Proxy Settings
   - TMCPMAuHelper.exe
   - TrendMirrorScript.exe
   CPM console components include:
   - Pattern Update Wizard
   - Pattern set Loading via Manifest.json
   CPM for Mac client components includ
40. Module for Mac 2 0 Administrator s Guide ESP and CPM for Mac Components CPM for Mac as a module in the Trend Micro Endpoint Security Platform ESP provides a powerful scalable and easy to manage security solution for very large enterprises This integrated system consists of the following components TABLE 1 2 ESP Components COMPONENT DESCRIPTION ESP Console ESP consoles tie all components together to provide a system wide view of all the computers on your network The system wide view of vulnerabilities and threats on the computers on your network can quickly be addressed The console helps administrators quickly and easily distribute fixes to computers that need them without impacting other computers on your network For large deployments ESP consoles are often hosted from Terminal Servers ESP Server ESP servers offer a collection of interacting services including application services a web server and a database server forming the heart of the ESP system It coordinates the flow of information to and from individual computers and stores the results in the ESP database ESP server components operate in the background without any direct intervention from the administrator ESP Servers also include a built in web reporting module to allow authorized users to connect through a web browser to view information about endpoints vulnerabilities actions and more ESP supports multiple servers adding a robust r
41. Web Reputation integrated into CPM proactively protects clients from malicious and potentially web sites. The following security levels determine whether Web Reputation will allow or block access to an URL:
   - High: Blocks URLs that are unrated, a Web threat, very likely to be a Web threat, or likely to be a Web threat.
   - Medium: Blocks URLs that are unrated, a Web threat, or very likely to be a Web threat.
   - Low: Blocks only URLs that are a Web threat.
   Use the actions below to set the Web Reputation security level:
   - Click here to set High Web Reputation security level.
   - Click here to set Medium Web Reputation security level.
   - Click here to set Low Web Reputation security level.
   Figure 6-2. Web Reputation Security Level Configurations
   Web Reputation Security Levels
   After enabling WR on your endpoints, you can raise the security level to Medium or High (the default is Low) to increase
42. View an existing Blocked/Approved List Template
   Copy a Blocked/Approved List Template
   Copy and edit a Blocked/Approved List Template
   Delete a Blocked/Approved List Template
   Creating and Deploying a New Template
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked/Approved List > Web Reputation Blocked/Approved List Wizard. The Web Reputation Blocked/Approved List Wizard window opens, showing a list of your currently available templates.
   3. Click Add Template. The Blocked/Approved List Template Add Template page opens.
   4. Enter a name for your template in the Template Name field.
   5. In the Blocked List pane, enter or copy-paste the URLs you want to block. You may enter up to 500 URLs. You also must have http:// or https:// before each URL entry. To block all the pages for a site, enter the name of the domain followed by Example: http://www.badURL.com
   Note: You can include up to 500 URLs in a single template and can create multiple templates for use. However, only one template can be active on an endpoint at the same time.
   6. To enter an Approved List, in the Approved List pane, enter or copy-paste the URLs you want your users to be able to access without restriction. You may enter up to 499 URLs per template. You also m
43. Web Reputation
   Using a single agent and management console, Trend Micro ESP can support over 250,000 endpoints. From the management console, you can track the progress of each computer as updates or configuration policies are applied.
   New in this Release
   Core Protection Module for Mac includes the following new features and enhancements:
   FEATURE/ENHANCEMENT | DETAILS
   Improved scan performance and functionality | The on-demand scan cache improves the scanning performance and reduces scan time by skipping previously scanned, threat-free files. For details, see Configuring the Scan Target Tab on page 5-5. Configure scan exclusion folders with ease by using wildcards. For details, see Scan Exclusions on page 5-11. Allow users to stop and set the maximum scan time for Scheduled Scans. For details, see Configuring the Scan Target Tab on page 5-5.
   Smart protection for Web Reputation | Clients send Web Reputation queries to smart protection sources to determine the safety of websites. Clients leverage the smart protection source list configured for CPM clients to determine the smart protection sources to which to send queries. For details, see Enabling Smart Protection Server Web Reputation Service on page A-11.
   Mac client system tray icon | Administrators can allow the client to display the system tray icon and allow users to view logs and run sca
44. ance Addition of file formats, scripting languages, encoding, and compression formats
   Chapter 2. ESP Server: Installing and Upgrading
   Before beginning these procedures, you should have Trend Micro Endpoint Security Platform (ESP) installed, including the ESP Server, ESP Console, and ESP Agents. This chapter covers installing the Core Protection Module for Mac (CPM for Mac) server components on the ESP Server, updating the related files, and preparing endpoints to receive the ESP client.
   Topics include:
   - Opening the ESP Console on page 2-2
   - Adding CPM for Mac to the ESP Server on page 2-2
   - Installing CPM Components on the ESP Server on page 2-4
   - Updating Pattern Files on the Server on page 2-4
   - Update Sources on page 2-5
   - Preparing the ESP Server and Updating the Pattern Files on page 2-8
   - Connecting ESP to SPS on page 2-10
   - Activating Core Protection Module for Mac Analyses on page 2-11
   - Removing CPM Server Components on page 2-12
   Opening the ESP Console
   If you are logging into the ESP Server using an administrator account, you can use NT Authentication instead of entering a password. If you are running the ESP Console remotely, you will need a user name and password.
   Procedure
   1. To open the ESP console: For Windows XP, Server 2003, Vista, Server 2008, Windows 7, POSReady 2009, and POSReady 7: On the Windows desktop, click the Win
45. and Count of the Action to confirm that it is Running and then Completed Importing Lists of Websites Web Reputation allows you to import URLs for new Blocked and Approved List templates from new line delimited files Using Web Reputation Procedure 1 Create two text files one for the websites you want this template to block and another for the websites to which you want to give your users unrestricted access Note If you do not want to include an Approved List in the template you can skip this part of the process Web Reputation allows you to create Blocked Approved List Templates with both list types a blocked and an approved list only a Blocked List or only an Approved List Press ENTER or place a newline code at the end of each line to separate each entry You must have http before each URL entry To block all the pages for a site enter the domain name followed by for example http www badURL com From the ESP Console menu click Endpoint Protection on the bottom left pane From the upper left navigation pane go to Core Protection Module gt Configuration gt Web Reputation Blocked Approved List gt Web Reputation Blocked Approved List Wizard to open the Web Reputation Blocked Approved List Wizard Click the Add Template button or Edit The Blocked Approved List Templates Add Template window opens Click Bulk Import Sites from external file The Import Sit
46. are. All of these share the same characteristics of viruses/malware, except that they infect different types of host files or programs.
   Boot | Boot viruses/malware infect the partition table of hard disks and the boot sector of hard disks and floppy disks.
   Script | Script viruses/malware are viruses/malware written in script programming languages, such as Visual Basic Script and JavaScript, and are usually embedded in HTML documents. VBScript (Visual Basic Script) and Jscript (JavaScript) viruses/malware make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98, Windows 2000, and other Windows operating systems, the viruses/malware can be activated simply by double-clicking a .vbs or .js file from Windows Explorer.
   What is so special about script viruses/malware? Unlike programming binary viruses/malware, which requires assembly-type programming knowledge, virus/malware authors program script viruses/malware as text. A script virus can achieve functionality without low-level programming and with code as compact as possible. It can also use predefined objects in Windows to make accessing many parts of the infected system easier (for example, for file infection, for mass-mailing). Furthermore, since the code is text, it is easy for others to read and imitate the coding paradigm. Because of this, many script viruses/malware have several modified variants. F
47. ates gt Update Rollback Patterns gt Create Pattern Update Rollback Task The Task deploys the specified pattern set to the endpoints Routine CPM Tasks Quick Lists Web Reputation The steps below are for experienced ESP administrators who just need a list for tasks involving the Web Reputation Procedures include Enabling Smart Protection Server Web Reputation Service on page A 11 Enabling HTTP Web Reputation port 80 on page A 11 Enabling HTTP Web Reputation all ports other than 80 on page A 12 Enabling HTTPS Web Reputation on page A 12 Configuring Web Reputation on page A 12 Enabling Smart Protection Server Web Reputation Service Procedure 1 In the ESP Console navigation pane click Endpoint Protection gt Core Protection Module gt Common Tasks gt Web Reputation 2 Select Web Reputation Enable Smart Protection Server Web Reputation Service Enabling HTTP Web Reputation port 80 Procedure 1 In the ESP Console navigation pane click Endpoint Protection gt Core Protection Module gt Common Tasks gt Web Reputation 2 Select Web Reputation Enable HTTP Web Reputation Scanning port 80 Core Protection Module for Mac 2 0 Administrator s Guide Enabling HTTP Web Reputation all ports other than 80 Procedure 1 In the ESP Console navigation pane click Endpoint Protection gt Core Protection Module gt Common Tasks gt Web Reputation 2
48. ation about the application and its intended use to collect personal data; however, users often overlook this information or do not understand the legal jargon.
   Guarding Against Spyware/Grayware and Other Threats
   There are many steps you can take to prevent the installation of spyware/grayware onto your computer. Trend Micro suggests the following:
   - Configure On-Demand, Real-time, and Scheduled On-Demand Scans to find and remove spyware/grayware files and applications.
   - Educate your client users to do the following:
     - Read the End User License Agreement (EULA) and included documentation of applications they download and install on their computers.
     - Click No to any message asking for authorization to download and install software, unless client users are certain both the creator of the software and the website they view are trustworthy.
     - Disregard unsolicited commercial email (spam), especially if the spam asks users to click a button or hyperlink.
   - Configure web browser settings that ensure a strict level of security. Trend Micro recommends requiring web browsers to prompt users before installing ActiveX controls.
   - If using Microsoft Outlook, configure the security settings so that Outlook does not automatically download HTML items, such as pictures sent in spam messages.
   - Do not allow the use of peer-to-peer file-sharing services. Spyware and other grayware applications may be masked as other types of files your users may
49. attern and engine files from Trend Micro. The update process can be scheduled to occur automatically and is transparent; there is no need to remove the old pattern or install the new one. Incremental Updates: To reduce network traffic generated when downloading the latest pattern, the Trend Micro ActiveUpdate server includes incremental pattern updates along with the full pattern file. Updates represent the difference between the previous pattern file and the current one. Like the full pattern file, incremental updates download and apply automatically. Incremental updates are available to both the ESP Server (which typically downloads pattern updates from the ActiveUpdate server) and to CPM for Mac clients that are configured to get their updates from the ESP Server. Updates from the Cloud: Clients typically receive their updates from the ESP Server or Relays, but CPM for Mac also supports client updates from the cloud, that is, directly from the Trend Micro ActiveUpdate server. Tip: Note that Trend Micro does not recommend updating clients from the cloud as the default behavior. Pattern files may exceed 20MB/client, so frequent direct client downloads from the ActiveUpdate server are usually not preferred. Instead, you can use the cloud as a fallback for clients to use whenever they are not able to connect to the ESP Server. Updates from the cloud support incremen
50. avigation pane, go to Core Protection Module > Analyses > Web Reputation for Mac. The List Panel changes to show all available analyses: Web Reputation Client Information; Web Reputation Site Statistics. 3. Click the Web Reputation Site Statistics analysis. The Web Reputation Site Statistics window appears. The window displays information on the two Web Reputation properties you can view with the analysis: Blocked websites 4. You can view the analysis property results in a list or in summary form. To select a perspective, choose the desired format from the drop-down box in the upper right corner of the analysis in the Results tab. 5. To deactivate the analysis, return to the click here link in the Action window. Chapter 7 Setting Up and Using Locations. This chapter has information about creating locations, tasks related to the locations, and how to use locations. Topics in this chapter include: Locations Overview on page 7-2; Creating Locations on page 7-2; Creating Location Specific Tasks on page 7-5; How Location Properties Work on page 7-6; Configuring Automatic Updates Using Location Properties on page 7-11. Locations Overview: You can have ESP apply different CPM for Mac security configuration on the basis of the client's current geographical location. For example, say an organization has offices in California, New York, and Ge
51. ble Virus Malware Others Endpoint Protection M Back up files before cleaning (Windows only). Use the same action for all virus/malware types. If the first action fails, CPM for Mac automatically takes the second action. For example, if the default action is Clean and CPM for Mac is unable to clean an infected file, the backup action of Quarantine is taken. Configuration Wizards Reference. Note: Quarantining files: Administrators can configure CPM for Mac to quarantine any harmful files detected. CPM for Mac encrypts and moves the files to a directory on the endpoint that prevents users from inadvertently spreading the virus/malware to other computers in the network. See Available Virus/Malware Scan Actions on page B-2 for more information. Real-Time Scan Settings Wizard: Core Protection Module for Mac only supports virus/malware scanning on CPM for Mac clients. For details on different types of virus and malware threats, see Understanding Security Risks on page C-1. Configuring the Scan Target Tab. Note: Core Protection Module for Mac supports the following configuration options on the Scan Target tab. Procedure: In the User Activity on Files section: Scan files being: Scans files that users create, modify, or receive, as configured. In the Scan Settings section: Scan compressed files: Scans files that use compression technology C
52. bleshooting > Core Protection Module Ineligible for Install Insufficient Software Resources. Identifying Conflicting Products: Before deploying the CPM for Mac client to your endpoints, you need to uninstall any programs that will conflict with the CPM for Mac functions. See Conflicting or Incompatible Programs on page 3-15 for more information. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Troubleshooting. 3. From the list on the right pane, select Core Protection Module Ineligible for Install Removal of Conflicting Products Required. The Fixlet Description opens. 4. Click the Applicable Computers tab. A list of endpoints running conflicting software appears. 5. Below Actions, click the hyperlink if you want to connect to the Support web page for more information. Removing Conflicting Products. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. CPM for Mac Clients Installing and Updating. 2. From the upper left navigation pane, go to Core Protection Module > Deployment > Uninstall > product name. The Fixlet Description tab opens, showing a list of the endpoints currently running the program. Alternatively, you can click All Content and then navigate to Fixlets and Tasks > All > By Site > Trend Micro Core Protecti
53. chapter include: About Web Reputation on page 6-2; How Web Reputation Works on page 6-2; Web Reputation Security Levels on page 6-4; Using Web Reputation in CPM for Mac on page 6-5; Importing Lists of Websites on page 6-12; Viewing an Existing Template on page 6-14; About Web Reputation Analyses on page 6-18. About Web Reputation: The Trend Micro Web Reputation (WR) technology joins its real-time visibility and control capabilities with CPM to prevent web-based malware from infecting your users' computers. WR intercepts malware in the cloud before it reaches your users' systems, reducing the need for resource-intensive threat scanning and clean-up. Specifically, WR monitors outbound web requests, stops web-based malware before it is delivered, and blocks users' access to potentially malicious websites in real time. Web Reputation requires no pattern updates. It checks for web threats when a user accesses the Internet by performing a lookup on an in-the-cloud database. Web Reputation uses the site's reputation score and a security level set by the Console Operator to block access to suspicious sites. The Web Reputation database lookups are optimized to use very little bandwidth (similar in size to a DNS lookup) and have a negligible impact on network performance. How Web Reputation Works: Whenever an end user tries to open an Internet site, the request
54. Chapter 9 Contacting Trend Micro: Contacting Technical Support; Speeding Up Your Support Call; Documentation Feedback; Knowledge Base; TrendLabs; Security Information Centers. Appendix A Routine CPM Tasks (Quick Lists): Scan Management; Real-time and On-Demand Scans; CPM Server Management; Activating Analyses; Removing CPM Server Components; Upgrading CPM Server Components; Removing the CPM for Mac Site; CPM Client Management; Displaying the ESP Icon on Endpoints; Viewing ESP Hidden Client Statistics for a Given Account; Decrypting Quarantined Files; Deployin
55. d, Cupertino, CA 95014, USA. Tel: 1 408 257 1500 / 1 800 228 5651. Fax: 1 408 257 2003. info@trendmicro.com, www.trendmicro.com. Item Code: APEM26091 130830
56. d for San Francisco will pick up the configuration. You will be able to see this self-selection at work when you create the second configuration and apply it to a different Location. One Action will be picked up by San Francisco endpoints and the other by German endpoints. ESP Agents remain in sync with new relevance expressions by frequently checking the ESP server for updates. Agents also maintain a detailed description of themselves that may include hundreds of values describing their hardware, the network, and software. In short: First, define some locations. Second, configure your scan, firewall, or URL filtering settings. Next, save the settings to a Task and create an Action to target some given endpoints. When you deploy the Task, the ESP Server converts the Action details into a relevance expression, which is sent to all Agents at the endpoints. Each Agent checks itself against the relevance expression and takes the Action required for every match found. Creating the First Configuration and Task. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Configuration > Global Settings > Global Settings Wizard. The Global Settings Wizard screen opens. 3. Enable Configure scan settings for large compressed files and type the limits shown here: Do not scan files in
57. dentify that proxy and provide log on credentials. The credentials will be used by those CPM clients you target with this Action to connect to the Internet. Configure the Web Reputation proxy settings using either the Web Reputation Proxy Settings Wizard or the Web Reputation Enable Configure Proxy Settings fixlet. Configuring the Web Reputation Proxy Settings Wizard. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Configuration > Web Reputation Proxy Settings > Web Reputation Proxy Settings Wizard. The Web Reputation Proxy Settings Wizard window opens. 3. Click Use the following proxy settings. 4. Either provide the necessary proxy settings information or click Use to reload previously configured settings. 5. Click Create Configuration Task and deploy the proxy settings to the necessary clients. Configuring WR Proxy Settings Using the Fixlet. Note: You will be prompted to provide a password for the proxy server. Be sure to encrypt the password using the utility provided in the Task before deploying the Task; user name and password will be visible in the Action's Summary Details. Using Web Reputation. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Common Tasks > Web Re
58. dows Start button, then Programs > Trend Micro Endpoint Security Platform > ESP Console. For Windows 8 and Server 2012: On the Windows desktop, click the Windows Start button, then click the ESP Console shortcut. Note: Switch to desktop mode to view the console. 2. Connect to the ESP Server database by entering the user name you created when installing the ESP Server (if you installed the evaluation version, type EvaluationUser for the user name) and then click OK. 3. The ESP Console opens. Adding CPM for Mac to the ESP Server: Install Trend Micro Core Protection Module for Mac by adding its site masthead to the list of managed sites in the ESP Console. If you do not have the Core Protection Module for Mac and Reporting mastheads, contact your Trend Micro sales representative to obtain them. ESP Server Installing and Upgrading. CPM for Mac includes a Web Reputation component that replaces the stand-alone version. CPM for Mac allows for the migration of any pre-existing WPM Blocked and Approved Lists. Note: If you are a current Web Protection Module (WPM) customer, you will need to remove any installed clients and then the WPM site prior to installing CPM for Mac. Before adding the CPM for Mac site, ensure that the ESP Server has an active Internet connection in order to connect to the source of the masthead files. If the ESP Server cannot connect to the Internet, the request will remain pending un
59. dth spike. Full pattern and engine file updates can be 15MB or more. Updates from the cloud will always include all patterns (you cannot update selected patterns as you can from the ESP server). Updates from the cloud are typically slower than updates from the ESP server. Three additional points are relevant to cloud updates: The endpoint will need an Internet connection. If the endpoint has a proxy configured for Internet Explorer, those settings will be automatically used. As with any pattern update, following a pattern rollback, further updates will be prohibited until the rollback condition has been lifted by running the Task Core Protection Module Clear Rollback Flag. The CPM for Mac client will verify the authenticity of the pattern from the cloud. Configuring Clients to Update from the Cloud. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Updates > Other Update Tasks. 3. From the list in the right pane, click Core Protection Module Update From Cloud. A screen displaying the Task Description tab appears. 4. Below Actions, click the hyperlink to open the Take Action window. 5. In the Target tab, choose All computers with the property values selected in the tree list below and then select the property that you want to ap
60. dwide. Staffed by a team of more than 250 engineers and skilled support personnel, the TrendLabs dedicated service centers worldwide ensure rapid response to any virus outbreak or urgent customer support issue, anywhere in the world. The TrendLabs modern headquarters earned ISO 9002 certification for its quality management procedures in 2000. TrendLabs is one of the first antivirus research and support facilities to be so accredited. Trend Micro believes that TrendLabs is the leading service and support team in the antivirus industry. For more information about TrendLabs, please visit http://us.trendmicro.com/us/about/company/trendlabs. Security Information Center: Comprehensive security information is available at the Trend Micro website: List of viruses and malicious mobile code currently in the wild or active; Computer virus hoaxes; Internet threat advisories; Virus weekly report; Virus Encyclopedia, which includes a comprehensive list of names and symptoms for known viruses and malicious mobile code; Glossary of terms. http://www.trendmicro.com/vinfo. Appendix A Routine CPM Tasks (Quick Lists): The Appendix includes a quick list of How To's for the most common and routine management tasks you are likely to encounter. In addition, you will find several processes that are intended to reduce some procedures to a simple reference. Refer to
61. e BESAgent.exe for dynamic download requests for pattern sets; TMMPMAuUpdater.exe for request and application of pattern sets. General: The default ActiveUpdate server for pattern updates appears in the ESP Server registry: HKEY LOCAL MACHINE SOFTWARE TrendMicro CPMsrv ServerUpdateSource DefaultAUServer. The default ActiveUpdate server URL for CPM for Mac version 2.0: http esp p activeupdate trendmicro com activeupdate. CPM server. Check that the server exists in the Windows Registry: HKEY LOCAL MACHINE SOFTWARE BigFix CPM server CPM server. If the automatic update Task is successful, the CPM site will exist in the bfsites directory: <Program Files> BigFix Enterprise BES Server wwwrootbes bfsites CustomSite FileOnlyCustomSite CPMAutoUpdate_0 1. CPM for Mac client: After automatic updates have been enabled on the client, the CPM site will exist in the ESP subscribed sites directory: <Program Files> BigFix Enterprise BES Client __BESData CustomSite_FileOnlyCustomSite_CPMAutoUpdate. Check for pattern updates on the CPM server: From the CPM Dashboard, click Update Rollback Patterns > Create Pattern Update Rollback Task to open Pattern Update and Rollback Wizard. If there are no new updates, inspect the Task Core Protection Module Set ActiveUpdate Server Pattern Update Interval. If the Task was run but
62. e Disable Automatic Updates Server Task. Step 2: Issue a Set ActiveUpdate Server Pattern Update Interval Task. You have most likely already configured a policy action from this task. If you have not, please see the instructions in the Core Protection User's Guide: http://publib.boulder.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc/CPM_Users_Guide.pdf. Or reference the Installation Guide and User's Guide at: http://publib.boulder.ibm.com/infocenter/tivihelp/v26r1/index.jsp?topic=/com.ibm.tem.doc/welcome.htm. Note: The setup process of automatic updates will not download a new pattern set. That action is still managed by the Set ActiveUpdate Server Pattern Update Interval task. A policy action of that task may already exist, and the most recent pattern set may have been downloaded prior to this automatic updates setup procedure. In that situation, a new pattern set will not be available for automatic updates until the next set is downloaded from the Trend ActiveUpdate Server. The caching behavior of the Trend CPM Server component only downloads new content from the Trend ActiveUpdate Server. To induce an immediate download of the latest pattern set to use in automatic updates, perform the following. Procedure: 1. Clear the CPM Server Component download cache: Delete the contents of the folder C Program Files Trend Micro Cor
63. e Protection Module Server download 2. Configure a periodic policy action and deploy the action from the task Core Protection Module Set Active Update Server Pattern Update Interval. Step 3: Issue an Apply Automatic Updates Task. This policy action monitors the latest pattern file versions and applies them to endpoints with automatic updates enabled. This action should be targeted at all computers and set with the following parameters: Reapply whenever relevant; Reapply an unlimited number of times; Set the action to never expire; Retry up to 99 times on failure. Connecting ESP to SPS: If you choose to use Web Reputation Services for CPM for Mac endpoints, Smart Protection Servers (SPS) need to install ESP Agent. This needs to be done so the ESP server can connect with the Smart Protection Servers. Once connected, the ESP server can monitor the status of Smart Protection Servers. Installing the ESPAgent using the ESP Deployment Tool. Procedure: 1. Log on to SPS servers using the root account. 2. Execute the script file /usr/tmcss/bin/patchcpm.sh on SPS servers. 3. Download NIX Client Deploy and follow the installation instructions in the following link to deploy the ESPAgent in SPS servers: http://support.bigfix.com/labs/Unix_Client_Deploy_Tool.html. Note: After executing patchcpm.sh, the Summary screen only displays the Real-time Status widget data. No
64. e Target tab that opens, a list of eligible endpoints appears. The default behavior is to install the CPM for Mac client on every relevant endpoint, regardless of who is logged on to the computer and whether the user is present or not. 6. Use the following deployment options if you want to change the target: Target: Click All computers with the property values selected in the tree list below and then choose a property that will include all the computers you want to deploy this Action to. Execution: Set the deployment time and retry behavior, if any. Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur). Messages: Configure these options to passively notify the user that the Action is going to occur, or to ask users to stop using their computer while the Action occurs. Offer: Configure these options if you want the user to be able to choose whether the Action is completed. A pop-up message will be displayed on the target endpoints (requires that the client is enabled for offers). 7. At the prompt, type your private key password and click OK. 8. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Pattern File and Engine Updates: It is important to keep your CPM for Mac clients current with the latest p
65. e not included in the rollback: all pattern files updates will be on hold after a rollback until their individual flags have been lifted. You can lift the flag on all pattern files at once or on selected files. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Updates > Other Update Tasks > Core Protection Module Clear Rollback Flag. A screen displaying the Task Description tab appears. 3. Below Actions, click the hyperlink to open the Take Action window. 4. In the Target tab, click All computers with the property values selected in the tree list below and then choose a property that will include all the computers you want to deploy this Action to. 5. Click OK. 6. At the prompt, type your private key password and click OK. 7. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Deploying Selected Pattern Files: By default, all pattern files are included when the pattern is deployed from the ESP Server to CPM for Mac clients. You can, however, select and deploy a subset of patterns. Note: This Task is typically only used to address special cases and, as a result, is seldom used. When used, this Task tends to be targeted narrowly. Procedure
66. e upper left navigation pane, go to Core Protection Module > Common Tasks > Web Reputation > Web Reputation Enable Smart Protection Server Web Reputation Service. A screen displaying the Task Description tab appears. 3. Click the hyperlink to open the Take Action window. 4. In the Target tab, a list shows the applicable CPM for Mac clients. 5. Select all the Applicable Computers and click OK. 6. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Enabling HTTP Web Reputation (port 80) on CPM Clients. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Common Tasks > Web Reputation > Web Reputation Enable HTTP Web Reputation Scanning (port 80). A screen displaying the Task Description tab appears. 3. Click the hyperlink to open the Take Action window. 4. In the Target tab, a list shows the CPM clients without Web Reputation installed. 5. Select all the Applicable Computers and click OK. 6. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Web Reputation Proxy Settings: If your endpoints connect to the Internet through a proxy server, you will need to i
67. econd configuration and Task, choose Scan BIG from the Global Settings screen and use the Location name you used for the Germany subnet. Configuring Automatic Updates Using Location Properties: Administrators can configure CPM for Mac clients to switch update sources depending on the client's location. Administrators can configure CPM for Mac clients that are within the internal network to update from the CPM server, and clients that are not within the internal network to update from the ActiveUpdate server. Note: This procedure assumes that administrators have already configured locations for the network. The procedure also uses the value of OfficeSite to indicate the internal company network. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Updates > Other Update Tasks. 3. Click Core Protection Module Update from Cloud. A screen displaying the Task Description tab appears. 4. Click Take Action. 5. On the Target tab, select the endpoints relevant for this Task. 6. On the Execution tab: a. Select Run only when and configure the following settings: Computer Location does not match OfficeSite. b. Select Reapply this action and configure the following settings: while relevant, waiting
68. ed CPM clients and the List Panel. About Web Reputation Analyses: Web Reputation allows you to view detailed information about an endpoint or group of endpoints protected by Web Reputation. Use the Client Information analysis to view information about each endpoint protected by a CPM client. From the ESP Console menu, click Endpoint Protection on the bottom left pane. From the upper left navigation pane, go to Core Protection Module > Analyses > Web Reputation for Mac. The following properties are available for each endpoint. Table 6-1. Web Reputation Client Analysis Properties (property: description). Number of Web Threats Found: The number of web threats encountered and recorded in the endpoint's storage file. Web Reputation Enabled/Disabled: The status of the agent's Web Reputation feature (Enabled/Disabled). Web Reputation Security Level: The security level for the Web Reputation feature (High, Medium, Low). Web Reputation Service Type: The Web Reputation query source (Smart Protection Network, Smart Protection Server). Web Reputation Query Server URL: The URL of the Smart Protection Server used for Web Reputation queries. Connection to the Smart Protection Network: The connection configuration to the Smart Protection Network for Web Reputation queries (Enabled/Disabled). Log Purge Enabled: The configuration setting for purgin
69. ed URL is scored at the proxy in real time, and that score is then evaluated against the security level. URLs with a score that exceeds the level you select will be prevented from opening. Note that this scoring is relative to security, not whether a site may contain objectionable content. Note: As you set the security level higher, the web threat detection rate improves but the likelihood of false positives also increases. You can override incorrect blocking by adding the URL to the Approved List. Likewise, you can force blocking of a site by adding it to the Blocked List. Screenshot text: Trend Micro Core Protection Module Event: URL Blocked. The URL that you are attempting to access is a potential security risk. Trend Micro Core Protection Module has blocked this URL in keeping with network security policy. URL: httpviwr21 winshipway comf. Risk Level: Dangerous. Details: Verified fraud page or threat source. Blocked by Web Reputation. Trend Micro Core Protection Module 10.6. Copyright 1998-2011 Trend Micro Incorporated. All rights reserved. Figure 6-1. URL Blocked Message. URLs are scored on a security scale that runs from 0 to 100. Safe: Scores range from 81 to 100. Static and normal ratings. URLs are confirmed as secure; however, content may be anything (including objectionable content). Unrated: Score equals 71. Unknown ratings. These URLs are not included in the rating database. Suspiciou
70. ed network utilization. Supports native 64-bit and 32-bit processing for optimized performance. Integrates with the Trend Micro ESP Console to provide centralized security, including the centralized deployment of security policies, pattern files, and software updates on all protected clients and servers. Superior Malware Protection: Delivers powerful protection against viruses, Trojans, worms, and new variants as they emerge. Protects against a wide variety of spyware/grayware, including adware, dialers, joke programs, remote-access tools, key loggers, and password-cracking applications. Detects and removes active and hidden rootkits. Cleans endpoints of malware, including processes and registry entries that are hidden or locked. Web Reputation Technology: The CPM for Mac Web Reputation technology proactively protects client computers within or outside the corporate network from malicious and potentially dangerous websites. Web Reputation breaks the infection chain and prevents downloading of malicious code. In addition to file-based scanning, CPM for Mac now includes the capability to detect and block web-based security risks, including phishing attacks. Using the ESP location awareness features, you can have CPM for Mac enforce different web reputation policies according to the client computer's location. The client's connection status with the ESP Server or a
71. eduling an On-Demand Scan (Automatic Scanning). A scheduled scan will run automatically according to the schedule you set. Although it will appear in the CPM for Mac Dashboard along with any other On-Demand scans, you do not need to trigger it. Configuring and Managing CPM for Mac. Procedure: 1. Go to Endpoint Protection > Core Protection Module > Configuration > On-Demand Scan Settings. 2. Double-click the previously defined scan name in the top right pane to open the scan configuration. 3. Below Actions, click the hyperlink to open the Take Action window. 4. In the Take Action window, click the Execution tab (see the following figure). Choose a Start date, and optionally configure the days you want the scan to run in the Run only on field. Select Reapply this action while relevant, waiting 2 days between reapplications (choosing whatever time period suits you). WARNING: Do not select whenever it becomes relevant again, or the scan may run continuously. If you want to let users initiate the scan, click the Offer tab and select Make this action an offer. Click any of the other Tabs to modify the trigger time and applicable users.
72. edundancy to the system. Introducing Core Protection Module for Mac. Components and descriptions: ESP Agent: ESP Agents are installed on every computer ESP manages. ESP agents access a collection of Fixlets that detect improper configuration settings and vulnerabilities. The ESP Agent is then capable of implementing corrective actions received from the ESP Console through the ESP Server. The ESP Agent is designed to run undetected by end users, using a minimum of system resources. However, ESP also allows the administrator to provide screen prompts for those actions that require user input. ESP Agents are capable of encrypting communications, thereby protecting sensitive information. ESP Relays: ESP Relays increase the efficiency of the system. Instead of forcing each networked computer to directly access the ESP Server, relays spread the load. Hundreds to thousands of ESP Agents can point to a single ESP Relay for downloads. The relay then makes only a single request of the server. ESP Relays can connect to other relays, further increasing efficiency. An ESP Relay does not need to be a dedicated computer. A relay can be any computer with the ESP Agent installed. As soon as you install an ESP Relay, the ESP Agents on your network have the ability to automatically discover and connect to them. CPM Client Components: CPM for Mac Client Components are responsible for managing pattern files, conducting scans
73. eft navigation pane go to Core Protection Module > Configuration > On Demand Scan Settings > On Demand Scan Settings Wizard. The On Demand Scan Settings Wizard appears.
   3. Make your configuration choices.
   4. Click the Create Scan Now Task button. The Create Task window opens.
   Edit the Name field and use the Description tab to edit it so it clearly identifies the scan parameters you have selected and the computers you will target in this task.
   Select all the relevant computers from the Relevance tab and click OK.
   At the prompt, type your private key password and click OK.
   In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.
   Running an On Demand Scan
   Procedure
   1. Go to Endpoint Protection > Core Protection Module > Configuration > On Demand Scan Settings.
   2. Double-click the previously defined scan name in the top right pane to initiate the Task.
   3. Below Actions, click the hyperlink to open the Take Action window.
   4. In the Take Action window, select the computers you want to target (typically by Properties) and then click OK.
   5. At the prompt, type your private key password and click OK.
   6. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.
   Sch
74. eployment will respond with a "not relevant" statement. Click OK.
   Create an update Fixlet to open the Edit Fixlet Message window and configure a Fixlet that will deploy the Action whenever the selected clients become relevant. When finished, click OK, and in the window that opens, click the hyperlink that appears below Actions to open the Take Action window.
   Note: In CPM 10.6 or later, you can only perform a rollback on Virus Patterns and Engines.
   5. In the Target tab that opens, click All computers with the property values selected in the tree list below, and then choose a property that will include all the computers you want to deploy this Action to.
      Execution: Set the time and retry behavior for the update (if any).
      Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
   6. After selecting the computers you want to update, click OK.
   7. At the prompt, type your private key password and click OK.
   8. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.
   Re-enabling Updates Following a Rollback
   After a rollback, you must clear the rollback flag setting attached to patterns on your CPM for Mac clients to re-enable manual, cloud, and/or automatic pattern updates. The same holds true even for pattern files that wer
75. eputation Works
   Web Reputation Security Levels
   Configuring a Default WR Security Level
   Using Web Reputation in CPM for Mac
   Blocked and Approved List Templates
   Enabling Smart Protection Server Web Reputation Service on Clients
   Enabling HTTP Web Reputation (port 80) on CPM Clients
   Web Reputation Proxy Settings
   Importing Lists of Websites
   Viewing an Existing Template
   Copying and Editing a Template
   Editing Custom Actions
   Deleting a Blocked or Approved List
   Deleting a WR Custom Task
   About Web Reputation Analyses
   Viewing the Client Information Analysis
   Viewing the Site Statistics Analysis
   Chapter 7: Setting Up and Using Locations
   Locations Overview
   Creating Locations
   Creating Location-Specific Tasks
   How Location Properties Work
   Creating the First Confi
76. erator account without these credentials. Use the operator account to send a manifest of the latest available pattern file versions to your endpoints whenever new patterns are downloaded from Trend Micro.
   Note: The following items require a pre-installation of the CPM Automatic Update Setup Script on the server that hosts ESP and CPM. Download and install the latest script, using an administrator account, from Endpoint Protection > Core Protection Module > Updates and select Core Protection Module - Download CPMAutoUpdateSetup Script in the top right pane. Or, download the script from the following location: http://esp-download.trendmicro.com/download/cpm/CPMAutoUpdateSetup2_1.0.8.0.exe
   Take note of the following recommendations for the Automatic Update Setup Script:
   The operator account should not be given administrative rights on any endpoints.
   Do not change the default values supplied by the script.
   Enable automatic updates on the server to make the latest pattern versions available to endpoints.
   Be sure to run the script before proceeding to the following steps. The script automatically sets a flag on the server. After the flag is set, the Set ActiveUpdate Server Pattern Update Interval policy action configured in Step 2 will send a manifest of the latest available pattern updates to CPM endpoints.
   If you want to prevent endpoints from updating pattern files, use th
78. es from External File window appears.
   Select the text file you wish to import by clicking Browse next to the Select Import File field. The Open window appears.
   Use the Open window to navigate to the location where you have stored the text file.
   10. Select the file and click Open. The path to the selected file appears in the Select Import File field.
   11. Choose Blocked List or Approved List from the List Type.
   12. Click the Add Sites from File button.
   13. Click Yes to import the file. If you click No to import the list, you must re-launch the Wizard and perform the import process again. After you click Yes, the Blocked / Approved List Wizard displays the contents of the tab associated with the file.
   14. Click Finish to end the import process and start generating the relevant Custom Action.
   Note: To see the process required to finish generating your Custom Action and deploying the template, start at Step 8 in the Creating and Deploying a New Template on page 6-7 section.
   Viewing an Existing Template
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked / Approved List > Web Reputation Blocked / Approved List Wizard to open the Web Reputation Blocked / Approved List Wizard.
   3. Click the
79. file. When the next scan occurs, CPM for Mac does not scan the file if the cache information has not expired.
   In the CPU Usage section:
   Note: On Demand scans can be CPU intensive, and clients may notice a performance decrease when a scan is running. Moderate this effect by introducing a pause after each file is scanned, allowing the CPU to handle other tasks. Consider factors such as the type of applications run on the computer, CPU, RAM, and what time the scan is run.
   High: No pausing between scans
   Low: Pause longer between scans
   Configuring the Scan Exclusion Tab
   Core Protection Module for Mac does not support any configuration options on the Scan Exclusions tab. For details on configuring scan exclusions for Core Protection Module for Mac, see Configuring Scan Exclusion Lists on page 5-15.
   Configuring the Scan Action Tab
   The default scan action CPM for Mac performs depends on the virus/malware type and the scan type that detected the virus/malware.
   Note: Core Protection Module for Mac supports the following configuration options on the Scan Action tab.
   Procedure
   Use ActiveAction: ActiveAction is a set of pre-configured scan actions for different types of security risks. ActiveAction settings are constantly updated in the pattern files to protect computers against the latest security risks and the latest methods of attacks.
   Op
80. g ActiveUpdate
   Procedure
   1. On the CPM for Mac client, create/locate and open the following text file: /Library/Application Support/TrendMicro/common/lib/AUlib/aucfg.ini
   2. Add or change the following parameter: debug level 1
   3. Save and close the file.
   4. Log output will be saved here: /Library/Application Support/TrendMicro/common/lib/AUlib/AU_Data/AU_Log/TmuDump.txt
   Additional Files
   Create a manifest file and list of URLs by typing the following at a command prompt: TMMPMAuUpdater pu m Manifest f urllist
   Check the file server.ini in the following location: /Library/Application Support/TrendMicro/MPM/download
   Watchdog Functionality
   To provide improved failover defense for the Core Protection Module for Mac, a watchdog service has been introduced to monitor the program's own essential service processes, such as the iCoreService and TMMPM Adapter. Every 60 seconds, the watchdog checks for the existence of the Core Protection Module for Mac's main services. If one of the main services has exited abnormally or crashed, the watchdog stops all services and then restarts the CPM for Mac main services, guaranteeing the availability of the system.
   Contacting Trend Micro
   This chapter provides information to optimize the Trend Micro Core Protection Module for Mac (CPM for Mac) performance and get further assistance with any technical support questions you might
81. g CPM Clients
   Removing CPM Clients
   Enabling the Client Console for Mac
   Pattern File Management
   Configuring Updates from the Cloud
   Deploying Selected Pattern Files
   Reverting to a Previous Pattern File Version
   Updating Pattern Files on the CPM Server
   Updating Pattern Files on the CPM for Mac Clients
   Web Reputation
   Enabling Smart Protection Server Web Reputation Service
   Enabling HTTP Web Reputation (port 80)
   Enabling HTTP Web Reputation (all ports other than 80)
   Enabling HTTPS Web Reputation
   Configuring Web Reputation
   Appendix B: Reference Tables
   Available Virus/Malware Scan Actions
   Pattern and Scan Engine Files
   Scan Action Results for Compressed Files
   Appendix C: Understanding Security Risks
   Understanding the Terms
   About Internet Security Risks
   Viruses/Malware
82. g Web Reputation logs (True/False)
   Log Age Deletion Threshold: The number of days that logs will be kept on the endpoint before they are deleted (the log age deletion threshold).
   The Site Statistics analysis displays statistical information about the number of websites accessed by an endpoint. You can use this analysis to view the following:
   Blocked Sites: Shows the time a block occurred and the URL that was blocked.
   Viewing the Client Information Analysis
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Analyses > Web Reputation for Mac. The List Panel changes to show all available analyses: Web Reputation - Client Information and Web Reputation - Site Statistics.
   3. Click the Web Reputation - Client Information analysis. The Web Reputation - Client Information window appears.
   4. You can view the analysis property results in either List or Summary format. To select a perspective, choose the desired format from the drop-down box in the upper right corner of the analysis in the Results tab.
   5. To deactivate the analysis, return to the click here link in the Action window.
   Viewing the Site Statistics Analysis
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left n
83. ge: Ignored on Mac. CPM for Mac consolidates all Spyware/Grayware actions and options under the Virus/Malware scan options. CPM for Mac ignores this option when constructing Mac actions and relevance, in favor of the Virus/Malware scan options.
   Pattern Update and Rollback Wizard
   After upgrading the server components, the wizard shows any pattern sets downloaded with the older CPM 1.5 or 1.6 AU server components as well as the new CPM 2.0 AU server components.
   The rollback feature is supported only by CPM.
   After subscribing to the CPM for Mac site and upgrading the Server Components to the AU 2.0 plug-in architecture, the successive pattern sets downloaded show the Virus Scan Engine for Mac components.
   Older pattern sets downloaded with the CPM 1.5 or 1.6 AU server should still exist.
   Rollback capability for old and new pattern sets is restricted to CPM clients for Windows by applicability relevance.
   Old existing CPM 1.5 pattern sets are not applicable to CPM for Mac clients and are restricted in the applicability relevance.
   Unsubscribing from the CPM for Mac site does not automatically remove the Virus Scan Engine for Mac from the pattern updates. If this occurs, administrators need to remove the CPM 2.0 AU server components and then re-install the CPM 1.5 or 1.6 AU server components.
   Pattern Update Settings Wizard
   After upgrading the server component
84. guration and Task
   Creating the Second Configuration and Task
   Making the Configurations Location-Specific
   Configuring Automatic Updates Using Location Properties
   Chapter 8: Troubleshooting
   Installation
   Installation Status Codes
   Installation Error Codes
   Malware Scanning
   Enabling Debug Logging
   Disabling Debug Logging
   Malware Logs on the CPM for Mac Client
   Debug Logs
   Components Installation Debug Logs (CPM Server)
   Components Installation Debug Logs (CPM for Mac Client)
   Web Reputation Logs on the CPM for Mac Client
   Pattern Updates
   Automatic Pattern Update
   Proxy Server
   Client-Side Logging: ActiveUpdate
   Additional Files
   Watchdog Functionality
85. ile path: Users Mac file log
   Examples of files excluded from scans: Users Mac Desktop file log; Users Mac Movies file log
   Examples of files that Core Protection Module for Mac scans: Users file log; Users Mac file log
   Directory path
   Example 1: Users Mac
   Examples of files excluded from scans: Users Mac doc html; Users Mac Documents doc html; Users Mac Documents Pics pic jpg
   Examples of files that Core Protection Module for Mac scans: Users doc html
   Example 2: Components
   Examples of files excluded from scans: Users Components file log; System Components file log
   Examples of files that Core Protection Module for Mac scans: file log; Users file log; System Files file log
   Note: Core Protection Module for Mac does not support partial matching of folder names. For example, administrators cannot type Users user temp to exclude files on folder names ending in user, such as end_user or new_user.
   Configuring Scan Exclusion Lists
   For details about Scan Exclusion Lists, see Scan Exclusions on page 5-11.
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Configuration > Scan Exclusion Settings for Mac > Scan Exclusion Settings. The Scan Exclusion Settings for Mac wizard appears.
   3. Select
86. immediately after installing CPM for Mac, and then set the task to repeat hourly. The same holds true for CPM for Mac clients.
   Update Sources
   By default, CPM is configured to use the Trend Micro ActiveUpdate (AU) server for pattern updates. Although you can use an intranet source (for example, by manually downloading the pattern files to an internal computer and then pointing the ESP Server to that source), Trend Micro recommends that you use the AU server. This is the only official source for pattern updates, and in conjunction with CPM for Mac, AU provides several layers of authentication and security to prevent the use of forged or unsupported patterns.
   [Figure 2-1. Server Settings Wizard for identifying update sources. Fields shown: Trend Micro's ActiveUpdate Server; Other Update Source (URL: http://cpm-p.activeupdate.trendmicro.com/activeupdate); Intranet location containing a copy of the current file (UNC path, User Name, Password); Use a proxy server for pattern and engine updates (Proxy Protocol, Server Name or IP, Port, User Name, Password)]
   Configure the CPM for Mac server to frequently contact the AU server to check for and download pattern and component updates. If there is a proxy server between
87. [Figure: Applicable Computers list]
   4. Specify which endpoints and relays the task deploys to.
   5. Click OK.
   6. At the prompt, type your private key password and click OK.
   Chapter 5: Configuration Wizards Reference
   The CPM Dashboard includes Wizards to help you understand and organize scan-related configuration choices. Use the On Demand Scan Settings Wizard, for example, to define which files to scan, how to manage scan engine CPU usage, and designate the action to take whenever a threat is discovered. Individual scan configurations can also be saved as a Task, which is then available in the main Task List.
   Topics in this chapter include:
   Available Wizards on page 5-2
   ActiveUpdate Server Settings Wizard on page 5-2
   On Demand Scan Settings Wizard for Mac on page 5-4
   Real Time Scan Settings Wizard on page 5-9
   Scan Exclusions on page 5-11
   Available Wizards
   CPM for Mac provides the following configuration wizards.
   Table 5-1. Configuration Wizards
   WIZARD: REFERENCE
   ActiveUpdate Server Settings Wizard: ActiveUpdate Server Settings Wizard on page 5-2
   On Demand Scan Settings Wizard: On Demand Scan Se
88. [Figure: Take Action window, Execution tab]
   5. Select all the relevant computers and click OK.
   6. At the prompt, type your private key password and click OK.
   7. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed.
   Client Updates from the Cloud
   Receiving pattern updates from the cloud is not recommended as the default behavior. However, there are some cases, such as when an endpoint is not connected to the ESP Server or Relay, in which you may want the endpoint to fail over to updates from the cloud. The most typical use case is to support roaming clients, for example those being taken off-site for travel.
   Note: Perhaps the best method for updating roaming endpoints is to place an ESP Relay in your DMZ. This way, endpoints are able to maintain continuous connectivity with the ESP architecture and can receive their updates through this Relay just as they would if located inside the corporate network.
   There are several reasons updating from the cloud is not recommended for daily use by all endpoints:
   The Update from the cloud Task is not restricted only to roaming clients. You will need to target your endpoints carefully to avoid triggering a bandwi
89. [Figure: list of pattern and engine components with version numbers and update times]
   In the list of components that appears, select the pattern types that you want to allow updates for whenever pattern updates are applied. By default, all pattern files are selected.
   Click the Create Update Settings Task button in the upper right corner. The Edit Task window opens.
   Modify the default name in the Name field and use the Description tab to edit it so it clearly identifies the purpose of this custom Task.
   Edit the Description
90. ion on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Configuration > On Demand Scan Settings > On Demand Scan Settings Wizard. The On Demand Scan Settings Wizard appears.
   [Figure: On Demand Scan Settings Wizard, Scan Target tab]
91. is Clean and CPM for Mac is unable to clean an infected file, the backup action of Quarantine is taken.
   Note: Quarantining files: Administrators can configure CPM for Mac to quarantine any harmful files detected. CPM for Mac encrypts and moves the files to a directory on the endpoint that prevents users from inadvertently spreading the virus/malware to other computers in the network. See Available Virus/Malware Scan Actions on page B-2 for more information.
   Display a notification message on the client computer when virus/malware is detected: Enabling this option allows CPM for Mac to display a notification message for end users to see when a virus or malware threat has been detected on the endpoint.
   Scan Exclusions
   Configure scan exclusions to increase the scanning performance and skip the scanning of files known to be harmless. When a particular scan type runs, Core Protection Module for Mac checks the scan exclusion list to determine which files to exclude from scanning.
   SCAN EXCLUSION LIST: DETAILS
   Files: Core Protection Module for Mac does not scan a file if: the file's directory path is the same as the path specified in the scan exclusion list; or the file matches the full file path (directory path and file name) specified in the scan exclusion list.
   File extensions: Core Protectio
92. About Spyware/Grayware
   Potential Risks and Threats
   How Spyware/Grayware Gets into your Network
   Guarding Against Spyware/Grayware and Other Threats
   Index
   Chapter 1: Introducing Core Protection Module for Mac
   This chapter introduces Core Protection Module for Mac (CPM for Mac) and provides information on the following topics:
   Overview on page 1-2
   New in this Release on page 1-2
   How CPM for Mac Works on page 1-7
   ESP and CPM for Mac Components on page 1-8
   Features and Benefits on page 1-11
   The Trend Micro Pattern Files and Scan Engine on page 1-12
   Overview
   Trend Micro Core Protection Module for Mac (CPM for Mac) is an anti-malware application for Trend Micro Endpoint Security Platform (ESP). It works with ESP to protect the desktop and notebook Macs on your network from security risks, such as malware. ESP is built on the BigFix Enterprise Suite (BES) to provide extended management capabilities to the CPM for Mac server and clients. The CPM for Mac client provides real-time, on-demand, and scheduled malware protection. In addition, you can protect your users against visiting malicious websites by enabling CPM for Mac's
93. [Figure: Take Action window, Execution tab, showing the Constraints and Behavior settings]
   a. Change Preset as shown by the letter a in the figure above.
   b. Enable Starts on and choose the current date and time (do not set Ends on).
   c. Enable On failure, retry 99 times (default setting).
   d. Choose to Wait 15 minutes between attempts (default setting).
   e. Enable Reapply this action whenever it becomes relevant again (default setting).
   6. On the Target tab, choose All computers with the property values selected in the tree list below, and then select All Computers.
   Note: It is important to target All Computers for this action; only endpoints with the CPM for Mac client installed and that have automatic updates enabled will be
94. [Figure: ESP Console navigation tree and task list showing the Configuration Deployment Smart Protection Server task]
   Click Take Action. The Take Action screen appears.
   [Figure: Take Action screen, Target tab]
95. l Sites.
   3. Select the Trend Micro Core Protection Module for Mac site to be removed.
   4. In the right pane, click X Remove and then OK.
   5. At the prompt, type your private key password and click OK. ESP removes the CPM for Mac masthead.
   Chapter 3: CPM for Mac Clients: Installing and Updating
   There are a number of ways to handle the deployment of CPM for Mac clients to your endpoints, and you will need to decide on the one that works best for you and your organization. However, Trend Micro does recommend that you start off incrementally, deploying and then configuring a small number of clients, and then, either gradually or in batches, proceed until you have installed CPM for Mac clients on all your endpoints.
   Topics in this chapter include:
   About CPM for Mac Client Deployment on page 3-2
   Pattern File and Engine Updates on page 3-7
   Removing CPM for Mac Clients on page 3-14
   System Requirements on page 3-2
   Conflicting or Incompatible Programs on page 3-15
   About CPM for Mac Client Deployment
   The Tasks created in the procedures described below can only be deployed to relevant computers (the number of which is indicated after the Task name). In the ESP environment, relevance is determined by a "relevance statement" which defines certain conditions that the computer must meet. Any computers running an ESP Agent can receive relevance statements, and when
96. leting a Blocked or Approved List
   Follow the steps below to delete an existing Blocked or Approved List template from the Wizard's Template list.
   Procedure
   1. From the ESP Console menu, click Endpoint Protection on the bottom left pane.
   2. From the upper left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked / Approved List > Web Reputation Blocked / Approved List Wizard to open the Web Reputation Blocked / Approved List Wizard.
   3. Select the name of the Blocked or Approved List template you want to delete and click Remove. The Delete window appears.
   4. Click Yes. Web Reputation removes the template from the Blocked / Approved List Wizard Template Management window.
   Note: The Blocked / Approved List Wizard Delete feature only deletes the template from the Management list. It does not delete the Custom Task you created with the template. To completely remove the Blocked / Approved List template from your endpoints, follow the steps below.
   Deleting a WR Custom Task
   Procedure
   1. Select the name of the template you wish to delete in the Custom Tasks list and right-click. The right-click menu appears.
   Select Remove from the right-click menu.
   At the prompt, type your private key password and click OK.
   A series of messages displays when the Custom Task is removed from the affect
97. Enabling the Client Console for Mac on page A-8. Displaying the ESP Icon on Endpoints: Procedure: 1. In the ESP console, click Endpoint Protection > Core Protection Module > Common Tasks > Core Protection Module > Core Protection Module Enable Client Dashboard. A screen displaying the Task Description tab appears. Viewing ESP Hidden Client Statistics for a Given Account: Procedure: 1. From the endpoint you want to check, press the following keys: CTRL ALT SHIFT T. Decrypting Quarantined Files: WARNING: Decrypting an infected file may spread the virus/malware to other files. Trend Micro recommends isolating the computer with infected files by unplugging it from the network. Move important files to a backup location. When you decrypt or encrypt a file, CPM creates the decrypted or encrypted file in the same folder. For example, type VSEncode d debug to decrypt files in the suspect folder and create a debug log. The following files are required: Main file: VSEncode.exe. Required DLL files: Vsapi32.dll. Run Restore Encrypted Virus using the following parameters: no parameter (encrypt files in the Suspect folder); d (decrypt files in the Suspect folder); debug (create debug log and output in the client temp folder); o (overwrite encrypted or decrypted file if it already exists); e <file
98. n Module for Mac does not scan a file if the file extension matches any of the extensions included in the exclusion list. Scan Exclusion List (Files): Administrators must follow specific criteria when configuring the file exclusion list. Core Protection Module for Mac supports a maximum of 64 file exclusions. Administrators cannot type only a file name; Core Protection Module for Mac requires a full file path. Administrators must type properly formatted paths. See the following table for examples. PATH / DETAILS / EXAMPLES. Full file path: Excludes a specific file. Example 1: file log. Example 2: System file log. PATH / DETAILS / EXAMPLES. Directory path: Excludes all files located on a specific System eration subfolders. Example 1: System. Examples of files excluded from scans: System file log; System Library file log. Examples of files that Core Protection Module for Mac scans: Applications file log. Example 2: System Library. Examples of files excluded from scans: System Library file log; System Library Filters file log. Examples of files that Core Protection Module for Mac scans: System file log. Use the asterisk wildcard in place of folder names. See the following table for examples. PATH / WILDCARD USAGE / EXAMPLES. Full f
99. [Screenshot: ESP Console task for configuring the Web Reputation proxy server. The Description asks for the IP address or hostname of the proxy server. Its Important Note lists a download with Size: 185718 and SHA1: 28704ae66eef9fc9dc0be92f91d64fe714d40f10. Usage Note: The TMCPMEncrypt.exe command line tool provides the option to generate an encrypted string. The encrypted string can be used for proxy passwords. The Actions link reads "Click here to configure proxy server settings".] The Take Action screen appears. 6. In the Target tab, a list of endpoints that are running the CPM client appears. 7. Select all applicable computers (those that are running WR) and then click OK. 8. At the prompt, type your private key password and click OK. 9. In the Action Summary window that opens, monitor the Status
100. n from the CPM for Mac client console, the scan settings reflect the latest settings configured by the administrator for an On Demand Scan. For example, an administrator might schedule an On Demand Scan on every Thursday 12:00 PM that scans all file types. Then the administrator might run an On Demand scan with different scan settings, maybe scanning only for EXE files, at 14:00 PM. If an end user runs a Manual Scan at 15:00 PM and the administrator has not changed the settings, the end user's Manual Scan will only scan for EXE files, not all file types. Scheduled scans: You can schedule an On Demand scan to trigger at a given time, day, or date. You can also have the scan automatically reoccur according to the schedule you set. Real Time scans: This scan checks files for malicious code and activity as they are opened, saved, copied, or otherwise being accessed. These scans are typically imperceptible to the end user. Real time scans are especially effective in protecting against Internet-borne threats and harmful files being copied to the client. Trend Micro recommends that you enable real time scanning for all endpoints. Configuring the Default Scan Settings: Whenever you run the default on demand scan, the settings applied are those that you configured for the default On Demand Scan Settings. The relationship between these is shown in the following figure. Procedure: 1. From the ESP Console menu, click Endpoint Protect
101. name> (encrypt or decrypt a single file); nr (do not restore original file name). Deploying CPM Clients: Procedure: 1. Click Endpoint Protection > Core Protection Module > Deployment > Install. 2. Click Core Protection Module Endpoint Deploy. Removing CPM Clients: Procedure: 1. In the ESP console, click Endpoint Protection > Core Protection Module > Deployment > Uninstall. 2. Click Core Protection Module Endpoint Uninstall in the list of Actions that appears. Enabling the Client Console for Mac: Procedure: 1. In the ESP console, click Endpoint Protection > Core Protection Module > Common Tasks > Core Protection Module > Client. 2. Select Core Protection Module for Mac Enable Client System Tray Icon. Pattern File Management: The steps below are for experienced ESP administrators who just need a list for tasks involving the pattern files. Procedures include: Configuring Updates from the Cloud on page A-8; Deploying Selected Pattern Files on page A-9; Reverting to a Previous Pattern File Version on page A-9; Updating Pattern Files on the CPM Server on page A-9; Updating Pattern Files on the CPM for Mac Clients on page A-10. Configuring Updates from the Cloud: Procedure: In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Updates > Othe
102. name of the Blocked Approved List template you want to examine. The Blocked Approved List Templates Add Template window appears. Copying and Editing a Template: Web Reputation enables you to create copies of existing Blocked Approved List templates. Use this feature to create copies of existing templates or to create slightly modified versions of existing templates. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Configuration > Web Reputation Blocked Approved List > Web Reputation Blocked Approved List Wizard to open the Web Reputation Blocked Approved List Wizard. 3. Select the name of the Blocked Approved List template you want to duplicate and click Copy. The name of the template appears in the form of "Copy of" followed by the template name you chose to copy. Web Reputation automatically copies the contents of the Blocked and Approved List fields into the new template. 4. Change the name in the Template Name field to a descriptive template name. 5. Make other necessary changes to the template. For example, in copied templates you can: Add new URLs to the copied Blocked or Approved List; Remove URLs from the Blocked or Approved List; Import and append either an external blocked or an external approved list to your Blocked and Approved List entries.
103. nd SNMP alert notifications. These features facilitate a seamless integration with a customer's IT operation infrastructure. Smart Protection Relay (SPR): Based on an elegant and efficient architecture, Trend Micro Smart Protection Relay is a light-weight connection between Smart Protection Server and the Smart Protection clients. Trend Micro Smart Protection Relay takes the flexibility of deployment with Smart Protection Network to the next level. For corporations and organizations which usually have slow and expensive links across their organizations, Smart Protection Relay concentrates, throttles, and significantly reduces the bandwidth required between the smart protection clients and Smart Protection Servers. With its small footprint, flexibility of deployment, and minimized administrator managing requirements, Smart Protection Relay proves to be the best fit for most subsidiary or remote branch offices that have lower cross-site bandwidth and limited on-site IT resources. Features and Benefits: CPM for Mac reduces business risks by preventing infection, identity theft, data loss, network downtime, lost productivity, and compliance violations. Additionally, it provides your large enterprise with a host of features and benefits. Ease of Management: Uses small, state-of-the-art pattern files and enhanced log aggregation for faster, more efficient updates and reduc
104. nd Scan Settings Wizard. [Screenshot: Take Action window for the task named "User Configured On Demand Scan", created in the Endpoint Protection domain, with tabs including Offer, Post Action, Applicability, Success Criteria and Action Script. The Execution tab shows the Constraints options (Starts on, Ends on, Run between, Run only on, Run only when) and the Behavior options (On failure retry, Wait until computer has rebooted, Reapply this action whenever it becomes relevant again).]
105. ne of the other widgets display any data. Disabling the widgets improves SPS performance. Activating Core Protection Module for Mac Analyses: Core Protection Module for Mac includes a number of analyses that are used to collect statistics from target computers. Analyses data are used to display information, typically in Reports, about endpoint scan and configuration settings, server settings, spyware, and virus events. Analyses must be activated before they can be used. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Analyses > CPM for Mac Endpoints > analysis name. The Analysis Description tab opens. 3. Below the Description, click the hyperlink to activate the analysis. 4. At the prompt, type your private key password and click OK. Shortcut: Activate All CPM for Mac Analyses: You can activate all CPM for Mac analyses at once, thus avoiding the need to repeatedly type your private key password and click OK. You can activate the CPM for Mac client analyses anytime, before or after the CPM for Mac clients have been deployed. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Analyses. 3. Click the Name column header to so
106. network. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. From the upper left navigation pane, go to Core Protection Module > Configuration > Smart Protection Server Settings > Smart Protection Server List. The Assign Smart Protection Server List screen appears. Click Create a Task to Assign the List. A Create Task dialog box appears. [Screenshot: Create Task dialog, with the options "Create in site: Master Action Site" and "Create in domain: Endpoint Protection". Description: Use this task to deploy the Smart Protection Server List to specified computers. Actions: Click here to deploy the task.] Click OK. At the prompt, type your private key password and click OK. Deploying the Smart Protection Server List: Procedure: From the ESP Console menu, click Endpoint Protection on the bottom left pane. From the upper left navigation pane, go to Core Protection Module > Configuration > Smart Protection Server Settings > Custom Tasks. Click the Smart Protection Server deployment task. Settings for the task appear. The Custom Tasks screen appears. [Screenshot: Custom Tasks navigation tree.]
107. ng preferences to target advertisements at the user through a web browser. Dialers: Change computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem. Joke Programs: Cause abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes. Hacking Tools: Help hackers enter computers. Remote Access Tools: Help hackers remotely access and control computers. Password Cracking Applications: Help hackers decipher account user names and passwords. Other: Other types not covered above. Potential Risks and Threats: The existence of spyware/grayware on your network has the potential to introduce the following: Table C-4. Types of Risks (TYPE: DESCRIPTION). Reduced computer performance: To perform their tasks, spyware/grayware applications often require significant CPU and system memory resources. Increased web browser-related crashes: Certain types of grayware, such as adware, are often designed to create pop-up windows or display information in a browser frame or window. Depending on how the code in these applications interacts with system processes, grayware can sometimes cause browsers to crash or freeze and may even require a system reboot. Reduced user efficiency: By needing to close frequently occurring pop-up advertisements and deal wi
108. ns. For details, see Enabling the Client Console for Mac on page A-8. Key Differences Between CPM and CPM for Mac: When migrating from CPM to CPM for Mac, take note of the differences in the following features. Version Report: These changes display after subscribing to the CPM for Mac website. A new pie chart that displays the Anti-virus Engine Versions for Mac. A new pie chart, initiated from the CPM tab, that displays the CPM for Mac Program Version. The existing Anti-virus Pattern Versions pie chart has changed to support both Windows and Mac endpoints. The existing Spyware Active-monitoring Pattern Versions pie chart has changed to support both Windows and Mac endpoints. Infection Report: A new pie chart displays the Top Mac Malware Infections, but only the total number of malware infections. A new data chart that details the Mac Malware Infections. Web Reputation: CPM for Mac only supports the Blocked Web Sites chart. Wizards: Real Time Scan Settings Wizard: No additional configuration has been added compared to CPM. CPM for Mac supports only a subset of the CPM configuration, listed as follows: Malware scans enabled or disabled; User activity on files; Scan compressed files enabled or disabled; Scan action: Use ActiveAction, Use custom actions. Note
109. ny Relay Server can be used to determine the location of the client. Web Reputation opens a blocking page whenever access to a malicious site is detected. This page includes links to the Trend Micro Web Reputation Query system, where end users can find details about the blocked URL or send feedback to Trend Micro. Proxy server authentication for Web Reputation is also supported. You can specify a set of proxy authentication credentials on the web console. HTTP proxy servers are supported. The Trend Micro Pattern Files and Scan Engine: All Trend Micro products, including CPM for Mac, can be configured to automatically check the Trend Micro ActiveUpdate (MAU) server, then download and install updates when found. This process is typically configured to occur in the background, although you can manually update some or all of the pattern files at any time. In addition, pre-release patterns are available for manual download (at your own risk) in the event that a situation such as a virus outbreak occurs. Pre-release patterns have not undergone full testing but are available to stop burgeoning threats. You can manually download the virus pattern and other files from the URL provided below. At the same location, you can also check the current release version and date, and review all the new virus definitions included in the files. http://www.trendmicro.com/download/pattern.asp Incremental Virus Pattern File Updates: CPM for Mac, in conjunction
110. og files from occupying too much space on the server, you can specify how many days to retain logs. The newest logs will replace oldest after this number of days. The default is 10 days. Logs are stored in the following directory: TrendMirrorScript log. Number of Updates to Keep on Server (1-100): You can store previous pattern file sets on the server in case you ever need to revert, or roll back, to an older file. By default, CPM for Mac keeps the current pattern and 15 "snapshots" of the pattern set. On Demand Scan Settings Wizard for Mac: Core Protection Module for Mac only supports virus/malware scanning on CPM for Mac clients. For details on different types of virus and malware threats, see Understanding Security Risks on page C-1. Note: When an end user initiates a Manual Scan from the CPM for Mac client console, the scan settings reflect the latest settings configured by the administrator for an On Demand Scan. For example, an administrator might schedule an On Demand Scan on every Thursday 12:00 PM that scans all file types. Then the administrator might run an On Demand scan of Users username with different scan settings at 14:00 PM. If an end user runs a Manual Scan at 15:00 PM and the administrator has not changed the settings, the end user's Manual Scan will only scan Users username, not the entire endpoint.
111. on > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard > Others section. There are several things to bear in mind with regards to rolling back a pattern update: Part of the rollback process is to lock down endpoints to prevent any further pattern updates until the lock has been cleared. The lock serves as a safeguard against re-introducing whatever issue it was that triggered the need for a rollback. Once the issue has been resolved, either by changing something on the endpoints or by acquiring a different version of the pattern file, you will need to run the Core Protection Module Clear Rollback Flag Task to re-enable updates. If your clients are not all running the same version of the pattern file (that is, some have the current pattern and some have a much older version) and you perform a rollback to the previous version, those with the current version will be reverted to the previous version, while those with the older version will be updated to the version. You can rollback all or selected pattern files. However, even if you only rollback one pattern file, you will still need to reset the rollback flag for all pattern files. Performing a Pattern File Rollback: Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Updates > Update Rollback
112. on Module. In the list of Fixlets that appears in the right window pane, select Core Protection Module Uninstall product name by double-clicking it. 3. Below Actions, click the hyperlink to open the Take Action window. 4. In the Target tab, a list of the endpoints that are running the selected program appears. Click Applicable Computers to choose all relevant computers. In addition, you may also want to configure other options, as described below. Execution: Set the deployment time and retry behavior. Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur). Messages: Configure these options to passively notify the user that the uninstall is going to occur, to obtain consent, or to ask users to stop using their computer while the install occurs. Offer: Configure these options if you want the user to be able to choose whether the program is removed. A pop-up message displays on the target endpoints (requires that the client is enabled for offers). 5. Click OK. 6. At the prompt, type your private key password and click OK. 7. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Deploying CPM for Mac Clients to the Endpoints: Use the Core Protection Module for Mac Endpoint Deploy Task to deploy CPM for Mac to all computers you want to secure against viruses
113. on Properties Work on page 7-6. 7. With your location still selected, click the Execution tab. 8. Remove any Constraints that you do not want to apply (such as a Start and End date), and in the Behavior section make sure only the following option is enabled: Reapply this action... whenever it becomes relevant again. [Screenshot: Take Action window for the action named "Firewall policy to prevent FTP over WLAN at London office", created in the Endpoint Protection domain. The Execution tab shows the Constraints options (Starts on, Ends on, Run between, Run only on, Run only when) and the Behavior options (On failure retry, Reapply this action whenever it becomes relevant again, Stagger action start times over 5 minutes to reduce network load).] 9. Click OK. 10. At the prompt, type your private key password and click OK. 11. Repeat this procedure for the s
114. on you want to identify, type the subnet IP address. If a single location includes more than one subnet, type each subnet IP address, followed by the same location name, on a new line. Clients will self-determine their relevance to a given location by comparing their current IP address with the value(s) specified here. Note that clients with multiple NICs may self-identify using their WLAN or LAN IP address, so you may need to include both subnets. Create a retrieved property that maps subnet to location using only the first two octets: Use this option to support a larger block of IP addresses. As above, clients will self-identify their relevance to this IP address block. Clients not included in the block will either inherit the default configuration that is not location-specific, or not be covered by any location property. Create a retrieved property that maps IP address range to location: Only one range per line is supported (do not delimit multiple ranges). Create a retrieved property that uses a custom relevance expression and maps the result using a key/value set: See the ESP Administrator's Guide for more information. Give the property a name that will clearly identify its purpose and click Next. For each location, type the subnet address(es). Click the Insert Tab button and then type a name. Use only one IP/location pair per line, as shown in the foll
115. or example, shortly after the "I love you" virus appeared, antivirus vendors found modified copies of the original code, which spread themselves with different subject lines or message bodies. Whatever their type is, the basic mechanism remains the same. A virus contains code that explicitly copies itself. In the case of file viruses/malware, this usually entails making modifications to gain control when a user accidentally executes the infected program. After the virus code has finished execution, in most cases it passes back the control to the original host program to give the user an impression that nothing is wrong with the infected file. Take note that there are also cross-platform viruses/malware. These types of viruses/malware can infect files belonging to different platforms (for example, Windows and Linux). However, such viruses/malware are very rare and seldom achieve 100% functionality. About Spyware/Grayware: Your clients are at risk from potential threats other than viruses/malware. Grayware can negatively affect the performance of the computers on your network and introduce significant security, confidentiality, and legal risks to your organization. Table C-3. Types of Grayware (TYPE: DESCRIPTION). Spyware: Gathers data, such as account user names and passwords, and transmits them to third parties. Adware: Displays advertisements and gathers data, such as user web surfi
116. Note: CPM for Mac only supports the scanning of compressed files, not the configuration of the maximum number of compression layers. Configuring the Scan Exclusion Tab: Core Protection Module for Mac does not support any configuration options on the Scan Exclusions tab. For details on configuring scan exclusions for Core Protection Module for Mac, see Configuring Scan Exclusion Lists on page 5-15. Configuring the Scan Action Tab: The default scan action CPM for Mac performs depends on the virus/malware type and the scan type that detected the virus/malware. Note: Core Protection Module for Mac supports the following configuration options on the Scan Action tab. Procedure: Use ActiveAction: ActiveAction is a set of pre-configured scan actions for different types of security risks. ActiveAction settings are constantly updated in the pattern files to protect computers against the latest security risks and the latest methods of attacks. Optionally, select a customized action for probable virus/malware threats. Tip: If you are unsure which scan action is suitable for a certain type of security risk, Trend Micro recommends using ActiveAction. Use the same action for all virus/malware types: If the first action fails, CPM for Mac automatically takes the second action. For example, if the default action
117. Table of Contents (excerpt): Incremental Updates; Updates from the Cloud; Updating Pattern Files on CPM for Mac Clients; Removing CPM for Mac Clients; System Requirements; Conflicting or Incompatible Programs. Chapter 4: Configuring and Managing CPM for Mac: Using the CPM Dashboard and Menu; Tips for Navigating the CPM Console; How CPM for Mac Task Flows Work; Configuring and Running Malware Scans; Configuring the Default Scan Settings; Configuring an On Demand Scan; Running an On Demand Scan; Scheduling an On Demand Scan Automatic Scanning; Client Updates from the Cloud; Configuring Clients to Update from the Cloud; Previous Pattern File Version Rollback; Performing a Pattern File Rollback; Re-enabling Updates Following a Rollback; Deploying Selected Pattern Files
118. otection > Core Protection Module > Configuration > On Demand Settings. Use the On Demand Settings Wizard > Create Scan Now Task. To deploy the new settings, click Endpoint Protection > Core Protection Module > Configuration > On Demand Settings > scan name. Scheduling an On Demand Scan: Procedure: 1. Click Endpoint Protection > Core Protection Module > Configuration > On Demand Settings > scan name. 2. Click the Take Action button and select the "Click here to configure these policy settings" option. 3. In the Take Action window, click the Target tab and select the target computers. 4. In the Take Action window, click the Execution tab. Choose a Start date, and optionally configure the days you want the scan to run in the Run only on field. Select Reapply this action while relevant, waiting 2 days between reapplications (choosing whatever time period suits you). 5. Click OK to deploy the task. CPM Server Management: The steps below are for experienced ESP administrators who just need a list for tasks involving the CPM server. Procedures include: Activating Analyses on page A-4; Removing CPM Server Components on page A-4; Upgrading CPM Server Components on page A-5; Removing the CPM for Mac Site on page A-5. Activating Analyses: Procedure: 1. In the ESP Console navigation pane, click Endpoint Protection > Core
119. out Internet Security Risks on page C-2; Viruses/Malware on page C-3; About Spyware/Grayware on page C-5. Understanding the Terms: Computer security is a rapidly changing subject. Administrators and information security professionals invent and adopt a variety of terms and phrases to describe potential risks or uninvited incidents to computers and networks. The following is a list of these terms and their meanings as used in this document. Some of these terms refer to real security risks and some refer to annoying or unsolicited incidents. Trojans, viruses/malware, and worms are examples of terms used to describe real security risks. Joke programs and spyware/grayware are terms used to describe incidents that might be harmful, but are sometimes simply annoying and unsolicited. CPM can protect Exchange servers against all of the incidents described in this chapter. About Internet Security Risks: Thousands of viruses/malware are known to exist, with more being created each day. These include spyware/grayware, phish sites, network viruses/malware, Trojans, and worms. Collectively, these threats are known as security risks. Here is a summary of the major security risk types: Table C-1. Internet Security Risks (THREAT TYPE: CHARACTERISTICS). Denial of Service (DoS) attack: A DoS attack happens when a mail server's resources are overwhelmed by unnecessary tasks. Preventing
120. owing screen. Create multiple lines for the same location if it uses multiple subnets. [Screenshot: "Please provide Key/Value Pairs" dialog. Please enter one Key/Value pair per line according to the sample pairs shown below. Each key and value must be TAB delimited, and please use the Insert Tab button below to insert a tab character. If errors in formatting are detected, they will be displayed on the next page. Sample pairs: 192.168.100.0 California; 192.168.101.0 New York; 210.210.132.0 Florida; 10.155.173.12 Germany. The BES Clients with the key will return the corresponding Value instead.] Note: Be careful not to overlap any IP addresses when specifying ranges. Computers included in multiple locations will constantly be updated as they re-evaluate and recognize their relevance to one location and then another. Click Next, and if no valid IP/location pairs are displayed, click Next again. Accept the defaults that are selected in the Additional Options window and click Finish. The Import Content window opens. [Screenshot: Import Content window. Review each ESP object to import by clicking Edit or double-clicking in the list below. Actions will immediately be sent to clients and are targeted at all applicable computers by default. Create in site: Master Action Site. Listed objects: Location By Subnet Setting (Single Action, Master Operator Site); Location By Subnet (New Property, Master Operator Site).]
121. oy the CPM for Mac client, perform the following procedures: 1. Identify ineligible endpoints. 2. Identify conflicting products. 3. Remove conflicting products. 4. Deploy CPM for Mac clients. Identifying Ineligible Endpoints: The CPM for Mac client supports most operating systems and typically does not require system resources exceeding those required by the host operating system. However, there are some factors that can preclude otherwise eligible endpoints from receiving the CPM for Mac client. Perform the procedures that follow to identify which of your endpoints, if any, require modification before installing the client. Do this before removing any existing security products to ensure a continuation of your endpoint security. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Troubleshooting. 3. From the list on the right pane, select Core Protection Module Ineligible for Install Insufficient Hardware Resources. The Fixlet Description opens. 4. Click the Applicable Computers tab. A list appears with the endpoints with insufficient hardware resources. 5. Below Actions, click the hyperlink if you want to connect to the Support web page for more information. 6. Repeat steps 1-3 for any Tasks that pertain to endpoint readiness, for example Trou
122. ply, for example one that distinguishes between corporate and non-corporate Internet connections. a. Execution: Schedule the time and duration of the cloud updates, as well as the retry behavior. This setting can be very useful for cloud updates. b. Users: Select the computers you want to convert to cloud updates by User. This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur). 6. Click OK when finished. 7. At the prompt, type your private key password and click OK. 8. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Previous Pattern File Version Rollback: Problems with the scan engine and/or pattern files are very uncommon. However, if a problem does occur, it is likely to be due either to file corruption or false positives (incorrect detection of malware in non-problematic files). If a problem does arise, you can deploy an Action to affected endpoints that will delete the file(s) in question and replace them with a different version. This action is called a pattern rollback, and you can roll back all or selected pattern files. By default, the CPM server keeps 15 previous versions of the pattern and engine file for rollbacks (set this at the bottom of the Server Settings Wizard: Core Protection Module > Configurati
123. ported Computers tab to follow the status of the scan. It usually takes a few minutes for targeted computers to report back their Action status. System Requirements: A quick list of supported operating systems is provided as follows: Mac OS 10.5.x - 10.8.x; Mac OS X 10.9. CPM for Mac supports migrations from the following: CPM for Mac 1.x client. Conflicting or Incompatible Programs: Remove the following programs before deploying CPM for Mac to the endpoints. Table 3-1. Conflicting or Incompatible Programs (PROGRAM TYPE: CONFLICTING/INCOMPATIBLE PROGRAMS). Spyware [...] Programs: Norton AntiVirus 11 or later for Mac; Norton Internet Security 4 or later for Mac; Intego VirusBarrier X4 or later; Intego NetBarrier X4 or later; Sophos Anti-Virus for Mac OS X 7.1.1 or later; avast! Mac Edition 2.7.4 or later; Kaspersky 7.0 beta or later; MacScan 2.6 or later; McAfee VirusScan for Mac 8.6 or later; PCTools iAntivirus 1.36 or later; ClamXav 1.1.1 with ClamAV 0.95.2 backend or later. Trend Micro Software: These software programs should be removed from the endpoints before deploying CPM clients to those computers. Use the program's native uninstaller to remove them. Trend Micro Security for Macintosh 1.0 or later; Trend Micro Smart Surfing for Mac 1.0 or later.
124. putation. 3. From the right pane, select Web Reputation Enable Configure Proxy Settings. A screen displaying the Task Description tab appears. 4. Download and extract the encryption program, which will have a name such as the following: TMCPMEncrypt.exe utility tool. a. Run the program. At the prompt, type your password in the field. b. Copy the encrypted results (you will be prompted to paste them later). 5. Back in the Task Description window, below Actions, click the hyperlink. At the prompt, provide the following: Proxy IP address or host name; Proxy port; User name for proxy authentication; Encrypted password (paste the password you encrypted).
125. r Update Tasks > Core Protection Module Update From Cloud. A screen displaying the Task Description tab appears. Deploying Selected Pattern Files: By default, all pattern files are included when the pattern is deployed from the ESP Server to CPM clients. You can, however, select and deploy a subset of patterns. Procedure: 1. In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Updates > Pattern Update Settings > Create Pattern Update Settings Task. 2. In the list of components that appears, select those that you want to include in the pattern update. By default, all patterns are selected. 3. Click the Create Update Settings Task button in the upper right corner. 4. Deploy the setting by clicking Endpoint Protection > Core Protection Module > Updates > Pattern Update Settings > Task name. Reverting to a Previous Pattern File Version: Procedure: In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Updates > Update Rollback Patterns > Create Pattern Update Rollback Task. Updating Pattern Files on the CPM Server: Procedure: 1. Configure the ActiveUpdate server and proxy settings. In the ESP Console navigation pane, click Endpoint Protection > Core Protection Module > Configuration
126. rmany, and that travel between offices is not uncommon. In California and New York, the corporate security policy requires that suspicious files be quarantined. In Germany, such files must be deleted. In locations other than California or Germany, incidents should be logged but no action taken. You can accommodate all these regulations by creating Location Properties. In short, a client can disconnect from the corporate network in California one day and reconnect in Germany the next, and his computer will automatically pick up the correct security policy for the new location. This same idea also applies to firewall configurations and other CPM for Mac security features. So, for example, in addition to location-specific configurations, you can create NIC-specific security policies if you want to have one set of malware and firewall settings that govern wireless connections and another set for wired connections. Your LAN and W-LAN settings can be the same for all geographic locations, or they too can vary to reflect a local security policy. For example, wireless connections in New York could have one set of rules and wired connections might have a different set of rules. In Germany, there may be completely different rules for both wired and wireless connections: two locations, but four sets of rules that may apply. Creating Locations: Use the ESP Location Property wizard to create one or more named properties that allow ESP Agents to identif
127. rs deployed on your network. CPM for Mac automatically detects Smart Protection Servers on your network if an ESP Agent is installed on the server hosting a Smart Protection Server. For more information on installing an ESP Agent on a Smart Protection Server, see Connecting ESP to SPS on page 2-10. This Smart Protection Server hosts File Reputation Services, Web Reputation Services, or both. File Reputation Services supports HTTP or HTTPS, while Web Reputation Services supports only HTTP connection. Endpoints can connect to the Smart Protection Servers using HTTP and HTTPS protocols. HTTPS allows for a more secure connection, while HTTP uses less bandwidth. Configuring the Smart Protection Server List: Smart Protection Servers must be ordered and the communication configured. Procedure: From the ESP Console menu, click Endpoint Protection on the bottom left pane. From the upper left navigation pane, go to Core Protection Module > Configuration > Smart Protection Server Settings > Smart Protection Server List. If there are no Smart Protection Servers on your network with ESP Agent installed, no servers appear in the Available Smart Protection Server List. The Smart Protection Server List screen appears.
128. rt the analyses in alphabetical order, then scroll down the list and select all the Core Protection Module for Mac analyses. 4. Right-click the list you have selected. In the pop-up menu that appears, click Activate. 5. At the prompt, type your private key password and click OK. CPM activates all the Analyses. Removing CPM Server Components: Use the Remove Server Components Task to uninstall CPM server components from the ESP Server (seldom used). Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Deployment > Uninstall. 3. From the list in the upper right pane, select Core Protection Module Remove Server Components. A screen displaying the Task Description tab appears. 4. Below Actions, click the hyperlink to open the Take Action window. 5. Select the CPM server and click OK. 6. At the prompt, type your private key password and click OK. The ESP server initiates the removal. Removing the Core Protection Module for Mac Site: Remove the Core Protection Module for Mac and/or Trend Reporting site from the ESP Console by deleting the mastheads from the list of managed sites. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to All Endpoint Protection > Sites > Externa
129. rview subcategory. Click a category, such as Updates. Find any task, including custom tasks, in the right upper pane. Tasks can be sorted alphabetically by clicking the Name column heading. Click a Task to open it and view the description. Navigate back, forward, refresh the console data, or control how much data displays from the button above the navigation tree. When working on a specific task, you can use the buttons above the Description window to Take Action, Edit, Copy, Export, Hide Locally or Globally, and (sometimes) Remove. Target certain computers when the Task is open by clicking one of the sub-tabs that appears: Description (default), Details, Applicable Computers, and Action History. Run the Task by clicking the link that appears below the Action window. Add or remove display columns by right-clicking any column header and then selecting or de-selecting from the pop-up menu that appears. Bundle configuration settings into a Task, attach it to selected endpoints, and schedule it to run automatically. To configure components: a. Use the Endpoint Protection > Core Protection Module > Configuration > component to be configured to make your security and firewall configurations. For example, you can access the tasks for setting up the behavior of client scans. b. Select the task in the list on the right or click the Create task name button. Note: Windows b
130. The configuration settings you define for these scans apply in conjunction with whatever Global Settings you have configured. On-Demand scans: Use On-Demand scans to run a one-time scan of client hard drives and/or the boot sector. Launch the default scan with the Scan Now Task. On-Demand scans can take from a few minutes to a few hours to complete, depending on how many files are scanned and client hardware. Note: When an end user initiates a Manual Sca
131. s Quarantine (typical), Delete, Rename, or Pass. Pass: CPM for Mac performs no action on the infected file but records the virus/malware detection in the logs. The file stays where it is located. CPM for Mac cannot use this scan action during Real-time Scan, because performing no action when an attempt to open or execute an infected file is detected allows virus/malware to execute. All the other scan actions can be used during Real-time Scan. For the "probable virus/malware" type, CPM for Mac always performs no action on detected files, regardless of the scan type, to mitigate false positives. If further analysis confirms that the probable virus/malware is indeed a security risk, a new pattern will be released to allow CPM for Mac to take the appropriate scan action. If actually harmless, the probable virus/malware will no longer be detected. Pattern and Scan Engine Files (COMPONENT: DESCRIPTION). Virus Pattern: A file that helps CPM's conventional scan clients identify virus signatures, unique patterns of bits and bytes that signal the presence of a virus. Virus Scan Engine: The engine that scans for and takes appropriate action on viruses/malware; supports 32-bit and 64-bit platforms. Spyware Active-monitoring Pattern: File used for real-time spyware/grayware scanning. Scan Action Results for Compressed Files: Status of Clean
132. s: Scores range from 51 to 80. URLs that have been implicated in Phishing or Pharming attacks. Dangerous: Scores range from 0 to 49. Static and malicious ratings. URLs are confirmed as malicious, for example a known vector for spyware or viruses. Security Levels range from high to low and have the following default actions: High: Blocks unknown, suspicious, and dangerous sites. Medium: Blocks dangerous and suspicious sites. Low: Blocks only dangerous sites. For example, if you set the Security Level to Low, Web Reputation will only block URLs that are known to contain malicious software or security threats.
133. s and Tasks > All > By Site > Trend Micro Core Protection Module. Select tasks by clicking one of the following folders: By Source Severity, By Category, By Source, or By Source Release Date. b. Select the Endpoint Protection menu item at the bottom left of the ESP console window. In the navigation tree, select Core Protection Module and click one of the following categories: Overview, Protection Status, Quick Start, Reports, Common Tasks, Deployments, Updates, Configuration, Analyses, or Troubleshooting. Note: This manual mainly uses method b. Figure: Method b, Endpoint Protection. Display the CPM Console Dashboard by clicking the Endpoint Protection menu item, the Core Protection Module folder in the tree, and the Ove
134. s and downloading a new 2.0 pattern set, the setting to enable/disable the updating of the Virus Scan Engine for Mac displays. After subscribing to the CPM for Mac site and upgrading the Server Components (the AU 2.0 plug-in architecture), the successive pattern set downloaded shows the Virus Scan Engine for Mac components. After downloading new pattern sets with the Virus Scan Engine for Mac, this new component appears to enable and disable the update. Unsubscribing from the CPM for Mac site removes this setting. Refer to the integrated UI for more information. How CPM for Mac Works: Trend Micro ESP uses the patented Fixlet technology from BigFix to identify agents with outdated antivirus and malware protection. You can trigger 50,000 computers to update their 10MB pattern file and have confirmation of the completed action in as little as 15 minutes. Once CPM for Mac is installed, you will find it easy to protect your networked computers and keep them secure, all from the ESP Console. Deploying CPM for Mac to ESP-managed endpoints can be accomplished in minutes. After completing this process, you will be able to track the progress of each computer as you apply CPM for Mac component updates. This tracking makes it easy to gauge the level of protection across your entire enterprise. Additionally, the ESP Web Reporting module makes it simple to chart the status of your overall protection with web-based reports. Core Protection
135. ss rights to the proxy. Password: The password is encrypted when stored and transmitted. 5. Click the Create Server Configuration Action button. The Take Action screen appears. 6. Select the ESP server and click OK. 7. At the prompt, type your private key password and click OK. 8. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Preparing the ESP Server and Updating the Pattern Files: This procedure requires running a script to prepare the ESP Server for recurring automatic pattern updates, which are then used for CPM for Mac client updates. Automatic Updates allow you to automatically deliver and apply pattern file updates to your endpoints whenever new patterns are made available by Trend Micro. Note: An endpoint's automatic update flag is set after CPM for Mac deploys. When the flag is set, the Apply Automatic Updates policy action (configured in Step 3) will become relevant whenever new pattern files are made available by the policy action configured in Step 2. Only endpoints with the flag set will automatically apply pattern file updates. Step 1: Run the CPM Automatic Update Setup Script. Download and run the CPM automatic update setup script on your server. You need the deployment site administrator credentials and password. You cannot create a new console op
136. Installing CPM Components on the ESP Server; Updating Pattern Files on the Server; Update Sources; Choosing an Update Source; Preparing the ESP Server and Updating the Pattern Files; Step 1: Run the CPM Automatic Update Setup Script; Step 2: Issue a Set ActiveUpdate Server Pattern Update Interval Task; Step 3: Issue an Apply Automatic Updates Task; Connecting ESP to SPS; Installing the ESPAgent using the ESP Deployment Tool; Activating Core Protection Module for Mac Analyses; Shortcut: Activate All CPM for Mac Analyses; Removing CPM Server Components; Removing the Core Protection Module for Mac Site. Chapter 3: CPM for Mac Clients: Installing and Updating. About CPM for Mac Client Deployment; CPM for Mac Console and Client System Requirements; Incompatible or Conflicting Programs; Overview of the Deployment Steps; Pattern File and Engine Updates
137. t Protection > 4. Click the Create Global Scan Settings Configure Task button. The Edit Task window opens. 5. Type a descriptive (or memorable) name for the Task, such as Skip 2MB 2. 6. Click OK. 7. At the prompt, type your private key password and click OK. The new policy now appears in the Configuration > Global Settings > Custom Tasks. Creating the Second Configuration and Task: Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Configuration > Global Settings > Global Settings Wizard. The Global Settings Wizard screen opens. 3. Remove the check from Configure scan settings for large compressed files. 4. Click the Create Global Settings Configuration Task button. The Create Task screen appears. 5. Type a descriptive (or memorable) name for the Task, such as Scan BIG. 6. Click OK. 7. At the prompt, type your private key password and click OK. The new policy now appears in the Configuration > Global Settings screen. Making the Configurations Location-Specific: Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Configuration > Global Settings > Cus
138. tal pattern updates; however, it does not allow you to update only certain pattern types. Updating Pattern Files on CPM for Mac Clients: Before performing the client update procedures below, be sure that you have updated the pattern files on the CPM Server and that you have enabled that server to perform automatic updates. See Updating Pattern Files on the CPM Server on page A-9 for details. Trend Micro recommends that you perform the first full pattern-file update on a small number of CPM for Mac clients and then repeat the procedure on an expanded scope as you become more familiar with the procedures. Note: Automatic updates are enabled by default. Procedure Overview: 1. Enable automatic pattern file updates for CPM for Mac clients. 2. Schedule and apply automatic pattern file updates. 3. Manually update CPM for Mac clients with the latest pattern files. Enabling Automatic Updates for CPM for Mac Clients: Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Updates > Automatic Update Tasks. 3. Select Core Protection Module Enable Automatic Updates Endpoint from the list on the right. The Fixlet Description tab opens. 4. Below Actions, click the hyperlink to open the Take Action window.
139. th the negative effects of joke programs, users can be unnecessarily distracted from their main tasks. Degradation of network bandwidth: Spyware/grayware applications often regularly transmit the data they collect to other applications running on your network or to locations outside of your network. Loss of personal and corporate information: Not all data that spyware/grayware applications collect is as innocuous as a list of websites users visit. Spyware/grayware can also collect the user names and passwords users type to access their personal accounts, such as a bank account, and corporate accounts that access resources on your network. Higher risk of legal liability: If hackers gain access to the computer resources on your network, they may be able to utilize your client computers to launch attacks or install spyware/grayware on computers outside your network. Having your network resources unwillingly participate in these types of activities could leave your organization legally liable to damages incurred by other parties. How Spyware/Grayware Gets into your Network: Spyware/grayware often gets into a corporate network when users download legitimate software that has grayware applications included in the installation package. Most software programs include an End User License Agreement (EULA), which the user has to accept before downloading. Often the EULA does include inform
140. the scanning of files that decompress into very large files helps prevent this problem from happening. Phish: Unsolicited email requesting user verification of private information, such as credit card or bank account numbers, with the intent to commit fraud. Spyware/Grayware: Technology that aids in gathering information about a person or organization without their knowledge. Trojan Horse program: Malware that performs unexpected or unauthorized, often malicious, actions. Trojans cause damage, unexpected system behavior, and compromise system security, but unlike viruses/malware, they do not replicate. Virus/Malware: A program that carries a destructive payload and replicates, spreading quickly to infect other systems. By far, viruses/malware remain the most prevalent threat to computing. Worm: A self-contained program or set of programs that is able to spread functional copies of itself or its segments to other computer systems, typically through network connections or email attachments. Other malicious codes: Scanning detects some malicious code that is difficult to categorize but poses a significant threat to Exchange. This category is useful when you want CPM to perform an action against a previously unknown threat type. Packed files: Potentially malicious code in real-time compressed executable files that arrive as email attachments
141. the Enable scan exclusions check box. 4. Select Exclude Trend Micro directories (reduce false positives). 5. Select Exclude BigFix directories (improves performance). 6. To configure the Scan Exclusion List for files: a. Type a full file path or directory path and click Add. b. To delete a path, select the file path and click Remove Selected Item. 7. To configure the Scan Exclusion List (File Extensions): a. Type a file extension without a period and click Add. For example, type pdf. Note: Core Protection Module for Mac supports a maximum of 64 file extension exclusions. b. To delete a file extension, select the extension and click Remove Selected Item. Click Create Configuration Task. The Create Task screen appears. Type a name for the task or accept the default name. Click OK. The Take Action screen appears. In the Target tab, a list of endpoints that are running the CPM for Mac client appears. Select all applicable computers and then click OK. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Using Web Reputation: This chapter will help you optimize the features of Web Reputation (WR) for your environment by detailing how to manage Blocked and Approved List templates, Analyses, and the Dashboard. Topics in this
142. the complete procedure if you need configuration steps, an explanation of choices, or other details. Procedure sections in this appendix include: Scan Management on page A-2; CPM Server Management on page A-4; CPM Client Management on page A-5; Pattern File Management on page A-8; Web Reputation on page A-11. Scan Management: Scan management procedures included in this section include, for Real-time and On-Demand Scans: Configuring an On-Demand Scan on page A-2; Starting a Scan with Current Endpoint Settings on page A-2; Creating and Running a One-time On-Demand Scan on page A-3; Scheduling an On-Demand Scan on page A-3. Real-time and On-Demand Scans. Configuring an On-Demand Scan: Procedure: 1. Click Endpoint Protection > Core Protection Module > Configuration > On Demand Settings. Use the On Demand Settings Wizard > Create Configuration Task. To deploy the new settings, click Endpoint Protection > Core Protection Module > Configuration > On Demand Settings > scan name. Starting a Scan with Current Endpoint Settings: Procedure: 1. Click Endpoint Protection > Core Protection Module > Common Tasks > Core Protection Module > Core Protection Module Start Scan Now. Creating and Running a One-time On-Demand Scan: Procedure: 1. Click Endpoint Pr
143. they do, they perform a self-evaluation to determine whether they are included in the criteria. Relevant computers will complete whatever Action has been specified. When targeting more than a few computers, Trend Micro suggests that you target endpoints by property rather than by list. Targeting by property does not require a relevant computer status and allows for the use of logic such as "Install on all iMac computers, in California, that are part of the User group." CPM for Mac Console and Client System Requirements: For information on ESP Server and ESP Console requirements, refer to the Trend Micro Endpoint Security Platform Administrator's Guide. System Requirements: A quick list of supported operating systems is provided as follows: Mac OS 10.5.x - 10.8.x; Mac OS X 10.9. CPM for Mac supports migrations from the following: CPM for Mac 1.x client. Incompatible or Conflicting Programs: For a complete list of incompatible or conflicting programs, see Conflicting or Incompatible Programs on page 3-15. The following is a short list of software that you should remove from the endpoints before deploying the CPM for Mac client: Trend Micro Smart Surfing for Mac and Trend Micro Security for Macintosh; AntiVirus software for Mac, including Symantec AntiVirus, McAfee VirusScan, Sophos Antivirus, and Intego VirusBarrier. Overview of the Deployment Steps: To successfully depl
144. til a connection becomes available. Procedure: 1. From any computer with the ESP Console installed, locate and double-click the masthead file to automatically add its site. 2. Alternatively, in the ESP Console menu, click Tools > Add External Site Masthead. 3. In the Add Site window that opens, locate the masthead file(s) you received from your Trend Micro Sales Representative. The following masthead is available (file name is shown here): Trend Micro Core Protection Module.efxm; Trend Reporting.efxm; Trend Common Firewall.efxm (optional). If you are already a CPM user, you will only need to add CPM for Mac and Trend Micro Mac Protection Module.efxm. The masthead(s) you selected appear in the Manage Site window. 4. Click Gather All Sites and then OK. 5. At the prompt, type your private key password and click OK. The ESP Server will begin gathering the files and content associated with the masthead(s) you added and install them on the server. Installing CPM Components on the ESP Server: After adding the mastheads to the ESP Server, the next step is to open the ESP Console and update the CPM Server with the required components. You will need at least one relevant computer. In this case, the ESP Server to which you just added the CPM masthead should be relevant. If it is not, resolve this issue before you begin. For example, check that
145. [Screenshot: Server Settings Wizard, showing the Trend Micro's ActiveUpdate Server, Other Update Source, intranet location, and proxy server options] Other Update Source: (seldom used) The default location is http://esp-p.activeupdate.trendmicro.com/activeupdate. Intranet location containing a copy of the current file: If you want to use an intranet source for obtaining the latest pattern file update, specify that location here. This is typically used on a temporary basis for one-time updates unless the intranet source is configured to poll and receive updates from the Trend Micro ActiveUpdate server on a regular basis. Proxy. Procedure: Use a proxy server for pattern and engine updates: If there is a proxy server between the ESP Server and the pattern update source you selected above, enable this option and provide the location and proxy access credentials. Others. Procedure: Log Rolling Frequency (1-90): To keep the cumulative size of l
146. tionally select a customized action for probable virus/malware threats. Tip: If you are unsure which scan action is suitable for a certain type of security risk, Trend Micro recommends using ActiveAction. [Screenshot: On-Demand Scan Settings Wizard, Scan Action tab]
147. tions and apply them to different sets of endpoints based on whatever criteria you choose. Users can be notified before a scheduled or on-demand scan runs, but do not explicitly receive notifications whenever a detection occurs on their computer. Note: See Enabling the Client Console (for Mac) on page A-8 for information on making some detection information visible to your end users. Detections are logged and available for review in CPM Reports. Note: On-Demand scans can be CPU intensive on the client. Although you can moderate the effect by configuring the CPU Usage option (sets a pause between each file scanned), you may also want to configure an Offer as part of the Task. The Offer will allow users to initiate the scan themselves. As with most Tasks in the ESP Console, you can associate any of these scans with selected computers, users, or other conditions. As a result, you can define multiple scan settings and then attach a particular scan configuration to a given set of computers. Scan settings are saved in the CPM Dashboard. [Screenshot: On-Demand Scan Settings Wizard]
148. to Execution: Set the time and retry behavior for the update, if any. Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the installation to occur). 6. After selecting the computers to update, click OK. 7. At the prompt, type your private key password and click OK. 8. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Removing CPM for Mac Clients: To uninstall CPM for Mac from the ESP Server, you first remove all the CPM for Mac clients deployed to the endpoints, then remove the CPM for Mac server components from the server, including any mastheads. You can do the former by running the Endpoint Uninstall Task. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Deployment > Uninstall. 3. From the list on the right, select Core Protection Module for Mac - Endpoint Uninstall. A screen displaying the Task Description tab appears. 4. Below Actions, click the hyperlink to open the Take Action window. 5. Select the computers you want to target and click OK. 6. At the prompt, type your private key password and click OK. The uninstall sequence begins. 7. In the screen that appears, click the Re
149. tom Task > Skip 2MB 2, the task you just created. A screen displaying the Task Description tab appears. 3. Below Actions, click the hyperlink to open the Take Action window. 4. Select All computers with the property values selected in the tree below. [Screenshot: Take Action window, Target tab, with the By Retrieved Properties tree] 5. Next, click the All Computers tree and then By Retrieved Properties > By Subnet Address to open that branch. 6. Choose the Location name you created for the San Francisco subnet in How Locati
150. tomatic updates on endpoints. 4. [Screenshot: ESP Console navigation pane] 5. On the Target tab, choose All computers with the property values selected in the tree list below. 6. Choose a property that will include all the computers you want to deploy this Action to and click OK. 7. At the prompt, type your private key password and click OK. 8. In the Action Summary window that opens, monitor the Status and confirm that it is Fixed. Scheduling and Applying Automatic Pattern File Updates. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From the upper left navigation pane, go to Core Protection Module > Updates > Automatic Update Tasks. 3. From the list on the right, select Core Protection Module - Apply Automatic Updates. A screen displaying the Task Description tab appears. 4. Below Actions, click the hyperlink to open the Take Action window. 5. Click the Execution tab to display scheduling options as shown below. [Screenshot: Take Action window for Core Protection Module - Apply Automatic Updates]
151. ttings Wizard for Mac on page 5-4; Real Time Scan Settings Wizard: Real Time Scan Settings Wizard on page 5-9; Web Reputation Blocked Approved List Wizard: Blocked and Approved List Templates on page 6-6; Web Reputation Proxy Settings Wizard: Configuring the Web Reputation Proxy Settings Wizard on page 6-10; Scan Exclusion Settings for Mac: Scan Exclusions on page 5-11. ActiveUpdate Server Settings Wizard: Use this Wizard to select the location from where you want to download component updates. You can choose to download from the Trend Micro ActiveUpdate (AU) server, a specific update source, or a location on your company intranet. Source. Procedure: Trend Micro's ActiveUpdate Server: This location contains the latest available patterns and is typically the best source. [Screenshot: ESP Console navigation tree, ActiveUpdate Server Settings]
152. uide: Contains information for using the ESP Console to administer protected endpoints. Feedback: Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp. Table of Contents. Chapter 1: Introducing Core Protection Module for Mac: [illegible] 1-2; New in this Release 1-2; Key Differences Between CPM and CPM for Mac 1-3; Version Report; Infection Report; Web Reputation Wizards; How CPM for Mac Works 1-7; ESP and CPM for Mac Components 1-8; Features and Benefits; Ease of Management; Superior Malware Protection; Web Reputation Technology; The Trend Micro Pattern Files and Scan Engine 1-12; Incremental Virus Pattern File Updates 1-12; How Scanning Works 1-13; The Trend Micro Scan Engine and Detection Technologies 1-13. Chapter 2: ESP Server: Installing and Upgrading: Opening the ESP Console 2-2; Adding CPM for Mac to the ESP Server
153. ust have http or https before each URL entry. To grant access to all the pages on a site, enter the name of the domain followed by Example: http://www.goodURL.com 7. When you are finished creating your template, click Save. The Blocked Approved List Templates window returns. 8. Click the Create Task From Template button. The Edit Task window opens. 9. Click OK. 10. Click the hyperlink in the Actions window. The Take Action window opens. 11. Select the computer or computers in the window to which you want to deploy your Blocked Approved List template and set any desired options. Note: For more information about setting options using tabs in the Take Action window, see the ESP Console Operator's Guide. 12. When you have finished selecting options, click OK. 13. In the Action Summary window that opens, monitor the Status and Count of the Action to confirm that it is Running and then Completed. Enabling Smart Protection Server Web Reputation Service on Clients. Important: Administrators must install and configure a Smart Protection Server before configuring CPM for Mac client access. For details on Smart Protection Servers, see Smart Protection Server Configuration on page 4-20. Procedure: 1. From the ESP Console menu, click Endpoint Protection on the bottom left pane. 2. From th
154. want to download, such as MP3 music files. Periodically examine the installed software on your agent computers and look for applications that may be spyware or other grayware. Keep your Windows operating systems updated with the latest patches from Microsoft. See the Microsoft website for details. Index. A: ActiveUpdate 1-12, 2-5, 2-7, 2-9, 5-2; incremental updates 1-12; source 5-2; wizard 5-2; adware C-5; analyses 2-11, 2-12, 6-18; activating 2-11; activating shortcut 2-12; viewing 6-19, 6-20; Web Reputation Client Information 6-18, 6-19; Web Reputation Site Statistics 6-19, 6-20; Apply Automatic Updates 2-10; automatic update setup script 2-8. B: BigFix 1-7; Block Approved List Wizard 6-6. C: clients 3-2, 3-5, 3-14, 4-12, 4-13, 8-4, 8-10; configuring updates from the Cloud 4-13; deployment 3-2; deployment steps 3-3; deploying CPM 3-5; identifying conflicting products 3-4; ineligible endpoints 3-3; removing conflicting products 3-5; logs 8-4, 8-10; removing CPM 3-14; updates from the Cloud 4-12; components 2-12; compressed files C-3; contacting 9-3, 9-4; documentation feedback 9-3; Trend Micro 9-4; CPM 2-2, 2-4, 2-12, 2-13, 4-5; adding to the ESP server 2-2; components 2-12; removing 2-12; installing components on the ESP server 2-4; masthead 2-2; site 2-13; removing 2-13; CPM console 4-2; navigating 4-2; CPM task flow 4-5
155. with Trend Micro. ActiveUpdate supports incremental updates of the virus pattern file. Rather than download the entire pattern file each time (full pattern files can be more than 20MB), ActiveUpdate can download only the portion of the file that is new and append it to the existing pattern file. How Scanning Works: The scan engine works together with the virus pattern file to perform the first level of detection, using a process called pattern matching. Because each virus contains a unique binary "signature" or string of telltale characters that distinguishes it from any other code, the virus experts at TrendLabs capture inert snippets of this code to include in the pattern file. The engine then compares certain parts of each scanned file to the data in the virus pattern file, looking for a match. Pattern files use the following naming format: lpt vpn where represents the pattern version (for example, 400). If multiple pattern files exist in the same directory, only the one with the highest number is used. Trend Micro publishes new virus pattern files on a regular basis (typically several times per week) and recommends configuring hourly automatic updates. With automatic updates enabled, new updates will be downloaded to the server and flow to the endpoints immediately. Updates are available to all Trend Micro customers with valid maintenance contracts. The Trend Micro Scan Engine and
156. y 1-10; Smart Protection Server 1-10, 4-20, 4-22, 4-24; configuring 4-20, 4-22, 4-24; list configuring 4-21; deploying 4-22, 4-24; Smart Protection Servers 2-10; connecting to the ESP server 2-10; SPR 1-10; spyware C-2; spyware/grayware 8-4, C-2, C-5, C-7; adware C-5; dialers C-5; entering the network C-7; guarding against C-7; hacking tools C-5; joke program C-5; logs 8-4; password cracking applications C-5; remote access tools C-5; risks and threats C-6; system requirements 3-2, 3-15. T: task flow 4-5; TMCPMEncrypt.exe 6-11; TrendLabs 9-3; Trend Micro Security Information Center 9-4; Trojan Horse C-3; Trojan horse program 1-13. U: updates 2-5, 2-7, 2-8, 3-7, 3-8; applying 3-10; automatic updates on clients 3-9; from the Cloud 3-8, 4-12, 4-13; incremental 1-12, 3-7; manual 3-12; pattern files 2-4, 2-8, 3-7; pattern files on clients 3-8, 3-10, 3-12; preparing the ESP server 2-8; scan engine 1-14, 3-7; scheduling 3-10; sources 2-5, 2-7; choosing 2-7. V: virus pattern file published 1-13; virus/malware 1-11, 1-13, B-2; in the wild 1-13; protection 1-11; scan actions B-2; scans 4-5; viruses/malware 8-4, C-3; actions 5-7, 5-10; boot C-4; file C-4; logs 8-4; script C-4. W: watchdog 8-11; web protection module 2-3; pre-installation removal 2-3; web reputation 1-11, 2-3, 6-2, 6-7, 6-9, 6-10, 6-12, 6-14, 6-20, A-11, A-12; about 6-2; analys
157. y clicking the create a task button can be closed by clicking the X in the upper right corner. How CPM for Mac Task Flows Work: In general, you start by using the CPM Dashboard to make configuration settings. Then you bundle the settings into a Task, which delivers an Action to targeted computers. Tasks also include a Relevance, which provides an additional layer of logic that can further define eligible targets. All ESP Agents (on which the CPM client runs) receive Tasks, but then each agent makes its own determination as to whether its host endpoint meets the conditions of the Task, that is, whether the Action is Relevant or not. Relevance is determined by checking whether a given set of conditions is true for a particular endpoint. If all the conditions are true, the endpoint is designated as eligible for whatever Task, Fixlet, or Action did the checking. Fixlets are a way of polling endpoints to see if they are Relevant for an Action. In other words, Fixlets make Actions in a Task possible when conditions are right. Fixlets can be grouped into Baselines to create a sequence of Fixlet Actions. Offers are a way of obtaining end users' consent before taking an action. Configuring and Running Malware Scans: CPM for Mac provides two types of malware scans, On-Demand and Real-Time. In addition, you can schedule On-Demand scans to automatically reoccur. You can apply the same scan to all endpoints, or create different scan configura
158. y themselves according to their current network location or status. As soon as the property is created, it will be propagated to all clients, and applicable computers will pick up the setting (that is, their configuration status may change according to the choices you have in place). Before you begin, you should know or have a list of the subnets used in your organization and their respective geographic locations. Alternatively, you can create a custom relevance expression to dynamically map retrieved client properties using a key/value set. See the ESP Administrator's Guide for more information. Note: The purpose of the procedure below is to create a property that will define the geographic location of an endpoint according to its subnet. Using the same principles, you could also create a property based on connection type, relay, operating system, or any other characteristics and use it in conjunction with the CPM firewall, CPM for Mac malware protection, and CPM for Mac Web Reputation. Procedure: 1. Log on to the ESP Console as Master Console Operator. 2. From the ESP Console menu, click All Content on the bottom left pane. 3. From the upper left navigation pane, go to Wizards > All Wizards > Location Property Wizard. The Location Property Wizard screen opens. 4. Choose one of the following and then click Next: Create a retrieved property that maps subnet to location: For each locati